ICO Support Public Authorities with Information Governance

18th August 2023

The Information Commissioner’s Office does not punish public authorities

Public authorities in the course of providing their services, may gather and hold a great deal of information on behalf of their citizens; there is a vital need to not only protect the privacy of this data but also respect individuals' rights to request access to information they hold.

Across the United Kingdom, the Information Commissioner's Office (ICO), uphold information rights, including those covered by: The Data Protection Act (DPA), the Privacy and Electronic Communications Regulations (PECR), General Data Protection Regulation (GDPR), and many more. Specific to public authorities the ICO also regulates the Freedom of Information Act (FOIA) and the Environmental Information Regulations (EIR), for bodies across most of the UK.

The Information Commissioner’s Office

We will take enforcement action where necessary to make a real difference to people’s lives.

Given the number of bodies and offices that fall within the FOIA, ‘who is classified as a Public authority?’ is designated under legislation; This includes the majority of central and local government bodies (departments, the NHS, Education, Blue Lights & council bodies) and organisations wholly owned by the public sector or the Crown.

While the ICO is responsible for authorities that operate in England and Wales, or UK wide, it is the Scottish Information Commissioner who are responsible for promoting and enforcing Scotland's FOI law to authorities operating solely within Scotland. The Northern Lighthouse Board which despite being based in Scotland and covering all Scottish lighthouses also incorporates the Isle of Man meaning it is regulated by the ICO.

The Environmental Information Regulations (EIR), relate to specific information requests on ‘environmental information’ such as land development, pollution levels, energy production, waste management and wildlife information - this is applicable to additional bodies such as the privately owned water companies are subject to responding to EIR requests.


The Freedom of Information Act (FOIA) gives members of the public the right to access certain information held by public authorities. The FOIA requires public authorities to respond to requests for information within an initial 20 working days - 30 days for The National Archives and 20 ‘school’ days for education establishments – to provide the information requested unless an exemption applies.

Despite clear regulatory obligations on public authorities to respond to requests promptly, some bodies fail to meet the required standards. This is not only frustrating for the requestors, but also undermines the fundamental principles of transparency and accountability that underpin the FOIA.

The Information Commissioner’s Office

Our wide-ranging regulatory role means we need to focus on areas where poor data protection practices have the greatest impact on people.

If a public authority consistently fails to respond to FOI requests within the required timeframe or provides incomplete or inaccurate information, the ICO has the power to issue corrective action or enforcement requests, which require said body to take specific steps to comply with the FOI Act, such as providing information that has been requested or improving its handling of FOI requests.

In addition to taking enforcement action against public authorities, the ICO also publishes an annual report on the performance of public authorities in responding to FOI requests. The report highlights areas of good practice, the best and worst performers and provide guidance to public authorities in areas where they need to improve their performance.

Automation and Self-Service

According to the ICO annual report for 2022/23, last year they were contacted by 132,414 people for advice on data protection, plus 39,781 complaints from people worried how organisations were handling their personal information. While not only handing queries and investigating complaints, the ICO also manage the register of data protection fee payers, which itself includes with more than 1 million organisations.

To manage all their given responsibilities while delivering the objectives of their three year strategic plan ICO25, the ICO have looked to improve efficiency and reduce their administrative burden through automation and empowerment.

The ICO have introduced a digital assistant to help guide organisations through their data protection fee payers’ journey and answer related questions - In the first year this handled around 110,000 customer queries. They have subsequently expanded these capabilities to allow self-service changes to fee-payer registration details, further freeing up their resources.

To help those help-themselves, the ICO have also established a FOI workplan and resources which includes: Digitised internal ICO training, engagement blogs, self-assessment toolkits, and response templates.

ICO Acting With Public Authorities

The ICO continues to take action against public authorities that have demonstrated consistently poor performance in responding to requests made under the FOIA. Looking to reduce reliance on punitive fines - as this comes from future budgets effectively punishing the citizenry twice – the ICO are instead supporting public authorities with compliance with practice recommendations, information notices, conducting audits, and only as a final stage implementing enforcement notices.

This is a reflection of the ICO’s renewed approach to regulating the Freedom of Information Act, proactively supporting public authorities and highlighting those who are “failing to meet their transparency obligations”.

The ICO's actions are not just about enforcing the law but also about improving the culture of openness and transparency within public authorities. By taking action against those that consistently fail to respond to FOI requests, the ICO is sending a message that openness and transparency are fundamental principles that must be upheld by all public authorities.

Overall, the ICO plays an important role in ensuring that public authorities comply with information regulations such as the FOIA and that individuals are able to access the information they are entitled to.

How Can We Help?

Civica Information Governance supports public authorities effectively respond to information requests under the FOI and EIR regulations, and all data controllers to adhere to the Data Protection Act and GDPR. Through automated workflows, scheduled reminders, compliant templates, self-service portals, and disclosure logs - you will wonder how you managed without it.

For your free demonstration simply click here