Freedom of Information Act 2000
The Freedom of Information Act 2000 (the Act) came into force on the 1st January 2005. The Act provides that anyone may request information from a public authority in England, Wales and/or Northern Ireland (separate legislation applies to Scotland). Prospective applicants for information under the Act have a right:
(1) To be told whether or not the public authority holds that information, and if so,
(2) To have that information communicated to them.
The Act derived from the Freedom of Information Bill following a White Paper proposal published in December of 1997. It received Royal Assent on the 30th November 2000 before coming into force on the 1st January 2005. Much discussion and paper was generated in the period leading up to the Act coming into force. The Government have done much through codes of practice to develop the practices and procedures which attempted to implement the spirit of the Act prior to it coming into force. These codes of practice have now been entirely superseded by the operation of the Act itself. The burdens on any public authority and regulator are considerable. Those regulatory bodies who may in time fall to be considered public authorities may think it prudent to address some of the operational features of disclosure and costs attached thereto sooner rather than later.
A summary of the Act’s provisions
Scope of Eligibility
Any person may request information under the Act [s.1(1)], regardless of their age, nationality or location.
The information which may be requested is any information held by a public authority which is eligible for release and not subject to prescribed exemptions within Part 2 of the Act. These exemptions operate to protect information which is permitted to be kept confidential (see Part 2 sections 21-44; eg information relating to defence, international relations with other States or organisations, national security, the economy, court records, parliamentary privilege).
The exemptions most likely to be of interest to regulatory bodies are;
(i) investigations and proceedings conducted by public authorities [s. 30(1)]- this relates to criminal proceedings (eg the prosecution of market abuse by the FSA), is not absolute and requires the authority to perform a public interest balancing exercise for and against disclosure. The exemption applies to information held “with a view” to investigation or prosecution arguably not requiring that the dominant purpose for holding that information be for the purposes of investigation or prosecution – a broadly drawn exemption that provides ample scope for public authority regulators to decline to disclose ;
(ii) Law Enforcement [Section 31] – the provisions of Section 31(1)(g) and (h) provide a broad scope for exemption in the regulatory context. Section 31(1)(g) provides that the information which is not exempt information by virtue of Section 30 (Investigations and Proceedings etc) is exempt information if its disclosure under this Act would or would be likely to prejudice the exercise of any public authority of its functions for any of the purposes specified in subsection (2). Subsection (2) lists circumstances of which the following may be relevant for regulators: ss. 2(a) - the purpose of ascertaining whether any person has failed to comply with the law; ss.2(b)- the purpose of ascertaining whether any person is responsible for any conduct which is improper; ss.2(c)- the purpose of ascertaining whether circumstances which would justify a regulatory action in pursuance of any enactment exist or may arise; ss.2(d) - the purpose of ascertaining a persons fitness or competence in relation to the management of bodies corporate or in relation to any profession or other activity which he is or seeks to become authorised to carry on; ss.2(i) - for purposes of securing the health and safety and welfare of persons at work and; ss.2(j) - the purpose of protecting persons other than persons at work against risk to health or safety arising out of or in connection with the actions of persons at work. The provisions of Section 31(1)(h) provide exemption in respect of any civil proceedings which are brought by or on behalf of a public authority and arise out of an investigation conducted for any of the purposes specified in section 31(2), by or on behalf of the authority by virtue of Her Majesty’s prerogative or by virtue of powers conferred by or under an enactment.
Informer exemption [s. 30(2)] –disclosure of such information may lead directly or indirectly to the disclosure of the identity of an informant- a widely draw exemption in line with well established public policy grounds;
Personal Information [s. 40] -subject to a separate regime under the Data Protection Act 1998 (also supervised and enforced by the Information Commissioner);
Information provided in confidence [s.41] – exemption is conferred where the disclosure of information would constitute a breach of confidence actionable at common law- each government department is a separate person and regulatory bodies may have to review information transmitted from other public authorities to assess whether the initial source of the information supplied it in confidence and take steps as a matter of prudence to categorise any such information;
Legal Professional Privilege [s.42] – information between lawyers or their clients for the purpose of giving or receiving legal advice or in contemplation of prosecuting/defending legal proceedings – the public authorities privilege is not absolute and a public interest balancing exercise must be performed (ss.2(1),(2)) but any privilege asserted by a 3rd party is absolute.
The Act only applies to information held by public authorities. A full list of public authorities is contained in Schedule 1 of the Act, which may vary from time to time. Generally any government department is included as a public authority and other such well known institutions such as the Financial Services Authority are listed specifically by name. Other areas covered are those authorities contained within the health sector, the education sector, the police and armed forces. This precise definition is to be contrasted with the broader application of the term in the Human Rights Act 1998. Therefore while a public authority designated under Schedule 1 of the Act is almost certainly going to be considered as one under the HRA, the opposite is not the case.
S.19 – Publication schemes
Section 19 of the Act requires all public authorities to produce, maintain and disclose in accordance with a publication scheme. This scheme, which must be approved by the Information Commissioner, must state publicly what kinds of information the public authority concerned will of its own initiative make available and how they propose to facilitate access to the public. The publication scheme extends further than merely listing documents, it also identifies the classes of information held and made available under the Act. A public authority may also was entitled to make reasonable charges for providing that information prior to the introduction of the Act.
Making the Request
A request made to a public authority must be made in writing (which may include emails, state clearly what information is required and state the name of the applicant and any address for correspondence).
Response to a request for information
On receiving a request, the public authority must respond as soon as possible and no later than 20 working days after receipt of the request [s.10]. The public authority’s response should confirm or deny whether or not such information is held and either provide the information or state why it is not being provided and what provisions of the Act they rely on to withhold the information requested . The duties of public authorities also extend to advising and assisting requesters in their pursuit of information.
Right to levy reasonable charges
Public authorities may charge for the provision of information and such charges are laid down in regulations under the Act. These regulations state that where the cost is less than 450 in providing such information (600 in the case of central government) the provision of the information will be free of charge, (charges may however be levied for the costs of photocopying and postage). If the request will cost more than this to answer, the public authority can refuse to answer the request, or answer it for free, or charge up to and including the full cost of answering the request. If the applicant declines to pay any such legitimate charge this fact permits the public authority concerned to refuse to supply the information.
Refusals – reliance on exemptions
If a refusal to provide information is made by a public authority relying under one of the exemptions specified in the Act, the public authority must identify which exemption it relies upon giving details to the applicant of how to apply for an internal review of the decision to refuse [s.17]. If after this the public authority still refuses the applicant’s request, an applicant may seek a review of that decision by the Information Commissioner.
Although no specific limit is placed on the number of requests any one person can make of an authority, Section 14 of the Act states that a public authority can reserve the right to refuse vexatious or repeated requests which may include repeated requests from the same person for the same information or requests which are intended to disrupt the authority’s work.
Restrictions on use of information once supplied
Once the information is provided, the Freedom of Information Act does not place any restrictions on how the information supplied under it may be used. The Act of course provides in permitting a refusal for disclosure of the information, exemptions for commercially sensitive information, information intended for future publication or information relating to investigations, law enforcement and court records. The copyright does not transfer to the person to whom the information is supplied.
Implementing the Act for regulators
The Department for Constitutional Affairs [DCA] before the Act’s coming into force produced a model action plan (MAP) setting out the steps to be taken by public authorities to ensure compliance with an implementation of the Act’s provisions.
For those who may in time need to address this topic, the MAP is divided into 5 core objectives as follows:
(1) Leadership and policy;
(2) Training and awareness;
(3) Information and records management;
(4) Customers and stakeholders;
(5) Systems and procedures.
The leadership and policy was derived from the DCA, the Information Commissioner’s office and National Audit Office up to implementation and designed to provide practical assistance to public authorities to prepare for the Act’s provisions.
The training for the Act’s provisions internally must be a matter for the relevant public bodies themselves. The Lord Chancellor has however encouraged the use of an FOI logo to enhance public awareness of the rights of individuals to gain access to information to be used on the public authority’s documents.
It is common sense that good record keeping and information management should be a central feature of any efficient administrative process. Those regulatory bodies who are subject to or susceptible to being designated as public authorities under the Act are assisted by a Code of Practice on the Management of Records (provided for under Section 46 of the Act), the Model Action Plans (see ante) have been provided for by the National Archives for developing records management that conforms to the Code of Practice under Section 46. It will be the duty of any regulatory body to ensure compliance with such codes of practice and in so doing they may have regard to the standards and guidance on aspects of record management produced by the National Archives.
The Department of Constitutional Affairs has produced a standard specification for IT systems to manage Freedom of Information Act inquiries. These system specifications are designed to assist public bodies in a speedy and consistent implementation of the Act.
A key distinction between the Act and the Data Protection Act 1998 (DPA1998) is that the Act gives all people a general right of access to information held by or on behalf of public authorities intending to promote a cultural openness and accountability amongst public sector bodies. The DPA1998 on the other hand, is built around a set of enforceable principles intended to protect personal privacy, to encourage good practice in the handling of personal information and to give individuals a right of access to information about themselves (e.g. financial or health information). The DPA 1998 is not simply limited to the retention of data by public authorities, but all bodies that process personal information and tends even though limiting the categories of persons to whose to whom the personal data relates is therefore far more wide ranging potentially in its implications. Personal data is exempt information under the Act. 11. If an individual makes a request for access to information held by a public authority about him or herself, it will generally be dealt with under the provisions of the Data Protection Act. If the information however is of a more general nature, then the Freedom of Information Act may be more appropriate. Regulatory bodies who are or may be public bodies in due course may find themselves the subject of dual applications under both the Freedom of Information Act and the Data Protection Act. An applicant may wish to elicit information which may both be specific to that individual as well as information of concern to that individual but not within the category of personal data to which the DPA applies. The processes for access to the information and disclosure must be adhered to under the different provisions of the relevant acts. Sensibly the Information Commissioner is the last adjudicator and if necessary enforcer of both these statutes.
The Information Commissioner
The Information Commissioner (IC) as the key regulator has been closely involved in the practical implementation of the Act. Its publicly stated implementation plan of the Act’s provisions is designed to make transparent the IC’s objectives and to head off any criticism such as that which was levelled at the IC (and predecessor Data Protection Registrar) in relation to the implementation of the Data Protection Act.
Practical steps for Regulatory Bodies
Those regulatory bodies who may in time become public authorities would do well to look at the manner in which public authorities were encouraged through codes of practice to engage in a system of voluntary disclosure prior to becoming designated public authorities under the Act (e.g. police forces). The benefits of proper management systems and controls in record keeping may in themselves be desirable benefits of such an exercise even if public authorities and regulatory bodies have hitherto been less than forthcoming about information held by them. The natural inclination of smaller regulatory bodies is to retain as confidential as a matter of course their internal decision making and operational processes (e.g. minutes of meetings etc). It would be prudent for any regulatory body which is or may be caught by the Act to conduct a review of all information they generate and ascertain whether each category of information may fall to be disclosed under the Act or which exemption may apply to such information in order to resist its disclosure.
Those bodies who are engaged in regulatory proceedings should consider carefully the possible prejudice that may accrue in disciplinary proceedings or other proceedings (e.g. decisions to admit/register/deregister, suspend or intervene) if information concerning investigations or inquiries which may give rise to enforcement action were to be readily and freely available. Careful consideration should therefore be given to whether reliance can be placed on exemptions within sections 31(1)g and 31(2) of the Act (see ante). In practice however, the administrative operation of regulatory bodies which normally involves the minutes of committee meetings, decision making and policy making which affects not only the members of the bodies themselves, but also the public interest is information which in the current climate should as a general rule be made available unless there is good reason not to do so.
The cost implications of implementing such a system either akin to the Act or expressly to comply with it should be measured against the benefits and efficiencies that may accrue in a proper information management system in the administration of the regulatory body concerned.
The following are some useful links for those wishing to examine the practical implications of implementing the Act’s regime or similar processes:
17th February 2005