What is a freedom of information (FOI) request?

Filing cabinet
(Image credit: Shutterstock)

Under the Freedom of Information (FOI) Act 2000, everybody in the UK has the right to request information held by public sector organisations and non-governmental authorities. The organisations that full under the remit of this act include central government departments and local authorities, as well as regulators and public sector corporations such as the BBC.

RELATED RESOURCE

Operationalising anti-fraud on the mainframe

Reducing losses in banking, cards, and payments

FREE DOWNLOAD

To obtain information held by any public sector body you must submit a freedom of information (FOI) request, which normally involves writing into a department within that body in order to explain the specific information you’re hoping to obtain.

It’s an extremely powerful tool that allows citizens to obtain all types of information, from communications to financial records, although the type of data you’re hoping to obtain may differ between different organisations. You could, for example, ask for information about internal and external meetings, or about how that organisation spends its money. You can even ask for internal staff surveys, emails sent to and from individuals, and reports that haven’t been published.

The legislation was first introduced by Tony Blair’s Labour government as a means by which to raise transparency in the public sector and allow the public to hold these bodies to account. Organisations are also legally required to routinely publish information about their activities to improve general transparency, with FOI used as a tool to extract data that an organisation hasn’t made public.

Under the rules, organisations must respond to an FOI request within 20 working days, although they are a number of exceptions that allow them to refuse the request, so long as they provide a detailed explanation as to why they’ve done so.

This tool is particularly useful for journalists hoping to glean information not made public, as it’s understood that organisations will only publish what they need to while keeping sensitive information hidden from scrutiny. The most famous example of how FOI was used by journalists was in the expenses scandal of 2009, in which several FOI requests to government departments uncovered great misuse of public funds among MPs.

Why would I make a Freedom of Information request?

Public authorities are required to disclose information through an FOI request, and therefore it's not necessary to justify the request.

In most cases, FOI requests are submitted in order to collect information that's useful for the public to know, or as part of wider research into public sector activities.

You're able to request any information the public body holds. That means any data on printed documents, spreadsheets, images, audio recordings, email communications, or even instant messages sent on work devices can all fall under the scope of an FOI request. The request is, therefore, able to tap into a wealth of public data, although anything classed as personal information is off-limits, barring exceptional public interest justification.

The mechanism is incredibly popular as a result. However, there are a number of exemptions that limit the scope of an FOI request. Some of these include a block on any information relating to the Royal Family and anything considered to be sensitive data relating to political parties. Anything considered to be commercially sensitive data or related to national security is also exempt from any request.

A request may be rejected entirely if it does not fall within the terms of the Freedom of Information Act. This is normally the result of a request being too costly to process, either financially or in terms of time. Most public authorities are allotted a maximum of £450, or 18 hours of work, to cover the cost of processing a request, although this rises to £600 and 24 hours of work for central government departments and the Houses of Parliament.

If your FOI request is rejected, the officer handling your case is obliged to explain in clear terms the reasons why, and offer you a path to dispute the decision. Other reasons for rejecting a request may include if the request has already been made in the past by another individual or if the request is vexatious.

How do you file a Freedom of Information request?

An FOI request is fairly simple to make. You need to address a letter, email, fax or online form to the public body you want the information from, providing your name, address, and a detailed description of what information you're after. It's important to define the scope of your enquiry, so the body doesn't come back with either insufficient or far too much detail.

You can ask for the information to be provided in either paper format, large print, audio format, or digital format. Bear in mind that while FOI requests are free, you might be asked to pay postage fees, or photocopying costs.

Recent FOI findings

FOI requests are often used to scrutinise the work and actions of the UK’s governmental bodies which would normally not be revealed if not for the request. In March 2022, ransomware protection provider ProLion found that more than half (52%) of London’s borough councils do not have a cyber insurance policy, potentially placing key services at risk. An additional five councils refused to say whether or not they have in place a cyber insurance policy, citing Section 31 of the Freedom of Information Act which exempts the disclosure of information that could “prejudice the prevention or detection of crime”. One council said that disclosing the information relating to cyber insurance could lead to an increased risk by encouraging an attack, said ProLion. Other councils stated that the disclosure of such information would give cyber criminals insight into possible vulnerabilities, or embolden them to attack those most at risk. This was found to be especially troubling following the 2020 cyber attack on Hackney Council.

RELATED RESOURCE

Operationalising anti-fraud on the mainframe

Reducing losses in banking, cards, and payments

FREE DOWNLOAD

However, there are also cases where FOI requests are used to reveal findings into the cyber security landscape. One recent example of such is an FOI request filed by Crypto Head, which found a 12-fold increase in crimes related to cryptocurrencies between 2016 and 2020. The FOI request, which had been filed to the UK's national reporting centre for fraud and cyber crime, Action Fraud, revealed that 24,847 reports of crypto crimes in the UK over four years, with the number increasing by 124% every year on average.

Although filed at different public sector organisations, both cases are examples of how FOI requests can be used to reveal useful information to the public.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.