Exceptions

When can we refuse a request for information?

In brief

A requester may ask for any information that is held by a Hall Of Fame Collection Archive. However, this does not mean we are always obliged to provide the information. In some cases, there will be a good reason why we should not make public some or all of the information requested.

We can refuse an entire request under the following circumstances:

  • The request would require high levels of cost and staff time to process.
  • The request is vexatious.
  • The request repeats a previous request from the same person.

In addition, the Freedom of Information Act contains a number of exemptions that allow us to withhold information from a requester. In some cases it will allow us to refuse to confirm or deny whether we hold information.

Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely to arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.

There is also an exemption for personal data if releasing it would be contrary to the General Data Protection Regulation (the GDPR) or the Data Protection Act 2018 (the DPA2018).

We can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but require us to apply a public interest test. This means we must consider the public interest arguments before deciding whether to disclose the information. So we may have to disclose information in spite of an exemption, where it is in the public interest to do so.

If we are refusing all or any part of a request, we must send the requester a written refusal notice. We will need to issue a refusal notice if we are either refusing to say whether we hold information at all, or confirming that information is held but refusing to release it.

When can we refuse a request on the grounds of cost?

The Act recognises that freedom of information requests are not the only demand on the resources of a public authority. They should not be allowed to cause a drain on time, energy and finances to the extent that they negatively affect normal public functions.

When calculating the costs of complying, we can aggregate (total) the costs of all related requests we receive within 60 working days from the same person or from people who seem to be working together.

How do we work out whether the cost limit would be exceeded?

We are only required to estimate whether the limit would be exceeded. We do not have to do the work covered by the estimate before deciding to refuse the request. However, the estimate must be reasonable and must follow the rules.

When estimating the cost of compliance, we can only take into account the cost of the following activities:

  • determining whether we hold the information;
  • finding the requested information, or records containing the information;
  • retrieving the information or records; and
  • extracting the requested information from records.

The biggest cost is likely to be staff time.

However, if the cost and resources required to review and remove any exempt information are likely to be so great as to place the organisation under a grossly oppressive burden, then we may be able to consider the request under section 14 (vexatious requests) instead.

Note that although fees and the appropriate limit are both laid down in the same Regulations, the two things must not be confused:

  • The cost of compliance and the appropriate limit relate to when a request can be refused.
  • The fees are what we can charge when information is disclosed.

What if we think complying with the request would exceed the cost limit?

If we wish to use section 12 (cost limit) of the Act as grounds for refusing the request, we should send the requester a written refusal notice. This should state that complying with the request would exceed the appropriate cost limit. However, we should still say whether we hold the information, unless finding this out would in itself incur costs over the limit.

There is no official requirement for us to include an estimate of the costs in the refusal notice. However, we must give the requester reasonable advice and assistance to refine (change or narrow) the request. This will generally involve explaining why the limit would be exceeded and what information, if any, may be available within the limits.

We should not:

  • give the requester part of the information requested, without giving the chance to say which part they would prefer to receive;
  • fail to let the requester know why we think we cannot provide the information within the cost limit;
  • advise the requester on the wording of a narrower request but then refuse that request on the same basis; or
  • tell the requester to narrow down their request without explaining what parts of their request take our costs over the limit. A more specific request may sometimes take just as long to answer.

If the requester refines their request appropriately, we will then deal with this as a new request. The time for us to comply with the new request should start on the working day after the date we receive it.

If the requester does not want to refine their request, but instead asks us to search for information up to the costs limit, we can do this if we wish, but the Act does not require us to do so.

Can we charge extra if complying with a request exceeds the cost limit?

Yes. If complying with a request would cost us more than agreed upon, we can refuse it outright or do the work for an extra charge, which covers:

  • the cost of compliance (the costs allowed in calculating whether the appropriate limit is exceeded); plus
  • the communication costs; plus
  • an hourly rate for staff time taken for printing, copying or sending the information.

We will not do this work without getting written agreement from the requester that they will pay the extra costs. We will also give the requester the option of refining their request rather than paying extra. The ‘time for compliance’ clock is paused in these circumstances, until we receive payment.

When can we refuse a request as vexatious?

As a general rule, we should not take into account the identity or intentions of a requester when considering whether to comply with a request for information. We cannot refuse a request simply because it does not seem to be of much value. However, a minority of requesters may sometimes abuse their rights under the Freedom of Information Act, which can threaten to undermine the credibility of the freedom of information system and divert resources away from more deserving requests and other business responsibilities.

We can refuse to comply with a request that is vexatious. If so, we do not have to comply with any part of it, or even confirm or deny whether we hold information. When assessing whether a request is vexatious, the Act permits us to take into account the context and history of a request, including the identity of the requester and our previous contact with them. The decision to refuse a request often follows a long series of requests and correspondence.

The key question to ask ourselves is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.

Bear in mind that it is the request that is considered vexatious, not the requester. If after refusing a request as vexatious we receive a subsequent request from the same person, we can refuse it only if it also meets the criteria for being vexatious.

We will be prepared to find a request vexatious in legitimate circumstances, but we should exercise care when refusing someone’s rights in this way.

When can we refuse a request because it is repeated?

We can refuse requests if they are repeated, whether or not they are also vexatious. We can normally refuse to comply with a request if it is identical or substantially similar to one we previously complied with from the same requester. We cannot refuse a request from the same requester just because it is for information on a related topic. We can do so only when there is a complete or substantial overlap between the two sets of information.

We cannot refuse a request as repeated once a reasonable period has passed. The reasonable period is not set down in law but depends on the circumstances, including, for example, how often the information we hold changes.

What if we want to refuse a request as vexatious or repeated?

We will send the requester a written refusal notice. If the request is vexatious or repeated, we need only state that this is our decision; we do not need to explain it further. However, we should keep a record of the reasons for our decision so that we can justify it to the Information Commissioner’s Office if a complaint is made.

If we are receiving vexatious or repeated requests from the same person, we can send a single refusal notice to the applicant, stating that we have found their requests to be vexatious or repeated (as appropriate) and that we will not send a written refusal in response to any further vexatious or repeated requests.

This does not mean we can ignore all future requests from this person. For example, a future request could be about a completely different topic, or have a valid purpose. We must consider whether the request is vexatious or repeated in each case.

When can we withhold information under an exemption?

Exemptions exist to protect information that should not be disclosed, for example because disclosing it would be harmful to another person or it would be against the public interest.

The exemptions in Part II of the Freedom of Information Act apply to information. This may mean that we can only apply an exemption to part of the information requested, or that we may need to apply different exemptions to different sections of a document.

We do not have to apply an exemption. However, we must ensure that in choosing to release information that may be exempt, we do not disclose information in breach of some other law, such as disclosing personal information in contravention of the GDPR or the DPA 2018. Nor do we have to identify all the exemptions that may apply to the same information, if we are content that one applies.

We can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but are ‘qualified’. This means that before deciding whether to withhold information under an exemption, we must consider the public interest arguments. The Act requires us to disclose information unless there is good reason not to, so the exemption can only be maintained (upheld) if the public interest in doing so outweighs the public interest in disclosure.


In this case, even though the information fell within an exemption, the public interest favoured disclosure.

We can have extra time to consider the public interest. However, we must still contact the requester within the standard time for compliance to let them know we are claiming a time extension.

When can we use an exemption to refuse to say whether we have the information?

In some cases, even confirming that information is or is not held may be sensitive. In these cases, we may be able to give a ‘neither confirm nor deny’ (NCND) response.

Whether we need to give a NCND response should usually depend on how the request is worded, not on whether we hold the information. We should apply the NCND response consistently, in any case where either confirming or denying could be harmful.

Unless otherwise specified, all the exemptions below also give us the option to claim an exclusion from the duty to confirm or deny whether information is held, in appropriate cases.

If we think we may need to claim an exclusion from the duty to confirm or deny whether we hold information, then we will need to consider this duty separately from the duty to provide information. We will need to do this both:

  • when we decide whether an exemption applies; and
  • when we apply the public interest test.

If it would be damaging to even confirm or deny if information is held, then we must issue a refusal notice explaining this to the requester. In this situation we would not expect to go on to address the separate question of whether any information that is held should be disclosed, at this stage. We will need to do this only if the requester successfully appeals against our NCND response and we do actually hold some information.

However, if we decide that we are willing to confirm or deny whether information is held, and we do in fact hold some information, then we will need to immediately go on to consider whether that information should be disclosed.

What exemptions are there?

Some exemptions apply only to a particular category or class of information, such as information held for criminal investigations. These are called class-based exemptions.

Some exemptions require us to judge whether disclosure may cause a specific type of harm, for instance, endangering health and safety, prejudicing law enforcement, or prejudicing someone’s commercial interests. These are called prejudice-based exemptions.

This distinction between ‘class-based’ and ‘prejudice-based’ is not in the wording of the Act but many people find it a useful way of thinking about the exemptions.

The Act also often refers to other legislation or principles of law, such as confidentiality, legal professional privilege, or data protection. In many cases, we may need to apply some kind of legal ‘test’ - it is not as straightforward as identifying that information fits a specific description. It is important to read the full wording of any exemption, and if necessary consult our guidance, before trying to rely on it.

The exemptions can be found in Part II of the Act, at sections 21 to 44.

What is ‘prejudice’ and how do we decide whether disclosure would cause this?

For the purposes of the Act, ‘prejudice’ means causing harm in some way. Many of the exemptions listed below apply if disclosing the information we hold would harm the interests covered by the exemption. In the same way, confirming or denying whether we have the information can also cause prejudice. Deciding whether disclosure would cause prejudice is called the prejudice test.

To decide whether disclosure (or confirmation/denial) would cause prejudice:

  • We must be able to identify a negative consequence of the disclosure (or confirmation/denial), and this negative consequence must be significant (more than trivial);
  • We must be able to show a link between the disclosure (or confirmation/denial) and the negative consequences, showing how one would cause the other; and
  • there must be at least a real possibility of the negative consequences happening, even if we can’t say it is more likely than not.

Section 21 – information already reasonably accessible

This exemption applies if the information requested is already accessible to the requester. We could apply this if we know that the requester already has the information, or if it is already in the public domain. For this exemption, we will need to take into account any information the requester gives us about their circumstances.

When applying this exemption, we have a duty to confirm or deny whether we hold the information, even if we are not going to provide it. We should also tell the requester where they can get it.

This exemption is absolute, so we do not need to apply the public interest test.

Section 22 – information intended for future publication

This exemption applies if, when we receive a request for information, we are preparing the material and definitely intend for it to be published, and it is reasonable not to disclose it until then. We do not need to have identified a publication date. This exemption does not necessarily apply to all draft materials or background research. It will only apply to the material we intend to be published.

We do not have to confirm whether we hold the information requested if doing so would reveal the content of the information.

This exemption is qualified by the public interest test.

Section 22A – research information

This exemption applies if, when we receive a request for information,

  • we hold information on an ongoing programme of research;
  • there is an intention by someone – whether an individual or organisation, private or public sector – to publish a report of the research; and
  • disclosure of the information would or would be likely to prejudice the research programme, the interests of participants in the programme, or a public authority holding or intending to publish a report of the research.

So long as the research programme is continuing, the exemption may apply to a wide range of information relating to the research project. There does not have to be any intention to publish the particular information that has been requested, nor does there need to be an identified publication date.

We do not have to confirm whether we hold the information requested if doing so would reveal the content of the information.

This exemption is qualified by the public interest test.

Sections 23 and 24 – security bodies and national security

The section 23 exemption applies to any information we have received from, or that relates to, any of a list of named security bodies such as the security service. We do not have to confirm or deny whether we hold the information, if doing so would reveal anything about that body or anything we have received from it.

This exemption is absolute, so we do not need to consider the public interest test.

The section 24 exemption applies if it is “required for the purpose of safeguarding national security”. The exemption does not apply just because the information relates to national security.

Section 25 is not an exemption, but gives more detail about the certificates mentioned above.

Sections 26 to 29

These exemptions are available if complying with the request would prejudice or would be likely to prejudice the following:

  • defence (section 26);
  • the effectiveness of the armed forces (section 26);
  • international relations (section 27);
  • Government relations (section 28);
  • the economy (section 29); or
  • the financial interests (section 29).

Section 27 also applies to confidential information obtained from other states, courts or international organisations.

All these exemptions are qualified by the public interest test.

Sections 30 and 31 – investigations and prejudice to law enforcement

The section 30 exemption applies to a specific category of information that a public authority currently holds or has ever held for the purposes of criminal investigations. It also applies to information obtained in certain other types of investigations, if it relates to obtaining information from confidential sources.

When information does not fall under either of these headings, but disclosure could still prejudice law enforcement, section 31 is the relevant exemption.

Section 31 only applies to information that does not fall into the categories in section 30. For this reason sections 30 and 31 are sometimes referred to as being mutually exclusive. Section 31 applies where complying with the request would prejudice or would be likely to prejudice various law enforcement purposes (listed in the Act) including preventing crime, administering justice, and collecting tax. It also protects certain other regulatory functions, for example those relating to health and safety and charity administration.

Both exemptions are qualified by the public interest test.

Section 32 – court records

This exemption applies to court records held by any authority (though courts themselves are not covered by the Act).

To claim this exemption, we must hold the information only because it was originally in a document created or used as part of legal proceedings, including an inquiry, inquest or arbitration.

This is an unusual exemption because the type of document is relevant, as well as the content and purpose of the information they hold.

This exemption is absolute, so we do not need to apply the public interest test. We also do not have to confirm or deny whether we hold any information that is or would fall within the definition above.

Section 33 – prejudice to audit functions

This exemption can only be used by bodies with audit functions. It applies where complying with the request would prejudice or would be likely to prejudice those functions.

This exemption is qualified by the public interest test.

Section 34 – parliamentary privilege

We can use this exemption to avoid an infringement of parliamentary privilege. Parliamentary privilege protects the independence of Parliament and gives each House of Parliament the exclusive right to oversee its own affairs.

This exemption is absolute, so we do not need to apply the public interest test.

Sections 35 and 36 – government policy and prejudice to the effective conduct of public affairs

These two sections form a mutually exclusive pair of exemptions in the same way as section 30 and section 31.

The section 35 exemption can only be claimed by government departments. It is a class-based exemption, for information relating to:

  • the formulation or development of government policy;
  • communications between ministers;
  • advice from the law officers; and
  • the operation of any ministerial private office.

Section 35 is qualified by the public interest test.

For policy-related information held by other public authorities, or other information that falls outside this exemption but needs to be withheld for similar reasons, the section 36 exemption applies.

The section 36 exemption applies only to information that falls outside the scope of section 35. It applies where complying with the request would prejudice or would be likely to prejudice “the effective conduct of public affairs”. This includes, but is not limited to, situations where disclosure would inhibit free and frank advice and discussion.

This exemption is broad and can be applied to a range of situations.

Section 36 differs from all other prejudice exemptions in that the judgement about prejudice must be made by the legally authorised qualified person for that public authority. A list of qualified people is given in the Act, and others may have been designated.

In most cases, section 36 is a qualified exemption. This means that even if the qualified person considers that disclosure would cause harm, or would be likely to cause harm, we must still consider the public interest.

Section 37 – communications

This exemption has been changed since the Freedom of Information Act was first published.

All other information under the scope of this exemption is qualified, so the public interest test must be applied.

Section 38 – endangering health and safety

We can apply the section 38 exemption if complying with the request would or would be likely to endanger anyone’s physical or mental health or safety. In deciding whether we can apply this exemption, we should use the same test as we would for prejudice. This exemption is qualified by the public interest test.

Section 39 – environmental information

We should deal with any request that falls within the scope of the Environmental Information Regulations 2004 under those Regulations. This exemption confirms that, in practice, we do not also need to consider such requests under the Freedom of Information Act.

Only public authorities that are covered by the Regulations can rely on this exemption. A small number of public authorities, including public service broadcasters, are not subject to the Environmental Information Regulations. They should handle requests for environmental information under the Freedom of Information Act.

This exemption is qualified by the public interest test, but because we must handle this type of request under the Environmental Information Regulations, it is hard to imagine when it would be in the public interest to also consider it under the Freedom of Information Act.

Section 40(1) – personal information of the requester

This exemption confirms that we should treat any request made by an individual for their own personal data as a data protection subject access request. We should apply this to any part of the request that is for the requester’s own personal data. They should not be required to make a second, separate subject access request for these parts of their request.

If the information contains some of the requester’s personal data plus other non-personal information, then we will need to consider releasing some of the information under the UK GDPR or the DPA 2018 and some under the Freedom of Information Act.

This exemption is absolute, so we do not need to apply the public interest test.

Requested information may involve the personal data of both the requester and others.

Section 40(2) – Personal information

This exemption covers the personal data of third parties (anyone other than the requester) where complying with the request would breach any of the principles in the GDPR.

If we wish to rely on this exemption, we need to refer to the GDPR as the data protection principles are not set out in the Freedom of Information Act. 

This exemption can only apply to information about people who are living; we cannot use it to protect information about people who have died.

The most common reason for refusing information under this exemption is that disclosure would contravene GDPR principle (a) because there is no lawful basis for processing. Section 40(2) is an absolute exemption, so we do not need to apply the public interest test. However, we may need to include public interest arguments when considering lawfulness under principle (a).

Section 40 includes other provisions for people’s data protection rights, and these provisions are qualified by a public interest test.

Section 41 – confidentiality

This exemption applies if the following two conditions are satisfied:

  • we received the information from someone else; and
  • complying with the request would be a breach of confidence that is actionable (further information about what is meant by actionable is provided in our detailed guidance below).

We cannot apply this exemption to information we have generated within our organisation, even if it is marked “confidential”. However, we can claim it for information we originally received from someone else but then included in our own records.

To rely on this exemption, we must apply the legal principles of the test of confidence, which is a well established though developing area of law.

This exemption is absolute so we do not need to apply the public interest test. However, we will still need to consider the public interest in disclosure, because the law of confidence recognises that a breach of confidence may not be actionable when there is an overriding public interest in disclosure.

We should carefully consider how we use confidentiality clauses in contracts with third parties and set reasonable levels of expectations about what may be disclosed.

Section 42 – legal professional privilege

This applies whenever complying with a request would reveal information that is subject to ‘legal professional privilege’ (LPP). LPP protects information shared between a client and their professional legal advisor (including in-house lawyers) for the purposes of obtaining legal advice or for ongoing or proposed legal action. These long-established rules exist to ensure people are confident they can be completely frank and candid with their legal adviser when obtaining legal advice, without fear of disclosure.

This exemption is qualified by the public interest test.

Section 43 – trade secrets and prejudice to commercial interests

This exemption covers two situations:

  • when information constitutes a trade secret (such as the recipe for a branded product); or
  • when complying with the request would prejudice or would be likely to prejudice someone’s commercial interests.

Both parts of this exemption are qualified by the public interest test.

Section 44 – prohibitions on disclosure

We can apply this exemption if complying with a request for information:

  • is not allowed under law;
  • would be contrary to a retained obligation; or
  • would constitute contempt of court.

This exemption is often used by regulators.

The Freedom of Information Act does not override other laws that prevent disclosure, which we call ‘statutory bars’.

This exemption is absolute, so we do not need to apply the public interest test, but bear in mind that some statutory bars may refer to the public interest.

Can we withhold information about people who have died?

The GDPR and the DPA 2018 do not cover information about people who have died, so we cannot rely on a section 40 exemption to withhold this type of information.

This may be a particular issue if a public authority holds sensitive information such as health or social care records. Where we receive a request for this kind of information about someone who has died, the most appropriate exemption is likely to be section 41 (confidentiality). This is because the information would originally have been provided to a healthcare practitioner or social worker in confidence, and we consider this duty of confidentiality to extend beyond death.

Information about people who have died is likely to be covered by an exemption, because the Freedom of Information Act is about disclosure ‘to the world’ and it would often be inappropriate to make this type of information public. However, some requesters may have rights that allow them personally to access the information. For instance, the Access to Health Records Act 1990 gives the personal representative of the deceased (eg the executor of their will) the right to access their medical records. If we receive a request from someone who has the right to access the records in this way, we can refuse the request under section 21 (reasonably accessible) and handle the request under the Access to Health Records Act.

Can we have extra time to consider exemptions?

No, but if the exemption is qualified we can have extra time to consider the public interest test. In doing so we must:

  • identify the relevant exemption(s) before we can claim any extra time for the public interest test; and
  • write and let the requester know why we are claiming extra time.

When and how do we apply the public interest test?

If the exemption we wish to apply is qualified, then we will need to do a public interest test, even if we know the exemption applies.

If we think that we may need to claim an exclusion from the duty to confirm or deny, then we will need to consider the public interest test for this duty. We will need to do this separately from the public interest test for the duty to provide information.

For ‘neither confirm nor deny’ cases (NCND) the public interest test involves weighing the public interest in confirming whether or not information is held against the public interest in refusing to do this. The public interest in maintaining the exclusion from the duty to confirm or deny would have to outweigh the public interest in confirming or denying that information is held, in order to justify an NCND response.

Similarly, when considering whether we should disclose information, we will need to weigh the public interest in disclosure against the public interest in maintaining the exemption. We must bear in mind that the principle behind the Act is to release information unless there is a good reason not to. To justify withholding information, the public interest in maintaining the exemption would have to outweigh the public interest in disclosure.

Note that the wording of the test refers to the public interest in maintaining the exemption (or exclusion). In other words, we cannot consider all the arguments for withholding the information (or refusing to confirm whether it is held), only those which are inherent in the exemption or exclusion, ie those that relate directly to what it is designed to protect.

 

We can withhold information only if it is covered by one of the exemptions and, for qualified exemptions, the public interest in maintaining the exemption outweighs the public interest in disclosure. We must follow the steps in this order, so we cannot withhold information because we think it would be against the public interest without first identifying a specific exemption.

How much extra time can we have to consider the public interest test?

The law says we can have a “reasonable” extension of time to consider the public interest test. We consider that this should normally be no more than an extra 20 working days, which is 40 working days in total to deal with the request. Any extension beyond this time should be exceptional and we must be able to justify it.

To claim this extra time, we must:

  • contact the requester in writing within the standard time for compliance;
  • specify which exemption(s) we are seeking to rely on; and
  • give an estimate of when we will have completed the public interest test.

We must identify the relevant exemptions and ensure they can be applied in this case, for example, by considering the prejudice test before we do this. We cannot use the extra time for considering whether an exemption applies. We should release any information that is not covered by an exemption within the standard time.

When we have come to a conclusion on the balance of the public interest, we should:

  • disclose the information; or
  • write to the requester explaining why we have found that the public interest favours maintaining the exemption.

Is there anything else we need to know about exemptions?

Certain exemptions do not apply to historical records. Originally, a historical record was a record over 30 years old, although this has now been amended to 20 years by the Constitutional Reform and Governance Act 2010. This reduction is being phased in gradually over 10 years. In effect, from the end of 2013 the time limit is 29 years. It will reduce by another year every year until it reaches 20 years at the end of 2022. Other exemptions expire after 60 or 100 years. A full list of these can be found in section 63 of the Act.

When deciding whether or not an exemption applies, we will usually need to consider what information is already in the public domain. If the requested information or similar information is already publicly available, then this may affect:

  • whether the requested disclosure will still cause prejudice;
  • whether the test for applying a class-based exemption is still met;
  • where the balance of the public interest lies.

These will be important considerations in many cases.

If we are relying on an exemption to refuse the request, what do we need to tell the requester?

If we are relying on an exemption, we must issue a written refusal notice within the standard time for compliance, specifying which exemptions we are relying on and why.

If we have already done a public interest test, we should explain why we have reached the conclusion that the public interest in maintaining the exemption outweighs the public interest in disclosure.

If we are claiming extra time to consider the public interest test, we will not be able to give a final refusal notice at this stage, but we should explain which exemptions we are relying on. If our final decision is to withhold all or part of the information, we will need to send a second refusal notice to explain our conclusion on the public interest test.

If we are withholding information but are still required to reveal that we hold the information, we should also remember to do this.

What do we have to include in a refusal notice?

We must refuse a request in writing promptly or within 20 working days (or the standard time for compliance) of receiving it.

In the refusal notice we should:

  • explain what provision of the Act we are relying on to refuse the request and why;
  • give details of any internal review (complaints) procedure we offer or state that we do not have one; and
  • explain the requester’s right to complain to the ICO, including contact details for this.

What if we are withholding only parts of a document?

Often we can withhold only some of the information requested. In many cases, we can disclose some sections of a document but not others, or we may be able to release documents after having removed certain names, figures or other sensitive details (called ‘redaction’).

The Act does not lay down any rules about redaction. The following are guidelines for good practice.

  • Make sure redaction is not reversible. Words can sometimes be seen through black marker pen or correction fluid. On an electronic document, it is sometimes possible to reverse changes or to recover an earlier version to reveal the withheld information. We must ensure that staff responding to requests understand how to use common software formats, and how to strip out any sensitive information. Take advice from IT professionals if necessary.
  • In particular, we must take care when using pivot tables to anonymise data in a spreadsheet. The spreadsheet will usually still contain the detailed source data, even if this is hidden and not immediately visible at first glance. Consider converting the spreadsheet to a plain text format (such as CSV) if necessary.
  • Give an indication of how much text we have redacted and where from. If possible, indicate which sections we removed using which exemption.
  • Provide as much meaningful information as possible. For example, when redacting names we may still be able to give an indication of the person’s role, or which pieces of correspondence came from the same person.
  • As far as possible, ensure that what we provide makes sense. If we have redacted so much that the document is unreadable, consider what else we can do to make the information understandable and useful for the requester.
  • Keep a copy of both the redacted and unredacted versions so that we know what we have released and what we have refused, if the requester complains.
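As an added illustration of the spreadsheet point above (example code written for this page, not part of the Act or any official tool): an .xlsx file is a ZIP package of XML parts, and the check below lists pivot caches, hidden sheets and hidden rows or columns that would still travel with a released file. The function names and the sample package are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
M = f'xmlns="{NS["m"]}"'

def audit_xlsx(data: bytes) -> list:
    """List the places where an .xlsx package still carries data a viewer hides."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in sorted(pkg.namelist()):
            if name.startswith("xl/pivotCache/pivotCacheRecords"):
                # The cache is a copy of the source rows behind a pivot table.
                n = len(ET.fromstring(pkg.read(name)).findall("m:r", NS))
                findings.append(f"{name}: {n} cached source record(s)")
            elif name == "xl/workbook.xml":
                for s in ET.fromstring(pkg.read(name)).findall("m:sheets/m:sheet", NS):
                    if s.get("state", "visible") != "visible":
                        findings.append(f"sheet '{s.get('name')}' is {s.get('state')}")
            elif re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ws = ET.fromstring(pkg.read(name))
                hidden = lambda e: e.get("hidden") in ("1", "true")
                rows = [r.get("r") for r in ws.findall("m:sheetData/m:row", NS) if hidden(r)]
                cols = [c.get("min") for c in ws.findall("m:cols/m:col", NS) if hidden(c)]
                if rows:
                    findings.append(f"{name}: hidden row(s) {', '.join(rows)}")
                if cols:
                    findings.append(f"{name}: hidden column(s) starting at {', '.join(cols)}")
    return findings

def build_sample() -> bytes:
    """Constructed package with only the parts audit_xlsx reads (not a full workbook)."""
    parts = {
        "xl/workbook.xml": f'<workbook {M}><sheets>'
            '<sheet name="Summary" sheetId="1"/>'
            '<sheet name="Source" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {M}><cols><col min="3" max="3" hidden="1"/></cols>'
            '<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {M}>'
            '<r><s v="Name A"/></r><r><s v="Name B"/></r></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()
```

An empty list covers only the cases checked here and does not show that a file is safe to release, so converting to CSV remains the more reliable route.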

What if the requester is unhappy with the outcome?

Under the Act, there is no obligation for an authority to provide a complaints process. However, it is good practice (under the section 45 code of practice) and most public authorities choose to do so.

If we have a complaints procedure, also known as an internal review, we should:

  • ensure the procedure is triggered whenever a requester expresses dissatisfaction with the outcome;
  • make sure it is a straightforward, single-stage process;
  • make a fresh decision based on all the available evidence that is relevant to the date of the request, not just a review of the first decision;
  • ensure the review is done by someone who did not deal with the request, where possible, and preferably by a more senior member of staff; and
  • ensure the review takes no longer than 20 working days in most cases, or 40 in exceptional circumstances.

When issuing a refusal notice, we should state whether we have an internal review procedure and how to access it. If a requester complains even when we have not refused a request, we should carry out an internal review if they:

  • disagree with our interpretation of their request;
  • believe we hold more information than we have disclosed; or
  • are still waiting for a response and are unhappy with the delay.

Even if our internal review upholds our original decision (that, as at the date of the request, the information was exempt from disclosure) we may wish to release further information if circumstances have changed and our original concerns about disclosure no longer apply. We are not obliged to do this but it may resolve matters for the requester and reduce the likelihood of them making a complaint.