20 top tips for dealing with FOIA (and EIR) requests
2025 marks the 20th anniversary of the access provisions of the Freedom of Information Act 2000 (FOIA) coming fully into force. Over the last two decades the legislation has been used to bring a huge variety of information to public light, with the Information Commissioner’s Office and Tribunals having to adjudicate during that time on a number of tricky and sensitive questions of whether disclosure of information is ultimately required.
Reflecting on our own experience across that time, we've compiled below 20 top tips for dealing with requests for disclosure under the FOIA and its similar (but not identical) legislative sibling in the form of the Environmental Information Regulations 2004, which (as the name suggests) are applicable when requests relate to environmental information (as defined in that legislation).
Top tips
- Be clear if the FOIA and/or EIR apply to your organisation. In broad terms, both apply to “public authorities”, but the test for each differs – and you need to consider the legislation itself, rather than assuming that the regimes are identical. You may be subject to the EIR, but not the FOIA.
- Be alert to the potential application of the FOIA/EIR through “informal means”. A request can be made via a variety of mediums, including social media, and doesn't need to refer to the FOIA/EIR directly. In fact, if environmental information is being requested, the EIR doesn't even require the request to be in writing – it can be made verbally.
- But if a request is said to be made under the FOIA (or the EIR), do consider if that is the right legislative regime. For example, if a requester seeks their own personal information, it should be dealt with as a potential data subject access request under the UK General Data Protection Regulation/Data Protection Act 2018. Responding under the FOIA/EIR may not align with individual rights under data protection legislation, particularly given that….
- The legal effect of disclosure under the FOIA/EIR is that it is “to the world at large”, not solely to the requester. That is the case regardless of whether you deal with the request via private email, rather than your disclosure taking place via public-facing systems such as www.whatdotheyknow.com. Generally speaking, you cannot apply restrictions to how the requester (and/or others) use the information you disclose.
- Always consider if the request is sufficiently clear. If the meaning is unclear or ambiguous, or there are a number of possible interpretations, you should ask the requester to clarify what is sought.
- Never (ever!) delete information on receipt of a request. It is a criminal offence to alter, deface, block, erase, destroy or conceal any record held by a public authority with the intention of preventing its disclosure where a request has been made for it, and the requester would otherwise be entitled to the information.
- Bear in mind that throughout dealing with requests, public authorities are required to provide reasonable advice and assistance to requesters (and prospective requesters) under section 16 of the FOIA. For example, if you need to clarify what a requester is seeking (as above), you might need to explain the types of information which your public authority holds within a particular category.
- Consider at an early point of dealing with requests whether this is a request that you're not obliged to deal with under section 14 of the FOIA. For example, if the request (note: not the requester) is vexatious or it's a repeat request (within the meaning given in the legislation), you're not obliged to respond.
- Consider carefully your obligations to search for information recorded in any form, in order to discharge your duties under the legislation to identify what information is “held”; it can be held either by your public authority or by another person on your behalf. You need to search in areas where it is reasonable to expect the information would be found. What do your organisation’s records management policies point to?
- But even if you don’t hold a document already containing the information, you might still hold the information as a matter of law. The test is whether you have the “building blocks” to generate it, without any complex judgement. As technology evolves, information may be across a variety of sources and mediums, including potentially in non-corporate communications channels such as private email accounts/messaging accounts such as WhatsApp.
- Document appropriately the steps you take to discharge those duties, in order to capture your compliance with the legislation at the time. Remember, the onus is on the public authority to demonstrate that information is not held, on the balance of probabilities.
- Bear in mind that the scope of obligations is not limitless. If the time it will take to search for and retrieve the information is going to exceed the “appropriate limit” (which is either 18 or 24 hours, depending on what kind of public authority) you're not required to proceed. However, you do need to advise and assist the requester, under section 16 FOIA. For example, consider if you can help them to refine their request to come within the time limit. Be aware that the 18/24 hours doesn't extend to considering exemptions from disclosure and applying redactions, which in practice can often be the most time-consuming elements of request handling.
- Do consider if this is information already available via your organisation’s publication scheme, rather than repeating the investment your public authority has already made in that, but bear in mind that information can change over time, and you need to consider if the precise information is already available.
- Always consider if statutory exemptions apply to the information, in whole or part. That question should be considered on a granular basis, rather than on a “blanket basis”. It's often helpful to consider what you can disclose, rather than what you cannot.
- To the extent that exemptions do apply, think whether you need to consult third parties potentially affected by any proposed disclosure. This is important to consider both from the perspective of complying with your duties under the FOIA/EIR, and also often in maintaining your relationship with those third parties.
- To the extent you are satisfied that exemptions apply, check if they are “absolute” or “qualified” under the legislation. Qualified exemptions involve a second stage consideration of the “public interest test”, ie whether the public interest in favour of maintaining the exemption outweighs the public interest in disclosure (and there is always a public interest in favour of transparency and accountability). You will need to document undertaking that assessment carefully.
- If you are redacting material to apply exemptions, consider carefully whether you are redacting effectively, both from a technical perspective of whether the redaction approach is sufficient to permanently safeguard the withheld information (see-through markers are always to be avoided), and also considering how the information you do intend to disclose can form a “jigsaw piece” with what is already in the public domain.
- You need to respond to the request within 20 working days in a manner which complies with the technical requirements of the legislation (although in some cases, you can take further time to conclude on any public interest test which applies). For example, you must inform the requester of whether you hold the information (although sometimes you need to consider whether confirming or denying that will, of itself, reveal the exempt information), any exemptions you are relying on and their ability to make a complaint to the ICO. 20 working days can pass quickly, depending on the scope of request and scope of exemptions you need to consider, possibly requiring the input of a range of colleagues and possibly third parties. It is always best to start the process as quickly as you can!
- Once the request is despatched, as a final step, ensure that you have an orderly record of how it has been dealt with and make sure you satisfy your records management requirements. Requesters are entitled to ask your organisation to undertake an internal review and ultimately ask the ICO to assess your organisation’s handling of the request under its statutory powers of oversight under the legislation. This generally culminates in the publication of a formal decision notice on the ICO’s website but can also have wider implications if the ICO considers its wider powers of enforcement should be exercised. An orderly record will assist with the smooth engagement with that. Some organisations upload responses to an FOI log and/or publication scheme, which also reduces the burden of dealing with similar requests in future.
- Not all requests are straightforward; indeed, some can be very challenging to deal with both in terms of nature and scale of information sought. Responses to requests will often involve a collaborative internal (and possibly external) effort, which is generally assisted where all relevant stakeholders have an appropriate understanding of the requirements of the legislation. In basic terms, if information within the scope of the request is held by your organisation as a public authority, it must be disclosed unless a statutory exemption applies. And do have in mind throughout that recorded information as to how you deal with a request is, itself, potentially disclosable unless an exemption applies (for example, communications comprising the seeking and providing of legally privileged advice).
Our team of information governance specialists have a wealth of experience of supporting clients in navigating the FOIA and EIR across a huge variety of subject matter. Please do contact us if we can help you.