The Information Commissioners Office (ICO) has recently delivered a number of reprimands against public bodies for Freedom of Information (FOI) non-compliance; the area is clearly becoming a priority for the regulator. In particular, the enforcement notices have called out organisations with:

  • substantial backlogs of outstanding requests, or
  • a high percentage of requests being responded to outside of statutory time limits.

In light of these enforcement notices, public bodies subject to the FOI Act should be urgently looking at their own resourcing and prioritisation to prevent or minimise ICO investigation. In this first in a series of articles and updates, we sketch out the core obligations and timescales of FOI.

Core duties

Under FOI, public bodies have three obligations:

  1. to proactively publish information
  2. in response to a request for information, to confirm whether that information is held, and
  3. in response to a request for information, to disclose that information.

Who can make a request and how?

Any individual can make an FOI request to a body subject to FOI, and that request can be made to any employee of that body – while you can direct requests to a dedicated FOI function, all public-facing staff should be trained to recognise an FOI request, and to direct it appropriately.


Numerous exemptions apply that allow a body to refuse to comply with above, depending on the nature of the information or the effects its release could have.

Some of the most common exemptions include:

Personal data

Requests for the requestor’s personal data should be treated under the UK GDPR; requests including third party personal data will need to be considered under a balancing act.

Prejudice to commercial interests

Where information would impair a party’s (the public body, a private sector supplier/partner, or any other body) commercial interests, depending on the public interest in the information it may not need to be disclosed – this might be disclosing a trade secret, confidential pricing, proposed plans or failures to meet contractual targets.

Prejudice to conduct of public affairs

Where information would impair the public body’s ability to carry out its duties or would otherwise impede its ability to discuss and exchange views internally it may not need to be disclosed – for example information about a crisis while the public body is in the midst of that crisis.

Law enforcement

Where a public body processes information, or releasing that information could expose the public body to crime, it may be able to withhold information – this would include for example financial data such as whether business rates have been paid by individual properties, which would allow fraudsters to launch a ‘man in the middle’ attack.


At first instance, FOI requests should be handled within 20 working days of receipt. In some circumstances, this can be extended by a further 20 working days, but organisations should not assume this will always be the case.

If you have any queries regarding FOI matters, or would like to discuss compliance more generally, please contact Ben Pumphrey or Alastair Turnbull.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.