Category Archives: FOIA

February 7, 2026 · 9:48 am

Beware invisible law

An interesting aspect of domestic law-making is what I think of as the “invisible provisions”. Here is an example which finally made it off the statute books recently.

If, prior to the last week, you went to the Data Protection Act 1998 page on legislation dot gov dot uk, and opened the “latest version”, you would get the words:

Act repealed (except s. 62, Sch. 15 paras. 13, 15, 16, 18, 19) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 44 (with ss. 117, 209, 210, Sch. 20 paras. 2-9, 17-25, 27-46, 53, 54, 58); S.I. 2018/625, reg. 2(1)(g)

Straightforward, then? It’s all been repealed (except for some minor provisions dealing with consumer credit and interpretation of Northern Ireland access to medical records law). And “repealed” means, “no longer in force”, yes? Well, not necessarily.

Because, what you wouldn’t see anywhere on the legislation pages for the 1998 Act, is paragraph 58 of Schedule 20 to the Data Protection Act 2018 (the Act that repealed the 1998 Act), where you will see “The repeal of a provision of the 1998 Act does not affect its operation for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003”.

So, even though the enforcement provisions of the 1998 Act were repealed, that repeal did not affect their operation for the purposes of enforcing PECR. They remained in effect even though they were repealed.

The commencement of section 115 of the Data (Use and Access) Act 2025 finally takes PECR enforcement away from the 1998 Act.

There are myriad examples of this. Take the Freedom of Information Act 2000. Nothing in its own provisions would suggest that its enforcement provisions also apply to the Environmental Information Regulations 2004. To understand that point, you have to refer to the Regulations themselves, which say “The enforcement and appeals provisions of the Act shall apply for the purposes of these Regulations as they apply for the purposes of the Act”.

How is one meant to know if an invisible provision is affecting a statute or other instrument? The simple answer is, you will only know if you know, or if you undertake sufficiently diligent research. Some have access to expensive legal research tools, but that’s not a luxury open to all.

All I can say is that it is a potential pitfall to be aware of, for anyone advising on the law.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data (Use and Access) Act, Data Protection Act 2018, Environmental Information Regulations, FOIA, Legislation

Tagged as ,

January 15, 2026 · 6:37 am

Russell Group is not a public authority for the purposes of FOIA

For those interested in the general question of what is a “publicly owned company” for the purposes of sections 3 and 6 of the Freedom of Information Act 2000 (FOIA), and the specific question of whether the Russell Group is a public authority for the purposes of the FOIA, the Information Tribunal judgment in Farfan v Information Commissioner & Anor [2026] UKFTT 48 (GRC) will make fascinating reading. For the remaining 69.2 million people in the UK, it will be impenetrable.

A company will be a publicly owned company for the purposes of section 3(1)(b) of FOIA if all of its members are themselves public authorities listed in schedule 1 of FOIA.

So, in short, the answer to the second question is “no”, because a) 22 of the 24 members of the Russell Group are university institutions, not the governing bodies of those institutions (and it is the latter which are listed in schedule 1), b) in any case, even if the Tribunal had decided that there was no distinction between the university institutions and their governing bodies, the remaining two members of the Russell Group are the Universities of Glasgow and Edinburgh, and they are not listed in schedule 1 of FOIA (rather, they are public authorities for the purposes of the Freedom of Information (Scotland) Act 2002).

Get reading, you crazy FOIA (and FOISA) nerds.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under FOIA, FOISA, Freedom of Information, Further education, Information Commissioner, Information Tribunal, judgments, Uncategorized

Tagged as

November 29, 2025 · 6:41 am

NCND for personal data – a qualified exemption?

[reposted from my LinkedIn Account]

I’ve been known to criticise First-tier Tribunal (FTT) judgments in the freedom of information jurisdiction. By contrast, this one is superb.

In it, the FTT dismantle the argument (and the decision notice) of the Information Commissioner’s Office that Bolton NHS Foundation Trust were entitled to “neither confirm nor deny” (NCND) holding reviews, including a review by PWC, into the Trust’s governance and management. The PWC review was the subject of an article in the Health Service Journal, and the requester was the journalist, Lawrence Dunhill.

Firstly, the FTT noted that the ICO “case begins with an elementary error of fact. It treats the Trust as having given an NCND response to the entirety of the Request when it did no such thing” (the Trust had only applied NCND in respect of the request for a PWC report, but had confirmed it held other reviews). Oddly, the Trust, in its submissions for the appeal, simply ignored this error (the FTT chose not to speculate on “whether that omission was accidental or tactical”).

Secondly, and notably, the FTT found a fundamental error of law in the ICO’s approach (and, by implication, in its guidance) to NCND in the context of personal data. Section 2(3)(fa) of FOIA provides that section 40(2) is an absolute exemption (therefore not subject to a public interest test). But section 2(3) does not include section 40(5B) (the personal data NCND provision) in the list of absolute exemptions. As far as I know, the ICO has always taken the view, however, that it is an absolute exemption – certainly its current guidance says this).

That approach, held the FTT, is “simply wrong…the exemption under FOIA, s40(5B)(a)(i) is qualified and the public interest balancing test applies”. And but for that error, they said, the ICO might have reached a different conclusion.

As it was, the FTT held that the legitimate interests balancing test under Article 6(1)(f) of the UK GDPR was sufficient to determine the issue: merely confirming or denying whether the PWC review was held would not cause unwarranted prejudice to a named individual when balanced against the requester’s legitimate interests.

It will be interesting to see if the ICO appeal this. Given the strength of the criticism it would perhaps be bold to do so, but it might be that the only alternative will be to have to rewrite their guidance on s40(5), and rethink their long-held view on it.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments, NCND, UK GDPR

Tagged as , ,

October 12, 2025 · 9:50 am

Tribunal: unincorporated associations are not companies for the purposes of FOIA

The question of whether a body is a public authority for the purposes of the Freedom of Information Act 2000 (FOIA) is determined by asking (up to) three questions:

1: is it listed in Schedule 1 to FOIA?
2: has it been designated as a public authority by order by the Secretary of State or Minister for the Cabinet Office?
3: is it a company wholly owned by the wider public sector, or by the Crown (or by both of those)?

If the answer to all of those is “no”, then the body is not a public authority, and it is not obliged to comply with FOIA, no matter how much it might seem or look like a public authority.

These issues arose in a recent case in the First-tier Tribunal, following a decision by the Information Commissioner’s Office that the Conference of Colleges of the University of Oxford (the “Conference”) – an unincorporated association – was not a FOIA public authority.

It is accepted that the University of Oxford is a public authority, as is each of the colleges of the University (see paragraph 53 of Schedule 1 FOIA). The appeal to the Tribunal was based on argument by the appellant (“The Association Of Precarious Postdoctoral Researchers Ltd”) that the Conference, being a body created by the constituent colleges, met the definition of a “company” wholly owned by those colleges. Although FOIA does not define “company”, certain other legislative provisions do, including section 1121 of the Corporation Tax Act 2010, pursuant to which it is defined as meaning “any body corporate or unincorporated association…”.

That argument, however – held the Tribunal – actually counted against the appellant, because in the absence of clear legislative intent to broaden the term for the purposes of FOIA, it should take its ordinary English use: “unincorporated associations are not considered to be caught by the normal definition of a ‘company’ and…Parliament will make express provision to include them where it intends to do”.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Commissioner, Information Tribunal

Tagged as , ,

June 6, 2025 · 8:44 am

Hinkley Point C construction company is a public authority under the EIR

The Information Tribunal has ruled that the Nuclear New Build Generation Company, a subsidiary of EDF Energy, created to construct s new nuclear power plant at Hinkley Point C (HPC), is a public authority for the purposes of the Environmental Information Regulations 2004 (EIR)

In the last fifteen years or so, a very interesting body of case law has been built up regarding the extent to which certain private persons have accrued, or have been conferred upon them, the status of a public authority for the purposes of the EIR. Some of the bodies who have been held to be public authorities (at least in a limited EIR sense) are water companies, BT, public gas transporters, and port authorities. Some which have not been held to be include Heathrow Airport and housing associations.

The EIR create a scheme for public access to environmental information held by public authorities, which runs in parallel to the scheme under the Freedom of Information Act 2000 (FOIA). Where FOIA, though, specifically designates public authorities, the EIR (which implemented an EU Directive, emanating in turn from the 1998 UNECE Aarhus Convention) define a public authority by virtue of its actions and powers.

Whether a person is a public authority will often turn on whether it “carries out functions of public administration”. The tests for this derive from the “Fish Legal ” in the CJEU: whether they are “entrusted, under the legal regime which is applicable to them, with the performance of services of public interest, inter alia in the environmental field, and…are, for this purpose, vested with special powers beyond those which result from the normal rules applicable in relations between persons governed by private law”

In NNB Generation Company (HPC) Ltd v Information Commissioner & Anor [2025] UKFTT 634 (GRC), the Tribunal, considering an appeal by HPC from a decision by the Information Commissioner’s Office that it was an EIR public authority (and in which Fish Legal were again the applicant), held that the relevant Development Consent Order, and the electricity and nuclear licences granted to HPC constituted entrustment with the performance of public services in relation to the environment, and the powers accruing from that entrustment “go far beyond what a private person without the benefit of such powers would be able to do in those circumstances, for example in empowering HPC to make byelaws, even if it opts not to do so”.

Decisions of this sort are nuanced and complex, and for that reason, often amenable to appeal. I would not be surprised if this one goes to the Upper Tribunal.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Environmental Information Regulations, FOIA, Information Commissioner, Information Tribunal, judgments

Tagged as

May 7, 2025 · 7:17 am

FOIA contempt proceedings against University of Exeter

Non-compliance by a public authority with the provisions of the Freedom of Information Act 2000 is rarely a particularly serious matter for the public authority: a delay in responding, or a failure to disclose what should be disclosed, or wrong reliance on exemptions will at most normally only result in a public decision notice by the Information Commissioner’s Office (ICO), and there are hundreds of those issued each year, which pass with barely any attention.

Where it can get serious is where the public authority fails to comply with an order by the ICO, or where, upon a case having been appealed to the First-tier Tribunal (FTT), the FTT has made an order for disclosure. Sections 54 and 61, respectively, of FOIA, empower the ICO and the FTT to treat the failure to comply as offence of contempt of court, and certify the offence to the Upper Tribunal, which has the power to commit for contempt. In principle, as I understand it, the Upper Tribunal could, if it agreed there was a contempt, impose a period of imprisonment or a fine (the powers here are not contained in the Upper Tribunal Rules, but in YSA (Committal for contempt by media) [2023] UKUT 00075 (IAC), the Upper Tribunal (in a non-FOIA case) said that as the Upper Tribunal Rules do not expressly deal with contempt certifications, then the Upper Tribunal should, so far as it can, adopt the contempt provisions of part 81 of the Civil Procedure Rules.

I’m not aware of any FOIA case where the Upper Tribunal (or the High Court, which had the jurisdiction until the Data Protection Act 2018 amended FOIA and conferred jurisdiction on the Upper Tribunal) has actually made a contempt committal. But the latest case to make its way to the Upper Tribunal, to consider whether to do so, involves the University of Exeter. The University was asked under FOIA for the names of attendees, and the organisations they represented, at two University groups – the Exeter Community Panel and the Resident Liaison Group. The University refused, citing data protection concerns (and relying on the exemption at section 40(2) FOIA), and the ICO agreed. However, the FTT disagreed (these were public facing groups and attendees would have had no reasonable expectation that their names would be kept private) and ordered disclosure. This, however, the University did not do, and upon being chased by the applicant, indicated that at least some of the information no longer existed, because of (undocumented) oral right to be forgotten requests made by attendees after the FTT had ordered disclosure (which raised s77 FOIA questions). As the FTT pointed out, the University had supplied the withheld information to the ICO and to the FTT itself for the purposes of the original proceedings, and it was “less than credible that the Respondent cannot recover that information and provide it to the Applicant”.

The FTT was satisfied therefore, that this was a “wilful”, “flagrant” and continuing failure to comply with its order – “a contrived and persistent failure that is still ongoing”.

The FTT nonetheless still urged the University to fully comply with the order, as doing say “may mitigate any action taken by the Upper Tribunal”.

Compliance with FOIA is not voluntary for a public authority. Still less so is compliance with orders of a court.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under contempt, FOIA, Freedom of Information, Information Tribunal, Upper Tribunal

Tagged as

April 16, 2025 · 6:25 am

The Emperor has no clothes!

[reposted from my LinkedIn account]

When a public authority receives a Freedom of Information Act request and the requested information contains personal data (of someone other than the requester) it must first consider whether it can even confirm or deny that the information is held. For instance “Dear NHS Hospital Trust – please say whether you hold a list of embarrassing ailments suffered by Jon Baines, and if you do, disclose the list to me”. To confirm (or deny) even holding the information would tell the requester something private about me, and would contravene the data protection principles at Article 5(1) of the UK GDPR. Therefore, the exemption at s40 of FOIA kicks in – specifically, the exemption at s40(5A): the hospital can refuse to confirm or deny whether the information is held.

But suppose that, mistakenly, the hospital had perhaps confirmed it held the information, but refused to disclose it? The cork, surely, is for ever out of the bottle.

Upon appeal by the requester (this requester really has it in for me) to the ICO, I could understand the latter saying that the hospital should have applied s40(5A) and failure to do so was a failure to comply with FOIA. However, certainly of late, the ICO has engaged in what to me is a strange fiction: it says in these circumstances that it will “retrospectively apply s40(5A)” itself. It will pretend to put the cork back in the bottle, after the wine has been consumed.

And now, the Information Tribunal has upheld an ICO decision to do so, albeit with no argument or analysis as to whether it’s the correct approach. But even more bizarre it says

We are satisfied that the Commissioner was correct to apply section 40(5B) FOIA proactively, notwithstanding the information that has previously been provided by the Trust, to prevent the Trust from providing confirmation or denial that the information is held.

But the Trust had already done so! It can’t retrospectively be prevented from doing something it has already done. The cork is out, the wine all gone.

Am I missing something? Please excuse the sudden mix of metaphor, but can no one else see that the Emperor has no clothes?

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

13 Comments

Filed under Data Protection, FOIA, Freedom of Information, Information Commissioner, UK GDPR

Tagged as , ,

March 12, 2025 · 4:50 am

Cabinet Office wins Covid face masks FOIA appeal

The Information Tribunal has overturned a decision of the Information Commissioner’s Office and ruled that the Cabinet Office is not required to disclose minutes of meetings in June and July 2020 at which policy decisions were taken to make mandatory the wearing of face masks in shops and on public transport.

It is a shame that, for a decision of some import, the judgment reads like a stream-of-consciousness draft, and that it is infused with unnecessary sarcasm at various points.

The ICO had determined that although the exemption at s35 FOIA (for information relating to the formulation of government policy) was engaged. He acknowledged the importance of a protected space for government decision-making, and of the principle of collective responsibility, but decided that the “exceptionally weighty” public interest favoured disclosure.

The Tribunal, however, via reasoning which is – frankly – very difficult to follow, appears to have focused on the issue of “accountability”, something that the requester had mentioned rather in passing in support of his request, but which was not a matter expressly mentioned in the ICO’s decision. Having fixed on this concept, the Tribunal appears to have decided that as those in government at the time have since been held accountable in various ways, there was diminished public interest in achieving accountability by way of disclosure of the requested information. The key passage is probably this (at 57):

In considering the context of this request there is a stark contrast between the salience and effectiveness of other multiple forms of accountability…and the value of the information sought – in contrast with the risk of harm to the functioning of government caused by its release disproportionate to any benefit.

I do not say the Tribunal has necessarily got this wrong, but I do say that this a FOIA case of some significance, and that it warranted a clearer judgment.

Whether the judgment is amenable to an appeal is not entirely clear, but it’s worth pointing out that the original requester was not a party to, and was not joined to, these proceedings, and so I do not believe he himself has a right of appeal to the Upper Tribunal, and one wonders whether the ICO will have the enthusiasm to do so, given the costs involved.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as , ,

February 19, 2025 · 1:03 pm

FOI doesn’t need a “purpose”

[reposted from my LinkedIn account]

At the close of an otherwise unobjectionable and unsurprising refusal of a Freedom of Information Act 2000 appeal (on the issue of a vexatious request), the Information Tribunal judge says this:

“FOIA exists to safeguard freedom of information. It was not enacted to serve as a tool for furthering personal campaigns and causes, however heartfelt they may be.”

When Parliament enacted FOIA it expressly declined to insert a “purpose clause”. As its explanatory notes say “A request for information can be made by any individual or body, regardless of the purpose of the application.” So if someone wants to use FOIA as a tool for furthering personal campaigns and causes, then (as long as their requests are not, as they were here, vexatious) they jolly well can. And judges should respect this.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, FOIA, Freedom of Information, Information Tribunal, judgments, Uncategorized

Tagged as

February 19, 2025 · 9:41 am

The state of central government transparency

[reposted from my LinkedIn account]

This is one of the most extraordinary FOIA judgments I’ve ever seen, and it says an awful lot about the approach to transparency at the centre of the civil service.

The Cabinet Office have been trying to resist disclosure under FOIA of copies of blank ministerial declaration of interest forms, on grounds that to do so would be prejudicial to the conduct of public affairs, because among other things [checks notes] “Disclosure may lead to speculative scrutiny regarding why certain elements are included in the forms, potentially leading to amendments to the form which undermines its effectiveness”.

But there’s also an extraordinary citation of a piece of evidence given by a Cabinet Office witness – the “Director of Propriety and Ethics” – to the effect that the system for Minister declaring interests relies heavily on the trust and candour of Ministers, and the effect of disclosure would be that they “may be reluctant to provide the same level of detail” than they do currently.

Let’s just think about that. Ministers have a constitutional and ethical duty to declare interests, but this relies on trust and candour, and disclosure of a blank declaration form might mean that those we trust to be candid in their ethical duty to declare those interests might decide to be less trustworthy and candid as a result? What a sorry state of affairs.

Fortunately, the Information Tribunal, like the Information Commissioner’s Office before, had no truck with these arguments, and refused the Cabinet Office’s appeal.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under access to information, Cabinet Office, FOIA, Freedom of Information, Information Commissioner, Information Tribunal, judgments

Tagged as ,