
Requesting information from a public body: freedom of information guidance for IG professionals

Everyone has a right to request information from public authorities. This is known as a Freedom of Information (FOI) request. This guidance provides information for information governance professionals about how requests can be made, responded to, and times when information may be withheld.

Anyone can request recorded information held by your organisation via the Freedom of Information (FOI) route.


Ways of receiving requests

A request must be made in writing and can be submitted through any written channel. It must include the requester’s name and contact details such as a return email or postal address. A request can be made in the name of an organisation, or by one person, such as a solicitor, on behalf of another. Requests may also be sent via third party websites, such as What do they know?

Organisations can state their preferred method of contact for FOI requests but may not limit contact to this method. You will need to provide details for the various channels through which someone can make a request, such as postal address, online form, and email address. Any relevant hard copy information about your services should inform people of how they can make FOI requests.


Online forms

If using an online form for individuals to submit FOI requests, it should contain the minimum number of fields possible for a valid FOI request in order not to discourage people from submitting requests. Online forms should automatically send the requester a copy of the request as confirmation of receipt and record of the content of the request.


Checking if a request is valid

When you receive a request, you need to check it is valid. Requests may come from human beings or organisations, or be AI or bot-generated; all are valid if they include a name and an email or postal address.

Requests which include attachments should be checked for potential malware designed to attack your network or IT systems.


Acknowledging receipt of the request

Once satisfied you have a valid request that doesn’t contain malware, you should acknowledge receipt of the request to the requester via their stated contact method.


Response times

Your organisation has 20 working days to provide a response to the request. You can extend the 20-day response time when:

  • you need more time to consider the balance of the public interest test in withholding the information
  • you are considering whether it is in the public interest to neither confirm nor deny the request

In these circumstances you can extend the time limit by a ‘reasonable’ amount. The FOIA does not define what a ‘reasonable’ extension is, though ICO guidance suggests the total response time should not exceed 40 days, except in exceptional circumstances.

Examples of exceptional circumstances may be when the organisation is under extreme pressure due to a major incident, or the FOI request is exceptionally complex and involves a number of external parties. Where an extension is applied, you should still issue a notice to the requester within the first 20 days, explaining why you need more time, and providing an estimated date for the final response.

Further information about applying extensions to the response period can be found on the ICO website.


Checking if you have already answered a request for the same information

You should check whether you have previously responded to the same (or a similar) query. This could be done by:

  • looking at previous FOI responses held on a database
  • checking your disclosure logs
  • checking your publication scheme
  • checking other third-party websites that publish FOI responses

If you have responded to a previous request for the same information, you can re-use that response if it remains relevant and accurate and signpost the requester to it if it has been published.

It is good practice before re-sharing a response to check that it does not contain any hidden data (see section on checking responses for hidden data for further information).


Private information held by public bodies

While the FOIA only applies to information held by public authorities, some public authorities may hold datasets which include data from both public authorities and private bodies, for example data on treatment at NHS and non-NHS funded hospitals.

Case law establishes that the FOIA would only apply to information to which the public authority has an ‘appropriate connection’. If you are only holding the data on behalf of the private organisation (that is, storing it in your building), this is not likely to be considered an appropriate connection. However, if you are using the data for your own purposes, then it is likely to be in scope.

The ICO provides further guidance about how to make this determination.


Exemptions to releasing information

You will need to consider whether any exemptions apply to releasing the information. Each exemption works differently and needs to be considered carefully if you are looking to use it. As a rule, you should work towards disclosure unless an exemption applies, as opposed to finding a way for an exemption to apply.


Qualified exemptions

Some exemptions are qualified. This means that whether or not you can withhold the information is subject to a public interest test which you will need to carry out to help decide whether the public interest in withholding the information outweighs the public interest in disclosure. See specific ICO guidance on each exemption linked throughout for further information on conditions for applying these exemptions.

Information which may be exempt subject to a public interest test includes:







Absolute exemptions

Other exemptions are absolute. This means that you do not have to conduct any further tests before deciding to withhold the information.

Information which may fall under an absolute exemption includes:




The Public Interest Test

The public interest test under FOIA requires you to weigh the public interest in maintaining the exemption against the public interest in disclosure whenever you are considering applying a qualified exemption. It is generally in the public interest to:

  • promote transparency and accountability as a public body
  • promote understanding amongst the public of your activities
  • evidence good decision-making as a public body
  • ensure integrity amongst public bodies
  • ensure justice and fair treatment
  • ensure the best use of public resources by public bodies

To apply a qualified exemption, organisations must assess and evidence that there is a stronger public interest in withholding the information. For example, it may also be in the public interest to:

  • protect the safe space within your organisation to allow decision makers to assess policy options without public interference
  • maintain the confidentiality of investigations to allow them to be safe and effective
  • protect individuals from harm
  • protect your ability to deliver services to the public
  • protect your systems which allow you to deliver your services and prevent cyber risks

You should document your assessment showing how you have weighed arguments on each side.



Jigsaw attacks or mosaic effect

Before disclosing any information, you should consider whether information which is already publicly available could be linked to the information you are about to disclose, and whether this would cause the information to fall under an exemption.

For example, suppose that:

  • the name of an NHS security contractor is already publicly available
  • there is information in the public domain which describes vulnerabilities known in the contractor's services
  • you receive a request asking what services you receive from that contractor, which would confirm that your organisation uses the services with known vulnerabilities

The requester could piece the information together to get the bigger picture about the organisation's security. This is known as a jigsaw attack.

In these cases, you should consider whether an exemption would apply to the release of this information.


A ‘neither confirm nor deny’ response

A ‘neither confirm nor deny’ (NCND) response can be sent where simply acknowledging that you hold, or don’t hold, the requested information would disclose something about that situation or request.


Handling costly, vexatious, or improper requests

Organisations may be able to refuse to answer a request under Section 12 FOIA where there is evidence that complying would exceed a cost of £450 to the organisation. Examples of costs which may be considered as part of these calculations may include:

  • staff time
  • costs associated with special software needed
  • the cost of retrieving and transporting information which is held off site

In this case the organisation should provide advice to the requester about how to refine their request so that it does not meet this limit.

Organisations may also be able to refuse requests which they consider to be manifestly unjustified, inappropriate or making improper use of a formal procedure under Section 14 FOIA. For example, this may include requests that contain abusive language or threats to staff members, regardless of the legitimacy of the request.


Refusing a request

If you are refusing to provide information on the grounds of an exemption, including refusing to confirm or deny whether information is held, you need to send the requester a refusal notice explaining why, within the appropriate time frame.

Refusal notices should be written in plain English, avoiding jargon and abbreviations where possible, so that they can be understood by the requester.

You must include the following information in a refusal notice:

  • the exemptions being relied on to withhold information, including the section, subsection and wording of the exemption
  • the reasons why you have applied the exemption
  • the explanation of the public interest factors you have considered (if relevant)
  • an explanation of your reasoning for concluding that the public interest favoured withholding the information (if relevant)

This would not apply if providing this detail would undermine the purpose of claiming the exemption.

Further information on writing a refusal notice is available on the ICO website.


Wilfully preventing disclosure

Wilful and deliberate action that takes place after a request has been received to prevent the disclosure of records and information is a breach and can lead to regulatory action by the ICO. Examples of wilful and deliberate actions include altering, defacing, erasing, blocking or withholding information from lawful disclosure.


Checking responses for hidden data

Before sending data in response to an FOI request, you should:

  1. Consider getting a second person to look over the response.
  2. Check any spreadsheets or documents you plan to release which can contain hidden data:
       • always extract data from the original source spreadsheet into a clean spreadsheet for disclosure
       • check for embedded or hidden documents as these may reveal exempted information
       • check for pivot tables, as these will link to the source data which may reveal exempted information
       • use the Inspect Workbook function to spot hidden columns in Excel and other Microsoft products
       • convert spreadsheets into a CSV file before disclosure, as this will reduce the risk of exempted information being inadvertently disclosed

See the ICO guidance on disclosing information to the public securely for further information.
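The spreadsheet checks listed above can be partly automated before release. The following is an added example, not part of the original guidance or any ICO tool: it reads an .xlsx file as the zip package it is and reports hidden or very hidden sheets, hidden columns and rows, pivot caches, embedded objects and external links. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}
# Package folders whose contents are never shown in a cell but ship with the file.
RISKY_PARTS = {
    "xl/pivotCache/": "pivot cache (stored copy of the pivot table's source data)",
    "xl/embeddings/": "embedded document or object",
    "xl/externalLinks/": "link to another workbook (may hold cached values)",
}

def inspect_xlsx(data: bytes) -> list:
    """List parts of an .xlsx that can carry data a reviewer will not see on screen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":  # "hidden", or "veryHidden" (absent from Excel's Unhide dialog)
                findings.append(f"sheet '{sheet.get('name')}' is {state}")
        for name in z.namelist():
            for prefix, label in RISKY_PARTS.items():
                if name.startswith(prefix):
                    findings.append(f"{label}: {name}")
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(z.read(name))
                for col in ws.findall("m:cols/m:col", NS):
                    if col.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden columns {col.get('min')}-{col.get('max')}")
                for row in ws.findall("m:sheetData/m:row", NS):
                    if row.get("hidden") in ("1", "true"):
                        findings.append(f"{name}: hidden row {row.get('r')}")
    return findings

def build_sample() -> bytes:
    """Constructed sample holding only the parts the checker reads; not a complete workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", f'<workbook xmlns="{M}"><sheets><sheet name="Summary" sheetId="1"/>'
                   f'<sheet name="Raw" sheetId="2" state="veryHidden"/></sheets></workbook>')
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{M}"><cols><col min="3" max="4" hidden="1"/>'
                   f'</cols><sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>')
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()
```

Run it on the clean disclosure copy rather than the source spreadsheet: `inspect_xlsx(open(path, "rb").read())` should return an empty list before release. It supplements the Inspect Workbook check and CSV conversion and does not replace them.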

If the requester has submitted their request via a 3rd party website such as What do they know?, you can check if they want their response to be sent via the website, or direct to them. Responses sent to 3rd party websites will be publicly available to anyone who visits the website, so an inadvertent disclosure of exempted information would be available for anyone to see. On the other hand, responses sent directly to the individual will limit the impact of an unintended disclosure.

You should keep a copy of the request and response for future reference and note any of your responses that are published on gov.uk or 3rd party websites. These can be used as a quick reference guide in case future requests for the same information come in.


Sending a response

The requested information, once identified, checked and any exemptions applied, should be sent to the person in the format they have requested.

It should be remembered that whilst the response is sent to the individual, it will be available to anyone in the world who can access your published responses.

Further guidance on responding to a request can be found on the ICO website.


Checking past responses

Given developing guidance around FOI requests and how to check for hidden data, it is good practice to undertake a review of past FOI responses. This can be done periodically as a form of ongoing audit, or as a one-off exercise where issues have been identified.

In deciding whether to undertake a review, and to what extent, organisations should consider:

  • the robustness of historical processes and procedure in relation to FOI, in particular around checking for hidden data
  • the effectiveness of training in place for staff handling FOI requests historically
  • whether there has been any record of data breaches as a result of a response to an FOI request

Where your organisation has issued a large number of FOI responses and it is not possible to check them all, it may be appropriate to prioritise reviewing responses which present the highest risk of holding hidden data. For example:

  • reviewing responses where spreadsheets have been provided, as these present the most risk of having hidden data
  • reviewing responses issued to public platforms such as What do they know? as these are the most likely to be publicly available
  • reviewing responses which have been identified as being sensitive or high risk
  • reviewing responses from a particular period where you have identified that processes, procedures or training may have been below the expected standard

Tracking requests

Having a way to track requests can help organisations to ensure that responses are well managed and issued within the statutory deadlines.

The ICO have produced a request tracking template which can be used for this purpose.


Corporate information

To help your organisation manage FOI requests, it is advisable to routinely publish as much corporate information as possible.

You must publish a publication scheme, or make hard copies of information available at relevant locations or with public facing teams such as the Patient Advice and Liaison Services (PALS). This is likely to reduce the number of incoming FOI requests.


Staff training

It is important to ensure that all staff receive training in the FOIA to ensure they understand their responsibilities and the importance of timely action in this area.


Further guidance


Guidance for patients and service users


Guidance for health and care professionals

Last edited: 7 May 2026 5:53 pm