The ICO exists to empower you through information.

About this detailed guidance

This guidance discusses in detail the key FOIA and EIR considerations when outsourcing public services and is written for public authorities. You should read it if you need a deeper understanding of how to deal with access to information issues when outsourcing. This guidance will help you to understand when information is held for the purposes of FOIA and the EIR.

When dealing with FOIA and EIR issues in outsourcing, you should remember that you cannot contract out your FOIA and EIR responsibilities. Therefore, this guidance will also explain how adopting a transparency by design approach from the beginning can help you meet your obligations under access to information law.

In detail

Who holds the information?

Establishing whether information is held is crucial in the context of outsourcing. FOIA provides a general right of access to information held by public authorities. This means that, for the purposes of FOIA and the EIR, an applicant has a right to obtain information held by a private contractor or sub-contractor only in so far as the information is being held on behalf of a public authority.

Requests relating to outsourcing can be particularly complex. This is because they can ask about information that a contractor has provided to you or about information the contractor physically holds. This is in addition to information you have produced and physically hold.

As a result, determining what information you – as a public authority – hold is key to dealing appropriately with requests for information about outsourced services.

Section 3(2) of FOIA defines “held” as follows:

3(2) For the purposes of this Act, information is held by a public authority if—

(a) it is held by the authority, otherwise than on behalf of another person, or

(b) it is held by another person on behalf of the authority.

This two-part definition covers the following information:

  • Information you hold as a public authority – this is information within the scope of a FOIA request.
  • Information you hold only on behalf of another person – this is not within the scope of a FOIA request.
  • Information which another person holds on your behalf – this is within the scope of a FOIA request.

Both parts of this definition can be relevant when dealing with requests about outsourced services.

Information ‘you’ hold

Information that you have produced about your outsourcing activities is information that falls within the scope of FOIA. However, in the context of outsourcing, you are also likely to hold information that you have received from third parties. An example of this is information companies provided as part of the tendering process when bidding for a contract. In these circumstances, you need to consider whether you hold this information “otherwise than on behalf of another person”.


The Upper Tribunal (UT) gave a binding judgement on the interpretation of section 3(2)(a) on this point in University of Newcastle upon Tyne v the Information Commissioner and the British Union for the Abolition of Vivisection (“BUAV”) [2011] UKUT 185 (AAC) (11 May 2011)

Namely, the UT accepted the First-Tier Tribunal’s earlier finding that “if the information is held to any extent on behalf of the authority itself, the authority ‘holds’ it within the meaning of the Act.” [para 21].

In this case, BUAV made a FOIA request to the University of Newcastle upon Tyne (‘The University’). BUAV requested information about project licenses issued under the Animal (Scientific Procedures) Act (ASPA) 1986 relating to experiments on monkeys. The University refused to disclose the requested information.

BUAV filed a complaint to the Information Commissioner. The Commissioner decided that the University did not hold the information.

BUAV appealed to the FTT which overturned the Commissioner’s decision. The Tribunal argued that ‘holding’ “is not a purely physical concept, and it has to be understood with the purpose of the Act in mind. (…) There must be an appropriate connection between the information and the authority, so that it can be properly said that the information is held by the authority”. [para. 47]

This means that it is not enough for the information to be present on an authority’s premises or IT network. For the information to be in scope of FOIA, the authority needs to hold it ‘to any extent’ for its own purposes.

In this specific case, the FTT found that a link did exist between the information and the University. The disputed information – ie the project licences – were held by two professors in their capacity as employees of the University. Therefore, the Tribunal concluded that the University was holding the information for its own purposes, which brought it within scope of FOIA.

On appeal, the UT accepted that the FTT’s argument was an accurate statement of the law and upheld the FTT’s decision that the University was holding the information.

This judgement did not concern a request for information about outsourced services. However, the findings of this decision can help you decide whether you hold the information for the purposes of FOIA when outsourcing services. For example, you may be providing secure storage for some business records belonging to a contractor. If this information is unrelated to any outsourced work the contractor is doing on your behalf, it is likely the information is not in scope of FOIA. Even though you are physically holding the information, you are not holding it to any extent for your own purposes. Therefore, there is no appropriate connection between you and the information.

By contrast, if the information you have received from a contractor or other external party is about the outsourcing of your services, then you hold the information for your own purposes to some extent. This means that this information may fall within the scope of a FOIA request. For example, tenders submitted by both successful and unsuccessful bidders during a procurement process. This does not necessarily mean you have to disclose this kind of information, if requested. For instance, tenders may contain commercially sensitive information. In cases such as these, you could rely on one of the FOIA exemptions to make the decision to legitimately withhold the information. However, this is a separate issue from making a decision about whether you hold the information in the first place.

Information “held” for the purposes of the EIR

Regulation 3(2) defines “held” as follows:

3 (2) For the purposes of these Regulations, environmental information is held by a public authority if the information –

(a) is in the authority’s possession and has been produced or received by the authority; or

(b) is held by another person on behalf of the authority

Although phrased slightly differently, in essence, this definition is very similar to the one under FOIA. The information is in your “possession” as far as you hold it to any extent for your own purposes.

Tribunal decisions have helped to further clarify the meaning of information held for the purposes of the EIR.


The Upper Tribunal (UT) considered whether the requested information was held under the EIR as a main point of appeal in Holland vs Information Commissioner and University of Cambridge (‘the University’) [2016] UKUT 260 (AAC) (1 June 2016).

In this case, the Tribunal argued that – for a public authority to ‘hold’ the information under the EIR – the “information is in the authority’s possession and produced or received by it” [para. 45].     

The applicant had requested from the University information about the reports of the Intergovernmental Panel on Climate Change (IPCC)’s working group produced by the review editor. The review editor was also a professor at the University. However, he was fulfilling the role in the IPCC in an unpaid and honorary capacity. The role was also not connected to his professorship at the University.

Consequently, the University refused the request on the grounds that the professor’s role “was not connected to his contractual employment by or professional role within the University” [para 5]. As a result, the authority considered the information was not in its possession under EIR.

The requester challenged the refusal and complained to the Information Commissioner. Following the Commissioner’s decision that the University did not hold the information for the purposes of EIR, he appealed to the First-Tier Tribunal (FTT) which upheld the Commissioner’s decision.

In his submission to the UT, the requester contended that information is held if it is in the ‘physical’ possession of the authority or ‘in their control’. In this case, the information had been sent to the review editor at his university’s email address which operated through the University’s server. The requester argued that the information was ‘in possession’ of the University as it was held on a computer owned by the University.

The UT rejected this interpretation. The Tribunal pointed out that the phrase ‘produced and received by the authority’ in reg 3(2)(a) added something to the fact of possession, and that the word ‘by’ was meant to show “that the authority must itself be the producer or recipient of the information” [para. 46].

The Tribunal argued that a “factual determination is required as to how the information has come to be in the possession of the authority. The question is whether the information was produced or received by means which were unconnected with the authority, for example by an individual in their personal or other independent capacity; or whether it was produced or received by means which related to the authority, for example by someone acting in their professional capacity in relation to the authority (such as an employee of the authority). The connection must be such that it can be said that the production or receipt of the information is attributable to (“by”) the authority.” [para 48].

As a result, the UT dismissed the requester’s appeal and upheld the FTT’s decision that the University did not hold the information for the purposes of EIR because it had been received, held and produced by the professor “as a private individual on behalf of IPCC; the precise location at which Professor Wadhams carried out this role and the specific computer, library, desk and e-mail address he used for the role is immaterial.” [para 11].

Information held on “your behalf”

For the purposes of FOIA, the second part of the definition of section 3(2) states that information held by the public authority includes information “held by another person on behalf of the authority”.

This means that there may be information within the scope of a FOIA request that you do not physically hold, either in hard copies or electronic files on your systems. This could be information that the contractor holds on your behalf.

A contractor will inevitably generate a large amount of information while running an outsourced service. At some stage, you will receive some of this information. Usually, this will be as part of reporting against key performance indicators (KPIs). However, behind these KPI reports, there is likely to be other information that you will not necessarily have received. Therefore, if you receive a FOIA request about that information, you need to establish how much of this the contractor holds purely for their own purposes and how much they hold on your behalf.

To do so, it is important you have an objective reason to help you to determine whether the contractor holds certain information on your behalf. Normally, the contract you have with a contractor is the primary source to look at. This will provide you with an objective and evidence-based approach to resolving the issue of whether information is held on your behalf. This is because the contract is the legal document defining the relationship between, and respective responsibilities of, each party. It is unlikely that the contract will explicitly spell out what information is held on your behalf. However, it can provide you with helpful indicators in establishing if that is the case.

For example, the contract should set out the following information:

  • What information the contractor is required to provide you for reporting and monitoring purposes.
  • What information you have the right to see and whether there are any conditions on that access.
  • What happens to information that is in the contractor’s possession at the termination of the contract. That is, whether it remains with the contractor or whether it reverts to you.

Generally, the Commissioner and the Tribunals also look at contractual clauses when deciding held or not held cases in the context of outsourcing.


In Decision Notice FS50800160, through a close reading of the contract’s terms, the Commissioner reached the conclusion that the contractor, Capita Business Services Ltd, held the requested information on behalf of the authority by virtue of section 3(2)(b) of FOIA. In reaching this decision, the Commissioner gave weight to a clause in the appendix of the contract which gave the authority access to certain information which related to one of its core functions.

The Department for Work and Pensions (DWP) outsourced some of the tests to determine eligibility for Personal Independence Payments (PIP) to two private companies. PIP is a welfare benefit aimed at providing support with extra cost of living expenses to adults with a disability.

In Northern Ireland (NI), the Department for Communities (‘the Department’) is responsible for administering social security and welfare as one of its devolved functions. Capita was one of the two private companies to which eligibility for PIP had been outsourced, covering the NI region.

The request to the Department concerned data on approval-related audits carried out by Capita.

According to the terms of the contract, Capita was to provide Departmental decision makers with medical expertise to facilitate the assessment of PIP benefit eligibility in NI. Capita was contractually required to provide the Department with management information on a regular basis.

The requested information( ie the approval-related audits) was generated by Capita and there was no provision under the agreed terms of the contract that this information was to be automatically provided to the Department.

However, during their investigation, the Commissioner found the following clause in Appendix 3 of the contract between the Department and Capita. The clause stated that:

“The Authority intends, wherever it can, to capture and collate information through its IT system(s). However, the Authority does reserve the right to make reasonable requests for information from the Provider including ad-hoc requests for information from time to time”.

The Department argued that this clause did not mean that Capita held the disputed information on behalf of the authority and that the Department was not able to make a ‘reasonable request’ to access this kind of information. The Department held this position on the following grounds:

  • the information was not created for Departmental business reasons;
  • it is not gathered or required by the Department to meet a business requirement; and
  • the clause was meant to provide access to certain information ‘from time to time’ and it was not intended to provide a general right of access to Capita’s internal documentation using the public authority as a conduit.

The Commissioner disagreed with this reasoning. They found that the requested information was about the monitoring of a function which the Department had contractually devolved to Capita (ie medical assessments for determining the eligibility of state benefits).

For this reason, in the Commissioner’s view, the Department could make a reasonable request for the information under the terms of the agreement and Capita would be contractually bound to comply.

Consequently, the Commissioner decided that “section 3(2) operates so that the requested information is held by Capita on behalf of the public authority” [para. 33].

This example shows that the contractor was found to hold the requested information on behalf of the authority even though the authority did not automatically receive it under the terms of the contract nor had routine access to it for a specific business need. In the case above, the Commissioner also noted that “the closer the outsourced service is to the public authority’s core function, the more likely it is that information about that service is held on behalf of the authority”.

Therefore, when looking at a contract to determine whether the information is held on your behalf, you need to establish the scope of any clauses dealing with access to information. These clauses may either give you access to certain specified information about the outsourced service or a more general right to access information to monitor the contractor’s performance.


In Decision Notice FS50810571, the Commissioner found that the contractor was not holding the information on behalf of the authority. In reaching this conclusion, they were again influenced by the terms of the contract which did not give the authority access to the specific information being requested.

The applicant had asked for information about the job descriptions, salary bands and number of staff delivering the procurement service for Peterborough City Council. The contracted partner for this work was Serco Ltd.

During the investigation, the Council stated that Serco was contracted to provide several managed services, including procurement. However, the authority stressed that the contractor was entirely responsible for deciding how the contract requirements were to be met. This included decisions about number of roles needed, relevant job descriptions and associated salary. The Council noted that it had no role in this process and that, under the contractual terms, it only had access to information such as number of core resource days and how these hours were apportioned within the procurement function itself.

The Commissioner accepted these arguments. They found that, under the terms of the contract, the Council had no right of access to this specific information, nor they could find evidence that the authority had a role in creating, recording, filing or removing the information.

Consequently, the Commissioner decided that Serco did not hold the requested information on behalf of the Council, as defined by section 3(2)(b) of FOIA.

The above examples have shown the role the contract can have in helping you to establish when information is held on your behalf and when it is not. However, there may be circumstances where the information is still being held on your behalf even though this is not specifically provided for in the contract.


In William Visser v. Information Commissioner and London Borough of Southwark Council, EA/2012/0125 (11 January 2013), the First-tier Tribunal decided that the information was being held by the contractor on behalf of Southwark Council, even though there was no contractual requirement for the contractor to collate and provide the requested information to the authority for monitoring purposes.

The applicant had submitted a request for information to the Council asking for a copy of the attendance register at Seven Islands Leisure Centre. The Council had contracted out the management of its leisure centres to a company called Fusion Lifestyle.

Under the terms of the contract, Fusion was required to submit an annual report including key performance indicators and trend analysis of usage figures. There was no contractual requirement for Fusion to keep a register nor to provide this kind of granular information to the Council. However, on examining the evidence, the Tribunal found that there was a connection between the requested information and the Council. In the Tribunal’s view, this connection meant that the information was being held on behalf of the Council.

Specifically, the Tribunal argued that:

“The legal relationship between Fusion and the Council is set out in the contract. The Council requires a certain level of performance (…) Fusion uses the requested information to demonstrate whether it has met that level of performance. Accordingly, the requested information is specifically used by Fusion to satisfy provisions of the contract and, therefore, we consider it to be held for the Council’s purposes and so held under FOIA” [para. 29].

These cases show that the contract is an important source when deciding who holds the information. However, these examples also show that you need to look at contractual provisions in context and take into account all the facts of the case. The contract you have with a contractor may include no provisions that indicate certain information is held on your behalf. However, if you can access information as a matter of custom and practice, or if you can access it in certain circumstances, it is likely that the information is being held on your behalf.

When considering your obligations under access to information law in the context of outsourcing, you should be mindful that these obligations apply throughout the outsourcing chain. Both FOIA and the EIR simply refer to information held by ‘another person’ on behalf of a public authority. This means that, if the main contractor contracted out some work to a sub-contractor, information held by the subcontractor may still be in the scope of FOIA or EIR.  

In these circumstances, we recommend you take the same evidence-based approach described earlier. That is, making an assessment about whether information is held on your behalf by taking into account any relevant contract terms and the facts of the case.


In Decision Notice FER0484371, the Commissioner found that – on the facts of the case – the information held by the subcontractor was not being held on behalf of the authority.

This case concerned a request to the Olympic Delivery Authority (ODA) for information about the reinstatement of Leyton Marsh following its use as a basketball training venue during the London Olympics. Specifically, the applicant had requested information about the procurement, preparation and installation of turf and seed. The request was handled under the EIR.

The work was carried out by a company called STRI which were subcontracted by Nussli, that were the main contractors to the ODA. The information was held by STRI.

The Commissioner found that, although the information held by STRI related to the work they were doing ultimately on behalf of the ODA, this did not necessarily mean that they held that information on behalf of the ODA. STRI did not have a direct contractual relationship with the ODA. The ODA’s contract was with Nussli, and there was no clause in it that gave the ODA direct access to, or any control over, the information held by any subcontractor.

Publicly-owned companies and joint working arrangements

Outsourcing is not restricted to situations where you enter a contract with an existing private company. In some cases, you may wish to set up a company or some other form of organisation to deliver a service on your behalf.

Where you have set up a company – either on your own or in partnership with other public authorities – the company in question may be a public authority for the purposes of FOIA. This means that the company could qualify as a ”publicly owned company” as defined by section 6 of FOIA. To meet the criteria under this section, the company needs to be wholly owned by the Crown or the wider public sector, or a combination of both.  Even if the company does not meet these criteria, it may still be holding information falling within the scope of FOIA. This means it is similar to the scenarios examined above in the context of outsourcing to a private contractor. The company may be holding information on your behalf even though it is not publicly owned.

Likewise, there may be situations where you physically hold the information about this type of external company because of your dealings with it. For example, you are funding it or you have a representative on its board, thereby holding associated documents and records on your systems. As we have seen above, in these circumstances you need to establish whether you hold the information to any extent for your own purposes.

Alternatively, you may be delivering services through joint working or partnership arrangements with one or more public authorities to deliver public services. For example, the provision of employment skills training and apprenticeships, health and social care services or support to businesses. A joint working or partnership arrangement is an agreement which sets out the rights and responsibilities of each partner in the partnership. An example of this could be a Memorandum of Understanding. The arrangement may have its own name and branding but not have its own legal personality. This means it is not a body with its own legal rights and duties. In this scenario, a FOIA or EIR request to that body is, in effect, a request to all parties involved in the partnership. This means that, in practice, one of the public authorities in the partnership may take the lead in gathering the information and coordinating the response to the request. However, each of the parties involved needs to establish what relevant information they hold.


Several councils set up a partnership to provide support and assistance to residents in the region who have lost their jobs because of the Covid-19 pandemic. The partnership has its own branding and contact details. It delivers several initiatives aimed at providing support with retraining or employability skills development courses.

If a FOIA request is made about the services provided through the partnership, each public authority partner would be responsible for  identifying what relevant information they hold about this that may be in scope of FOIA.

This could be information such as:

  • reports on effectiveness of the retraining programmes in reducing unemployment in the region;
  • funding provided by each partner into the partnership for the provision of the services delivered; or
  • contracts in place with third-party training providers and the tendering process for assigning these.

Public authorities entering a joint or partnership arrangement for the delivery of public services are not to be confused with instances where public authorities join a membership association to receive certain services through being a member, by paying a membership fee. You can view more detail on designation as public authorities in our guidance on Public authorities under FOIA.

Information management

Information held by a contractor on your behalf is also within the scope of your responsibility for information management purposes. This means you should ensure that the contractor applies appropriate information management standards and procedures. This responsibility is set out in the s46 Code of Practice on Records Management. The Code provides guidance to public authorities on good practice about the keeping, management and destruction of records. In section 2.8, ‘Responsibilities where information is shared’’, the Code states:

“Where the authority works jointly with another authority, body or contractor, a lead or commissioning authority should be agreed which will remain responsible for ensuring that information is managed in accordance with the Code throughout its life.

The authority and its partner authorities, bodies or contractors should set out their responsibilities in an information sharing agreement. This includes where information in separate authorities’ systems is integrated by technical means” (para. 2.8.1 and 2.8.2)

What is a “Transparency by Design” approach?

When drawing up an outsourcing contract, we recommend that you adopt a “transparency by design” approach as a matter of best practice. This can help you to meet your transparency obligations and demonstrate accountability when outsourcing the delivery of your services.

Transparency by design encompasses four main elements of best practice:

  • Making information available proactively.
  • Agreeing what information is held in terms of FOIA or EIR or both.
  • Setting out the responsibilities in handling requests for information.
  • Considering in advance whether information may be exempt from disclosure.

If you are considering outsourcing for a major project, we would also recommend carrying out a transparency impact assessment at the outset. By this, we mean considering beforehand in a formal way:

  • all the types of information that will be generated because of the contract, including the information you could proactively disclose;
  • identifying the kind of information that is likely to be requested, including by reviewing previous FOIA or EIR requests, that would inform public debate;
  • the effects of disclosing the information on your interests as well as on those of the contractor or any other relevant third-party (eg a subcontractor); and
  • how to carry out the public interest test, when necessary.

As part of this exercise, you could also consider consulting with interest groups and other relevant stakeholders. This will help you to have a better understanding of the types of information that could be requested and how you could make this available, unless an exemption or exception applies.

Making information available proactively

Transparency by design starts with transparency by default. This means that your default position should be to commit to publishing as much information proactively and routinely as possible. Therefore, you need to identify key information about the contract that you can make publicly available. Once you have made this decision, you should plan how you will provide this information and in what format. As part of the information, you should disclose not only the contract itself but also information about the contractor’s performance against KPIs. You could also choose to list the types of information you intend to publish proactively in an annex to the contract.

You should list the information you publish routinely in your publication scheme. The ICO has developed a model publication scheme to help you meet your transparency obligations of making certain classes of information routinely available. We have also published definition documents for different areas of the public sector. These documents explain what information we expect you to proactively publish under each class. You should include details of contracts put out to tender and of contracts awarded in the class ‘What we spend and how we spend it’. The threshold value of the invitations to tender and contracts varies according to the sector.

To increase transparency, you should also consider using open data formats. This will improve the way data is analysed and facilitate its re-use, thereby helping you to further demonstrate compliance with your transparency obligations. The Open Data Institute has published a helpful guide on How to embed open data into the procurement of public services.

Agreeing what is held

As a matter of best practice, you should lay out in the contract what information about the outsourced service is being held on your behalf. This is not about drawing up an exhaustive list of documents or datasets, although you could list some specific items. Rather, you should identify the types of information that will be held on your behalf. This could include information that:

  • you have a right to see to monitor the contractor’s performance in delivering the service;
  • you provide to the contractor such as the content of training materials;
  • will be passed on to you at the termination of the contract such as systems’ manuals and documentation.

As explained before, establishing whether you hold information is crucial in the context of outsourcing. Addressing these issues at the outset can:

  • assist you to meet your transparency obligations;
  • save you time in the long run;
  • remove ambiguity; and
  • promote consistency.

Making an assessment of what information will be held on your behalf should not be a unilateral exercise. You should discuss these issues with your contractor and reach a broad agreement on the types of information that could be requested under FOIA or the EIR. You should also involve relevant members of your staff in these conversations, such as your information access officer(s), as well as members of your procurement team.

If the contractor has contracted out some work to a subcontractor, you should ensure the contract lists what types of information the contractor will hold on your behalf. You should include provisions in the contract to give the contractor the right to access this information from the subcontractor, as required.

It is important to remember that you retain ultimate responsibility to comply with access to information law. As a public authority, you cannot limit what is held so narrowly in the contract that it excludes information that should reasonably be in scope. Rather, your default position should be to publish as much information as possible proactively, whilst spelling out in the contract the details of what information is in scope and what information may be exempt from disclosure.

Clearly setting out in the contract what information the contractor holds on your behalf will help you to deal effectively with access to information requests. As shown in the examples above, when dealing with a complaint or appeal, the ICO and Tribunals will look at the contract as a primary, albeit not definitive, source of reference to establish what is held.

Setting out responsibilities in handling requests for information

As part of your transparency obligations, you should include in the contract clauses the procedures you should follow when you receive a FOIA or EIR request.

Typically, these procedures will include the following elements:    

  • The contractor recognises that you – as a public authority – are subject to freedom of information.
  • When receiving a FOIA or EIR request directly, the contractor undertakes to transfer these requests to you with no undue delay.
  • You retain the decision-making function about what information to disclose or withhold or both in response to the requests. In reaching your decision, you can consult with the contractor and take their views into account. However, you are not bound by them.
  • The contractor should assist you in answering these requests and provide you with all the information you reasonably need.
  • Agreed ground rules about disclosing information designed as potentially exempt. Specifically, you should provide clarity that decisions about whether to release this information will depend on the facts and there is no guarantee that you will not disclose potentially exempt information.

The Cabinet Office and the Government Legal Department have developed a Model Services Contract and a Model Services Contract guidance document for  use by government departments and public authorities for service contracts with a value of £20 million or more. The Model Service Contract includes an example of a standard FOIA clause, clause 23. Standard clauses such as these are a useful tool to ‘build in’ transparency into your contract,  helping you to meet your FOIA and EIR obligations. These clauses can also be a helpful way to engage in a dialogue with contractors and explain your transparency requirements to them.

Considering in advance whether information may be exempt from disclosure

As previously mentioned, the fact that you or your contractor hold information about the outsourced services which is in scope of FOIA or the EIR does not necessarily mean you must disclose it.

Although the ICO expects you to embed transparency when outsourcing, we also recognise that there is information you can legitimately withhold from disclosure. The exemptions and exceptions in FOIA and the EIR provide safeguards which allow you to strike a balance between the public interest in transparency about outsourcing and the protection of legitimate interests such as commercial interests, information provided in confidence or third-party personal data.

When receiving a request for information about your outsourced services, you can consider whether a FOIA exemption or an EIR exception apply (where the information is environmental). You should carry out the public interest test where needed.

Once you have agreed with the contractor what information is within scope of FOIA or the EIR, you should also engage with them at an early stage. You should identify potentially sensitive areas and the types of information that may be subject to an exemption or exception. This exercise may produce a detailed list of information. You could consider laying out this list in a working arrangement or protocol, rather than setting it out in the contract terms. To identify particularly sensitive information, you could also review previous FOIA or EIR requests. In the case of a major project, you should also carry out a transparency impact assessment.

Nonetheless, you should always consider each request for information in context and assess it depending on the circumstances of the case. You should also keep in mind that the sensitivity of certain information can change over time, for example based on what stage has been reached in the lifecycle of the contract.