Line to take - LTT29 - Finding in breach of sections 1, 10 or 17

From FOIwiki
Jump to navigationJump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
  • FOI/EIR: FOI
  • Section/Regulation: s1, s10, s17, s50(4)
  • Issue: Finding in breach of sections 1, 10 or 17
  • Source: Policy Team, IT, GS
  • Details: Bowbrick / Nottingham City Council; King / DWP (20 March 2008); McIntyre / MOD (11 February 2008)
  • Related Lines to Take: LTT39, LTT47, LTT63, LTT101, LTT187, LTT191
  • Related Documents: Awareness Guidance 11, EA/2005/0006 (Bowbrick), EA/2007/0085 (King), EA/2007/0068 (McIntyre), Robust case handing Policy; Good Practice Guidance No.5
  • Contact: LA/HD/KP
  • Date: 18/01/2011
  • Policy Reference: LTT29
  • © Copyright Information Commissioner's Office, re-used with permission
  • Original source linked from here: LTT


Line to take

A breach of s1(1)(b) will arise if the authority was obliged at the time of the request to disclose information, and failed to do so. A breach of 1(1)(a) will similarly arise where the authority had an obligation to confirm or deny that information was held and did not do so. Breaches of s17, on the other hand, are based on whether the authority accurately communicated its reasons for refusing the request, not on whether it was correct to do so

The Commissioner will consider what, if any, procedural breaches of s1(1)(a), 1(1)(b) and the subsections of s17 have occurred at the time of completion of the internal review. If the public authority has not taken the opportunity to carry out an internal review, then the Commissioner will consider the position as it stands at the statutory time limit for compliance under s.10.

Therefore, if the information is disclosable, the Commissioner will find a breach of s1(1)(b) where the public authority has failed to provide that disclosable information at the time of the completion of the internal review. There may also be additional breaches of sections 10 and/or 17 relating to the time limits.


Further Information

Background

Section 1 of the FOIA provides:

“(1) Any person making a request for information to a public authority is entitled -
(a) to be informed in writing by the public authority whether it holds the information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him.”

Section 10(1) of the FOIA provides:

“...a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.”


The Commissioner’s approach

The main principles guiding the Commissioners approach are as follows:

  • The Commissioner's role is not to look at what the requester has received by the time the DN is issued, but to assess how the public authority dealt with the request (King v ICO & DWP EA/2007/0085). However, the authority does get an opportunity at the internal review to reconsider its decision and correct any errors:
“...the Act encourages or rather requires that an internal review must be requested before the Commissioner investigates a complaint under s50. Parliament clearly intended that a public authority should have the opportunity to review its refusal notice and if it got it wrong to be able to correct that decision before a complaint is made...” (Mcintyre v ICO & MoD - [EA/2007/0068]).
Therefore, any procedural breaches, other than those relating to time limits, should be based on what the authority had done by the time of the internal review.
If the authority does not take the opportunity to review its decision then the "cut off point" is the statutory time for compliance (normally 20 days — but see note below). This means that an authority which does not offer an internal review is at a disadvantage in relation to information which is disclosed, for example, after 30 days.
Note that this relates only to the finding of breaches. Whether an obligation under 1(1)(a) or 1(1)(b) exists, or whether an exemption can be relied upon, must still be determined by reference to the circumstances at the time of the request. So if the authority was under an obligation to disclose information at the time of the request, it will be found in breach of 1(1)(b) if it did not do so at least by the completion of the internal review.
  • Findings on 1(1)(a) and 1(1)(b) are based on what the authority should have done, i.e. what it would have done had it come to the same decision as the Commissioner. Note that section 1(1) is not just a general duty to respond to a request. It relates specifically to the two separate duties to confirm or deny that information is held (1(1)(a)) and to communicate the information (1(1)(b)). Therefore if an exemption applies there will be no breach of 1(1)(b). Similarly if there is an exclusion from the duty to confirm or deny, there will be no breach of either 1(1)(a) or 1(1)(b).
If you have not investigated whether any exemptions applied at the date of the request. for example because the authority disclosed the information during the investigation, then you will not be able to make a determination on sections 1(1)(a) and (b). In this case. you should not use this line but refer to [Gateway] LTT187.
  • Section 17 (refusal notices) requires an authority to accurately communicate any exemptions it is relying on, whether or not the Commissioner subsequently determines that those exemptions are correct. In other words, it is not dependent on the outcome of the rest of the case. Breaches of s17(1) (a), (b) and (c) will be decided according to whether the authority had accurately communicated its position by the internal review response at the latest. The Commissioner will also find breaches of s17 if the authority later seeks to rely on an exemption which it did not mention to the requester either in its refusal notice or its internal review (see LTT63).
  • Findings on section 10 (time limits) are based on the findings for s1(1). Again, section 10 is not a general time limits section, but refers to the time for compliance with s1(1)(a) and (b). If there are breaches of both 1(1)(a) and (b) then there will also be s10(1) breaches for each of these failures. If there is no duty under section 1(1)(a) or (b) then there are no related breaches of s1O. A late refusal notice is a breach of 17(1).

In order to apply the principles, you should follow these steps:

  1. Determine what obligations the authority was under at the date of the request, i.e. whether it was required to confirm that it held or did not hold information and whether it was it required to disclose any information
  2. Identify the "cut off point" for determining procedural breaches. In other words, if an internal review was carried out, determine when you consider this to have been completed. If no internal review was carried out, calculate the date for compliance under s10 (usually 20 working days, but see note below).
  3. Identify what actions the authority ought to have taken but had failed to take by the cut off point. This will give you the breaches of 1(1)(a) and 1(1)(b).
  4. Identify whether the authority had given an adequate refusal notice by the time of the cut-off point. This will give you any breaches of s17 in so far as it relates to the content of the refusal notice. Remember that the refusal notice must include any exemptions which the authority relied on at any point including during the investigation,
  5. In addition, if the authority had a duty under 1(1)(a) and/or 1(1)(b) and did not meet the statutory time for compliance, find related breaches of 10(1).

If the authority refused the request but did not issue its refusal notice within the statutory time for compliance there is a breach of s17(1).

Below is a table setting out the potential breaches arising in relation to sections 1 and 10. Section 17 breaches are covered in a separate section later in this line.


Breaches of s1(1) and s10

Breaches of s1(1) and s10 are based on what you have found the authority should have done (i.e. what it would have done had it come to the same decision as the Commissioner). You must start by determining what the authority should have done, that is, whether it was under any obligation to confirm what information it held and to disclose it. If you are only investigating the 1(1)(a) duty, see the additional notes at the end of the table. If you are not making a finding as to what obligations the authority was under at the time of the request, do not use this table but see the Gateway LTT187.

The table below gives the breaches of 1(1)(a), 1(1)(b) and 10 which have occurred in a number of scenarios. This should be read in conjunction with the section below on s17.

Upon completion of an investigation there will be one of five outcomes:

  • (1) the information requested is not held (and the authority is required to confirm this)
  • (2) the public authority is not required to confirm or deny whether the information is held
  • (3) the authority is required to confirm or deny whether the information is held but the Commissioner has not reached a finding (yet) on whether the information should be disclosed
  • (4) the information is held but was not required to be released
  • (5) the information is held and should have been released

Note that you may reach different outcomes in respect to different pieces of information captured by a request.

Once the case outcome has been determined then use the table to identify what the public authority’s obligations were in those circumstances and what breaches of sections 1(1) and 10 arise if the public authority has failed to meet those obligations. It is important to read the whole section of the table that relates to the particular outcome you have reached in order to fully determine the public authority’s obligations in those circumstances.

Case outcome Relevant section of the Act Description of action required by PA (failure to take such action will constitute a breach) Additional information
(1) Information requested is not held, but the authority should have said this s1(1)(a) PA should have confirmed to the complainant that the information is not held The Commissioner will find a PA in breach of s1(1)(a) if confirmation has not provided by the completion of the internal review or the time for statutory compliance
s10(1) PA should have provided confirmation within the statutory time for compliance If the PA has not carried out this action within the time for statutory compliance, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review
(2) PA is not required to confirm or deny whether information is held s1(1)(a) PA is not required to confirm or deny whether the information is held and should provide a refusal notice
s1(1)(b) There is no obligation under 1(1)(b) if 1(1)(a) does not apply. No breach
s10 s10 refers to the time for compliance with s1(1) so does not apply No breach
(3) The public authority was obliged to confirm or deny whether information is held

(where the Commissioner is investigating the authority's reliance on an exclusion from 1(1)(a))

s1(1)(a) No exclusion applied and so the PA was required to confirm or deny whether information is held The Commissioner will find a PA in breach of 1(1)(a) if confirmation or denial has not been provided by the completion of the internal review (or the time for statutory compliance)
s1(1)(b) The Commissioner is not in position to make a finding on whether the information is disclosable. Do not find a breach (this may be the subject of a future investigation).
s10(1) PA should have provided confirmation or denial within the statutory time for compliance If the PA has not carried this out within the statutory time for compliance then the Commissioner will find a breach of 10(1).
(4) Information requested is not disclosable and should not be provided

(applies where either the authority has not claimed an exclusion from 1(i)(a) or else this has been dealt with and rejected in a previous decision notice)

s1(1)(a) PA should have confirmed to the complainant that it holds the information requested The Commissioner will find a PA in breach of s1(1)(a) if confirmation was not provided by the completion of the internal review or the time for statutory compliance.
s1(1)(b) The authority was not under an obligation to disclose the information No breach
s10(1) PA should have provided confirmation that information is held within the statutory time for compliance If the public authority has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of the date of any internal review
(5) Information requested is disclosable and should be provided

(applies where either the authority has not claimed an exclusion from s1(1)(a) or else this has been dealt with and rejected in a previous decision notice — it is not possible to come to a conclusion on 1(1)(b) if the authority is claiming an exclusion from the duty to confirm or deny)

s1(1)(a) PA should have confirmed to the complainant that the information is held The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance
s1(1)(b) PA should have provided the information to the complainant The Commissioner will find a PA in breach of s1(1)(b) if information is not provided by the completion of the internal review or the time for statutory compliance.
s10(1) PA should have communicated the information within the statutory time for compliance. If the PA has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of any internal review. There will be two breaches of s10(1) if the authority has failed to meet the statutory time limits in relation to both 1(1)(a) and 1(1)(b).


Note that in practice breaches of 1(1)(b) are only likely to be found where the authority is still refusing to disclose this information. Where information has been disclosed during the investigation, the Commissioner will not reach a decision on whether s1(1)(b) applied at the date of the request (see LTT A). Breaches of s1(1)(a) can however be included if the authority confirmed that the information was held after the internal review (or statutory time for compliance) but before the DN is issued, as long as the investigation has established that the 1(1)(a) duty existed at the time of the request.


The statutory time for compliance

The date for statutory compliance is usually 20 working days after the date of the request. This has been extended for specific public authorities and in certain circumstances in accordance with the ‘Time for Compliance Regulations’ see LTT47.

In addition under s10(3) a public authority may extend the time for compliance where it is necessary to do so in order to property consider the public interest in maintaining an exemption. In such cases the public authority is still required to cite and explain the exemption claimed within the 20 working days. The extension to the time limit in s10(3) applies only where it is necessary in order to consider the application of the public interest test, i.e. where a qualified exemption is engaged.

Moreover, the extension can only be for as long as is reasonable in all the circumstances. The Commissioner’s Good Practice Guidance 4 indicates that in no case should this be more than an additional 20 working days, i.e. 40 working days in total. Therefore where a public authority takes longer than 40 working days to comply with a request it will have breached s10(1) unless the Commissioner is persuaded that such an extension is reasonable because of exceptional circumstances. Any extension beyond the additional 20 working days may however raise good practice issues and should be referred to the Enforcement team.

If the authority has not provided an internal review, then the statutory time for compliance will also be the last date at which it can comply with its obligations. If it has not done so by that date then it will be in breach.


Breaches of s17

Section 17 requires the authority to accurately convey its position as to why it is refusing a request. Therefore, the outcome of the request is not relevant — there is no breach of s17 for citing an exemption which did not apply.

  • There will be breaches of s17(1)(a), (b) and/or (c), 17(5) or 17(7) if the public authority refused the request but failed to issue a refusal notice complying with those sections (as relevant) at or before the internal review, or at the statutory time for compliance if no internal review was carried out.
  • Breaches of s17 will also be found if the authority seeks to rely on another exemption during the investigation which it had not mentioned at or before internal review (see LTT63)
  • There will additionally be a breach of s17(1) if the authority issued its refusal notice later than 20 working days (or as extended by the Time for Compliance Regulations).

Where the public authority is seeking to rely on a qualified exemption, there will be a breach of s17(1) if it fails to notify the requester of this within 20 working days (or as extended by the Time for Compliance Regulations) and a breach of 17(3) if it takes more than a further 20 working days to communicate the outcome of the public interest test.

Note that there is one limited circumstance (relating to vexatious or repeated requests — see s17(6)) in which an authority is not required to provide any refusal notice.


Further guidance on 1(1)(a) only cases

When a public authority has claimed an exclusion from the duty to confirm or deny, the DN will relate only to section 1(1)(a). The decision notice itself cannot confirm or deny whether information is held as the authority may appeal the Commissioners decision and the Commissioner must not undermine this right of appeal by disclosing that information is (or is not) held. Therefore no finding on 1(1)(b) can be included in the decision notice.

If the Commissioner does not accept the authority's reliance on an exclusion from the duty to confirm or deny, then the decision notice will order the authority to confirm or deny whether information is held and, in relation to any information which may be held, to either disclose it or issue a valid refusal notice.

The following breaches will be included in the ON’

  • s1(1)(a)
  • s10(1) related to the breach of 1(1)(a)
  • any breaches of s17 as per the explanation on s17 above

If the authority subsequently confirms that it holds information but refuses to release it this may result in a further complaint to the Commissioner.

If a subsequent DN is issued, breaches will be investigated and recorded as normal following this line, i.e. as at the time of the internal review or the time for compliance with the original request, rather than as at the time for compliance with the earlier decision notice. Failure to comply with the decision notice would be dealt with as contempt of court instead. However, it is not necessary to repeat any breaches which have already been found in the earlier DN. Rather, the later DN can include a line referring to the earlier one and confirming that these findings still stand.


EIR

Although this line refers to the FOIA, the principles outlined in the "Commissioner's approach" section above would also apply to cases under the EIR, reading in the equivalent provisions. The main differences are as follows:

  • The statutory time for compliance will be 20 working days in all cases, except where the authority can legitimately extend it to 40 due to the volume and complexity of the information.
  • Public authorities are under a legal obligation to provide an internal review in relation to EIR requests — see LTT191
  • "Not held" is an exception under the EIR, so a refusal notice would be required
  • Whereas the right to information is split into two parts in the FOIA, s1(1)(a) and s1(1)(b), both aspects are covered by reg 5(1) of the EIR. There are very limited circumstances in which an authority can claim an exclusion from the duty to confirm or deny under the ElR however such cases should dealt with as for s1(1)(a) cases (described above) with the exception that any breach of this obligation would be phrased as "reg 5(1) in so far as it requires the authority to confirm or deny whether it holds information".