ICO takes tougher approach to enforcement

Following the news on the reduction in the backlog of FOI complaints last week (see earlier post), there is more good news for FOI requesters today from the Information Commissioner's Office, which has published a new policy on freedom of information regulatory action. Failure to deal with requests within the statutory time for compliance has been identified as a key target for intervention by the ICO.

Today the Information Commissioner’s Office (ICO) sets out the measures that public authorities will face if they routinely fail to meet the requirements of the Freedom of Information Act (FOIA) or the Environmental Information Regulations 2004 (EIR). Organisations will face action from the ICO if they regularly fail to issue a response on time, refuse to disclose information without specifying an exemption, or if they fail to respond to a request altogether. The tougher approach to enforcing the Freedom of Information Act will ensure individuals get speedier responses from public bodies.

Mick Gorrill, Head of Enforcement at the ICO, said: “Organisations that take FOIA seriously will have advice and support from the ICO. The public bodies that continually fail to meet their legal obligations will face regulatory action. Using FOIA can take too long and is sometimes overly cumbersome for members of the public. After monitoring authorities’ compliance with the Act, we will take action against those that abuse the system.”

The ICO will be making more use of regulatory powers including Enforcement Notices, Undertakings and Practice Recommendations to improve compliance. Where there is evidence that a public authority is regularly or seriously failing to meet its obligations, the ICO will not hesitate to take regulatory action, particularly where organisations fail to respond to requests in a timely manner. The ICO has identified timeliness as a key target for action, in recognition that a quarter (between 20–25%) of FOIA complaints to the ICO relate, at least in part, to the time taken for public bodies to respond to requests.

The ICO website states that it intends to publish the names of those authorities being monitored on a regular basis. The policy itself states:

We will adopt a selective approach to initiating and pursuing regulatory action. Our approach will be driven by concerns about significant or repeated failures to meeting the requirements of FOIA, EIR or their associated codes of practice. The type of intervention will be appropriate to the failure and proportionate.

...The initial drivers will usually be:

• concerns raised with us in the complaints that we receive;
• concerns raised with us by an authority direct;
• issues that come to our attention via the media, the web and social media such as information rights blogs;
• concerns raised by Parliament, the Ministry of Justice or liaison groups;
• concerns raised by the First Tier Tribunal (Information Rights); and
• concerns that become apparent through our other activities, for example wider information handling issues that come to our attention via our data protection audit programme.

Download the ICO's freedom of information regulatory action policy here.