The coronavirus (COVID-19) pandemic means areas such as information requests are likely to be low-priority for public authorities, but it is important to understand what the ICO has said about their approach to regulation, and what this means in practice.
The ICO's Statement on Freedom of Information Requests
The ICO has formally stated that whilst, as a regulator, they are unable to formally extend time limits under the GDPR, Freedom of Information Act and Environmental Information Regulations, it is taking a more relaxed approach to time limits. It expects that it might take public authorities longer than the statutory timescales to respond to requests, and it will not necessarily take regulatory action where this is unavoidable.
What Does This Mean for Public Authorities?
This means that the ICO is still expecting public authorities to deal with requests - including those made under the GDPR, Freedom of Information Act and the Environmental Information Regulations. However, if the impact of the current situation means that you are unable to respond within a month if it is a GDPR request, or 20 working days if it is a non-personal data information request, then the ICO will not penalise you for this. Your legal obligation to respond remains - all the ICO has said is that it will not penalise you if you are outside of the usual time limits.
If you are struggling to keep up with requests, it is important to keep the requestor updated. Explain that you are unlikely to be able to deal with their request within the usual timescale, and try and give a realistic estimate as to when you might be able to respond. It will assist you to have collated some evidence to support your estimate, and ensure that it is both reasonable and realistic.
If you are relying on the need to answer outside of the time limits, the ICO is likely to expect to see the following:
- A genuine lack of capacity on behalf of the authority.You will need some evidence to show that the diversion of resources means that there is a lack of expertise and capacity to deal with the request in the usual timescale.
- Regular reviews of the situation and capacity so that requests are responded to as soon as possible.
- As soon as you are able to deal with a request, the ICO will expect you to deal with it promptly - meaning as soon as possible.
It's likely that you will be receiving requests about your response to the crisis, and how you have acted and dealt with particular situations. Whilst responding to these questions inevitably takes time and resource, you should consider the public interest in the information that you are being asked to provide, and whether that public interest means that you should prioritise a response. We recommend that you have a system of triage, so that you can identify the more routine requests, and requests that are not time sensitive, and prioritise requests on that basis.
Why Can't We Refuse to Deal with Requests?
There is no scope within the legislation for you to refuse to deal with a request because of resource issues, or unprecedented demand on services. This means that you have a legal obligation to deal with any requests that you receive. Technically, you are still required to deal with them within the timescales given - the ICO does not have the power to extend or amend these. All they can do is relax their regulatory approach where they are convinced that a public authority was genuinely unable to deal with a request within the time limit specified.
- The legal obligation to deal with any information request that you receive remains in place, and you are required to provide a response.
- If you are genuinely struggling to deal with requests because of a lack of resources, you do have longer to deal with requests, but you will have to justify why the request took longer with reference to your specific circumstances.
- You will have to deal with the requests that you receive at some point, and it may be worth considering whether you can triage requests, and deal with the more urgent ones first.