Freedom of Information Solicitors

If you have received a Freedom of Information request and are unsure whether you need to comply with it or not, please do not hesitate to get in touch. Our Data and Privacy Law team are on hand and available to provide specialist advice, assistance, and training in relation to all things FOI and would be happy to assist.

The Freedom of Information Act

The Freedom of Information Act 2000 (FOI) provides public access to certain information held by public authorities. This is done in one of two ways. The FOI obliges public authorities to publish certain information in relation to their activities publically. The FOI also permits members of the public to request information from public authorities, this is known as a Freedom of Information Request.

Who is a Public Authority for the purposes of FOI?

The Freedom of Information Act 2000 (FOI) provides public access to certain information held by public authorities. This is done in one of two ways. The FOI obliges public authorities to publish certain information in relation to their activities publically. The FOI also permits members of the public to request information from public authorities, this is known as a Freedom of Information Request.

What can a member of the public request?

The FOI includes all recorded information held by the public authority. It is not limited to information generated specifically by that public authority, so it can also include information the public authority has received from external sources. It does not matter what format the data is stored in, electronic copy, emails, hard copy letters, drafts, and notes are all equally encompassed under the FOI.

Individuals cannot request their personal data from public authorities via a FOI. If an individual seeks access to their personal data, they must submit a Subject Access Request under the GDPR.

Do we have to comply with an FOI?

There are a number of exemptions that can apply in order to prevent a public authority from making the requested information available. For example, if disclosing the requested information may have a direct and real risk of causing a negative consequence, the public authority need not comply with the request.

Is FOI compatible with other data protection laws?

The purpose of FOI is to provide transparency and remove unnecessary secrets in relation to the work carried out by public authorities. On the face of it, this may seem to compete with the GDPR’s aim of an individual’s right to privacy however the FOI and GDPR are not necessarily incompatible with each other.

When complying with a FOI request, it may be that an individual’s personal data is included in the information to be provided to the member of the public. This requires a balancing exercise to be undertaken to assess whether you are legally able to release the personal data under the FOI. The lawful reasons for processing under the GDPR should be considered.

How long do we have to comply with a FOI and can we charge?

You should comply with a FOI promptly. Most public authorities have up to 20 working days, starting with the day after the request was received, to comply, although this should be treated as the maximum amount of time permitted.

The FOI permits you to charge a fee in order to recover your costs of complying with the request, such as photocopying, printing and postage.

How Lupton Fawcett can help you

We have experienced Data Protection Solicitors ready to answer your enquiries about any data protection law issues via email or telephone.

Lupton Fawcett are a leading personal and commercial law firm in Yorkshire with well-established offices of highly experienced solicitors in Leeds, Sheffield and York.

We provide a personalised service, with sector specialists and extensive resources to ensure we are giving you the best solutions to your problems.

Within every area of law, we put your interests first.

Our specialist Freedom of Information Solicitors work regularly with clients across the United Kingdom including Bradford, Birmingham, Hull, Leeds, Liverpool, London, Manchester, Sheffield, York and Nottingham.

We can support your needs wherever you live in England, Wales, Northern Ireland and Ireland.

We will always respond promptly, and we will be happy to help.

 

 

Related Blog Posts

Data Law

Morrisons not responsible for data breach

The Supreme Court has today ruled that the grocery retailer was not liable for a substantial data breach committed by a disgruntled employee.

Pencil iconBy Alex Evans on 2nd April 2020

ICO provides clarification on Data Protection principles in light of Covid-19

ICO provides clarification on Data Protection principles in light of Covid-19

As is the case with many organisations across the globe, the Information Commissioner’s Office (ICO) has released responses to some frequently asked questions they

Pencil iconBy Ellie Leatherday on 27th March 2020

Keep calm and don't forget the GDPR! 1

Keep calm and don’t forget the GDPR!

The nation and world at large are currently gripped by a Covid-19 induced panic.

Pencil iconBy Ellie Leatherday on 16th March 2020

Data Law

UK law does not meet EU conditions for data adequacy

On 12 February 2020 the European Parliament stated in a resolution that it does not consider the UK data protection framework to be adequate. What impact could

Pencil iconBy David Baines on 19th February 2020

Data Law

Cavalier attitude to data protection leads ICO to levy its first fine under the GDPR

The long awaited and much anticipated first UK fine issued by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR) has

Pencil iconBy Ellie Leatherday on 3rd January 2020

Data Law

Important update for UK Digital Service Providers post Brexit

With Brexit on the horizon, deal or no deal, the Department for Digital Culture, Media and Sport has drafted updated compliance information for the Network

Pencil iconBy Joan Pettingill on 28th October 2019

Data Law

Immigration control & the GDPR

To what extent do employers need to comply with the GDPR when processing immigration data?

Pencil iconBy Ellie Leatherday on 22nd October 2019

Data protection – new changes which will shock employers

A patient’s right to access their data need not be a headache for GPs

A look at what effect the GDPR has had on a patient’s rights to access their data from their GP Practice and what steps

Pencil iconBy Joan Pettingill on 17th April 2019

Data protection – new changes which will shock employers

Damages for Breach of Confidence

The Court of Appeal has upheld an award of “Wrotham Park damages” in a business sale for breach of confidentiality, non-compete and non-solicitation covenants.

Pencil iconBy Simon Lockley on 9th January 2019

Data protection – new changes which will shock employers

Subject Access Requests under the GDPR – how are you coping?

Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on organisations that have to respond to Subject Access Requests (“

Pencil iconBy Louise Connacher on 7th August 2018

Data protection – new changes which will shock employers

Data Protection Act 1998 vs the GDPR – which applies?

In the aftermath of the furore on the 25 May 2018, the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues, has

Pencil iconBy Ellie Leatherday on 6th August 2018

Data protection – new changes which will shock employers

Data protection doesn’t apply to agricultural businesses – does it?

Recent changes to legislation mean that data protection law is something that agricultural businesses have to take seriously.

Pencil iconBy Louise Connacher on 4th January 2018

Why Choose Lupton Fawcett?

Having advised and supported many local families, individuals and businesses, we are proud to offer clients a dedicated service from specialist solicitors who are experts in their field:

We're Award Winning

We were awarded the Legal 500 HR/Employment Law team of the year in 2017

We're Connected

We're connected to the people, businesses and infrastructure throughout Yorkshire

We Put You First

You can be sure to expect superb client service from us. Our clients are our priority

We're accredited

Recognised by leading Legal Directories Chambers & Partners and the Legal 500

Frequently Asked Questions

What does GDPR apply to?

GDPR applies to the processing of personal data wholly or in part by “automated means” or forming part of a “filing system”. However, there are some exceptions, including that it doesn’t apply where personal data is processed by a person purely in the course of a personal or household activity.

Personal data means any information relating to an identified or identifiable natural person. This includes provisions which take into account advances in technology; therefore online identifiers, such as an IP address, are also included.  ‘Special categories of personal data’ or sensitive data, such as sexual orientation and religious beliefs, are covered by the GDPR and includes genetic and biometric data where it is possible to identify an individual as a result of that data being processed.

Who does GDPR affect?

The GDPR affects any individuals located in the EU and also any businesses, charities and other organisations that process personal data and are established or located in the EU, as well as those which are located outside of the EU but still process personal data of individuals located in the EU and/or sell goods to them.

Will I need to register with the Information Commissioner’s Office?

Unless your business is exempt, you are required to register with the Information Commissioner’s Office and pay an annual data protection fee. Your business may be exempt from paying the fee if it only processes personal data for specific purposes, such as staff administration, marketing, or accounts and records. Our team of solicitors can help you determine whether you need to pay a fee.

The amount of the fee varies depending upon the size of your business, but currently starts at a cost of £40.

Accountability

Organisations must show how they adhere to the GDPR’s principles by, for example, demonstrating what procedures are in place to protect the data that they hold. Many organisations will currently have in place adequate measures; however, it is likely that others will be required to examine and address their current practices to ensure compliance with the GDPR.

What rights does a data subject have?

Data subjects have several rights under the data protection legislation, including amongst others:

  • a right of access to their personal data (also known as a Subject Access Request or SAR);
  • a right of erasure of their personal data (also known as the “right to be forgotten”); and
  • a right of rectification of errors.

The timescales can be quite short and so prompt action may be needed. Under the GDPR, a request has to be responded to “without undue delay and in any event within one month of receipt of the request”.

If any information held is incorrect, the data subject is entitled to request that it is rectified. Where this information has been disclosed to third parties, the disclosing party is also obliged to ensure that this information is rectified.

Where there is no compelling reason for personal data to be held, a data subject has the right to request that the personal data be deleted. The data subject may also request that any processing of their data ceases. This request must be complied with unless there are compelling and legitimate grounds for processing that personal data.

Do I need to appoint a data protection officer (DPO)?

If you are a public authority or carry out large scale processing of special categories of data or the regular systematic monitoring of data subject on a large scale, then the data protection legislation states that in most circumstances you will be required to appoint a DPO.

Otherwise, appointment of a DPO is optional, although larger organisations may find that it is prudent for them to appoint a DPO to ensure compliance with the GDPR. 

Do I have to report all personal data breaches?

Any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data will be a personal data breach under the GDPR.

Not all breaches have to be reported; the ICO does not need to be notified if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals. Your business will also need to determine whether there has been, or there is likely to be, a high risk to the rights and freedoms of individuals. Decisions are then made whether the regulator, other controllers, and/or data subjects need to be informed.

What to do now?

Organisations should consider what policies and procedures they have in place, and whether these are adequate to meet the obligations imposed upon them under the GDPR. Where appropriate, any supply contracts should be considered to ensure that adequate rights are in place, for example relating to reporting of security breaches.

Get In Touch Today!

Get In Touch Today!

Please complete this form to make an enquiry and we will get back to you as soon as we can.

Remember you can still call us on 0333 323 5292 or email us at law@luptonfawcett.law

  • This field is for validation purposes and should be left unchanged.