1. A tool to help challenge FOI refusals — now on WhatDoTheyKnow

    If you’ve recently received a refusal to a Freedom of Information request you sent through WhatDoTheyKnow, you might have noticed our latest feature.

    As mentioned in a previous blog post we’ve been working on functionality to help people challenge refusals, and the first iteration of this is up and running.

    You might now see an automated notice above a refusal, identifying which exemption may have been applied. These are visible only to the person who made the request, and do not appear in every case; see more about that below.

    An alert saying "Bristol City Council may have refused all or part of your request under Section 43, Section 41, and Section 42. Get help to challenge it."

    Click ‘get help to challenge it’ and you’ll be presented with a series of questions about your request and the reply you received from the authority, to see whether there is any scope for a challenge.

    questions about the FOI request, including 'is the information that you requested commercial in nature?' and 'is the information yuo requested a contract?' from WhatDoTheyKnow

    Your answers to these questions will generate tailored advice on what to do next, also presenting you with editable fragments of text that you can use to get started with any challenge or request for clarification.

    Dear Bristol City Council, Please pass this on to the person who conducts Freedom of Information reviews. I am writing to request an internal review of Bristol City Council's handling of my FOI request 'property purchase - valuations, terms of sale and contracts'. As you may be aware, ICO guidance states that when applying a Section 43 exemption, an authority "must show that because [the information] is commercially sensitive, disclosure would be, or would be likely to be, prejudicial to the commercial activities of a person (an individual, a company, the public authority itself or any other legal entity)". This response does not appear to have included such details, so I am requesting that you conduct an internal review, and, if the exemption is upheld, show how the release would be prejudicial to commercial activities, and of whom.

    What’s the thinking?

    WhatDoTheyKnow has always existed to make it easier for anyone to make an FOI request, without having to be an expert in the law.

    We think we’ve got the initial part of that down pretty well (with the obvious caveat that there are always improvements to be made) — but up until now we haven’t directed a lot of attention to what happens after the authority responds.

    Even for seasoned users of FOI, but especially for those new to the whole area, it is daunting to receive a refusal from an authority. By their nature, FOI responses contain some legalese, and this can be enough to make the best of us think, ‘Ah well, they probably know more about it than I do’ — and give up.

    But another way of looking at it is that this legalese is there to help you. A body can’t just turn down your request because it doesn’t want to answer it: it has to say which exemption it is using under FOI law. If you know your way around that law, it is the key to understanding what to do next, and in fact, it’s this legal bumph that our code will be using to check what questions to ask you.

    Before we introduced this intervention, a good number of users just gave up when they received a refusal from an authority — and that’s fair enough. We’d been directing users to a generic help page with details of what options are broadly available for challenging a refusal, but only the very determined would take it further.

    And as we mentioned in our previous post, 22% of internal reviews (where you ask the request to be examined again, by a different member of staff at the authority) result in the full or partial release of information. It’s clear that bodies can, and do make mistakes sometimes.

    Our new functionality helps you discern where that might have happened, and put together a decent challenge.

    How it works

    When an FOI request is refused, the authority have to give the reason, and this has to be one of a set number of ‘exemptions’ — clauses in the FOI Act that list the circumstances under which an authority is not obliged to disclose information.

    Our code scans the response to identify which exemption/s have been applied. Remember, though, that this is just an automated best guess, so it’s still very much up to the user to check whether it’s correct!

    At the next stage the user will be asked: “Did the authority mention any of these exemptions when refusing your request?” and there is the chance to remove exemptions if they’re wrong, and add any that haven’t been picked up by the code.

    Checkboxes on WHatDoTheyKnow asking the user to confirm which exemption their request has ben refused under

    Then, informed by guidance from the Information Commissioner’s Office (ICO) for the identified exemption, we present a series of questions which should help you understand whether there are grounds for asking for an internal review.

    Depending on your answers, you’ll see some advice. This might simply tell you that the exemption seems to have been applied correctly; it might advise you to ask the authority to clarify areas where their response is unclear, or it could point out where it appears that there has been an error on the part of the authority.

    Image saying 'you may have grounds for an internal review' followed by four sentences saying much the same, on WhatDoTheyKnow

    Note the various variations on ‘you have/may have grounds for an internal review’ — this is because each conclusion has been generated by a different response to one of the questions. In this example, the user has four different potential challenges to the refusal:

    • The exemption seems to have been incorrectly applied
    • The authority hasn’t provided some evidence that they should have
    • The user has identified something about the contract that means the exemption shouldn’t have been applied to every part of it
    • The authority hasn’t demonstrated that disclosure would be prejudicial to business interests

    Whew! But if that’s a little overwhelming, there’s still some more support for the user.

    Click ‘request an internal review’ and you’ll be shown some fragments of text you can copy and paste into your reply to help you start composing it. These are just prompts: they can be edited or overwritten to reflect your specific situation, and to allow you to express yourself in the language you’d ordinarily use.

    Selection of different types of challenge to an FOI refusal, on WhatDoTheyKnow, eg "The authority refused to disclose the requested information on the grounds that it would be prejudicial to business interests, but has not demonstrated the likelihood of this prejudice occuring. As you may be aware, ICO guidance states that when applying a Section 43 exemption, an authority "must show that because [the information] is comme... Read more"

    Know your exemptions

    Some exemptions are used far more commonly than others: for example we discovered when we began this work that the most often applied was the Section 12 exemption, ‘where cost of compliance exceeds appropriate limit’ — that is, responding in full would cost the authority too much in terms of expense or manhours.

    Other common exemptions are Section 14 (turning down ‘vexatious’ or repeated requests for the same information); Section 40 (where the release would contain someone’s personal information); and Section 21 (where the information is already available elsewhere).

    It’s worth knowing basic facts around exemptions: for example, if some of the information you’ve requested is covered by an exemption (say, a portion of it would contain personal information) the authority should still be releasing the rest. And if they tell you it’s available elsewhere, they should also do all they can to point you to the relevant place.

    Some exemptions require a public interest test, where the authority must weigh up whether it is more beneficial for society as a whole to release the information than it is beneficial under the conditions of the exemption to refuse it. An example may be where the information relates to the UK’s defence capability, but would reveal something so important for the public to be aware of that any potential threat to national security is outweighed.

    For this first stage of the new functionality, we covered the 13 most commonly used exemptions out of the full 27. Also, our tool might miss some exemptions. If that’s the case, or the exemption can’t be identified, you simply won’t see anything on the request.

    Sharing knowledge

    The ICO provides detailed guidance for authorities about each exemption, and this has also proved invaluable for us as we strive to point out where there may be room for requesting a review. As we’ve learned while creating this functionality, law is not precise: in many cases it is open to interpretation, and legal challenges at tribunal act as precedents, helping to consolidate its exact meaning. The ICO guidance is basically an attempt to unify such interpretation.

    But the average person may not have the time to read up on the ins and outs of how this exemption or that should be applied, so we hope our sets of questions will give you a short cut towards understanding whether there’s a valid challenge to be made. Eventually, we hope it’s not too bold to suggest, the functionality may even increase the public’s understanding of FOI.

    We are, of course, keen that this initiative doesn’t place an extra burden on authorities. The mechanism should work just as well in pointing out where the authority has acted correctly, and so discourage pointless challenges.

    Where requests for internal reviews are made, the result should be that they are better informed, clearly structured and based on valid challenges. In time, this feature may even have the knock-on effect that authorities are incentivised to improve their initial responses, taking more care that exemptions are correctly applied.

    We know this isn’t perfect yet, so if you’re from an authority and you want to share feedback, please do let us know. And if you’re a member of the public and you see anomalies in the wording or interface, please do also get in touch. You can contact us here.

    Image: Andrew Fleming (CC by-nc/2.0)

  2. Challenging refusals: upholding the right to information

    We’re very pleased to say that we’ve been awarded funding by the Joseph Rowntree Charitable Trust to extend the Freedom of Information services we offer through WhatDoTheyKnow and WhatDoTheyKnow Pro.

    This work will support users in taking the next steps, if appropriate, when their requests for information are denied.

    A bit of background

    In the last few years, there has been a significant and sustained decline in FOI requests being granted by the UK government.

    According to the Institute for Government, the proportion of refused FOI requests reached a record level in the third quarter of 2019, with departments refusing to comply in full with more than half of all FOI requests that they received. This compares to around 40% in 2010 and around 30% in 2005.

    And yet, our research found that, when challenged, a large proportion of refusals were overturned, suggesting that the fault did not lie with the type of request being made. 22% of internal reviews resulted in the full or partial release of information, and a further 22% of appeals to the ICO led to all or some of the information being released.

    For local authorities, up to half of internal reviews – and just over half of all ICO appeals – led to the release of all or some of the information requested. In Scotland, with its own FOI regime, 64% of appeals to the Information Commissioner resulted in the full or partial release of information.

    And so, while acknowledging that some refusals are certainly legitimate, there is a clear case for challenging such responses. But to do so is daunting, especially for novice requesters who can understandably be discouraged by an official response citing exemptions in legalese.

    Our plan

    This new funding will allow us to approach the issue from four different, but interlinked directions, each intended to inform and support users in challenging government refusals of FOI requests.

    • When a WhatDoTheyKnow user confirms that they’ve received a refusal, we’ll be integrating context-sensitive advice. This will inform the user of their right to appeal, give clear guidance on how to assess whether the authority has complied with the law, and also advise on other channels, beside FOI, by which information may be obtained.
    • We’ll automatically identify which exemption has been cited in the refusal, giving us the ability to help users better understand why their request has been turned down.
    • Based on this finding, we’ll offer context-specific advice for the exemption identified. For example, if the request has been turned down because of cost, we’ll show how to reframe it to fall below the ‘appropriate limit’.
    • Finally, once the user has been fully informed, we’ll offer the support they need to escalate the request to an appeal.

    Ultimately we hope that this work will help reset the balance on the public’s right to access information, better enabling citizens, journalists and civil society to effectively scrutinise and hold authorities to account.

    As always, we’ll also be thinking hard about how to make all of this apply more universally, across the various legislatures that apply in jurisdictions where people are running sites on the Alaveteli platform.

    If this interests you, watch this space. We’ll be sure to update when we’ve made some progress on the project.

    Image: Tim Mossholder

  3. My FOI request’s been refused — so, what now?

    Our WhatDoTheyKnow.com service makes it really easy to request information from public bodies: all you need to do is describe the information you are seeking, send your request, and the authority provides it to you.

    At least, that’s what happens when everything goes smoothly.

    The default case

    When you request information, the authority generally has two duties under the FOI Act:

    • They must confirm or deny whether the information is held
    • If they do hold it, they must disclose it.

    But, there are circumstances – called exemptions – where the authority can withhold the information, or where they might not even state whether or not they have it at all.

    Understanding which exemptions have been applied will also help you to understand what to do next.

    The authority have confirmed they hold the information, but refused to release it

    Why have they refused?

    If your request is refused, the authority must say which exemption/s allow them to do so — have a good read of their response, and find out which one/s have been applied.

    You’re looking for a section number that refers to the part of the Act that explains why they can refuse. You can check on FOIwiki’s handy table for the full list of exemptions.

    Generally, when citing an exemption, the authority will also include the relevant text from the FOI Act, but if not, you can check it for yourself in the actual wording of the Act.

    Example of an authority explaining which exemption they have used

    They did not cite an exemption

    Authorities must say which exemption applies to your request — so, double-check that they haven’t done so (look in any attachments as well as in their main email), and once you are certain that they haven’t, write back and ask them to confirm which exemption they are using. Here’s an example of that in action.

    If you want to, you can quote the part of the FOI Act which says that they must do this: Section 17 (1)b:

    A public authority which, in relation to any request for information, is to any extent relying on […] a claim that information is exempt information must […] give the applicant a notice which—

    • states that fact,
    • specifies the exemption in question, and
    • states (if that would not otherwise be apparent) why the exemption applies.

    They did cite an exemption

    Once you know which exemption has been used, you are in a good position to examine whether it has been correctly applied .

    FOIwiki’s table lists all the exemptions that an authority can use, and includes some technical details about how they can be applied.

    Some exemptions have very little room for appeal and the decision to apply them is obvious: for example, the Ministry of Defence won’t release plans for an upcoming battle in a time of war, making a request for this type of information pretty futile.

    Others rely much more on the judgement of the authority who’s dealing with your request. Under Section 38, for example, a request can be turned down because it might ‘endanger the physical or mental health of any individual’– but in many cases, assessing how someone’s mental health might be affected by the release of information must require a certain amount of prediction.

    Some exemptions allow an authority to use additional tools for assessing whether or not to release information:

    • A public interest test
    • A prejudice test

    They said they’d applied a Public Interest Test

    Some exemptions, known as ‘qualified exemptions’, require the authority to apply a Public Interest Test. This may give you more opportunity to ask for a review.

    You can check the details of your exemption, and whether it’s qualified, in FOIwiki’s table.

    In short, a public interest test sees the authority  trying to weigh up the benefit to the general public of the information being released against the safeguards that the exemption is trying to provide, and decide which has more weight. The ICO provide good information about Public Interest Tests, with several examples of how they have been applied in the past.

    If you think you can demonstrate that the Public Interest Test has come down on the wrong side of this weighing up exercise, you may want to ask for an internal review — see the end of this article for next steps.

    They said they’d applied a Prejudice Test

    Some exemptions, called ‘prejudice based’ exemptions, require a prejudice test. Again, this might also give you more opportunity to ask for a review.

    You can check the details of your exemption, and whether it’s prejudice-based, on FOIwiki’s table.

    Generally speaking, it’s applied to exemptions which seek to protect certain interests — for example, Section 29 of the Act allows exemption where release might do harm to the economy.

    The prejudice test is a way for the person dealing with the request to check that the perceived threat is ‘real, actual or of substance’, and that there’s a reasonable risk that the release would cause the harm that the exemption is trying to protect against. There is a good explanation in the ICO guidelines.

    As with Public Interest Tests, if you can demonstrate that the Prejudice Test has come up with a decision that is arguably misapplied, you may want to ask for an internal review — see the foot of this article for next steps.

    They didn’t apply a Public Interest test

    This probably means that the exemption is “absolute”, which makes it hard to challenge.

    First, check on FOIwiki’s table that the Section the authority is using is an absolute exemption.

    If it is:

    • You might like to consider how cut-and-dried it is that the information falls within the class that the exemption protects. If it is clearly covered by the exemption (for example you have asked for information that is self-evidently provided to the authority by Special Forces) then there isn’t much point in going any further. But suppose you have been told that, under Section 21, the information is accessible via other means. Section 21 is an Absolute exemption but may be open to a challenge if, for example, there are circumstances which prevent you from accessing the information.

    If it’s not:

    • Ask the authority what public interest test they applied (or more details of how they applied it).

    The authority won’t confirm or deny whether they hold the information

    Why won’t they confirm or deny?

    If confirming or denying whether the information is held would actually reveal exempted information in itself, then the authority may refuse to do so.

    You can read more about this in the ICO’s guidance.

    Can I do anything if they ‘neither confirm nor deny’?

    Yes — you can challenge this stance if you have reason to believe that confirming or denying that they hold the information would not reveal exempted information in itself. However, it can be a time-consuming and potentially difficult route to take, and even if you are successful in getting the authority to confirm that they have the information, you may then find that an exemption is then applied, taking you practically back to square one.

    Next steps

    If you still want the information you’ve requested, there are some general tactics you can use when faced with an exemption:

    • Reduce the scope of your request: Check the exemption cited and, if possible, modify your request to circumvent it.
    • Ask for an internal review: if you think the exemption, public interest test or prejudice test has been wrongly applied, you can ask for another member of staff to assess your request and whether you should have received a full, or partial, response.
    • Appeal to the ICO: If you’ve had an internal review and still think the decision was wrong, you may make an appeal to the Information Commissioner’s Office.

    Read more about all of these routes on our guidance page.

    And here are some other useful links from the Information Commissioner’s Office:

    Finally, for now

    The ideal is, of course, to submit a request which does not trigger an exemption, as clearly this saves everyone’s time. You can see our advice on writing responsible and effective requests here.

    That said, full or partial refusals are not an uncommon occurrence — it’s totally routine for FOI responses to have some material removed (usually personal information such as names and roles of junior officials, or material identifying members of the public), or to turn the request down completely.

    There are just over 25 exemptions listed in the Act (the exact number depends on how you count subsections and variants), removing the obligation for bodies to provide information in categories as diverse as any and all communications with members of the Royal Family, to commercial interests and trade secrets — and all sorts of things in between.

    We’ll be examining the various exemptions available to authorities and suggesting ways in which you can avoid them.  Keep an eye on our blog — and we’ll also link to posts from this post as we publish them.


    Image: Scott Warman

  4. WhatDoTheyKnow used for research on FOI refusals

    When you send a Freedom of Information request through WhatDoTheyKnow.com, every part of the exchange is published online. Those who have browsed the site will know that you can read the correspondence around each request from beginning to end, including the initial enquiry, auto-replies, any holding letters, messages seeking clarification, and finally, the response — or refusal.

    We built the site so that, when information was released, that information would be available for everyone. The result is the massive online archive, all searchable, that you can find on WhatDoTheyKnow today. That being the case, why do we bother publishing out all the rest of the correspondence? Why not simply publish the end result, that is, the actual information?

    Well, we believe there’s value even in what you might consider the ephemera of everything else, not least that it helps demystify the various steps of the FOI process.

    This week, an article by ‘FOIMan’ Paul Gibbons showed that the publication of this material can also help with research. He was able to look at 250 ‘refusal notices’ — that is, times when authorities had turned down requests for information — and pull out examples of best and worst practice.

    The result will benefit us all, from those requesting information to those who process the requests: for the former, it sets out what to expect from a refusal, and for the latter, it highlights how to ensure that you are sticking to the law as well as ensuring a good experience for the public.

    A refusal, as Gibbons points out, does not have to be a shutting of the gates in the face of the requester: it can help educate, point people towards a better means of obtaining the information they need, or even clarify for the FOI officer where withholding the information may in fact be inappropriate. We’re very glad to have seen our data being used in this way.


    Image: Gemma Evans (Unsplash)