- Home
- » Publications
- » Freedom of Information Act 2000: Implementation & practice
Freedom of Information Act 2000: Implementation & practice
This webpage has been archived. Its content will not be updated.
View web retention policy
Audience Those who are responsible for implementing legal compliance including those involved with the development of information systems.
More recent information is available from JISC infoNet
This briefing paper covers:
- The new legislative framework for public access to information held by public authorities, including schools, colleges and universities
- The measures that should be taken to ensure compliance with the legislative framework
- The ways the FoIA and Data Protection Act (DPA) relate to each other
Contents
Responsibilities of Public Authorities
Public authorities have two main responsibilities under the Act:
- They must produce a 'publication scheme', which is, in essence, a guide to the information they hold that is routinely made available to the public, such as prospectuses, almanacs and websites. Under the Freedom of Information Act 2000, 'information' includes all information held anywhere within an institution and does not have to be in the form of a specific document or structure, eg a database. Each authority's publication scheme must be approved by the Information Commissioner
- They must deal with individual requests for information. Individuals already have the right to access their personal data, held on computer and in some paper files, under the Data Protection Act 1998. This is known as the 'subject access right'. The Freedom of Information Act permits individuals to access all other types of nonpersonal information that public authorities hold, subject to specific exemptions in the Act
The Freedom of Information Act (FoIA) 2000 was passed on 30 November 2000. It gives a general right of public access to all types of 'recorded' information held by public authorities, sets out exemptions from that general right, and places a number of obligations on public authorities.
The Act applies only to 'public authorities' and not to private entities. Public authorities are, however, broadly defined in the Act, and they include not only Government Departments, local authorities and many other public bodies, (such as the Post Office, National Gallery and the Parole Board), but also schools, colleges and universities. Private entities - such as spin-off companies - that are wholly or largely owned by a 'public authority' will also be subject to the Act.
The Act is enforced by the Information Commissioner - who oversees both Freedom of Information and Data Protection legislation. The Act applies only to England, Wales and Northern Ireland. The separate Freedom of Information Act for Scotland, passed by the Scottish Executive on 28 May 2002, is the subject of a separate briefing paper.
The Publication Scheme
As public authorities, FE and HE institutions are required to adopt and maintain publication schemes, which must be approved by the Information Commissioner. Such schemes must set out:
- The classes of information the institution publishes
- The manner in which the information is published
- Details of any charges
A publication scheme must be presented to the Information Commissioner as a text document, but once the scheme is approved it is up to the institution to decide how to make it available to the public. For example, the institution could publish the scheme on its Web site. In this case, the institution would still have to take into account the potential requirements of those who do not have access to the Internet, or who might require the scheme in an alternative form, such as a foreign language or in Braille. Publication schemes must be reviewed periodically, and the initial period of approval is likely to be five years.
When deciding what information should be included in its scheme, an institution must take into account the issue of public interest when:
- considering the degree of access to information provided
- publishing the reasons for its decisions with regard to access
As information included in the publication scheme is exempt from requests for information, it may be in an institution's interest to consider including a wider range of documentation in its publication scheme than was previously considered necessary to make public. An institutional information database or series of databases accessible via a Web-based front-end could allow the inclusion of large amounts of material in the publication scheme at low cost, and allow individuals to download information. With such a database system, those responsible for FoIA compliance could ensure that demand for materials in other formats, such as foreign languages and Braille, can be met.
Schemes may either be designed for particular bodies or be generic. Model schemes for groups of similar bodies such as FE and HE institutions may also be approved by the Commissioner.
JISC has established an FoIA publication scheme working group to provide a model publication scheme for FE and HE.
Contact JISC Legal Information Sevice for further information. See About this paper, at the end, for contact details.
Requests for information
Any individual will be able to make a request to an institution for information. The individual does not have to be the subject of that information, or be affected by its holding or use. For example, based on experience in other countries with similar Freedom of Information legislation, the media are likely to use the legislation widely to obtain information for broadcasting or publication. If an individual is the subject of that information then the principles of the Data Protection Act to protect the data subject will take precedence over any FoIA right.
The Act gives applicants two related rights to:
- be told whether the information is held by the institution
- receive the information, where possible in the manner requested, for example as a copy or summary, or in paper or electronic format. An individual may also request to inspect records in person
Requests for information made under the Freedom of Information Act must be made in writing, which includes electronic communications such as fax and email. The request must contain details of the applicant and of the information sought. An institution may ask for further details in order to identify and locate the information. Applicants will not be required to mention either the Freedom of Information Act or the Data Protection Act when making a request for information. In responding to a request for information, institutions will be obliged to provide information recorded both before and after the Act was passed.
Requests for information must be dealt with promptly, and the Act sets a maximum time for response of 20 working days. This is rather shorter than the 40-day limit set for subject access requests under the Data Protection Act 1998. A fee may be charged for providing the requested information. Permissible fees will be calculated according to the Fees Regulations, which will come into force prior to January 2005. Where a fee is required, the 20 working days will be extended by up to three months until the fee is paid.
There is no obligation to comply with 'vexatious' requests, or repeated requests, if the institution has recently responded to an identical or substantially similar request from the same person, but there is a duty to provide advice and assistance to anyone making a request.
Exemptions
The Act creates a general right of access to information held by public bodies, but also sets out 23 exemptions where that right is either not allowed or is qualified. The exemptions relate to issues such as national security, law enforcement, commercial interests, and data protection. In particular, information is exempt from the Act if it is accessible to the applicant by other means, such as from the Funding Councils or DfES. Therefore, information already accessible under an institution's publication scheme need not be provided in response to an individual request.
Apart from vexatious or repeated requests, to which an institution need not respond, there are two general categories of exemption: those where, even though an exemption exists, an institution has a duty to consider whether disclosure is required in the public interest, and those where there is no duty to consider the public interest.
The public interest test requires an institution to determine whether the public interest in withholding the exempt information outweighs the public interest in releasing it, by considering the circumstances of each particular case and the exemption that covers the information. The balance will lie in favour of disclosure, because information may only be withheld if the public interest in withholding it is greater than the public interest in releasing it, for example where disclosure of institutional information would harm a police investigation.
In some cases you can apply the exemption separately to whether you confirm that you hold the information and whether you disclose it.
Exemptions where the public interest test applies
Exemptions for which the institution has a duty to consider whether disclosure is required in the public interest are listed below. Where an institution considers that the public interest in withholding the information requested outweighs the public interest in releasing it, the institution must inform the applicant of its reasons, unless providing the reasoning would effectively mean releasing the exempt information.
| s22 |
Information intended for future publication |
| s24 |
National security (other than information supplied by or relating to named security organisations, where the duty to consider disclosure in the public interest does not arise) |
| s26 |
Defence |
| s27 |
International relations |
| s28 |
Relations within the United Kingdom |
| s29 |
The economy |
| s30 |
Investigations and proceedings conducted by public authorities |
| s31 |
Law enforcement |
| s33 |
Audit functions |
| s35 |
Formulation of government policy, and so on |
| s36 |
Prejudice to effective conduct of public affairs (except information held by the House of Commons or the House of Lords) |
| s37 |
Communications with Her Majesty, etc. and honours |
| s38 |
Health and safety |
| s39 |
Environmental information |
| s40 |
Personal information 1 |
| s42 |
Legal professional privilege |
| s43 |
Commercial interests |
1 If the institution believes that disclosure would not breach any of the data protection principles, but the individual who is the subject of the information has properly served notice under s.10 DPA 1998 that disclosure would cause unwarranted substantial damage or distress, or the individual who is the subject of the information would not have a right to know about it or a right of access to it under the DPA 1998, there is no absolute exemption, and the institution should consider the public interest in deciding whether to release the information
Absolute exemptions
Absolute exemptions are the exemptions for which it is not necessary to go on to consider disclosure in the public interest.
| s21 |
Information accessible to applicant by other means |
| s23 |
Information supplied by, or relating to, bodies dealing with security matters |
| s32 |
Court records, and so on |
| s34 |
Parliamentary privilege |
| s36 |
Prejudice to effective conduct of public affairs 2 |
| s40 |
Personal information 3 |
| s41 |
Information provided in confidence |
| s44 |
Prohibitions on disclosure where a disclosure is prohibited by an enactment or would constitute contempt of court |
2 Applies only to information held by House of Commons or House of Lords
3 There is an absolute exemption from the provisions of the FoIA if an applicant making a request for information under the FoIA is the subject of the information requested and they already have the right of 'subject access' under the DPA 1998. There is also an exemption from the provisions of the FoIA if the information requested under the FoIA concerns a third party and disclosure by the institution would breach one of the Data Protection Principles
Whole category exemptions
These are exemptions where the institution concerned must consider whether particular information falls within a particular category (or class) of information, such as:
| s30 |
Information relating to investigations and proceedings conducted by public authorities |
| s32 |
Court records |
| s35 |
Formulation of government policy |
If information falls into the category described in one of these exemptions, the institution is not required to release it. There is no requirement to consider whether releasing the particular information requested would prejudice a particular activity or interest.
Prejudice test exemptions
These are exemptions where the institution concerned must consider whether disclosure of particular information would, or would be likely to, prejudice:
| s27 |
The interests of the United Kingdom abroad |
| s31 |
Law enforcement |
The information therefore only becomes exempt if disclosing it would, or would be likely to, prejudice either of these factors.
Applying exemptions
An institution wishing to rely upon a specific exemption must therefore ask itself a series of questions:
- Is the information potentially covered by an exemption?
- Does the exemption apply to all or part of the information requested?
- If an exemption does apply, does it require consideration of whether disclosure should be made in the public interest, irrespective of the exemption?
- If an exemption does apply, does it require consideration of whether disclosure would be prejudicial to a particular activity or interest?
Institutions are advised to read the exemptions with care when determining whether they can be relied on. Only the information to which an exemption applies can be withheld. For example, if a requested document contains some exempt information, only those specific pieces of exempt information can be withheld and the rest of the document has to be released.
Where an institution decides an exemption applies and withholds information, it must give reasons for its decision and inform the applicant of his or her right to complain to the Information Commissioner. Where an exemption applies, but an institution is nevertheless required to release the information by the Information Commissioner, because it is in the public interest to do so, it must disclose the information requested 'within a reasonable time'.
Guidance as to how exemptions might apply in particular circumstances will be developed by the office of the Information Commissioner in time and in the light of case by case experience.
Timetable
The Act will be brought fully into force by January 2005. The duty to adopt a publication scheme will come into force first, and different sectors will have their own start dates (see the table below). The publication schemes will have been submitted to the Commissioner for approval prior to those dates. All public authorities will be required to deal with individual requests from the beginning of 2005, when the general right of access to information held by public authorities comes into force.
| Sector |
Submissions accepted from:
(to final deadline) |
Publication scheme in
force from: |
| Central Government |
1 July 2002 - 30 September 2002 |
30 November 2002 |
| Local Government |
1 October 2002 - 31 December 2002 |
28 February 2003 |
| Police and Prosecuting bodies |
1 February 2003 - 30 April 2003 |
30 June 2003 |
| National Health Service |
1 June 2003 - 31 August 2003 |
31 October 2003 |
| Education |
1 October 2003 - 31 December 2003 |
29 February 2004 |
| Other public authorities |
1 February 2004 - 30 April 2004 |
30 June 2004 |
The Information Commissioner
The Commissioner is an independent public official reporting directly to Parliament who is responsible for implementing the Act. The position of Commissioner involves:
- Promoting good practice
- Approving and advising on the preparation of publication schemes
- Providing information as to the public's rights under the Act
- Enforcing compliance with the Act
Enforcement
A person who has made a request for information may apply to the Information Commissioner for a decision on whether the request has been dealt with according to the Act. In response, the Information Commissioner may serve a decision notice on the public authority and applicant, setting out any steps that are required for compliance with the Act.
The Commissioner also has the power to serve information notices and enforcement notices on public authorities. In certain circumstances, the Information Commissioner may issue a decision or enforcement notice requiring disclosure of information in the public interest. If it feels that the Commissioner has erred, the public authority then has 20 days from receipt of the notice to obtain a signed certificate from a Cabinet Minister overriding the Information Commissioner's notice (Executive override). There is no right of appeal against the Ministerial certificate. All notices may be appealed to the independent Information Tribunal.
Codes of Practice
The Act requires the Secretary of State to issue a code of practice for public authorities to follow when dealing with requests for information. The Code of Practice on the Discharge of the Functions of Public Authorities under Part I of the Freedom of Information Act 2000 will include matters such as the advice and assistance that should be given to applicants, and procedures for dealing with complaints. It is currently available in draft form on the Lord Chancellor's Department Web site.
The Act also requires the Lord Chancellor to issue a code of practice for public authorities to follow in relation to keeping, managing and destroying their records. The Code of Practice on the Management of Records under s46 of the Freedom of Information Act 2000 is designed to establish standards of good practice in relation to record keeping. Good practice would make more efficient location and retrieval of information in response to requests. The code is currently available in draft form on the Public Record Office website. The JISC has produced a model action plan for further and higher education for compliance with this code of practice (see Further information).
Appeals
When serving a notice of any kind, the Commissioner must include an explanation of the appeals mechanism. Where a decision notice has been served, either the complainant or the public authority may appeal to the Information Tribunal, which may uphold, overturn or vary the notice. Where an information or enforcement notice has been served, a public authority has the same right of appeal. Appeals to the High Court against decisions of the Tribunal may be made by any party to the appeal.
Freedom of Information and Data Protection
The Information Commissioner oversees both the Freedom of Information Act 2000 and the Data Protection Act 1998. Both Acts relate to aspects of information policy. They overlap where personal information is considered for disclosure. Joint responsibility allows the Information Commissioner to develop a more effective structure for information handling and to provide a single point of contact for public authorities and the public.
The Freedom of Information Act 2000 makes some amendments to the Data Protection Act 1998. One of the most significant amendments is that the definition of 'data' is extended, as far as public authorities are concerned, to cover all personal information held, including 'structured' and 'unstructured' manual records. The rights that apply to this new category of data are more limited, however.
The Freedom of Information Act 2000 thus extends access rights that already exist under the Data Protection Act 1998. A request by an individual for information about him or herself will be exempt under the Freedom of Information Act and will continue to be handled as a 'subject access request' under the Data Protection Act. In certain circumstances, such a request may involve the release of associated third party information.
Where an applicant specifically requests information about a third party, or where responding to a request would involve the disclosure of personal information about a third party, the request falls within the remit of the Freedom of Information Act. However, the authority must apply the data protection principles when considering the disclosure of information relating to living individuals. An authority must not release third party information if to do so would mean breaching one of the Principles.
Where the disclosure would not breach the principles, the authority may release the information. However, if the third party has served notice under s.10 DPA 1998 that disclosure would cause them unwarranted substantial damage or distress, or the third party would not have a right to know about the information relating to them or a right of access to it under the DPA 1998, the institution is required to consider whether release of the information would be in the public interest.
Further information
Corresponding briefing paper
About this paper
This paper is one of a pair, and is aimed at those responsible for implementation and practice. See the , providing an outline of the FoIA aimed at senior managers and those responsible for strategy and policy. Colour printed copies are distributed by and available from JISC.
The information in these papers is taken from a much longer paper on the FoIA commissioned by JISC Legal Information Service. JISC Legal Information Service was set up in response to the concern, in FE and HE, about the increasing impact of new legislation on ICT and related areas. JISC Legal Information Sevice is a consortium of two university 'centres' and a firm of solicitors. The service provides information through its Web site, discussion group(s), email, workshops and other appropriate dissemination channels. It carries out research, commissions work from academics, practitioners and users, and monitors cases and legislation. JISC Legal Information Sevice cannot give professional legal advice but aims to provide information and alert institutions to the fact that such advice may be required. The service focuses on areas such as Intellectual Property, Data Protection, Human Rights and ISP liability and does not attempt to cover areas such as employment law.