
Freedom of Information: Your Guide

30 March, 2020

Transparency is one of the best ways for your organisation to maintain a high level of trust with its customers and the public.

The Freedom of Information Act (2000) was introduced to provide public access to information held by public authorities, including several guidelines and requirements for organisations to consider.

Failure to comply can have troublesome consequences for you as an individual as well as your organisation. Therefore, it’s important that you understand your roles and responsibilities regarding Freedom of Information (FOI) within your organisation.

What is a Freedom of Information Request?

Anyone can make a request for information from a public authority. A freedom of information request must be presented in writing either by email or by letter. In addition, new guidelines state that you should treat requests made via social media as legitimate.

Requests should include the requester’s name and a reference to the information in question. However, the request does not have to specifically mention all information or the Freedom of Information Act.

How to Reply to Freedom of Information Requests

You have two main responsibilities when replying to a freedom of information request: inform the requester as to whether or not you possess the information and provide that information.

Provided the requested information is not exempt from public release (see the section below), you should respond with all information relating to the request within 20 days.

Selective or incomplete information, or an overview, would not be considered an adequate response to a Freedom of Information request.

Bear in mind that more general requests might need clarification before you adequately answer. In this case, you should contact the requester as soon as possible.

Wherever possible, your freedom of information officer should take the lead role in replying to requests. Remember, you can always refer to the Data Handling Flowchart if you’re ever unsure of how to deal with an information request.

Is Any Information Exempt From Freedom of Information Requests?

There are three main sets of circumstances which would make information exempt from being released under the Freedom of Information Act (2000).

Remember, even if you’re unable to release information relating to a request, you should still contact the requester within 20 days explaining the reasoning for your decision not to release the information.

The three circumstances are:


You should exempt any information that concerns a pending legal investigation as this could potentially compromise the case and endanger those involved.


You should assess whether the information relates to a member of the royal family, or is likely to cause harm upon release. Should this be the case, your reply must state:

  • A negative consequence of the information’s release
  • How the release could lead to this consequence
  • A real possibility of the consequence occurring.


Requests can be deemed vexatious if the information has already been provided to the requester or made available to the public. In either case, a reply should still be sent explaining the refusal and directing the requester to the information.
