There are several approaches you can take. Here are the three most popular.
Make it a Sensitive FOI
This is an FOI request (or FOISA) that requires personal data in the answer which you feel should be protected as if it were a SAR.
Let’s say there are 5 parts to the question which is generally about compensation and part 3 asks you about the applicant’s specific compensation but the rest are about general rules and amounts over the last couple of years.
Make it a SAR
It may be that the request is so peculiar to a person that it is really a SAR. This happens occasionally and is a natural solution which immediately covers you for any possibility that the data will be published outside your organisation. It will also not be seen by those without “Private” Request Type access.
Make two IRs: a SAR and and EIR
There may be a number of questions in the IR and you can create two IRs. Part 3 could be a SAR and parts 1,2,4&5 could be sent out in a second IR which was classified as an FOI request.
Which to choose?
Obviously, the first is the simplest. The advantages of a “sensitive” FOI (FOISA, EIR, etc.) are that they are excluded from the public disclosure log and are not seen by any staff whose access excludes Private request types.
The automated emails will have been set up so that they do not expose PII in the wrong places. Policies and workflow procedures would need to be in place so that the information management team know to make the subject line “Bill Smith’s Compensation” (in the above example). Rather they might make the correspondence subject “Potholes Compensation”.
The only other thing to consider is triage speed. Once you have set an IR as FOI, some automated triggers may have been launched. That needs to be taken into account before changing the request to a Sensitive FOI or SAR after a week of activity. Occasionally, however, it is not obvious up front or senior staff are not present an a mistake is made.
What are Private Request Types?
Generally these would be SARs, Sensitive FOIs and some that are specific to different jurisdictions. Examples include: CAFCAS in UK and Procurator Fiscal in Scotland. See the FAQ article about how their behaviour differs in the AXLR8 system.