The British Information Commissioner's Office Is Setting an Example for Regulators Everywhere

Created on September 30, 2022

Legal GRC Market Analyst at Exterro

The UK Information Commissioner’s Office (ICO) issued two actions against government agencies under the Freedom of Information Act 2000 (FOIA), including its first enforcement action in seven years, signaling that it will be joining other regulators and DPAs in more vigorous enforcement of existing regulations.


On 8 September 2022, the ICO issued two FOIA actions: an enforcement notice to the Department of International Trade (DIT) and a practice recommendation to the Department for Business, Energy and Industrial Strategy (BEIS) for persistent failure to respond to Freedom of Information (FOI) requests within the required time limit.

Download the Alert Now!

The enforcement action against DIT comes on the heels of poor performance in meeting the required timelines for FOI requests—from January to March 2022, DIT had the worst response figures in the government, with over 50% of its responses being sent late. Its response time also fell the prior year, despite no apparent change in request volume or staffing circumstances. The action requires DIT to respond to its backlog of outstanding requests older than 20 working days within 35 calendar days and to publish an action plan to address any future delays.

Government FOI statistics also showed that BEIS consistently failed to respond to FOI requests on a timely basis; however, the delays were more understandable as BEIS has received a 55% increase in requests since 2020. Since BEIS engaged with ICO and had these mitigating circumstances, it received only a practice recommendation defining the steps it should take, including developing an action plan to improve performance, rather than a more serious enforcement action.

Who It Applies To 

While the ICO only took actions against two departments, there is no doubt that they intend for all government agencies to heed the requirements of FOIA 2000. John Edwards, UK Information Commissioner, issued a statement indicating ICO’s “new approach” to FOIA regulation, “I advise public authorities to take note and learn lessons from the action we have taken today, as we will be making greater use of our powers under the Act to drive good practice and compliance.”


A practice recommendation is not enforceable, and outlines the actions the agency must take to comply with the Code of Practice. If its performance does not improve, ICO can then issue an enforcement notice.

An enforcement notice requires the agency to take specific steps to comply with FOIA 2000, issued to address systematic or recurring breaches of the Code of Practice. Failure to comply with an enforcement notice may lead a finding of contempt of court against its subject.

Expert Analysis by Xavier Alabart, Founder, Principal Consultant, The Privacy Aces, LLC

The new Information Commissioner has made it clear that failing to meet FOIA’s obligations is not acceptable and banged the “learn lessons” drum to all Public Authorities. Considering the nature of the failures--persistent delay to respond--public authorities have no alternative but reviewing their FOIA process and streamlining it. Commercial workflow and tracking tools, like those used by the private sector to serve data subject access requests (DSARs), might be needed to support the FOIA request-to-delivery process and to help prioritizing and acting on individual requests so that most, if not all, are responded to in time.

Data Privacy Tip 

Public agencies can struggle to comply effectively with FOIA or other public record requests, especially when they’re forced to manage the process using spreadsheets and manual searches for relevant data. Find out how Exterro technology can help you manage FOIA and public record requests today.