Site Map
Privacy Statement
Copyright Policy
Accessibility
Feedback
Search Site:

Legal Guidance for ICT Use in Education, Research and External Engagement

 

Content

Freedom of Information Act 2000 – Overview

Please note: this guidance has been prepared by JISC Legal for information purposes only and is not, nor is intended to be, legal advice. This information is not intended to constitute, and receipt of it does not constitute, a contract for legal advice or the establishment of a solicitor-client relationship.

28 February 2008

Table of Contents

  1. Introduction
  2. Responsibilities of Public Authorities
  3. The Publication Scheme
  4. Requests for Information
  5. Exemptions
  6. The ‘Public Interest’ Test
  7. Environmental Information Regulations
  8. Appeals and Enforcement
  9. Freedom of Information and Data Protection
  10. The Future

1. Introduction

Institutions hold a large proportion of information in computerised systems. The introduction, development and use of information and communication technologies should take place with an awareness of the legal duties related to freedom of information (and other information rights legislation). Difficulties in retrieving information due to the complexity, poor design, or failure of an information system will not be a defence to failure to meet the requirements of legislation. Good records management practices are required in e-administration information systems just as with paper-based systems.

The Freedom of Information Act 2000 (FOIA) gives a general right of public access to all types of 'recorded' information held by public authorities, sets out exemptions from that general right, and places a number of obligations on public authorities.

The Act only applies to 'public authorities' and not to private entities. However, public authorities are broadly defined in the Act, and include the majority of schools, colleges and universities (in addition to government departments, local authorities, and a long list of other public bodies, such as the Post Office, National Gallery and the Parole Board). Private entities, such as spin-off companies, that are wholly or largely owned by a 'public authority' are also subject to the Act.

The Act is enforced by the Information Commissioner (ICO), who combines oversight of both freedom of information and data protection legislation. The Act only applies to England, Wales and Northern Ireland. There is separate FOI legislation for Scotland enforced by a Scottish Information Commissioner. This is not covered in this paper but information is available from the Office of the Scottish Information Commissioner website at www.itspublicknowledge.info/.

2. Responsibilities of Public Authorities

Public authorities have two main responsibilities under the FOIA:

  • They must produce a 'publication scheme’. This is a guide to the information they hold which is publicly available e.g. prospectuses, policies, meeting minutes, and almanacs. Each authority’s publication scheme must be approved by the Information Commissioner.
  • They must deal with individual requests for information. Individuals already have the right to access their personal data, held on computer, and in some paper files, under the Data Protection Act 1998. This is known as the 'subject access right'. The FOIA permits individuals to access all other types of non-personal information that public authorities hold, unless the information falls under one of the specific exemptions in the Act.

3. The Publication Scheme

As public authorities, FE and HE institutions are required to adopt and maintain a publication scheme approved by the Information Commissioner. Such schemes must set out:

  • The classes of information the institution publishes
  • The manner of publication of the information
  • Details of any charges

3.1 Classes

The Act does not define what a 'class' should contain, leaving it up to public authorities to create their own formulation. The Information Commissioner's office (ICO) provided general guidance on this and the key points were as follows:

  • A general definition of a class as 'a group of information having one or more common characteristics'
  • Including a 'class' of information within a scheme commits the public authority to publishing the information that falls within it
  • A class will include as much or as little information as it defines - a class might consist of a single document
  • A clear class definition is thus advised to ensure that information which might be considered to fall within the class, but which the public authority feels should be exempt, can be clearly seen to be excluded from the class

3.2 Manner of Publication

There is no prescribed manner of publication for material described in the Publication Scheme. However, having stated that it will publish information, the public authority must also state the form in which it intends to publish it.

3.3 Charges

Unlike requests for information under the Act, where there is a set charging scheme detailed in the Fees Regulations, there are no prescribed charges for information contained in a public authority’s publication scheme. A public authority may choose not to charge for any information, to charge for all of it, or to charge for selected information. The publication scheme does not have to set out precise charges, merely to indicate which material will be subject to charges.

3.4 Approval and Maintenance of the Publication Scheme

Schemes may either be designed for particular bodies or may be generic. Model schemes, for groups of similar bodies, e.g. FE and HE institutions, may also be approved by the Information Commissioner.

The FE and HE education sectors agreed model publication schemes with the ICO. The majority of institutions in the FE and HE sectors have followed these models rather than creating a bespoke scheme. These model publication schemes together with guidance are available from the ICO website at www.ico.gov.uk/what_we_cover/freedom_of_information/publication_schemes.aspx Once a scheme is approved, it is open to the public authority to decide how to make it available to the public, e.g. publication of the scheme on its website. It must take into account the potential reasonable requirements of those who do not have access to the Internet, or who might require the scheme in an alternative form, such as in a foreign language or in Braille. Publication schemes must be reviewed periodically. The initial period of approval of the schemes was four years but this period has been extended (see below). As information included in the publication scheme is exempt from requests for information, it is in a public authority’s interest to consider including a wide range of documentation in its publication scheme. An institutional information database or series of databases accessible via a web-based front-end might allow for inclusion of large amounts of material in the publication scheme at relatively low cost.

3.5 The Future of Publication Schemes

The approval of publication schemes was intended to expire four years after the date of first approval, i.e. 2007. However, this has been extended (currently 2008) allowing the ICO more time to help public authorities improve and advance their schemes via a Development and Maintenance Initiative (DMI) which will inform the future direction of publication schemes. More information on this initiative and the current status of publication scheme approval is available from the ICO website at: www.ico.gov.uk/what_we_cover/freedom_of_information/publication_schemes.aspx.

4. Requests for Information

Any individual is able to make a request to an FE or HE institution for information. The individual making the information request does not have to be the subject of the information requested, or be affected by its holding or use.

The ICO website has information on this at: www.ico.gov.uk/what_we_cover/freedom_of_information/your_right_to_know.aspx

The Act gives applicants two related rights:

  • To be told whether the information is held by the institution
  • To receive the information, where possible in the manner requested, e.g. as a copy or summary, or in paper or electronic format. An individual may also request to inspect records in person

Requests for information made under the FOIA must be made in writing, although this does include electronic communications such as fax and email. The request must contain a name and address to enable a response to be made, and an indication of the information that is being sought. An institution may ask for further information that it reasonably requires to identify and locate the information requested. Applicants are not required to indicate that their request is an FOI request for information, and it is thus sensible to treat all non-routine requests for information, except those identified as concerning the requestor’s own personal data, as FOI requests. In responding to a request for information, institutions are obliged to provide information recorded both before and after the Act was passed. Requests for information must be dealt with promptly, and the Act sets a maximum time frame for response of 20 working days. A fee may be charged for provision of requested information in accordance with the FOI Fees Regulations. There is no obligation to comply with ‘vexatious’ requests’, or ‘repeated requests’, if the institution has recently responded to an identical or substantially similar request from the same person. However, there is a duty to provide advice and assistance to anyone making a request.

The ICO website contains guidance on all of these issues at: www.ico.gov.uk/Home/what_we_cover/freedom_of_information/guidance.aspx

The Ministry of Justice also has comprehensive guidance on the Fees Regulations at: www.foi.gov.uk/practitioner/feesguidance.htm.

To assist public authorities in compliance with their obligations under the legislation, Codes of Practice on Records Management and on Discharge of Functions were issued in accordance with the Act. These are available from the Ministry of Justice website at: www.justice.gov.uk/ JISC infoNet also provides information on records management on its website at: www.jiscinfonet.ac.uk/records-management.

5. Exemptions

The Act creates a general right of access to information held by public bodies, but also sets out 23 exemptions where that right is either disapplied or qualified. These relate to issues such as national security, law enforcement, commercial interests, and data protection. Information is also exempt from the Act if it is accessible to the applicant by other means, e.g. via the publication scheme, from the Funding Councils, HESA, QAA, or DCSF. Apart from vexatious or repeated requests, to which an institution need not respond, there are two general categories of exemption: those where, even though an exemption exists, an institution has a duty to consider whether disclosure is required in the public interest; and those where there is no duty to consider the public interest.

5.1 Exemptions Where the Public Interest Test Applies

  • s.22 Information intended for future publication
  • s.24 National security (other than information supplied by, or relating to, named security organisations, where the duty to consider disclosure in the public interest does not arise)
  • s.26 Defence
  • s.27 International relations
  • s.28 Relations within the United Kingdom
  • s.29 The economy
  • s.30 Investigations and proceedings conducted by public authorities
  • s.31 Law enforcement
  • s.33 Audit functions
  • s.35 Formulation of government policy, etc
  • s.36 Prejudice to the effective conduct of public affairs (except information held by the House of Commons or the House of Lords)
  • s.37 Communications with Her Majesty etc and honours
  • s.38 Health and safety
  • s.39 Environmental information
  • s.40 Personal information (if the institution believes that disclosure would not breach any of the data protection principles, but the individual who is the subject of the information has properly served notice under s.10 DPA 1998 that disclosure would cause unwarranted substantial damage or distress, or the individual who is the subject of the information would not have a right to know about it or a right of access to it under the DPA 1998, there is no absolute exemption and the institution should consider the public interest in deciding whether to release the information.)
  • s.42 Legal professional privilege
  • s.43 Commercial interests Where an institution considers that the public interest in withholding the information requested outweighs< the public interest in releasing it, the institution must inform the applicant of its reasons, unless providing the reasoning would effectively mean releasing the exempt information.

5.2 Absolute Exemptions

These are the exemptions where, if the exemption applies, it is not necessary to go on to consider disclosure in the public interest.

  • s.21 Information accessible to applicant by other means
  • s.23 Information supplied by, or relating to, bodies dealing with security matters
  • s.32 Court records, etc
  • s.34 Parliamentary privilege
  • s.36 Prejudice to the effective conduct of public affairs (only applies to information held by House of Commons or House of Lords)
  • s.40 Personal information (There is an absolute exemption from the provisions of the FOIA if an applicant making a request for information under the FOIA is the subject of the information requested and they already have the right of ‘subject access’ under the Data Protection Act 1998. There is also an exemption from the provisions of the FOIA if the information requested under the FOIA concerns a third party and disclosure by the institution would breach one of the Data Protection Principles)
  • s.41 Information provided in confidence
  • s.44 Prohibitions on disclosure, where a disclosure is prohibited by an enactment, or would constitute contempt of court

The exemptions can also be divided into two other categories:

5.3 Prejudice Test Exemptions

These are exemptions where the institution concerned must consider whether disclosure of particular information would, or would be likely to, prejudice - for example:

  • s.27 The interest of the United Kingdom abroad
  • s.31 Law enforcement For these exemptions, information only becomes exempt if disclosing it would, or would be likely to, prejudice the activity or interest described in the exemption.

5.4 Whole Category Exemptions

These are exemptions where the institution concerned must consider whether particular information falls within a particular category (or class) of information, for example:

  • s.30 Information relating to investigations and proceedings conducted by public authorities
  • s.32 Court records
  • s.35 Formulation of government policy

If information falls into the category described in one of these exemptions, the institution is not required to release it. There is no requirement to consider whether releasing the particular information requested would prejudice a particular activity or interest. An institution wishing to rely upon a specific exemption must therefore ask itself a series of questions:

  • Is the information potentially covered by an exemption?
  • Does the exemption apply to all or part of the information requested?
  • If an exemption does apply, does it require consideration of whether disclosure should be made in the public interest, irrespective of the exemption?
  • If an exemption does apply, does it require consideration of whether disclosure would be prejudicial to a particular activity or interest?

FE and HE institutions are advised to consider the exemptions with care when determining whether they can be relied on. Only the information to which an exemption applies can be withheld, e.g. if a particular document is requested which contains some exempt information, only those specific pieces of exempt information can be withheld. The rest of the document has to be released. Where an institution decides an exemption applies and withholds information, it must give reasons for its decision and inform the applicant of his right to complain to the Information Commissioner. Where an exemption applies, but an institution is then required by the Information Commissioner to release the information, because it is in the public interest to do so, it must disclose the information requested ‘within a reasonable time’.

Guidance on the application of exemptions is available from both the ICO website and the Ministry of Justice website at: www.ico.gov.uk/Home/what_we_cover/freedom_of_information/guidance.aspx and www.justice.gov.uk/.

The ICO has issued decision notices which provide indicators on how it is interpreting the FOIA where disclosure decisions are disputed. Some ICO decisions have, in turn, been appealed to the Information Tribunal. The notices and Tribunal decisions are available to search and download from the ICO website at: www.ico.gov.uk/what_we_cover/freedom_of_information/decision_notices.

6. The ‘Public Interest’ Test

The ‘public interest’ test requires an institution to consider whether the public interest in withholding the exempt information outweighs the public interest in releasing it. Put another way, the institution is being asked to assess whether maintaining the secrecy of the information serves a greater public good than permitting that information to be broadcast to the world. Thus the public interest test involves considering the circumstances of each particular case and the exemption that covers the information. The balance will lie in favour of disclosure, in that information may only be withheld if the public interest in withholding it is greater than the public interest in releasing it. The Act does not define what the ‘public interest’ is, although it seems clear that the term is not necessarily synonymous with ‘things the public are interested in’.

The Ministry of Justice and the ICO both provide guidance on the ’public interest’ test and examples can also be obtained from the decisions issued. www.ico.gov.uk/Home/what_we_cover/freedom_of_information/guidance.aspx and www.ico.gov.uk/what_we_cover/freedom_of_information/decision_notices and www.justice.gov.uk/.

7. Environmental Information Regulations

The Freedom of Information Act 2000 s.39 exempts environmental information from release under its regime, provided separate regulations have been enacted under s.74. The Environmental Information Regulations 2004 (EIR) give a right of access to environmental information held by public authorities including FE and HE institutions. The legislation bears similarities to, but is not identical to, the FOIA regime. For example, there are differences in the exceptions, calculation of fees, and in the circumstances whereby private companies may fall within its scope. The ICO provides guidance on the definition of environmental information and how the EIR apply at: www.ico.gov.uk/Home/what_we_cover/environmental_information_regulation.aspx.

8. Appeals and Enforcement

If a person requesting information is not satisfied that the public authority has complied with Part 1 of the FOIA he may ultimately request the ICO to investigate the matter. Details of how the ICO handles such requests is available at www.ico.gov.uk/complaints/freedom_of_information.aspx.

8.1 Decision Notice

If the ICO is unable to resolve the matter informally he will issue a Decision Notice to both parties which outlines his view as to whether the public authority has complied with the FOIA. If the decision is that information should have been released he will instruct the public authority to do so. If either of the parties disagrees with the decision, there is a right of appeal to the Information Tribunal which may uphold, overturn, or vary the Notice.

8.2 Information Notice

An Information Notice may be served on a public authority where the Information Commissioner needs further information from the public authority in order to ascertain whether it has complied with part 1 or with the codes of practice or in order to investigate a complaint. This is a binding, enforceable notice.

8.3 Enforcement Notice

The Information Commissioner has powers to require a public authority to address a failure to comply with the FOIA. This is done by means of an Enforcement Notice. The ICO has stated that Enforcement Notices will usually only be used if there is systemic or repeated non compliance.

8.4 Practice Recommendations

The Information Commissioner may issue a Practice Recommendation to indicate to a public authority the steps which it needs to take to conform to the Access and Records Management Codes of Practice. Practice Recommendations are not enforceable. Details of the ICO position on Enforcement and Practice Recommendations are available at www.ico.gov.uk/what_we_cover/freedom_of_information/enforcement.aspx.

9. Freedom of Information and Data Protection

The Information Commissioner oversees both the Freedom of Information Act 2000 and the Data Protection Act 1998. Both Acts relate to aspects of information policy. They overlap where personal information is considered for disclosure. Joint responsibility allows the Information Commissioner to develop a more effective structure for information handling and to provide a single point of contact for public authorities and the public.

The Freedom of Information Act 2000 makes a number of amendments to the Data Protection Act 1998. One of the most significant is that the definition of ‘data’ is extended, as far as public authorities are concerned, to cover all personal information held. This includes ‘structured’ and ‘unstructured’ manual records. However, only the right of subject access, the right to correct and limited compensation rights will apply to the new category of unstructured data. The Freedom of Information Act 2000 thus extends access rights which already exist under the Data Protection Act 1998. A request by an individual for information about himself will be exempt under the Freedom of Information Act and will continue to be handled as a ‘subject access request’ under the Data Protection Act. In certain circumstances such a request may involve the release of associated third party information. Where an applicant specifically requests information about a third party, or where responding to a request would involve the disclosure of personal information about a third party, the request falls within the remit of the Freedom of Information Act. However, the public authority must apply the Data Protection Principles when considering the disclosure of information relating to living individuals. A public authority must not disclose third party information, if to do so would mean breaching one of the Principles.

Where the disclosure would not breach the principles, the public authority may release the information. However, if the third party has served notice under s.10 DPA 1998 that disclosure would cause them unwarranted substantial damage or distress, or the third party would not have a right to know about the information relating to them or a right of access to it under the DPA 1998, the public authority is required to consider whether release of the information would be in the public interest. More information and guidance on this is available from the Ministry of Justice and ICO as above and also from the JISC Legal Briefing Paper at: www.jisclegal.ac.uk/dataprotection/dataprotection.htm.

10. The Future

As stated above, it is expected that both model and bespoke publication schemes will be reviewed in 2008. More information and guidance will be available from the ICO as to how this will be handled.

The Government recently proposed to amend the current fees regulations and to restrict the application of the Act with regard to certain groups. However, following a public consultation and the resulting Constitutional Affairs Select Committee Report, the Government has, for the moment, shelved those proposals. The Government response to the report is available on the Ministry of Justice website at: www.justice.gov.uk/docs/response-to-casc.pdf. It is anticipated that the freedom of information regime will continue to enjoy periodic review, for example, on issues such as designation of additional public authorities, thus requiring organisations to maintain a watching brief in this area.

This update paper is based on the previous papers written for JISC and JISC Legal by Andrew Charlesworth. These are available on the JISC Legal website at: www.jisclegal.ac.uk/freedomofinformation/freedomofinformationPub.htm. Betty Willder 28 February 2008

© JISC Legal - www.jisclegal.ac.uk

 

JISC logo

JISC Advance logo

JISC Legal is a JISC Advance service | JISC Legal is hosted by the University of Strathclyde, a charitable body, registered in Scotland, with registration number SC015263 | The contents of this website are provided for information purposes only and do not constitute legal advice. | Login |



 
skip navigation Menu top links right columnn content JISC Legal home page News Events