As a parish or town council, you'll be familiar with FOI and GDPR requests made by residents, but when it comes to managing requests under each, things can get a little tricky.
While both the Freedom of Information (FOI) Act and the UK General Data Protection Regulations (UK GDPR) involve the disclosure of specific information, they serve different purposes and have distinct processes.
Understanding the differences between an FOI request and a GDPR Subject Access Request (SAR) is crucial for staying compliant and handling these requests effectively.
What is an FOI Request?
An FOI request allows any member of the public to request information from public authorities, including parish and town councils. The purpose of the Act is to promote transparency by giving people the right to access information held by councils and other public bodies.
Key Features of FOI Requests:
Who can request? Anyone can make an FOI request. It could be a resident, journalist, or researcher, for example. They do not need to live within your parish. Indeed, requests can sometimes come from organisations far away from the council concerned.
What can be requested? The request can relate to almost any information your council holds, for example meeting minutes, spending records, reports, or other documents that aren't exempt from disclosure.
Response time: Councils must respond to FOI requests within 20 working days.
Exemptions: Not all information has to be provided - but each request must be treated on its own merits. The FOI Act includes a list of exemptions, which we can advise councils on.
What is a GDPR Subject Access Request (SAR)?
Under the GDPR, individuals have the right to access their personal data that your council may hold, typically referred to as a Subject Access Request (SAR). This is not about general information like an FOI request, but specifically about personal data—information that identifies them, or which specifically relates to them.
Key Points About GDPR SARs:
Who can request? Only the individual whose data is being processed can make a SAR. This could be a resident, for example, or anyone whose personal data you process.
What can be requested? A SAR allows the individual to request details about the personal data your council holds on them, in order to verify the lawfulness of processing. Such data may include, for example, content in emails, digital records, and CCTV footage that contain their personal information.
Response time: You must respond to SARs within one calendar month, though extensions can sometimes be allowed in complex cases.
Purpose: GDPR aims to protect individual privacy and ensure that personal data is handled fairly and lawfully.
Key Differences Between FOI and GDPR SAR Requests
While both FOI and GDPR SAR requests require your attention, they operate under different principles. Here’s a quick breakdown of the key differences:
Aspect | FOI Request | GDPR SAR |
Type of Information | General council information (non-personal) | Personal data relating to the individual requesting it |
Who Can Request? | Anyone | Only the individual whose data is held |
Response Time (yes, we realise 20 working days and 1 calendar month are identical.... 🤷) | 20 working days | 1 calendar month |
Purpose | Transparency in council activities | Protecting individual privacy and data rights |
Scope of Data | Public records, reports, documents, etc. | Personal data (e.g., emails, records, CCTV footage) |
Cost | Free (with some exemptions for excessive requests) | Free (unless the request is repetitive/excessive) |
Handling FOI and SARs Efficiently
As a clerk or officer overseeing GDPR and FOI requests, it's essential to have clear procedures for handling both. Here are a few tips:
Establish Clear Processes: Set up clear workflows to ensure both FOI and SAR requests are logged and managed within their respective deadlines.
Know the Exemptions: Familiarise yourself with FOI exemptions and GDPR rights to know when you can refuse a request or apply limitations.
Train Your Team: Make sure that anyone who handles council data understands how to identify and process FOI and SARs appropriately.
Keep Good Records: Maintain accurate records of all requests, the data provided, and any exemptions applied. This will help you if you need to justify your decisions later on.
Seek Help When Needed: If a request is particularly complex, or you're unsure whether an exemption applies, call our team on 01903 299000 and we can provide your council with advice.
Final Thoughts
FOI and GDPR SAR requests are part of a council's routine but understanding the difference between them is key to ensuring compliance.
Remember, whilst FOI promotes public transparency, the UK GDPR is designed to protect an individual's privacy. By keeping these two distinct processes clear in your mind and following best practices, you'll be well-equipped to handle both types of requests effectively.
For more detailed support or expert advice on handling FOI or GDPR compliance, the Council Hive Hub provides access to a wealth of resources, templates, and professional guidance designed specifically for councils.