It's always important to keep track of regulatory action and enforcement in a particular area of law, and that's no different for Freedom of Information Act (FOIA) requests, regardless of whether you are sending or receiving them. All organisations working with public bodies should be aware of recent guidance from the Information Commissioner's Office (ICO), the regulator involved.
It is clear that the ICO's approach is changing in this area. Regulatory enforcement for lack of compliance with FOIA has been relatively soft over the last decade. The ICO has, of course, had to balance the need for enforcement against the need to be sympathetic to stretched public authority resources and, more recently, the strain that COVID has caused, particularly in the public sector. Over the last year, however, the ICO has put FOIA back at the top of the agenda, focusing particularly on enforcement for significant and longstanding non-compliance, a problem perhaps not helped by the relatively low enforcement risk to date. This is evident from Warren Seddon's Director's update earlier this month, where he indicated that the ICO has delivered more strategic regulation in the past 12 months than in the lifetime of the Freedom of Information Act.
Taking a closer look at the ICO's publications earlier this month on the topic, we can clearly see there are:
- Increased Practice Recommendations (PRs): Many will be familiar with the decision and information notices of the ICO, which are its most routine form of action to order disclosure of requested information that has not been forthcoming. However, part of the ICO's new focus on FOIA is to issue "practice recommendations" to deal with a repeated or potentially significant issue. The ICO has issued 12 PRs in the last year (compared to nine in the last 18 years). This includes three PRs published this month to the London Borough of Tower Hamlets, Liverpool City Council and the Medicines and Healthcare Products Regulatory Agency. The ICO noted that it has issued these PRs so that they can be used by public authorities more widely to proactively review and improve their own services. Recommendations in these PRs include creating action plans (and publishing them for transparency purposes), publishing FOIA statistics (including number of requests and number of days to complete where longer than 20 days), using the ICO's self-assessment toolkit to improve timeliness, and improving staff training and processes to reach a 90% timeliness target. These PRs are perhaps a warning of further enforcement to come from the ICO as, whilst they cannot be directly enforced, they may in turn result in the issuing of an enforcement notice. Furthermore, a failure to take account of a PR may also lead in some circumstances to an adverse comment in a report to Parliament by the Commissioner.
- Increased Enforcement Notices: Whilst the ICO has focussed on PRs and working with public authorities to improve services, it hasn't been afraid to use its enforcement powers for dealing with the repeated and most significant / systematic issues. There have been six enforcement notices over the last year (compared to three in the last 18 years, the most recent being in 2015). Recent enforcement includes notices issued to the Ministry of Defence and the Environment Agency requiring them to respond to hundreds of requests that are well past the legal deadline of 20 working days for a response, and in some cases years overdue. The ICO noted that this approach to FOIA is "unacceptable" and that it will continue to take action when it sees significant backlogs build up and has concerns about the plans in place to address them. The consequences of failing to comply with an Enforcement Notice are not to be taken lightly, as the Commissioner can make written certification of this fact to the High Court. Upon consideration and inquiry by the High Court, the public body may be dealt with as if it has committed a contempt of court.
The ICO has also recently finalised its FOI and Transparency regulatory manual, which sets out its new approach to the strategic enforcement of FOIA. The manual sets out the ICO's responsibilities and powers and how it intends to carry out its work. This includes some useful insight into how the ICO will approach enforcement and the aggravating / mitigating features which it will take into account.
It is clear that the ICO is now prioritising FOIA, noting that it considers it an essential part of delivering its ICO25 commitments to promote openness and transparency across the public sector. All organisations involved in or working with the public sector will need to know the details.
Please get in touch with Fieldfisher if you would like to discuss FOIA. We can support with a specific FOIA request, with your wider strategy or even running training for teams handling requests.