Freedom of Information: an overview
The goal of this post is to explain some of the key features of Freedom of Information (FOI) legislation and requests.
Some staff members are routinely involved with helping the Information Governance team coordinate responses to these requests, and are designated ‘go-to’ persons for particular information topics. These colleagues may need to know more about this topic, and some of the more detailed information in this blog is written with these colleagues in mind.
Other staff are less formally involved with coordinating responses, but may be asked from time to time to help provide information for requests (e.g. by their line manager, who is a designated person for FOI requests), so if you fall into this group you may find this helpful as a reference only, but don’t worry too much about the more technical details, especially in Section 4 on exemptions and refusals.
No member of staff, however, can afford to ignore this topic, if only because anyone in the organisation can receive a request. Furthermore, a request becomes “live” when it is received, not when it is read, and there is no requirement for FOI requests to be sent during business hours. It’s therefore necessary to be able to identify an FOI request, and to know what to do if you receive one, to avoid delays and to help ensure the University complies with this legislation.
The structure of this blog post is as follows. Initially, in section 2, I present a high-level overview of Freedom of Information legislation as it applies to the University. I then take a closer look at the procedure, in section 3, which should hopefully be helpful for all staff. I focus throughout on Freedom of Information (Scotland) Act 2002 (“FOISA”) requests, as these are the main type of FOI request we receive, though I briefly mention the other type, Environmental Information Regulations requests (or “EIRs”). Finally, in Section 4, I discuss some of the most common exemptions and refusals we apply with FOI requests (again, focusing on FOISA requests).
For simplicity, unless otherwise stated, when I refer to “FOI requests” below I will be referring to FOISA requests. The procedure outlined in Section 3, though, is almost identical for EIRs requests. At the end, I provide some links for further information, including information about some of the differences between FOISA and EIRs requests.
2. High-level overview
The Freedom of Information (Scotland) Act 2002 (“FOISA”) is legislation intended to promote the transparency and accountability of public authorities in Scotland. It is part of a broader UK-wide Freedom of Information regime, which includes separate Freedom of Information Acts covering England, Wales and Northern Ireland.
This Freedom of Information regime also includes complementary, and closely related, environmental information legislation — in Scotland, this is the Environmental Information (Scotland) Regulations 2004 (“EIRs”).
The FOISA and EIRs impose three main duties on public authorities:
- to proactively publish information about their work,
- to respond to requests for information, and
- to advise and assist requestors (often called “applicants”).
The right to information
Applicants have the right to ask for any “recorded” information held by public authorities. This includes all business-related paper and electronic records, including information contained in audio and video files.
An applicant can be a natural person, or a legal entity such as a company or other organisation, and can be located anywhere in the world.
Requests must be made in a “recordable format”, so a purely verbal request won’t suffice. Acceptable formats, though, include paper letters, email, voicemail and social media posts directed to an organisation, so there are many ways to submit a request.
As a public authority, the University needs to comply with the FOISA and EIRs. We need to respond to requests within 20 working days, which can be challenging for more complex requests. And, as noted above, there is also a requirement to proactively publish information (e.g. by providing regular updates on our website).
With any FOI request, there is a presumption in favour of disclosure. This means that while there are exceptions where information can be legitimately withheld, requested recorded information must be disclosed unless an exception applies.
3. Procedure in more detail
Identifying Freedom of Information requests
In practice, most FOI requests are sent by email to the University’s FOI email address. They do not, however, need to be sent to the FOI mailbox, and can be sent to anyone in the organisation. Consequently, recognising FOI requests is not just a matter for the Information Governance team: all employees need to know how to identify them.
To be valid an FOI request must be in a recorded format, as noted earlier. It must also include the applicant’s name and address, which can be an email address, and describe the information sought. Requests don’t need to refer to Freedom of Information legislation, though, so more general requests for information (including, for example, requests sent to the Media team) can often be processed as FOI requests.
One feature of FOI requests is a request for public disclosure of information, and this can offer a clue that a request for information could (or should) be processed as a Freedom of Information request. FOI requests, however, do not necessarily come “out of the blue”, and can develop from routine, business-as-usual, emails.
For example, a member of staff might be liaising with an external party, and operating entirely within the scope of their normal role, when an information request is made which should be treated as an FOI request. It might, for example, be made in the context of a complaint. If you feel uncomfortable about an information disclosure, perhaps because it goes beyond what you might ordinarily be expected to disclose, then this could offer another clue that a request for information is a Freedom of Information request.
Luckily, most FOI requests make some reference to the legislation, and/or state that they are FOI requests. But some do not — perhaps because the requester does not realise that they are making an FOI request — and it’s important to be mindful of this. If in doubt, please contact our team for advice. And if you think you have received an FOI request, please forward it to our team as soon as possible.
The statutory “clock” starts as soon as a valid FOI request is physically or electronically received by a public authority like Edinburgh Napier University. It is not necessary for the request to be read. An obvious problem with this for email requests is that staff are not always available to check their email. A request could be “received”, for example, when a staff member is on annual leave, meaning that the statutory deadline could be breached before anyone in the organisation becomes aware of the request.
We can limit this risk by using out-of-office auto-replies to inform applicants that they should divert FOI requests to our FOI mailbox (and thus improve our chances of responding in time). We recommend that all staff include this information in their out-of-office messages — further information on this is provided at the end. The statutory “clock”, though, still starts when such a request is “received” (provided it is valid).
Once an FOI request has been received it is sometimes necessary to liaise with the applicant to clarify what is requested. This could be because the request is insufficiently clear, but it can also be for other reasons, e.g. the request is overly broad and we would be unable to comply. This falls under our duty to provide reasonable “advice and assistance”, and can extend to helping an applicant make a valid request.
We sometimes liaise with colleagues to establish how best to seek clarification, as they can be in a better position than Information Governance to identify issues like ambiguities in the questions asked or problems with the scope of a request.
When we request clarification a case will usually be put “on hold”, and the statutory clock suspended, pending clarification from the applicant. Ideally this should be requested early in the timeframe of a request, so it is important to establish as quickly as possible whether the request needs clarification.
Processing the request
The first step in processing an FOI request is usually to establish whether the requested information is “held”. Whether information is held, however, is not the same as whether it is held centrally, and/or recorded officially, in such a way that it is readily accessible to staff. Rather, information is held if it is recorded anywhere in an applicable format (as noted earlier, this can include formats like emails, Teams conversations and handwritten notes).
If information is held, then the next step is to consider whether an exemption or other refusal is appropriate. I will say more about exemptions and refusals in the next section. I will also say more about when we can say that information is “not held”, and when we can refuse to say whether information is held or not (referred to as “neither confirm nor deny”).
Because it can be difficult to establish whether information is held, and time consuming to provide information when it is, we normally provide an informal internal deadline for staff. This is usually around 10 days after receipt of the request, although there can be some flexibility depending on availability of staff and the nature or complexity of the request. The goal, though, is to ensure that there is sufficient time to gather information, review it, and consider (sometimes in conjunction with senior staff) whether we should apply an exemption or other refusal prior to the 20 day statutory deadline.
Review and appeal process
If an applicant is unhappy with the response provided to their request, they can request an internal review. This must be requested within 6 months, and the University has 20 working days to respond.
If they remain dissatisfied following the outcome of an internal review, they can appeal to the regulator, Office of the Scottish Information Commissioner (OSIC). If OSIC investigates, it may either uphold or overrule a public authority’s decision (and, in the latter case, an authority might be required to disclose information previously withheld). If OSIC does not investigate (e.g. because the original FOI request was a repeated request), the applicant will be provided with an explanation.
4. Exemptions and refusals
As can be seen from the chart above, which shows exemptions and refusals used over a 12-month period in 2020-21, there are lots of potential legal reasons for refusing to provide information. This figure shows the reasons we relied on in the year from October 2020-September 2021, and does not include all possible legal bases.
For brevity, I will discuss here the top 5 of these bases: sections 17, 12, 25, 33(1)(b) and 38(1)(b) of the FOISA. These accounted for around 80% of the legal reasons used to refuse disclosure, so are those most likely to be encountered in practice.
Section 17: information not held
As noted earlier, information is “held” if it is recorded anywhere in the organisation, as a business record, in any of a wide range of formats. To establish whether information is held, we are required to carry out “reasonable and proportionate” checks. While we are not required to conduct absolutely exhaustive searches, as mentioned earlier we cannot draw the line at what is held “centrally” (e.g. in a more convenient and accessible database or spreadsheet). We need to consider what is, or could be, held anywhere within our records irrespective of whether these are easy to search or query. Paper documents held in storage, for example, might need to be examined.
As might be expected, FOI requests can highlight issues with records management within organisations e.g. information which applicants or even staff assume should be easy to find turns out to be stored in a less than ideal, or organised, way, and/or not held in a complete enough way to enable a response to a request.
In line with this, the FOISA Section 61 Code of Practice makes the point that FOI legislation relies on good records management, and that the right to information is “of limited value if information cannot be found when requested or, when found, cannot be relied upon as authoritative” (p.5). In addition to the three “main duties” imposed by FOI legislation, mentioned above, public authorities also have a duty to implement good records management practices.
Ordinarily, when responding to a request, public authorities will state whether the information requested is held (even before applying an exemption). Occasionally, however, the mere fact of disclosing whether information is held could disclose potentially compromising information. For example, disclosing whether ransomware attacks were recorded as having occurred could provide intelligence to would-be attackers about an organisation’s security capabilities. In such cases, it may be appropriate for an organisation to say that it can “neither confirm nor deny” that the requested information is held.
Section 12: cost
If we think that it would take considerable time and resources to locate, gather and collate information, we can refuse to comply with a request under section 12 of FOISA. The bar, however, is quite high for this: the cost must be over £600 for the organisation. Taking into account OSIC guidance on charges per hour, this translates into around 40 hours of work (and must exclude any time spent redacting, or discussing and applying exemptions).
Although this is a high bar, it’s not uncommon to receive a request which would take hundreds of hours to comply with. We can also issue a “fees notice”, and request payment from an applicant, if a request would take less than 40 hours to comply with but more than a certain threshold (around 14 hours). There is also no requirement to work up to the cost limit, so it can be important to evaluate how much time a request could take before starting the work — and this assessment can itself count towards the cost limit.
There is sometimes an interplay between “not held” and “cost” considerations. For example, we might not be sure whether information is held because it would take a long time to establish this with certainty. The choice then might be between section 17 if we think, on balance of probabilities, that the information is not held, and section 12 if we think that it is.
Section 25: information otherwise available
We can apply section 25 in cases where information is already in the public domain, and it’s possible to “reasonably obtain” it without requesting it via the FOISA. In many cases, where we apply this, the information will already be on our website (e.g. information about a service we provide, or contact details), although in some cases the information may be available via external websites (e.g. HESA non-continuation statistics).
We aim to use this exemption wherever possible. OSIC encourages public authorities to actively publish information, in line with their duty to do so (as mentioned above). The regulator may also use section 25 statistics (which we are obliged to provide, along with other FOI statistics) as a compliance indicator: an unusually low use of section 25 for one organisation in a particular sector, for example, may reflect poor availability of information on that organisation’s website.
Section 33(1)(b): commercial interests
About 15% of our requests in the “October 2020 — September 2021” period were from commercial organisations, which is a typical proportion of requests, and many of these were for financial and/or contractual information. Unsurprisingly, these requests can involve commercially sensitive information, and it may seem obvious that applicants are seeking to gain some commercial advantage from the disclosure.
It is entirely appropriate to consider a “commercial interests” exemption in these cases (section 33(1)(b) is the most common, but is not the only option available). The bar for applying this exemption, however, is high: it must be the case that disclosure “would, or would be likely to, prejudice substantially the commercial interests” of a public authority. The assessment must also be based on evidence, or at least strong arguments, and a speculation that the University’s commercial interests might be harmed (prejudiced) will not be enough.
Additionally, a general rule that the motivation or reason for a request should not be taken into account (i.e. that FOI responses should be “applicant-blind”) still applies. Thus, for example, a commercial advantage gained by an applicant from information disclosed might only be relevant, in terms of the exemption, if this “would, or would be likely to” substantially prejudice an ongoing tendering process and thereby harm the University’s commercial interests.
Section 38(1)(b): third party personal data
Finally, we can refuse to disclose information where we think this would, or could potentially, identify one or more “data subjects” (i.e. natural, living, persons).
Section 38 is complex, as it represents an intersection between Freedom of Information and Data Protection law. There are four exemptions within section 38, including section 38(1)(a) which exempts from disclosure “personal data of which the applicant is the data subject”. This is intended by legislators to steer applicants toward making “subject access requests” for their own personal data, under the UK GDPR and Data Protection Act 2018. Section 38(1)(b), though, has been the most commonly used “section 38” exemption at the University in recent years.
Where third party personal data is requested, deciding whether to apply section 38(1)(b) frequently involves considering whether disclosure would violate one or more of the data protection principles in Article 5(1) of the UK GDPR. These include the requirement that personal data is “processed lawfully, fairly and in a transparent manner in relation to the data subject”. In such a case, it is necessary to balance the interests that the applicant might have to the information against the rights that the data subject (third party) might have to prevent disclosure. This task may involve both asking the applicant why they have requested the information (a deviation from the usual “applicant blind” approach to managing FOI requests), and consulting with the data subject. The data subject, however, has a right to object to the disclosure, and if they are reasonably contactable (e.g. they are a member of staff) and after being consulted choose to exercise this right, the public authority then needs to consider whether, in the face of this objection, there is nevertheless an overriding public interest in disclosure.
In many cases, disclosing third party personal data will be uncontroversial. We routinely disclose the names and contact details of senior staff involved with contracts and procurement, for example. There is often an expectation that this information will be disclosed, and much of it may already be publicly available on our website. In other cases, however, the requested information may be more problematic, e.g. because providing it could enable the identification of individuals in circumstances where they would not reasonably expect their personal data to be disclosed, and where disclosure could lead to harm to one or more individuals. In such cases it may be entirely appropriate, and uncontroversial, to apply Section 38(1)(b). There are inevitably more difficult cases, though, where consultation with senior colleagues, and potentially OSIC, may be necessary.
Even after we apply this exemption we may still provide some information. For example, if we are asked to disclose the number of students who have withdrawn for a particular reason, and we hold this information, we may apply section 38(1)(b) if the numbers are very small but disclose that “<=5” students withdrew. Providing information in this way (in this example after “anonymisation by generalisation”) helps to ensure that we discharge our legal duty to “advise and assist” FOI applicants.
5. Summary and further information
I’ve presented an overview of the Freedom of Information legislation in Scotland, focusing on the Freedom of Information (Scotland) Act 2002 (FOISA).
Some key points are that requests, provided they are valid, can become “live” as soon as they are received by anyone in the organisation. As it is not necessary to actually read an FOI request for this to occur, it’s important to provide FOI-related information in “out of office” messages. Further information is available here: https://staff.napier.ac.uk/services/governance-compliance/governance/records/email/Pages/Managing-Your-Inbox.aspx. The message we recommend is:
If your email contains a request made under the Freedom of Information (Scotland) Act, please visit our FOI website: https://www.napier.ac.uk/about-us/university-governance/freedom-of-information. Alternatively, visit https://www.napier.ac.uk to check for the information you require. For routine enquiries see http://www.napier.ac.uk/about-us/contact-us.
The Scottish Information Commissioner also provides some guidance about this here: https://www.itspublicknowledge.info/FAQ/PublicAuthorityFAQ/RequestsFAQ.aspx
Once an FOI request is received, the organisation has 20 working days to respond, although if we need to request clarification the statutory “clock” can be suspended until this is received. We will usually set an internal deadline of roughly 10 days after receipt of a request to ensure the organisation remains on track to respond in time.
I’ve also discussed some common exemptions used at the University. As we may discuss these exemptions with staff while obtaining information, and coordinating responses, it is helpful to have some awareness of how these are approached.
EIRs requests, which were mentioned in passing, are very similar to FOISA requests. Likewise, they are requests for public disclosure of information, albeit for environmental information. Examples of EIRs requests we have received include requests for information about environmental sustainability policy, and our disposal and recycling of waste. More information on EIRs requests, including some of the differences to FOISA requests, can be found here: https://www.itspublicknowledge.info/Law/EIRs/EIRs.aspx; https://www.itspublicknowledge.info/Law/EIRs/EIRsDifferencesEIRSandFOISA.aspx
A final point to stress is that it is unnecessary for a request (whether FOISA or EIRs) to specifically refer to FOI legislation. In principle, any request for public disclosure of information can be treated as an FOI request. All staff, therefore, need to be able to recognise FOI requests. If an FOI request is received, please forward it promptly to our team at email@example.com. Please also let us know if you are unsure whether a request for information is an FOI request.