FOI/EIR FOI Section/Regulation

Ss 1, 10, 17

s50(4)

Issue Finding in breach of sections 1, 10 or 17
Line to take:

A breach of s.1(1)(b) will arise if the authority was obliged at the time of the request to disclose information, and failed to do so. A breach of 1(1)(a) will similarly arise where the authority had an obligation to confirm or deny that information was held and did not do so. Breaches of s.17, on the other hand, are based on whether the authority accurately communicated its reasons for refusing the request, not on whether it was correct to do so.

The authority has a chance to correct these breaches at internal review. The Commissioner will therefore consider what, if any, breaches of s.1(1)(a), 1(1)(b) and the subsections of s.17 have occurred at the time of completion of the internal review. I.e. if the information is disclosable, the Commissioner will find a breach of s.1(1)(b) where the public authority has failed to provide that information by the time of the completion of the internal review. If the public authority has not taken the opportunity to carry out an internal review then the Commissioner will consider the position as it stands at the statutory time limit for compliance under s.10.

Depending on this finding, there may also be additional breaches of sections 10 and/or 17 relating to the time limits. Section 10(1) applies only where there was a duty under s.1(1)(a) or (b) i.e. there was no exemption from these sections. Where the public authority was late in issuing a refusal notice, this is a breach of 17(1).

This line relates to fully-investigated cases, i.e. cases where the Commissioner has reached a finding on whether a s.1(1)(a) or (b) duty applied at the time of the request. Where information has been “scoped out” of the investigation, he will not usually make any finding on sections 1 and 10. For requests or elements of a request which are included in the decision but have not been fully investigated, for example because the information was disclosed during the investigation, or where the authority has never responded to the request at all, see LTT187 gateway line.

Further Information:

Background

Section 1 of the FOIA provides:

(1) Any person making a request for information to a public authority is entitled –

(a) to be informed in writing by the public authority whether it holds the information of the description specified in the request, and

(b) if that is the case, to have that information communicated to him.”

Section 10(1) of the FOIA provides:

“…a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.”

The Commissioner’s approach

The main principles guiding the Commissioner’s approach are as follows:

  • The Commissioner’s role is not to look at what the requester has received by the time the DN is issued, but to assess how the public authority dealt with the request (King v IC & DWP [EA/2007/0085]). However, the authority does get an opportunity at the internal review to reconsider its decision and correct any errors:

    “….the Act encourages or rather requires that an internal review must be requested before the Commissioner investigates a complaint under s50.  Parliament clearly intended that a public authority should have the opportunity to review its refusal notice and if it got it wrong to be able to correct that decision before a complaint is made…”  (McIntyre v IC & MoD, [EA/2007/0068]).

Therefore, any procedural breaches, other than those relating to time limits, should be based on what the authority had done by the time of the internal review.

If the authority does not take the opportunity to review its decision then the “cut off point” is the statutory time for compliance (normally 20 days – but see note below). This means that an authority which does not offer an internal review is at a disadvantage in relation to information which is disclosed, for example, after 30 days.

Note that this relates only to the finding of breaches. Whether an obligation under 1(1)(a) or 1(1)(b) exists, or whether an exemption can be relied upon, must still be determined by reference to the circumstances at the time of the request. So if the authority was under an obligation to disclose information at the time of the request, it will be found in breach of 1(1)(b) if it did not do so at least by the completion of the internal review.

  • Findings on 1(1)(a) and 1(1)(b) are based on what the authority should have done, i.e. what it would have done had it come to the same decision as the Commissioner. Note that section 1(1) is not just a general duty to respond to a request. It relates specifically to the two separate duties to confirm or deny that information is held (1(1)(a)) and to communicate the information (1(1)(b)). Therefore if an exemption applies there will be no breach of 1(1)(b). Similarly if there is an exclusion from the duty to confirm or deny, there will be no breach of either 1(1)(a) or 1(1)(b).

If you have not investigated whether any exemptions applied at the date of the request, for example because the authority disclosed the information during the investigation, then you will not be able to make a determination on sections 1(1)(a) and (b). In this case, you should not use this line but refer to LTT187.

  • Section 17 (refusal notices) requires an authority to accurately communicate any exemptions it is relying on, whether or not the Commissioner subsequently determines that those exemptions are correct. In other words, it is not dependent on the outcome of the rest of the case. Breaches of s.17(1)(a), (b) and (c) will be decided according to whether the authority had accurately communicated its position by the internal review response at the latest. The Commissioner will also find breaches of s.17 if the authority later seeks to rely on an exemption which it did not mention to the requester either in its refusal notice or its internal review (see LTT63).

  • Findings on section 10 (time limits) are based on the findings for s.1(1). Again, section 10 is not a general “time limits” section, but refers to the time for compliance with s.1(1)(a) and (b). If there are breaches of both 1(1)(a) and (b) then there will also be s.10(1) breaches for each of these failures. If there is no duty under section 1(1)(a) or (b) then there are no  related breaches of s.10.

  • A late refusal notice is a breach of 17(1), not 10(1). If the refusal notice is issued later than 20 days, or if there are deficiencies in the refusal notice at this point, there will be a breach of 17(1).

In order to apply the principles, you should follow these steps:

1. Determine what obligations the authority was under at the date of the request, i.e. whether it was required to confirm that it held or did not hold information and whether it was required to disclose any information.

2. Identify the “cut off point” for determining procedural breaches. In other words, if an internal review was carried out, determine when you consider this to have been completed. If no internal review was carried out, calculate the date for compliance under s.10 (usually 20 working days, but see note below).

3. Identify what actions the authority ought to have taken but had failed to take by the cut off point. This will give you the breaches of 1(1)(a) and 1(1)(b).

4. Identify whether the authority had given an adequate refusal notice by the time of the cut-off point. This will give you any breaches of s.17 in so far as it relates to the content of the refusal notice. Remember that the refusal notice must include any exemptions which the authority relied on at any point including during the investigation.

5. In addition, if the authority had a duty under 1(1)(a) and/or 1(1)(b) and did not meet the statutory time for compliance, find related breaches of 10(1).

6. If the authority refused the request but did not issue its refusal notice within the statutory time for compliance there is a breach of s.17(1). This applies whether or not we consider that the authority was correct to refuse the request.

Below is a table setting out the potential breaches arising in relation to sections 1 and 10. Section 17 breaches are covered in a separate section later in this line.

Breaches of s.1(1) and s.10.

Breaches of s.1(1) and s.10 are based on what you have found the authority should have done (i.e. what it would have done had it come to the same decision as the Commissioner). You must start by determining what the authority should have done, that is, whether it was under any obligation to confirm what information it held and to disclose it. If you are only investigating the 1(1)(a) duty, see the additional notes at the end of the table. If you are not making a finding as to what obligations the authority was under at the time of the request, do not use this table but see the LTT187.

The table below gives the breaches of 1(1)(a), 1(1)(b) and 10 which have occurred in a number of scenarios. This should be read in conjunction with the section below on s.17.

Upon completion of an investigation there will be one of five outcomes:

(1) the information requested is not held (and the authority is required to confirm this)

(2) the public authority is not required to confirm or deny whether the information is held

(3) the authority is required to confirm or deny whether the information is held but the Commissioner has not reached a finding (yet) on whether the information should be disclosed.

(4) the information is held but was not required to be released

(5) the information is held and should have been released.

Note that you may reach different outcomes in respect to different pieces of information captured by a request.

Once the case outcome has been determined, then use the table to identify what the public authority’s obligations were in those circumstances and what breaches of sections 1(1) and 10 arise if the public authority has failed to meet those obligations. It is important to read the whole section of the table that relates to the particular outcome you have reached in order to fully determine the public authority’s obligations in those circumstances

 

 

Case outcome

Relevant section of the Act

Description of action required by PA (failure to take such action will constitute a breach)

Additional information

(1) Information requested is not held, but the authority should have said this.

s1(1)(a)

PA should have confirmed to the complainant that the information is not held.

The Commissioner will find a PA in breach of s1(1)(a) if confirmation has not been provided by the completion of the internal review or the time for statutory compliance.

s10(1)

PA should have provided confirmation within the statutory time for compliance.

If the PA has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review.

(2) PA was not required to confirm or deny whether information is held

s1(1)(a)

PA was not required to confirm or deny whether the information is held and should have provided a refusal notice.

No breach of 1(1)(a), but see section on s.17 below.

s1(1)(b)

There is no obligation under 1(1)(b) if 1(1)(a) does not apply.

No breach.

s10

s10 refers to the time for compliance with s1(1) so does not apply.

No breach.

(3) The public authority was obliged to confirm or deny whether information is held

(where the Commissioner is investigating the authority’s reliance on an exclusion from 1(1)(a))

s.1(1)(a)

No exclusion applied and so the PA was required to confirm or deny whether information is held.

The Commissioner will find a PA in breach of 1(1)(a) if confirmation or denial has not been provided by the completion of the internal review (or the time for statutory compliance).

s.1(1)(b)

The Commissioner is not in a position to make a finding on whether the information is disclosable.

Do not find a breach (this may be the subject of a future investigation).

s.10(1)

PA should have provided confirmation or denial within the statutory time for compliance.

If the PA has not carried this out within the statutory time for compliance then the Commissioner will find a breach of 10(1).

(4) Information requested is not disclosable and should not be provided

(applies where either the authority has not claimed an exclusion from 1(1)(a) or else this has been dealt with and rejected in a previous decision notice)

s1(1)(a)

PA should have confirmed to the complainant that it holds the information requested

The Commissioner will find a PA in breach of s1(1)(a) if confirmation was not provided by the completion of the internal review or the time for statutory compliance.

1(1)(b)

The authority was not under an obligation to disclose the information.

No breach.

s10(1)

PA should have provided confirmation that information is held within the statutory time for compliance.

If the public authority has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of the date of any internal review..

(5) Information requested is disclosable and should be provided

(applies where either the authority has not claimed an exclusion from 1(1)(a) or else this has been dealt with and rejected in a previous decision notice – it is not possible to come to a conclusion on 1(1)(b) if the authority is claiming an exclusion from the duty to confirm or deny)

s1(1)(a)

PA should have confirmed to the complainant that the information is held

The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance.

s1(1)(b)

PA should have provided the information to the complainant

The Commissioner will find a PA in breach of s1(1)(b) if information is not provided by the completion of the internal review or the time for statutory compliance.

s10(1)

PA should have communicated the information within the statutory time for compliance.

If the PA has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of any internal review. There will be two breaches of s.10(1) if the authority has failed to meet the statutory time limits in relation to both 1(1)(a) and 1(1)(b).

Note that in practice breaches of 1(1)(b) are only likely to be found where the authority is still refusing to disclose this information. Where information has been disclosed during the investigation, the Commissioner will not reach a decision on whether s.1(1)(b) applied at the date of the request (see LTT188). Breaches of s.1(1)(a) can however be included if the authority confirmed that the information was held after the internal review (or statutory time for compliance) but before the DN is issued, as long as the investigation has established that the 1(1)(a) duty existed at the time of the request.

The statutory time for compliance

The date for statutory compliance is usually 20 working days after the date of the request. This has been extended for specific public authorities and in certain circumstances in accordance with the ‘Time for Compliance Regulations’ - see LTT47.

In addition under s10(3) a public authority may extend the time for compliance where it is necessary to do so in order to properly consider the public interest in maintaining an exemption. In such cases the public authority is still required to cite and explain the exemption claimed within the 20 working days. The extension to the time limit in s.10(3) applies only where it is necessary in order to consider the application of the public interest test, i.e. where a qualified exemption is engaged.

Moreover, the extension can only be for as long as is reasonable in all the circumstances. The Commissioner’s Good Practice Guidance 4 indicates that in no case should this be more than an additional 20 working days, i.e. 40 working days in total.Therefore where a public authority takes longer than 40 working days to comply with a request it will have breached s10(1) unless the Commissioner is persuaded that such an extension is reasonable because of exceptional circumstances. Any extension beyond the additional 20 working days may however raise good practice issues and should be referred to the Enforcement team

If the authority has not provided an internal review, then the statutory time for compliance will also be the last date at which it can comply with its obligations. If it has not done so by that date then it will be in breach.

Breaches of s.17

Section 17 requires the authority to accurately convey its position as to why it is refusing a request. Therefore, the outcome of the request is not relevant – there is no breach of s.17 for citing an exemption which did not apply.

  • There will be breaches of s.17(1)(a), (b) and/or (c), 17(5) or 17(7) if the public authority refused the request but failed to issue a refusal notice complying with those sections (as relevant) at or before the internal review, or at the statutory time for compliance if no internal review was carried out.
  • Breaches of s.17 will also be found if the authority seeks to rely on another exemption during the investigation which it had not mentioned at or before internal review (see LTT63)
  • There will additionally be a breach of s.17(1) if the authority issued its refusal notice later than 20 working days (or as extended by the Time for Compliance Regulations).

Where the public authority is seeking to rely on a qualified exemption, there will be a breach of s.17(1) if it fails to notify the requester of this within 20 working days (or as extended by the Time for Compliance Regulations) and a breach of 17(3) if it takes more than a further 20 working days to communicate the outcome of the public interest test.

Note that there is one limited circumstance (relating to vexatious or repeated requests – see s.17(6)) in which an authority is not required to provide any refusal notice.

Further guidance on 1(1)(a) only cases

When a public authority has claimed an exclusion from the duty to confirm or deny, the DN will relate only to section 1(1)(a). The decision notice itself cannot confirm or deny whether information is held as the authority may appeal the Commissioner’s decision and the Commissioner must not undermine this right of appeal by disclosing that information is (or is not) held. Therefore no finding on 1(1)(b) can be included in the decision notice.

If the Commissioner does not accept the authority’s reliance on an exclusion from the duty to confirm or deny, then the decision notice will order the authority to confirm or deny whether information is held and, in relation to any information which may be held, to either disclose it or issue a valid refusal notice.

The following breaches will be included in the DN:

  • s.1(1)(a)
  • s.10(1) related to the breach of 1(1)(a)
  • any breaches of s.17 as per the explanation on s.17 above

If the authority subsequently confirms that it holds information but refuses to release it, this may result in a further complaint to the Commissioner.

If a subsequent DN is issued, breaches will be investigated and recorded as normal following this line, i.e. as at the time of the internal review or the time for compliance with the original request, rather than as at the time for compliance with the earlier decision notice. Failure to comply with the decision notice would be dealt with as contempt of court instead. However, it is not necessary to repeat any breaches which have already been found in the earlier DN. Rather, the later DN can include a line referring to the earlier one and confirming that these findings still stand.

EIR

Although this line refers to the FOIA, the principles outlined in the “Commissioner’s approach” section above would also apply to cases under the EIR, reading in the equivalent provisions. The main differences are as follows:

  • The statutory time for compliance will be 20 working days in all cases, except where the authority can legitimately extend it to 40 due to the volume and complexity of the information.
  • Public authorities are under a legal obligation to provide an internal review in relation to EIR requests – see LTT191
  • “Not held” is an exception under the EIR, so a refusal notice would be required.
  • Whereas the right to information is split into two parts in the FOIA, s.1(1)(a) and s.1(1)(b), both aspects are covered by reg.5(1) of the EIR. There are very limited circumstances in which an authority can claim an exclusion from the duty to confirm or deny under the EIR; however such cases should be dealt with as for s.1(1)(a) cases (described above) with the exception that any breach of this obligation would be phrased as “reg.5(1) in so far as it requires the authority to confirm or deny whether it holds information”.

PREVIOUS / NEXT

Source Details
Policy Team, IT, GS

Bowbrick / Nottingham City Council

King / DWP (20 March 2008)

McIntyre / MOD (11 February 2008)
Related Lines to Take
LTT47, LTT63, LTT101, LTT187, LTT191
Related Documents
Awareness Guidance 11, EA2005/0006 (Bowbrick), EA/2007/0085 (King), EA/2007/0068 (McIntyre), Good Practice Guidance No.5
Contact LA / HD / KP
Date 06/06/2011 Policy Reference

LTT29