The Information Commissioner's Office (ICO) has recently delivered a number of reprimands against public bodies for Freedom of Information (FOI) non-compliance; the area is clearly becoming a priority for the regulator. In particular, the enforcement notices have called out organisations with:
- substantial backlogs of outstanding requests, or
- a high percentage of requests being responded to outside of statutory time limits.
In light of these enforcement notices, public bodies subject to the FOI Act should be urgently looking at their own resourcing and prioritisation to prevent or minimise ICO investigation. In this first in a series of articles and updates, we sketch out the core obligations and timescales of FOI.
Under FOI, public bodies have three obligations:
- to proactively publish information
- in response to a request for information, to confirm whether that information is held, and
- in response to a request for information, to disclose that information.
Who can make a request and how?
Any individual can make an FOI request to a body subject to FOI, and that request can be made to any employee of that body – while you can direct requests to a dedicated FOI function, all public-facing staff should be trained to recognise an FOI request, and to direct it appropriately.
Numerous exemptions apply that allow a body to refuse to comply with the above, depending on the nature of the information or the effects its release could have.
Some of the most common exemptions include:
Requests for the requestor’s personal data should be treated under the UK GDPR; requests including third-party personal data will need to be considered under a balancing act.
Prejudice to commercial interests
Where disclosing information would impair the commercial interests of a party (the public body, a private sector supplier/partner, or any other body), it may not need to be disclosed, depending on the public interest in the information – this might be disclosing a trade secret, confidential pricing, proposed plans or failures to meet contractual targets.
Prejudice to conduct of public affairs
Where disclosing information would impair the public body’s ability to carry out its duties, or would otherwise impede its ability to discuss and exchange views internally, it may not need to be disclosed – for example, information about a crisis while the public body is in the midst of that crisis.
Where a public body processes information, or releasing that information could expose the public body to crime, it may be able to withhold information – this would include for example financial data such as whether business rates have been paid by individual properties, which would allow fraudsters to launch a ‘man in the middle’ attack.
At first instance, FOI requests should be handled within 20 working days of receipt. In some circumstances, this can be extended by a further 20 working days, but organisations should not assume this will always be the case.