The ICO exists to empower you through information.

Latest updates

14 August 2023 - FOI and EIR Video Training Modules - Overview of FOIA and EIR

In brief

Anyone has a right to request information from a public authority. You have two separate duties when responding to these requests:

  • to tell the applicant whether you hold any information falling within the scope of their request; and
  • to provide that information

You normally have 20 working days to respond to a request.

For a request to be valid under the Freedom of Information Act it must be in writing, but requesters do not have to mention the Act or direct their request to a designated member of staff. It is good practice to provide the contact details of your freedom of information officer or team, if you have one, but you cannot ignore or refuse a request simply because it is addressed to a different member of staff. Any letter or email to a public authority asking for information is a request for recorded information under the Act.

This doesn’t mean you have to treat every enquiry formally as a request under the Act. It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures, for example, if a member of the public wants to know what date their rubbish will be collected, or whether a school has a space for their child. The provisions of the Act need to come into force only if:

  • you cannot provide the requested information straight away; or
  • the requester makes it clear they expect a response under the Act.

This request handling flowchart provides an overview of the steps to follow when handling a request for information.

In more detail

What makes a request valid?

To be valid under the Act, the request must:

  • be in writing. This could be a letter or email. Requests can also be made via the web, or even on social networking sites such as Facebook or Twitter if your public authority uses these;
  • include the requester’s real name. The Act treats all requesters alike, so you should not normally seek to verify the requester’s identity. However, you may decide to check their identity if it is clear they are using a pseudonym or if there are legitimate grounds for refusing their request and you suspect they are trying to avoid this happening, for example because their request is vexatious or repeated. Remember that a request can be made in the name of an organisation, or by one person on behalf of another, such as a solicitor on behalf of a client;
  • include an address for correspondence. This need not be the person’s residential or work address – it can be any address at which you can write to them, including a postal address or email address;
  • describe the information requested. Any genuine attempt to describe the information will be enough to trigger the Act, even if the description is unclear, or you think it is too broad or unreasonable in some way. The Act covers information not documents, so a requester does not have to ask for a specific document (although they may do so). They can, for example, ask about a specific topic and expect you to gather the relevant information to answer their enquiry. Or they might describe other features of the information (eg author, date or type of document).

This is not a hard test to satisfy. Almost anything in writing which asks for information will count as a request under the Act. People may also send you requests through websites like WhatDoTheyKnow, which will automatically publish your response online. These are still valid requests. The Act contains other provisions to deal with requests which are too broad, unclear or unreasonable.

Even if a request is not valid under the Freedom of Information Act, this does not necessarily mean you can ignore it. Requests for ‘environmental information’, for example, can be made verbally. You also have an obligation to provide advice and assistance to requesters. Where somebody seems to be requesting information but has failed to make a valid freedom of information request, you should draw their attention to their rights under the Act and tell them how to make a valid request.

For further information, read our more detailed guidance:

Can a question be a valid request?

Yes, a question can be a valid request for information. It is important to be aware of this so that you can identify requests and send them promptly to the correct person.


“Please send me all the information you have about the application for a 24-hour licence at the Midnite Bar.”

“Re. Midnite Bar licence application. Please explain, why have you decided to approve this application?”

Both are valid requests for information about the reasons for the decision.

Under the Act, if you have information in your records that answers the question you should provide it in response to the request. You are not required to answer a question if you do not already have the relevant information in recorded form.

In practice this can be a difficult area for public authorities. Many of those who ask questions just want a simple answer, not all the recorded information you hold. It can be frustrating for applicants to receive a formal response under the Act stating that you hold no recorded information, when this doesn’t answer their simple question. However, requesters do have a right to all the relevant recorded information you hold, and some may be equally frustrated if you take a less formal approach and fail to provide recorded information.

The best way round this is usually to speak to the applicant, explain to them how the Act works, and find out what they want. You should also remember that even though the Act requires you to provide recorded information, this doesn’t prevent you providing answers or explanations as well, as a matter of normal customer service.

The Information Commissioner’s Office (ICO) recognises that some public authorities may initially respond to questions informally, but we will expect you to consider your obligations under the Act as soon as it becomes clear that the applicant is dissatisfied with this approach. Ultimately, if there is a complaint to the ICO, the Commissioner will make their decision based on whether recorded information is held and has been provided.

Should Parliamentary Questions be treated as FOI requests?

Parliamentary Questions (PQs) are part of parliamentary proceedings and must not be treated as requests for information under FOIA (or under the EIR); to do so would infringe parliamentary privilege.

Councils may permit members of the public to raise questions, either orally or in writing, at council meetings. These questions also should not be treated as requests for information under FOIA or under the EIR.

When should we deal with a request as a freedom of information request?

You can deal with many requests by providing the requested information in the normal course of business. If the information is included in the publication scheme, you should give this out automatically, or provide a link to where the information can be accessed (see What information do we need to publish?).

If you need to deal with a request more formally, it is important to identify the relevant legislation:

  • If the person is asking for their own personal data, you should deal with it as a data protection subject access request.
  • If the person is asking for ‘environmental information’, the request is covered by the Environmental Information Regulations 2004.

Any other non-routine request for information you hold should be dealt with under the Freedom of Information Act.

What are the timescales for responding to a request for information?

Your main obligation under the Act is to respond to requests promptly, with a time limit acting as the longest time you can take. Under the Act, most public authorities may take up to 20 working days to respond, counting the first working day after the request is received as the first day. For schools, the standard time limit is 20 school days, or 60 working days if this is shorter.

Working day means any day other than a Saturday, Sunday, or public holidays and bank holidays; this may or may not be the same as the days you are open for business or staff are in work.

The time allowed for complying with a request starts when your organisation receives it, not when it reaches the freedom of information officer or other relevant member of staff.

Certain circumstances (explained in this guidance and in When can we refuse a request?) may allow you extra time. However, in all cases you must give the requester a written response within the standard time limit for compliance.

For further information, read our more detailed guidance:

What should we do when we receive a request?

First, read the request carefully and make sure you know what is being asked for. You must not simply give the requester information you think may be helpful; you must consider all the information that falls within the scope of the request, so identify this first. Always consider contacting the applicant to check that you have understood their request correctly.

You should read a request objectively. Do not get diverted by the tone of the language the requester has used, your previous experience of them (unless they explicitly refer you to this) or what you think they would be most interested in.


“Approving the 24-hour licence at the Midnite Bar – can you provide me the details of this completely ridiculous licence application?”

This may still be a valid request, in spite of the language.

What if we are unsure what’s being asked for?

Requests are often ambiguous, with many potential interpretations, or no clear meaning at all. If you can’t answer the request because you are not sure what is being requested, you must contact the requester as soon as possible for clarification.

You do not have to deal with the request until you have received whatever clarification you reasonably need. However, you must consider whether you can give the requester advice and assistance to enable them to clarify or rephrase their request. For example, you could explain what options may be available to them and ask whether any of these would adequately answer their request.


“You have asked for all expenses claims submitted by Mrs Jones and dates of all meetings attended by Mrs Jones in June, July or August last year.

This could mean:
A) all expenses claims Mrs Jones ever submitted, plus dates of meetings she attended in June, July and August; or
B) all expenses claims Mrs Jones submitted in June, July or August, and dates of meetings she attended in the same months.

Please let us know which you mean.”



“You have asked for a copy of our risk assessment policy. We do not have a specific policy relating to risk assessment. However, the following policies include an element of risk assessment:
* Health and Safety at Work policy
* Corporate Risk Strategy
* Security Manual

Please let us know whether you would be interested in any of these documents or what risk assessment information you are interested in seeing.”

The time for compliance will not begin until you have received the necessary clarification to allow you to answer the request.

For further information, read our more detailed guidance;

What happens if we don’t have the information?

The Act only covers recorded information you hold. When compiling a response to a request for information, you may have to draw from multiple sources of information you hold, but you don’t have to make up an answer or find out information from elsewhere if you don’t already have the relevant information in recorded form.

Before you decide that you don’t hold any recorded information, you should make sure that you have carried out adequate and properly directed searches, and that you have convincing reasons for concluding that no recorded information is held. If an applicant complains to the ICO that you haven’t identified all the information you hold, we will consider the scope, quality and thoroughness of your searches and test the strength of your reasoning and conclusions.

If you don’t have the information the requester has asked for, you can comply with the request by telling them this, in writing. If you know that the information is held by another public authority, you could transfer the request to them or advise the requester to redirect their request. Part III of the section 45 code of practice provides advice on good practice in transferring requests for information.

For further information, read our more detailed guidance:

It will take us a long time to find the information. Can we have extra time?

The Act does not allow extra time for searching for information. However, if finding the information and drawing it together to answer the request would be an unreasonable burden on your resources and exceed a set costs limit, you may be able to refuse the request. Likewise, you may not have to confirm whether or not you hold the information, if it would exceed the costs limit to determine this.

See When can we refuse a request? for more details.

Do we have to tell them what information we have?

Yes, unless one of the reasons for refusing to do this applies – see When can we refuse a request? for details.

You have two duties when responding to requests for information: to let the requester know whether you hold the information, and to provide the information. If you are giving out all the information you hold, this will fulfil both these duties. If you are refusing all or part of the request, you will normally still have to confirm whether you hold (further) information. You do not need to give a description of this information; you only have to say whether you have any (further) information that falls within the scope of the request.

In some circumstances, you can refuse to confirm or deny whether you hold any information. For example, if a requester asks you about evidence of criminal activity by a named individual, saying whether you hold such information could be unfair to the individual and could prejudice any police investigation. We call this a ‘neither confirm nor deny’ (NCND) response.

For further information, read our more detailed guidance:

Do we have to release the information?

Yes, under the law you must release the information unless there is good reason not to. For more about when you may be able to refuse the request, or withhold some or all of the information, see When can we refuse a request?.

What if the information is inaccurate?

The Act covers recorded information, whether or not it is accurate. You cannot refuse a request for information simply because you know the information is out of date, incomplete or inaccurate. To avoid misleading the requester, you should normally be able to explain to them the nature of the information, or provide extra information to help put the information into context.

When considering complaints against a public authority, the ICO will normally reject arguments that inaccurate information should not be disclosed. However, in a few cases there may be strong and persuasive arguments for refusing a request on these grounds if these are specifically tied to an exemption in the Act. It will be up to you to identify such arguments.

Can we change or delete information that has been requested?

No. You should normally disclose the information you held at the time of the request. You are allowed to make routine changes to the information while you are dealing with the request as long as these would have been made regardless of the request. However, it would not be good practice to go ahead with a scheduled deletion of information if you know it has been requested.

You must not make any changes or deletions as a result of the request, for example, because you are concerned that some of the information could be embarrassing if it were released. This is a criminal offence (see What happens when someone complains?).

For further information, read our more detailed guidance:

In what format should we give the requester the information?

There are a number of ways you could make information available, including by email, as a printed copy, on a disk, or by arranging for the requester to view the information. Normally, you should send the information by whatever means is most reasonable. For example, if the requester has made their request by email, and the information is an electronic document in a standard form, then it would be reasonable for you to reply by email and attach the information.

However, requesters have the right to specify their preferred means of communication, in their initial request. So you should check the original request for any preferences before sending out the information.

You may also want to consider whether you would like to include anything else with the information, such as a copyright notice for third party information, or explanation and background context.

Remember that disclosures under the Act are ‘to the world’, so anyone may see the information.

If the information that you are making available is a dataset, and the requester has expressed a preference for an electronic copy, then, so far as reasonably practicable, you must provide the dataset in a re-usable form.

If your authority is also a public sector body under the Re-use of Public Sector Information Regulations 2015 (RPSI) then you should deal with licensing re-use under the terms of RPSI. If RPSI does not apply you should license re-use according to the dataset provisions in the Act. These say that if the dataset is a ‘relevant copyright work’ and you are the only owner of the copyright or database rights, then you must make it available under a licence that permits re-use. The licences to use for this are specified in the section 45 code of practice on datasets. If the dataset can be re-used without charge, then the appropriate licence will usually be the Open Government Licence.

For further information, read our more detailed guidance:

Can we charge for the information?

Yes, in certain cases. The Act does not allow you to charge a flat fee but you can recover your communication costs, such as for photocopying, printing and postage. You cannot normally charge for any other costs, such as for staff time spent searching for information, unless other relevant legislation authorises this.

However, if the cost of complying with the request would exceed the cost limit referred to in the legislation, you can offer to supply the information and recover your full costs (including staff time), rather than refusing the request. You can find more detail about the cost limit in When can we refuse a request?.

If you wish to charge a fee, you should send the requester a fees notice. You do not have to send the information until you have received the fee. The time limit for complying with the request excludes the time spent waiting for the fee to be paid. In other words, you should issue the fees notice within the standard time for compliance. Once you have received the fee, you should send out the information within the time remaining.

If the information that you are providing is a dataset, and it is covered by the RPSI, then you may charge for permitting re-use according to RPSI. If it is not covered, for example because you are not a public sector body under RPSI, then you should deal with charging for re-use according to the dataset provisions in the Act. There is no re-use fee if you are making the datasets available for re-use under the Open Government Licence.

For further information, read our more detailed guidance:

Does the Freedom of Information Act allow us to disclose information to a specific person or group alone?

Disclosures under the Act are ‘to the world’. However, you can restrict the release of information to a specific individual or group at your discretion, outside the provisions of the Act.

If you make a restricted disclosure, you should make it very clear to the requester that the information is for them alone; many requesters are satisfied with this.

However, if the requester has made it clear that they want the information under the Act and are not satisfied with receiving it on a discretionary basis, you can give them the information, but you may also need to give them a formal refusal notice, explaining why you have not released it under the Act. See When can we refuse a request? for more details about refusal notices.

Is there anything else we should consider before sending the information?

You should double check that you have included the correct documents, and that the information you are releasing does not contain unnoticed personal data or other sensitive details which you did not intend to disclose.

This might be a particular issue if you are releasing an electronic document. Electronic documents often contain extra hidden information or ‘metadata’ in addition to the visible text of the document. For example, metadata might include the name of the author, or details of earlier draft versions. In particular, a spreadsheet displaying information as a table will often also contain the original detailed source data, even if this is not immediately visible at first glance.

You should ensure that staff responsible for answering requests understand how to use common software formats, and how to strip out any sensitive metadata or source data (eg data hidden behind pivot tables in spreadsheets).

See the National Archives Redaction Toolkit for further information, or read our more detailed guidance on how to disclose information safely.