ICO should end its near invisibility on FOI

The mission statement of the Information Commissioner’s Office (ICO) is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Yet if you read its publicity, you’d be forgiven for thinking it was effectively a privacy regulator – the freedom of information (FOI) content is so limited as to be almost invisible.

The Campaign for Freedom of Information has analysed all speeches, statements, news items and blogs published on the ICO website between 1 January 2020 and 31 December 2021. This covers the last 2 years of former Information Commissioner (IC) Elizabeth Denham’s term of office. Our analysis reveals:

  • The IC did not give a speech on FOI in over 2 years.[1]
  • None of the ICO’s 54 statements during the period focussed on FOI.[2]
  • Only 2 out of 72 ICO news items (3%) focussed on FOI.[3]
  • Less than a quarter of ICO blog pieces (13/61) focussed on FOI.[4]
  • In total, just 8% (15/197) of the items analysed focussed on the ICO’s FOI responsibilities.

We also analysed the content of the ICO e-newsletters over the same two-year period. There were 18 newsletters, but:

  • Only 5% (8/161) of the items focussed on FOI.
  • A further 4% (7/161) focussed on both FOI and Data Protection.

These figures highlight how the ICO’s data protection focus has largely elbowed FOI off the page.

A 2021 ICO survey showed the results. While 66% of adults knew that the ICO was the UK’s data protection regulator, only 25% of adults in England, Wales and Northern Ireland knew that the ICO regulated FOI in those countries.[5]

Even when the ICO does something notable on FOI it often just appears somewhere on its website without mention in the ICO’s newsletter, let alone a news release – though it may be tweeted. For example:

  • The ICO failed to publicise the first FOI practice recommendation it served on any public authority in over a decade. The Campaign did so after spotting it on the ICO’s website.[6] The recommendation highlighted Waltham Forest Council’s multiple FOI failings including breaches of time limits, incorrect interpretation of the scope of requests, failure to specify which section of the FOIA it was refusing requests under, not providing information in a requester’s preferred format, not carrying out internal reviews properly and misapplying the cost limit.
  • A recent practice recommendation served on Bicester Town Council was also added to the ICO’s website without publicity. This was issued after a Tribunal suggested that a Council representative had ‘fabricated’ an account to suggest that it had responded to a request when it had not done so. The Campaign again highlighted it after noticing it on the ICO’s website.

In the past, practice recommendations warranted an ICO news release (see for example ‘Liverpool City Council criticised for Freedom of Information handling’, ‘Nottingham City Council receives recommendations regarding its records management practice’, ‘Greater Manchester Police criticised for freedom of information handling’, ‘Department of Health must improve its management of records’, ‘CLG ordered to improve handling of FOI requests’, ‘ICO issues practice recommendation to NOMS’, ‘Department of Health must improve FOI request handling’, ‘Information Commissioner intervenes to improve internal review process’, ‘Ministry of Defence criticised for freedom of information handling’) and attracted news coverage.[7] News releases would not only have drawn public attention to the specific failings of the authorities but warned other poor performers that they might face similar action. Practice recommendations have no legal force and if they are not publicised may have no impact at all.

  • A 2020 report on a major ICO programme to improve the timeliness of police responses to FOI and subject access requests was tweeted but not made much of, apart from a blog which described the findings in general terms. The ICO collected timeliness statistics for all police forces and monitored 12 under-performers, requiring them to publish action plans to improve. The blog did not highlight the fact that during a year of monitoring, the percentage of FOI requests answered on time increased from 71% to 82%; the number of requests over one year old decreased from 557 to 145 and the volume of requests awaiting completion decreased by 38% (3,135 requests). Over a 6-month period Cumbria police eliminated a backlog of almost 900 overdue requests and went from meeting the time limits in just 29% of cases to 100% compliance. However, three forces failed to respond to pressure for improvements and were issued with practice recommendations.

The ICO didn’t press release these findings or include them in its newsletter, denying itself and the improved police forces credit, missing a chance to demonstrate how poor performance can be turned round and limiting public pressure on poor performers.

A February 2022 follow-up report on the ICO police monitoring exercise has also appeared on the ICO’s website – without publicity or even a tweet. This provided detailed feedback on the impact of the ICO’s recommendations and the techniques which police forces have found to be effective. This would encourage other public authorities to adopt best practice but, again, the ICO has done nothing to draw it to their attention.

  • In January 2022, the ICO published an updated EIR/FOI casework guide explaining what requesters and public authorities should expect when it investigates complaints and when it may prioritise cases. The new guide has also not been publicised.
  • The ICO published over 2,500 FOI decision notices during the 2-year period, many finding that public authorities had wrongly withheld information or breached procedural provisions. None have featured in ICO publicity.[8] However, many examples of enforcement action taken under data protection and related legislation have been publicised, highlighting ICO interventions and the need for organisations to improve. In the early days of FOI, the ICO often used to press release significant decisions.[9]

In March 2022 the ICO published a blog by the Director of FOI and Transparency illustrating significant ICO decisions requiring disclosure about the Covid-19 pandemic and others finding that sensitive information had rightly been withheld.  Its March 2022 newsletter also highlighted updated FOI guidance on vexatious requests. These are welcome developments though much more is needed.

The ICO’s Head of Complaints and Appeals recently explained to a parliamentary committee how the underfunding of the ICO’s FOI work limited what it could do. He said there were 65 people in his department, 60 of whom are involved in casework and “It feels as if we are always close to that point at which we can take a breather and do some of the wider work we want to do—some of the engagement work, some of the teaching skills, wider guidance, greater engagement, and enforcement work.”

We have sympathy with the ICO over its funding position.  But that doesn’t explain its failure to publicise what it has done, a virtually cost-free exercise. This reinforces the impression that FOI is a low priority for the ICO. It encourages under-performing authorities to believe their failures will be ignored and reinforces a public view of the ICO as lethargic about its FOI role.

The low priority given to FOI was brought home in 2018 when the ICO published a draft Regulatory Action Policy setting out eight objectives for the year.  Every one was a data protection matter.  No FOI issue appeared, despite the severe delays faced by many FOI requesters. After we highlighted the one-sided nature of the objectives the list was dropped from the final document, but there was no indication that the priorities themselves had changed.

A 2021 survey by the Campaign showed that requesters faced delays of up to two and a half years in obtaining an initial response from government departments.

In 2018 the ICO introduced a more active FOI enforcement policy but this was abandoned when the pandemic struck.  The ICO now appears to be considering adopting a new version, an important step. A key element should be the use of enforcement notices requiring an authority which has failed to deal with a substantial backlog to answer overdue requests by a set deadline. The ICO has had this power since the FOI Act was introduced but inexplicably used it to deal with delays only twice in seventeen years. By contrast, it uses its full range of powers to deal with data protection breaches.

John Edwards, the new Information Commissioner, should ensure that the ICO enforces the FOI Act with the vigour that this important tool for accountability requires.  He should ask why the ICO has allowed its public profile on FOI to shrink to near invisibility, with only 3% of its news items focussing solely on FOI.  This contrasts with the regular stream of publicity for its data protection activities. The ICO’s DP focus is likely to increase still further, with new data protection legislation due this Parliamentary session. The ICO’s failure to publicise what it does on FOI undermines the impact of its work in this key area.  But the poor publicity is not itself the main problem, merely a symptom of the low priority that FOI receives at the ICO.  That is what must be addressed.



[1] Of the 10 speeches published on the ICO website, two contain a passing reference to FOI and another refers to the launch of a FOI toolkit for public authorities, but none have FOI as their focus.

[2] For example, a statement on 7 July 2021 about the ICO’s annual tracking survey said: “The survey of over 2,000 individuals monitors changes in what people think about data protection and freedom of information, and how they utilise their information rights”, but the figure used to illustrate this and the quote from the IC are purely about data protection.

[3] A news item on 17 July 2020 described the launch of the first phase of a FOI toolkit to help public authorities assess and improve their current FOI performance. An item on 13 March 2020 highlighted a council employee fined for committing an offence under section 77 of the FOI Act for deliberately destroying a record to prevent disclosure.

In addition, three news items related to both the FOI and Data Protection functions of the ICO: an item on 20 December 2021 about a consultation on the ICO’s Regulatory Action Policy; an open letter on 24 September 2020 from the IC on support during the pandemic and recovery period and an item on 20 July 2020 about the ICO’s Annual Report.

[4] Relevant blog pieces included: ‘Access to information: driving change through education, engagement and enforcement’ (12 November 2020); ‘Supporting you to meet your information access requests’ (24 February 2021);  ‘ICO launches investigation into the use of private correspondence channels at the Department of Health and Social Care’ (6 July 2021); ‘How the ICO uses its powers to enhance transparency and support public authorities’ (23 July 2021); ‘Government records communicated through private accounts have always been subject to FOI laws’ (4 November 2021).

[5] Scotland has its own FOI Act enforced by the Scottish Information Commissioner.

[6] Practice recommendations are listed on the ICO website. A practice recommendation can be issued where a public authority is failing to comply with the codes of practice on FOI and records management under sections 45 and 46 of FOIA. The Waltham Forest Practice Recommendation was the first to be served on a public authority since 2009.  Previous practice recommendations were issued to the Ministry of Defence (10 August 2009), Greater Manchester Police (31 March 2009), Department of Health (3 March 2009), Department of Communities and Local Government (3 November 2008), Department of Health (31 March 2008) and National Offender Management Service (10 March 2008). These are available from the bottom of this archived page of the ICO’s website.

[7] E.g. ‘Freedom of Information: Government breaches right-to-know laws’ and ‘Police handling of complaints slammed’.

[8] In February 2022, for the first time in over two years, the ICO’s newsletter listed the FOI decision notices issued by it that month but without referring to their contents.

[9] For example, ‘Information Commissioner orders disclosure of MPs expenses’ (24 February 2006), ‘Information Commissioner orders disclosure of Ryanair and Derry City Council Airport agreement’ (27 February 2006), ‘Information Commissioner issues Enforcement Notice concerning information on the legality of military intervention in Iraq’ (25 May 2006), ‘Worcester County Council right to refuse FOI request’ (16 June 2006), ‘Holidaymaker wins right to information on Legionnaire’s disease’ (27 July 2006), ‘ICO orders release of information on government inquiry into smuggling allegations by British American Tobacco’ (28 July 2006), ‘Gateway Reviews on ID cards should be made public’ (3 August 2006), ‘Information Commissioner rules: Network Rail subject to EIR’ (4 August 2006), ‘Information Commissioner orders disclosure of MPs’ travel expenses’ (12 September 2006), ‘Information Commissioner rules against Ofcom on mobile phone base stations’ (13 September 2006), ‘Epsom and St Helier University Hospitals NHS Trust right to refuse access to patient’s records under FOI’ (30 October 2006), ‘Noise data at Robin Hood Airport should be made public’ (29 November 2006), ‘Information Commissioner upholds Freedom of Information complaint against The National Archives relating to the 1911 census’ (13 December 2006), ‘Information Commissioner orders Defra to release ministerial advice’ (5 January 2007), ‘List of council properties should be made public’ (12 January 2007), ‘Liverpool Council ordered to release prostitution documents’ (19 January 2007), ‘Information on excessive expenses claims to be released under FOI’ (31 January 2007), ‘Council pension investments must be made public says Information Commissioner’ (1 February 2007), ‘Vexatious FOI request placed unreasonable burden on a public authority’ (20 February 2007), ‘More information to be released on ASBOs’ (9 March 2007), ‘ICO backs BBC in refusing to answer vexatious requests’ (4 April 2007), ‘Gloucestershire County Council right to refuse FOI request for petition details’ (4 April 2007), ‘Leeds City Council to release residents’ questionnaire responses’ (9 May 2007), ‘Information on identity cards to be made public’ (9 May 2007), ‘National Gallery right to withhold information under FOI’ (14 June 2007), ‘Councils right to withhold retirement details under FOI’ (14 June 2007), ‘Information Commissioner respects MPs’ private lives in ruling on their additional cost allowance’ (15 June 2007), ‘Home Office right to withhold information under FOI’ (18 June 2007), ‘Royal Mail ordered to release statistics on mail thefts’ (24 August 2007), ‘ICO backs four organisations for withholding information’ (20 September 2007), ‘Sheffield Teaching Hospitals NHS Foundation Trust ordered to release internal audit report under FOI’ (25 October 2007), ‘Police Service of Northern Ireland withheld information from FOI requester’ (15 November 2007), ‘Ministerial advice on Manchester United takeover reports should be released’ (13 December 2007).
