Freedom of information and environmental information privacy policy
Collecting and retaining personal information
The Tavistock and Portman NHS Foundation Trust will process the personal data applicants provide in line with the General Data Protection Regulation (UK GDPR) and the Data Protection Act (2018), and in accordance with our Privacy Policy which can be found via the following link: Tavistock and Portman Privacy Policy
Our Combined Freedom of Information Policy and Environmental Information Regulation Policy outline our internal processes which we undertake in relation to requests They can be found here: Freedom of information policy – Tavistock and Portman.We will act as “Controller” (in line with Article 4 of the UK GDPR for the personal data applicants may provide
Any questions, comments or concerns about the handling of applicants’ personal data, can be raised with the FOI team, or with our Data Protection Officer who can be contacted on dpo@tavi-port.nhs.uk
What we need
To process applicants requests under the Freedom of Information (FOI) Act (2000) or the Environmental Information Regulations (EIR) (2004), we will need the following personal data:
Applicant’s name, (a first name and a surname, or any variation of the requester’s first name combined with their surname). A combination of the requester’s middle names and surname is also acceptable, as this is simply another way of expressing their real name.
An address for correspondence; this should preferably be email, but may also be via hard copy correspondence.
Details of anyone authorised to request information on behalf of the applicant (if applicable)
We may ask for further personal data, particularly if we have concerns that the applicant has failed to provide their real name.
By providing this information, the applicant is allowing us to use this information to provide them with a response to their request.We will also need to process their information if they request an internal review, or make an appeal to the Information Commissioner.
We also use the applicant’s information to verify their identity, where required, to contact them by post, email or telephone, and to maintain our records in line with our retention schedule – Retention of all Clinical and Corporate Records Guidance are based on section 46 of the Freedom of Information Act 2000 – Records Management Code of Practice under s 46 of FOIA
Why we use applicants’ data
Our primary purpose for using applicant data is so that we can process their requests for information.
When we receive a request for information we will record the details of the request in our FOI request log. This includes contact details and any other information provided by the applicant. We will also store a copy of the information that falls within scope of the request
In addition, we use applicant data for the following secondary reasons:
Recording the types of applicants making requests to us by broad category (private individual, academia, commercial, legal/financial firm, other NHS Trust, Media, Political Party/MP, Other).
If a request is received from a journalist or from a media organisation, our communications team will be notified and provided with a copy of the Trust’s response, so that they are aware of any potential and/or forthcoming new coverage to which they may need to respond.
We sometimes discuss FOI requests with other public authorities, such as FOI officers in other Trusts or local councils, or suppliers, to obtain opinion about disclosing details of contracts with them. We would never deliberately share the identity of applicants under these circumstances. If applicants have submitted the same request to a number of public authorities, their identity may be obvious to those who have received the request.
If the request is about information we have received from another organisation we will routinely consult the organisation/s concerned to seek their view on disclosing the material.
Legal basis for processing
The legal basis for processing FOI requests request is article Article 6(1)(e) of the UK GDPR which relates to processing necessary to comply with a legal obligation to which we are subject. In the case of information requests, the legal obligations are set out in:
- General Data Protection Regulations (2016)
- Data Protection Act (2018)
- Freedom of Information Act (2000)
- RoPSI Regulations (2015)
If any applicants’ information provided to us, in relation to their information request, contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process this is in article 9(2) of the UK GDPR which also relates to our public task and the safeguarding of the applicant’s fundamental rights.
Schedule 1 Part 2(6) or the DPA 2018 which relates to statutory and government purposes.
As a public authority, The Trust is governed by both the Freedom of Information (FOI) Act (2000) and the Environmental Information Regulations (EIR) (2004), and we are required to comply with both pieces of legislation. To correspond with applicants, we will require the personal data set out above. Furthermore, S.8 of the FOI Act 2000 obliges applicants to provide their name. Failure to provide this invalidates their request, and could mean the Information Commissioners Office will not assist regarding their request.
As such, the Trust takes care to ensure applicants are aware of their obligations and rights. If we have concerns that applicants have not provided their real name, we may request further personal data to ensure their request is valid.
Who we share applicants’ personal information with
The personal data applicants provide will be received by the FOI Team in the Tavistock and Portman NHS Foundation Trust. The FOI Team is part of the Information Governance Team. For resilience and staff cover, other members of the Information Governance Team can access this information.
Where a request for an internal review is received, applicants’ personal data may be shared with a senior staff members outside the Information Governance team to independently manage the review. Where an appeal to the Information Commissioner’s Office is made by the applicant, we are lawfully required to share the applicants’ information with them.
The Trust saves FOI requests within the Trust’s email system, which holds FOI correspondence with internal and external parties. Applicant details are entered into a dedicated FOI log, within the Trust’s IT system. Please contact our Data Protection Officer dpo@tavi-port.nhs.uk for more information.
How we will communicate with applicants
Whenever applicants have requested information from us, we will of course need to communicate with them; for example, to provide them with their requested information, or to ask for clarification of their request. This will usually be in the format they have used to contact us, or the format they have requested (most commonly via email).
If applicants write to us in hard copy and provide an email address in their letter, and unless they have requested otherwise, we will communicate with them via email.
If applicants have provided a telephone number, we may call them to request clarification. However, we will only discuss their request with the applicant, or a person for whom we have prior authority to do so.
How we protect applicants’ personal information
Applicants’ personal data will be stored on within the Trust’s IT network which may be copied for testing, back up, archiving, or disaster recovery purposes.
As outlined above, routine access to this personal data is limited to those who require it to assist with the request.
If applicants choose to provide further personal data, or more sensitive information, as part of the request process this will be stored with their correspondence, and processed in line with our full privacy policy which can be found here. Tavistock and Portman Privacy Policy
How long we keep applicants’ personal information
Unless asked not to, we will delete the personal information relating to a request in accordance with – Records Management Code of Practice under s 46 of FOIA
This does not impact rights as a data subject, for example to have personal data deleted or rectified. Please contact our Data Protection Officer on dpo@tavi-port.nhs.uk for more information, or to make such a request.
Applicants’ rights
For a full outline of applicants’ rights as a data subject, please see the Trust’s full Privacy Policy which may be reached via the following link: Tavistock and Portman Privacy Policy
Changes to this privacy notice
Our privacy notices are regularly kept up to date.
Applicants will always be able to view our current FOI privacy notice on our website, within the section on Freedom of Information Requests.
Further information
For further information is available from the following publications, produced by the Information Commissioner’s Office.