The ICO exists to empower you through information.

What information should you include in your refusal notice?

When you refuse a request under FOIA or the EIR, you must issue a refusal notice. You must do this as soon as you can or within 20 working days.

Your refusal notice must explain how you have handled the request and why you have made the decision to refuse it.

Specifically, you should explain:

  • how you have decided that the requested information is personal data;
  • whether you’ve handled the request under FOIA or the EIR. This is especially important if the requested information is statistical data; and
  • which specific limb of section 40 or regulation 13 you are relying on.

If you are claiming other exemptions for the same piece of information, you must also explain why those apply.

If you have decided that the first condition applies, explain how you have considered each part of the legitimate interest assessment. Explain how you conducted the balancing exercise and the outcome.

If you have decided that the second or third condition apply, explain how you conducted the public interest test and the outcome.

If you are relying on the NCND provisions of FOIA, section 17(4) says you don’t have to explain why the exemption applies if doing so risks revealing whether or not you hold the information.

Requesters may not be familiar with FOIA or the EIR. You should explain your decision as clearly and simply as possible.

For more information, read our guidance on Refusing a request.

What should you tell requesters about internal reviews?

Your refusal notice should also give details of any internal procedure you have in place for dealing with complaints about your handling of the request. This is known as an internal review.

Under FOIA, it’s good practice to offer an internal review but you don’t have to.

You must offer an internal review under the EIR.

If you offer an internal review, you could ask the requester to provide arguments in support of disclosing the requested information, or confirming or denying that you hold it.

If the requester does provide arguments, you should address them in the internal review.

The internal review is your opportunity to consider if you dealt with the request in accordance with your obligations under the Act or under the Regulations.