A requester may ask for any information that is held by a public authority. However, this does not mean you are always obliged to provide the information. In some cases, there will be a good reason why you should not make public some or all of the information requested.
You can refuse an entire request under the following circumstances:
It would cost too much or take too much staff time to deal with the request.
The request is vexatious.
The request repeats a previous request from the same person.
In addition, the Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.
Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.
There is also an exemption for personal data if releasing it would be contrary to the UK General Data Protection Regulation (the UK GDPR) or the Data Protection Act 2018 (the DPA2018).
You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require you to apply a public interest test. This means you must consider the public interest arguments before deciding whether to disclose the information. So you may have to disclose information in spite of an exemption, where it is in the public interest to do so.
If you are refusing all or any part of a request, you must send the requester a written refusal notice. You will need to issue a refusal notice if you are either refusing to say whether you hold information at all, or confirming that information is held but refusing to release it.
When can we refuse a request on the grounds of cost?
The Act recognises that freedom of information requests are not the only demand on the resources of a public authority. They should not be allowed to cause a drain on your time, energy and finances to the extent that they negatively affect your normal public functions.
Currently, the cost limit for complying with a request or a linked series of requests from the same person or group is set at £600 for central government, Parliament and the armed forces and £450 for all other public authorities. You can refuse a request if you estimate that the cost of compliance would exceed this limit. This provision is found at section 12 of the Act.
You can refuse a request if deciding whether you hold the information would mean you exceed the cost limit, for example, because it would require an extensive search in a number of locations. Otherwise, you should say whether you hold the information, even if you cannot provide the information itself under the cost ceiling.
When calculating the costs of complying, you can aggregate (total) the costs of all related requests you receive within 60 working days from the same person or from people who seem to be working together.
How do we work out whether the cost limit would be exceeded?
You are only required to estimate whether the limit would be exceeded. You do not have to do the work covered by the estimate before deciding to refuse the request. However, the estimate must be reasonable and must follow the rules in the Freedom of Information (Appropriate Limit and Fees) Regulations 2004.
When estimating the cost of compliance, you can only take into account the cost of the following activities:
determining whether you hold the information;
finding the requested information, or records containing the information;
retrieving the information or records; and
extracting the requested information from records.
The biggest cost is likely to be staff time. You should rate staff time at £25 per person per hour, regardless of who does the work, including external contractors. This means a limit of 18 or 24 staff hours, depending on whether the £450 or £600 limit applies to your public authority.
You cannot take into account the time you are likely to need to decide whether exemptions apply, to redact (edit out) exempt information, or to carry out the public interest test.
However, if the cost and resources required to review and remove any exempt information are likely to be so great as to place the organisation under a grossly oppressive burden then you may be able to consider the request under Section14 instead. (vexatious requests).
Please see 'Dealing with vexatious requests' for further details about refusing requests which impose a grossly oppressive burden.
Note that although fees and the appropriate limit are both laid down in the same Regulations, the two things must not be confused:
The cost of compliance and the appropriate limit relate to when a request can be refused.
The fees are what you can charge when information is disclosed.
For further information, read our more detailed guidance:
What if we think complying with the request would exceed the cost limit?
If you wish to use section 12 (cost limit) of the Act as grounds for refusing the request, you should send the requester a written refusal notice. This should state that complying with their request would exceed the appropriate cost limit. However, you should still say whether you hold the information, unless finding this out would in itself incur costs over the limit.
There is no official requirement for you to include an estimate of the costs in the refusal notice. However, you must give the requester reasonable advice and assistance to refine (change or narrow) their request. This will generally involve explaining why the limit would be exceeded and what information, if any, may be available within the limits.
Example “You have asked for all the details of expenses claims made for food or drink between 1995 and 2010.
No forms have been kept for the period before 1999. Between 1999 and 2006, these forms were submitted manually and are not stored separately or sorted by type of expenditure but are filed in date order along with other invoices and bills. We estimate that we have at least 10,000 items in these boxes, and we would have to look at every page to identify the relevant information. Even at 10 seconds an item, this would amount to more than 27 hours of work.
However, records since 2007 are kept electronically and we could provide these to you.”
You should not:
give the requester part of the information requested, without giving them the chance to say which part they would prefer to receive;
fail to let the requester know why you think you cannot provide the information within the cost limit;
advise the requester on the wording of a narrower request but then refuse that request on the same basis; or
tell the requester to narrow down their request without explaining what parts of their request take your costs over the limit. A more specific request may sometimes take just as long to answer. For instance, in the example above, if the requester had later asked only for expenses claims relating to hotel room service, this would also have meant searching all the records.
If the requester refines their request appropriately, you should then deal with this as a new request. The time for you to comply with the new request should start on the working day after the date you receive it.
If the requester does not want to refine their request, but instead asks you to search for information up to the costs limit, you can do this if you wish, but the Act does not require you to do so.
Can we charge extra if complying with a request exceeds the cost limit
Yes, if complying with a request would cost you more than the £450 or £600 limit, you can refuse it outright or do the work for an extra charge.
If you choose to comply with a request costing over £450 or £600, you can charge:
the cost of compliance (the costs allowed in calculating whether the appropriate limit is exceeded); plus
£25 an hour for staff time taken for printing, copying or sending the information.
You should not do this work without getting written agreement from the requester that they will pay the extra costs. You should also give the requester the option of refining their request rather than paying extra. The ‘time for compliance’ clock is paused in these circumstances, until you receive payment.
For further information, read our more detailed guidance:
When can we refuse a request as vexatious?
As a general rule, you should not take into account the identity or intentions of a requester when considering whether to comply with a request for information. You cannot refuse a request simply because it does not seem to be of much value. However, a minority of requesters may sometimes abuse their rights under the Freedom of Information Act, which can threaten to undermine the credibility of the freedom of information system and divert resources away from more deserving requests and other public business.
You can refuse to comply with a request that is vexatious. If so, you do not have to comply with any part of it, or even confirm or deny whether you hold information. When assessing whether a request is vexatious, the Act permits you to take into account the context and history of a request, including the identity of the requester and your previous contact with them. The decision to refuse a request often follows a long series of requests and correspondence.
The key question to ask yourself is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.
Bear in mind that it is the request that is considered vexatious, not the requester. If after refusing a request as vexatious you receive a subsequent request from the same person, you can refuse it only if it also meets the criteria for being vexatious.
You should be prepared to find a request vexatious in legitimate circumstances, but you should exercise care when refusing someone’s rights in this way.
For further information, read our more detailed guidance:
When can we refuse a request because it is repeated?
You can refuse requests if they are repeated, whether or not they are also vexatious. You can normally refuse to comply with a request if it is identical or substantially similar to one you previously complied with from the same requester. You cannot refuse a request from the same requester just because it is for information on a related topic. You can do so only when there is a complete or substantial overlap between the two sets of information.
You cannot refuse a request as repeated once a reasonable period has passed. The reasonable period is not set down in law but depends on the circumstances, including, for example, how often the information you hold changes.
Example "Please could you send me the latest copy of your register of interests? You kindly sent me a copy of this two years ago but I assume it may have been updated since then. Also I no longer have the copy you sent previously.”
This request is not repeated because a reasonable period has elapsed.
What if we want to refuse a request as vexatious or repeated?
You should send the requester a written refusal notice. If the request is vexatious or repeated, you need only state that this is your decision; you do not need to explain it further. However, you should keep a record of the reasons for your decision so that you can justify it to the Information Commissioner’s Office if a complaint is made.
If you are receiving vexatious or repeated requests from the same person, you can send a single refusal notice to the applicant, stating that you have found their requests to be vexatious or repeated (as appropriate) and that you will not send a written refusal in response to any further vexatious or repeated requests.
This does not mean you can ignore all future requests from this person. For example, a future request could be about a completely different topic, or have a valid purpose. You must consider whether the request is vexatious or repeated in each case.
For further information, read our more detailed guidance:
When can we withhold information under an exemption?
Exemptions exist to protect information that should not be disclosed, for example because disclosing it would be harmful to another person or it would be against the public interest.
The exemptions in Part II of the Freedom of Information Act apply to information. This may mean that you can only apply an exemption to part of the information requested, or that you may need to apply different exemptions to different sections of a document.
You do not have to apply an exemption. However, you must ensure that in choosing to release information that may be exempt, you do not disclose information in breachof some other law, such as disclosing personal information in contravention of the UK GDPR or the DPA 2018. Nor do you have to identify all the exemptions that may apply to the same information, if you are content that one applies.
You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but are ‘qualified’. This means that before deciding whether to withhold information under an exemption, you must consider the public interest arguments. This balancing exercise is usually called the public interest test (PIT). The Act requires you to disclose information unless there is good reason not to, so the exemption can only be maintained (upheld) if the public interest in doing so outweighs the public interest in disclosure.
Example The BBC received a request for two contracts relating to licence fee collection. The Commissioner accepted that some of the information in the contracts was commercially sensitive and it was likely that it would prejudice the BBC’s commercial interests. However, this was not significant enough to outweigh the need for the BBC to be accountable for its use of public money, as well as the importance of informing an ongoing consultation about the licence fee.
In this case, even though the information fell within an exemption, the public interest favoured disclosure.
You can have extra time to consider the public interest. However, you must still contact the requester within the standard time for compliance to let them know you are claiming a time extension.
When can we use an exemption to refuse to say whether we have the information?
In some cases, even confirming that information is or is not held may be sensitive. In these cases, you may be able to give a ‘neither confirm nor deny’ (NCND) response.
Whether you need to give a NCND response should usually depend on how the request is worded, not on whether you hold the information. You should apply the NCND response consistently, in any case where either confirming or denying could be harmful.
Example “Please could you send me the investigation file relating to the murder committed at 23 Any Street on 12 January 2011?”
In this case, assuming the murder was publicly reported, the police could confirm that they held some information on the topic, without giving the contents.
“Please could you send me any information you have linking Mr Joe Bloggs to the murder committed at 23 Any Street on 12 January 2011”
In this case the police do not confirm whether they hold any such information. If they do have information, this could tip off a suspect, and may be unfair to Mr Bloggs. If they don’t have the information, this could also be valuable information for the murderer. So the police would give the same response, whether or not they hold any such information.
Unless otherwise specified, all the exemptions below also give you the option to claim an exclusion from the duty to confirm or deny whether information is held, in appropriate cases.
If you think you may need to claim an exclusion from the duty to confirm or deny whether you hold information, then you will need to consider this duty separately from the duty to provide information. You will need to do this both:
when you decide whether an exemption applies; and
when you apply the public interest test.
If it would be damaging to even confirm or deny if information is held, then you must issue a refusal notice explaining this to the requester. In this situation we would not expect you to go on to address the separate question of whether any information that is held should be disclosed, at this stage. You will need to do this only if the requester successfully appeals against your NCND response and you do actually hold some information.
However, if you decide that you are willing to confirm or deny whether information is held, and you do in fact hold some information, then you will need to immediately go on to consider whether that information should be disclosed.
For further information, read our more detailed guidance:
What exemptions are there?
Some exemptions apply only to a particular category or class of information, such as information held for criminal investigations or relating to correspondence with the royal family. These are called class-based exemptions.
Some exemptions require you to judge whether disclosure may cause a specific type of harm, for instance, endangering health and safety, prejudicing law enforcement, or prejudicing someone’s commercial interests. These are called prejudice-based exemptions.
This distinction between ‘class-based’ and ‘prejudice-based’ is not in the wording of the Act but many people find it a useful way of thinking about the exemptions.
The Act also often refers to other legislation or common law principles, such as confidentiality, legal professional privilege, or data protection. In many cases, you may need to apply some kind of legal ‘test’ - it is not as straightforward as identifying that information fits a specific description. It is important to read the full wording of any exemption, and if necessary consult our guidance, before trying to rely on it.
The exemptions can be found in Part II of the Act, at sections 21 to 44.
What is ‘prejudice’ and how do we decide whether disclosure would cause this?
For the purposes of the Act, ‘prejudice’ means causing harm in some way. Many of the exemptions listed below apply if disclosing the information you hold would harm the interests covered by the exemption. In the same way, confirming or denying whether you have the information can also cause prejudice. Deciding whether disclosure would cause prejudice is called the prejudice test.
To decide whether disclosure (or confirmation/denial) would cause prejudice:
you must be able to identify a negative consequence of the disclosure (or confirmation/denial), and this negative consequence must be significant (more than trivial);
you must be able to show a link between the disclosure (or confirmation/denial) and the negative consequences, showing how one would cause the other; and
there must be at least a real possibility of the negative consequences happening, even if you can’t say it is more likely than not.
For further information, read our more detailed guidance:
Section 21 – information already reasonably accessible
This exemption applies if the information requested is already accessible to the requester. You could apply this if you know that the requester already has the information, or if it is already in the public domain. For this exemption, you will need to take into account any information the requester gives you about their circumstances. For example, if information is available to view in a public library in Southampton, it may be reasonably accessible to a local resident but not to somebody living in Glasgow. Similarly, an elderly or infirm requester may tell you they don’t have access to the internet at home and find it difficult to go to their local library, so information available only over the internet would not be reasonably accessible to them.
When applying this exemption, you have a duty to confirm or deny whether you hold the information, even if you are not going to provide it. You should also tell the requester where they can get it.
This exemption is absolute, so you do not need to apply the public interest test.
For further information, read our more detailed guidance:
Section 22 – information intended for future publication
This exemption applies if, when you receive a request for information, you are preparing the material and definitely intend for it to be published, and it is reasonable not to disclose it until then. You do not need to have identified a publication date. This exemption does not necessarily apply to all draft materials or background research. It will only apply to the material you intend to be published.
You do not have to confirm whether you hold the information requested if doing so would reveal the content of the information.
This exemption is qualified by the public interest test.
For further information, read our more detailed guidance:
Section 22A – research information
This exemption applies if, when you receive a request for information,
you hold information on an ongoing programme of research;
there is an intention by someone –whether an individual or organisation, private or public sector - to publish a report of the research; and
disclosure of the information would or would be likely to prejudice the research programme, the interests of participants in the programme, or a public authority holding or intending to publish a report of the research.
So long as the research programme is continuing, the exemption may apply to a wide range of information relating to the research project. There does not have to be any intention to publish the particular information that has been requested, nor does there need to be an identified publication date.
You do not have to confirm whether you hold the information requested if doing so would reveal the content of the information.
This exemption is qualified by the public interest test.
For further information, read our more detailed guidance:
Sections 23 and 24 – security bodies and national security
The section 23 exemption applies to any information you have received from, or relates to, any of a list of named security bodies such as the security service. You do not have to confirm or deny whether you hold the information, if doing so would reveal anything about that body or anything you have received from it. A government minister can issue a certificate confirming that this exemption applies.
This exemption is absolute, so you do not need to consider the public interest test.
The section 24 exemption applies if it is “required for the purpose of safeguarding national security”. The exemption does not apply just because the information relates to national security.
A government minister can issue a certificate confirming that this exemption applies and this can only be challenged on judicial review grounds. However, the exemption is qualified by the public interest test.
Section 25 is not an exemption, but gives more detail about the ministerial certificates mentioned above.
For further information, read our more detailed guidance:
Sections 26 to 29
These exemptions are available if complying with the request would prejudice or would be likely to prejudice the following:
defence (section 26);
the effectiveness of the armed forces (section 26);
international relations (section 27);
relations between the UK government, the Scottish Executive, the Welsh Assembly and the Northern Ireland Executive (section 28);
the economy (section 29); or
the financial interests of the UK, Scottish, Welsh or Northern Irish administrations (section 29).
Section 27 also applies to confidential information obtained from other states, courts or international organisations.
All these exemptions are qualified by the public interest test.
For further information, read our more detailed guidance:
Sections 30 and 31 – investigations and prejudice to law enforcement
The section 30 exemption applies to a specific category of information that a public authority currently holds or has ever held for the purposes of criminal investigations. It also applies to information obtained in certain other types of investigations, if it relates to obtaining information from confidential sources.
When information does not fall under either of these headings, but disclosure could still prejudice law enforcement, section 31 is the relevant exemption.
Section 31 only applies to information that does not fall into the categories in section 30. For this reason sections 30 and 31 are sometimes referred to as being mutually exclusive. Section 31 applies where complying with the request would prejudice or would be likely to prejudice various law enforcement purposes (listed in the Act) including preventing crime, administering justice, and collecting tax. It also protects certain other regulatory functions, for example those relating to health and safety and charity administration.
Both exemptions are qualified by the public interest test.
For further information, read our more detailed guidance:
Section 32 – court records
This exemption applies to court records held by any authority (though courts themselves are not covered by the Act).
To claim this exemption, you must hold the information only because it was originally in a document created or used as part of legal proceedings, including an inquiry, inquest or arbitration.
This is an unusual exemption because the type of document is relevant, as well as the content and purpose of the information they hold.
This exemption is absolute, so you do not need to apply the public interest test. You also do not have to confirm or deny whether you hold any information that is or would fall within the definition above.
For further information, read our more detailed guidance:
Section 33 – prejudice to audit functions
This exemption can only be used by bodies with audit functions. It applies where complying with the request would prejudice or would be likely to prejudice those functions.
This exemption is qualified by the public interest test.
For further information, read our more detailed guidance:
Section 34 – parliamentary privilege
You can use this exemption to avoid an infringement of parliamentary privilege. Parliamentary privilege protects the independence of Parliament and gives each House of Parliament the exclusive right to oversee its own affairs. Parliament itself defines parliamentary privilege, and the Speaker of the House of Commons can issue a certificate confirming that this exemption applies; the Clerk of the Parliaments can do the same for the House of Lords.
This exemption is absolute, so you do not need to apply the public interest test.
For further information, read our more detailed guidance:
Sections 35 and 36 – government policy and prejudice to the effective conduct of public affairs
These two sections form a mutually exclusive pair of exemptions in the same way as section 30 and section 31.
The section 35 exemption can only be claimed by government departments or by the Welsh Assembly Government. It is a class-based exemption, for information relating to:
the formulation or development of government policy;
communications between ministers;
advice from the law officers; and
the operation of any ministerial private office.
Section 35 is qualified by the public interest test.
For policy-related information held by other public authorities, or other information that falls outside this exemption but needs to be withheld for similar reasons, the section 36 exemption applies.
The section 36 exemption applies only to information that falls outside the scope of section 35. It applies where complying with the request would prejudice or would be likely to prejudice “the effective conduct of public affairs”. This includes, but is not limited to, situations where disclosure would inhibit free and frank advice and discussion.
This exemption is broad and can be applied to a range of situations.
Example A council refused to disclose a list of schools facing financial difficulties, because this could damage the schools’ ability to recruit pupils, as well as making schools less likely to co-operate and share financial information freely with the council (ICO decision notice FS50302293).
A university refused to disclose a complete list of staff email addresses. On a previous occasion when email addresses had been disclosed, this led to a security attack, as well as an increase in spam, phishing, and emails directed inappropriately (ICO decision notice FS50344341).
The Cabinet Office refused to release details of the discussions between political parties that took place between the general election and the formation of the coalition government. This was necessary to ensure that a stable government could be formed, as politicians needed to be able to freely discuss their differences as well as seek impartial advice from the civil service (ICO decision notice FS50350899).
Section 36 differs from all other prejudice exemptions in that the judgement about prejudice must be made by the legally authorised qualified person for that public authority. A list of qualified people is given in the Act, and others may have been designated. If you have not obtained the qualified person’s opinion, then you cannot rely on this exemption. The qualified person’s opinion must also be a “reasonable” opinion, and the Information Commissioner may decide that the section 36 exemption has not been properly applied if they find that the opinion given isn’t reasonable.
In most cases, section 36 is a qualified exemption. This means that even if the qualified person considers that disclosure would cause harm, or would be likely to cause harm, you must still consider the public interest. However, for information held by the House of Commons or the House of Lords, section 36 is an absolute exemption so you do not need to apply the public interest test.
For further information, read our more detailed guidance:
Section 37 – communications with the royal family and the granting of honours
This exemption has been changed since the Freedom of Information Act was first published, so you should refer to an up-to-date copy at www.legislation.gov.uk.
It covers any information relating to communications with the royal family and information on granting honours. This exemption is absolute in relation to communications with the monarch, the heir to the throne, and the second in line of succession to the throne, so the public interest test does not need to be applied in these cases.
All other information under the scope of this exemption is qualified, so the public interest test must be applied.
For further information, read our more detailed guidance:
Section 38 – endangering health and safety
You can apply the section 38 exemption if complying with the request would or would be likely to endanger anyone’s physical or mental health or safety. In deciding whether you can apply this exemption, you should use the same test as you would for prejudice. This exemption is qualified by the public interest test.
For further information, read our more detailed guidance:
Section 39 – environmental information
You should deal with any request that falls within the scope of the Environmental Information Regulations 2004 under those Regulations. This exemption confirms that, in practice, you do not also need to consider such requests under the Freedom of Information Act.
Only public authorities that are covered by the Regulations can rely on this exemption. A small number of public authorities, including the BBC and other public service broadcasters, are not subject to the Environmental Information Regulations. They should handle requests for environmental information under the Freedom of Information Act.
This exemption is qualified by the public interest test, but because you must handle this type of request under the Environmental Information Regulations, it is hard to imagine when it would be in the public interest to also consider it under the Freedom of Information Act.
Section 40(1) – personal information of the requester
This exemption confirms that you should treat any request made by an individual for their own personal data as a data protection subject access request. You should apply this to any part of the request that is for the requester’s own personal data. They should not be required to make a second, separate subject access request for these parts of their request. See our Guide to UK GDPR - Right of Access for advice on how to handle subject access requests.
If the information contains some of the requester’s personal data plus other non-personal information, then you will need to consider releasing some of the information under the UK GDPR or the DPA 2018 and some under the Freedom of Information Act.
This exemption is absolute, so you do not need to apply the public interest test.
Requested information may involve the personal data of both the requester and others. For further information, read our guidance:
Section 40(2) – Personal information
This exemption covers the personal data of third parties (anyone other than the requester) where complying with the request would breach any of the principles in the UK GDPR.
If you wish to rely on this exemption, you need to refer to the UK GDPR as the data protection principles are not set out in the Freedom of Information Act. More details can be found in our Guide to the UK GDPR - the Principles.
This exemption can only apply to information about people who are living; you cannot use it to protect information about people who have died.
The most common reason for refusing information under this exemption