Executive summary
The right to access official information is fundamental in a healthy and vibrant democracy. Freedom of Information (FOI) legislation is a vital tool in research, journalism, and in supporting citizens and groups to hold their public institutions to account. In the UK, the Freedom of Information Act has now been in operation for over 15 years. Its value can be seen in the high profile investigations and the public disclosure of wrongs that have arisen from the legislation. Alongside that, the value can be seen in the quieter acts of ordinary citizens being successful in accessing information from the public authorities that hold power over their lives.
Campaigns against adding new restrictions to Freedom of Information are generally successful and reflect the fact that FOI has become part of the constitutional settlement — but at the same time positive changes are resisted. The Act is static while the ways in which public services are delivered are changing. The regulator's FOI work is underfunded and as such there is more focus on the data protection duties within the regulator's portfolio. The picture of change that comes out of central government statistics is not encouraging, and there is not the data available to understand if this is a broader trend. Freedom of Information is unlikely to be abolished, but there is a danger of it sliding into obsolescence. Over time new classes of public body may never be covered by the Act, more public services are likely to be delivered by private sector organisations, and the legal rights that exist are less able to be enforced by an under-resourced regulator.
This paper takes advantage of the existing (and potential for future) devolution of Freedom of Information legislation to suggest changes in legislation and regulation that learn from good examples in different systems. We contrast existing and potential differences in approaches to FOI at the UK and devolved level; explore their weaknesses; and offer potential solutions to insufficient data and practical problems that have emerged with the legislation. This leads to a series of recommendations, both large and small, that are informed by the evidence and driven by the clear need for reform.
Recommendations for reform of the regulation, monitoring and administration of FOI in the UK:
- The ICO's data protection and access to information functions should be split into two offices, with oversight by Parliament, rather than within a ministerial portfolio.
- Statistics for large public bodies on volume and processing of Freedom of Information requests should be collected and released by the regulator.
- The UK Government should mirror the approach taken by Scottish Government in extending FOI obligations to a set of private providers of public services.
- The OSIC (Office of the Scottish Information Commissioner) should adopt the approach to fees for environmental information taken by the ICO.
- The Welsh Parliament should consider options for a limited divergence compared to that in Scotland, by expanding coverage of FOI to private providers of Welsh public services.
Recommendations for amendments to the Freedom of Information Act 2000, to clarify and strengthen the operation of the Act:
- Improve the clarity of the legislation through the addition of an explicit time limit for internal review; introduce a time limit for the future publication exemption; and specify that requests not answered by the statutory deadline should be considered refused.
- Amend prejudice tests to use stronger "substantial prejudice" language and strengthen protection for confidential communications.
- Require a report on use (or non-usage) by the government of Section 5 powers to add FOI obligations to private providers of public services.
- Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.
About mySociety
mySociety is a not-for-profit group, based in the UK but working with partners internationally. We build and share digital technologies that help people be active citizens, across the four practice areas of Democracy, Transparency, Community and Climate. As one of the first civic technology organisations to be established, we are committed to building the Civic Technology community and undertaking rigorous research that tests our actions, assumptions and impacts. Our global research work into digital democracy, civic technology and user-centred design has positioned mySociety as a leading authority in digital civic engagement and participation.
As part of the Transparency practice area, mySociety runs WhatDoTheyKnow.com. This is a service that helps users make requests for information to public authorities and makes responses public. The goal is to make public information more accessible and increase the impact of the material released. The underlying software, Alaveteli, powers Freedom of Information services around the world. mySociety also runs a professional version of the service that lets requesters embargo requests to form part of more sensitive research or stories. Since it was launched in 2008, WhatDoTheyKnow has been used to send over 700,000 FOI requests to 38,000 authorities in the UK, resulting in the release of information that has been vital for civil society campaigns, academic research and journalist investigations, and has helped thousands of citizens access information from public authorities.
Introduction
The Freedom of Information Act has become a vital part of the UK's information system. It is a key tool for journalists to follow paper trails and get to the truth of misadministration and corruption scandals. Academics and researchers use FOI as a tool to understand how public services run by a variety of different bodies actually function and to highlight problems. Elected MPs and councillors use Freedom of Information requests themselves, where guaranteed timescales and the ability to appeal to the regulator make it a useful alternative to other formal or informal ways of requesting information.
The Freedom of Information Act is also a powerful tool for citizens. The public can use these rights to learn information of significance to groups and campaigns they are a part of, or to understand more about how the information public bodies hold affects their own lives. Even when the person may not be aware they are making a Freedom of Information request, the rights the Act creates makes it more likely that people will obtain the information they are interested in. The inconvenience of common requests to authorities is a spur to develop better proactive publication, which makes information accessible without anyone needing to ask. Just as the sign of a successful regulator is few people needing to use them, FOI is most successful when information is made more accessible without anyone needing to say "I am making a Freedom of Information request". It is in this spirit that WhatDoTheyKnow makes information received through FOI requests public and accessible through search engines. Where it has been decided the public have a right to access a piece of information, there is enormous benefit in making sure that as many people are able to do so as easily as possible.
The significance of Freedom of Information is shown by the fact that in times where it is threatened, coalitions of newspapers and civic society come together to argue for its importance. But while this effort has prevented retrograde steps such as introducing charging, recommendations to improve the Act made by the government's Independent Commission on Freedom of Information or the Information Commissioner's Office (ICO) are not implemented either. The legislation has remained static, and government powers to make private bodies which deliver public services subject to the Act are underused. This paper is concerned with demonstrating means of improving the functioning of Freedom of Information that rely only on examples that are already working well elsewhere in the UK.
FOI is a devolved matter, meaning that devolved parliaments and assemblies can legislate to vary the law on Freedom of Information. To date, only the Scottish Parliament has done this, and so public authorities in Scotland follow a distinct law for Freedom of Information and are subject to a separate regulator. This power to vary creates opportunities for innovation and for improving the quality of the legislative and regulatory approach to FOI. Devolution allows devolved administrations to make different political decisions about how to expand coverage to private bodies. Increasing the number of actors who can make political decisions around FOI increases the diversity of ways these legal powers can be exercised.
Devolution has led to a diversity of approaches where different parts of the Union can learn from useful decisions made in others. While the Scottish legislation has a number of superior aspects to the UK-wide legislation, there are areas of the Scottish approach that could be improved based on the UK experience, and the Scottish model is not necessarily an ideal model for replication (we recommend Wales explores a third path). This has led to four sets of recommendations, based on transferring practice from one UK-based system to another:
Improving statistical knowledge of how FOI works in the UK - The Office of the Scottish Information Commissioner has built a comprehensive and invaluable picture of the functioning of FOI in Scotland by collecting statistics on how requests were received and processed by authorities. In the UK, this coverage is limited to central government and a rarely followed requirement that larger authorities publish their own statistics. The majority of FOI requests made to public authorities in the UK are not covered by public statistics, making the regulator (and the interested public) blind to trends over time, and less able to understand whether FOI is functioning well or not. We recommend the Information Commissioner's Office (ICO) act as the host of a central repository.
Separating the Information and Data Protection components of the Information Commissioner - The UK's Information Commissioner has two major roles: data protection and access to information. The first of these roles has always been larger, but its scope and importance has only increased over time. Separating the access to information function and transferring oversight and funding from a government department to Parliament would help solidify the role's independence and set it up to deal with both current and future challenges.
Improving the operation of FOI and EIR across the UK - Taking examples of different approaches in the UK and Scotland, we recommend both regimes should adopt best practice from the other. This includes differences in philosophy around the strength of exemptions and extension to private operators, but also different practical approaches such as clearer rules on time scales, administrative silence, and harmonising rules on fees for FOI and EIR.
Exploring new paths for Welsh Freedom of Information - Currently the Welsh Parliament/Senedd has the ability to diverge in a similar respect to Scotland and set up a different system that applies to Welsh public authorities. We explore the implications of this and recommend a mini-divergence, where the Senedd legislates to give the Welsh Government the ability to add private organisations executing a Welsh public function to coverage of the Act.
These recommendations are not the limit of potential improvements to Freedom of Information, but reflect examples that fix clear problems, and are already functional approaches. Our goal is not just to show how Freedom of Information can fix problems already present, but how changes would make the overall system of regulation more responsive to new problems of the future.
What information rights exist in different parts of the UK?
Access to information laws create a right for citizens to access certain kinds of information held by public authorities. These generally fit under the umbrella of Right to Information (RTI) or Freedom of Information (FOI) laws, but can also include the right to see personal data about yourself (GDPR requests). This second set of rights is enshrined in separate legislation (the Data Protection Act in the UK). There are more permissive sets of right to access for environmental information (EIR).
Regarding information rights in the UK, asymmetric devolution has led to a separate system in Scotland but not England, Wales or Northern Ireland. These differ in the particulars of rights granted to citizens, but also in the system of regulation that oversees the wider process. Differences in the ability to practically exercise access to public information can result from a different legal basis, but also differences in approach and resourcing between regulators. In the UK, the Information Commissioner's Office (ICO) regulates access to public information, while in Scotland the Office of the Scottish Information Commissioner (OSIC) fulfills this role.
Access to public information in the UK is governed by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004. Devolved legislatures in Scotland, Wales and Northern Ireland in principle have the power to set separate rules around access to public information for public authorities in their areas. However, to date, this has only happened in Scotland. The Scottish Parliament, Scottish government, and Scottish public authorities are covered by the Freedom of Information (Scotland) Act 2002 (FOISA) and The Environmental Information (Scotland) Regulations 2004 (EISR).
The intention to create a separate access to public information system in Scotland led to a 1999 change to the Scotland Act 1998 to explicitly reserve access to public information rights to the UK Parliament, with the exception of Scottish public authorities with devolved responsibilities. Similar language is used in the Wales Act 2017. This means in principle Senedd Cyrmu (the Welsh Parliament) has similar competency to create a different set of FOI rights for Welsh public authorities, but has not done so. The Northern Ireland Act 1998 has not had this delimitation of responsibility added, and so it is likely that if the Northern Irish Assembly attempted to diverge, it would prompt an amendment for a similar clarification of the division of responsibilities. There is a separate code of practice that governs FOI to North-South implementation bodies that are not covered by either UK or Irish FOI law, so there are some FOI questions unique to Northern Ireland that the Northern Ireland Executive share responsibility for with the Government of Ireland.
The Scottish access to information regimes differ in several respects from the UK-wide system. Generally, FOISA is slightly more permissive in the information that should be granted to the requester. Many of the distinctions were already in the 1999 consultation document when it was published for public comment1. This suggests the differences are less a result of feedback from civil society, but from being able to build on the previous UK legislation, as well the dynamics of the legislation being driven by a Labour/Liberal Democrat coalition in Holyrood as opposed to a majority Labour government in Westminster. Beyond the legal difference, different approaches taken by the respective regulators lead to differences in how similar legislation is interpreted.
Notes (
):1: Scottish Executive (1999), An Open Scotland: Freedom of Information, a Consultation.
The right of access to environmental information (EIR) in the UK is the result of the implementation of an international convention (Aarhus Convention 1998) to provide greater access to environmental information, public participation in environmental decision making and a legal framework that allows challenge to decisions that run against the above. There are separate regulations creating the right for EIRs in Scotland (Environmental Information (Scotland) Regulations 2004) and the UK (Environmental Information Regulations 2004). Unlike FOI there are few substantial differences in the legal basis of EIR requests in Scotland. In both cases, it is a local implementation of directive 2003/4/EC of the European Parliament and of the Council and exceptions and time scales are the same in both jurisdictions. There are minor differences in how bodies can become subject to EIR, and the approach of the regulators. In general, Environmental Information Requests apply to a wider range of authorities than FOI, cover a smaller subject area, and there is a greater presumption of release of the information.
Scotland | Rest of UK | |
---|---|---|
Regulator | Office of the Scottish Information Commission (OSIC) | Information Commissioner’s Office (ICO) |
Freedom of Information Act | Freedom of Information Act 2000, or FOIA | |
Environmental Information Regulations | Environmental Information (Scotland) Regulations 2004, or EISR |
There are two regulators with oversight of the Freedom of Information system. The Information Commissioner's Office (ICO) is responsible for data protection across the whole of the UK, but only responsible for Freedom of Information (FOI) and Environmental Information Regulations (EIR) in England, Wales and Northern Ireland. The Office of the Scottish Information Commission (OSIC) is responsible for the Freedom of Information (Scotland) Act (FOISA) and the Environmental Information Regulations (EISR) in Scotland only. OISC decisions can be appealed to the Court of Session, while ICO decisions can be appealed to an Information Tribunal, the decisions of which can again be appealed to an Upper Tribunal. In principle, further appeals are possible to higher courts in both cases.
Collecting FOI performance data across the UK
The difference: There is centralised data on the volume and operation of FOI and EIR requests for most Scottish authorities, but this only exists for central government in the UK. Large authorities in the UK are recommended to self-publish their statistics.
The advantage: There is a far clearer picture of how FOI and EIR are used for Scottish authorities, giving a clearer sense of their impact and changes in use over time.
The fix: The regulator should promote itself as a central repository for collecting statistics on FOI performance from UK public authorities.
A key difference between the regulators in the UK and Scotland is that OSIC has better data on the operation of FOI throughout all authorities FOISA applies to. There is a quarterly process where authorities deposit statistics about the GDPR/SAR, FOI and EIR requests they have received, how they have been processed, and how exemptions and exceptions were applied. To support this report, and investigations of FOISA more widely, this data has been downloaded and reformatted into a mySociety minisite. For the rest of the UK, there is far less data on the operation of the Freedom of Information Act. The Cabinet Office publishes a similar quarterly series covering FOI statistics of requests made to a selection of central government ministries, departments and agencies (merging FOI and EIR data). These statistics are also included in the minisite. In principle, FOI covers far more public authorities than FOISA, but in terms of available information, the OSIC collects more information from more agencies. The Cabinet Office collects 76 statistics from 40 agencies, while the OSIC collects 110 from 508. This means that the available picture of information on FOI is far more complete in Scotland.
Chart showing the different volumes of requests received for FOISA, Subject Access Requests, and EIR in Scotland using OSIC FOI statistics. This shows that EIR requests have increased slowly from 2013 to 2019, from around 5,000 a year to 10,0000. Subject access requests have generally stayed between 10,000 and 20,000 but rose above this to 24,000 in 2019. FOI has increased from around 40,000 in 2013 to 70,000 in 2019.
In Scotland, the data is rich enough to allow understanding of the difference in scale between different kinds of information requests (Diagram 1). The volume of public information requests (FOI + EIR) has roughly doubled from 2013 to 2019 (1.9x for FOI and 2.0x for EIR), while Subject Access Requests have doubled (2.2x). Subject Access Requests make up 21% of information requests made to public authorities in Scotland from 2013 to 2019. Of the remaining public information requests in Scotland, 11% of these were EIR requests and 89% were FOI requests. The data can also show where different kinds of requests are made. Subject Access Requests are most commonly made to NHS bodies (where they make up 56% of all requests for information). They also make up 50% of requests made to police bodies. Most EIR requests in Scotland are made to local governments (where they make up 13% of the overall requests for public information). Some bodies focused on environmental matters receive more EIR than FOI requests (Scottish Environmental Protection Agency, Scottish Water, Scottish National Heritage, etc), but there are three councils (Edinburgh, Fife, and Aberdeen) who have received more EIRs than the Scottish Environment Protection Agency. There is no picture of this distinction in UK central government as it is not recorded by the Cabinet Office statistics, but the broader problem is that the Scottish statistics clearly show that FOI behaviour in central government is not typical of the overall system and conclusions drawn from this data do not generalise.
Chart showing local govrenment accounts for the majority of public information requests in Scotland. Numbers mirror table below.
Sector | Count | % |
---|---|---|
Local government | 308,664 | 63% |
National Health Service | 65,530 | 13% |
Educational institutions | 36,144 | 7% |
Others eg NDPBs | 33,431 | 7% |
Ministers/Parliament | 22,973 | 5% |
Police | 19,562 | 4% |
Non ministerial officeholders | 5,085 | 1% |
s.5 designated body | 2,294 | 0% |
Scottish data provides an overview of where FOI requests are sent. The majority of public information requests made in Scotland are made to local government (63%). Central government ministries/Parliament make up a comparatively small 5%. Glasgow City Council has individually received a greater proportion of all time FOI requests than Scottish ministers. In the UK, the Cabinet Office data only covers central government and there is no official information outside of central government. There have been several surveys of local government, such as the Constitution Unit's analysis in 2010 and mySociety's report in 2018. These snapshots show that the number of requests made to local government is far larger than those made to central government. In 2017, there were roughly 11x as many FOI requests made to local government as central government (the figure for Scotland in 2017 was 13x). There is not reliable information about the volume of requests for other kinds of authorities (for example, universities or health boards). The majority of FOI requests made to public authorities in the UK are not covered by public statistics, making the regulator (and the interested public) blind to trends over time, and less able to craft appropriate strategies.
There is some ability to use third-party sources to plug the gaps, but these are not reliable. For instance, WhatDoTheyKnow provides some information about the distribution of requests, but the Scottish benchmark suggests it is not a representative sample of the overall volume of FOI. In Scotland, requests made through WhatDoTheyKnow account for 5% of requests over all years covered, and 6% in 2019. There is variation between different sectors and authorities, requests to Education bodies account for 14% of requests through WhatDoTheyKnow, but are only 7% of the overall proportion of public information requests. If the same kinds of variations apply to the UK as a whole, extrapolating requests from WhatDoTheyKnow proportions is likely to be an inaccurate guide to overall proportions and trends. Understanding the flow of FOI requests requires official statistics.
Sector | WhatDoTheyKnow % | Overall % |
---|---|---|
Local Government | 65% | 63% |
National Health Service | 10% | 13% |
Educational Institutions | 14% | 7% |
Others e.g. NDPBs | 5% | 7% |
Ministers/Parliament | 3% | 5% |
Non Ministerial Officeholders | 1% | 4% |
Police | 1% | 1% |
s.5 designated bodies | 1% | 0% |
The value of having data for authorities beyond central government has been recognised, but the steps taken to date are insufficient. The 2018 FOI Code of Practice says that it is best practice for public authorities with over 100 Full Time Equivalent (FTE) employees to collect and publish a set of statistics about their FOI volume. However publication along these lines is rare, and even if it were to become more frequent, it would likely be published as hundreds of separate PDFs on different websites. The code of practice change was in reaction to a recommendation of the Independent Commission on Freedom of Information, but this recommendation also stated that "[t]he publication of these statistics should be co-ordinated by a central body, such as a department or the [Information Commission]". Without this coordination element, much of the work done by public authorities is wasted.
This is an example of public data fragmentation, where there is a mandate for public authorities to spend time and money producing data, but most of the value of this work is lost because the data cannot easily be aggregated. A relatively small amount of work by a central authority (in this case, the ICO) is needed to unlock the majority of the value in the data by allowing understanding of aggregate patterns and allowing comparisons between authorities.
We recommend that the UK regulator pursue a similar approach to OSIC of annual or quarterly data collection and release. This reduces the requirement on authorities to publish their own statistics, while increasing the value of the information in the aggregate. As the OSIC approach shows, this does not need to be technically complicated or require complex visualisations, and a relatively off-the-shelf approach would help collect the information. The problem is primarily administrative rather than technical.
While tens of thousands of public authorities are subject to FOI, the Code of Practice recommends only those with the equivalent of 100 full time employees should release statistics. There is no authoritative listing of these, but using data from WhatDoTheKnow, 90% of requests through the service (excluding those covered by OSIC) are sent to 1,200 authorities. This suggests that restricting collection to relatively large organisations would cover the majority of requests made, and the scope of this could vary to the resources available.
Using the Code of Practice as a basis would result in a far simpler survey compared to those currently used by the Cabinet Office and OSIC. We would recommend collecting more information about specific exemption usage, the number of requests that took longer than the statutory deadline, and the results of any internal review. These provide key performance indicators for comparison between organisations and sectors. The scale of information collected can again match the scale of resources available and any improvement on the status quo would be enormously beneficial.
Improving the operation of FOI and EIR across the UK
One of the virtues of devolution is that different jurisdictions can explore different paths and try new ideas. Without a requirement of a uniform system, if an idea works in one place it is worth asking if it is also a good idea elsewhere. This section explores differences in practice between Scotland and the UK in terms of the shape of the underlying legislation, as well as government and regulator actions.
Generally speaking, the UK legislation would be improved by reflecting on how the Scottish legislation has practically built on it. This includes philosophical differences about the balance between disclosure and withholding information, but also practical differences that improve how the same ideas function. Beyond legislation, the Scottish government has been far more active than the UK government in using their power under section 5 to designate private operators of public services as subject to the Act. While some aspects of this power present difficult questions about scope, existing examples from Scotland provide a template of how this power can be used in practice.
While generally drawing from Scottish examples, the flow is not all one way. The UK's ICO decision to harmonise how they treat fees between EIR and FOI would be worth investigation by their Scottish counterparts. We recommend that the UK Government should mirror the approach taken by Scottish Government in extending FOI coverage to a set of private providers of public services and suggest amendments to the Freedom of Information Act to clarify and strengthen the operation of the Act:
- Improve the clarity of legislation by adding an explicit time limit to internal review, adding a timeout for the use of the future publication exemption, and specify that requests not answered by the statutory deadline should be considered refused.
- Amend prejudice tests to use stronger "substantial prejudice" language and strengthen protection for confidential communications.
- Require a report on use (or non usage) of s.5 powers to add private providers of public services.
- Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.
Improve clarity and action around time limits
The difference: The Scottish Freedom of Information Act is clearer on expected time scales for internal review and the future release exemption. It also has a clear mechanism for dealing with ‘administrative silence'.
The advantage: Clearer expectations speed up responses and simplify the escalation process.
The fix: We recommend:
- An explicit time limit for when requesters can apply for internal review, and how long review should take.
- The exemption concerning information withheld pending future publication should have an explicit timeout (this is 12 weeks in Scotland).
- Requests not answered by the statutory deadline should be considered refused to enable a normal appeal process.
Freedom of Information law in Scotland and the UK allows requesters who have had information withheld to request an internal review, where the authority is asked to review their original refusal. This is a process that frequently changes the original decision. Based on data in Scotland, 16% of internal reviews result in a substituted decision (not including where the decision was only upheld in part)5, and based on the UK central government roughly 25% of internal reviews lead to more information being released.
Notes (
):5:
The dynamics of internal review are more explicit in the Freedom of Information (Scotland) Act (s. 20 and s.21), giving time limits both for when the request should be received (40 days after expiry of time limit for the original request) and for how long it should take to complete (20 days). While there is a similar recommended deadline in the UK FOI Code of Practice, it has no real force and for the UK central government only 57% of internal reviews are completed by this point.6 In FOISA there is also more clarity around the exemption that allows information to be withheld if it is intended for future release. This requirement is vague in the UK FOI Act but in FOISA includes a requirement that this release must be in the next 12 weeks. Creating a more uniform set of time expectations on both sides is a useful innovation from Scotland that can be imported into the UK FOI system.
Notes (
):6: Open Democracy - Art of Darkness report (p. 8)
Creating more clarity around the timings and progression of the complaint process would also frustrate authorities attempting to drag out releasing information. Stonewalling or ‘administrative silence' is where a refusal is not issued at all, leaving the requester in limbo in relation to the standard review process. In the UK system, if an authority does not reply within the statutory time limit the requester can appeal to the ICO (the guidance suggests that the requester contact the public body to check they have received the request first). The ICO can then require the authority to issue a substantive response. The ICO has issued 818 decision notices to compel a response in the last five years, and this is likely to have undercounted the problem as the ICO's standard practice is to attempt to resolve the issue informally.7
Notes (
):7: Open Democracy - Art of Darkness report (p. 26)
The issue with this process is that it is resetting the clock to the start. As the standard time the ICO gives to issue a response is 35 calendar days, this is often more time than the original 20 working days clock. If the authority then applies an invalid refusal, it must then go through internal review (of indeterminate length) before being sent back to the ICO for another decision about the release of the information. For the authority actively stonewalling a response, this process can be made to drag out for a considerable time.
Creating more explicit administrative penalties for a lack of response can help to bring this time down. For instance, the FOI law in Ireland (the Freedom of Information Act 2014), includes a provision that requests not replied to in the normal timeframe are deemed to have been refused, allowing normal processes to continue. This is not as legislatively explicit in Scotland, but is the effective practice, The longer description of the review process in the Scottish legislation makes it clear that a complaint can be raised if dissatisfied with how an authority has dealt with a request for information in general, including a lack of reply. OSIC interpret this similarly to the Irish "deemed refusal" and say that receiving no reply at all should be treated as a refusal. The advantage of this approach is by not responding on time, authorities forfeit the right to mark their own homework. As authorities are now reviewing their "refusal" rather than starting from scratch, if the internal review then argues to withhold information on the basis of an actual exemption, it can be immediately appealed to the OSIC. In the event there is also no response to the request for review as well and the requester appeals to OSIC, the regulator will require the authority to complete a review, rather than returning to the start.8 This does not prevent authorities delaying responses, but significantly reduces the amount of time by which they can do so.
Notes (
):8: Even in cases where the authority is not acting maliciously, it is appropriate for there to be an administrative penalty for a complete lack of response. Reviewing decision notices issued by the OSIC, a lack of response is in some cases caused by the requester (for instance, using the wrong email address), but it is more common for the message to be received but misprocessed. 502 out of 516 decision notices about timescales found in favour of the requester.
While reasonable authorities will be working to the Code of Practice, the risk of authorities gaming the system means that aspects of the process need to be made more explicit9. As such we recommend that:
Notes (
):9: More information about the use of administrative silence can be found in Open Democracy's Art of Darkness report (p. 24)
- Guidance on length of time for an internal review in the Code of Practice (20 days) should be given legislative backing.
- The exemption for information withheld pending future publication should have an explicit time out (this is 12 weeks in Scotland).
- The complaints process should be better described in legislation, and include that requests not answered by the statutory deadline should be considered refused to engage the normal appeal process. (Notes)
Strengthen grounds to appeal use of exemptions
The difference: Exemptions under FOISA are subject to a stricter prejudice standard than UK's FOI law.
The advantage: Strengthens the power of the regulator to review use of prejudice exemptions where the threat is theoretical.
The fix: Amend prejudice tests in FOI law to stronger "substantial prejudice" language and strengthen protection for confidential communications.
Under both sets of Freedom of Information laws, all information held by a public authority is available for access by the public. Specific kinds of information are then excluded from this. These withheld categories of information are called exemptions. The changes in these exemptions over time changes the effectiveness of the law. Across central government, the overall number of requests granted in full dropped from 57% to 43% from 2010 to 2019. As analysis from the Institute for Government shows, this is a change across government, but concentrated in a few departments:
Some departments are more prone to withholding information. Typically, the Cabinet Office, Foreign and Commonwealth Office (FCO) [...], MoJ and HM Revenue and Customs (HMRC) are among the departments that grant the fewest Freedom of Information requests in full. Some departments, such as the Department for Environment, Food and Rural Affairs (Defra), Department of Health and Social Care (DHSC), Department for Digital, Culture, Media and Sport (DCMS) and the Ministry of Housing, Communities and Local Government (MHCLG) have progressively granted lower and lower amounts of Freedom of Information requests in full over the last 15 years.
One way to react to changing use of exemptions is to shift the balance more in favour of the requester by changing the strength of tests required to withhold information.
Exemptions can be divided into ‘class-based' and ‘prejudice-based' criteria. Class-based apply to specific kinds of information, whereas prejudice based exemptions relate to possible harms as a result of disclosure. For example, information related to ongoing criminal investigations and proceedings is a class-based exemption, whereas the exemption that disclosure would be likely to harm the "prevention or detection of crime" is a prejudice based test. While the different exemptions are similar between FOI and FOISA, there are differences in the detail that shift the default in favour or against disclosure in some cases. These distinctions are explored in more detail in an OSIC comparative document. In general, there is a higher bar to activate prejudice exemptions under FOISA, where this requires a risk of "substantial prejudice" rather than just "prejudice". While there is no definition of "substantial prejudice" in the Act, the OSIC describe the difference as "the disclosing the information must be of real and demonstrable significance, rather than simply marginal"10. This is a distinction that makes it easier for an appeal to say a prejudice exemption was incorrectly applied.
Notes (
):10: OSIC, Guidance on the use of FOSIA section 30
This is a graph from the Institute for Government showing the percentage of FOi requests granted in full. It shows that over time, less and less FOi request have been granted by a wider range of central government bodies.
While different exemptions are only part of the story, under the Scottish systems appeals to the regulator are more likely to succeed and the OSIC is more likely to rule in favour of information disclosure than the ICO. Building on previous analysis by OpenDemocracy, in the 2015-2019 time range, 53% of ICO decision notices fully upheld the original decision of the authority, whereas for the equivalent time range only 34% of OSIC decision notices fully upheld the original decision. Reducing the scope of the prejudice exemption would allow more prospect for appeals where the risk described was only theoretical.
Language in the Scottish version of the Act is not always to the requester's advantage, and there is also a broader definition of an exemption for confidential communications. This exemption applies just to lawyer/client communications for UK-based requests as opposed to broader legally protected communications such as doctor/patient and journalist/source in Scotland. Strengthening the right to confidential communications would provide a good balance to loosening exemptions in other areas. (Notes)
Require a report on use/non -use of s.5 powers
The difference: The Scottish Freedom of Information Act requires the government to produce a report on use (or non-use) of s.5 powers.
The advantage: A regular opportunity to reflect on how service delivery is changing and consider changes that might be useful.
The fix: The UK Parliament should similarly legislate for a regular report on use of expansion powers.
In 2013, the Freedom of Information (Scotland) Act was amended to require the Scottish government to report every two years on whether it had used the power under section 5 to expand coverage of FOI to bodies outside the public sector (section 7A), and to give explanations for use (or non-use) of s.5 powers.
In their 2019 report, the ICO recommended this as a measure the UK Parliament should adopt:
We know from engagement with the Scottish Information Commissioner's Office that this mechanism has proved useful and effective in aiding the progressive expansion of FOISA. It is a relatively simple change that the Government could make now. Such a mechanism subjects the state of public service delivery and relevant proactive transparency initiatives to regular scrutiny and analysis, ensuring that it stays on the agenda and that progress is accountable to the public. It also provides a helpful and clear means of engaging with proposals for designation and new policy ideas relevant to this area.
If the legislative intention is that, at a minimum, the use of these powers should be periodically considered even if decided against, a reporting mechanism encourages discussion, while not changing where decision making sits. (Notes)
Bodies added to FOI coverage under Section 5 should also be subject to EIR
The difference: The definition of public authorities for EIR in Scotland is inclusive of all additions to FOI coverage, the UK definition explicitly excludes those added under Section 5.
The advantage: The present situation may result in confusion about the status of an authority.
The fix: Change the definition of public authorities in the Environmental Information Regulations to be inclusive, not exclusive, of designations under Section 5.
One issue raised by the ICO in their 2019 report was the fuzzy boundaries of which organisations are covered by FOI and the Environmental Information Regulations (EIR). The government can (but generally does not) designate bodies fulfilling functions of a public nature as being public authorities for the purpose of FOI (through Section 5 orders) but these bodies might then be unclear about whether the Environmental Information Regulations applied to them or not.
The problem is that the definition of public authority in the Environmental Information Regulations Scotland includes bodies subject to FOI, with the explicit exclusion of "any person designated by Order under Section 5". A Section 5 order adds a body to FOI coverage, but not EIR coverage. That said, the situation is not necessarily that a body designed via s. 5 is not subject to EIR. The definition of public authority for the purposes of EIR is wider and a body added to FOI under s.5 might separately be a body "that carries out functions of public administration" and so is subject to EIR anyway. The problem is that one of these decisions is made by the government, and the other by the courts, and they might disagree. For an example of this, currently under UK law the Upper Tribunal ruled that housing associations are not covered for the purposes of EIR, as oversight by an official regulator did not mean associations have public functions. If housing associations were to be designated under s.5 for the purposes of FOI, it is unclear that this legal picture would change. A court and government could reach different decisions about whether or not a body had public functions.
In contrast, in Scotland the definition of public authority in the Environmental Information (Scotland) Regulations 2004 is inclusive of bodies designated by Section 5. If the government decides a body fulfills a public function and should be subject to FOI, it is also subject to EIR. While it remains a decision for the government what bodies are or are not designated under Section 5, it is in the interest of bodies who are given new responsibilities that their obligations are clear. There seems to be no benefit to an organisation that the government has decided fulfills a public function in being unclear about if it is subject to EIR or not.
Drop fees for EIR requests below the equivalent "reasonable limit" for FOI.
The difference: The ICO considers that the concept of FOI "appropriate limit" should apply to EIR requests. The OSIC allows charges below these limits.
The advantage: Resolves the situation where asking for environmental information may have higher barriers than other kinds of information.
The fix: OSIC should similarly amend guidance to the ICO to discourage charging below the FOI "appropriate limit" for EIR requests.
Both Environmental Information Requests (EIR) and FOI regimes allow for charging requesters for the provision of information but FOI has a minimum ‘appropriate limit' before charging is engaged, and so most requests are not charged. For UK central government authorities and all authorities in Scotland the limit is £600. For all other authorities in the UK, the limit is £450. EIR has no minimum limit, and so all requesters are allowed to be charged the (small) costs of providing the information if the authority has made their charging regime public.
In a 2019 decision, the ICO found that the idea of a ‘reasonable' charge under EIR should effectively track the idea of an ‘appropriate limit' in the Freedom of Information Act, so an EIR request that would otherwise require a charge of less than £600 (for a central government body) would not have a charge. The official guidance has not yet been updated to track this decision (through correspondence, this is still planned but has been delayed by Coronavirus response) but the existing 2016 guidance does already argue that public authorities should ‘avoid routinely charging for all EIR requests', while the equivalent OSIC guidance does not. The practical result of this is that the ICO may uphold a complaint that Croydon Council should not charge a £50 fee for access to environmental information at all, whereas OSIC would agree that Glasgow City Council could charge £50 if this price was listed publicly.
It is a discrepancy that while the goal of the EIRs is to make environmental information more widely accessible, the broader FOI law has a lower cost barrier to making a request. We would recommend that OSIC take a similar approach to the ICO and change guidance so that ‘reasonable' charges for information should track the equivalent appropriate limit in FOISA. Alternatively, the Scottish Parliament could amend the regulations to make this explicitly the case.
Exploring new paths for Welsh Freedom of Information
Senedd Cymru has the competence to diverge from UK Freedom of Information law to a similar degree as the Scottish Parliament. This would allow it to create new rules and institutions to manage access to public information for Welsh public authorities. This could include changing the scope of information covered by adding or removing exemptions11, adjusting legislative deadlines, fees limits, or creating a Welsh Information Commissioner's Office to regulate and manage the new regime.
Notes (
):11: With a similar restriction to Scotland in requiring an exemption for information given in confidence by a UK ministry/department.
The main issue with this approach is the overhead costs and complications of a new regulator, which would require a strong case for divergence. While this regulator could be proportionally better funded than the ICO, Wales is also a smaller country than Scotland, and an equally effective independent regulator is likely to be proportionally more expensive than the OSIC. More abstractly, harmonisation with Scottish FOI law might allow a "shared services" model with the Scottish regulator and overcome some issues of scale, but appeal structures in different legal systems may make this a complicated undertaking (and put limits of both parliaments on further divergence).
Not all legislative divergences necessarily require regulatory divergence. The ICO already interprets requests through two different legislative frameworks (FOI and EIR) depending on content, and minor variations applying to Welsh public authorities should not pose an insurmountable practical difficulty. While the exact breaking point would be a point of negotiation (significant changes to how exemptions should be interpreted is a likely example), smaller divergences should be possible where the Welsh system could exercise some autonomy while maintaining the ICO as the regulator. As such, we recommend a model for devolution of Welsh FOI that retains the existing legal structure, but gives power to the Welsh Government to expand coverage of the act to new organisations or offices. (Notes)
Legislate to give the Welsh ministers the ability to designate bodies under s.4 and s.5 of the Freedom of Information Act.
The problem: Welsh ministers may have different opinions from UK ministers on designation of Welsh bodies or private organisations as public authorities for the purpose of FOI, but have no relevant powers or responsibilities.
The fix: The Senedd should legislate to amend the Freedom of Information Act and give powers to the Welsh Government to add new bodies to coverage of the Act.
As long as the general framework of access and exemptions remains the same, divergences should be possible within the scope of the UK regulator. This could mean allowing the Welsh Government to include new kinds of bodies under FOI law (for instance, mirroring the Scottish expansion to social landlords and private prisons). Rather than creating a new Freedom of Information Act to cover Wales, this would use the existing framework of the Freedom of Information Act 2000, creating new powers for the Welsh Government as applicable to Welsh public authorities as defined by the Act.
Currently there is no special role other than consultation for the Welsh Ministers when the UK Minister is considering designating a Welsh organisation or role as a public authority for the purposes of FOI. This can be changed, as the Senedd has authority to legislate in this area. For instance, the Senedd can legislate to directly add new Welsh public authorities to the Freedom of Information Act 2000 Schedule 1 (where covered organisations are listed), and did so to change the name of a public authority in the Senedd and Elections (Wales) Act 2020. It could straightforwardly legislate to create the equivalent of a s.4 power for Welsh Ministers rather than the UK Secretary of State to add bodies or offices that were created by Welsh legislation or the Welsh Government to FOI coverage. This would mostly be an administrative change, but more substantively the Senedd could legislate for a power to allow private operators to be subject to Freedom of Information laws.
Section 5 of the Freedom of Information Act 2000 allows the UK Secretary of State to designate an entity to be a public authority for the purposes of FOI if they "exercise functions of a public nature" or have a contract to provide a service that is a function of a public authority. This allows private providers or services to be bought under the coverage of FOI law. As long as the entity in question was executing a function "exercisable only or mainly in or as regards Wales", the Senedd should have the competency to add it to the FOI Act's Schedule 1, or to empower the Welsh Government to do so.
This method of expanding coverage would not quite replicate the situation in Scotland, as the relevant UK Secretary of State would retain an effective veto power through an exclusion order (see box 1). But this would allow changes in the scope of FOI law to entities that deliver Welsh public services, without the overhead of a completely separate FOI framework or regulator.
There are several actions that the Welsh Government could take to investigate possible needs for divergence. Similar to the Cabinet Office statistics, the Welsh Government could gather information about how FOI is currently functioning inside Wales. While the Welsh Government currently has no direct powers to extend coverage to organisations fulfilling public services, it could develop an opinion on whether there are any specific organisations or classes of organisation it would want to include under FOI because they exercise function of a public nature, or are under a contract to provide the function of a public authority on behalf of that authority. If it concluded there were, the Welsh Government could ask the UK Cabinet Office Minister to designate on their behalf. This would be informative in several respects about the necessity of legislation. If there is no interest in using designation powers, there is not a pressing need for legislation. If there is an interest, but the UK Cabinet Minister is unresponsive, it improves the case for directly empowering the Welsh Ministers.
Similarly some of the tweaks advocated in this paper for the UK Parliament to adopt could also be adapted by the Senedd. If the Senedd was interested in proactive expansion it could require a report similar to the Scottish Parliament on the use (or non use) of s.5 powers by the Welsh Government. It could clarify time limits for public interest tests or internal reviews, or amend the Environmental Information Regulations to ensure that ‘Welsh public authorities' as designated under s.5 are covered by EIR, or lower fees for Environmental Information Requests. While there is a point where operating a different system under the same regulator becomes more difficult, it is already the case that the ICO handles two different regimes (FOI and EIR). Procedural changes of a limited scope could improve the accessibility of Freedom of Information in Wales without raising a substantial need for a separate regulator. (Notes)
Box 1. What are the differences between FOI devolution in Scotland and Wales?
Under the revised Government of Wales Act 2006 (added in Wales Act 2017), "Public access to information held by a public authority" is a reserved responsibility of the UK Parliament. There are exceptions to this for public access of information held by:
- the Senedd,
- The Senedd Commission,
- the Welsh Government, or
- any Welsh public authority,
unless supplied by a Minister of the Crown or government department and held in confidence.
The definition of "Welsh public authority" used is Section 83 of the Freedom of Information Act 2000. This broadly makes any public authority "whose functions are exercisable only or mainly in or as regards Wales" a Welsh public authority, unless it has been explicitly excluded by an order of the UK Secretary of State. This language of the exceptions mirrors the language added to the Scotland Act 1998, except the Scottish equivalent includes only Scottish public authorities with "mixed functions or no reserved functions", and Scottish public authorities are only those whose functions are "only in or as regards" Scotland (Scotland Act 1998, s. 126). This makes Welsh coverage potentially wider, as authorities dealing entirely with reserved matters while executing a function "only or mainly" in Wales are covered. On the other hand, there is no equivalent ability for the UK Minister to decide a Scottish public authority is in fact not one. In the event of divergence, the UK government has the power to ensure that any designation they disagree with should be treated under UK FOI law.
Improving clarity in Northern Ireland
This report does not make strong recommendations for Northern Ireland, except to note that similar options to Wales are theoretically available. Due to the order of the various devolution acts, the Northern Ireland Act 1998 does not have the same delimitation of responsibility for FOI. As such it is likely that if the Northern Ireland Assembly indicated an intent to diverge on access to information laws, it would prompt an amendment for a clarification of the restriction of competency to Northern Irish public authorities.
It is worth noting that there is a different FOI regime for North-South Implementation Bodies. These operate in both Northern Ireland and the Republic of Ireland but are not subject to either the UK's Freedom of Information Act 2000 or the Irish Freedom of Information Act 2014. Instead, an entirely separate FOI code of practice applies to these bodies. This is informed by both pieces of legislation, and so contains different features to UK FOI law. For instance, the concept of a deemed refusal from the Irish legislation is present. This Code of Practice applies to cross border implementary bodies, but not to the North South Ministerial Council itself.
The Code of Practice contains a right of internal review, and the Irish Office of the Ombudsman and the Northern Ireland Public Services Ombudsman both have jurisdiction for complaints of maladministration (there is a memorandum of understanding between the two organisations to coordinate). There are not many FOI requests made to these bodies, and correspondingly there are likely to be few complaints. Regardless, we would recommend that implementation bodies make clear there is a right of appeal to an ombudsman (several already do so). In turn, the two ombudsmen should be clear that while they refer other Freedom of Information issues to the respective commissioners, they do manage complaints about Freedom of Information for implementation bodies. If the code of practice is reviewed, this should similarly include a reference to the role of the two ombudsmen.
Conclusion
Our recommendations in this paper fulfill two major functions: fixing problems that are happening now, and bolstering the Freedom of Information system to better manage the challenges of the future. Currently the ICO's FOI functions are under-funded and not aligned with the general direction of the organisation. An Information Commissioner where the overwhelming majority of the organisations funding is for data protection work is unlikely to be able to champion quality in FOI administration and regulation on a full time basis. A stand-alone Access to Information Commissioner should be overseen by Parliament, rather than a government minister. FOI should be considered as a core constitutional right, and the strength of its regulation should not be subject to the mood of the government of the day.
The ICO has a separate problem in that it has very limited information about the system it is charged with regulating. Improved data collection about the volume and responses to information requests means that any regulator can be much more sensitive and reactive to problems in the overall system, better able to spot outliers or changes in exemption use, and better able to make the case for larger changes in approach. This kind of statistical knowledge is vital for a regulator to act proactively.
This paper capitalises on the idea that having multiple systems in the UK has allowed greater innovation on how Freedom of Information systems function and are regulated. We want to encourage devolved administrations and legislatures to further explore how adaptations of the FOI system may fit in with broader goals. While large legislative divergences may not always be desirable, increasing the number of actors who can make political judgements about expansion of coverage means political decisions can be made at a more local level. How successful these expansions are can help guide decisions or advocacy in other jurisdictions. Innovations and improvements in devolved nations may later influence wider UK adoption.
This report is not a comprehensive list of potential improvements to Freedom of Information in the UK. We have focused on areas where a big impact can result simply from transferring innovation between systems rather than from wholly new ideas. While some recommendations previously made by the Independent Commission of Freedom of Information are echoed in this document (such as a legislative time limit for internal review and a central store of Freedom of Information statistics), many of their other recommendations remain relevant. In particular we would highlight the following of their recommendations as important ideas that are worth revisiting:
- Replace the the public interest test time extension with a more limited extension around complexity of volume of a request,
- Make it possible for prosecutions under section 77 of the Act (erasure of information that has been requested) to take place more than six months after the offence, and;
- Require public authorities of a certain size to publish the requests received and the information released in public.
This paper has scratched the surface of these issues, and its aim is to catalyse conversation and innovation in strengthening FOI in the UK. Further research into the legal and practical aspects of the recommendations made in this report is necessary, as is more qualitative research on the barriers, risks and opportunities of innovating in this area. Comparative research into regulatory and monitoring regimes in Europe and further afield will further inform the case for reform. We see this paper as a beginning and a first step in demanding that our right to information and the legislation that enshrines it, is meaningful, robust and in service to the public.
Edits
- 2022-08-22 - Modified a statistic. Original paragraph said that "Based on data in Scotland, 40% of internal reviews result in some form of new information being released". This was based on the information in this table but using the reverse of the 60% where the original decision was partially or wholly upheld. In fact, part of this 40% is late responses and decisions reached but not issued. 16% of reviews led to an entirely substituted decision, but it can be said with this information how many led to a whole or partial substitution of the decision. This seems likely to be in the same ball park as the UK central government numbers rather than being much higher.
Related research
Footnotes
1 Scottish Executive (1999), An Open Scotland: Freedom of Information, a Consultation.
2 This broadly means Freedom of Information and Environmental Information Regulations, but also covers responsibilities like INSPIRE and other focuses around the publishing and availability of public sector data.
3 The Data Protection Registrar already existed as a result of the Data Protection Act 1984. The Data Protection Act 1998, transformed the Data Protection Registrar into the Data Protection Commissioner.
4 The equivalent terminology for England is independent special schools and non-maintained special schools (NMSS).
6 Open Democracy - Art of Darkness report (p. 8)
7 Open Democracy - Art of Darkness report (p. 26)
8 Even in cases where the authority is not acting maliciously, it is appropriate for there to be an administrative penalty for a complete lack of response. Reviewing decision notices issued by the OSIC, a lack of response is in some cases caused by the requester (for instance, using the wrong email address), but it is more common for the message to be received but misprocessed. 502 out of 516 decision notices about timescales found in favour of the requester.
9 More information about the use of administrative silence can be found in Open Democracy's Art of Darkness report (p. 24)
10 OSIC, Guidance on the use of FOSIA section 30
11 With a similar restriction to Scotland in requiring an exemption for information given in confidence by a UK ministry/department.