Corporate report

SSRO procedures for responding to freedom of information requests

Published 28 April 2023

1. Introduction

The Freedom of Information Act 2000 (the FOI Act) provides public access to information held by public authorities, including the SSRO. Under the FOI Act, the SSRO is obliged to publish certain information about its activities and external parties are entitled to request information from the SSRO (FOI requests). The fundamental principle underpinning the FOI Act is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.

This document provides guidance for the SSRO’s stakeholders on the procedures that the SSRO will follow for dealing with FOI requests made to the SSRO. Application of these procedures will ensure the SSRO fulfils its obligations under the FOI Act efficiently and effectively.

The Information Commissioner’s Office (ICO) has published extensive guidance on the FOI Act and responding to FOI requests. The SSRO will have regard to that guidance as appropriate when dealing with particular cases.

2. Application

The procedures apply in respect of any written (e.g., email or letter) requests for information received by the SSRO, but exclude requests made by individuals under the Data Protection Act 2018 for a copy of information the SSRO holds about them (Subject Access Requests).[footnote 1] An FOI request does not need to specify that it is being made under the FOI Act for the provisions of the Act to apply.

3. Governance

The SSRO’s Chief Executive is accountable for ensuring the SSRO complies with its obligations under the FOI Act. They are authorised by the SSRO’s Board to appoint another appropriate SSRO staff member to act on their behalf.

Where an applicant is dissatisfied with the SSRO’s handling of, or response to, their FOI request they may ask the SSRO to undertake an internal review. Requests for an internal review of the handling of, or response to, an FOI request will be escalated to the Chief Executive who will determine how any review should be undertaken. (Further detail on internal reviews is provided below.)

The SSRO’s Executive Committee and Board receive periodic updates on the SSRO’s performance in responding to FOI requests.

4. Receiving, assessing and logging requests

The SSRO encourages those seeking information to submit requests via email to enquiries@ssro.gov.uk. This account is monitored daily to ensure the SSRO logs and responds quickly to any FOI requests.

Within two working days of an information request being received, an initial assessment will be made as to whether the request should be considered under the FOI Act. The initial assessment will consider the following.

  • Is it a request made in the normal course of business that can be dealt with easily? For example, a request for a copy of the SSRO’s published guidance on a particular topic. Such requests will be forwarded to the SSRO’s Helpdesk team (helpdesk@ssro.gov.uk) for logging and response.
  • Is it a Subject Access Request? Such requests will be forwarded to the SSRO’s Data Protection Manager for logging and response.
  • Is it a request for environmental information? Such requests will be forwarded to the Head of Legal for logging and response under the Environmental Information Regulations.
  • Does the request contain the information required by section 8(1) of the FOI Act: the name of the person seeking information; the address for correspondence; and a description of the information requested? If any of the required information is missing, or if the request is ambiguous, the applicant will be asked to amend and re-submit their request. In such cases, the SSRO will have regard to the guidance on providing Advice and assistance.

Where it is determined that a request should be considered under the FOI Act, the SSRO will record details about the request and the due date for a response (being 20 working days from the date of receipt).[footnote 2] A staff member will be allocated to respond to the request.

Each request will be allocated a reference number (RFI XXX) that will be reported to the requester and used in any correspondence on the matter.

5. Acknowledging receipt and acceptance of a request

An email[footnote 3] acknowledging receipt of an FOI request will be sent to the requester within two working days of receipt. This will confirm the reference number allocated to the request and the date by which a response will be provided after the request has been considered. Where the SSRO intends to seek the views of third parties to assist it in determining whether the requested information is exempt from disclosure, it will indicate this to the requester when acknowledging receipt of a request.

If the SSRO has considered the request and determined how it should respond before an acknowledgement is sent, the guidance below on refusing a request or responding to a request will be followed.

6. Refusing a request

The FOI Act provides that the SSRO may refuse a request for information in certain circumstances. Such circumstances include:

  • when it would cost too much or take too much time to deal with the request;
  • the request is vexatious; or
  • the request repeats a previous request from the same person.

Additionally, the FOI Act contains a number of exemptions that, if they apply, allow the SSRO to withhold information from a requester. In some cases, the FOI Act provides that the SSRO may refuse to confirm or deny whether the requested information is held.

These different circumstances are considered briefly below. The SSRO will always consider the guidance the ICO provides on refusing a request.

6.1 Cost of responding

Responding to FOI requests can be a drain on the resources of public authorities. Section 12 of the FOI Act provides that a public authority may refuse a request if it is estimated that the cost of complying with the request would exceed a cost limit specified in the Act.

The appropriate cost limit for the SSRO is currently set at £450. The Act indicates an hourly rate of £25 for staff time (regardless of who does the work) which means any request which requires more than 18 hours of staff time to comply with may be refused.

The cost of the following activities can be taken into account in estimating the cost of complying with an FOI request:

  • determining whether the SSRO holds the information;
  • finding the requested information, or records containing the information;
  • retrieving the information or records; and
  • extracting the requested information from records.

The cost assessment cannot include the time needed to decide whether exemptions apply, to redact (edit out) exempt information, or to carry out the public interest test (discussed in the section on Exemptions). If the costs of these activities are separately considered to place an oppressive burden on the SSRO’s resources, the SSRO may consider it appropriate to refuse the request on the grounds of being vexatious (see below).

6.2 Vexatious requests

Section 14 of the FOI Act provides that the SSRO may refuse to comply with a request that is vexatious; that is, one which has the potential to cause a disproportionate or unjustified level of disruption, irritation or distress, even where that may not be the requester’s intent.

In assessing whether a request is vexatious, consideration may be given to the value or purpose of the request and to the impact (or burden) on the SSRO of handling the request. A request may be considered vexatious where it appears to have little value or serious purpose, or alternatively where the work involved in dealing with a request would impose an unreasonable burden on the SSRO, taking into account the level of resources at the SSRO’s disposal. The key question the SSRO will consider is whether the value and purpose of the request justifies the impact of complying with it.

As noted above, a request might be considered vexatious when the time needed to decide whether any exemptions apply or to conclude the public interest test for any qualified exemptions (which may also necessitate seeking and considering the views of third parties) places an unreasonable burden on the SSRO’s resources.

6.3 Repeat requests

The SSRO can refuse to comply with a request if it is identical or substantially similar to one previously dealt with from the same requester. Repeat requests may be permitted where a reasonable time has passed since the last request and where the information requested is likely to have changed.

If the SSRO receives a request for information that is identical or substantially similar to one from another requester that has already been responded to, the SSRO will direct the requester to the response previously provided.

6.4 Exemptions

Information may be exempt from disclosure under the FOI Act for a number of reasons. The exemptions are identified in sections 21 to 44 of the FOI Act. The ICO provides detailed guidance on each of these.

Exemptions are divided into two types: absolute and qualified. Where an absolute exemption applies the information is automatically exempt from disclosure. Examples include information related to the security services (section 23 of the FOI Act) and information provided to the SSRO in confidence (section 41). Where a qualified exemption applies, the SSRO will need to consider whether the public interest in maintaining the exemption (and withholding the information) outweighs the public interest in disclosure. Examples include information that is intended to be published in the future (section 22) and information whose disclosure may harm the defence of the UK (section 26) or the commercial interests of the SSRO or another organisation (section 43).

For each exemption under the FOI Act, the ICO guidance identifies factors that should be considered in deciding whether the exemption applies and, for qualified exemptions, factors that should be considered in applying the public interest test.

6.5 Refusal notice

If any of the circumstances for refusing a request apply to all or any part of an FOI request, the SSRO will send the requester a written refusal notice. This applies whether the SSRO is refusing to say whether it holds the information requested or is confirming that the information is held but is refusing to release it. In most cases the refusal notice will be issued within 20 working days of receipt of the request.

The refusal notice will include:

  • the grounds for refusing the request with reference to the relevant section of the FOI Act;
  • details of the SSRO’s internal review procedures; and
  • details of the requester’s right to appeal to the ICO.

6.6 Advice and assistance

The SSRO has a duty under the FOI Act to provide advice and assistance to anyone who has made or is thinking of making a request for information. This might be appropriate when, for example, a request is ambiguous or unduly burdensome.

If a request is ambiguous, the SSRO will seek clarification from the requester on what information is required. This might include explaining the types of information that are held by the SSRO relevant to the area of interest.

When a request is refused on the basis that responding to the request would exceed the appropriate cost limit or because it is unduly burdensome, the refusal notice will, generally, identify ways in which the refused request might be amended in order to fall within the appropriate cost limit or be less burdensome.

Providing advice on the framing of an alternative request does not guarantee that the information requested under an alternative request would not be exempt from disclosure under the FOI Act. That would need to be considered on a case-by-case basis.

The time limit for responding to an FOI request (20 working days) will be reset where the SSRO receives a revised request after seeking clarification.

7. Responding to a request

The FOI Act requires that a response to an FOI request be provided within 20 working days from receipt.

When responding to an FOI request, attention will be paid to any particular requirements indicated in the request, for example, for information to be supplied in a specific format. If information cannot be supplied in the format requested, the SSRO will indicate to the requester the formats which are available and seek clarification from the requester on which they require.

7.1 Extending the period for providing a response

The period in which a response to a request is provided may be extended where this is necessary to consider the public interest test in cases where a qualified exemption under the FOI Act is engaged. The ICO guidance notes that additional time may be needed where the information requested is especially complex or voluminous, or where it is necessary to consult third parties.

The ICO considers that a reasonable extension of time to consider the public interest test should normally be no more than an extra 20 working days, which is 40 working days in total to deal with the request.

If the period for considering the request is extended because the SSRO is engaging with external parties for the purpose of considering the public interest test, this will be made clear to the requester when advising them of the time extension.

7.2 Publishing responses

As part of its ongoing commitment to transparency, the SSRO publishes details of the FOI requests it has considered and the responses it has provided to these. Following the conclusion of the SSRO’s consideration of an FOI request, the SSRO will prepare a copy of the response (or refusal), with personal information (such as requester name and address and SSRO staff details) redacted as appropriate. This will be published on the SSRO’s website.

8. Requests for information on qualifying contracts

An FOI request may seek disclosure of information held by the SSRO about qualifying defence contracts and qualifying sub-contracts. The SSRO will take particular care when considering whether and how to respond to such requests, informed by legal advice.

The information held by the SSRO about qualifying contracts has, generally, been provided to the SSRO by the Ministry of Defence (MOD) or by its suppliers (contractors) to the Secretary of State and the SSRO in fulfilment of the reporting obligations established by the Defence Reform Act 2014 (DRA) and Single Source Contract Regulations 2014 (SSCR). Under Schedule 5 of the DRA and Part 10 of the SSCR, it is a criminal offence for persons (including the SSRO) to make unauthorised disclosures of certain information provided under the regime.

In deciding how to respond to a request for information on qualifying contracts, consideration will be given to the application of relevant exemptions under the FOI Act including:

  • Security bodies (section 23);
  • National security (section 24);
  • Defence (section 26);
  • Information provided in confidence (section 41);
  • Commercial interests (section 43); and
  • Prohibitions on disclosure (section 44).

The SSRO will consult the MOD’s Single Source Advisory Team (SSAT) to reach a view on whether an exemption applies to any information requested related to qualifying contracts. When consulting SSAT, details of the FOI request will also be provided to the MOD’s FOI team who can advise whether the MOD has received and considered a similar request for information and may provide general advice on the handling of the request. Both teams will be kept informed of the SSRO’s progress in handling and responding to requests for information related to qualifying contracts.

If appropriate in the circumstances and to the extent allowed by the time limits for compliance under the FOI Act, the SSRO will also consult the relevant contractor(s). This is particularly the case where disclosure of the requested information may affect the interests of the contractor.

When seeking information or comment from the MOD or contractors to inform the SSRO’s assessment of whether any exemptions apply to information on qualifying contracts, the SSRO will specify:

  • what information held by the SSRO has been requested;[footnote 4]
  • what information or evidence is required from the MOD or the contractor to assist the SSRO in assessing whether any exemption applies under the FOI Act to the information requested;
  • a clear deadline by which a response is required by the MOD or contractor; and
  • how the SSRO intends to proceed if no response is provided by the specified deadline.

Reasonable efforts will be made to secure a response within the required timeframe.

Any representations on disclosure made by the MOD or a contractor during consultation may not be determinative. The decision whether to disclose information to comply with the FOI Act is a matter in which the SSRO will exercise its discretion, subject to the requirements of the FOI Act.

No information on qualifying contracts will be disclosed without having received and considered the MOD’s views. In cases where only the MOD provides information to assist the SSRO’s decision on disclosure of information, the SSRO may determine the appropriate response taking account only of the MOD’s views.

A request may seek disclosure of multiple pieces of information about a qualifying contract. The SSRO will provide a response or refusal on each piece of information at the earliest opportunity, rather than delay a response/refusal until decisions have been made on all the requested information.

If the SSRO determines that the FOI Act requires disclosure of information relating to a qualifying contract the SSRO will notify the MOD and relevant contractor of that decision before the information is disclosed. The notification will explain the rationale for disclosing any information which either party told the SSRO should be exempt from disclosure. Notice of disclosure will be provided at least three working days in advance of the response being sent to the requester. This will allow for any further representations to be made and considered ahead of the information being disclosed.

9. Internal reviews

9.1 Seeking a review

If a requester is dissatisfied with the way the SSRO has handled their request they may, in the first instance, ask the SSRO to conduct an internal review of this. If, following such a review, they are still dissatisfied they can complain to the ICO.

All communications to the requester will make clear how they may request an internal review and their right, subsequent to any review being undertaken, to complain to the ICO.

9.2 Conducting an internal review

The Chief Executive will be advised at the earliest opportunity that a review has been sought. They will determine whether to conduct the review in person or appoint a member of staff to conduct the review. The reviewer will not previously have been involved in the SSRO’s handling of the request.

The SSRO’s approach is informed by the ICO’s relevant guidance.

  • The SSRO will acknowledge the request for a review and provide a target date for response, which should usually be within 20 working days.
  • The review will be carried out by someone other than the person who issued the initial response.
  • Internal reviews will consider:
    • how the request was handled;
    • the initial response;
    • whether the relevant information was identified; and
    • whether the SSRO wishes to uphold the original exemptions or apply different or additional exemptions.
  • If it is decided that the applicant should be provided with information that was withheld previously, this will be supplied with the outcome of the review or the applicant notified of when it will be provided.
  • The outcome of an internal review will be recorded.
  • The applicant will be informed of their right to appeal to the Information Commissioner.
  • Learning from internal reviews will be used to drive improved performance.

Following completion of the internal review, the outcome will be communicated to the requester.

10. Record-keeping

The following records pertaining to an FOI request will be saved:

  • communications from and to the requester, including information disclosures and refusal notices;
  • communications with external parties whose views are sought to inform the SSRO’s response to the request;
  • details of factors considered when deciding whether to disclose or withhold requested information;
  • the responsible director’s approval of any response or refusal notice; and
  • documentation related to any internal review of the SSRO’s response.

Effective record-keeping will support the administration of the SSRO’s consideration of an FOI request, the conduct of any internal review and the SSRO’s response to any investigation by the ICO of a complaint about the handling of the request.

11. Review of procedures

Where the SSRO’s performance on responding to FOI requests indicates a need for improvement, the application of these procedures and the procedures themselves may be subject to review.

Proposals for improving the procedures for handling, considering and responding to FOI requests should be forwarded to enquiries@ssro.gov.uk.


  1. The SSRO’s Personal Information Charter sets out what people can expect of the SSRO when it holds information about them. The SSRO’s Procedure for responding to Subject Access Requests is available on the SSRO’s website. 

  2. Where a request has been resubmitted following a request for clarification the due date for response will be 20 working days after the date the resubmitted request was received. 

  3. Or letter where no email address is provided. 

  4. Attention will be paid to any handling requirements that apply in respect of the requested information. It may be necessary (or preferable) in some cases to describe in generic terms the information that has been requested rather than to include the requested information when seeking comments on its disclosure.