Requesting information from a public body: freedom of information

Published: April 2025
Introduction
Everyone has a right to request information from public authorities. This is known as a Freedom of Information (FOI) request. This guidance provides information about how requests can be made, responded to, and times when information may be withheld.
Personal data (information which identifies you) cannot be requested through a Freedom of Information Act request. For information about requesting your personal data, see our guidance on subject access requests.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
What information you can request under FOI
You have a right to request recorded information held by public authorities.
Some examples of the types of information you can request in health and care include:
- Printed information - for example, paper copies of policies, letters or minutes of meetings
- Electronic documents - for example, spreadsheets that record staffing information such as numbers of nurses employed by a hospital or an email about setting up a new clinic
- Sound or video recordings - for example, a recording of a staff meeting at a local hospital
- Photographs - for example, of a hospital before it was renovated
Who you can request information from
In health and care, you can request information from organisations that are publicly funded, including but not limited to:
- NHS England
- NHS trusts and foundation trusts
- integrated care boards (ICBs)
- local authorities and providers of community health services, for example:
  - child health services
  - community paediatric clinics
  - intermediate care services
  - school health services
  - sexual health services
  - community end of life and palliative care services
  - mental health services
- Providers of NHS services including but not limited to:
  - GPs
  - hospitals
  - dentists
  - pharmacies
  - opticians
- Professionals or other organisations providing services on behalf of the NHS, including but not limited to:
  - dieticians
  - occupational therapists
  - osteopaths
  - physiotherapists
  - podiatrists
  - prosthetists and orthotists
  - radiographers
  - speech and language therapists
Some of the organisations and professions in this list, such as dentists and opticians, may provide NHS services as well as private services. For example, a dental practice may have both NHS patients and private patients, or an optician may offer NHS-funded eye tests as well as private eye tests. Where this is the case, the provider would only have to release information about their NHS work, and not about their private work, under an FOI request.
Professionals or hospitals, dentists, pharmacies and opticians which only provide private services would not have to provide any information under an FOI request.
Before submitting an FOI request
Before submitting an FOI request, it is worth checking whether the information you are looking for is already available on the organisation’s website. Many public authorities publish lots of information online, which may be quicker to find than making a request.
You can also check for previous FOI responses on the website What do they know?
How to submit an FOI request
FOI requests must be made in writing. Guidance on how to write an effective FOI request can be found on the Information Commissioner’s (ICO) website.
Requests may be submitted in different ways, for example by:
- letter
- fax
- text message
- online form
- social media
Large organisations may express a preferred method of receiving FOI requests, for example by online form, but you do not have to use that method. Organisations may not restrict or limit the ways requests may be submitted.
Charges for FOI requests
FOI requests are free to make, although the organisation may charge a fee to cover the cost of photocopying or postage. Where this applies, the organisation must let you know about the fee before completing the request.
Where the cost of an FOI request would exceed £450, organisations may refuse the request. If this is the case, they should provide you with information about how to simplify your request so that it does not meet this limit.
Protecting your identity
The FOI team in the organisation you submit your request to will not tell other parts of the organisation who you are when dealing with your request. The only exceptions to this are requests the organisation considers to be deliberate attempts to disrupt its work or waste its time. For example, when someone sends many similar requests to the organisation within a short space of time.
FOI response times
In most cases, organisations must respond to the request, either providing the requested information or telling you why they will not provide it, within 20 working days of receipt. However, in some circumstances, organisations may extend the response time. If they are going to do that, they will inform you first. The response time may also be paused if the organisation needs to contact you to clarify the request, or to request payment of a fee.
Information the organisation might not provide
Organisations should provide the requested information unless there is a reason not to. If they are not going to provide the information, they will let you know why.
Examples of reasons why a health and care organisation will not provide information include:
- they do not hold the information
- the information has already been published
- the information is about to be published in the near future
- the information could cause serious physical or mental harm to a person
- the information is legal advice
- the information would pose a security risk if shared
Further guidance about withheld information and what to expect after making a request is available on the ICO website.
In some cases, the organisation may respond by not confirming or denying if they hold the information requested. This is to protect information that should not be shared.
If you are not happy with the response
If you are not happy with the response to your FOI request, you can submit a complaint to the organisation. Organisations are required to conduct internal reviews and respond to all complaints.
Each organisation should provide information on their website about how to complain. If you are still unhappy with the response to your complaint, you can contact the ICO.
The difference between Subject Access Requests (SARs) and Freedom of Information requests (FOIs)
An SAR is a way for you to request copies of your own personal information (information that is about you) while an FOI is a way to request other information held by a public authority, usually relating to its operations.
You can read more in our SARs guidance.
Guidance for healthcare workers
How requests can be made
Members of the public can submit FOI requests for information held by your organisation. These requests must be in writing but may be submitted in any format such as email, letter, fax, text message, online form or on social media.
Verbal requests
If an individual verbally asks you for information, for example during a medical appointment, you should ask them to put the request into writing and provide them with information about who to contact. You should also tell them to include a contact email or postal address for the response to go to.
If you receive an FOI request, you should forward it to the team that deals with FOI requests in your organisation, likely to be the Information Governance (IG) team, as soon as possible.
Response times
In most cases the organisation must respond within 20 working days of receipt of the request, though in some circumstances this may be extended, such as when there are exemptions to be considered (see guidance for IG professionals for further information).
It is unlikely that you will be asked to input to the response, but you should provide support and assistance if asked.
Requests for information about staff
Information about named staff members is not routinely disclosed under FOI, as this is classed as personal data, although in some instances, where the information is about senior or public facing roles, information may be released on the basis that it is already publicly available (for example board member salaries published in annual accounts) or it is in the public interest to disclose.
Information relating to staff that is not personal data and does not identify a person, such as the number of nurses employed by the organisation, could be disclosed.
Guidance for IG professionals
Anyone can request recorded information held by your organisation via the FOI route.
Ways of receiving requests
A request must be made in writing and can be submitted through any written channel. It must include the requester’s name and contact details such as a return email or postal address. A request can be made in the name of an organisation, or by one person, such as a solicitor, on behalf of another. Requests may also be sent via third party websites, such as What do they know?
Organisations can state their preferred method of contact for FOI requests but may not limit contact to this method. You will need to provide details for the various channels through which someone can make a request, such as postal address, online form, and email address. Any relevant hard copy information about your services should inform people of how they can make FOI requests.
Online forms
If using an online form for individuals to submit FOI requests, it should contain the minimum number of fields possible for a valid FOI request in order not to discourage people from submitting requests. Online forms should automatically send the requester a copy of the request as confirmation of receipt and record of the content of the request.
Checking if a request is valid
When you receive a request, you need to check it is valid. Requests may come from human beings, organisations or be AI or bot-generated – all are valid if they include a name and email or postal address.
Requests which include attachments should be checked for potential malware designed to attack your network or IT systems.
Acknowledging receipt of the request
Once satisfied you have a valid request that doesn’t contain malware, you should acknowledge receipt of the request to the requester via their stated contact method.
Response times
Your organisation has 20 working days to provide a response to the request. You can extend the 20-day response time when:
- you need more time to consider whether the public interest test balance applies to withholding the information
- you are considering whether it is in the public interest to neither confirm nor deny the request
In these circumstances you can extend the time limit by a ‘reasonable’ amount. The FOIA does not define what a ‘reasonable’ extension is, though ICO guidance suggests the total response time should not exceed 40 days, except in exceptional circumstances.
Examples of exceptional circumstances may be when the organisation is under extreme pressure due to a major incident, or the FOI request is exceptionally complex and involves a number of external parties. Where an extension is applied, you should still issue a notice to the requester within the first 20 days, explaining why you need more time, and providing an estimated date for the final response.
Further information about applying extensions to the response period can be found on the ICO website.
Checking if you have already answered a request for the same information
You should check to see if you have previously responded to the same (or a similar) query. This could be done by:
- looking at previous FOI responses held on a database
- checking your disclosure logs
- checking your publication scheme
- checking other third-party websites that publish FOI responses
If you have responded to a previous request for the same information, you can re-use that response if it remains relevant and accurate and signpost the requester to it if it has been published.
It is good practice before re-sharing a response to check that it does not contain any hidden data (see section on checking responses for hidden data for further information).
Private information held by public bodies
While the FOIA only applies to information held by public authorities, some public authorities may hold datasets which include data from both public authorities and private bodies, for example data on treatment at NHS and non-NHS funded hospitals.
Case law establishes that the FOIA would only apply to the information which the public authority has an ‘appropriate connection’ to. If you are only holding the data on behalf of the private organisation (that is, storing it in your building), this is not likely to be considered an appropriate connection. However, if you are using the data for your own purposes, then it is likely to be in scope.
The ICO provides further guidance about how to make this determination.
Exemptions to releasing information
You will need to consider whether any exemptions apply to releasing the information. Each exemption works differently and needs to be considered carefully if you are looking to use it. As a rule, you should work towards disclosure unless an exemption applies, as opposed to finding a way for an exemption to apply.
Qualified exemptions
Some exemptions are qualified. This means that whether or not you can withhold the information is subject to a public interest test which you will need to carry out to help decide whether the public interest in withholding the information outweighs the public interest in disclosure. Please see specific ICO guidance on each exemption linked throughout for further information on conditions for applying these exemptions.
Information which may be exempt subject to a public interest test includes:
Information which is intended for publication in the near future
Exempt under Section 22 FOIA.
You can consider applying this exemption if the information requested is going to be published in the future, and it is reasonable not to disclose it until then. In health and care, examples of this may include minutes of board papers which you routinely publish on your website, your annual accounts or research which is soon to be published.
Information which if released, would make the UK or its citizens more vulnerable to a national security threat
Exempt under Section 24 FOIA.
In health and care, this is most likely to be relevant to information that would make national or regional infrastructure vulnerable to cyber-attacks.
Information which would prejudice the prevention and detection of crime
Exempt under Section 31 FOIA.
In health and care this may include information that would prejudice investigations into the improper conduct of professionals, an individual's fitness or competence in relation to a profession, the causes of accidents, fraud and more.
Information which would prejudice the conduct of public affairs
Exempt under Section 36 FOIA.
In health and care this means that the release of the information would impact your ability to offer an effective public service, for example, if the release of information would make your systems vulnerable to cyber-attack or require the diversion of significant resources to manage the impact. Where Section 36 is being relied on, you are also required to seek the opinions of your qualified person and document their advice.
Information which would, or be likely to, endanger the physical or mental health or safety of an individual
Exempt under Section 38 FOIA.
While information about living individuals will be covered under a personal data exemption, this exemption could cover, for example, non-health information relating to someone who has died whilst working for the organisation and where disclosure might cause mental distress to the family. In health and care, this exemption may also apply to information which could impact public health. (Refer to our guidance on accessing records of deceased individuals for further information.)
Information which is subject to legal professional privilege
Exempt under Section 42 FOIA.
In health and care this may include any form of legal advice sought, for example on new policies, services, contracts or in the process of disputes.
Absolute exemptions
Other exemptions are absolute. This means that you do not have to conduct any further tests before deciding to withhold the information.
Information which may fall under an absolute exemption includes:
Information which is already accessible to the applicant
Exempt under Section 21 FOIA.
You can consider applying this exemption when you know that the requestor already has the information, or when it is already in the public domain, for example when it is published on your website.
Information which has been supplied by a named security body
Exempt under Section 23 FOIA.
In health and care this may be information received from the National Crime Agency or the Government Communications Headquarters (full list of named security bodies available here)
Information which identifies a living person or is the personal information of the requester
Exempt under Section 40 FOIA.
Requests for the requester's own personal information should be handled under a Subject Access Request. You may need to consider whether requests that ask for information about small numbers of people (for example, rare diagnoses within a small rural area) may allow for the identification of an individual.
The Public Interest Test
The public interest test under FOIA requires you to weigh the public interest in maintaining the exemption against the public interest in disclosure whenever you are considering applying a qualified exemption. It is generally in the public interest to:
- promote transparency and accountability as a public body
- promote understanding amongst the public of your activities
- evidence good decision-making as a public body
- ensure integrity amongst public bodies
- ensure justice and fair treatment
- ensure the best use of public resources by public bodies
In order to apply a qualified exemption, organisations must assess and evidence that there is a stronger public interest in withholding the information. For example, it may also be in the public interest to:
- protect the safe space within your organisation to allow decision makers to assess policy options without public interference
- maintain the confidentiality of investigations to allow them to be safe and effective
- protect individuals from harm
- protect your ability to deliver services to the public
- protect your systems which allow you to deliver your services and prevent cyber risks
You should document your assessment showing how you have weighed arguments on each side.
Exemptions related to cyber-security
You should carefully consider the release of cyber-related information because it could increase your cyber risk. It may be safe to respond to a request asking about the number of cyber-attacks your organisation has had over the past 12 months, but to provide details of what those attacks were and whether they were successful is likely to increase the organisation’s cyber risk. All requests must be considered on a case-by-case basis and the specific risks associated with the request considered.
Jigsaw attacks/mosaic effect
Before disclosing any information, you should consider whether information which is already publicly available could be linked to the information you are about to disclose, and whether this would cause the information to fall under an exemption. For example:
- if the name of an NHS security contractor is already publicly available, and
- there is information in the public domain which describes vulnerabilities known in the contractor's services, and
- you receive a request asking what services you receive from that contractor, which would confirm that your organisation uses the services with known vulnerabilities,
then the requestor could piece the information together to get the bigger picture about the organisation's security. This is known as a jigsaw attack.
In these cases, you should consider whether an exemption would apply to the release of this information.
A ‘neither confirm nor deny’ response
A ‘neither confirm nor deny’ (NCND) response can be sent where simply acknowledging that you hold, or don’t hold, the requested information would disclose something about that situation or request.
Handling costly, vexatious, or improper requests
Organisations may be able to refuse to answer a request under Section 12 FOIA where there is evidence that complying would exceed a cost of £450 to the organisation. Examples of costs which may be considered as part of these calculations may include:
- staff time
- costs associated with special software needed
- the cost of retrieving and transporting information which is held off site
In this case the organisation should provide advice to the requestor about how to refine their request so that it does not meet this limit.
Organisations may also be able to refuse requests which they consider to be manifestly unjustified, inappropriate or making improper use of a formal procedure under Section 14 FOIA. For example, requests that contain abusive language or threats to staff members, regardless of the legitimacy of the request.
Refusing a request
If you are refusing to provide information on the grounds of an exemption, including refusing to confirm or deny whether information is held, you need to send the requester a refusal notice explaining why, within the appropriate time frame.
Refusal notices should be written in plain English, avoiding jargon and abbreviations where possible, so that they can be understood by the requester.
You must include the following information in a refusal notice:
- the exemptions being relied on to withhold information, including the section, subsection and wording of the exemption
- the reasons why you have applied the exemption
- the explanation of the public interest factors you have considered (if relevant)
- an explanation of your reasoning for concluding that the public interest favoured withholding the information (if relevant)
This would not apply if providing this detail would undermine the purpose of claiming the exemption.
Further information on writing a refusal notice is available on the ICO website.
Wilfully preventing disclosure
Wilful and deliberate action that takes place after a request has been received to prevent the disclosure of records and information is a breach and can lead to regulatory action by the ICO. Examples of wilful and deliberate actions include altering, defacing, erasing, blocking or withholding information from lawful disclosure.
Checking responses for hidden data
Before sending data in response to an FOI request, you should:
- Consider getting a second person to look over the response.
- Check any spreadsheets or documents you plan to release which can contain hidden data:
  - always extract data from the original source spreadsheet into a clean spreadsheet for disclosure
  - check for embedded or hidden documents as these may reveal exempted information
  - check for pivot tables, as these will link to the source data which may reveal exempted information
  - use the Inspect Workbook function to spot hidden columns in Excel and other Microsoft products
  - convert spreadsheets into a CSV file before disclosure, as this will reduce the risk of exempted information being inadvertently disclosed
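The spreadsheet checks above can also be run automatically before release. The following is an added example, not part of the original guidance or any ICO or NHS tool: it opens an .xlsx file as the ZIP package it is and reports hidden sheets, hidden columns and rows, pivot caches, embedded objects and external links. The function names and the sample workbook are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Package parts that carry data a reader of the visible sheets never sees.
RISKY_PARTS = {
    "xl/pivotCache/": "pivot cache (cached copy of the pivot table's source data)",
    "xl/embeddings/": "embedded object",
    "xl/externalLinks/": "link to an external workbook",
}


def _is_hidden(element):
    return element.get("hidden") in ("1", "true")


def audit_xlsx(data: bytes) -> list:
    """Return a list of findings about hidden content in an .xlsx package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as package:
        names = package.namelist()
        # Sheets marked "hidden" or "veryHidden" in the workbook part.
        if "xl/workbook.xml" in names:
            workbook = ET.fromstring(package.read("xl/workbook.xml"))
            for sheet in workbook.iterfind("m:sheets/m:sheet", NS):
                state = sheet.get("state", "visible")
                if state != "visible":
                    findings.append(f"sheet '{sheet.get('name')}' is {state}")
        for name in names:
            # Hidden columns and rows inside each worksheet part.
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                sheet = ET.fromstring(package.read(name))
                for col in sheet.iterfind("m:cols/m:col", NS):
                    if _is_hidden(col):
                        span = f"{col.get('min')}-{col.get('max')}"
                        findings.append(f"{name}: hidden columns {span}")
                rows = [r.get("r") for r in sheet.iterfind("m:sheetData/m:row", NS)
                        if _is_hidden(r)]
                if rows:
                    findings.append(f"{name}: hidden rows {', '.join(rows)}")
            # Pivot caches, embedded files and external links.
            for prefix, label in RISKY_PARTS.items():
                if name.startswith(prefix) and "/_rels/" not in name:
                    findings.append(f"{label}: {name}")
    return findings


def build_sample(clean: bool = False) -> bytes:
    """Build a constructed, minimal .xlsx-style package in memory (sample data)."""
    state = "" if clean else ' state="hidden"'
    flag = "" if clean else ' hidden="1"'
    ns = NS["m"]
    parts = {
        "xl/workbook.xml": (
            f'<workbook xmlns="{ns}"><sheets><sheet name="Summary" sheetId="1"/>'
            f'<sheet name="Source" sheetId="2"{state}/></sheets></workbook>'),
        "xl/worksheets/sheet1.xml": (
            f'<worksheet xmlns="{ns}"><cols><col min="3" max="4"{flag}/></cols>'
            f'<sheetData><row r="5"{flag}/></sheetData></worksheet>'),
    }
    if not clean:
        parts["xl/pivotCache/pivotCacheRecords1.xml"] = f'<pivotCacheRecords xmlns="{ns}"/>'
        parts["xl/embeddings/oleObject1.bin"] = "constructed placeholder"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        for name, body in parts.items():
            package.writestr(name, body)
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in audit_xlsx(build_sample()):
        print("FINDING:", finding)
```

An empty result covers only the package parts checked here; extracting the data into a clean spreadsheet or CSV file, as advised above, remains the safer route.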
If the requester has submitted their request via a 3rd-party website such as What do they know? you can check if they want their response to be sent via the website, or direct to them. Responses sent to 3rd-party websites will be publicly available to anyone who visits the website, so an inadvertent disclosure of exempted information would be available for anyone to see. On the other hand, responses sent directly to the individual will limit the impact of an unintended disclosure.
You should keep a copy of the request and response for future reference and note any of your responses that are published on gov.uk or 3rd-party websites. These can be used as a quick reference guide in case future requests for the same information come in.
Sending a response
The requested information, once identified, checked and any exemptions applied, should be sent to the person in the format they have requested.
It should be remembered that whilst the response is sent to the individual, it will be available to anyone in the world who can access your published responses.
Further guidance on responding to a request can be found on the ICO website.
Checking past responses
Given developing guidance around FOI requests and how to check for hidden data, it is good practice to undertake a review of past FOI responses. This can be done periodically as a form of ongoing audit, or as a one-off exercise where issues have been identified.
In deciding whether to undertake a review, and to what extent, organisations should consider:
- the robustness of historical processes and procedure in relation to FOI, in particular around checking for hidden data
- the effectiveness of training in place for staff handling FOI requests historically
- whether there has been any record of data breaches as a result of a response to an FOI request
Where your organisation has issued a large number of FOI responses and it is not possible to check them all, it may be appropriate to prioritise reviewing responses which present the highest risk of holding hidden data. For example:
- reviewing responses where spreadsheets have been provided, as these present the most risk of having hidden data
- reviewing responses issued to public platforms such as What do they know? as these are the most likely to be publicly available
- reviewing responses which have been identified as being sensitive or high risk
- reviewing responses from a particular period where you have identified that processes, procedures or training may have been below the expected standard
Tracking requests
Having a way to track requests can help organisations to ensure that responses are well managed and issued within the statutory deadlines.
The ICO have produced a request tracking template which can be used for this purpose.
Corporate information
To help your organisation manage FOI requests, it is advisable to routinely publish as much corporate information as possible.
You must publish a publication scheme, or make hard copies of information available at relevant locations or with public-facing teams such as the Patient Advice and Liaison Services (PALS). This is likely to reduce the number of incoming FOI requests.
Staff training
It is important to ensure that all staff receive training in the FOIA to ensure they understand their responsibilities and the importance of timely action in this area.
