
Freedom of Information Response (UK)

What is a Freedom of Information Response (UK)?

A Freedom of Information Response in the United Kingdom is a legally binding written instrument.

The Freedom of Information Act 2000 grants any person — regardless of nationality, location, or reason — a right of access to information held by a public authority. 'Public authorities' for the purposes of the Act include all UK government departments, local authorities, NHS bodies, publicly funded schools and universities, police forces, and a wide range of other bodies listed in Schedule 1 to the Act. The Act does not apply to private companies, charities, or individuals, unless they are contracted to perform public functions.

Section 1 of the FOIA 2000 imposes two duties on public authorities: the duty to confirm or deny whether the requested information is held, and the duty to communicate the information if it is held (and no exemption applies). Section 10 requires the authority to comply with both duties promptly and in any event within 20 working days from receipt of the request. The Information Commissioner's Office (ICO) — the independent regulatory body established under the Data Protection Act 1998 and now operating under the Data Protection Act 2018 — is responsible for enforcing the FOIA 2000 and can issue decision notices, enforcement notices, and monetary penalty notices for non-compliance.

The FOIA 2000 contains two categories of exemptions that permit a public authority to withhold information. Absolute exemptions (set out in sections 21, 23, 32, 34, 36 (for the Houses of Parliament), 37, 41, and 44) apply regardless of any balancing exercise; if the information falls within an absolute exemption, it may be withheld without further justification. Qualified exemptions require the authority to carry out a public interest test — comparing the public interest in maintaining the exemption against the public interest in disclosing the information — before withholding. Most FOIA exemptions are qualified.

The Environmental Information Regulations 2004 (EIR 2004, SI 2004/3391) operate alongside the FOIA 2000 and provide a right of access to environmental information held by public authorities, with a somewhat different (and generally narrower) set of exceptions. Where a request concerns environmental information, the authority must consider whether the EIR 2004 rather than FOIA 2000 applies, as the two regimes have different rules on response time, exceptions, and internal review procedures.

When do you need a Freedom of Information Response (UK)?

A UK Freedom of Information Response is needed whenever a public authority in England, Wales, or Northern Ireland receives a written FOI request and must formally communicate its decision on whether to disclose, partially disclose, or refuse the requested information within 20 working days.

A government department — such as the Home Office, the Department for Education, or HM Revenue and Customs — receiving a journalist's request for information about policy decisions, internal communications, or spending data must prepare a formal FOI response confirming whether the information is held and providing it unless an applicable exemption applies. HMRC receives thousands of FOI requests per year and must respond to each within the statutory 20-working-day period under section 10 of the FOIA 2000.

A local authority receiving a citizen's request for information about planning applications, social care commissioning decisions, or councillor expenses must prepare a formal FOI response. Local authorities are subject to the FOIA 2000 under Part I of Schedule 1 and are regulated by the ICO; the Local Government Transparency Code 2015 (published by the Department for Levelling Up, Housing and Communities) also sets out proactive publication requirements that complement FOI obligations.

An NHS trust or integrated care board receiving a request for data about hospital waiting times, clinical incident records, or procurement contracts must prepare a formal FOI response. NHS bodies are listed in Schedule 1 to the FOIA 2000 and are subject to both FOIA 2000 and the Environmental Information Regulations 2004 for relevant environmental information. The NHS's Right to Know policy sets out internal procedures for handling FOI requests consistently across NHS organisations.

A university or publicly funded research institution receiving a request for information about research funding, grant expenditure, or admissions data must prepare a formal FOI response. Universities are subject to FOIA 2000 to the extent they are publicly funded; their research data may also be subject to the EIR 2004 where it concerns environmental matters.

A police force or constabulary receiving a request for information about crime statistics, use-of-force incidents, or procurement decisions must prepare a formal FOI response. Police forces are listed in Schedule 1 to the FOIA 2000 and are also subject to the law enforcement processing provisions of Part 3 of the Data Protection Act 2018, which may interact with FOIA exemptions where the requested information relates to law enforcement activities.

What should a Freedom of Information Response (UK) contain?

A UK Freedom of Information Response must include the following elements to comply with the FOIA 2000, the ICO's guidance on responding to FOI requests, and the authority's obligations under section 17 of the Act.

The requester reference and acknowledgement block must identify the original FOI request by reference — including the date received and, where the authority operates a case management system, the unique request reference number. The response must be addressed to the requester and must make clear that it is a response to their specific FOI request.

The confirmation or denial of holding clause must address the section 1(1)(a) duty: whether the authority holds the requested information. If the authority does not hold the information, the response should confirm this clearly. If the authority holds some but not all of the requested information, this must be stated. An authority may also rely on section 12 (cost limit — the estimated cost of compliance exceeds the appropriate limit, which is £600 for central government and £450 for other authorities under the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004) to refuse a request it would otherwise comply with.

The disclosure decision clause must state clearly what information is being provided (if any) and how. Where the authority is providing the information, it may do so by providing it directly in the response, by providing copies of documents, by directing the requester to a website where the information is available, or by providing a summary. Under section 21 FOIA 2000, information that is reasonably accessible to the applicant by other means (for example, through the authority's publication scheme) is absolutely exempt.

The exemption notice under section 17 FOIA 2000 is required where the authority is withholding all or part of the requested information. The notice must: specify the exemption(s) relied upon; state whether the exemption is absolute or qualified; and, for qualified exemptions, explain why the public interest in maintaining the exemption outweighs the public interest in disclosure. A generic or formulaic public interest test explanation is likely to be criticised by the ICO on appeal; the authority must engage substantively with the specific competing public interests in the case.

The refusal notice format must comply with section 17 FOIA 2000, which requires the authority to issue the refusal within the 20-working-day period. If the authority requires additional time to consider the public interest test (for a qualified exemption), it must still respond within the 20-working-day period acknowledging the request and confirming that a public interest test is being carried out; the ICO's guidance suggests the extended time should not normally exceed a further 20 working days.

The internal review and ICO complaints procedure must be included in every response that refuses or limits disclosure. The authority must inform the requester of their right to request an internal review of the decision, and their right to complain to the ICO under section 50 FOIA 2000 if dissatisfied with the outcome of the internal review. The internal review procedure should be completed within 20 working days (or 40 working days for complex cases) in accordance with the ICO's Model Complaints Procedure.

The publication scheme cross-reference should direct requesters to the authority's publication scheme — the proactive publication framework required under section 19 FOIA 2000 — where the requested information or related information may already be published. Signposting requesters to the publication scheme reduces the administrative burden of repeated requests for commonly sought information.

Under UK law, the UK GDPR and Data Protection Act 2018 apply to personal data processed under this agreement. The Consumer Rights Act 2015, enforced by the Competition and Markets Authority (CMA), protects consumer rights. Section 43 of the Companies Act 2006 governs company names. The Employment Tribunal adjudicates employment disputes under the Employment Rights Act 1996. The High Court of Justice and County Court have jurisdiction for civil matters under the Senior Courts Act 1981. The forms-legal.com Freedom of Information Response (UK) template covers the mandatory elements under the Freedom of Information Act 2000.


Based on Freedom of Information Act 2000 — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
