Reforming Freedom of Information

Improvements to strengthen access to information in the UK

Other formats: Plain text, PDF, EPUB.

Executive summary

The right to access official information is fundamental in a healthy and vibrant democracy. Freedom of Information (FOI) legislation is a vital tool in research, journalism, and in supporting citizens and groups to hold their public institutions to account. In the UK, the Freedom of Information Act has now been in operation for over 15 years. Its value can be seen in the high profile investigations and the public disclosure of wrongs that have arisen from the legislation. Alongside that, the value can be seen in the quieter acts of ordinary citizens being successful in accessing information from the public authorities that hold power over their lives.

Campaigns against adding new restrictions to Freedom of Information are generally successful and reflect the fact that FOI has become part of the constitutional settlement — but at the same time positive changes are resisted. The Act is static while the ways in which public services are delivered are changing. The regulator's FOI work is underfunded and as such there is more focus on the data protection duties within the regulator's portfolio. The picture of change that comes out of central government statistics is not encouraging, and there is not the data available to understand if this is a broader trend. Freedom of Information is unlikely to be abolished, but there is a danger of it sliding into obsolescence. Over time new classes of public body may never be covered by the Act, more public services are likely to be delivered by private sector organisations, and the legal rights that exist are less able to be enforced by an under-resourced regulator.

This paper takes advantage of the existing (and potential for future) devolution of Freedom of Information legislation to suggest changes in legislation and regulation that learn from good examples in different systems. We contrast existing and potential differences in approaches to FOI at the UK and devolved level; explore their weaknesses; and offer potential solutions to insufficient data and practical problems that have emerged with the legislation. This leads to a series of recommendations, both large and small, that are informed by the evidence and driven by the clear need for reform.

Recommendations for reform of the regulation, monitoring and administration of FOI in the UK:
  1. The ICO's data protection and access to information functions should be split into two offices, with oversight by Parliament, rather than within a ministerial portfolio.
  2. Statistics for large public bodies on volume and processing of Freedom of Information requests should be collected and released by the regulator.
  3. The UK Government should mirror the approach taken by Scottish Government in extending FOI obligations to a set of private providers of public services.
  4. The OSIC (Office of the Scottish Information Commissioner) should adopt the approach to fees for environmental information taken by the ICO.
  5. The Welsh Parliament should consider options for a limited divergence compared to that in Scotland, by expanding coverage of FOI to private providers of Welsh public services.
Recommendations for amendments to the Freedom of Information Act 2000, to clarify and strengthen the operation of the Act:
  1. Improve the clarity of the legislation through the addition of an explicit time limit for internal review; introduce a time limit for the future publication exemption; and specify that requests not answered by the statutory deadline should be considered refused.
  2. Amend prejudice tests to use stronger "substantial prejudice" language and strengthen protection for confidential communications.
  3. Require a report on use (or non-usage) by the government of Section 5 powers to add FOI obligations to private providers of public services.
  4. Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.

About mySociety

mySociety is a not-for-profit group, based in the UK but working with partners internationally. We build and share digital technologies that help people be active citizens, across the four practice areas of Democracy, Transparency, Community and Climate. As one of the first civic technology organisations to be established, we are committed to building the Civic Technology community and undertaking rigorous research that tests our actions, assumptions and impacts. Our global research work into digital democracy, civic technology and user-centred design has positioned mySociety as a leading authority in digital civic engagement and participation.

As part of the Transparency practice area, mySociety runs WhatDoTheyKnow.com. This is a service that helps users make requests for information to public authorities and makes responses public. The goal is to make public information more accessible and increase the impact of the material released. The underlying software, Alaveteli, powers Freedom of Information services around the world. mySociety also runs a professional version of the service that lets requesters embargo requests to form part of more sensitive research or stories. Since it was launched in 2008, WhatDoTheyKnow has been used to send over 700,000 FOI requests to 38,000 authorities in the UK, resulting in the release of information that has been vital for civil society campaigns, academic research and journalist investigations, and has helped thousands of citizens access information from public authorities.

Introduction

The Freedom of Information Act has become a vital part of the UK's information system. It is a key tool for journalists to follow paper trails and get to the truth of misadministration and corruption scandals. Academics and researchers use FOI as a tool to understand how public services run by a variety of different bodies actually function and to highlight problems. Elected MPs and councillors use Freedom of Information requests themselves, where guaranteed timescales and the ability to appeal to the regulator make it a useful alternative to other formal or informal ways of requesting information.

The Freedom of Information Act is also a powerful tool for citizens. The public can use these rights to learn information of significance to groups and campaigns they are a part of, or to understand more about how the information public bodies hold affects their own lives. Even when the person may not be aware they are making a Freedom of Information request, the rights the Act creates makes it more likely that people will obtain the information they are interested in. The inconvenience of common requests to authorities is a spur to develop better proactive publication, which makes information accessible without anyone needing to ask. Just as the sign of a successful regulator is few people needing to use them, FOI is most successful when information is made more accessible without anyone needing to say "I am making a Freedom of Information request". It is in this spirit that WhatDoTheyKnow makes information received through FOI requests public and accessible through search engines. Where it has been decided the public have a right to access a piece of information, there is enormous benefit in making sure that as many people are able to do so as easily as possible.

The significance of Freedom of Information is shown by the fact that in times where it is threatened, coalitions of newspapers and civic society come together to argue for its importance. But while this effort has prevented retrograde steps such as introducing charging, recommendations to improve the Act made by the government's Independent Commission on Freedom of Information or the Information Commissioner's Office (ICO) are not implemented either. The legislation has remained static, and government powers to make private bodies which deliver public services subject to the Act are underused. This paper is concerned with demonstrating means of improving the functioning of Freedom of Information that rely only on examples that are already working well elsewhere in the UK.

FOI is a devolved matter, meaning that devolved parliaments and assemblies can legislate to vary the law on Freedom of Information. To date, only the Scottish Parliament has done this, and so public authorities in Scotland follow a distinct law for Freedom of Information and are subject to a separate regulator. This power to vary creates opportunities for innovation and for improving the quality of the legislative and regulatory approach to FOI. Devolution allows devolved administrations to make different political decisions about how to expand coverage to private bodies. Increasing the number of actors who can make political decisions around FOI increases the diversity of ways these legal powers can be exercised.

Devolution has led to a diversity of approaches where different parts of the Union can learn from useful decisions made in others. While the Scottish legislation has a number of superior aspects to the UK-wide legislation, there are areas of the Scottish approach that could be improved based on the UK experience, and the Scottish model is not necessarily an ideal model for replication (we recommend Wales explores a third path). This has led to four sets of recommendations, based on transferring practice from one UK-based system to another:

Improving statistical knowledge of how FOI works in the UK - The Office of the Scottish Information Commissioner has built a comprehensive and invaluable picture of the functioning of FOI in Scotland by collecting statistics on how requests were received and processed by authorities. In the UK, this coverage is limited to central government and a rarely followed requirement that larger authorities publish their own statistics. The majority of FOI requests made to public authorities in the UK are not covered by public statistics, making the regulator (and the interested public) blind to trends over time, and less able to understand whether FOI is functioning well or not. We recommend the Information Commissioner's Office (ICO) act as the host of a central repository.

Separating the Information and Data Protection components of the Information Commissioner - The UK's Information Commissioner has two major roles: data protection and access to information. The first of these roles has always been larger, but its scope and importance has only increased over time. Separating the access to information function and transferring oversight and funding from a government department to Parliament would help solidify the role's independence and set it up to deal with both current and future challenges.

Improving the operation of FOI and EIR across the UK - Taking examples of different approaches in the UK and Scotland, we recommend both regimes should adopt best practice from the other. This includes differences in philosophy around the strength of exemptions and extension to private operators, but also different practical approaches such as clearer rules on time scales, administrative silence, and harmonising rules on fees for FOI and EIR.

Exploring new paths for Welsh Freedom of Information - Currently the Welsh Parliament/Senedd has the ability to diverge in a similar respect to Scotland and set up a different system that applies to Welsh public authorities. We explore the implications of this and recommend a mini-divergence, where the Senedd legislates to give the Welsh Government the ability to add private organisations executing a Welsh public function to coverage of the Act.

These recommendations are not the limit of potential improvements to Freedom of Information, but reflect examples that fix clear problems, and are already functional approaches. Our goal is not just to show how Freedom of Information can fix problems already present, but how changes would make the overall system of regulation more responsive to new problems of the future.

What information rights exist in different parts of the UK?

Access to information laws create a right for citizens to access certain kinds of information held by public authorities. These generally fit under the umbrella of Right to Information (RTI) or Freedom of Information (FOI) laws, but can also include the right to see personal data about yourself (GDPR requests). This second set of rights is enshrined in separate legislation (the Data Protection Act in the UK). There are more permissive sets of right to access for environmental information (EIR).

Regarding information rights in the UK, asymmetric devolution has led to a separate system in Scotland but not England, Wales or Northern Ireland. These differ in the particulars of rights granted to citizens, but also in the system of regulation that oversees the wider process. Differences in the ability to practically exercise access to public information can result from a different legal basis, but also differences in approach and resourcing between regulators. In the UK, the Information Commissioner's Office (ICO) regulates access to public information, while in Scotland the Office of the Scottish Information Commissioner (OSIC) fulfills this role.

Devolution of information rights

Access to public information in the UK is governed by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. Devolved legislatures in Scotland, Wales and Northern Ireland in principle have the power to set separate rules around access to public information for public authorities in their areas. However, to date, this has only happened in Scotland. The Scottish Parliament, Scottish government, and Scottish public authorities are covered by the Freedom of Information (Scotland) Act 2002 (FOISA) and The Environmental Information (Scotland) Regulations 2004 (EISR).

The intention to create a separate access to public information system in Scotland led to a 1999 change to the Scotland Act 1998 to explicitly reserve access to public information rights to the UK Parliament, with the exception of Scottish public authorities with devolved responsibilities. Similar language is used in the Wales Act 2017. This means in principle Senedd Cyrmu (the Welsh Parliament) has similar competency to create a different set of FOI rights for Welsh public authorities, but has not done so. The Northern Ireland Act 1998 has not had this delimitation of responsibility added, and so it is likely that if the Northern Irish Assembly attempted to diverge, it would prompt an amendment for a similar clarification of the division of responsibilities. There is a separate code of practice that governs FOI to North-South implementation bodies that are not covered by either UK or Irish FOI law, so there are some FOI questions unique to Northern Ireland that the Northern Ireland Executive share responsibility for with the Government of Ireland.

The Scottish access to information regimes differ in several respects from the UK-wide system. Generally, FOISA is slightly more permissive in the information that should be granted to the requester. Many of the distinctions were already in the 1999 consultation document when it was published for public comment1. This suggests the differences are less a result of feedback from civil society, but from being able to build on the previous UK legislation, as well the dynamics of the legislation being driven by a Labour/Liberal Democrat coalition in Holyrood as opposed to a majority Labour government in Westminster. Beyond the legal difference, different approaches taken by the respective regulators lead to differences in how similar legislation is interpreted.

Notes (hide):

1: Scottish Executive (1999), An Open Scotland: Freedom of Information, a Consultation.

The right of access to environmental information (EIR) in the UK is the result of the implementation of an international convention (Aarhus Convention 1998) to provide greater access to environmental information, public participation in environmental decision making and a legal framework that allows challenge to decisions that run against the above. There are separate regulations creating the right for EIRs in Scotland (Environmental Information (Scotland) Regulations 2004) and the UK (Environmental Information Regulations 2004). Unlike FOI there are few substantial differences in the legal basis of EIR requests in Scotland. In both cases, it is a local implementation of directive 2003/4/EC of the European Parliament and of the Council and exceptions and time scales are the same in both jurisdictions. There are minor differences in how bodies can become subject to EIR, and the approach of the regulators. In general, Environmental Information Requests apply to a wider range of authorities than FOI, cover a smaller subject area, and there is a greater presumption of release of the information.

ScotlandRest of UK

Regulator

Office of the Scottish Information Commission (OSIC)

Information Commissioner’s Office (ICO)

Freedom of Information Act

Freedom of Information (Scotland) Act 2002, or FOISA

Freedom of Information Act 2000, or FOIA

Environmental Information Regulations

Environmental Information (Scotland) Regulations 2004, or EISR

Environmental Information Regulations 2004, or EIR

Table 1 - Different legal regimes for access to public information

There are two regulators with oversight of the Freedom of Information system. The Information Commissioner's Office (ICO) is responsible for data protection across the whole of the UK, but only responsible for Freedom of Information (FOI) and Environmental Information Regulations (EIR) in England, Wales and Northern Ireland. The Office of the Scottish Information Commission (OSIC) is responsible for the Freedom of Information (Scotland) Act (FOISA) and the Environmental Information Regulations (EISR) in Scotland only. OISC decisions can be appealed to the Court of Session, while ICO decisions can be appealed to an Information Tribunal, the decisions of which can again be appealed to an Upper Tribunal. In principle, further appeals are possible to higher courts in both cases.

Collecting FOI performance data across the UK

The difference: There is centralised data on the volume and operation of FOI and EIR requests for most Scottish authorities, but this only exists for central government in the UK. Large authorities in the UK are recommended to self-publish their statistics.

The advantage: There is a far clearer picture of how FOI and EIR are used for Scottish authorities, giving a clearer sense of their impact and changes in use over time.

The fix: The regulator should promote itself as a central repository for collecting statistics on FOI performance from UK public authorities.

FOI statistics in the UK

A key difference between the regulators in the UK and Scotland is that OSIC has better data on the operation of FOI throughout all authorities FOISA applies to. There is a quarterly process where authorities deposit statistics about the GDPR/SAR, FOI and EIR requests they have received, how they have been processed, and how exemptions and exceptions were applied. To support this report, and investigations of FOISA more widely, this data has been downloaded and reformatted into a mySociety minisite. For the rest of the UK, there is far less data on the operation of the Freedom of Information Act. The Cabinet Office publishes a similar quarterly series covering FOI statistics of requests made to a selection of central government ministries, departments and agencies (merging FOI and EIR data). These statistics are also included in the minisite. In principle, FOI covers far more public authorities than FOISA, but in terms of available information, the OSIC collects more information from more agencies. The Cabinet Office collects 76 statistics from 40 agencies, while the OSIC collects 110 from 508. This means that the available picture of information on FOI is far more complete in Scotland.

Chart showing the different volumes of requests received for FOISA, Subject Access Requests, and EIR in Scotland using OSIC FOI statistics. This shows that EIR requests have increased slowly from 2013 to 2019, from around 5,000 a year to 10,0000. Subject access requests have generally stayed between 10,000 and 20,000 but rose above this to 24,000 in 2019. FOI has increased from around 40,000 in 2013 to 70,000 in 2019.

Chart 1 - Volumes of requests recorded by OSIC for FOISA, EIR and SAR

In Scotland, the data is rich enough to allow understanding of the difference in scale between different kinds of information requests (Diagram 1). The volume of public information requests (FOI + EIR) has roughly doubled from 2013 to 2019 (1.9x for FOI and 2.0x for EIR), while Subject Access Requests have doubled (2.2x). Subject Access Requests make up 21% of information requests made to public authorities in Scotland from 2013 to 2019. Of the remaining public information requests in Scotland, 11% of these were EIR requests and 89% were FOI requests. The data can also show where different kinds of requests are made. Subject Access Requests are most commonly made to NHS bodies (where they make up 56% of all requests for information). They also make up 50% of requests made to police bodies. Most EIR requests in Scotland are made to local governments (where they make up 13% of the overall requests for public information). Some bodies focused on environmental matters receive more EIR than FOI requests (Scottish Environmental Protection Agency, Scottish Water, Scottish National Heritage, etc), but there are three councils (Edinburgh, Fife, and Aberdeen) who have received more EIRs than the Scottish Environment Protection Agency. There is no picture of this distinction in UK central government as it is not recorded by the Cabinet Office statistics, but the broader problem is that the Scottish statistics clearly show that FOI behaviour in central government is not typical of the overall system and conclusions drawn from this data do not generalise.

Chart showing local govrenment accounts for the majority of public information requests in Scotland. Numbers mirror table below.

Chart 2 - Public Information requests received by sector (FOISA + EIR)

SectorCount%

Local government

308,664

63%

National Health Service

65,530

13%

Educational institutions

36,144

7%

Others eg NDPBs

33,431

7%

Ministers/Parliament

22,973

5%

Police

19,562

4%

Non ministerial officeholders

5,085

1%

s.5 designated body

2,294

0%

Table 2 - Public Information requests received by sector (FOISA + EIR)

Scottish data provides an overview of where FOI requests are sent. The majority of public information requests made in Scotland are made to local government (63%). Central government ministries/Parliament make up a comparatively small 5%. Glasgow City Council has individually received a greater proportion of all time FOI requests than Scottish ministers. In the UK, the Cabinet Office data only covers central government and there is no official information outside of central government. There have been several surveys of local government, such as the Constitution Unit's analysis in 2010 and mySociety's report in 2018. These snapshots show that the number of requests made to local government is far larger than those made to central government. In 2017, there were roughly 11x as many FOI requests made to local government as central government (the figure for Scotland in 2017 was 13x). There is not reliable information about the volume of requests for other kinds of authorities (for example, universities or health boards). The majority of FOI requests made to public authorities in the UK are not covered by public statistics, making the regulator (and the interested public) blind to trends over time, and less able to craft appropriate strategies.

There is some ability to use third-party sources to plug the gaps, but these are not reliable. For instance, WhatDoTheyKnow provides some information about the distribution of requests, but the Scottish benchmark suggests it is not a representative sample of the overall volume of FOI. In Scotland, requests made through WhatDoTheyKnow account for 5% of requests over all years covered, and 6% in 2019. There is variation between different sectors and authorities, requests to Education bodies account for 14% of requests through WhatDoTheyKnow, but are only 7% of the overall proportion of public information requests. If the same kinds of variations apply to the UK as a whole, extrapolating requests from WhatDoTheyKnow proportions is likely to be an inaccurate guide to overall proportions and trends. Understanding the flow of FOI requests requires official statistics.

SectorWhatDoTheyKnow %Overall %

Local Government

65%

63%

National Health Service

10%

13%

Educational Institutions

14%

7%

Others e.g. NDPBs

5%

7%

Ministers/Parliament

3%

5%

Non Ministerial Officeholders

1%

4%

Police

1%

1%

s.5 designated bodies

1%

0%

Table 3 - WhatDoTheyKnow proportions to Scottish public sectors

Collecting more data about FOI

The value of having data for authorities beyond central government has been recognised, but the steps taken to date are insufficient. The 2018 FOI Code of Practice says that it is best practice for public authorities with over 100 Full Time Equivalent (FTE) employees to collect and publish a set of statistics about their FOI volume. However publication along these lines is rare, and even if it were to become more frequent, it would likely be published as hundreds of separate PDFs on different websites. The code of practice change was in reaction to a recommendation of the Independent Commission on Freedom of Information, but this recommendation also stated that "[t]he publication of these statistics should be co-ordinated by a central body, such as a department or the [Information Commission]". Without this coordination element, much of the work done by public authorities is wasted.

This is an example of public data fragmentation, where there is a mandate for public authorities to spend time and money producing data, but most of the value of this work is lost because the data cannot easily be aggregated. A relatively small amount of work by a central authority (in this case, the ICO) is needed to unlock the majority of the value in the data by allowing understanding of aggregate patterns and allowing comparisons between authorities.

We recommend that the UK regulator pursue a similar approach to OSIC of annual or quarterly data collection and release. This reduces the requirement on authorities to publish their own statistics, while increasing the value of the information in the aggregate. As the OSIC approach shows, this does not need to be technically complicated or require complex visualisations, and a relatively off-the-shelf approach would help collect the information. The problem is primarily administrative rather than technical.

While tens of thousands of public authorities are subject to FOI, the Code of Practice recommends only those with the equivalent of 100 full time employees should release statistics. There is no authoritative listing of these, but using data from WhatDoTheKnow, 90% of requests through the service (excluding those covered by OSIC) are sent to 1,200 authorities. This suggests that restricting collection to relatively large organisations would cover the majority of requests made, and the scope of this could vary to the resources available.

Using the Code of Practice as a basis would result in a far simpler survey compared to those currently used by the Cabinet Office and OSIC. We would recommend collecting more information about specific exemption usage, the number of requests that took longer than the statutory deadline, and the results of any internal review. These provide key performance indicators for comparison between organisations and sectors. The scale of information collected can again match the scale of resources available and any improvement on the status quo would be enormously beneficial.

Separating the Information and Data Protection Commissioners

The difference: In regulation at the UK level, data protection and access to information is dealt with by a single regulator (the ICO) whose budget for FOI regulation is controlled by a government department. The Scottish regulator (OSIC) only deals with access to information and has parliamentary rather than government funding and oversight.

The advantage: Scotland's Information Commissioner has greater operational independence from government, as well as a more focused approach on access to information problems.

The fix: Separate FOI responsibilities into a new Commissioner who operates under the Officer of Parliament model.

In the UK, the Information Commissioner's Office is a single regulator who handles both data protection issues (concerned with the protection of private information) and access to information (citizen access to information held by public authorities).

Following the model of Scotland, we recommend that the access to information portfolio2 should be handled by a separate commissioner who is funded and appointed by Parliament, but does not have responsibility for broader issues of data protection.

Notes (hide):

2: This broadly means Freedom of Information and Environmental Information Regulations, but also covers responsibilities like INSPIRE and other focuses around the publishing and availability of public sector data.

This is aimed at solving two problems that hinder the effectiveness of the Information Commissioner:

  • A public service regulator being funded by a government department creates an incentive to underfund the regulator.
  • Freedom of Information is a small part of the portfolio of the Information Commissioner, and increasingly out of alignment with the main goals of the organisation. Proper attention to this important function requires understanding it as a separate (if smaller) role.

Sharing data protection and access to information roles in a single office is not uncommon (Switzerland, Germany and Hungary also use this model), but neither is it universal. Ireland, Canada and Portugal separate their Privacy and Information Commissioners into two offices. That the offices ended up joined in the UK was not the original intention, and was a result of a series of concerns about how the two proposed roles would theoretically interact if they were separate. The experience of the Office of the Scottish Information Commissioner (OSIC) shows how a separate Information Commissioner can be practically managed in a UK context. Similarly, the original decision not to position the Information Commissioner as an Office of Parliament (as happened with the Scottish version of the role) reflects abstract concerns about government interference that have not been avoided in the final structure of the office.

Some aspects of the original construction of the Information Commissioner's role may always have been mistaken, others have been addressed by seeing how the different legal regimes interact in practice. The biggest factor in why a change is desirable now is the shift in scale of the data protection side of the role. The increasing importance of data protection regulation puts the Data Protection and Information Commissioner roles on two different paths. The Data Protection role is primarily focused on abuse of data by private operators, with increasing regulatory alignment between jurisdictions and a corresponding global pool of expertise. The Information Commissioner role is by contrast a regulator of public bodies, with a more restrained national focus. Two roles that were joined for convenience twenty years ago may now be better served by a separation.

History of the role

The original combination of the Data Protection and Information Commissioner roles represents the circumstances and concerns of the late 1990s. The 1997 original white paper - Your right to know: the Government's proposals for a Freedom of Information Act - expected a separate Information Commissioner that drew on the role of the Data Protection Registrar as a model:

We envisage that the Information Commissioner will fulfil a role similar to that performed by the Parliamentary Ombudsman under the Code. However, we intend to make the new Commissioner an independent office holder (like the Data Protection Registrar) rather than an officer accountable to Parliament (like the Parliamentary Ombudsman). We believe that an independent officer is the more appropriate model given the wide coverage of the Act which will include very large numbers of bodies (for example schools and local authorities) that are not directly accountable to Parliament. An independent office holder will be answerable to the courts for his or her decisions. In this way, the appeals system will be (and will be seen to be) independent and in particular not subject to any form of political override which might ultimately be used to resolve contentious cases in favour of the Government.

This gives two reasons for why the idea of the Information Commissioner being an Officer of Parliament (as would be the eventual position of the Scottish Information Commissioner) was rejected. The first is that the scope of Freedom of Information was intended to be far wider than those directly accountable to Parliament (and so would not just be an expansion on the ombudsman's role), and the second was that the government's inherent power in Parliament would damage the independence of the appeal system, either in practice or appearance.

The implications of this part of the white paper were questioned at the time. The Parliamentary Ombudsman objected to the implication that their office was not independent, and in the end, the Freedom of Information Act would result in direct powers for the Government to resolve very contentious issues in their favour (ministerial veto), making the political control line of objection tenuous. In rejecting a role for Parliament on the grounds it might give the government too much power over the FOI process, it instead has led to a situation where the government directly sets the amount of money available for FOI enforcement. Fear of government control of Parliament (and hence the FOI process) led to the same problem through another path.

Having arrived at the idea the Data Protection Registrar was a suitable model for the Information Commissioner, the two roles became joined because of concern around how the several regimes being introduced would interact.3 Both Data Protection and Freedom of Information have a common concern in providing "access to information" but there is an inherent tension between the two information roles. The Data Protection Commissioner is concerned with protecting and preventing the release of private information, while the Information Commissioner's job is to ensure public authorities are living up to their responsibility to publish. As MP Rob Morris would later put it, the data protection role should be "in a sense, against Freedom of Information", while the Information Commissioner role "involves a certain bias towards releasing information, so that we can have transparency in public life and proper scrutiny of the workings of Government". The concern was these two roles might come to different understandings of what private information was, and so come into conflict. There were also questions about how dividing the role from the Parliamentary Ombudsman would work, as complaints about denials of information might form part of a wider complaint about maladministration by a public authority. The kinds of hypothetical complaints that were envisioned under the new systems might result in appeals to multiple different authorities, leading to confusion.

Notes (hide):

3: The Data Protection Registrar already existed as a result of the Data Protection Act 1984. The Data Protection Act 1998, transformed the Data Protection Registrar into the Data Protection Commissioner.

Alongside the concern that different commissioners would end up fighting about the definition of private information, there was concern they were creating a regulatory environment that was hard for citizens to navigate. The Public Administration Committee was concerned at how citizens would approach the different organisations:

We are concerned by a problem put to us by both the Ombudsman and the Data Protection Registrar. An Information Commissioner will add another to the list of public sector complaints authorities in the UK. As the Ombudsman wrote in his evidence to us, "creating another authority in the form of an Information Commissioner is bound to further complicate the task of the ordinary citizen in seeking redress". "It does not sit as comfortably as it might with concepts of better government and one-stop shops for citizens", the Data Protection Registrar told us.

The committee's initial report suggested a collegiate structure might be useful to help reconcile the three different bodies where there was overlap, but in the Committee's response to the Government's response to their initial report this had become a more forceful regret "that an opportunity was not taken to consider joining the Freedom of Information and Data Protection regimes in order to make a more coherent and more workable system for access to personal information". The eventual decision to merge the two commissioners reflected the idea that conflicts between the different roles should be resolved internally, with one organisation with a definition of what private information was across all relevant legislation. The government's public reasoning was that:

The Select Committee on Public Administration said in its report that there was a need for coherence between the data protection regime and the Freedom of Information regime, with a "simple and comprehensive" right of access to each. We agree. Many requests for information will be for a mixture of personal and general information. We shall therefore merge the office of the Data Protection Commissioner with that of the Information Commissioner.

While the series of steps that led to this decision are reasonable, the benefit of hindsight shows two key problems with the solution:

  • The merger of the two roles is not a merger between two equals, the scope of the Information Commissioner has always been smaller than the Data Protection Commissioner, and this difference in scale has only grown over time.
  • The FOI regime has failed to isolate the Information Commissioner from political control of the budget, limiting the commissioner's effectiveness.

In general there is also now far more information about how different information regimes function in practice that resolve the theoretical concerns about having separate regulators. The experience of the Scottish Information Commissioner demonstrates that data protection and access to information regimes can co-exist in different organisations. It is time to consider if this initial merger was an error.

Divergence of the two roles

The combination of the Information Commissioner role with Data Protection Commissioner role was never a merger between equals. The first "Information Commissioner" was the former Data Protection Registrar and despite substantial expansions in scope and powers, the core of the role remains in the Data Protection role. This was not necessarily a problem while FOI remained a substantial part of the overall portfolio of responsibilities, but access to information has progressively decreased as a proportion of overall funding and activity.

The importance of data protection to people's lives and to the wider economy has increased substantially over the last few decades. In 2006, the ICO published stories about a private detective being fined £1,200 for obtaining data unlawfully, and a guide for managing employee references. In 2021, the ICO's website was publishing information around decisions on the UK's inter-compatibility with EU data protection laws (allowing continued flows of personal data after Brexit), fining a firm £500,000 for sending millions of spam messages, and promoting a speech by the Commissioner discussing the massive amounts of personal information being collected by the pandemic response. The primary purpose of the ICO has consistently been protecting the private data of citizens from abuse from private or public operators, but the key areas of concern have shifted to global tech giants and international systems of data regulations.

This change in relative importance can be seen in relative funding available for data protection and FOI activity. The ICO's Data protection activity is funded by fees paid by organisations holding personal data, while FOI activity is funded by a grant from a government department. These two funding streams move in different directions, while the general trend of the FOI grant is down, the amount of income through data protection has increased over time, with a large increase after the change in fee structures in the Data Protection Act 2018 (Chart 3). When Freedom of Information came into effect, the FOI grant made up around around 33% of the combined FOI and data protection income, by 2018/19 this had fallen to 7% (Chart 4). The change in focus is also visible in the annual report of the organisation. While 9 of 39 pages in the 2005/2006 were focused on access to information activities, by the 2018/19 report, only 3 of 70 were. The ICO has not been absent from access to information policy issues (for instance their 2019 report on Outsourcing Oversight), but it is also undeniable that access to information activities are moving further and further from the core work of the organisation.

Chart showing the relative funding for data protection and FOI in the ICO budget adjusted for inflation. This shows a decline over time for FOi, and an increase over time for data protection, with the increases being more dramatic after 2017 (law change).

Chart 3 - Inflation adjusted income from FOI grant and DPA fees

Chart showing FOI grant as a percentage of the FOI and data protection revenue. This declines from 33-35 in the first few years to 9% and 7% in most recent years.

Chart 4 - Relative proportion of FOI in comparison to DPA fees income.

Never a perfect fit, the roles of Information and Data Protection Commissioner are moving further apart and access to information represents a progressively less important part of the organisation. This is not just a UK trend, but reflects a wider shift in the importance of personal data regulation. Data protection is becoming an area defined by international agreements and regulatory alignment between markets. This means that the pool of viable candidates for Data Protection Commissioners is becoming wider and experience abroad is more directly applicable. While there are commonalities in FOI law, it differs far more in the particulars from country to country. For combined versions of the role, it is convenient if the Commissioner has an interest in both areas (and may well have experience in a similar combined role, as the current Information Commissioner did in British Columbia), but this will not always be the case. It is not good for data protection if the best suited candidate to handle a difficult portfolio is scored lower because of lack of experience with access to information rights. It is not good for access to information if the candidates for the role are being mostly judged on an entirely different problem. It would be to the benefit of both sides of the organisation to restructure in a way that allows two Commissioners to give proper focus to the needs and strategic thinking for two very different streams of work.

In this respect the Office of the Scottish Information Commissioner (OSIC) can serve as a model for how a more focused FOI Commissioner would work in the UK. OSIC demonstrates that separate organisations managing the different portfolios can interact perfectly well in the UK system, while creating an organisation with a clear sense of purpose. But purpose alone is not sufficient, and a separate reason the OSIC's capacity compares favourably is that OSIC is comparably better funded. A restructuring of the Information Commissioner role would be a good opportunity to address the issues of oversight and funding of the access to information portfolio.

Conflicts of interest: government control over the budget

At a 2014 event on the ten year anniversary of Freedom of Information law in Scotland, the then UK Information Commissioner Christopher Graham envied the ability of the OSIC to gather performance statistics, but pointed out OSIC handles comparatively fewer complaints, while the "ICO's grant-in-aid for FOI has been cut in every year since I've been Commissioner". This disparity remains true. In terms of workload, the ICO processed 6,421 FOI complaints in 2019, while the OSIC dealt with only 494. The ICO's FOI work is funded by a grant in aid by the Department of Culture, Media and Sport. In the financial year 2019-20, this was £3,750,000. OSIC is funded through the Scottish Parliamentary Corporate Body (SPCB) and received 1,771,000 in 2019-19. Per head of population, Scotland has 32p spent on regulating FOI, while the rest of the UK has 6p. The smaller organisation is always likely to be better funded per head (and some of that represents efficiency gains in a larger regulator), but the ICO's FOI funding has declined over time, while OSIC's has not. An Open Democracy report described the changes in the ICO's finances:

Deep austerity cuts and rising caseloads have massively diminished the commissioner's capacity. The ICO's FOI budget was cut from £5.2 million in 2010–11 to £3.7 million in 2014–15 and has remained at roughly this level. This amounts to a 41% budget cut over a decade after adjustment for inflation.

Meanwhile, the number of casework complaints the ICO receives annually has risen by 46% in the same period. Consequently, the ICO's funding per complaint has dropped from £1,460 in 2010–11 to £589 in 2019–20 – a decrease of 60%.

The 2020-21 increase in the FOI grant when accounting for inflation just returns to the status quo of funding since 2014. Meanwhile, the OSIC's funding has been relatively consistent since its creation adjusted for inflation. It never received the same cuts during the early 2010s and so the ratio of ICO to OSIC funding has fallen from a pre-2010 norm of 1 to 3 to a post-2014 norm of 1 to 2. A 50% increase in the FOI grant (£2 million) would restore this ratio to around where it was in 2010. While there is no ‘correct' ratio of funding, that OSIC has administrative monitoring capacity that the ICO does not, is highly suggestive the current ratio is too low. Similarly that an increase in casework has been managed with a static budget is laudable, but is suggestive that more proactive activities are being prevented by a lack of funding.

This chart shows the relative FOI funding of ICO and OSIC adjsuted for inflation. This shows relatively consistent funding for OSIC of around 2 million a year, while the ICO funding was (in modern terms) funded over 7 million, a decline after 2010 to a new stable figure of around 4 million a year.

Chart 5 - Comparative funding for FOI activities of the ICO and OSIC.

While the intention in making the Information Commissioner semi-independent of Parliament was meant to limit the power of government, in reality it has allowed the government to underfund its own regulator. This problem has not gone unnoticed, and multiple Parliamentary committees have suggested the ICO would be better able to execute its functions if it reported to Parliament (as in the case in Scotland) rather than a government department. The Select Committee on Constitutional Affairs said in 2004:

The UK model, where funding of the ICO is provided by the government department responsible for FOI promotion and compliance, is unusual. Since the level of funding for the ICO can have a direct impact on its capability to enforce compliance, there is a potential for conflicts of interest. We note that in other comparable jurisdictions such as Canada, New Zealand and Scotland, the ICO is funded directly by Parliament.

Ten years later, a 2014 Public Affairs committee report argued that the Information Commissioner should report to Parliament and be an Officer of Parliament (as is the case in Scotland):

The Information Commissioner and HM Inspectorate of Prisons should be more fully independent of Government and should report to Parliament. The Information Commissioner, Commissioner for Public Appointments and the Chair of the Committee on Standards in Public Life should become Officers of Parliament, as the Parliamentary and Health Service Ombudsman and the Comptroller and Auditor General already are.

The fundamental problem that these reports are addressessing has not diminished, and in 2024 it will be still be true that the Information Commissioner would be a more effective agent if their funding and oversight reflected a role as a constitutional watchdog, rather than as an arms-length body of the Department of Digital, Media, Culture and Sport. While both sides of the organisation could benefit from standing as Officers of Parliament (as in the case in Canada), the Data Protection side of the organisation, through its self-funding from data protection fees, is in a far better position to manage a relationship with a government sponsor. Separating and reinventing the ‘access to information' role within the parliamentary ecosystem solves several issues at once.

An independent, effective and well-funded regulator is in the direct interest of MPs. Freedom of Information is a tool that MPs themselves make use of and frequently reference the results of Freedom of Information in debates. In some instances an FOI request can be a more powerful tool than parliamentary questions. While the response takes longer than a parliamentary question, it can yield more in-depth information, and the ability to appeal to the regulator might be useful in retrieving more contentious information. Freedom of Information is a useful tool in the toolbox for parliamentarians to scrutinise the government, and as such Parliament as an institution has an interest in oversight and support of the Information Commissioner.

Separating institutions

The problems of ensuring access to official information from hostile government departments is poorly placed as a secondary (and government funded) function of a data protection organisation. As proposed by several Parliamentary committees, bringing the FOI roles under the supervision and funding of Parliament would resolve the obvious conflict of interest where a government hostile to Freedom of Information can be in a position of power over the regulator. This might also be an appropriate move for the privacy side of the role, but the need is less pressing.

The 1990s concerns about separate regulators were concerned about the citizen experience of making a complaint and the idea that better governance involved one-stop shops. But if the regulator needs to constantly uphold individual citizens rights, it has failed. The goal is not that a large number of citizens will find redress through the Information Commissioner, but that the system of regulation that they create will avoid the need for complaints. More regulators with a clear sense of purpose (and support structures aligned with that purpose) will be better "one-stop" regulators.

Regardless of the merits of the original decision, the roles have been joined for the last few decades, and so separating them would lead to different institutions than if they had always remained separate. In terms of easing domestic understanding, it may be better for the Data Protection side of the role to retain the name, while creating the new role of an FOI/Access to Information Commissioner. In terms of preserving existing staff and institutional knowledge, the FOI Commissioner could be co-located with the ICO. Cooperation and coordination between the two roles remains important. The goal of a split is not to throw away what has been learned, but that the future direction of FOI regulation is best able not just to deal with the challenges present now, but to be able to craft a separate path to navigate the decades ahead.

Improving the operation of FOI and EIR across the UK

One of the virtues of devolution is that different jurisdictions can explore different paths and try new ideas. Without a requirement of a uniform system, if an idea works in one place it is worth asking if it is also a good idea elsewhere. This section explores differences in practice between Scotland and the UK in terms of the shape of the underlying legislation, as well as government and regulator actions.

Generally speaking, the UK legislation would be improved by reflecting on how the Scottish legislation has practically built on it. This includes philosophical differences about the balance between disclosure and withholding information, but also practical differences that improve how the same ideas function. Beyond legislation, the Scottish government has been far more active than the UK government in using their power under section 5 to designate private operators of public services as subject to the Act. While some aspects of this power present difficult questions about scope, existing examples from Scotland provide a template of how this power can be used in practice.

While generally drawing from Scottish examples, the flow is not all one way. The UK's ICO decision to harmonise how they treat fees between EIR and FOI would be worth investigation by their Scottish counterparts. We recommend that the UK Government should mirror the approach taken by Scottish Government in extending FOI coverage to a set of private providers of public services and suggest amendments to the Freedom of Information Act to clarify and strengthen the operation of the Act:

  • Improve the clarity of legislation by adding an explicit time limit to internal review, adding a timeout for the use of the future publication exemption, and specify that requests not answered by the statutory deadline should be considered refused.
  • Amend prejudice tests to use stronger "substantial prejudice" language and strengthen protection for confidential communications.
  • Require a report on use (or non usage) of s.5 powers to add private providers of public services.
  • Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.

UK Government action

Follow example of the Scottish Government and expand coverage to new organisations under s.5

The difference: The Scottish government has extended FOI coverage to an increased number of private providers of public services.

The advantage: Increased transparency over how public services are delivered regardless of public or private provider.

The fix: The UK government should make use of their s.5 power to match the coverage in Scotland.

Freedom of Information laws in the UK and Scotland allow for new bodies to be made subject to FOI requests through secondary legislation (generally powers given to ministers to fill in the gaps in primary legislation). It is relatively common in both Scotland and the UK for orders to be made under Section 4 (same section in both UK and Scottish FOI acts) bringing in newly created public bodies or removing defunct organisations. Primary legislation will often amend the relative FOI law directly to cover when new classes of organisation are created. It is less common to see extensions under Section 5 (same section in both FOI acts) which extend FOI regulations to cover organisations outside the public sector when they are judged to be fulfilling a public function. As shown below, the Scottish Ministers have made three orders to extend coverage to five new groups. The UK government has similarly made three orders, but these are smaller in scope (and in one case is correcting a name change).

In Scotland, FOISA and EIR has been extended under Section 5 to the following organisations and classes of organisations:

  • 2013
    • Arms-length external organisations set up by local authorities to deliver recreational, sporting, cultural or social facilities and activities
  • 2016
    • Grant-aided [special] schools and independent special schools
    • Providers of secure accommodation
    • Scottish Health Innovations Limited
    • Private prison contractors
  • 2019
    • Social registered landlords

In the UK, FOI has been extended under Section 5 to the following organisations:

  • 2011
    • The Association of Chief Police Officers of England, Wales and Northern Ireland
    • The Financial Ombudsman Service Limited
    • Universities and Colleges Admissions Service (UCAS)
  • 2015
    • Network Rail Limited
    • Network Rail Infrastructure Limited
    • Network Rail Holdco Limited
  • 2018
    • National Police Chiefs' Council [replacing Association of Chief Police Officers]

For the UK jurisdiction, the main intentional change is in the 2011 additions. The addition of Network Rail was a result of an accounting change that reclassified it as part of the public sector rather than a deliberate drive to extend oversight. There is a contrast between the two sets of expansions, in that the Scottish extensions have tended to be for classes of organisations, whereas UK s.5 extensions have been entirely for individually listed organisations. This is not because there have been no class extensions for UK FOI, rather these have been made under primary legislation. The Academies Act 2010 added previously established academics as a class and the Protection of Freedoms Act 2011 expanded the definition of public companies covered by the act to include companies owned jointly by multiple public authorities. As new kinds of authority have been created by new legislation, these have generally directly amended the Freedom of Information Act.

In both Scotland and the UK, there is a debate about extending FOI to cover private contractors who have responsibility for delivering public services. This would represent a substantial expansion of bodies covered by FOI, but in both cases the growth of outsourcing since the creation of the FOI regimes has led to a reduction in the accessible public information about the delivery of public services. The ICO have argued for the extension of FOI to these organisations in a 2019 report that recommended more frequent designations under Section 5. The OSIC similarly supported in-principle ab extension of FOISA to cover contractors (depending on size and duration of contract). There was a wider 2019 consultationon further extensions to FOISA that has yet to have a response published. At present, it seems more likely that this change will happen in Scotland than the wider UK FOI law.

As explored in the 2019 ICO report, there is difficulty in defining automatic triggers for when private operators should be included. That said, and as the Scottish example shows, there are broad categories where it is uncontroversial that the private organisation is running a service on behalf of a public authority, and so is producing information that would be publicly accessible if the public authority was directly running the services. As such, we recommend that the broad classes adopted by the Scottish government similarly be added to schedule 1 of the Freedom of Information Act by the UK government. These are:

  • Arms-length external organisations set up by local authorities to deliver recreational, sporting, cultural or social facilities and activities
  • Grant-aided [special] schools and independent special schools4
  • Providers of secure accommodation
  • Private prison contractors
  • Social registered landlords/housing associations

Notes (hide):

4: The equivalent terminology for England is independent special schools and non-maintained special schools (NMSS).

Covering the above groups would help maintain the standards of accountability of public services. Expansion ultimately remains a political decision, but decisions on broad classes of organisation can be reached without needing to establish firm rules on private provision.

Changes to UK legislation

Improve clarity and action around time limits

The difference: The Scottish Freedom of Information Act is clearer on expected time scales for internal review and the future release exemption. It also has a clear mechanism for dealing with ‘administrative silence'.

The advantage: Clearer expectations speed up responses and simplify the escalation process.

The fix: We recommend:

  • An explicit time limit for when requesters can apply for internal review, and how long review should take.
  • The exemption concerning information withheld pending future publication should have an explicit timeout (this is 12 weeks in Scotland).
  • Requests not answered by the statutory deadline should be considered refused to enable a normal appeal process.

Freedom of Information law in Scotland and the UK allows requesters who have had information withheld to request an internal review, where the authority is asked to review their original refusal. This is a process that frequently changes the original decision. Based on data in Scotland, 16% of internal reviews result in a substituted decision (not including where the decision was only upheld in part)5, and based on the UK central government roughly 25% of internal reviews lead to more information being released.

Notes (hide):

5:

The dynamics of internal review are more explicit in the Freedom of Information (Scotland) Act (s. 20 and s.21), giving time limits both for when the request should be received (40 days after expiry of time limit for the original request) and for how long it should take to complete (20 days). While there is a similar recommended deadline in the UK FOI Code of Practice, it has no real force and for the UK central government only 57% of internal reviews are completed by this point.6 In FOISA there is also more clarity around the exemption that allows information to be withheld if it is intended for future release. This requirement is vague in the UK FOI Act but in FOISA includes a requirement that this release must be in the next 12 weeks. Creating a more uniform set of time expectations on both sides is a useful innovation from Scotland that can be imported into the UK FOI system.

Notes (hide):

6: Open Democracy - Art of Darkness report (p. 8)

Creating more clarity around the timings and progression of the complaint process would also frustrate authorities attempting to drag out releasing information. Stonewalling or ‘administrative silence' is where a refusal is not issued at all, leaving the requester in limbo in relation to the standard review process. In the UK system, if an authority does not reply within the statutory time limit the requester can appeal to the ICO (the guidance suggests that the requester contact the public body to check they have received the request first). The ICO can then require the authority to issue a substantive response. The ICO has issued 818 decision notices to compel a response in the last five years, and this is likely to have undercounted the problem as the ICO's standard practice is to attempt to resolve the issue informally.7

Notes (hide):

7: Open Democracy - Art of Darkness report (p. 26)

The issue with this process is that it is resetting the clock to the start. As the standard time the ICO gives to issue a response is 35 calendar days, this is often more time than the original 20 working days clock. If the authority then applies an invalid refusal, it must then go through internal review (of indeterminate length) before being sent back to the ICO for another decision about the release of the information. For the authority actively stonewalling a response, this process can be made to drag out for a considerable time.

Creating more explicit administrative penalties for a lack of response can help to bring this time down. For instance, the FOI law in Ireland (the Freedom of Information Act 2014), includes a provision that requests not replied to in the normal timeframe are deemed to have been refused, allowing normal processes to continue. This is not as legislatively explicit in Scotland, but is the effective practice, The longer description of the review process in the Scottish legislation makes it clear that a complaint can be raised if dissatisfied with how an authority has dealt with a request for information in general, including a lack of reply. OSIC interpret this similarly to the Irish "deemed refusal" and say that receiving no reply at all should be treated as a refusal. The advantage of this approach is by not responding on time, authorities forfeit the right to mark their own homework. As authorities are now reviewing their "refusal" rather than starting from scratch, if the internal review then argues to withhold information on the basis of an actual exemption, it can be immediately appealed to the OSIC. In the event there is also no response to the request for review as well and the requester appeals to OSIC, the regulator will require the authority to complete a review, rather than returning to the start.8 This does not prevent authorities delaying responses, but significantly reduces the amount of time by which they can do so.

Notes (hide):

8: Even in cases where the authority is not acting maliciously, it is appropriate for there to be an administrative penalty for a complete lack of response. Reviewing decision notices issued by the OSIC, a lack of response is in some cases caused by the requester (for instance, using the wrong email address), but it is more common for the message to be received but misprocessed. 502 out of 516 decision notices about timescales found in favour of the requester.

While reasonable authorities will be working to the Code of Practice, the risk of authorities gaming the system means that aspects of the process need to be made more explicit9. As such we recommend that:

Notes (hide):

9: More information about the use of administrative silence can be found in Open Democracy's Art of Darkness report (p. 24)

  • Guidance on length of time for an internal review in the Code of Practice (20 days) should be given legislative backing.
  • The exemption for information withheld pending future publication should have an explicit time out (this is 12 weeks in Scotland).
  • The complaints process should be better described in legislation, and include that requests not answered by the statutory deadline should be considered refused to engage the normal appeal process.
  • (Notes)

Strengthen grounds to appeal use of exemptions

The difference: Exemptions under FOISA are subject to a stricter prejudice standard than UK's FOI law.

The advantage: Strengthens the power of the regulator to review use of prejudice exemptions where the threat is theoretical.

The fix: Amend prejudice tests in FOI law to stronger "substantial prejudice" language and strengthen protection for confidential communications.

Under both sets of Freedom of Information laws, all information held by a public authority is available for access by the public. Specific kinds of information are then excluded from this. These withheld categories of information are called exemptions. The changes in these exemptions over time changes the effectiveness of the law. Across central government, the overall number of requests granted in full dropped from 57% to 43% from 2010 to 2019. As analysis from the Institute for Government shows, this is a change across government, but concentrated in a few departments:

Some departments are more prone to withholding information. Typically, the Cabinet Office, Foreign and Commonwealth Office (FCO) [...], MoJ and HM Revenue and Customs (HMRC) are among the departments that grant the fewest Freedom of Information requests in full. Some departments, such as the Department for Environment, Food and Rural Affairs (Defra), Department of Health and Social Care (DHSC), Department for Digital, Culture, Media and Sport (DCMS) and the Ministry of Housing, Communities and Local Government (MHCLG) have progressively granted lower and lower amounts of Freedom of Information requests in full over the last 15 years.

One way to react to changing use of exemptions is to shift the balance more in favour of the requester by changing the strength of tests required to withhold information.

Exemptions can be divided into ‘class-based' and ‘prejudice-based' criteria. Class-based apply to specific kinds of information, whereas prejudice based exemptions relate to possible harms as a result of disclosure. For example, information related to ongoing criminal investigations and proceedings is a class-based exemption, whereas the exemption that disclosure would be likely to harm the "prevention or detection of crime" is a prejudice based test. While the different exemptions are similar between FOI and FOISA, there are differences in the detail that shift the default in favour or against disclosure in some cases. These distinctions are explored in more detail in an OSIC comparative document. In general, there is a higher bar to activate prejudice exemptions under FOISA, where this requires a risk of "substantial prejudice" rather than just "prejudice". While there is no definition of "substantial prejudice" in the Act, the OSIC describe the difference as "the disclosing the information must be of real and demonstrable significance, rather than simply marginal"10. This is a distinction that makes it easier for an appeal to say a prejudice exemption was incorrectly applied.

This is a graph from the Institute for Government showing the percentage of FOi requests granted in full. It shows that over time, less and less FOi request have been granted by a wider range of central government bodies.

Chart 6: Institute for Government analysis of successful FOI requests to government departments

While different exemptions are only part of the story, under the Scottish systems appeals to the regulator are more likely to succeed and the OSIC is more likely to rule in favour of information disclosure than the ICO. Building on previous analysis by OpenDemocracy, in the 2015-2019 time range, 53% of ICO decision notices fully upheld the original decision of the authority, whereas for the equivalent time range only 34% of OSIC decision notices fully upheld the original decision. Reducing the scope of the prejudice exemption would allow more prospect for appeals where the risk described was only theoretical.

Language in the Scottish version of the Act is not always to the requester's advantage, and there is also a broader definition of an exemption for confidential communications. This exemption applies just to lawyer/client communications for UK-based requests as opposed to broader legally protected communications such as doctor/patient and journalist/source in Scotland. Strengthening the right to confidential communications would provide a good balance to loosening exemptions in other areas. (Notes)

Require a report on use/non -use of s.5 powers

The difference: The Scottish Freedom of Information Act requires the government to produce a report on use (or non-use) of s.5 powers.

The advantage: A regular opportunity to reflect on how service delivery is changing and consider changes that might be useful.

The fix: The UK Parliament should similarly legislate for a regular report on use of expansion powers.

In 2013, the Freedom of Information (Scotland) Act was amended to require the Scottish government to report every two years on whether it had used the power under section 5 to expand coverage of FOI to bodies outside the public sector (section 7A), and to give explanations for use (or non-use) of s.5 powers.

In their 2019 report, the ICO recommended this as a measure the UK Parliament should adopt:

We know from engagement with the Scottish Information Commissioner's Office that this mechanism has proved useful and effective in aiding the progressive expansion of FOISA. It is a relatively simple change that the Government could make now. Such a mechanism subjects the state of public service delivery and relevant proactive transparency initiatives to regular scrutiny and analysis, ensuring that it stays on the agenda and that progress is accountable to the public. It also provides a helpful and clear means of engaging with proposals for designation and new policy ideas relevant to this area.

If the legislative intention is that, at a minimum, the use of these powers should be periodically considered even if decided against, a reporting mechanism encourages discussion, while not changing where decision making sits. (Notes)

Bodies added to FOI coverage under Section 5 should also be subject to EIR

The difference: The definition of public authorities for EIR in Scotland is inclusive of all additions to FOI coverage, the UK definition explicitly excludes those added under Section 5.

The advantage: The present situation may result in confusion about the status of an authority.

The fix: Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.

One issue raised by the ICO in their 2019 report was the fuzzy boundaries of which organisations are covered by FOI and the Environmental Information Regulations (EIR). The government can (but generally does not) designate bodies fulfilling functions of a public nature as being public authorities for the purpose of FOI (through Section 5 orders) but these bodies might then be unclear about whether the Environmental Information Regulations applied to them or not.

The problem is that the definition of public authority in the Environmental Information Regulations Scotland includes bodies subject to FOI, with the explicit exclusion of "any person designated by Order under Section 5". A Section 5 order adds a body to FOI coverage, but not EIR coverage. That said, the situation is not necessarily that a body designed via s. 5 is not subject to EIR. The definition of public authority for the purposes of EIR is wider and a body added to FOI under s.5 might separately be a body "that carries out functions of public administration" and so is subject to EIR anyway. The problem is that one of these decisions is made by the government, and the other by the courts, and they might disagree. For an example of this, currently under UK law the Upper Tribunal ruled that housing associations are not covered for the purposes of EIR, as oversight by an official regulator did not mean associations have public functions. If housing associations were to be designated under s.5 for the purposes of FOI, it is unclear that this legal picture would change. A court and government could reach different decisions about whether or not a body had public functions.

In contrast, in Scotland the definition of public authority in the Environmental Information (Scotland) Regulations 2004 is inclusive of bodies designated by Section 5. If the government decides a body fulfills a public function and should be subject to FOI, it is also subject to EIR. While it remains a decision for the government what bodies are or are not designated under Section 5, it is in the interest of bodies who are given new responsibilities that their obligations are clear. There seems to be no benefit to an organisation that the government has decided fulfills a public function in being unclear about if it is subject to EIR or not.

Changes to EIR in Scotland

Drop fees for EIR requests below the equivalent "reasonable limit" for FOI.

The difference: The ICO considers that the concept of FOI "appropriate limit" should apply to EIR requests. The OSIC allows charges below these limits.

The advantage: Resolves the situation where asking for environmental information may have higher barriers than other kinds of information.

The fix: OSIC should similarly amend guidance to the ICO to discourage charging below the FOI "appropriate limit" for EIR requests.

Both Environmental Information Requests (EIR) and FOI regimes allow for charging requesters for the provision of information but FOI has a minimum ‘appropriate limit' before charging is engaged, and so most requests are not charged. For UK central government authorities and all authorities in Scotland the limit is £600. For all other authorities in the UK, the limit is £450. EIR has no minimum limit, and so all requesters are allowed to be charged the (small) costs of providing the information if the authority has made their charging regime public.

In a 2019 decision, the ICO found that the idea of a ‘reasonable' charge under EIR should effectively track the idea of an ‘appropriate limit' in the Freedom of Information Act, so an EIR request that would otherwise require a charge of less than £600 (for a central government body) would not have a charge. The official guidance has not yet been updated to track this decision (through correspondence, this is still planned but has been delayed by Coronavirus response) but the existing 2016 guidance does already argue that public authorities should ‘avoid routinely charging for all EIR requests', while the equivalent OSIC guidance does not. The practical result of this is that the ICO may uphold a complaint that Croydon Council should not charge a £50 fee for access to environmental information at all, whereas OSIC would agree that Glasgow City Council could charge £50 if this price was listed publicly.

It is a discrepancy that while the goal of the EIRs is to make environmental information more widely accessible, the broader FOI law has a lower cost barrier to making a request. We would recommend that OSIC take a similar approach to the ICO and change guidance so that ‘reasonable' charges for information should track the equivalent appropriate limit in FOISA. Alternatively, the Scottish Parliament could amend the regulations to make this explicitly the case.

Exploring new paths for Welsh Freedom of Information

Senedd Cymru has the competence to diverge from UK Freedom of Information law to a similar degree as the Scottish Parliament. This would allow it to create new rules and institutions to manage access to public information for Welsh public authorities. This could include changing the scope of information covered by adding or removing exemptions11, adjusting legislative deadlines, fees limits, or creating a Welsh Information Commissioner's Office to regulate and manage the new regime.

Notes (hide):

11: With a similar restriction to Scotland in requiring an exemption for information given in confidence by a UK ministry/department.

The main issue with this approach is the overhead costs and complications of a new regulator, which would require a strong case for divergence. While this regulator could be proportionally better funded than the ICO, Wales is also a smaller country than Scotland, and an equally effective independent regulator is likely to be proportionally more expensive than the OSIC. More abstractly, harmonisation with Scottish FOI law might allow a "shared services" model with the Scottish regulator and overcome some issues of scale, but appeal structures in different legal systems may make this a complicated undertaking (and put limits of both parliaments on further divergence).

Not all legislative divergences necessarily require regulatory divergence. The ICO already interprets requests through two different legislative frameworks (FOI and EIR) depending on content, and minor variations applying to Welsh public authorities should not pose an insurmountable practical difficulty. While the exact breaking point would be a point of negotiation (significant changes to how exemptions should be interpreted is a likely example), smaller divergences should be possible where the Welsh system could exercise some autonomy while maintaining the ICO as the regulator. As such, we recommend a model for devolution of Welsh FOI that retains the existing legal structure, but gives power to the Welsh Government to expand coverage of the act to new organisations or offices. (Notes)

Legislate to give the Welsh ministers the ability to designate bodies under s.4 and s.5 of the Freedom of Information Act.

The problem: Welsh ministers may have different opinions from UK ministers on designation of Welsh bodies or private organisations as public authorities for the purpose of FOI, but have no relevant powers or responsibilities.

The fix: The Senedd should legislate to amend the Freedom of Information Act and give powers to the Welsh Government to add new bodies to coverage of the Act.

As long as the general framework of access and exemptions remains the same, divergences should be possible within the scope of the UK regulator. This could mean allowing the Welsh Government to include new kinds of bodies under FOI law (for instance, mirroring the Scottish expansion to social landlords and private prisons). Rather than creating a new Freedom of Information Act to cover Wales, this would use the existing framework of the Freedom of Information Act 2000, creating new powers for the Welsh Government as applicable to Welsh public authorities as defined by the Act.

Currently there is no special role other than consultation for the Welsh Ministers when the UK Minister is considering designating a Welsh organisation or role as a public authority for the purposes of FOI. This can be changed, as the Senedd has authority to legislate in this area. For instance, the Senedd can legislate to directly add new Welsh public authorities to the Freedom of Information Act 2000 Schedule 1 (where covered organisations are listed), and did so to change the name of a public authority in the Senedd and Elections (Wales) Act 2020. It could straightforwardly legislate to create the equivalent of a s.4 power for Welsh Ministers rather than the UK Secretary of State to add bodies or offices that were created by Welsh legislation or the Welsh Government to FOI coverage. This would mostly be an administrative change, but more substantively the Senedd could legislate for a power to allow private operators to be subject to Freedom of Information laws.

Section 5 of the Freedom of Information Act 2000 allows the UK Secretary of State to designate an entity to be a public authority for the purposes of FOI if they "exercise functions of a public nature" or have a contract to provide a service that is a function of a public authority. This allows private providers or services to be bought under the coverage of FOI law. As long as the entity in question was executing a function "exercisable only or mainly in or as regards Wales", the Senedd should have the competency to add it to the FOI Act's Schedule 1, or to empower the Welsh Government to do so.

This method of expanding coverage would not quite replicate the situation in Scotland, as the relevant UK Secretary of State would retain an effective veto power through an exclusion order (see box 1). But this would allow changes in the scope of FOI law to entities that deliver Welsh public services, without the overhead of a completely separate FOI framework or regulator.

Other actions

There are several actions that the Welsh Government could take to investigate possible needs for divergence. Similar to the Cabinet Office statistics, the Welsh Government could gather information about how FOI is currently functioning inside Wales. While the Welsh Government currently has no direct powers to extend coverage to organisations fulfilling public services, it could develop an opinion on whether there are any specific organisations or classes of organisation it would want to include under FOI because they exercise function of a public nature, or are under a contract to provide the function of a public authority on behalf of that authority. If it concluded there were, the Welsh Government could ask the UK Cabinet Office Minister to designate on their behalf. This would be informative in several respects about the necessity of legislation. If there is no interest in using designation powers, there is not a pressing need for legislation. If there is an interest, but the UK Cabinet Minister is unresponsive, it improves the case for directly empowering the Welsh Ministers.

Similarly some of the tweaks advocated in this paper for the UK Parliament to adopt could also be adapted by the Senedd. If the Senedd was interested in proactive expansion it could require a report similar to the Scottish Parliament on the use (or non use) of s.5 powers by the Welsh Government. It could clarify time limits for public interest tests or internal reviews, or amend the Environmental Information Regulations to ensure that ‘Welsh public authorities' as designated under s.5 are covered by EIR, or lower fees for Environmental Information Requests. While there is a point where operating a different system under the same regulator becomes more difficult, it is already the case that the ICO handles two different regimes (FOI and EIR). Procedural changes of a limited scope could improve the accessibility of Freedom of Information in Wales without raising a substantial need for a separate regulator. (Notes)

Box 1. What are the differences between FOI devolution in Scotland and Wales?

Under the revised Government of Wales Act 2006 (added in Wales Act 2017), "Public access to information held by a public authority" is a reserved responsibility of the UK Parliament. There are exceptions to this for public access of information held by:

  1. the Senedd,
  2. The Senedd Commission,
  3. the Welsh Government, or
  4. any Welsh public authority,

unless supplied by a Minister of the Crown or government department and held in confidence.

The definition of "Welsh public authority" used is Section 83 of the Freedom of Information Act 2000. This broadly makes any public authority "whose functions are exercisable only or mainly in or as regards Wales" a Welsh public authority, unless it has been explicitly excluded by an order of the UK Secretary of State. This language of the exceptions mirrors the language added to the Scotland Act 1998, except the Scottish equivalent includes only Scottish public authorities with "mixed functions or no reserved functions", and Scottish public authorities are only those whose functions are "only in or as regards" Scotland (Scotland Act 1998, s. 126). This makes Welsh coverage potentially wider, as authorities dealing entirely with reserved matters while executing a function "only or mainly" in Wales are covered. On the other hand, there is no equivalent ability for the UK Minister to decide a Scottish public authority is in fact not one. In the event of divergence, the UK government has the power to ensure that any designation they disagree with should be treated under UK FOI law.

Improving clarity in Northern Ireland

This report does not make strong recommendations for Northern Ireland, except to note that similar options to Wales are theoretically available. Due to the order of the various devolution acts, the Northern Ireland Act 1998 does not have the same delimitation of responsibility for FOI. As such it is likely that if the Northern Ireland Assembly indicated an intent to diverge on access to information laws, it would prompt an amendment for a clarification of the restriction of competency to Northern Irish public authorities.

It is worth noting that there is a different FOI regime for North-South Implementation Bodies. These operate in both Northern Ireland and the Republic of Ireland but are not subject to either the UK's Freedom of Information Act 2000 or the Irish Freedom of Information Act 2014. Instead, an entirely separate FOI code of practice applies to these bodies. This is informed by both pieces of legislation, and so contains different features to UK FOI law. For instance, the concept of a deemed refusal from the Irish legislation is present. This Code of Practice applies to cross border implementary bodies, but not to the North South Ministerial Council itself.

The Code of Practice contains a right of internal review, and the Irish Office of the Ombudsman and the Northern Ireland Public Services Ombudsman both have jurisdiction for complaints of maladministration (there is a memorandum of understanding between the two organisations to coordinate). There are not many FOI requests made to these bodies, and correspondingly there are likely to be few complaints. Regardless, we would recommend that implementation bodies make clear there is a right of appeal to an ombudsman (several already do so). In turn, the two ombudsmen should be clear that while they refer other Freedom of Information issues to the respective commissioners, they do manage complaints about Freedom of Information for implementation bodies. If the code of practice is reviewed, this should similarly include a reference to the role of the two ombudsmen.

Conclusion

Our recommendations in this paper fulfill two major functions: fixing problems that are happening now, and bolstering the Freedom of Information system to better manage the challenges of the future. Currently the ICO's FOI functions are under-funded and not aligned with the general direction of the organisation. An Information Commissioner where the overwhelming majority of the organisations funding is for data protection work is unlikely to be able to champion quality in FOI administration and regulation on a full time basis. A stand-alone Access to Information Commissioner should be overseen by Parliament, rather than a government minister. FOI should be considered as a core constitutional right, and the strength of its regulation should not be subject to the mood of the government of the day.

The ICO has a separate problem in that it has very limited information about the system it is charged with regulating. Improved data collection about the volume and responses to information requests means that any regulator can be much more sensitive and reactive to problems in the overall system, better able to spot outliers or changes in exemption use, and better able to make the case for larger changes in approach. This kind of statistical knowledge is vital for a regulator to act proactively.

This paper capitalises on the idea that having multiple systems in the UK has allowed greater innovation on how Freedom of Information systems function and are regulated. We want to encourage devolved administrations and legislatures to further explore how adaptations of the FOI system may fit in with broader goals. While large legislative divergences may not always be desirable, increasing the number of actors who can make political judgements about expansion of coverage means political decisions can be made at a more local level. How successful these expansions are can help guide decisions or advocacy in other jurisdictions. Innovations and improvements in devolved nations may later influence wider UK adoption.

This report is not a comprehensive list of potential improvements to Freedom of Information in the UK. We have focused on areas where a big impact can result simply from transferring innovation between systems rather than from wholly new ideas. While some recommendations previously made by the Independent Commission of Freedom of Information are echoed in this document (such as a legislative time limit for internal review and a central store of Freedom of Information statistics), many of their other recommendations remain relevant. In particular we would highlight the following of their recommendations as important ideas that are worth revisiting:

  • Replace the the public interest test time extension with a more limited extension around complexity of volume of a request,
  • Make it possible for prosecutions under section 77 of the Act (erasure of information that has been requested) to take place more than six months after the offence, and;
  • Require public authorities of a certain size to publish the requests received and the information released in public.

This paper has scratched the surface of these issues, and its aim is to catalyse conversation and innovation in strengthening FOI in the UK. Further research into the legal and practical aspects of the recommendations made in this report is necessary, as is more qualitative research on the barriers, risks and opportunities of innovating in this area. Comparative research into regulatory and monitoring regimes in Europe and further afield will further inform the case for reform. We see this paper as a beginning and a first step in demanding that our right to information and the legislation that enshrines it, is meaningful, robust and in service to the public.

Edits

  • 2022-08-22 - Modified a statistic. Original paragraph said that "Based on data in Scotland, 40% of internal reviews result in some form of new information being released". This was based on the information in this table but using the reverse of the 60% where the original decision was partially or wholly upheld. In fact, part of this 40% is late responses and decisions reached but not issued. 16% of reviews led to an entirely substituted decision, but it can be said with this information how many led to a whole or partial substitution of the decision. This seems likely to be in the same ball park as the UK central government numbers rather than being much higher.

Related research

Footnotes

1 Scottish Executive (1999), An Open Scotland: Freedom of Information, a Consultation.

2 This broadly means Freedom of Information and Environmental Information Regulations, but also covers responsibilities like INSPIRE and other focuses around the publishing and availability of public sector data.

3 The Data Protection Registrar already existed as a result of the Data Protection Act 1984. The Data Protection Act 1998, transformed the Data Protection Registrar into the Data Protection Commissioner.

4 The equivalent terminology for England is independent special schools and non-maintained special schools (NMSS).

5

6 Open Democracy - Art of Darkness report (p. 8)

7 Open Democracy - Art of Darkness report (p. 26)

8 Even in cases where the authority is not acting maliciously, it is appropriate for there to be an administrative penalty for a complete lack of response. Reviewing decision notices issued by the OSIC, a lack of response is in some cases caused by the requester (for instance, using the wrong email address), but it is more common for the message to be received but misprocessed. 502 out of 516 decision notices about timescales found in favour of the requester.

9 More information about the use of administrative silence can be found in Open Democracy's Art of Darkness report (p. 24)

10 OSIC, Guidance on the use of FOSIA section 30

11 With a similar restriction to Scotland in requiring an exemption for information given in confidence by a UK ministry/department.