ICO refuses to identify underperforming authorities

The Information Commissioner’s Office has refused to say which public authorities it had targeted because of their poor compliance with FOI time limits before the pandemic – despite having named them in the past and its own policy of identifying them.

Severe delays by some authorities in replying to FOI requests has long been the most serious problem facing requesters. In 2010 the ICO began monitoring authorities that repeatedly failed to meet FOI time limits. It press-released their names and continued monitoring them until their performance improved. Monitoring gradually declined, ceasing altogether in 2017.

In 2018 the ICO introduced an encouraging new ‘insight and compliance’ approach. Authorities were asked to submit their statistics on meeting FOI (and subject access) time limits.[1] Any not answering at least 90% of requests on time were asked to meet that standard. If they did not they were asked to draw up action plans and those that fell short of their action plan targets became candidates for enforcement notices. These could compel the authority to answer overdue requests by a specified date. However, in May 2020, during the pandemic, that policy too was dropped.

In June 2020 an FOI requester asked the ICO for the names of authorities monitored over the previous five years. The ICO replied that the names of those monitored until 2017 were publicly available [2] but that it was not prepared to name the authorities it had worked with under the subsequent insight and compliance approach. Revealing these, it said, could prejudice its ability to ‘constructively engage’ with the authorities and ‘jeopardise the ICO’s ability to obtain information’ from them. It upheld its refusal at internal review.

This is not the first time that the ICO has refused to identify underperforming authorities. We have described the detailed progress reports about the insight and compliance approach which the ICO had released with authority names redacted. However, unredacted versions of some of the same documents had been disclosed at the same time. Our blog piece named several of the authorities mentioned.

The ICO has since removed the unredacted documents from the website saying they had been released in error. It asked the requester to ‘not disseminate the previously disclosed documents further and delete any copies of this information you may have’. It added that disclosure of the names carried ‘a high risk of prejudice to our relationships with the organisations involved’.

Why the secrecy? In February 2019 the Information Commissioner, Elizabeth Denham, had suggested the ICO might publish ‘report cards’ on government departments’ FOI performance, using publicity to put pressure on under-performers.

More to the point, a September 2018 ICO document about the insight and compliance policy expressly stated that the ICO would identify the authorities whose performance it was trying to improve. This said:

we will publish the results of our compliance work undertaken at all levels with individual organisations on quarterly basis, these reports will provide data about:
(i) Details of organisations who we have worked with to improve their compliance.
(ii) The results of this work and any next steps.
(iii) Examples of good practice and organisations who are meeting and exceeding expectations. (emphasis added)

Despite this, the ICO claims that identifying these authorities would damage its work. That seems implausible: why would the ICO have adopted a policy of naming authorities if to do so was likely to be harmful?

The anonymity is all-embracing. The ICO has redacted all authorities’ names from these reports, wherever they occurred – including the names of those whose performance had improved.

For example, one of the redacted reports says one of the successes of the new approach has been:

‘Improved compliance by [redacted] in relation to the timeliness of handling FOI requests.’

The unredacted version reveals that this was the Home Office. It is inconceivable that revealing such an improvement could offend the Home Office and damage its relations with the ICO.

A number of helpful ICO spreadsheets provide updates on the progress of each unnamed authority. One shows that a police force answered only 53% of FOI requests on time in April 2019 but achieved 99% on time in October of that year, 94% in November and 100% in December. The force’s name is redacted.

What is the point of these redactions? Quarterly statistics on government departments’ compliance with FOI time limits are published by the Cabinet Office. They would reveal any change in, say, the Home Office’s performance from quarter to quarter. Police forces and other large authorities are also expected to publish quarterly statistics. Figures for individual months could be obtained from the authority under FOI.

The effect of redacting the names is not to suppress the statistics but any link between ICO efforts to improve performance and results. Where the ICO has intervened successfully, its success is obscured, denying it deserved credit. If the ICO has had little impact, that too would be hidden, shielding it from possible criticism. Neither outcome promotes accountability.

Redactions also conceal the names of:

  • five government departments which had been asked to provide the ICO with performance statistics and action plans
  • five police forces which had provided action plans to the ICO at its request and received feedback on them.

The equivalent information used to be published. All authorities selected for ICO monitoring prior to 2017 were told to submit their statistics, and all were publicly named. Authorities which had not improved received additional monitoring and were publicly identified. Under the insight and compliance approach those which did not improve were asked to submit action plans – but their names have been kept secret.

The ICO has previously gone significantly beyond this. For example, a January 2014 published ICO report to its management board, stated:

‘we have continued with our programme of formal Freedom of Information monitoring. This…quarter saw the final returns submitted by South Tyneside Council and Sussex Police. Both public authorities showed significant and sustained improvement in both timeliness of responses to requests and internal reviews…sufficient to satisfy us that the formal monitoring cases could be closed. Wirral MBC which had previously signed up to an Undertaking also demonstrated commitment and significant improvement in meeting its Undertaking and has also now concluded its period of formal monitoring. The Home Office has demonstrated ongoing improvement but not to a sufficient level, as yet, to satisfy us that they should no longer submit returns to us. They have set out how FOI request handling has been prioritised and a number of measures put in place by the Permanent Secretary. Metropolitan Police Service, which was already undergoing an extended period of monitoring also submitted its final return late in December. We are currently considering if further action is required. Looking forward our internal reporting has identified a further four authorities that require our attention in quarter 4. Those authorities are the Cabinet Office, Hackney Council, NHS England and the Crown Prosecution Service. The Cabinet Office has been subject to a previous Undertaking in relation to its FOI request handling. The Commissioner has written to the Permanent Secretary expressing his concerns and a meeting has arranged to discuss patchy compliance with FOIA across a number of Government Departments.’ (Bolding added) [3]

If the ICO could voluntarily make such disclosures why would releasing the equivalent information under FOI damage its regulatory functions?

Enforcement notices

The names of authorities warned that their failure to improve would lead to an enforcement notice have also been redacted. Again, the ICO has in the past sometimes identified such potential cases:

‘This quarter, following sustained improvement, Trafford Council were taken off formal monitoring. However, we are following up with them on one long overdue request which could potentially become an enforcement notice issue.’ (Bolding added) ICO Information rights report, Quarter 2 2016/17

‘Following work with the NI [Northern Ireland] Departments, and their restructure, we had follow up meetings with the Executive Office (formerly OFMDFM), the Department of Finance (formerly the DFPNI) and the Department of Health. These meetings and additional correspondence resulted in a number of significantly overdue requests (potential enforcement notice cases) being cleared.’ (Bolding added) ICO Information rights report, Quarter 1 2016/17

Occasionally an authority had itself revealed, in response to an FOI request, that it had been threatened with an enforcement notice. The Home Office had a substantial backlog of overdue FOI requests in 2017, one of which had been unanswered for almost three years. Following prolonged exchanges, the ICO finally told it in October 2017 that an enforcement notice would be issued if any of 53 long overdue requests was still outstanding on 1 November. On the day of the deadline, the Home Office finally replied to the last of the overdue requests – and the enforcement notice was averted. The Home Office had of course been fully aware that enforcement was on the cards: only the public had not known. It might still not know had the FOI request not been made.

What would be the effect of the ICO itself making such a threat public?

It would reveal that the ICO had intervened successfully to address a systemic problem. It would increase the expectation that the ICO would do so again if the problem recurred adding to the pressure for compliance. And it would warn other public authorities that disregarding FOI time limits will have consequences.

Disclosure might cause difficulties if, for example, it revealed internal ICO differences of opinion on whether enforcement action was justified. This would encourage the authority to challenge any subsequent notice. [4] But any such internal exchanges could legitimately be redacted, particularly while the issue was live.

If the ICO had been trigger happy, and threatened action where it was not called for, that could provoke authorities’ resentment which publicity would exacerbate. But if the threat followed repeated failure to respond to the ICO’s requirements, without good excuse, an authority could have no cause for complaint.

What if the ICO was threatening enforcement action in the hope it would produce results, but was not prepared to go through with it? Revealing that some enforcement threats were bluff would weaken the threat. But if this was happening, the authorities would know already. However, failing to enforce the Act in the face of repeated breaches of the law would also undermine the ICO’s regulatory function – and the FOI regime as a whole.

The actual disclosures suggest that the ICO’s new approach was beginning to produce results but the policy appears to have fallen victim to the pandemic. When disclosing the documents the ICO stated, in June 2020, that the approach was now ‘out of date’ and that it had just ‘moved away from updating the activity tracker included in this response, therefore requests for a more up-to-date version are not likely to return any disclosable information.’ Instead, the relevant department ‘will from now on be concentrating on producing thematic reports, our FOI self-assessment toolkit, and sharing good practice.’

The fact that the ICO decided not to continue enforcement during the pandemic is no surprise. The ICO had already stated that it would not penalise authorities for failing to comply with FOI requirements during this period. [5] Any resumption of a compliance policy would have to start with the new situation as it then would be taking account of and making necessary allowances for the substantial delays arising during the pandemic itself. So how would naming authorities that had improved or failed to improve before the emergency harm the ICO’s work after it?

The answer is surely that it would not – unless the ICO had promised anonymity to the authorities concerned who would then regard it as breaking its word. That could explain the blanket secrecy over names. On the other hand, the ICO’s compliance policy promised that it would publish quarterly reports containing ‘details of the organisations who we have worked with to improve their compliance…the results of this work and any next steps’ as well as ‘examples of good practice and organisations who are meeting and exceeding expectations’. Would the ICO really undertake to disregard its own policy?

Whatever the cause, the published data does provide some insight. But the anonymisation makes it hard for the public to judge how well the policy had been working and might work again if reintroduced. It prevents the public seeing which authorities had responded to it and which had not. And the assertion that naming authorities would damage the ICO’s regulatory functions remains an inexplicable and disturbing reversal of its previous openness.


  1. Initially, this approach was to focus on central government and the police.
  2. The ICO data shows that between 2010 and 2017 monitored government departments included the Cabinet Office, Department for Education, Department for Work and Pensions, Home Office, Ministry of Defence, Ministry of Justice, Northern Ireland Office and Scotland Office. The Welsh Assembly Government and the Office of the First Minister and Deputy First Minister in Northern Ireland have been monitored, as has the BBC, Crown Prosecution Service, Equality and Human Rights Commission, Government Equalities Office, Highways Agency, Legal Services Commission, Rural Payments Agency and Transport for London. Monitored London councils were Barnet, Croydon, Ealing, Greenwich, Hackney, Hammersmith & Fulham, Islington, Kingston upon Thames, Lambeth, Newham, Southwark and Westminster. Other monitored councils were Babergh, Barnsley, Birmingham, Bromsgrove, Calderdale, Cornwall, Cumbria CC, Gravesham, Great Yarmouth, Kent, Kirklees, Lancashire CC, Manchester, Medway, NE Lincolnshire, North Somerset, Nottingham, Salford, South Tyneside, Surrey Heath, Trafford, Waveney and Wirral; British Transport Police, City of London Police, the Metropolitan Police, Essex Police, Surrey Police and Sussex Police. Monitored NHS bodies were Camden and Islington NHS Foundation Trust, North West Strategic Health Authority, East Lancashire NHS Trust and NHS South West London. See
  3. ICO, Information Rights Report, Management Board, 27 January 2014
  4. The authority would have a right of appeal against a notice to the First-tier Tribunal under section 57(2) of FOIA.
  5. ‘FOI and the coronavirus: a measured approach’ published by the ICO on 16 March 2020.


Scroll to Top