Skip to main content

Information held by the University is released for all sorts of reasons and to all sorts of people every working day. From students requiring information about courses, government agencies requesting details on core activities, journalists reporting on graduations, to members of the public enquiring about events, the flow of information is constant at all levels of the institution.

In addition to the release of general information in response to routine enquiries, the University is also required to deal with more complex, and potentially more time-consuming, requests arising from the exercise of statutory rights of access under the Data Protection Act 1998 and, from 1 January 2005, the Freedom of Information Act 2000. Compliance with each places specific obligations on the University as a whole and members of staff, in particular, how requests for information should be handled and processed.

The following sections provide advice to staff when dealing with requests for information and outline relevant procedures that should be adopted to ensure legislative compliance.

The Legislation 
The Data Protection Act (DPA) and the Freedom of Information Act (FOIA) together form part of an access to information regime in respect of information held by publicly-funded institutions in the UK. Each confers a general right of access to information which, subject to exemption, can be exercised by anyone who wishes to make an enquiry (e.g. a student, a member of staff, a corporate body or member of the public):

  • Data Protection - permits individuals who are the subject of personal data (“data subjects”) held by an institution to request in writing any personal data which relates to them (a “subject access request”) and, subject to exemption, to receive it within 40 calendar days. This right has been in force since October 2001.
  • Freedom of Information - extends the public’s right of access to all recorded information held by an organization, subject to exemption, and, as such, applies to all written requests for information, that do not constitute routine business requests.  Public authorities have 20 working days to comply with requests under FOIA.

The overall aim of the legislation is to enhance accountability and transparency of action and to protect individual privacy. In achieving these goals, the government has appointed an Information Commissioner to oversee and regulate institutional compliance. Assistant Information Commissioners for Wales, Scotland and Northern Ireland have also been appointed to support this role.

University Arrangements: An Overview 
Given the similarities between the DPA and FOIA, the University has adopted a unitary approach to simplify compliance, centralising responsibility in an Information Compliance Unit within the Registrar's Office. The Unit is responsible for:

  • Issuing relevant guidelines and advice to staff on DPA and FOIA. 
  • Co-ordinating responses to requests for personal data under DPA (i.e. Subject Access Requests) and to more complex requests for information requiring the application of an exemption under FOIA.

University departments will continue to deal with all other enquiries as they have always done, ensuring that any requests for personal data or for information that may be exempt under FOIA (click here for an outline list of exemptions under FOI), are transferred centrally to the Information Compliance Unit as soon as possible for processing. Requests for information received from the media should be forwarded to the Communications Office as required under existing University protocols.

There is also a statutory duty to provide adequate advice and assistance to all enquirers or potential enquirers and to ensure that all written requests for information are processed within statutory deadlines.

University Publication Scheme 
The University already places a great deal of information in the public domain, including the University Charter and Statutes, minutes of Senate, statistics relating to student numbers, and the University’s annual accounts etc. These are usually published via the University website at . As required by the FOIA, all of the information that the University places in the public domain is listed in our Publication Scheme, which describes both the types of information available and where it can be located. It is appropriate to re-direct potential enquirers to the University Publication Scheme if the information sought is available through it.

A copy of the Scheme from the Information Compliance Unit.

Identifying a Request for Information 
All written requests for information received by the University (i.e. by email, fax or letter) should be treated as potential requests under the FOIA regardless of who receives a request and whether or not it falls under DPA or FOIA. This is important as the Freedom of Information Act does not need to be cited when a request has been made and can extend to requests for personal data. All enquirers should therefore be offered appropriate advice and assistance and requests processed within a maximum of 20 working days to ensure compliance with both Acts.

To assist in the identification of requests, appropriate template forms have been prepared and included in an  which should be provided to potential enquirers. Alternatively, enquirers can be referred to the University Publication Scheme for information that is routinely released by the University or to the Information Compliance Unit for further assistance.
Handling a Request for Information 
As with all correspondence received by the University, staff should first of all ensure that all written requests for information that they receive are date stamped so that the statutory deadline for dealing with a request can be established i.e. when the 20 working day time-limit is due to elapse. Where a completed Information Request Form or Subject Access Form has been received, this should also be date stamped, but then forwarded to the Information Compliance Unit as a matter of course.

In dealing with all other written requests (i.e. those received by email, letter or fax), staff then need to make a basic judgement as to what sort of request has been made. There are three main choices:

(i) Routine requests – These should constitute straightforward requests for information that departments will have dealt with as a matter of course before the FOIA came into force. Examples include asking for copies of documents produced by your department for routine circulation, asking for contact details, asking for opening hours or details of services that your department might provide. NB: The vast majority of requests received by the University will fall within this category.

(ii) Media Requests – These relate to requests received from any member of the media, i.e. a newspaper, radio or television journalist. In accordance with existing University practice, all such requests should be referred to the Communications Office.

(iii) Non-Routine Requests – These will be requests for information that go beyond the day-to-day correspondence that your department normally deals with and which will require the central request procedure to be invoked (see below). Such  requests may:

  • Mention Freedom of Information or Data Protection. 
  • Refer to information that you do not already routinely provide in the course of your work. 
  • Refer to information that is not held by the University.
  • Involve a more complex or sensitive response. Requests may be complex for a variety of reasons, as set out below:  
    • Requests may involve consultation with other public bodies or with third parties.
    • It may be unclear as to whether or not the information sought is exempt (Click here for an outline of FOI exemptions).
    • Requests which relate to issues which have a high public profile.
    • Requests which may relate to financial interests. 
    • Requests which may be part of an orchestrated campaign.

All non-routine requests should be passed to the Information Compliance Unit as soon as possible.

Central Procedure for Dealing with a Request for Information 

Requests for information under FOIA or DPA will be received by the Information Compliance Unit either directly from an enquirer or on transfer from another University department. On receipt, requests will be date stamped and allocated a unique reference number so that progress can be monitored. The following procedure will then be observed:

  • Validation – The request will be assessed and validated by the Information Compliance Unit according to the terms of the relevant information access regime under which the request falls i.e. FOIA or DPA. The Legal Services Manager will also be notified of the request at this stage for information only.  
  • Acknowledgement - Initial contact will be established with the enquirer to acknowledge the request and to obtain any clarification required. 
  • Publication Scheme – The University Publication Scheme will then be consulted to determine whether the information requested has already been published. If so, the procedure for providing information covered by the Scheme will be followed.
  • Information Compliance Panel - If the information is not included in the Scheme, the Information Compliance Unit will decide how best to proceed with the request. 
  • Action - The Information Compliance Unit will consider the requested information and either refuse or disclose in full, or in part, within statutory guidelines.

Details of the request will then be logged onto a central enquiries database and the request closed.

Complaints Procedure 

Should an individual be dissatisfied with the way in which the University deals with a request for information or in the operation of its Publication Scheme, they are permitted to make a complaint. If a written complaint is received by the University regarding its compliance with the DPA or FOIA, it should be passed to the Information Compliance Unit. If the matter cannot be resolved informally, the complaint will be referred to a Pro-Vice-Chancellor for internal review. S/he will be responsible for assessing all aspects of the complaint and determining, firstly, whether there is a case to answer and, secondly, what action, if any, should be taken in response to it. In responding, the complainant will be informed of their right to appeal any decision taken by the University to the Office of the Information Commissioner. A record of all complaints will be maintained and the procedure reviewed on an annual basis.

Contact Details 
For further information and advice about the information contained in this document contact:

Information Compliance Unit
Registrar’s Office
Lanyon South 
T: Ext. 2505
W: Information Compliance Unit