Data Protection and FOI

Data Protection and Freedom of Information

Getting information from public bodies

Access to general information

The Freedom of Information Act 2000 (FOIA) provides the right of access to recorded information held by a public authority. It applies to all categories of information held, with the exception of your own personal data.

The What do They Know site is run by UK Citizens OnLine Democracy and help people access information about central government, local government, Parliament, the NHS, the armed forces, state funded schools and universities and other public authorities.

The blog ‘Information Rights and Wrongs’ has some useful discussion of data protection issues and disclosure. See this post relating to the ‘balancing of interests test’ when considering if personal data should be disclosed.

The Information Commissioner’s Officer sets out a clear guide to making requests for information. In particular you are advised to consider the following points before making your request:


  • Is the information you want already available, for example, on the authority’s website?
  • Is the information you want your own personal data? (If so, you will need to make a subject access request, which we discuss below)
  • Is the authority likely to have the information? Public authorities must give reasonable advice and assistance to anyone asking for information, so you should feel free to ask for help in making your request.
  • Is the information you want suitable for general publication. The aim of the Freedom of Information Act is to make information available to the general public. You can only obtain information that would be given to anybody who asked for it, or would be suitable for the general public to see.
  • Some information, such as records about a dead relative, or documents you need for legal purposes, may not always be available under the Act. However, you may have a right to see the information you want under other legislation. The public authority holding the information you want should advise you.

It is also a good idea to think clearly about how you are going to frame your request. For example, a FOI request asking a LA to confirm ‘how many corrupt social workers it employs’ is very unlikely to meet with any useful response as this is simply too broad and general a request.

The ICO advises as follows:

If your request does lack any serious or clear purpose or if it is not focused on acquiring information, then the FOIA and EIR are probably not an appropriate means through which to pursue your concern. You might do better to explore whether there are other more suitable channels through which to take up the issue with the authority.

You should also bear in mind that the FOIA includes a safeguard against requests which exceed the cost limits for compliance (Section 12). The equivalent provision in the EIR is once again [Regulation 12(4)(b)] – manifestly unreasonable requests .

Therefore, if you are planning to ask for a large volume of information, or make a very general request, you should first consider whether you could narrow or refocus the scope of the request, as this may help you get what you really want and reduce any unnecessary burden or costs on the authority. Alternatively, you could try approaching the public authority for advice and assistance to help you reduce the scope of your request and cut down the cost of compliance – they have a duty to consider what advice and assistance they can provide.

Although you don’t have to say why you want the information, if you are happy to do so it might avoid a lot of wasted time and be more likely to get you what you want.


Access to information about you

The Data Protection Act 1998 (DPA) provides you with the right to access information that relates to you personally.

Section 7 allows individuals to make requests for their personal information, which is defined as data that must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the organisation’s possession).

Section 36 makes it clear that individuals do not need the consent of professionals to record meetings/visits, as the information being discussed in that situation is personal to them and therefore exempt from the data protection principles. There may be problems if the meeting is going to deal with issues relating to a third party. For further discussion about recording meetings between parents and social workers, see this post. 

Data Subject Access Request (DSAR)

Applying for information about yourself is called a Data Subject Access Request (DSAR). It can be helpful to ask the LA  for all documentation relating to your case, such as internal emails, if you are not happy with the way your case has been handled.

For further information, see the helpful Advice Sheet about access to records published by the Family Rights Group.

Children can also make requests, if they are considered to be sufficiently mature to understand what they are doing. To request your information, you should write to the Children’s Services department which is holding the information about you stating clearly what information you want and that you are asking for it under the Data Protection Act.

The Information Commissioner has provided a ‘Subject Access Code of Practice’ to help organisations deal with such requests for personal data by individuals. The maximum charge that can be made is £10 and organisations must respond within 40 days. 


How long can a LA hold information about you?

See this post from suesspicioussminds who discusses the case involving Northumberland County Council [2015] who were accused of acting unlawfully in holding on to data for 35 years. The claimant said he had been unfairly treated by the LA and he wanted his records destroyed. The Judge found that the LA were not acting unlawfully; there could be good reasons for holding on to such data – such as providing information to help later investigations into child abuse or malpractice.

Northumberland’s policy is:

… specifically to retain the records for 35 years after the case is closed, unless the child is or becomes looked after (in which case the retention policy is 75 years from the date of birth) or adopted (in which case the retention period is 100 years from the date of the Adoption Order).

Individual LA’s may have different policies and apply different time periods. What the Northumberland case makes clear is that this particular policy has survived legal challenge and found to be lawful. So it may be that information is retained for a considerable time.


Contact the Information Commissioner

The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. You can find out more here.

If you are not happy with the way a public body deals with your request for information,  you can make a complaint to the Information Commissioner.

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113
Fax: 01625 524 510
Email the Information Commissioner: [email protected]