The Information Commissioner’s Office (ICO) has undertaken a range of recent enforcement activities relating to Freedom of Information law compliance. Organisations with backlogs of requests – including police forces, NHS organisations, and local authorities – have been required to put in place action plans to increase adherence to the requirements of the Freedom of Information Act 2000.

The ICO has also published thematic guidance on compliance among police forces (available here) which is of general application to all public authorities, as well as self-assessment toolkits to help monitor compliance.  

We set out below key themes from the ICO’s enforcement notices and audits:  

  • Organisations need to remember and use their publication schemes, which are under-utilised. 
  • All processes for the handling of Freedom of Information (FOI) / Environmental Information Regulations (EIR) requests should be formally documented in relevant policies or procedures. There is a consistent need to develop or apply quality assurance processes to ensure the quality of FOI responses prior to their release (e.g. peer review or dip-sampling). This is particularly important when personal data is involved in a response and when team resources are limited – where recruitment is a challenge which the ICO recognises. 
  • The ICO warns against applying blanket rules for exemptions/exceptions, and those responsible for applying exemptions need to be properly trained to do so. Correct application of any redactions is also important.  
  • 50% of police forces audited by the ICO had processes for mitigating and responding to data breaches in FOI responses. This indicates, however, that 50% do not. Recent high-profile cases in which sensitive data has been disclosed ‘to the world’ in spreadsheets or pivot-tables demonstrate the importance of checking data prior to disclosure and having appropriate management processes in place in the event of a mistake.
  • Training for all staff should include general guidance on recognising and triaging FOI requests. Staff with special responsibilities for handling FOI requests, both within the FOI team and in other departments – including senior staff – should be provided with FOI training suitable to their role. The content should be regularly reviewed and updated.
  • Refresher training within the FOI team should be in place for all trained request handlers to ensure that knowledge and practices remain current. This should be documented to help demonstrate commitment to the ongoing development of team members. Updates and refreshers should be given more generally too.  
  • Action plans should be developed to address backlogs. 
  • Training compliance rates should be monitored and reported to relevant governance boards.  
  • Recommended good practice is for organisations to be ‘keeping FOI on the agenda’ through regular triage and risk assessment meetings, at which FOI requests are reviewed and discussed among the FOI team, business area staff responsible for gathering information, and senior officers. These meetings can help to identify complex or potentially high-risk requests, and encourage timely responses.

What to take away 

Backlogs of FOI and other information rights requests are affecting a large number of organisations, and this is a current priority area of enforcement for the regulator.

The risks from inappropriate disclosure of information through FOI have also recently come to the fore through the ICO’s £750,000 monetary penalty notice against the Police Service for Northern Ireland, following the disclosure under FOIA of personal data about officers and staff that was hidden in a spreadsheet.

Although organisations are under significant resource pressures, demonstrating an effective approach to information law compliance remains very important.

How Capsticks can help

For advice on FOI and information rights issues, including managing tricky requests, ICO complaints, or addressing backlogs, please speak to Emma Godding, Charlotte Bolt, Tana Dryden-Strong or Andrew Latham.