Assessing compliance

Public-sector organisations must evaluate existing FOI procedures to help improve organisational efficiency. By Steve Bailey.

So, how has it been for you? Are you being celebrated as a soothsayer, for the timely introduction of proportionate measures that are enabling your organisation to ride the wave, or are you slowly slipping beneath the surface and drowning in a sea of unanswered requests? Perhaps you are in the seemingly enviable but ultimately worrying situation of presiding over an expensive and elaborate set of systems and procedures that could easily process one hundred requests a week, but is actually only required to deal with two per month.

The simple fact is that most public authorities in the UK had to plan and build their preparations for FOI based on a series of unknowns. No one could predict the number or nature of the requests they would receive with any degree of accuracy. Would it be a flood or a trickle? Would it be uniform across, or even, within sectors? Or, would numbers be constant, or peak and trough in relation to events? There were some global FOI regimes from which some parallels could be drawn, but differences in legislation, combined with other cultural and social factors made comparison difficult.

Thankfully, we have now survived just over half a year of living with the Act and have come through more or less unscathed. As well as being cause for some cautious celebration, this also presents the ideal opportunity to take a step back and reflect on exactly how well we are coping. We now have a significant corpus of knowledge and experience against which to assess the suitability and effectiveness of the measures we put in to place. This workshop will examine the ways in which we can start to pull this information together, and consider some of the actions possession of such knowledge may lead to.

Why bother assessing compliance?

Some might say that we’ve survived up until now and should merely forge ahead, continuing with processes that we know work. This does have some merit, particularly to those fond of the old maxim, “if it ain’t broke, don’t fix it”.

Of course, this is always a vast over-simplification. To use a motoring metaphor, an engine may not be broken, but it and its owners will still benefit from regular servicing to help keep it running smoothly and performing to optimum levels.

While you may be managing to complete every request within 20 working days, it could well be the case that it is taking up far more staff time than it should, due to problems in locating and accessing the information required.

It is perfectly possible to be meeting your obligations under the Act, while causing significant disruption to other areas of the organisation, draining resources and skewing priorities. Perhaps you are managing to pull everything together on day 19 after much fevered activity and an all hands to the pumps effort. But at what cost? As well as being damaging to the overall function of the organisation, it is almost inevitable in such circumstances, that events will eventually combine and create a situation where compliance with the Act is impossible.

It may also be the case that the opposite is true. Perhaps you have over-engineered each process, subsequently creating layers of unwanted and unneeded bureaucracy. While this may mean that you are in no danger of falling foul of the Information Commissioner, the same result could probably still be achieved, safely, at half the time and cost.

Compliance, efficiency and proportionality should be our goals, and now is definitely the time to see how close we are to achieving them.

Scope

So what areas should we be looking to include within the scope of our review? I would suggest the following list of processes as a starting point:

The receipt, logging & tracking of requests;
The decision making process (in relation to disclosure, exemptions, fees etc);
The appeals process;
Locating and accessing information;
Preparing information for release,
Staff awareness and training.

For each of these – and whatever others you may identify – you are looking to answer the following basic questions:

What is our current process for achieving this task?
Is it documented and widely understood?
Is the process over-reliant on one key person?
What is the most time-consuming part of the process?
How important is it and could it be removed/improved?
Is the process consistently applied?

If it is deviated from, why is this so?

Lack of staff training and awareness
Too time-consuming
Doesn’t achieve required results
Too many ‘exceptions to the rule’
Technical constraints
Operational constraints
Lack of resources

What is needed to improve the process?

New policies/procedures
Staff training
Technology

This is, by no means, an exhaustive list, but applying it to each of the areas and processes affected by FOI should provide you with a useful snap-shot of the state of your compliance measures. In particular, it should help identify any gaps or weaknesses that need to be strengthened, and any redundant processes that can be streamlined.

Locating the good, the bad and the ugly

It is one thing to define your scope and agree your criteria but quite another to actually obtain the information you are seeking. Indeed, the ease with which you can answer these questions is likely to be a good indicator of the general level of compliance. Effective, well understood and well documented processes should be relatively easy to audit.

The following techniques can often ease the information retrieval process:

Review past requests

Pick a random selection of requests received over the past six months and assess exactly how each was resolved. You will need to look at the formal documentation produced by your organisation – normally a request log or similar – to determine how long the process took, who was involved, what information was requested and what was released under the request. It will also require you to speak with those involved to assess their own contribution and what they thought of the process. What lessons can be learnt? What was the main problem encountered? Which single process would you approach differently, if you received the same request again? What worked well and what could be built upon?

‘Mystery shopper’ exercises

This can be done either as an overt exercise, where all concerned know that the request they are dealing with is part of a practice run, or covertly, where it is assumed by all concerned that it is a genuine request. In both cases, the objective is to observe the process in ‘real-time’, noting areas where it breaks down, struggles, or is over-reliant on key individuals. If you opt for the covert approach, you will need to think carefully about the nature of the request and the amount of effort you want your organisation to devote in responding to it (bearing in mind that your colleagues may not appreciate dropping everything and spending days processing for no particular reason).

Such dry runs are particularly useful as they provide you with the opportunity to select requests that you know will be contentious or difficult to resolve, such as applying for information held by a department notorious for poor information management. This approach also allows you to play with the variables to highlight other potential problems, for instance, what happens when a key member of staff is away from the office?

The exercise can be great for highlighting problems to staff and management in a clear and convincing manner – but, only if the examples you choose are fair and representative.

Include checks as part of a formal audit

All organisations are likely to undergo regular inspection from both internal and external auditors. As well as an audit from a financial perspective, they will often include a review of processes at work within the organisation, and their effectiveness – particularly if they have legal ramifications. Persuading your internal auditors to include your FOI procedures as part of an inspection could have several advantages. First, it will ensure that your process review is taken seriously within the organisation. Second, it will ensure your processes receive a rigorous and professional review conducted by those trained in the art and third, it will have the benefits of professional distance and detachment from the processes under scrutiny.

Steve Bailey is records manager for the Joint Information Systems Committee (JISC) at the University of Bristol