CoreShare
FOI Star · FOI request management for NHS trusts

Reduce FOI response costs. Improve response efficiency.

FOI Star is a tool to store, track and fulfil every Freedom of Information request in your organisation — with the added power of AI finding past answers and drafting responses, and a person approving every disclosure. One deadline-aware system, every request evidenced, from receipt to publication.

Worth five minutes of your time if your FOI team lives in a shared mailbox and spreadsheets, your on-time rate is drifting, or the ICO's 2025 enforcement run against NHS trusts has reached your risk register. What follows: why now, how it works, what it costs — and the arithmetic of what it saves.

The statutory clock — FOIA s.10 Day 1 → Day 20
Request receivedResponse due
From Coreshare — an established supplier to NHS trusts Ten years delivering for top-10 pharma EcoVadis Silver rated
Why now

The regulator is now watching the clock. So should you.

Late FOIs are an enforcement risk, not just a backlog. During 2025 the ICO took formal action against at least ten NHS bodies for FOI failings — six served enforcement notices, from Dorset County Hospital in February to Cambridge University Hospitals in October 2025. Every one is public, on the regulator's own register.

82%
Average on-time compliance across a 31-trust ICO sample
ICO · Jul 2025
90%
The ICO's benchmark — its action plans require at least 90% on time
ICO action plans · 2025
71%
On-time rate at large trusts, with an 86-request backlog
ICO · by trust size
10+
NHS bodies subject to formal ICO action for FOI failings during 2025 — six served enforcement notices
ICO regulatory action register · 2025
67 of 222
Open requests more than a year old when Cambridge University Hospitals was served an enforcement notice; quarterly compliance had ranged from 14% to 50%
ICO · 23 Oct 2025
17%
On-time rate at one trust served an enforcement notice — despite a digital FOI platform in place
Nottingham Univ. Hospitals · Q4 2024/25
Little or no tracking and monitoring: responses rarely issued in line with statutory timescales.
— ICO FOI self-assessment toolkit, part of its "Unsatisfactory" rating criteria

In other words, the regulator treats the absence of a proper tracking system as the failure itself. That is precisely the gap this product closes.

One caution from the same casebook: the trust behind that 17% had already implemented a digital FOI platform — eighteen months before its enforcement notice. The software did what software does: it revealed far more open requests than the roughly 250 the trust believed it had — by April 2025 the count stood at 536, a backlog its previous tracking had never surfaced. But a year after go-live the backlog still stood, there was no published plan to clear it, and the notice came anyway. Software bought after the backlog has formed clears nothing by itself. What the ICO measures is sustained on-time delivery, evidenced month by month — which is why FOI Star pairs the case log with an ageing-backlog report your board can read. That is the difference in kind: a tracker could see that trust's backlog, but had nothing to shrink it with.

And scrutiny, once it begins, persists: a trust under ICO review reports to the regulator, on the regulator's timetable. The least expensive time to fix FOI tracking is before that letter arrives.

How it works

One route, from receipt to disclosure

Every request follows the same tracked path. AI does the heavy lifting where it helps; a person decides everything that matters. Each step is recorded.

01

Receipt & logging

Requests arrive by public form, email or manual entry — captured with requester, date and question in one place.

02

Start the clock

The 20-working-day deadline starts automatically, the system alerts you before the clock is about to break, and a live ageing report shows the backlog the way your board will ask to see it. No more spreadsheet diary dates.

03

AI first-pass check

Before anyone lifts a finger, AI checks whether the answer is already published, or was answered, partially answered or referred in the last three years.

AI flags likely duplicates — a person decides to close
04

Assign & collaborate

Route to the right owner; add or transfer collaborators internally. Everything stays inside the organisation.

05

AI-assisted drafting

The system drafts a suggested response from the material gathered, and helps you apply the s.12 cost limit — logging time against the four permitted activities so your estimate is documented and defensible.

Human-approved responses
06

Approval engine

Add whoever is part of your process — admin, IG manager, comms, as many as you need. Every approval is logged and audited, and nothing is disclosed until the chain is complete.

07

Disclose, publish & close

Send the response, optionally publish it to a searchable log so the next requester finds it first, and close the case against your retention rule.

The solution

What sets it apart — from spreadsheets, and from FOI trackers

Most FOI software records the backlog. FOI Star is built to shrink it — these three capabilities do that work.

External-facing

A public search portal

Requesters search everything you've already published before they ask. Many questions answer themselves — cutting duplicate requests before they ever start the clock.

Branded to your trust, on your own web address.
Internal AI

AI past-research, on every request

The moment a request lands, the AI searches three years of your own history — answered, partially answered or referred — and drafts a suggested response for a person to review and approve.

It surfaces what a person might miss, so far less is answered twice — once your request history is loaded in at onboarding.
UK-hosted

Your own AI, in the UK

The AI runs on Azure OpenAI in UK South. Your request data is held in a database isolated to your trust. Customer data is processed and stored in UK regions and is never used to train models; the sub-processor list and data-flow map are supplied with the contract.

A clean answer to the first question your IG lead will ask.
Built for information governance

Answers to the questions your IG manager will ask first

Your data stays in the UK

Hosted in UK Azure regions, in a database isolated to your trust; customer data is processed and stored in the UK, with the sub-processor list and data-flow map supplied with the contract. CDW resells the subscription; Coreshare acts as your data processor under UK GDPR Article 28 terms, with the contractual chain set out plainly in the contract pack for your IG review. Your request content is never used to train models.

A full, append-only audit trail

Every action across the whole life cycle of the request — receipt, clock start, each AI suggestion, every assignment, transfer, each logged approval and the disclosure — is recorded in an append-only log with restricted administrative access.

Sign in with Office 365

Staff use their existing trust login. Your own MFA and security policies apply. No new passwords, no separate user list to manage.

Isolated per trust

Each organisation has its own front end and its own separate database. Your data never shares a table with another trust's.

AI that advises, never decides

The system proposes; your team approves. A named person is accountable for every disclosure, exactly as the law expects.

Assurance evidence, ready to hand over

A template DPIA, data-flow map and UK GDPR Article 28 processor terms come with the standard contract, and our information-security and DSPT position is set out plainly in the contract pack. Coreshare is EcoVadis Silver rated — the sustainability assurance our top-10 pharma clients already require of us, and ready evidence for your social-value criteria. FOI Star is not a clinical system, so DCB0129 clinical safety assessment does not apply — we confirm that position in writing.

Buying it

A familiar buying route, through a supplier your trust already uses — structured to fit your budget.

Priced and structured to fit how NHS bodies actually buy software — through a supplier your trust already knows.

The route

Would be purchased through our reseller partner, CDW

  • CDW issues the statement of work; your trust raises its purchase order to CDW and pays CDW — a supplier many trusts already hold on their ledgers. If yours does, supplier onboarding is already behind you.
  • Fulfilled as a framework call-off through CDW — agreement, lot and service reference confirmed with your procurement team before any commitment, alongside how it sits against your SFIs.
  • A subscription normally sits as operational spend — but if your budget position favours a different structure, a single prepaid multi-year invoice for example, we will shape the agreement to fit.
  • A twelve-month term with no lock-in beyond it — walk away at any point, and your data leaves with you, exported in open, re-usable formats at no charge. Fees for the current term are non-refundable.
  • Onboarding is a fixed, one-off fee, quoted against your scope — set-up, approval-chain configuration and migration of your existing FOI log. The pricing note below explains how the first-year and whole-life totals are built up.
In plain terms

A predictable annual cost, bought through an established framework route and a supplier you already work with.

The payback

What FOI already costs you

FOI handling is expensive in staff time long before you count the compliance risk. The figures below are illustrative and deliberately conservative — we'll model your real numbers in a benchmark call, including the clinical and senior time each request pulls in.

~£200
Average staff cost to handle one FOI request
Illustrative estimate
~£100k
A year of FOI handling at roughly 500 requests
Illustrative
£225k
Statutory exposure at 500 requests: up to 18 countable hours × £25 each before the s.12 refusal threshold — a meter that omits reading, redaction and approvals entirely
Worked ceiling · SI 2004/3244
£36
Cost per request at the medium tier and ~500 requests a year — against the ~£200 illustrative staff-time cost of handling one
£17,950 ÷ 500 requests

And those figures count only the FOI team. Most requests don't stop there: information is pulled from clinical systems by the people who run them, answers are checked by service leads, and sign-off climbs to a director — several people, on senior salaries, touching every request. The statute meters FOI effort at a notional £25 an hour; nobody who actually answers one costs £25 an hour. That distributed time is the cost no spreadsheet shows — and it is what the AI first-pass, the public disclosure log and routed approvals are built to claw back: fewer requests reaching clinical teams at all, and less senior time on the ones that do. And because FOI Star logs time against the four permitted activities as the work is scoped, lawful s.12 refusals are found before the eighteen hours are spent — not after.

What ICO intervention looks like in practice

Once the ICO intervenes, the bar is set for you: recent action plans require at least 90 per cent of requests answered on time — and scrutiny does not end with the first letter. One London teaching trust took fourteen months to lift compliance from 33 per cent (March 2024) to 61 per cent (May 2025) under sustained ICO scrutiny — hard-won, and still short of the bar. Reaching 90 per cent and holding it takes a system that measures it for you, week in, week out.

Try it now

Score your trust in two minutes

Five questions, scored against the ICO's published timeliness criteria and its 2025 review of NHS trusts. Your figures never leave this page — nothing is sent, stored or tracked.

Indicative only — scored from the ICO's published criteria and 2025 data. The 30-minute benchmark call produces the full toolkit-scored baseline and board pack.
Pricing

One annual subscription, sized to your trust

Pricing follows the same small, medium and large groupings the ICO used in its July 2025 review, so what you pay tracks the volume — and the risk — you actually carry. Every tier is the full product — what scales is the service wrap around it.

Purchasing via our reseller partner, CDW · one framework call-off Statement of work, purchase order and invoicing all run through CDW — one familiar supplier, one purchase order.
Small trust
£12,950 /year
Community, ambulance or smaller specialist trusts with lower request volumes.
  • The full product — workflow, audit trail, AI first-pass & drafting, s.12 metering
  • Public disclosure-log portal
  • Board-level ageing & performance reporting
  • Office 365 sign-in
  • Standard support
Most trusts
Medium trust
£17,950 /year
Typical acute or mental-health trusts managing several hundred FOIs a year.
  • The full product, as Small
  • Priority support
  • Assisted onboarding & migration of your existing FOI log
Large trust
£24,950 /year
Large acute trusts and teaching hospitals with high volume and backlog risk.
  • The full product, as Small
  • Priority support with a named account contact
  • Enhanced onboarding & migration assistance
  • A seat on the FOI Star customer advisory board — priority input to the product roadmap
  • Early access to new capabilities
note

Billed annually through CDW, on a twelve-month term — exit at any point, fees for the current term non-refundable, with a full data export in open formats included as standard. Prices above are the annual subscription and are indicative; a one-off onboarding fee is quoted against your scope, and we put the full first-year and whole-life contract value in writing with the statement of work — so your procurement team sees the complete figure, not an annual slice. Every tier is the same product: tiers differ on the service wrap, and any wrap is available to any trust, whatever its size — ask at the benchmark call. Multi-trust, ICB-wide and perpetual-licence arrangements are also available — ask, and we will structure the agreement to fit.

Benchmark your trust against the ICO's 90% action-plan target

Bring last quarter's FOI figures to a 30-minute call. We will score your position against the ICO's own FOI self-assessment toolkit — where you stand today, where the risk sits, and what an action plan would ask of you. You keep the scored baseline, whether or not you take this any further.

After the call we draft the material for you to adapt: a one-page board briefing, a draft risk-register entry and a costed business case built on your own request volumes and staff time. Not ready for a call? Ask for the two-page board briefing to circulate to your director of corporate governance.

Book the benchmark call
Specimen risk-register entry — yours to adapt
Risk: failure to meet the FOIA s.10 statutory deadline, leading to ICO enforcement action, an action plan requiring at least 90% on-time performance, and reputational harm. Current control: shared mailbox and spreadsheet tracking. Proposed control: dedicated deadline-aware FOI system with auditable approvals and board-level compliance reporting.