What is the Freedom of Information Act (FOI)?

The General Data Protection Regulation (GDPR) is arguably the most extensive and comprehensive privacy regulation to date. But it is certainly not the first privacy regulation to come into effect. Indeed, it has multiple predecessors. Over time, different laws have been enacted to make the system more transparent to the public. The Freedom of Information Act 2000 is one such Act of Parliament; it received royal assent and came into force on 30th November 2000. In 2017 alone, 46,681 requests were received under the FOI Act. Why is the FOI Act so popular? What kind of information can be requested under it? And how will it coexist with GDPR? The answers to these and many more questions are explored in detail here.

What is the Freedom of Information Act (FOI) 2000?

The Freedom of Information (FOI) Act 2000 grants the general public the “right to access” information. Under this Act, anyone can access information held by public authorities. The information can be made public through voluntary publication, or members of the public can request specific information from the public authority.

Before the implementation of the Act, the general public knew only the limited information that public authorities published voluntarily. The draft bill for the Act was put before the Houses of Parliament in 1999, and it received royal assent and came into force on 30th November 2000.

Under this Act, any information held by public authorities in England, Northern Ireland, and Wales must be made accessible to the general public when requested. Scotland has its own FOI legislation. However, the FOI Act 2000 applies to UK-wide authorities based in Scotland.

Who comes under the purview of the Act?

The Freedom of Information Act 2000 gives the public the right to access information held by, and pertaining to, entities that perform functions funded by taxpayers’ money and that affect the life of the public at large. Three types of bodies come under the FOI Act. These include:

Public Authorities: Any public authority that operates in the UK comes under the FOI Act. For clarity, a complete list of public authorities is provided in Schedule 1 of the Act. The military, local public bodies, schools, police, colleges and so on come under the definition of a public authority in the context of FOI.

Publicly Owned Companies: These are companies that are wholly owned either by the public authorities listed in Schedule 1 or by the Crown.

Designated Bodies: These are designated by the Secretary of State. They are treated as public authorities if they are performing a function similar to that of a public authority or are contracted to do work that has been provisioned for a public authority.

Who is qualified to request information under FOI?

There are no qualifying criteria to request information under FOI.

FOI entitles anyone to file a request for information under the Act, irrespective of whether the person is a citizen or even a resident. Organisations can also make requests to get information about public authorities. Employees of a public authority can also request information under FOI 2000.

All that is required is for the person requesting the information to complete an application and send it to the public authority that they think holds the information they are looking for. The public authority is then liable to respond to that request.

What kind of information can be requested under FOI?

Freedom of Information (FOI) has been created to promote transparency and it achieves that purpose by making all the recorded information held by the public authority available to the public. So, it is not just official reports that can be requested under FOI. It also includes information security policy for emails, recorded phone conversations, video footage, official drafts, and more. Freedom of Information (FOI) also includes metadata, since technically, it is recorded information. So, the applicant has the right to not only ask for a document but also request details such as the author of the document and the time at which it was created.

Public authorities are only required to share information that is already recorded. So, if a Freedom of Information Act (FOI) request is placed with an organisation, it is only liable to share the relevant information that already exists in recorded form. It does not have to create a document to answer the query raised under the Act. Freedom of Information (FOI) also does not cover the personal information held by the public authority about a person or an organisation. For instance, personal employee records of the organisation are off-limits.

The Freedom of Information Act 2000 is enforced by the Information Commissioner’s Office (ICO), and organisations seek advice from the ICO.

How does FOI 2000 differ from GDPR?

The primary objective of the General Data Protection Regulation (GDPR) is to secure personal data by improving the processes involved in its collection, storage, and processing. It also aims to create transparency by providing people access to their data and giving them better control over how that data is processed. On the other hand, the FOI Act does not seek access to personal data, but information on the operations of a public authority.

GDPR is about protecting the basic right of individuals to their privacy. In contrast, the FOI Act involves removing opaque structures and bringing more transparency into the entire public system.


GDPR is a much stricter law than its predecessors. So, it will have a much more profound impact on the public than the Freedom of Information (FOI) Act. When a request is filed with a public authority for information that includes personal information belonging to another individual, the authority must determine the extent to which the requested information can be furnished in the name of transparency while maintaining the right to privacy of the individual whose information is sought by the applicant.

In fact, public authorities are required to appoint a Data Protection Officer (DPO) under GDPR. So, it is the responsibility of the DPO to determine what information should be provided to data subjects under the GDPR. In certain cases, the public authority can deny access to certain personal records, citing the privacy rights of the individuals.

The Freedom of Information (FOI) Act 2000 is a milestone in a democratic system. It gives people the right to question their government and its affiliated organisations about how their tax money is being spent. It is one of the most important checks and balances in the public space and introduces much-needed accountability. In a civil society, every member should be aware of this Act and should be able to use it to ensure that their government remains accountable.