FOI & EIR Policy

This policy covers the University's responsibilities under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR).

This policy ensures that the University complies with FOIA and EIR by managing the Information 'held' by the University. This includes all information created or received, regardless of format, as well as information held by third parties on the University's behalf.

As a Public Authority, the University is committed to the principles underlying the FOIA and EIR. This legislation provides a general ‘right of access’ to much of the information held by the University, to ensure openness, transparency, and accountability. The University fully recognises this ‘right to access’ and will not restrict access to information unless a statutory exemption applies.  

The University commits to:  

  • Make publicly available all routinely published information via the University’s Publication Scheme FOI publication scheme - Freedom of Information Requests - University of Derby
  • Ensure all requests for information are dealt with in an efficient, timely, and helpful manner, in accordance with the Section 60 Code of Practice on the Discharge of Functions accompanying FOIA and the Section 62 Code of Practice on the Discharge of Functions accompanying EIR
  • Apply due consideration as to whether information should be disclosed in instances where a statutory exemption or exception applies

The purpose of this policy is to outline the University’s commitment to compliance with the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). The policy aims to ensure that the University manages information effectively and transparently, providing access to information held by the University in accordance with legal requirements. This policy promotes openness, transparency, and accountability by ensuring that information is accessible to the public, except where a statutory exemption or exception applies.

The FOIA provides public access to information held by public authorities in two ways: public authorities are obliged to publish certain information about their activities, and members of the public are entitled to request information from public authorities.

The EIR grants a right for any person to request access to environmental information held by public authorities and for public authorities to take steps to proactively make environmental information available to the public.

The University has a responsibility to implement the provisions of FOIA and EIR maintaining a general ‘right of access’ to the information it holds, proactively publishing information via its Publication Scheme, and maintaining its records in accordance with the regulatory environment as set down in the section 61 Code of Practice: Records Management that accompanies FOIA.

The University has a responsibility to implement the provisions of FOIA and EIR. It must therefore maintain a general ‘right of access’ to the information it holds, proactively publish information via its Publication Scheme, and maintain its records in accordance with the regulatory environment as set down in the section 61 Code of Practice: Records Management that accompanies FOIA. 

The Data Protection Officer, along with the Assurance Team within Legal, Governance & Assurance Services has overall institutional responsibility for ensuring compliance with this Policy and acts as a central point of contact for enquirers. It has responsibility for:  

  • Managing and responding to non-routine Information Requests where the Act's exemptions or exceptions, as appropriate, apply
  • Developing guidance and training for staff on FOI and EIR issues
  • Developing and maintaining the University’s Publication Scheme
  • Providing the administrative structure for all Requests for Review received under FOIA and EIR
  • Coordinating contact between the University and the Information Commissioner, including statistical returns, as required, Investigations, Appeals, and the Publication Scheme

Responsibilities of Specific Roles

College PVC Deans, Principal Buxton & Leek, Professional Services - Department Directors and Associate Directors, and other appropriate senior management

  • Ensuring compliance with this policy

Data Stewards

  • Liaising with the Assurance Services to retrieve information and respond to non-routine requests for information
  • Collating and checking the accuracy of responses from their College/Service area
  • Liaising with the Assurance Services regarding contributions to the University’s Publication Scheme from their School/Service
  • Providing advice and guidance to their own College/Service area

All Members of Staff

  • Familiarising themselves with this Policy and associated guidelines
  • Providing general advice and assistance to those requesting information
  • Seeking advice from and liaising with their local Data Steward as soon as possible after receiving a request
  • Managing documents and records in accordance with University procedures
  • Responding to routine “business as usual” requests for information

Note: Compliance with this Policy is compulsory for all staff of the University of Derby (this includes, but is not limited to any person contracted, on fixed terms, temporary, associate, or visiting staff member). Any member of the University who fails to comply with this Policy may be subject to disciplinary action, through the appropriate policy or channel. 

Receipt of Request

Initial Assessment

  • Assurance Services will conduct an initial assessment to determine whether the request is valid under the FOIA or EIR
  • Acknowledge receipt of the request within 5 working days, informing the requester of the expected timeframe for a full response

Information Gathering

  • The request is then assigned to the relevant Data Steward or department to gather the required information
  • Data Stewards are responsible for ensuring the accuracy and completeness of the information provided

Review and Approval

  • Once the information is collected, Assurance Services will review it to ensure compliance with FOIA/EIR requirements
  • If exemptions or exceptions apply, Assurance Services will consult relevant senior management as necessary to determine the applicability of these exemptions
  • Assurance Services will prepare the final response, including any redactions or where applicable, explanations for withheld information

Response to Requester

  • Provide a formal response to the requester within the statutory 20 working days deadline, unless an extension is justified and communicated
  • Ensure that the response is clear, and concise, and includes all relevant information or reasons for any withheld information

Appeal and Complaint Process - Internal Review

  • If the requester is dissatisfied with the response, they can request an internal review, via the Appeals and Complaints process within 40 days of receiving the initial response
  • The internal review will primarily be conducted by the University's Data Protection Officer or other appropriate senior management who were not involved in the original decision
  • The review will be completed within 20 working days, unless we consider more time is required, in either situation the requester will be informed of the outcome and any further steps

Escalation to Information Commissioner

  • If the requester remains dissatisfied after the internal review, the requestor can escalate their complaint to the Information Commissioner’s Office (ICO)
  • The Data Protection Officer and Assurance Services will cooperate fully with any ICO investigations or inquiries

Data Protection Officer - University of Derby

Need advice?

Contact Assurance Service by emailing foi@derby.ac.uk for Information requests, or gdpr@derby.ac.uk for data protection-related requests.

August 2021

  • Policy updated, web page created

August 2023

  • Change to DPO details

June 2024

  • General review and updates to teams structures