Policy on Access to Information

Contents:: Chapter index for Policy on Access to Information
Updated:: 19 November 2025

Part 5

• 5 Managing requests: general

5.1 Date of receipt

The date of receipt of a request is the date (up to midnight) it is physically or electronically received. For email requests, the date of receipt is the date the email was received by the server, not the date when it is opened by the recipient. Exceptionally, if an absent member of staff has set an out of office message with instructions on how to redirect the message to another member of staff, the date of receipt is when it arrives in the other member of staff’s inbox.

5.2 Acknowledgement

It is important that all requests by letter are date stamped when they are received, so the time limit can be monitored. If the request cannot be dealt with immediately, the IRO should acknowledge it in writing, even if the requester has been spoken to. The acknowledgement should be sent within five working days of receipt and should quote the LGSCO time limit, explain that we will respond by that date, and that we will respond electronically if the request was submitted electronically.

5.3 Evidence of identity

If a request is for personal information held in our files, it is important to establish we are dealing with the person concerned. If necessary, the IRO should request evidence of identity.

5.4 Advice and assistance

The FOIA requires us to provide advice and assistance to people who request information or propose to do so, and this is good practice for anyone who needs help. If, for example, access to information is requested under the FOIA which we cannot provide under that Act but could under the GDPR/DPA, we should explain this and provide the information under the UK GDPR/DPA. The duty covers all stages of the request, so if someone requests information in the course of a telephone call, for example, we should ask the person to put the request in writing.

We also have a duty to help people with disabilities and make reasonable adjustments. If someone cannot make a request in writing because of a disability, for example, it may be necessary to take the request over the phone and then send it back to be checked and signed.

5.5 Maintaining information while an access request is addressed

Records which are the subject of an outstanding access to information request must not be destroyed until it has been addressed and the two-month period for appeal has expired. (It is an offence to destroy information that has been requested under the FOIA, DPA and UK GDPR.) For case information, it is essential the Team Co-ordinator is notified of access requests and checks the “Other contact” screen before any deletion of any material held on the K: drive takes place. Any call recordings must also be retained.

ECHO is the master record for our casework and should contain all relevant information, but information may be in a variety of other places, including paper files, electronic files stored on shared drives or the intranet and call recordings. There should not be any casework emails outside ECHO. The Investigator or case owner must ensure these are checked and are retained as necessary. For corporate requests, the relevant manager should be consulted before record destruction takes place. See the Retention and disposal of casework records policy.

Records relating to management of SARs, FOIA and EIR requests are maintained in line with the Information and Record Management retention schedule.

5.6 Acquiring information

We are not required to acquire information we do not possess, create information or to disclose information which is provided as part of an existing charged service (as set out in the publication scheme) other than through that service. C

5.7 Transferring requests

If we do not hold information requested, but another authority does, we should provide the contact details of that organisation and advise the applicant to make a new request.

5.8 Interim replies

If it is not possible to send a full response to a request (e.g. because of the need to consult) the IRO should consider sending an interim response enclosing the data over which there is no doubt. When all outstanding issues regarding consultations, exclusions and exemptions are complete, send a final response to the requester.

5.9 Recording material sent

The IRO will maintain a clear record of the outcome of requests.

For casework requests where all or most information is being provided, an ECHO record will be kept of any material which has not been disclosed. Conversely, if little information is provided, a record of this should be kept. Copies of both any original and redacted versions of documents must be maintained. As Notes and Analysis is a ‘dynamic’ document which is subject to subsequent change, a copy of this at the date of disclosure will be kept. All documents will be clearly labelled to show their status.

For corporate requests, a similarly clear record of what has been provided will be kept. There is a file on the K drive for this.

5.10 Format of response

Where data subjects are exercising their rights under UK GDPR and the request is made by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If we cannot provide the information in the form the applicant requests, we should explain why. In considering whether or not it is reasonable to comply with the applicant’s requested format we must consider all the relevant circumstances, including the cost, but also taking account of the requirements of equality legislation (i.e. if the person has a disability).

Where a requestor is making a request under FOIA, then they can specify at the time of making the request, how they would like to receive the information. Where it is reasonable to do so, we must comply with their preference.

5.11 No requirement to confirm material exists under FOIA

The FOIA generally requires us to confirm or deny the existence of the material that has been requested, even if we are not releasing it. There is a provision to refuse to confirm or deny existence of the information. This applies when to do so would have the effect of disclosing information which the exemption is designed to protect. Where the public interest test is applied this usually has to be applied to the question of whether to confirm or deny as well.

5.12 Information that must be provided under UK GDPR/DPA

The data subject has the right to obtain confirmation as to whether or not their personal data are being processed, and where they are, they have the right to access the personal data and to the following information:

the purposes of processing
the categories of personal data concerned
the recipients or categories of recipients of the data
how long the data will be stored
their other rights in relation to the personal data (rectification, erasure etc)
that they have the right to complain to the ICO
the existence of any automated decision-making.

Cookie name	Description	Action
ASPSESSIONID	This helps the site to function smoothly during your visit. For example, remembering your display settings and online complaint form preferences.
CookieNotice.Analytics	Used to remember your choice for analytical cookies.
TH_TOOLBAR_SETTINGS	Stores an object containing user specific settings for the Browsealoud toolbar such as dialog positions and button states. No personally identifiable data is stored.
API_SETTINGS	Stores an object containing user specific API settings for the Browsealoud toolbar such as voice and language selection, user preferences set in the toolbar settings panel and selected styles for word highlighting. No personally identifiable data is stored.
audioalert	Stores a value ‘audioalert = true’ after the first Browsealoud audio alert.
__utma	Used to distinguish users and sessions. The cookie is created when the javascript library executes and no existing __utma cookies exists. The cookie is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
__utmt	Used to throttle request rate.	BrowseAloud v.3 documentation Privacy policy
__utmb	Used to determine new sessions/visits. The cookie is created when the javascript library executes and no existing __utmb cookies exists. The cookie is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
__utmc	Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the__utmbcookie to determine whether the user was in a new session/visit.	BrowseAloud v.3 documentation Privacy policy
__utmz	Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics.	BrowseAloud v.3 documentation Privacy policy
_ga	Used to distinguish users. The ID is used only to identify the session for the statistics and is completely anonymous.	BrowseAloud v.3 documentation Privacy policy
_gat_UA-4669579-11	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_.	BrowseAloud v.3 documentation Privacy policy
_gid	Used to distinguish users.	BrowseAloud v.3 documentation Privacy policy

Company	Description	Action
Google Inc = _ga	Google Analytics tracking cookie. Helps us to know how many people visit our site by tracking if you've visited before.	Terms and conditions Privacy policy
Google Inc = _gid	Google Analytics tracking cookie. Helps us to know how many people visit our site by tracking if you've visited before.	Terms and conditions Privacy policy
Google Inc = _gat	Google Analytics tracking cookie. Used to manage the rate at which page view requests are made.	Terms and conditions Privacy policy