About the guide

About the Guide to freedom of information

We have updated our guidance about refusing a request, and have changed the following sections:

  1. When you can use an exemption to neither confirm nor deny you hold information, if to do so would disclose personal data; and
  2. When you can refuse a request because it contains personal data.

In line with ‘Openness by Design: The Information Commissioner’s strategic plan 2019/20-2021/22’, we have begun to review and update our Freedom of Information Guidance. Updates will be placed here when updated guidance is published.

This guide is for those who work for a public authority and have day-to-day responsibility for freedom of information.

It explains how to apply the Act by giving practical examples and answering frequently asked questions.

What is the FOI Act?

In brief

The Freedom of Information Act 2000 provides public access to information held by public authorities.

It does this in two ways:

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Recorded information includes printed documents, computer files, letters, emails, photographs, and sound or video recordings.

The Act does not give people access to their own personal data (information about themselves) such as their health records or credit reference file. If a member of the public wants to see information that a public authority holds about them, they should make a data protection subject access request.

In more detail

What is the Freedom of Information Act for?

The government first published proposals for freedom of information in 1997. In the white paper Your Right to Know, the government explained that the aim was a more open government based on mutual trust.

"Openness is fundamental to the political health of a modern state. This White Paper marks a watershed in the relationship between the government and people of the United Kingdom. At last there is a government ready to trust the people with a legal right to information."

Public authorities spend money collected from taxpayers, and make decisions that can significantly affect many people’s lives. Access to information helps the public make public authorities accountable for their actions and allows public debate to be better informed and more productive.

"Unnecessary secrecy in government leads to arrogance in governance and defective decision-making." - Your Right to Know

Access to official information can also improve public confidence and trust if government and public sector bodies are seen as being open. In a 2011 survey carried out on behalf of the Information Commissioner’s Office, 81% of public bodies questioned agreed that the Act had increased the public’s trust in their organisation.

What are the principles behind the Freedom of Information Act?

The main principle behind freedom of information legislation is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to. This is sometimes described as a presumption or assumption in favour of disclosure. The Act is also sometimes described as purpose and applicant blind.

This means that:

This does not prevent you voluntarily giving information to certain people outside the provisions of the Act.

Are we covered by the Freedom of Information Act?

The Act only covers public authorities. Schedule 1 of the Act contains a list of the bodies that are classed as public authorities in this context. Some of these bodies are listed by name, such as the Health and Safety Executive or the National Gallery. Others are listed by type, for example government departments, parish councils, or maintained schools. Executive agencies are classed as part of their parent government department; for example, the DVLA is covered by the Act because it is part of the Department for Transport. However, arm’s-length bodies are not considered part of the department sponsoring them, and they are listed individually in Part VI of Schedule 1.

Section 5 of the Act gives the Secretary of State the power to designate further bodies as public authorities. If in doubt, you can check the latest position at www.legislation.gov.uk.

Certain bodies are only covered for some of the information they hold, for example:

In addition to the bodies listed in the Act, with effect from 1 September 2013 the definition of a public authority now also covers companies which are wholly owned:

These terms are defined in more detail in the amended section 6 of FOIA.

For example, some local authorities have transferred responsibility for services (eg social housing) to a private company (sometimes known as an arm’s-length management organisation or ALMO), which is wholly owned by the local authority. This type of company counts as a public authority in its own right and needs to respond to requests for information. Where a company is wholly owned by a number of local authorities it is also now a public authority for the purposes of FOIA.

Individual MPs, assembly members or councillors are not covered by the Act.

For further information, read our more detailed guidance:

When is information covered by the Freedom of Information Act?

The Act covers all recorded information held by a public authority. It is not limited to official documents and it covers, for example, drafts, emails, notes, recordings of telephone conversations and CCTV recordings. Nor is it limited to information you create, so it also covers, for example, letters you receive from members of the public, although there may be a good reason not to release them.

The Act includes some specific requirements to do with datasets. For these purposes, a dataset is a collection of factual, raw data that you gather as part of providing services and delivering your functions as a public authority, and that you hold in electronic form. Your duties in relation to datasets are explained elsewhere in this Guide, where they are relevant.

Requests are sometimes made for less obvious sources of recorded information, such as the author and date of drafting, found in the properties of a document (sometimes called meta-data). This information is recorded so is covered by the Act and you must consider it for release in the normal way.

Similarly, you should treat requests for recorded information about the handling of previous freedom of information requests (meta-requests) no differently from any other request for recorded information.

The Act does not cover information that is in someone’s head. If a member of the public asks for information, you only have to provide information you already have in recorded form. You do not have to create new information or find the answer to a question from staff who may happen to know it.

The Act covers information that is held on behalf of a public authority even if it is not held on the authority’s premises. For example, you may keep certain records in off-site storage, or you may send out certain types of work to be processed by a contractor. Similarly, although individual councillors are not public authorities in their own right, they do sometimes hold information about council business on behalf of their council.

Where you subcontract public services to an external company, that company may then hold information on your behalf, depending on the type of information and your contract with them. Some of the information held by the external company may be covered by the Act if you receive a freedom of information request. The company does not have to answer any requests for information it receives, but it would be good practice for them to forward the requests to you. The same applies where you receive services under a contract, for example, if you consult external solicitors.

The Act does not cover information you hold solely on behalf of another person, body or organisation. This means employees’ purely private information is not covered, even if it is on a work computer or email account; nor is information you store solely on behalf of a trade union, or an individual MP or councillor.

For further information, read our more detailed guidance:

Who can make a freedom of information request?

Anyone can make a freedom of information request – they do not have to be UK citizens, or resident in the UK. Freedom of information requests can also be made by organisations, for example a newspaper, a campaign group, or a company. Employees of a public authority can make requests to their own employer, although good internal communications and staff relations will normally avoid the need for this.

Requesters should direct their requests for information to the public authority they think will hold the information. The public authority that receives the request is responsible for responding. Requests should not be sent to the Information Commissioner’s Office (ICO), except where the requester wants information the ICO holds.

For further information, read our more detailed guidance:

What are our obligations under the Freedom of Information Act?

You have two main obligations under the Act. You must:

In addition, three codes of practice contain recommended good practice when applying the Act.

The section 45 code of practice gives recommendations for public authorities about their handling of requests. It covers the situations in which you should give advice and assistance to those making requests; the complaints procedures you should put in place; and various considerations that may affect your relationships with other public bodies or third parties.

There is an additional section 45 code of practice on datasets. This provides guidance to public authorities on how to meet their obligations in relation to the dataset provisions in sections 11, 11A, 11B and 19 of the Act.

The section 46 code of practice covers good records management practice and the obligations of public authorities under the Public Records Acts to maintain their records in an ordered and managed way, so that they can readily retrieve information when it is needed.

These codes of practice are not directly legally binding but failure to follow them is likely to lead to breaches of the Act. In particular there is a link between following part II of the section 45 code of practice and complying with section 16 of the Act. Section 16 requires you to provide applicants with reasonable advice and assistance. This includes advice and assistance to members of the public before they have made their request.

For further information, read our more detailed guidance:

What do we need to tell people about the Freedom of Information Act?

Making information available is only valuable to the public if they know they can access it, and what is available. You should:

You should communicate with the public in a range of ways. This is likely to include websites, noticeboards, leaflets, or posters in places where people access your services.

You must also make your staff, contractors, customers or others you have contact with aware of how the Act may affect them. You should make it clear that you cannot guarantee complete confidentiality of information and that as a public body you must consider for release any information you hold if it is requested. You will need to consider each request individually, but it is worthwhile having policies or guidelines for certain types of information, such as information about staff.

How does the Freedom of Information Act affect data protection? 

The General Data Protection Regulation (the GDPR) and the Data Protection Act 2018 (the DPA 2018) give rules for handling information about people. They include the right for people to access their personal data. The Freedom of Information Act and the DPA 2018 come under the heading of information rights and are regulated by the ICO.

When a person makes a request for their own information, this is a data protection subject access request. However, members of the public often wrongly think it is the Freedom of Information Act that gives them the right to their personal information, so you may need to clarify things when responding to such a request.

The GDPR and the DPA 2018 exist to protect people’s right to privacy, whereas the Freedom of Information Act is about getting rid of unnecessary secrecy. These two aims are not necessarily incompatible but there can be a tension between them, and applying them sometimes requires careful judgement.

When someone makes a request for information that includes someone else’s personal data, you will need to carefully balance the case for transparency and openness under the Freedom of Information Act against the data subject’s right to privacy under the data protection legislation. You will need to decide whether you can release the information without infringing the GDPR data protection principles.

See When can we refuse a request? for more information on the exemptions for personal data.

How does the Freedom of Information Act affect copyright and intellectual property?

The Act does not affect copyright and intellectual property rights that give owners the right to protect their original work against commercial exploitation by others. If someone wishes to re-use public sector information for commercial purposes, they should make an application under the Re-use of Public Sector Information Regulations. See the What is PSI? section of the National Archives website for more information on this. The ICO does not have any powers to regulate copyright or the re-use of information.

When giving access to information under the Act, you cannot place any conditions or restrictions on that access. For example, you cannot require the requester to sign any agreement before they are given access to the information. However, you can include a copyright notice with the information you disclose. You can also make a claim in the courts if the requester or someone else uses the information in breach of copyright. The ICO encourages public authorities to use the Open Government Licence provided by the National Archives.

In most cases re-use of information released under the Act is dealt with under RPSI. RPSI applies to most but not all public authorities; for example, universities in general are not covered by RPSI although their libraries are. For public authorities that are not subject to RPSI, there are some re-use provisions in the Act but they only apply to one type of information, namely datasets. Under these provisions, if you are releasing a dataset that is a ‘relevant copyright work’ and you are the only owner of the copyright or database rights, then you must release it under a licence that permits re-use. The licences to use for this are specified in the section 45 code of practice on datasets. If the dataset can be re-used without charge, then the appropriate licence will usually be the Open Government Licence.

For further information, read our more detailed guidance:

What other laws may we need to take into account when applying the Freedom of Information Act?

The Freedom of Information Act may work alongside other laws.

Some of the exemptions in the Act that allow public authorities to withhold information use principles from common law, for example the section 41 exemption refers to the law of confidence.

Also, section 44 of the Act allows information to be withheld when its disclosure is prohibited under other legislation, and section 21 can exempt information that is accessible to an applicant using procedures in other legislation. See When can we refuse a request? for more information on the exemptions.

When dealing with requests for information, you should continue to be aware of your obligations under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland). These Acts are not regulated by the ICO so they are not covered in this guidance.

You should handle requests for environmental information under the Environmental Information Regulations 2004. The Regulations also require you to make environmental information available proactively by readily accessible electronic means. If you are likely to be handling requests for information, you will need to familiarise yourself with the basics of the Regulations, especially the definition of ‘environmental information’, found in regulation 2(1).

If you are a public sector body as defined by RPSI then most of the information you hold as part of your public task must be made available for re-use on request. Most, but not all, public authorities are public sector bodies under RPSI. Libraries, museums and archives are covered but they have discretion as to whether to permit re-use. RPSI applies to information in which you, as the public sector body, hold the intellectual property rights but does not generally apply to information that is exempt from disclosure under the Act or under the Environmental Information Regulations.

The Infrastructure for Spatial Information in the European Community Regulations 2009 came into force on 31 December 2009. You will need to take these into account when considering your duty under the Freedom of Information Act to proactively publish information, as they require public authorities to make ‘spatial data sets’ (sets of data linked to geographical locations) publicly available in a consistent and usable electronic format.

For further information, read our more detailed guidance:

Publication scheme

In brief

As well as responding to requests for information, you must publish information proactively. The Freedom of Information Act requires every public authority to have a publication scheme, approved by the Information Commissioner’s Office (ICO), and to publish information covered by the scheme.

The scheme must set out your commitment to make certain classes of information routinely available, such as policies and procedures, minutes of meetings, annual reports and financial information.

To help you do this the ICO has developed a model publication scheme. There are two versions; one for most public authorities and one for the few public authorities that are only covered for part of the information they hold.

The information you release in accordance with the publication scheme represents the minimum you must disclose. If a member of the public wants information not listed in the scheme, they can still ask you for it (see What should we do when we receive a request?).

Most public authorities will make their publication scheme available on their website under ‘freedom of information’, ‘guide to information’ or ‘publication scheme’. If you are asked for any of this information, you should be able to make it available quickly and easily, so you should make your staff aware of the information available through your publication scheme.

If you are involved in implementing and maintaining the scheme, you will need to read the detail below.

In more detail

Do we need to produce our own publication scheme?

No. Every public authority must have a publication scheme, but the ICO has now created a model publication scheme that all public authorities must use. It is available in two versions; one is designed for those public authorities that are only covered for certain information, and the other is for all other public authorities. Any publication scheme you have that was created before 1 January 2009 is now out of date and you should replace it with the ICO model scheme.

What is the model publication scheme?

The model publication scheme is a short document (say two pages long) setting out your high-level commitment to proactively publish information. It is suitable for all sectors and consists of seven commitments and seven classes of information.

The model publication scheme commits you to publish certain classes of information. It also specifies how you should make the information available, what you can charge, and what you need to tell members of the public about the scheme.

The ICO will inform public authorities if we plan to update the model publication scheme, via our website.

For further information, read:

How should we comply with the model publication scheme?

You should adopt the scheme and you need not tell the ICO you have done so. The model scheme is appropriate for all public authorities so you should not change it. You should also make sure you publish the information it covers.

You should also produce:

You should publicise the fact that information is available to the public under the scheme. You should make sure the model scheme, guide to information, and schedule of fees are all available on your website, public notice board, or in any other way you normally communicate with the public.

What kind of information should we publish and include in our guide to information?

The model publication scheme describes the seven types (classes) of information you should publish.

The seven classes of information are broad and include headings like ‘Who we are and what we do’ and ‘The services we offer’. The classes cover all the more formal types of information you hold, such as information about the structure of your organisation, minutes of meetings, contracts, reports, plans and policies. You should include all information that falls in the seven classes, unless there is a good reason not to. This is in line with one of the principles of the Act – that public information should be made available unless there is good reason to withhold it, and the Act allows it.

You are not required to proactively publish drafts, notes, older versions of documents that have been superseded, emails or other correspondence. Actions and decisions in relation to specific individuals are also unlikely to be covered. Members of the public wanting access to information that is not included in your guide to information can still make a freedom of information request.

To help you decide what you should include in your guide to information, the ICO has produced definition documents for the various sectors. These set out the types of information the ICO would normally expect particular types of public authority to publish. For some smaller public authorities, such as health practitioners, parish councils and primary schools, the ICO has produced template guides to information that just need to be filled in.

Remember that you also need to maintain your publication scheme and continue to publish the information it lists. This means you must put in place a process to:

You should make yourself aware of any records management policies that support proactive publication. For example, you may need to notify the relevant person or department when you update, replace or alter any of the information covered by the publication scheme. You should make sure your staff receive the right training and guidance about this.

The Act contains specific requirements in relation to datasets and publication schemes. You must make available any dataset that has been requested, and any updated version you hold under your publication scheme, unless you are satisfied that it is not appropriate to do so. You must make the dataset available in a re-usable form. If the dataset is covered by the Re-use of Public Sector Information Regulations (RPSI), then you should license it for re-use under RPSI. If it is not covered, for example because you are not a public sector body under RPSI, then you should deal with licensing issues under the dataset provisions in the Act.

For further information, read our more detailed guidance:

What if we don’t have all the information that the model publication scheme covers?

The Act only covers information you hold. It does not require you to create new information or to record information you do not need for your own business purposes.

In your guide to information, list only the information you hold and must publish.

Can we refuse to publish information?

You should list any information you hold that falls within the classes in your guide to information unless:

Where you have decided not to publish information, it is good practice to record your reasons for this decision, in case you are questioned about this later.

Why must we publish information, rather than simply responding to requests?

The Act is designed to increase transparency. Members of the public should be able to routinely access information that is in the public interest and is safe to disclose. Also, without the publication scheme, members of the public may not know what information you have available.

The publication scheme covers information you have already decided you can give out. People should be able to access this information directly on the web, or receive it promptly and automatically whenever they ask.

Does all the information have to be on a website?

No, but if you have a website this is the easiest way for most people to access the information and will reduce your workload. The scheme recommends that information should be on a website wherever possible. However, some information may not be suitable for uploading to a website, such as information that is held only in hard copy or very large files. The ICO appreciates that some small public authorities will not have the technical resources to support complex or regularly updated websites.

Where information is not available online, you must still list the information in your guide to information and give contact details so people can make a request to see it. You should provide this promptly on request. You should also make information available in this way for people who lack access to the internet.

Some information may be available to view in person only, but this should be reserved for those exceptional circumstances where it is the only practicable option. For example, a large or fragile historical map may be difficult to copy. You should provide contact details and promptly arrange an appointment for the requester to view the information they have asked for.

The ICO recommends that you give the contact details of post holders who are responsible for specific types or pieces of information because they can easily access that information in their normal work and answer any questions about it. Making defined post holders responsible for specific pieces of information helps keep the information you publish up to date.

How much can we charge for information?

The Act does not specify how much you can charge for information published in accordance with a publication scheme (this is different from the rule for information released in response to a request – see What should we do when we receive a request?). However, you must publish a list of charges indicating when you will charge and how much. You will not be able to charge if you have not indicated this in advance.

The ICO model publication scheme requires any fee to be justified, transparent and kept to a minimum. As a general rule, you can only make the following charges:

If you make a dataset available for re-use under your publication scheme, and it is covered by RPSI, then you may charge for permitting re-use according to RPSI. If it is not covered, for example because you are not a public sector body under RPSI, then you should deal with charging for re-use according to the dataset provisions in the Act. If datasets are made available for re-use under the Open Government Licence there is no re-use fee.

For further information, read our detailed guidance:

Definition documents

These set out the types of information we would expect particular types of authority to publish and list in their guide to information. For more details on using these, see our guidance on using the definition documents (pdf). Definition documents have not been produced for some smaller authorities as they have their own template guides to information, which are included below.

Central Government

Northern Ireland

Wales

Local Government

Health

Education

Police

Other Bodies

Can’t find your sector specific definition document or template guide to information?

The ICO has now published a sector specific definition document for most public authorities. These documents accompany the new model publication scheme and are a guide to the types of information we expect authorities to proactively publish.

There may be organisations specified in Schedule 1 of the Freedom of Information Act, eg Advisory NDPBs, who feel their role is too specialised to adopt the Non Departmental Public Bodies definition document. Although we recommend this as a starting point the ICO will welcome any suggestions on refining this definition document to make it more appropriate to these bodies.

Receiving a request

In brief

Anyone has a right to request information from a public authority. You have two separate duties when responding to these requests:

You normally have 20 working days to respond to a request.

For a request to be valid under the Freedom of Information Act it must be in writing, but requesters do not have to mention the Act or direct their request to a designated member of staff. It is good practice to provide the contact details of your freedom of information officer or team, if you have one, but you cannot ignore or refuse a request simply because it is addressed to a different member of staff. Any letter or email to a public authority asking for information is a request for recorded information under the Act.

This doesn’t mean you have to treat every enquiry formally as a request under the Act. It will often be most sensible and provide better customer service to deal with it as a normal customer enquiry under your usual customer service procedures, for example, if a member of the public wants to know what date their rubbish will be collected, or whether a school has a space for their child. The provisions of the Act need to come into force only if:

This request handling flowchart provides an overview of the steps to follow when handling a request for information.

In more detail

What makes a request valid?

To be valid under the Act, the request must:

This is not a hard test to satisfy. Almost anything in writing which asks for information will count as a request under the Act. The Act contains other provisions to deal with requests which are too broad, unclear or unreasonable.

Even if a request is not valid under the Freedom of Information Act, this does not necessarily mean you can ignore it. Requests for ‘environmental information’, for example, can be made verbally. You also have an obligation to provide advice and assistance to requesters. Where somebody seems to be requesting information but has failed to make a valid freedom of information request, you should draw their attention to their rights under the Act and tell them how to make a valid request.

For further information, read our more detailed guidance:

Can a question be a valid request?

Yes, a question can be a valid request for information. It is important to be aware of this so that you can identify requests and send them promptly to the correct person.

Example:

“Please send me all the information you have about the application for a 24-hour licence at the Midnite Bar.”

“Re. Midnite Bar licence application. Please explain, why have you decided to approve this application?”

Both are valid requests for information about the reasons for the decision.

Under the Act, if you have information in your records that answers the question you should provide it in response to the request. You are not required to answer a question if you do not already have the relevant information in recorded form.

In practice this can be a difficult area for public authorities. Many of those who ask questions just want a simple answer, not all the recorded information you hold. It can be frustrating for applicants to receive a formal response under the Act stating that you hold no recorded information, when this doesn’t answer their simple question. However, requesters do have a right to all the relevant recorded information you hold, and some may be equally frustrated if you take a less formal approach and fail to provide recorded information.

The best way round this is usually to speak to the applicant, explain to them how the Act works, and find out what they want. You should also remember that even though the Act requires you to provide recorded information, this doesn’t prevent you providing answers or explanations as well, as a matter of normal customer service.

The Information Commissioner’s Office (ICO) recognises that some public authorities may initially respond to questions informally, but we will expect you to consider your obligations under the Act as soon as it becomes clear that the applicant is dissatisfied with this approach. Ultimately, if there is a complaint to the ICO, the Commissioner will make her decision based on whether recorded information is held and has been provided.

Should Parliamentary Questions be treated as FOI requests?

Parliamentary Questions (PQs) are part of parliamentary proceedings and must not be treated as requests for information under FOIA (or under the EIR); to do so would infringe parliamentary privilege.

Councils may permit members of the public to raise questions, either orally or in writing, at council meetings. These questions also should not be treated as requests for information under FOIA or under the EIR.

When should we deal with a request as a freedom of information request?

You can deal with many requests by providing the requested information in the normal course of business. If the information is included in the publication scheme, you should give this out automatically, or provide a link to where the information can be accessed (see What information do we need to publish?).

If you need to deal with a request more formally, it is important to identify the relevant legislation:

Any other non-routine request for information you hold should be dealt with under the Freedom of Information Act.

What are the timescales for responding to a request for information?

Your main obligation under the Act is to respond to requests promptly, with a time limit acting as the longest time you can take. Under the Act, most public authorities may take up to 20 working days to respond, counting the first working day after the request is received as the first day. For schools, the standard time limit is 20 school days, or 60 working days if this is shorter.

‘Working day’ means any day other than a Saturday, a Sunday, or a public or bank holiday; this may or may not be the same as the days you are open for business or staff are in work.

The time allowed for complying with a request starts when your organisation receives it, not when it reaches the freedom of information officer or other relevant member of staff.

Certain circumstances (explained in this guidance and in When can we refuse a request?) may allow you extra time. However, in all cases you must give the requester a written response within the standard time limit for compliance.

What should we do when we receive a request?

First, read the request carefully and make sure you know what is being asked for. You must not simply give the requester information you think may be helpful; you must consider all the information that falls within the scope of the request, so identify this first. Always consider contacting the applicant to check that you have understood their request correctly.

You should read a request objectively. Do not get diverted by the tone of the language the requester has used, your previous experience of them (unless they explicitly refer you to this) or what you think they would be most interested in.

Example:

“Approving the 24-hour licence at the Midnite Bar – can you provide me the details of this completely ridiculous licence application?”

This may still be a valid request, in spite of the language.

What if we are unsure what’s being asked for?

Requests are often ambiguous, with many potential interpretations, or no clear meaning at all. If you can’t answer the request because you are not sure what is being requested, you must contact the requester as soon as possible for clarification.

You do not have to deal with the request until you have received whatever clarification you reasonably need. However, you must consider whether you can give the requester advice and assistance to enable them to clarify or rephrase their request. For example, you could explain what options may be available to them and ask whether any of these would adequately answer their request.

Example:

“You have asked for all expenses claims submitted by Mrs Jones and dates of all meetings attended by Mrs Jones in June, July or August last year.

This could mean:
A) all expenses claims Mrs Jones ever submitted, plus dates of meetings she attended in June, July and August; or
B) all expenses claims Mrs Jones submitted in June, July or August, and dates of meetings she attended in the same months.

Please let us know which you mean.”

Example:

“You have asked for a copy of our risk assessment policy. We do not have a specific policy relating to risk assessment. However, the following policies include an element of risk assessment:
* Health and Safety at Work policy
* Corporate Risk Strategy
* Security Manual

Please let us know whether you would be interested in any of these documents or what risk assessment information you are interested in seeing.”

The time for compliance will not begin until you have received the necessary clarification to allow you to answer the request.

What happens if we don’t have the information?

The Act only covers recorded information you hold. When compiling a response to a request for information, you may have to draw from multiple sources of information you hold, but you don’t have to make up an answer or find out information from elsewhere if you don’t already have the relevant information in recorded form.

Before you decide that you don’t hold any recorded information, you should make sure that you have carried out adequate and properly directed searches, and that you have convincing reasons for concluding that no recorded information is held. If an applicant complains to the ICO that you haven’t identified all the information you hold, we will consider the scope, quality and thoroughness of your searches and test the strength of your reasoning and conclusions.

If you don’t have the information the requester has asked for, you can comply with the request by telling them this, in writing. If you know that the information is held by another public authority, you could transfer the request to them or advise the requester to redirect their request. Part III of the section 45 code of practice provides advice on good practice in transferring requests for information.

It will take us a long time to find the information. Can we have extra time?

The Act does not allow extra time for searching for information. However, if finding the information and drawing it together to answer the request would be an unreasonable burden on your resources and exceed a set costs limit, you may be able to refuse the request. Likewise, you may not have to confirm whether or not you hold the information, if it would exceed the costs limit to determine this.

See When can we refuse a request? for more details.

Do we have to tell them what information we have?

Yes, unless one of the reasons for refusing to do this applies – see When can we refuse a request? for details.

You have two duties when responding to requests for information: to let the requester know whether you hold the information, and to provide the information. If you are giving out all the information you hold, this will fulfil both these duties. If you are refusing all or part of the request, you will normally still have to confirm whether you hold (further) information. You do not need to give a description of this information; you only have to say whether you have any (further) information that falls within the scope of the request.

In some circumstances, you can refuse to confirm or deny whether you hold any information. For example, if a requester asks you about evidence of criminal activity by a named individual, saying whether you hold such information could be unfair to the individual and could prejudice any police investigation. We call this a ‘neither confirm nor deny’ (NCND) response.

Do we have to release the information?

Yes, under the law you must release the information unless there is good reason not to. For more about when you may be able to refuse the request, or withhold some or all of the information, see When can we refuse a request?.

What if the information is inaccurate?

The Act covers recorded information, whether or not it is accurate. You cannot refuse a request for information simply because you know the information is out of date, incomplete or inaccurate. To avoid misleading the requester, you should normally be able to explain to them the nature of the information, or provide extra information to help put the information into context.

When considering complaints against a public authority, the ICO will normally reject arguments that inaccurate information should not be disclosed. However, in a few cases there may be strong and persuasive arguments for refusing a request on these grounds if these are specifically tied to an exemption in the Act. It will be up to you to identify such arguments.

Can we change or delete information that has been requested?

No. You should normally disclose the information you held at the time of the request. You are allowed to make routine changes to the information while you are dealing with the request as long as these would have been made regardless of the request. However, it would not be good practice to go ahead with a scheduled deletion of information if you know it has been requested.

You must not make any changes or deletions as a result of the request, for example, because you are concerned that some of the information could be embarrassing if it were released. This is a criminal offence (see What happens when someone complains?).

In what format should we give the requester the information?

There are a number of ways you could make information available, including by email, as a printed copy, on a disk, or by arranging for the requester to view the information. Normally, you should send the information by whatever means is most reasonable. For example, if the requester has made their request by email, and the information is an electronic document in a standard form, then it would be reasonable for you to reply by email and attach the information.

However, requesters have the right to specify their preferred means of communication, in their initial request. So you should check the original request for any preferences before sending out the information.

You may also want to consider whether you would like to include anything else with the information, such as a copyright notice for third party information, or explanation and background context.

Remember that disclosures under the Act are ‘to the world’, so anyone may see the information.

If the information that you are making available is a dataset, and the requester has expressed a preference for an electronic copy, then, so far as reasonably practicable, you must provide the dataset in a re-usable form.

If your authority is also a public sector body under the Re-use of Public Sector Information Regulations 2015 (RPSI) then you should deal with licensing re-use under the terms of RPSI. If RPSI does not apply you should license re-use according to the dataset provisions in the Act. These say that if the dataset is a ‘relevant copyright work’ and you are the only owner of the copyright or database rights, then you must make it available under a licence that permits re-use. The licences to use for this are specified in the section 45 code of practice on datasets. If the dataset can be re-used without charge, then the appropriate licence will usually be the Open Government Licence.

Can we charge for the information?

Yes, in certain cases. The Act does not allow you to charge a flat fee but you can recover your communication costs, such as for photocopying, printing and postage. You cannot normally charge for any other costs, such as for staff time spent searching for information, unless other relevant legislation authorises this.

However, if the cost of complying with the request would exceed the cost limit referred to in the legislation, you can offer to supply the information and recover your full costs (including staff time), rather than refusing the request. You can find more detail about the cost limit in When can we refuse a request?.

If you wish to charge a fee, you should send the requester a fees notice. You do not have to send the information until you have received the fee. The time limit for complying with the request excludes the time spent waiting for the fee to be paid. In other words, you should issue the fees notice within the standard time for compliance. Once you have received the fee, you should send out the information within the time remaining.

If the information that you are providing is a dataset, and it is covered by the RPSI, then you may charge for permitting re-use according to RPSI. If it is not covered, for example because you are not a public sector body under RPSI, then you should deal with charging for re-use according to the dataset provisions in the Act. There is no re-use fee if you are making the datasets available for re-use under the Open Government Licence.

Does the Freedom of Information Act allow us to disclose information to a specific person or group alone?

Disclosures under the Act are ‘to the world’. However, you can restrict the release of information to a specific individual or group at your discretion, outside the provisions of the Act.

If you make a restricted disclosure, you should make it very clear to the requester that the information is for them alone; many requesters are satisfied with this.

However, if the requester has made it clear that they want the information under the Act and are not satisfied with receiving it on a discretionary basis, you can give them the information, but you may also need to give them a formal refusal notice, explaining why you have not released it under the Act. See When can we refuse a request? for more details about refusal notices.

Is there anything else we should consider before sending the information?

You should double check that you have included the correct documents, and that the information you are releasing does not contain unnoticed personal data or other sensitive details which you did not intend to disclose.

This might be a particular issue if you are releasing an electronic document. Electronic documents often contain extra hidden information or ‘metadata’ in addition to the visible text of the document. For example, metadata might include the name of the author, or details of earlier draft versions. In particular, a spreadsheet displaying information as a table will often also contain the original detailed source data, even if this is not immediately visible at first glance.

You should ensure that staff responsible for answering requests understand how to use common software formats, and how to strip out any sensitive metadata or source data (eg data hidden behind pivot tables in spreadsheets).

See the National Archives Redaction Toolkit for further information, or read our more detailed guidance:

Refusing a request

In brief

A requester may ask for any information that is held by a public authority. However, this does not mean you are always obliged to provide the information. In some cases, there will be a good reason why you should not make public some or all of the information requested.

You can refuse an entire request under the following circumstances:

In addition, the Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.

Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely to arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.

There is also an exemption for personal data if releasing it would be contrary to the General Data Protection Regulation (the GDPR) or the Data Protection Act 2018 (the DPA 2018).

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require you to apply a public interest test. This means you must consider the public interest arguments before deciding whether to disclose the information. So you may have to disclose information in spite of an exemption, where it is in the public interest to do so.

If you are refusing all or any part of a request, you must send the requester a written refusal notice. You will need to issue a refusal notice if you are either refusing to say whether you hold information at all, or confirming that information is held but refusing to release it.

In more detail

When can we refuse a request on the grounds of cost?

The Act recognises that freedom of information requests are not the only demand on the resources of a public authority. They should not be allowed to cause a drain on your time, energy and finances to the extent that they negatively affect your normal public functions.

Currently, the cost limit for complying with a request or a linked series of requests from the same person or group is set at £600 for central government, Parliament and the armed forces and £450 for all other public authorities. You can refuse a request if you estimate that the cost of compliance would exceed this limit. This provision is found at section 12 of the Act.

You can refuse a request if deciding whether you hold the information would mean you exceed the cost limit, for example, because it would require an extensive search in a number of locations. Otherwise, you should say whether you hold the information, even if you cannot provide the information itself under the cost ceiling.

When calculating the costs of complying, you can aggregate (total) the costs of all related requests you receive within 60 working days from the same person or from people who seem to be working together.

How do we work out whether the cost limit would be exceeded?

You are only required to estimate whether the limit would be exceeded. You do not have to do the work covered by the estimate before deciding to refuse the request. However, the estimate must be reasonable and must follow the rules in the Freedom of Information (Appropriate Limit and Fees) Regulations 2004.

When estimating the cost of compliance, you can only take into account the cost of the following activities:

The biggest cost is likely to be staff time. You should rate staff time at £25 per person per hour, regardless of who does the work, including external contractors. This means a limit of 18 or 24 staff hours, depending on whether the £450 or £600 limit applies to your public authority.

You cannot take into account the time you are likely to need to decide whether exemptions apply, to redact (edit out) exempt information, or to carry out the public interest test.

However, if the cost and resources required to review and remove any exempt information are likely to be so great as to place the organisation under a grossly oppressive burden, then you may be able to consider the request under section 14 (vexatious requests) instead.

Please see 'Dealing with vexatious requests' for further details about refusing requests which impose a grossly oppressive burden.

Note that although fees and the appropriate limit are both laid down in the same Regulations, the two things must not be confused:

See What should we do when we receive a request? for the rules on charging a fee.

What if we think complying with the request would exceed the cost limit?

If you wish to use section 12 (cost limit) of the Act as grounds for refusing the request, you should send the requester a written refusal notice. This should state that complying with their request would exceed the appropriate cost limit. However, you should still say whether you hold the information, unless finding this out would in itself incur costs over the limit.

There is no official requirement for you to include an estimate of the costs in the refusal notice. However, you must give the requester reasonable advice and assistance to refine (change or narrow) their request. This will generally involve explaining why the limit would be exceeded and what information, if any, may be available within the limits.

Example
“You have asked for all the details of expenses claims made for food or drink between 1995 and 2010.

No forms have been kept for the period before 1999. Between 1999 and 2006, these forms were submitted manually and are not stored separately or sorted by type of expenditure but are filed in date order along with other invoices and bills. We estimate that we have at least 10,000 items in these boxes, and we would have to look at every page to identify the relevant information. Even at 10 seconds an item, this would amount to more than 27 hours of work.

However, records since 2007 are kept electronically and we could provide these to you.”

You should not:

If the requester refines their request appropriately, you should then deal with this as a new request. The time for you to comply with the new request should start on the working day after the date you receive it.

If the requester does not want to refine their request, but instead asks you to search for information up to the costs limit, you can do this if you wish, but the Act does not require you to do so.

Can we charge extra if complying with a request exceeds the cost limit?

Yes, if complying with a request would cost you more than the £450 or £600 limit, you can refuse it outright or do the work for an extra charge.

If you choose to comply with a request costing over £450 or £600, you can charge:

You should not do this work without getting written agreement from the requester that they will pay the extra costs. You should also give the requester the option of refining their request rather than paying extra. The ‘time for compliance’ clock is paused in these circumstances, until you receive payment.

When can we refuse a request as vexatious?

As a general rule, you should not take into account the identity or intentions of a requester when considering whether to comply with a request for information. You cannot refuse a request simply because it does not seem to be of much value. However, a minority of requesters may sometimes abuse their rights under the Freedom of Information Act, which can threaten to undermine the credibility of the freedom of information system and divert resources away from more deserving requests and other public business.

You can refuse to comply with a request that is vexatious. If so, you do not have to comply with any part of it, or even confirm or deny whether you hold information. When assessing whether a request is vexatious, the Act permits you to take into account the context and history of a request, including the identity of the requester and your previous contact with them. The decision to refuse a request often follows a long series of requests and correspondence.

The key question to ask yourself is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.

Bear in mind that it is the request that is considered vexatious, not the requester. If after refusing a request as vexatious you receive a subsequent request from the same person, you can refuse it only if it also meets the criteria for being vexatious.

You should be prepared to find a request vexatious in legitimate circumstances, but you should exercise care when refusing someone’s rights in this way.

When can we refuse a request because it is repeated?

You can refuse requests if they are repeated, whether or not they are also vexatious. You can normally refuse to comply with a request if it is identical or substantially similar to one you previously complied with from the same requester. You cannot refuse a request from the same requester just because it is for information on a related topic. You can do so only when there is a complete or substantial overlap between the two sets of information.

You cannot refuse a request as repeated once a reasonable period has passed. The reasonable period is not set down in law but depends on the circumstances, including, for example, how often the information you hold changes.

Example
“Please could you send me the latest copy of your register of interests? You kindly sent me a copy of this two years ago but I assume it may have been updated since then. Also I no longer have the copy you sent previously.”

This request is not repeated because a reasonable period has elapsed.

What if we want to refuse a request as vexatious or repeated?

You should send the requester a written refusal notice. If the request is vexatious or repeated, you need only state that this is your decision; you do not need to explain it further. However, you should keep a record of the reasons for your decision so that you can justify it to the Information Commissioner’s Office if a complaint is made.

If you are receiving vexatious or repeated requests from the same person, you can send a single refusal notice to the applicant, stating that you have found their requests to be vexatious or repeated (as appropriate) and that you will not send a written refusal in response to any further vexatious or repeated requests.

This does not mean you can ignore all future requests from this person. For example, a future request could be about a completely different topic, or have a valid purpose. You must consider whether the request is vexatious or repeated in each case.

When can we withhold information under an exemption?

Exemptions exist to protect information that should not be disclosed, for example because disclosing it would be harmful to another person or it would be against the public interest.

The exemptions in Part II of the Freedom of Information Act apply to information. This may mean that you can only apply an exemption to part of the information requested, or that you may need to apply different exemptions to different sections of a document.

You do not have to apply an exemption. However, you must ensure that in choosing to release information that may be exempt, you do not disclose information in breach of some other law, such as disclosing personal information in contravention of the GDPR or the DPA 2018. Nor do you have to identify all the exemptions that may apply to the same information, if you are content that one applies.

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but are ‘qualified’. This means that before deciding whether to withhold information under an exemption, you must consider the public interest arguments. This balancing exercise is usually called the public interest test (PIT). The Act requires you to disclose information unless there is good reason not to, so the exemption can only be maintained (upheld) if the public interest in doing so outweighs the public interest in disclosure.

Example
The BBC received a request for two contracts relating to licence fee collection. The Commissioner accepted that some of the information in the contracts was commercially sensitive and it was likely that it would prejudice the BBC’s commercial interests. However, this was not significant enough to outweigh the need for the BBC to be accountable for its use of public money, as well as the importance of informing an ongoing consultation about the licence fee.

(ICO decision notice FS50296349)

In this case, even though the information fell within an exemption, the public interest favoured disclosure.

You can have extra time to consider the public interest. However, you must still contact the requester within the standard time for compliance to let them know you are claiming a time extension.

When can we use an exemption to refuse to say whether we have the information?

In some cases, even confirming that information is or is not held may be sensitive. In these cases, you may be able to give a ‘neither confirm nor deny’ (NCND) response.

Whether you need to give a NCND response should usually depend on how the request is worded, not on whether you hold the information. You should apply the NCND response consistently, in any case where either confirming or denying could be harmful.

Example
“Please could you send me the investigation file relating to the murder committed at 23 Any Street on 12 January 2011?”

In this case, assuming the murder was publicly reported, the police could confirm that they held some information on the topic, without giving the contents.

“Please could you send me any information you have linking Mr Joe Bloggs to the murder committed at 23 Any Street on 12 January 2011?”

In this case the police do not confirm whether they hold any such information. If they do have information, this could tip off a suspect, and may be unfair to Mr Bloggs. If they don’t have the information, this could also be valuable information for the murderer. So the police would give the same response, whether or not they hold any such information.

Unless otherwise specified, all the exemptions below also give you the option to claim an exclusion from the duty to confirm or deny whether information is held, in appropriate cases.

If you think you may need to claim an exclusion from the duty to confirm or deny whether you hold information, then you will need to consider this duty separately from the duty to provide information. You will need to do this both:

If it would be damaging to even confirm or deny if information is held, then you must issue a refusal notice explaining this to the requester. In this situation we would not expect you to go on to address the separate question of whether any information that is held should be disclosed, at this stage. You will need to do this only if the requester successfully appeals against your NCND response and you do actually hold some information.

However, if you decide that you are willing to confirm or deny whether information is held, and you do in fact hold some information, then you will need to immediately go on to consider whether that information should be disclosed.

For further information, read our more detailed guidance:

What exemptions are there?

Some exemptions apply only to a particular category or class of information, such as information held for criminal investigations or relating to correspondence with the royal family. These are called class-based exemptions.

Some exemptions require you to judge whether disclosure may cause a specific type of harm, for instance, endangering health and safety, prejudicing law enforcement, or prejudicing someone’s commercial interests. These are called prejudice-based exemptions.

This distinction between ‘class-based’ and ‘prejudice-based’ is not in the wording of the Act but many people find it a useful way of thinking about the exemptions.

The Act also often refers to other legislation or common law principles, such as confidentiality, legal professional privilege, or data protection. In many cases, you may need to apply some kind of legal ‘test’ - it is not as straightforward as identifying that information fits a specific description. It is important to read the full wording of any exemption, and if necessary consult our guidance, before trying to rely on it.

The exemptions can be found in Part II of the Act, at sections 21 to 44.

What is ‘prejudice’ and how do we decide whether disclosure would cause this?

For the purposes of the Act, ‘prejudice’ means causing harm in some way. Many of the exemptions listed below apply if disclosing the information you hold would harm the interests covered by the exemption. In the same way, confirming or denying whether you have the information can also cause prejudice. Deciding whether disclosure would cause prejudice is called the prejudice test.

To decide whether disclosure (or confirmation/denial) would cause prejudice:

For further information, read our more detailed guidance:

Section 21 – information already reasonably accessible

This exemption applies if the information requested is already accessible to the requester. You could apply this if you know that the requester already has the information, or if it is already in the public domain. For this exemption, you will need to take into account any information the requester gives you about their circumstances. For example, if information is available to view in a public library in Southampton, it may be reasonably accessible to a local resident but not to somebody living in Glasgow. Similarly, an elderly or infirm requester may tell you they don’t have access to the internet at home and find it difficult to go to their local library, so information available only over the internet would not be reasonably accessible to them.

When applying this exemption, you have a duty to confirm or deny whether you hold the information, even if you are not going to provide it. You should also tell the requester where they can get it.

This exemption is absolute, so you do not need to apply the public interest test.

For further information, read our more detailed guidance:

Section 22 – information intended for future publication

This exemption applies if, when you receive a request for information, you are preparing the material and definitely intend for it to be published, and it is reasonable not to disclose it until then. You do not need to have identified a publication date. This exemption does not necessarily apply to all draft materials or background research. It will only apply to the material you intend to be published.

You do not have to confirm whether you hold the information requested if doing so would reveal the content of the information.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 22A – research information

This exemption applies if, when you receive a request for information,

So long as the research programme is continuing, the exemption may apply to a wide range of information relating to the research project. There does not have to be any intention to publish the particular information that has been requested, nor does there need to be an identified publication date.

You do not have to confirm whether you hold the information requested if doing so would reveal the content of the information.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Sections 23 and 24 – security bodies and national security

The section 23 exemption applies to any information that you have received from, or that relates to, any of a list of named security bodies such as the security service. You do not have to confirm or deny whether you hold the information, if doing so would reveal anything about that body or anything you have received from it. A government minister can issue a certificate confirming that this exemption applies.

This exemption is absolute, so you do not need to consider the public interest test.

The section 24 exemption applies if it is “required for the purpose of safeguarding national security”. The exemption does not apply just because the information relates to national security.

A government minister can issue a certificate confirming that this exemption applies and this can only be challenged on judicial review grounds. However, the exemption is qualified by the public interest test.

Section 25 is not an exemption, but gives more detail about the ministerial certificates mentioned above.

For further information, read our more detailed guidance:

Sections 26 to 29

These exemptions are available if complying with the request would prejudice or would be likely to prejudice the following:

Section 27 also applies to confidential information obtained from other states, courts or international organisations.

All these exemptions are qualified by the public interest test.

For further information, read our more detailed guidance:

Sections 30 and 31 – investigations and prejudice to law enforcement

The section 30 exemption applies to a specific category of information that a public authority currently holds or has ever held for the purposes of criminal investigations. It also applies to information obtained in certain other types of investigations, if it relates to obtaining information from confidential sources.

When information does not fall under either of these headings, but disclosure could still prejudice law enforcement, section 31 is the relevant exemption.

Section 31 only applies to information that does not fall into the categories in section 30. For this reason sections 30 and 31 are sometimes referred to as being mutually exclusive. Section 31 applies where complying with the request would prejudice or would be likely to prejudice various law enforcement purposes (listed in the Act) including preventing crime, administering justice, and collecting tax. It also protects certain other regulatory functions, for example those relating to health and safety and charity administration.

Both exemptions are qualified by the public interest test.

For further information, read our more detailed guidance:

Section 32 – court records

This exemption applies to court records held by any authority (though courts themselves are not covered by the Act).

To claim this exemption, you must hold the information only because it was originally in a document created or used as part of legal proceedings, including an inquiry, inquest or arbitration.

This is an unusual exemption because the type of document is relevant, as well as the content and purpose of the information it holds.

This exemption is absolute, so you do not need to apply the public interest test. You also do not have to confirm or deny whether you hold any information that falls, or would fall, within the definition above.

For further information, read our more detailed guidance:

Section 33 – prejudice to audit functions

This exemption can only be used by bodies with audit functions. It applies where complying with the request would prejudice or would be likely to prejudice those functions.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 34 – parliamentary privilege

You can use this exemption to avoid an infringement of parliamentary privilege. Parliamentary privilege protects the independence of Parliament and gives each House of Parliament the exclusive right to oversee its own affairs. Parliament itself defines parliamentary privilege, and the Speaker of the House of Commons can issue a certificate confirming that this exemption applies; the Clerk of the Parliaments can do the same for the House of Lords.

This exemption is absolute, so you do not need to apply the public interest test.

For further information, read our more detailed guidance:

Sections 35 and 36 – government policy and prejudice to the effective conduct of public affairs

These two sections form a mutually exclusive pair of exemptions in the same way as section 30 and section 31.

The section 35 exemption can only be claimed by government departments or by the Welsh Assembly Government. It is a class-based exemption, for information relating to:

Section 35 is qualified by the public interest test.

For policy-related information held by other public authorities, or other information that falls outside this exemption but needs to be withheld for similar reasons, the section 36 exemption applies.

The section 36 exemption applies only to information that falls outside the scope of section 35. It applies where complying with the request would prejudice or would be likely to prejudice “the effective conduct of public affairs”. This includes, but is not limited to, situations where disclosure would inhibit free and frank advice and discussion.

This exemption is broad and can be applied to a range of situations.

Example
A council refused to disclose a list of schools facing financial difficulties, because this could damage the schools’ ability to recruit pupils, as well as making schools less likely to co-operate and share financial information freely with the council (ICO decision notice FS50302293).

A university refused to disclose a complete list of staff email addresses. On a previous occasion when email addresses had been disclosed, this led to a security attack, as well as an increase in spam, phishing, and emails directed inappropriately (ICO decision notice FS50344341).

The Cabinet Office refused to release details of the discussions between political parties that took place between the general election and the formation of the coalition government. This was necessary to ensure that a stable government could be formed, as politicians needed to be able to freely discuss their differences as well as seek impartial advice from the civil service (ICO decision notice FS50350899).

Section 36 differs from all other prejudice exemptions in that the judgement about prejudice must be made by the legally authorised qualified person for that public authority. A list of qualified people is given in the Act, and others may have been designated. If you have not obtained the qualified person’s opinion, then you cannot rely on this exemption. The qualified person’s opinion must also be a “reasonable” opinion, and the Information Commissioner may decide that the section 36 exemption has not been properly applied if she finds that the opinion given isn’t reasonable.

In most cases, section 36 is a qualified exemption. This means that even if the qualified person considers that disclosure would cause harm, or would be likely to cause harm, you must still consider the public interest. However, for information held by the House of Commons or the House of Lords, section 36 is an absolute exemption so you do not need to apply the public interest test.

For further information, read our more detailed guidance: 

Section 37 – communications with the royal family and the granting of honours

This exemption has been changed since the Freedom of Information Act was first published, so you should refer to an up-to-date copy at www.legislation.gov.uk.

It covers any information relating to communications with the royal family and information on granting honours. This exemption is absolute in relation to communications with the monarch, the heir to the throne, and the second in line of succession to the throne, so the public interest test does not need to be applied in these cases.

All other information under the scope of this exemption is qualified, so the public interest test must be applied.

For further information, read our more detailed guidance:

Section 38 – endangering health and safety

You can apply the section 38 exemption if complying with the request would or would be likely to endanger anyone’s physical or mental health or safety. In deciding whether you can apply this exemption, you should use the same test as you would for prejudice. This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 39 – environmental information

You should deal with any request that falls within the scope of the Environmental Information Regulations 2004 under those Regulations. This exemption confirms that, in practice, you do not also need to consider such requests under the Freedom of Information Act.

Only public authorities that are covered by the Regulations can rely on this exemption. A small number of public authorities, including the BBC and other public service broadcasters, are not subject to the Environmental Information Regulations. They should handle requests for environmental information under the Freedom of Information Act.

This exemption is qualified by the public interest test, but because you must handle this type of request under the Environmental Information Regulations, it is hard to imagine when it would be in the public interest to also consider it under the Freedom of Information Act.

Section 40(1) – personal information of the requester

This exemption confirms that you should treat any request made by an individual for their own personal data as a data protection subject access request. You should apply this to any part of the request that is for the requester’s own personal data. They should not be required to make a second, separate subject access request for these parts of their request. See our Guide to GDPR - Right of Access for advice on how to handle subject access requests.

If the information contains some of the requester’s personal data plus other non-personal information, then you will need to consider releasing some of the information under the GDPR or the DPA 2018 and some under the Freedom of Information Act.

This exemption is absolute, so you do not need to apply the public interest test.

Requested information may involve the personal data of both the requester and others. For further information, read our guidance:

Section 40(2) – personal information

This exemption covers the personal data of third parties (anyone other than the requester) where complying with the request would breach any of the principles in the GDPR.

If you wish to rely on this exemption, you need to refer to the GDPR as the data protection principles are not set out in the Freedom of Information Act. More details can be found in our Guide to the GDPR - the Principles.

This exemption can only apply to information about people who are living; you cannot use it to protect information about people who have died.

The most common reason for refusing information under this exemption is that disclosure would contravene GDPR principle (a) because there is no lawful basis for processing. Section 40(2) is an absolute exemption, so you do not need to apply the public interest test. However, you may need to include public interest arguments when considering lawfulness under principle (a).

Section 40 includes other provisions for people’s data protection rights, and these provisions are qualified by a public interest test.

For further information, read our more detailed guidance:

Section 41 – confidentiality

This exemption applies if the following two conditions are satisfied:

You cannot apply this exemption to information you have generated within your organisation, even if it is marked “confidential”. However, you can claim it for information you originally received from someone else but then included in your own records.

To rely on this exemption, you must apply the legal principles of the common law test of confidence, which is a well-established though developing area of law.

This exemption is absolute so you do not need to apply the public interest test. However, you will still need to consider the public interest in disclosure, because the law of confidence recognises that a breach of confidence may not be actionable when there is an overriding public interest in disclosure.

You should carefully consider how you use confidentiality clauses in contracts with third parties and set reasonable levels of expectations about what may be disclosed.

For further information, read our more detailed guidance:

Section 42 – legal professional privilege

This applies whenever complying with a request would reveal information that is subject to ‘legal professional privilege’ (LPP) or the equivalent Scottish rules. LPP protects information shared between a client and their professional legal adviser (solicitor or barrister, including in-house lawyers) for the purposes of obtaining legal advice or for ongoing or proposed legal action. These long-established rules exist to ensure people are confident they can be completely frank and candid with their legal adviser when obtaining legal advice, without fear of disclosure.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 43 – trade secrets and prejudice to commercial interests

This exemption covers two situations:

Both parts of this exemption are qualified by the public interest test.

For further information, read our more detailed guidance:

Section 44 – prohibitions on disclosure

You can apply this exemption if complying with a request for information:

This exemption is often used by regulators. For example, the Information Commissioner is prohibited by section 132 in Part 5 of the DPA 2018 from disclosing certain information she has obtained in the course of her duties, except in specified circumstances.

The Freedom of Information Act does not override other laws that prevent disclosure, which we call ‘statutory bars’.

This exemption is absolute, so you do not need to apply the public interest test, but bear in mind that some statutory bars may refer to the public interest.

For further information, read our more detailed guidance:

Can we withhold information about people who have died?

The GDPR and the DPA 2018 do not cover information about people who have died, so you cannot rely on a section 40 exemption to withhold this type of information.

This may be a particular issue if you are a public authority that holds sensitive information such as health or social care records. Where you receive a request for this kind of information about someone who has died, the most appropriate exemption is likely to be section 41 (confidentiality). This is because the information would originally have been provided to a healthcare practitioner or social worker in confidence, and we consider this duty of confidentiality to extend beyond death.

Information about people who have died is likely to be covered by an exemption, because the Freedom of Information Act is about disclosure ‘to the world’ and it would often be inappropriate to make this type of information public. However, some requesters may have rights that allow them personally to access the information. For instance, the Access to Health Records Act 1990 gives the personal representative of the deceased (eg the executor of their will) the right to access their medical records. If you receive a request from someone who has the right to access the records in this way, you can refuse the request under section 21 (reasonably accessible) and handle the request under the Access to Health Records Act.

For further information, read our more detailed guidance:

Can we have extra time to consider exemptions?

No, but if the exemption is qualified you can have extra time to consider the public interest test. In doing so you must:

When and how do we apply the public interest test?

If the exemption you wish to apply is qualified, then you will need to do a public interest test, even if you know the exemption applies.

If you think that you may need to claim an exclusion from the duty to confirm or deny, then you will need to consider the public interest test for this duty. You will need to do this separately from the public interest test for the duty to provide information.

For ‘neither confirm nor deny’ cases (NCND) the public interest test involves weighing the public interest in confirming whether or not information is held against the public interest in refusing to do this. The public interest in maintaining the exclusion from the duty to confirm or deny would have to outweigh the public interest in confirming or denying that information is held, in order to justify an NCND response.

Similarly, when considering whether you should disclose information, you will need to weigh the public interest in disclosure against the public interest in maintaining the exemption. You must bear in mind that the principle behind the Act is to release information unless there is a good reason not to. To justify withholding information, the public interest in maintaining the exemption would have to outweigh the public interest in disclosure.

Note that the wording of the test refers to the public interest in maintaining the exemption (or exclusion). In other words, you cannot consider all the arguments for withholding the information (or refusing to confirm whether it is held), only those which are inherent in the exemption or exclusion ie relate directly to what it is designed to protect.

Example
A government department is seeking to rely on section 35 to withhold information relating to the development of a controversial policy.

It argues that disclosure would:
a) have a negative impact on the ongoing discussions about this policy;
b) discourage ministers and civil servants from openly debating controversial or unpopular options when discussing similar policies in the future;
c) cause stress and upset to the people involved;
d) potentially lead to threats or harassment.

While a) and b) are legitimate public interest considerations for this exemption, c) and d) are not. Instead, they may suggest that section 38 (health and safety) or section 40 (data protection) might be relevant.

You can withhold information only if it is covered by one of the exemptions and, for qualified exemptions, the public interest in maintaining the exemption outweighs the public interest in disclosure. You must follow the steps in this order, so you cannot withhold information because you think it would be against the public interest without first identifying a specific exemption.

For further information, read our more detailed guidance:

How much extra time can we have to consider the public interest test?

The law says you can have a “reasonable” extension of time to consider the public interest test. We consider that this should normally be no more than an extra 20 working days, which is 40 working days in total to deal with the request. Any extension beyond this time should be exceptional and you must be able to justify it.

To claim this extra time, you must:

You must identify the relevant exemptions and ensure they can be applied in this case, for example, by considering the prejudice test before you do this. You cannot use the extra time for considering whether an exemption applies. You should release any information that is not covered by an exemption within the standard time.

When you have come to a conclusion on the balance of the public interest, you should:

Is there anything else we need to know about exemptions?

Certain exemptions do not apply to historical records. Originally, a historical record was a record over 30 years old, although this has now been amended to 20 years by the Constitutional Reform and Governance Act 2010. This reduction is being phased in gradually over 10 years. In effect, from the end of 2013 the time limit is 29 years. It will reduce by another year every year until it reaches 20 years at the end of 2022. Other exemptions expire after 60 or 100 years. A full list of these can be found in section 63 of the Act.

When deciding whether or not an exemption applies, you will usually need to consider what information is already in the public domain. If the requested information or similar information is already publicly available, then this may affect:

These will be important considerations in many cases.

For further information, read our more detailed guidance:

If we are relying on an exemption to refuse the request, what do we need to tell the requester?

If you are relying on an exemption, you must issue a written refusal notice within the standard time for compliance, specifying which exemptions you are relying on and why.

If you have already done a public interest test, you should explain why you have reached the conclusion that the public interest in maintaining the exemption outweighs the public interest in disclosure.

If you are claiming extra time to consider the public interest test, you will not be able to give a final refusal notice at this stage, but you should explain which exemptions you are relying on. If your final decision is to withhold all or part of the information, you will need to send a second refusal notice to explain your conclusion on the public interest test.

If you are withholding information but are still required to reveal that you hold the information, you should also remember to do this.

What do we have to include in a refusal notice?

You must refuse a request in writing promptly or within 20 working days (or the standard time for compliance) of receiving it.

In the refusal notice you should:

For further information, read our more detailed guidance:

What if we are withholding only parts of a document?

Often you can withhold only some of the information requested. In many cases, you can disclose some sections of a document but not others, or you may be able to release documents after having removed certain names, figures or other sensitive details (called ‘redaction’).

The Act does not lay down any rules about redaction. The following are guidelines for good practice.

For further information, read our more detailed guidance:

You may also wish to refer to the Redaction Toolkit produced by the National Archives.

What if the requester is unhappy with the outcome?

Under the Act, there is no obligation for an authority to provide a complaints process. However, it is good practice (under the section 45 code of practice) and most public authorities choose to do so.

If you do have a complaints procedure, also known as an internal review, you should:

When issuing a refusal notice, you should state whether you have an internal review procedure and how to access it. If a requester complains even when you have not refused a request, you should carry out an internal review if they:

Even if your internal review upholds your original decision (that, as at the date of the request, the information was exempt from disclosure) you may wish to release further information if circumstances have changed and your original concerns about disclosure no longer apply. You are not obliged to do this but it may resolve matters for the requester and reduce the likelihood of them making a complaint to the Information Commissioner if you do.

Complaints

In brief

The ICO has a general duty to investigate complaints from members of the public who believe that an authority has failed to respond correctly to a request for information. If someone makes a complaint against you, our complaints handling process gives you an opportunity to reconsider your actions and put right any mistakes without us taking any formal action.

If the complaint is not resolved informally, we will issue a decision notice. If we find that you have breached the Act, the decision notice will say what you need to do to put things right.

We also have powers to enforce compliance if you have failed to adopt the publication scheme or have not published information as you should (see What information do we need to publish?), whether or not we have received a complaint about this.

You may be breaching the Freedom of Information Act if you do any of the following:

This last point is the only criminal offence in the Act that individuals and public authorities can be charged with.

Other breaches of the Act are unlawful but not criminal. The Information Commissioner’s Office (ICO) cannot fine you if you fail to comply with the Act, nor can we require you to pay compensation to anyone for breaches of the Act. However, you should correct any mistakes as soon as you are aware of them.

In more detail

When might the ICO receive a complaint about how we have handled a request?

If someone thinks you have not dealt with their request for information properly, they should start by complaining to you. Most public authorities have an internal complaints procedure relating to requests (see When can I refuse a request?). If after going through your complaints procedure the requester is still dissatisfied, or if you fail to review your original decision, then the requester can complain to the ICO.

Whenever you refuse a request you must always let people know about their right to complain to the ICO.

What can the ICO do about a complaint?

The ICO will often resolve complaints informally. You may accept that you have made a mistake, or the requester may withdraw their complaint once we have explained the law to them. In many cases, a satisfactory compromise is reached.

We also have the power to issue legally binding decision notices. We do this in about a third of valid freedom of information complaints. The decision notice will state whether you have complied with the law, and, if not, what you should do to put things right. Depending on the complexity of the case, a decision notice will generally include the arguments and evidence that we have considered in reaching our decision.

A decision notice may state that you have dealt with a request correctly. However, if we find that you have breached the Act, we may order you to take steps to put things right, such as disclosing some or all of the requested information. This happens in about half of cases that are resolved by a decision notice. For example, if we find that you have incorrectly applied an exemption, this is a breach of section 1 of the Act and the remedy would be for you to disclose the information. In other cases we may require you to give the requester further advice and assistance.

The ICO does not punish public authorities or compensate requesters. We cannot investigate other matters that may lie behind the request. We focus only on whether you have complied with the Act.

What should we do if someone complains to the ICO about how we have handled a request?

If a requester makes a complaint to the ICO, one of our case officers will contact you and explain what we need from you. If you know a complaint has been made, you should make sure you keep all the relevant correspondence, as well as the requested information. If you now realise you should have released more information, you should do this as soon as possible and let us know that you have done so.

In many cases we will need to see the disputed information. Our case officers will not pass this on to the requester (even if we find in their favour) and will not reveal the contents of the disputed information in any decision notice. Staff with higher levels of security clearance will be able to handle very sensitive information.

The case officer dealing with the complaint may ask you to explain your decision more fully or provide further evidence. This guide, and the guidance it links to, should help you work out what you are required to provide. Remember that you are required to disclose requested information unless there is good reason not to. It is your responsibility to show why you should be allowed to refuse a request, so it is in your interests to co-operate fully with our investigation.

In rare circumstances when a public authority persistently refuses to co-operate with us, we can issue an information notice. This is a legally binding notice, requiring an authority to give us the information or reasons we have asked for.

Can we introduce a new reason for refusing a request at this stage?

It is not good practice to introduce new reasons for refusing a request at this late stage (see When can I refuse a request?) and you should avoid doing so. However, if you do decide you need to rely on a new exemption, then we will consider your arguments in the normal way. You will need to inform us and the requester about your new arguments straight away.

What should we do if we receive a decision notice from the ICO?

In our decision notice we may find against you or may decide you handled the request correctly. In some cases we may uphold your overall decision but make some findings about delays and other aspects of your request handling. This is an opportunity for you to learn and improve, and perhaps avoid future complaints.

If the decision notice requires you to take steps, such as disclosing some information, you should do this within 35 calendar days of the date of the notice, unless you intend to appeal. If you disagree with the decision and wish to appeal, you must lodge your appeal with the First Tier Tribunal (Information Rights) within 28 calendar days. The requester also has a right of appeal.

Failure to comply with a decision notice is contempt of court, punishable by a fine.

What does it cost to appeal against the ICO’s decision?

There is no fee for appealing to the Tribunal and you do not need to be represented by a barrister or solicitor, although it is advisable to have professional legal representation. Bear in mind that a Tribunal appeal may be time consuming and requires careful preparation.

Costs are not normally awarded in the Tribunal. The Tribunal may award costs where a party has acted unreasonably in bringing the case or in the way they conducted themselves, although this is rare.

More details of the appeal process are on the Tribunal’s website under Information Rights: how to appeal.

What happens when the ICO’s decision is appealed?

A public authority, the requester or both can appeal against the Information Commissioner’s decision notice.

If the Tribunal decides that the Commissioner’s decision was wrong in law, or that she exercised her discretion wrongly, it can overturn the decision and issue a substitute decision notice. This decision notice has the same legal status as the first one. Like the Commissioner, the Tribunal can only consider questions relevant to the Act, not any wider dispute that may arise from the request.

Appeals may be by oral hearing, where witnesses give evidence in person. If the evidence can be presented entirely in writing, the appeal will be decided on the basis of those documents.

If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals) Chamber. The Upper Tribunal also hears appeals against decisions of the First Tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.

Does the ICO have any other powers to enforce the Act?

The Information Commissioner issues decision notices on complaints about specific requests for information. However, if a breach of the Act doesn’t fall within the scope of a decision notice, the ICO may decide to issue an enforcement notice.

The ICO can use an enforcement notice if you have failed to adopt the publication scheme or failed to publish in accordance with it (see What information do we need to publish?).

The Commissioner may also use an enforcement notice if an authority is repeatedly failing to comply with its obligations, which she may have been made aware of from complaints or from other information available to her. For example, the Ministry of Justice publishes statistics for the time different government departments take to respond to requests. Also, problems with the way certain public authorities handle freedom of information requests may be discussed in the media or online. In such cases the Commissioner may issue an enforcement notice covering a number of different requests, whether or not the ICO has received specific complaints. An example would be where the Commissioner becomes aware of a backlog of requests at an authority and orders it to clear this by a given date.

The ICO may also ask you to sign an agreement that you will take a particular course of action to improve your compliance with the Act.

Further information about the Commissioner’s powers can be found in our web pages Taking action – freedom of information and environmental information.

What about poor practice that doesn’t amount to a breach of the Act?

The section 45 and section 46 codes of practice (see What is Freedom of Information?) lay down good practice that you should follow in fulfilling your freedom of information responsibilities. These codes are not legally binding, but they should help you avoid breaching the Act. The Commissioner is also responsible for promoting the codes and may take action on poor practice, even if this has not led to a breach of the Act.

If you fail to follow good practice as set down in the codes of practice, the Commissioner may issue a practice recommendation. For example, she may recommend that you introduce an internal review procedure, or improve staff training. The Commissioner’s recommendations are not legally binding, but the ICO publishes and publicises all practice recommendations. In addition, if you fail to comply with good practice, you will probably be breaching the Act. Also, you may be given a practice recommendation if you have been given several negative decision notices. In our experience, public authorities generally comply with practice recommendations.

The ICO does not usually take enforcement action without first approaching you to discuss any difficulties you may be having in trying to comply with the Act, and giving you a chance to improve.

Are there criminal offences in the Freedom of Information Act?

Yes, section 77 states that it is a criminal offence to alter, block, destroy or conceal information.

Depending on the nature of the incident, an authority or its individual members of staff could be charged with this offence. The penalty is a fine.

There are no financial or custodial penalties for failure to provide information on request or for failure to publish information. But you could be found in contempt of court for failing to comply with a decision notice, enforcement notice, or information notice. This could lead to a fine or, in theory, jail for a senior officer of the authority.

Sample questions we ask public authorities

We have published the standardised sample copy that our case officers use when writing to public authorities, including introductory information about the exemptions and key questions we may need to ask. The questions are not exhaustive and case officers tailor their correspondence in each case.

We have made this internal ICO resource available to help with transparency around freedom of information requests and how we approach casework. It may help public authorities to consider these questions when deciding whether relevant exemptions apply.