Table of Contents
- What is the Freedom of Information Act and a Freedom of Information Request?
- How Does the Freedom of Information Act Differ from the UK GDPR?
- What is a Subject Access Request Under UK GDPR?
- Why Should You Understand the Difference Between FOI and SAR Requests?
- Key Takeaways
- Frequently Asked Questions
In Short
- FOI requests allow individuals to request recorded information from public authorities under the Freedom of Information Act 2000.
- SARs (Subject Access Requests) allow individuals to access their personal data held by any organisation under the UK GDPR.
- Key difference: FOI promotes transparency in public bodies, while SARs focus on personal data rights across all sectors.
Tips for Businesses
Public authorities must have clear processes for handling both FOI and SAR requests. Private businesses only need to handle SARs correctly to comply with UK GDPR. Train staff to distinguish between the two, meet response deadlines, and follow the correct procedures to avoid legal risks.
It is vital for organisations to understand the range of laws which apply to data access and privacy and their impact. The Freedom of Information Act 2000 (FOIA) gives the public the right to access information held by public authorities in the UK. This legislation is separate from the widely known UK General Data Protection Regulation (UK GDPR), which regulates the use of personal data and gives individuals the right to access a copy of their own personal data. This article introduces a Freedom of Information Request (FOI Request) under the FOIA and how it differs from a Subject Access Request (SAR) under the UK GDPR rules.
What is the Freedom of Information Act and a Freedom of Information Request?
The FOIA grants individuals the right to access recorded information held by public authorities. The ICO’s guidance explains that this law covers public bodies, including government departments, local councils, the NHS, state-funded schools, and police forces.
An FOI Request is a formal written request that an individual or organisation submits to access recorded information held by public authorities. Individuals must submit FOI requests in writing (including letters, emails, or online forms). However, some public authorities may also accept requests via social media if the platform allows for permanent records.
Public authorities must respond within 20 working days (unless extra time is allowed in limited cases), either by providing the requested information (i.e., confirming they hold the relevant information and providing it) or explaining why they cannot disclose it with a refusal notice.
Recorded information can include various types, such as files and computer files, letters, emails, telephone recordings, CCTV footage, videos, and photographs. However, the right to submit an FOI Request does not include a right to a copy of personal data.
Refusal and Exemptions
The FOIA also includes several conditions under which public authorities can refuse requests and sets out absolute and qualified exemptions. Absolute exemptions apply automatically, while qualified exemptions require a public interest test to weigh whether disclosure serves the public interest.
Individuals who are unsatisfied with a response can ask the organisation to review its decision and, if the issue remains unresolved, complain to the ICO.
While this provides a high-level and introductory overview of the rights available, various details and caveats regarding FOI Requests must be considered. Organisations can consult the ICO’s guidance for detailed information on the scope of the request and how to respond to it.
How Does the Freedom of Information Act Differ from the UK GDPR?
Although the FOIA and the UK GDPR grant individuals the right to access information, they each serve different purposes.

The FOIA promotes transparency in public authorities. It allows individuals to request information about government bodies and public organisations’ activities, policies, and operations.
In contrast, the UK GDPR regulates how all organisations (public or private) may handle personal data about living individuals. Under the GDPR, individuals have the right to access personal data held about them by any organisation. This is where well-known Subject Access Requests (SARs) come into play, allowing individuals to access information about how organisations use their personal data.
What is a Subject Access Request Under UK GDPR?
A SAR allows individuals to request access to their personal data held by any organisation that processes information about them as a controller. This includes knowing how and why their data is being used, where it is stored, and with whom it is shared. SARs are a key right under the UK GDPR, which gives individuals greater control over their personal data.
In contrast to FOI requests, SARs specifically focus on personal data, and businesses must ensure they provide individuals with accurate and complete information in response to a request unless exemptions apply.
Failure to comply with a legitimate SAR breaches the UK GDPR, and an organisation can face various potential penalties for that failure.
Why Should You Understand the Difference Between FOI and SAR Requests?
It is critical to understand that SARs and FOI requests are different, and not to confuse the two laws or the two types of request. For private businesses processing personal data, dealing with SARs correctly is critical.
For a public authority subject to the FOIA rules and handling personal data as a controller, it is crucial to establish clear procedures for handling both FOI requests and SARs to avoid confusion and potential breaches of both sets of laws.
Key Takeaways
Recognising the distinction between FOIA requests and SARs is vital. FOIA requests allow individuals to access recorded information held by public authorities to promote transparency within government and public sector organisations. In contrast, SARs give individuals the right to obtain personal data held about them by any organisation, a key right under the UK GDPR. For organisations subject to both legal frameworks, it is vital to identify which rules apply and to handle requests accurately and within the prescribed timeframes. Clear procedures can help organisations meet their legal obligations under both FOIA and UK GDPR.
Frequently Asked Questions
An FOI request allows individuals to request recorded information from public authorities under the Freedom of Information Act 2000.
A SAR allows individuals to request access to the personal data held about them by any organisation processing their data as a controller.