FOI Standard and Procedure

1. Purpose & Objective

This Standard and Procedure sets out the British Business Bank Group’s approach to managing Freedom of Information (FOI) requests. For the purpose of this document, the terms “BBB” and “Bank” refer to British Business Bank plc and its subsidiaries.

The key objective of this document is to establish a consistent approach to manage FOI requests to ensure BBB can meet its legal obligations under the Freedom of Information Act 2000 (FOIA).

2. Scope

FOIA applies to all recorded information held by BBB, created or received during the course of its business, regardless of where the information is located, its age, or format, e.g., printed documents, information held on computers, letters, emails, handwritten documents, photographs, images and sound or video recordings, and Teams messages. 

This Standard and Procedure applies to all teams and functions of BBB and all individuals operating under the control of BBB, including employees, directors, interns, contractors, secondees, agents and board members that hold BBB information. 

Non-colleagues will receive, via their agency, a condensed version of the Bank’s Policies from HR.

3. Freedom of Information Act

The FOIA applies to all public bodies in England, Wales and Northern Ireland.  As BBB is wholly owned by HM Government, it is subject to the FOIA. 

The FOIA provides public access to recorded information in two ways: 

  • Proactively publishing information (transparency) via its Publication Scheme; and
  • Responding to FOIA requests 

It is a criminal offence to deliberately alter, deface, block, erase, destroy or conceal any record with the intention of preventing the disclosure of information to an applicant (s.77 FOIA).  

4. Publishing Information (Publication Scheme)

Section 19 of the FOIA requires public authorities to be transparent and to publish information in accordance with the Information Commissioner’s model publication scheme.  

More detailed information regarding the Bank’s Publication Scheme can be found in the Data and Information Management Policy and the Proactive Publication Scheme Standard.

The Bank’s publication scheme is on the BBB Transparency webpage at Transparency - British Business Bank (british-business-bank.co.uk) and individual Business Units are responsible for ensuring the relevant information is published in accordance with its legal obligations.  

5. Making an FOI Request

Any person or company (a Requestor) from anywhere in the world can make a written request for recorded information held by a public authority, and the public authority is obliged to disclose the information unless an exemption applies. If a third party holds recorded information on behalf of the public authority, the information is considered to be held by the authority and subject to FOIA.

6. Identifying an FOI Request

The majority of FOI requests received by the Bank are made via the Bank’s online request form or email to the Bank’s FOI mailbox; however, a request can be received by anyone in the Bank, so it is important all colleagues can recognise an FOI request to ensure it is handled through this procedure and in compliance with the FOIA.

Valid FOI Requests

A valid FOI request must:

  • Be in writing (email, letter or social media)
  • Give a real name and a return address (email, postal, social media)
  • Be clear and meaningful

If a request does not  comply with the above, the Bank  will ask the Requestor for clarification before accepting and progressing the request further. If a Requestor does not provide clarification within 30 days, the request will be closed. 

Business as Usual

For practical purposes, if a request can be answered as a business-as-usual enquiry (in full and quickly),  there is no need to treat it as a formal FOIA request, for example a question about a particular scheme, social media tweets, etc. 

However, if a request explicitly refers to FOI or any of the following factors apply, it must be treated as an FOI:

  • information is held by more than one Business Unit
  • you cannot provide the requested information straight away 
  • the Requestor makes it clear they expect a response under the Act  
  • some (or all) of the requested information may be refused to the applicant 

If you receive a request which you think should be treated as an FOI request, you must promptly forward it to the FOI team at [email protected].

Guidance on identifying an FOI request is available on the ICO’s website here: https://ico.org.uk/for-organisations/foi.

7. Vexatious or Repeated FOI Requests

We are under no obligation to comply with a request which is vexatious or repeated. 

A vexatious request is a request intended to be annoying or disruptive or which has a disproportionate impact on a public authority.  Examples of a patently obvious vexatious request might be where threats have been made against employees, or racist language used. 

The FOI  team is responsible for identifying cases where a request may be vexatious. 

For further information on vexatious requests, please consult the ICO’s guidance here: https://ico.org.uk/media/for-organisations/foi/freedom-of-information-and-environmental-information-regulations/section-14-dealing-with-vexatious-requests or speak to the FOI team.

8. Time Limits and Clarification

Our obligation under the FOIA is to respond to requests promptly and not later than 20 working days from receipt of the request, counting the first working day after the request is received as the first day.
The exceptions to the 20 working days include: 

  • If the FOI team has asked the applicant for further information (clarification), the request is not yet valid and the 20 working days deadline only starts when sufficient clarification has been received
  • If the FOI team has agreed to the public interest test extension that provides the Bank a further maximum 20 working days to consider the public interest when using a qualified exemption. 

9. Reasonable Searches

The Bank is required to carry out reasonable searches to comply with a request and is obliged to collate the information regardless of whether or not it will be disclosed. The only exception is if the time to identify, locate, and retrieve the information would exceed the costs limit, which for a public body is set at 18 hours (The FOI and Data Protection (Appropriate Limit and Fees) Regulations 2004). If it is estimated that the costs will exceed the 18-hour limit, we can apply a section 12 exemption, but the decision needs to be made in consultation with the FOI team and fully documented.

Reasonable searches mean a check of the relevant records and systems including, but not limited to, emails, shared drives, One Drives, Teams, IT systems, and physical files. Colleagues are responsible for carrying out these searches, but in some cases the FOI team will instruct IT to carry out the searches, where it is considered to be more efficient and effective, or information may be held by different people across different systems. 

A description of what searches have been carried out needs to be documented in the Request Information Form in case there is a challenge as to how a request has been handled (Appendix D). 

10. Applying exemptions

The intention of the FOIA is to promote transparency and public accountability, but not all information can or should be released. The FOIA has a number of exemptions that public bodies can consider applying if they have concerns about disclosing information, for example personal, legally privileged, or commercially sensitive information.

Appendix A lists the exemptions that BBB is more likely to use. 

The FOI team will work with the Business Areas to determine if an exemption applies and its use complies with the FOIA.

Legal will be engaged on the following, as a minimum:

  • All FOI requests relating to GWS, BBLS, SUL, and FF Schemes,
  • All Internal Reviews
  • All matters referred to the ICO
  • Any FOI requests which BBI, BPC or any product or other team ask for Legal’s involvement on.

11. Redacting Information

Redacting is the deliberate action to permanently ‘censor’ or ‘obscure’. 

Redaction is used to censor specific pieces of information. If a document contains information that is considered to be exempt, we are obliged to redact the specific information rather than exempt the whole document.  Types of information commonly redacted include personal data, commercially sensitive and legally privileged information.  

The redactions must be permanent and irreversible, for example by:

  • Releasing data in CSV format to allow reuse, with any hidden data removed
  • Releasing information in PDF format using specialist redaction software

The Information Asset Administrator and the Business Area are responsible for identifying the information they consider to be exempt and to justify why. The information needs to be marked for redaction and discussed with the FOI team and, where necessary, other relevant stakeholders. 

The FOI team will implement the redactions for the final response and retain a copy of the marked redactions and the permanent redactions.

12. Procedure Summary

The procedural activities are described in the RACI table (Appendix C), but in summary: 

12.1 Triage and logging

Requests for information are received via the [email protected] mailbox. 
Each request received is assessed via a triage process to determine the following: 

  • Does the request fall under FOIA? 
  • Does the request fall under EIR (Environmental Information Regulations)? 
  • Does any of the information requested constitute a right of access request under UK GDPR? 
  • Does the request fall outside the above regimes? 

More detailed guidance on the process for assessing a request can be found in the D&IG Internal team Process - Managing the Inbox.

If the request is a request for information under EIR, D&IG will work with the relevant team by following the FOI request management process, outlined in this FOI Standard, taking into consideration the slight differences in Exemptions versus Exceptions as detailed in the D&IG EIR Guidance. 

The FOI team acknowledges and logs all valid requests on the FOI register and the internal FOI tracker and contacts the applicant if further clarification is needed. The FOI team will make the relevant IAAs aware of all open requests and, where necessary, seek advice regarding the handling of the request.

Valid requests are forwarded to the relevant Information Asset Administrator(s) with the Information Request Form (Appendix D) and, in any of the circumstances described in section 10 above, to Legal, and tracked to help ensure timely responses.

12.2 Searches for information, collation and redaction 

The Business Area(s) carry out reasonable searches to identify and retrieve the information being requested and complete the Information Request Form (see section 9 above) to provide an initial response, identify potential disclosure concerns, and confirm the information has been checked by a Director or above (four-eyes check). 

Where information is considered exempt, the information must be highlighted, and the FOI team, the IAA and any other business colleague to whom the request may have been escalated must be consulted to determine what exemption may apply and why. See section 10 for details of when the Legal team must be consulted.

12.3 Initial response and disclosure decisions 

The FOI team will review the Information Request Form and the collated information and, in consultation with the relevant stakeholders, produce a draft response considering any prejudice and public interest-based tests.

12.4 Final response 

The Information Asset Administrator(s), any other relevant members of the Business Area and, where appropriate, the Legal team, will review/input on the draft response including checking for hyperlinks and redactions. The FOI team will then produce a draft final response for approval by the Information Asset Owner and, where appropriate, the Legal team. The FOI team will create the final response and, where possible, send it in PDF and / or CSV format. 

Where data is provided (for example, data supplied by the BI team or raw data extracted from a business system) then the data owner will also be engaged to provide their approval. In most cases the Data owner and IAO are the same individual.

Prior to sending, the FOI team will carry out a second four-eyes check to quality assure the response, in particular to ensure that all hyperlinks are working and redactions have been permanently applied (see Appendix F). No changes of any substance will be made without first referring back to the relevant Business Area and (where it has been involved) the Legal team.

13. Roles and Responsibilities 

13.1 All Employees 

All employees are responsible for:  

  • Forwarding new FOI requests to [email protected] 
  • Assisting with the handling of a request when asked (e.g., searching for information)

13.2 FOI Officer / team

  • Monitor the FOI email inbox, triage, log and allocate requests 
  • Provide FOIA specialist advice, guidance and templates
  • Liaise with internal stakeholders (e.g., Legal, Communications, etc.) 
  • Help ensure responses comply with FOIA requirements
  • Apply permanent redactions 
  • Maintain records of all requests and responses
  • Liaise with the applicant (clarification, response, updates) 
  • Monitor compliance with this procedure
  • Produce FOI performance reports for Management
  • Prepare and implement FOI training for colleagues 

13.3 Information Asset Administrators

Business Areas will nominate at least one person to act as an Information Asset Administrator to be able to lead on the requests within their respective Business Area to: 

  • Act as single point of contact with the FOI team 
  • Coordinate searches to identify, locate and collate relevant information
  • Physically review the information held   
  • Ensure redactions are clearly marked for information subject to an exemption
  • Complete the Information Request Form 
  • Consult with the FOI team to consider / document use of exemptions
  • Liaise with relevant third-party stakeholders to consider any disclosure concerns 
  • Ensure completion of the four-eyes check of the initial response (relevance, accuracy)
  • Obtain IAO sign off 
  • Ensure all required training is completed 
  • Advise their business unit of their FOIA obligations 
  • Assist where necessary with Internal Reviews 
  • Ensure relevant information is uploaded onto the publication scheme 

Legal team will be consulted on all FOI requests around certain products (see section 10)

  • Review all internal reviews and correspondence from/to the ICO 
  • Lead on appeals and Information Tribunal proceedings
  • Maintain the Disputes Register

13.6 Risk and Compliance 

  • Compliance monitoring  

13.7 Line Managers 

  • Ensure direct reports complete the relevant FOI eLearning module and other training to fulfil any additional or specific FOI duties.

13.8 Chief Officers 

The Chief Operating Officer is the strategic lead for the FOI process, but the IAO for the business area will be required to make a final decision in conjunction with their ExCo member, and by consulting with General Counsel or Deputy General Counsel to reach a mutual decision, on the release of information, in the event that a Business Area / stakeholders cannot reach agreement.  

13.9 Chief Executive Officer

S.36 FOIA allows a public authority to exempt information if its disclosure would prejudice the effective conduct of public affairs, but the use of Section 36 must be approved by the Qualified Person.

The Bank’s Qualified Person is the Chief Executive. If the Bank wants to consider the use of s.36, the Chief Executive Officer must approve the proposal, and their decision must be recorded.

14. Internal Reviews 

If an applicant is dissatisfied with the handling of their FOI Request, they can request an internal review within two months of receiving the response to their FOI request.  This may happen when an applicant: 

  • believes we hold more information than we have disclosed
  • is still waiting for a response and is unhappy with the delay
  • disagrees with the use of an exemption

The internal review must be undertaken by someone other than the person who took the original decision, in order to ensure that there is an objective review to re-evaluate the initial handling of the request and pay particular attention to concerns raised by the applicant (e.g., how the request was handled, what searches were made, information checked, colleagues involved, reasons for the decisions and response).  The Internal Review Form (Appendix E) has been created to help document the key information and decisions taken as part of the Internal Review. The Legal team must be promptly notified of and consulted on all internal reviews.

Internal reviews are expected to be completed within 20 working days, but the maximum time is 40 working days for more complex cases; delays must be communicated to applicants.

An internal review can have the following outcomes:

  • Where the original decision is reversed the applicant must be told and the information provided to them. 
  • Where the original response is upheld, and the internal review decides against release, the applicant must be made aware of their further rights of appeal to the ICO. The FOI team must also ensure that full contact details for the ICO are provided to the applicant.
  • Where the original response is revised, both approaches discussed above should be applied to the appropriate sections of the request.
  • If the internal review upholds the original decision (as at the date of the request, the information was exempt from disclosure), you may wish to release further information if circumstances have changed and the original concerns about disclosure no longer apply. You are not obliged to do this, but it may resolve matters for the applicant and reduce the likelihood of them making a complaint to the ICO if you do.

15. Information Commissioner’s Office  

The ICO has a duty to investigate complaints made by members of the public who believe that an authority has failed to respond correctly to an information request. Complaints made to the ICO should be dealt with in the same way as an internal review and in each case in accordance with any specific instructions/deadlines agreed with the ICO on a case-by-case basis. If someone makes a complaint about a public authority, the ICO gives the authority an opportunity to correct any mistakes that may have occurred without the introduction of any formal action.

The FOI team will lead on the ICO cases and notify Legal who will log the complaint on the Bank’s Disputes Register.  The FOI team will work with colleagues to review the handling of the request and prepare the response. Legal must be involved with all matters referred to the ICO, and review/input to/approve all substantive correspondence regarding any complaint. 

The ICO will issue a Decision Notice to confirm if the public authority has complied with the law and has the right to instruct specific actions, e.g., to disclose additional information.  The parties affected by the Decision Notice can appeal and if that happens, Legal will take the lead on the potential proceedings which will be dealt with in accordance with the Disputes Management Policy and Disputes Management Process.

16. FOI Risks, Incidents, and Controls

The Bank is legally obliged to comply with FOIA and the Information Commissioner can take enforcement action where it considers an organisation has not fulfilled its FOIA duties. 
The risks related to FOIs include: 

  • Not responding to requests promptly or within the statutory deadlines
  • Responses don’t comply with the legal requirements (e.g., explain use of exemptions)
  • Incorrect arguments are used or inadequately articulated
  • Information released is inaccurate or incomplete or released in error 
  • Complaints from applicants involving the Information Commissioner’s Office
  • Failure to follow the FOI Standard

If one of the above risks occurs, in consultation with the FOI team, it will be logged against the relevant Business Area via the Risk Incident Reporting Process - tasks and guides (british-business-bank.co.uk).

The controls to the above risks include:

Control Reference: C_LIB_IM_01_12
Control Title: Compliance with the Freedom of Information Act
Description: Each Business Unit has in place an Information Asset Administrator (IAA) to take the lead and coordinate FOI requests for their Unit and provide the response to the D & IG Team within agreed timescales set out in the FOI Standard in order to comply with the FOI Act. The D & IG Team logs, acknowledges and forwards the request within 2 working days of receipt to the relevant IAA and then tracks open requests and sends reminders to the IAA to ensure time compliance.
Frequency: Continuous

Control Reference: C_LIB_RM_01_7
Control Title: Completion of Mandatory / E-learning training
Description: Every Line Manager ensures that their Team completes all e-learning modules in line with their training timetable. The Line Manager reviews completion statuses for their team via the e-learning portal and puts in place actions to manage non-completion.
Frequency: Annually

17. Record Keeping

The FOI Officer team retains the records on behalf of the Bank, which includes the FOI Register, the FOI tracker, the request, associated templates and final response. These records will be kept for 3 years, from the end of the financial year the request was closed.  In the case of the FOI Register, after 3 years the details will be deleted or anonymised.  

18. Compliance and Performance Reporting 

This Standard and Procedure has been written to help the Bank comply with FOIA.  It is important that colleagues who handle FOI requests follow the procedure because applicants have the right to approach the Information Commissioner to ask them to review the way we have handled their request.

The Information Commissioner upholds information rights and can take enforcement action if they believe a public body has not complied with the FOIA. The usual enforcement is to issue decision notices as to whether an organisation has complied with the FOIA when handling a request. However, more serious cases can result in formal recommendations to improve, an audit of an organisation’s practices, or prosecution if there is evidence of an organisation (or employee) intentionally blocking, concealing, or deleting information that the Requestor had requested and to which they were entitled. 
The FOI team will monitor the Bank’s compliance with the FOI procedure and produce performance reports to the relevant Committees.  

19. Further Information 

For further information, please contact the BBB FOI team at [email protected].

Further information on the Freedom of Information Act can be found on the Information Commissioner’s web site at https://ico.org.uk/foi

Appendix A – FOIA Exemptions

The table below lists the exemptions the Bank is most likely to use, but details about all the exemptions and examples of their use are available on the Information Commissioner’s website at “When can we refuse a request for information?” (ICO).

FOIA Section No: 21
Description: Information already reasonably accessible
May apply if the requested information can be obtained elsewhere, for example another organisation, website, etc.
Type: Absolute

FOIA Section No: 22
Description: Information intended for future publication
May apply if the requested information is intended to be published, for example annual accounts. To use, there must be a settled position to publish before the request is received, and the exact information has to be published.
Type: Qualified

FOIA Section No: 22A
Description: Research Information
Similar to 22, but may apply to the raw data that has been created or used for the research to support the information or report due to be published.
Type: Qualified

FOIA Section No: 31
Description: Law enforcement disclosure
May apply where disclosure of the information may prejudice or would be likely to prejudice various law enforcement purposes, for example crime detection or prevention, administering justice or enable the commission of an offence. For example, giving requestors complete details of BBB’s IT systems could leave them victim to cyber-attacks.
Type: Qualified

FOIA Section No: 36
Description: Prejudice to the effective conduct of public affairs
Rarely used, but may apply where disclosure may inhibit the free and frank exchange of views or otherwise prejudice the effective conduct of public affairs. Use has to be authorised by the Chief Executive Officer.
Type: Qualified

FOIA Section No: 40
Description: Personal Data
This is an exemption from the right to know where the information requested is personal data protected by the DPA.
Type: Qualified / Absolute

FOIA Section No: 41
Description: Information provided in confidence
This exemption applies for information that was provided to the public authority in confidence.
Type: Absolute

FOIA Section No: 42
Description: Legal professional privilege
This exemption applies to protect confidential communication between lawyers and clients. It is a fundamental principle of English Law.
Type: Absolute

FOIA Section No: 43
Description: Commercial Interests
This exemption applies to exempt information whose disclosure would, or would be likely to, prejudice the commercial interests of any person.
Type: Qualified


 
