Line to take - LTT29 - Finding in breach of sections 1, 10 or 17: Difference between revisions

From FOIwiki
Jump to navigationJump to search
(LTT29 - 18/01/2011 version. 1st transcription)
 
(3 intermediate revisions by the same user not shown)
Line 1: Line 1:
* FOI/EIR: FOI
* FOI/EIR: FOI
* Section/Regulation: s1, s10, s17, s50(4)
* Section/Regulation: [[LTT Exemption::FOI 1|s1]], [[LTT Exemption::FOI 10|s10]], [[LTT Exemption::FOI 17|s17]], [[LTT Exemption::FOI 50|s50(4)]]
* Issue: Finding in breach of sections 1, 10 or 17
* Issue: [[LTT Title::Finding in breach of sections 1, 10 or 17]]
* Source: Policy Team, IT, GS  
* Source: Policy Team, IT, GS  
* Details: Bowbrick / Nottingham City Council; King / DWP (20 March 2008); Mcintyre / MOD (11 February 2008)  
* Details: Bowbrick / Nottingham City Council; King / DWP (20 March 2008); McIntyre / MOD (11 February 2008)  
* Related Lines to Take: [[LTT39]], [[LTT47]], [[LTT63]], [[LTT101]]  
* Related Lines to Take: [[LTT39]], [[LTT47]], [[LTT63]], [[LTT101]], [[LTT187]], [[LTT191]]
* Related Documents: Awareness Guidance 11, [[EA/2005/0006]] (Bowbrick), [[EA/2007/0085]] (King), [[EA/2007/0068]] (Mcintvre), Robust case handing Policv; Good Practice Guidance No.5  
* Related Documents: Awareness Guidance 11, [[EA/2005/0006]] (Bowbrick), [[EA/2007/0085]] (King), [[EA/2007/0068]] (McIntyre), Robust case handing Policy; Good Practice Guidance No.5  
* Contact: LA/HD  
* Contact: LA/HD/KP
* Date: 24/02/2009
* Date: [[LTT Date::18/01/2011]]
* Policy Reference: LTT29
* Policy Reference: [[LTT Ref::LTT29]]
* {{Copyright-ICO}}
* {{Copyright-ICO}}
[[Category:ICO Line To Take]]


==Line to take==
==Line to take==


The Commissioner will consider what, if any, procedural breaches have occurred at the time of completion of the internal review. If the public authority has not carried out an internal review or where no valid response to the request was made at all, then the Commissioner will consider the position as it stands at the statutory time limit for compliance under s.10.  
A breach of s1(1)(b) will arise if the authority was obliged at the time of the request to disclose information, and failed to do so. A breach of 1(1)(a) will similarly arise where the authority had an obligation to confirm or deny that information was held and did not do so. Breaches of s17, on the other hand, are based on whether the authority accurately communicated its reasons for refusing the request, not on whether it was correct to do so
 
The Commissioner will consider what, if any, procedural breaches of s1(1)(a), 1(1)(b) and the subsections of s17 have occurred at the time of completion of the internal review. If the public authority has not taken the opportunity to carry out an internal review, then the Commissioner will consider the position as it stands at the statutory time limit for compliance under s.10.
 
Therefore, if the information is disclosable, the Commissioner will find a breach of s1(1)(b) where the public authority has failed to provide that disclosable information at the time of the completion of the internal review. There may also be additional breaches of sections 10 and/or 17 relating to the time limits.  


Therefore the Commissioner will always find a breach of s.1 where the public authority has failed to provide disclosable information at the time of the completion of the internal review. There may also be additional breaches of sections 10 and/or 17 depending on the circumstances of each case.


==Further Information==  
==Further Information==  


Background  
 
'''Background '''


Section 1 of the FOIA provides:  
Section 1 of the FOIA provides:  
Line 31: Line 37:
:''“...a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.” ''
:''“...a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.” ''


In the past, the Commissioner’s approach to finding procedural breaches has not been consistent.


'''King v Information Commissioner & the Department for Work and Pensions (2008) '''
'''The Commissioner’s approach'''


In this case, the DWP provided information to the complainant after the date of his complaint to the ICO, but before the Commissioner’s investigation had commenced. The Commissioner found the public authority to be in breach of section 10 only. On appeal, the Tribunal considered whether the Commissioner had erred in law in not finding a breach of section 1 of the Act.
The main principles guiding the Commissioners approach are as follows:


The Tribunal stated that the wording of section 50 of the Act supported the appellant’s contention that the Commissioner “should be considering the facts as they existed at the date that the Commissioner received the complaint” as, when making a complaint, the complainant is “applying for a decision whether the request has been dealt with in accordance with part I (as opposed to ‘is being dealt with)” and that section 50(2) states “on receiving an application under this section, the Commissioner '''shall make a decision'''...” (the Tribunal’s emphasis) (paras 83 & 84). The Tribunal decided that the Commissioner was wrong in law to find that the DWP had not breached its obligations under section 1 FOIA.
* The Commissioner's role is not to look at what the requester has received by the time the DN is issued, but to assess how the public authority dealt with the request (King v ICO & DWP [[EA/2007/0085]]). However, the authority does get an opportunity at the internal review to reconsider its decision and correct any errors:


At paragraph 87, the Tribunal also stated that failure to provide disclosable information by the date of the complaint to the Commissioner would constitute a breach of section 1 of the FOIA and '''in addition''' would also constitute a breach of either section 10 or section 17 FOIA, in relation to the time limit, depending upon the circumstances of the case.  
::''“...the Act encourages or rather requires that an internal review must be requested before the Commissioner investigates a complaint under s50. Parliament clearly intended that a public authority should have the opportunity to review its refusal notice and if it got it wrong to be able to correct that decision before a complaint is made...” '' (Mcintyre v ICO & MoD - [EA/2007/0068]).


In short, the Tribunal were making it clear that in this case the latest date as to when a decision should be made regarding section 1 is the date upon which the valid complaint is made to the ICO. The Commissioner’s view is that this does not preclude finding a section 1 breach at a date between that of the internal review and that upon which a valid complaint is accepted by the ICO.  
:Therefore, any procedural breaches, other than those relating to time limits, should be based on what the authority had done by the time of the internal review.


'''Mcintyre v Information Commissioner & Ministry of Defence (2008)'''
:If the authority does not take the opportunity to review its decision then the "cut off point" is the statutory time for compliance (normally 20 days — but see note below). This means that an authority which does not offer an internal review is at a disadvantage in relation to information which is disclosed, for example, after 30 days.


In this case, the MoD initially refused to disclose the requested information citing s.36. However, following the internal review, they did release most (though not all) of the information. Although the issue of procedural breaches was not key in this case, the Tribunal did comment at para 38:
:Note that this relates only to the finding of breaches. Whether an obligation under 1(1)(a) or 1(1)(b) exists, or whether an exemption can be relied upon, must still be determined by reference to the circumstances at the time of the request. So if the authority was under an obligation to disclose information at the time of the request, it will be found in breach of 1(1)(b) if it did not do so at least by the completion of the internal review.


:''“...the Act encourages or rather requires that an internal review must be requested before the Commissioner investigates a complaint under s50. Parliament clearly intended that a public authority should have the opportunity to review its refusal notice and if it got it wrong to be able to correct that decision before a complaint is made...” ''
* Findings on 1(1)(a) and 1(1)(b) are based on what the authority should have done, i.e. what it would have done had it come to the same decision as the Commissioner. Note that section 1(1) is not just a general duty to respond to a request. It relates specifically to the two separate duties to confirm or deny that information is held (1(1)(a)) and to communicate the information (1(1)(b)). Therefore if an exemption applies there will be no breach of 1(1)(b). Similarly if there is an exclusion from the duty to confirm or deny, there will be no breach of either 1(1)(a) or 1(1)(b).


The Tribunal in this case seem to suggest that a public authority has up until the conclusion of the internal review to remedy any breaches but that the conclusion of the internal review is the point at which the Commissioner should make his decision as to which procedural breaches have occurred, if any.  
:If you have not investigated whether any exemptions applied at the date of the request. for example because the authority disclosed the information during the investigation, then you will not be able to make a determination on sections 1(1)(a) and (b). In this case. you should not use this line but refer to [Gateway] [[LTT187]].


'''The Commissioner’s Approach '''
* Section 17 (refusal notices) requires an authority to accurately communicate any exemptions it is relying on, whether or not the Commissioner subsequently determines that those exemptions are correct. In other words, it is not dependent on the outcome of the rest of the case. Breaches of s17(1) (a), (b) and (c) will be decided according to whether the authority had accurately communicated its position by the internal review response at the latest. The Commissioner will also find breaches of s17 if the authority later seeks to rely on an exemption which it did not mention to the requester either in its refusal notice or its internal review (see [[LTT63]]).


The Commissioner acknowledges that the Tribunal in King took the position that the relevant cut-off point was the date upon which a valid complaint was made to the ICO and that the Tribunal in Mcintyre seemed to suggest that this point was the conclusion of the internal review.  
* Findings on section 10 (time limits) are based on the findings for s1(1). Again, section 10 is not a general time limits section, but refers to the time for compliance with s1(1)(a) and (b). If there are breaches of both 1(1)(a) and (b) then there will also be s10(1) breaches for each of these failures. If there is no duty under section 1(1)(a) or (b) then there are no related breaches of s1O. A late refusal notice is a breach of 17(1).


The Commissioner’s approach will be to consider the position at the time of the completion of the internal review although in some cases he will look at the circumstances as they stood at the time for statutory compliance (*). Such cases will include where the public authority has failed to carry out an internal review or where no valid response to the request was made at all.
In order to apply the principles, you should follow these steps:


This should not be taken to imply that breaches of sections 1, 10 and 17 must always be included in decision notices where those elements of the request have been resolved during the course of the investigation (indeed to do so would limit the opportunity to fully utilise the robust case handling policy - see link below). The Commissioner does not need to seek the complainant’s permission to withdraw these elements of the complaint and he will use the ‘scope of the case’ section of a decision notice to set out which elements of a case have been investigated in full and are covered by the decision notice. If it is considered necessary to record breaches of the Act, in relation to the parts of a request which have been resolved, the decision notice may do so.  
# Determine what obligations the authority was under at the date of the request, i.e. whether it was required to confirm that it held or did not hold information and whether it was it required to disclose any information
# Identify the "cut off point" for determining procedural breaches. In other words, if an internal review was carried out, determine when you consider this to have been completed. If no internal review was carried out, calculate the date for compliance under s10 (usually 20 working days, but see note below).
# Identify what actions the authority ought to have taken but had failed to take by the cut off point. This will give you the breaches of 1(1)(a) and 1(1)(b).
# Identify whether the authority had given an adequate refusal notice by the time of the cut-off point. This will give you any breaches of s17 in so far as it relates to the content of the refusal notice. Remember that the refusal notice must include any exemptions which the authority relied on at any point including during the investigation,
# In addition, if the authority had a duty under 1(1)(a) and/or 1(1)(b) and did not meet the statutory time for compliance, find related breaches of 10(1).


'''(*) - Note '''
If the authority refused the request but did not issue its refusal notice within the statutory time for compliance there is a breach of s17(1).


The date for statutory compliance is usually 20 working days after the date of the request. This has been extended for specific public authorities and in certain circumstances in accordance with the ‘Time for Compliance Regulations’ see LTT47.  
Below is a table setting out the potential breaches arising in relation to sections 1 and 10. Section 17 breaches are covered in a separate section later in this line.


In addition, under s10(3) a public authority may extend the time for compliance where it is necessary to do so in order to properly consider the public interest in maintaining an exemption. In such cases the public authority is still required to cite and explain the exemption claimed within the 20 working days. The extension can only be for as long as is reasonable in all the circumstances. The Commissioner’s Good Practice Guidance 4 indicates that in no case should this be more than an additional 20 working days, i.e. 40 working days in total. Therefore where a public authority takes longer than 40 working days to comply with a request it will have breached s10(1) unless the Commissioner is persuaded that such an extension is reasonable because of exceptional circumstances. Any extension beyond the additional 20 working days may however raise good practice issues and should be referred to the Enforcement team.


Below is a table setting out the potential breaches arising in relation to sections 1, 10 and 17.
'''Breaches of s1(1) and s10'''


'''Instructions for using the Table '''
Breaches of s1(1) and s10 are based on what you have found the authority should have done (i.e. what it would have done had it come to the same decision as the Commissioner). You must start by determining what the authority should have done, that is, whether it was under any obligation to confirm what information it held and to disclose it. If you are only investigating the 1(1)(a) duty, see the additional notes at the end of the table. If you are not making a finding as to what obligations the authority was under at the time of the request, do not use this table but see the Gateway [[LTT187]].


Upon completion of an investigation there will be one of four outcomes; (1) the information requested is not held, (2) the information is held and should be released, (3) the information is held but should not be released, (4) the public authority is not required to confirm or deny whether the information is held.  
The table below gives the breaches of 1(1)(a), 1(1)(b) and 10 which have occurred in a number of scenarios. This should be read in conjunction with the section below on s17.


Once the case outcome has been determined then use the table to identify what the public authority’s obligations were in those circumstances and what breaches arise if the public authority has failed to meet those obligations. '''It is important to read the whole section of the table that relates to the particular outcome you have reached''' in order to fully determine the public authority’s obligations in those circumstances. (Note: it is conceivable that you will reach different outcomes in respect to different pieces of information captured by a request).
Upon completion of an investigation there will be one of five outcomes:


*(1) the information requested is not held (and the authority is required to confirm this)
*(2) the public authority is not required to confirm or deny whether the information is held
*(3) the authority is required to confirm or deny whether the information is held but the Commissioner has not reached a finding (yet) on whether the information should be disclosed
*(4) the information is held but was not required to be released
*(5) the information is held and should have been released
Note that you may reach different outcomes in respect to different pieces of information captured by a request.
Once the case outcome has been determined then use the table to identify what the public authority’s obligations were in those circumstances and what breaches of sections 1(1) and 10 arise if the public authority has failed to meet those obligations. '''It is important to read the whole section of the table that relates to the particular outcome you have reached''' in order to fully determine the public authority’s obligations in those circumstances.


{| border="1"  
{| border="1"  
Line 80: Line 97:
! Additional information
! Additional information
|-
|-
| '''Information requested is not held'''
| '''(1) Information requested is not held, but the authority should have said this'''
| s1(1)(a)
| s1(1)(a)
| PA should confirm to the complainant that the information is not held
| PA should have confirmed to the complainant that the information is not held
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance (*)
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation has not provided by the completion of the internal review or the time for statutory compliance
|-
|-
|  
|  
| s10(1)
| s10(1)
| PA should provide confirmation within 20 working days
| PA should have provided confirmation within the statutory time for compliance
| If the PA does not carry out this action within 20 working days, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review or the time for statutory compliance (*)
| If the PA has not carried out this action within the time for statutory compliance, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review
|-
|-
| '''Information requested is disclosable and should be provided'''
| '''(2) PA is not required to confirm or deny whether information is held'''
| s1(1)(a)
| s1(1)(a)
| PA should confirm to the complainant that the information is held
| PA is not required to confirm or deny whether the information is held and should provide a refusal notice
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance (*)
|
|-
|
| s10(1)
| PA should provide confirmation within 20 working days
| If the PA does not carry out this action within 20 working days, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review or the time for statutory compliance (*)
|-
|-
|  
|  
| s1(1)(b)
| s1(1)(b)
| PA should provide the information to the complainant
| There is no obligation under 1(1)(b) if 1(1)(a) does not apply.
| The Commissioner will find a PA in breach of s1(1)(b) if information is not provided by the completion of the internal review or the time for statutory compliance (*)  
| No breach
|-
|-
|  
|  
| s10(1)
| s10
| PA should provide the information within 20 working days
| s10 refers to the time for compliance with s1(1) so does not apply
| If the PA does not carry out this action within 20 working days, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review or the time for statutory compliance (*)
| No breach
|-
|-
|  
| '''(3) The public authority was obliged to confirm or deny whether information is held'''
| s17(1)(a), (b), (c)


s17(3)(b)
(where the Commissioner is investigating the authority's reliance on an exclusion from 1(1)(a))
 
| s1(1)(a)
s17(5)
| No exclusion applied and so the PA was required to confirm or deny whether information is held
 
| The Commissioner will find a PA in breach of 1(1)(a) if confirmation or denial has not been provided by the completion of the internal review (or the time for statutory compliance)
s17(7)
| If the public authority (incorrectly) refused to provide the information the refusal notice being relied upon at the date of the completion of the internal review or the time for statutory compliance (*), must comply with the requirements of section 17
 
This may be an amended refusal notice issued at the internal review stage, or the original refusal notice if the public authority did not make any amendments to the original refusal notice at the internal review stage
| Breaches should be specified down to section number and sub-section of the exemption claimed (see LTT101)
 
If the public authority fails to state that it is relying upon section 12 or 14 the Commissioner will find a breach of section 17(5) (subject to s17(6))
|-
|-
|  
|  
| s17(1) or s17(5)
| s1(1)(b)
| Any refusal notice should be issued within 20 working days
| The Commissioner is not in position to make a finding on whether the information is disclosable.
| The Commissioner will find a PA in breach of s17(1) if any element of the refusal notice relating to the application of exemptions, which is being relied upon at the completion of the internal review or the time for statutory compliance (*), is introduced outside of the 20 working day period
| Do not find a breach (this may be the subject of a future investigation).
|-
|
| s10(1)
| PA should have provided confirmation or denial within the statutory time for compliance
| If the PA has not carried this out within the statutory time for compliance then the Commissioner will find a breach of 10(1).
|-
| '''(4) Information requested is not disclosable and should not be provided'''


The Commissioner will find a PA in breach of section 17(5) if a refusal on the grounds of s12 or 14 is issued late
(applies where either the authority has not claimed an exclusion from 1(i)(a) or else this has been dealt with and rejected in a previous decision notice)
|-
| '''Information requested is not disclosable and should not be provided'''
| s1(1)(a)
| s1(1)(a)
| PA should confirm to the complainant that it holds the information requested
| PA should have confirmed to the complainant that it holds the information requested
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance (*)
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation was not provided by the completion of the internal review or the time for statutory compliance.
|-
|-
|  
|  
| s10(1)
| PA should provide this confirmation within 20 working days
| If the public authority does not carry out this action within 20 working days, the Commissioner will find a breach of section 10(1) regardless of the date of the completion of the internal review or the time for statutory compliance (*)
|-
|
| s1(1)(b)
| s1(1)(b)
| PA will not have breached this section if it is not required to provide the information requested
| The authority was not under an obligation to disclose the information
|
| No breach
|-
|-
|
|  
| s17(1)(a), (b), (c)
| s10(1)
 
| PA should have provided confirmation that information is held within the statutory time for compliance
s17(3)(b)
| If the public authority has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of the date of any internal review
|The refusal notice being relied upon at the date of completion of the internal review or the time for statutory compliance (*), must comply with the requirements of section 17
 
This may be an amended refusal notice issued at the internal review stage, or the original refusal notice if the public authority did not make any amendments to the original refusal notice at the internal review stage
|
|-
|-
|
| '''(5) Information requested is disclosable and should be provided'''
| s17(5)


s17(7)
(applies where either the authority has not claimed an exclusion from s1(1)(a) or else this has been dealt with and rejected in a previous decision notice — it is not possible to come to a conclusion on 1(1)(b) if the authority is claiming an exclusion from the duty to confirm or deny)
| Subject to s17(6)
|-
|
| s17(1) or s17(5)
| Any refusal notice should be issued within 20 working days
| The Commissioner will find a PA in breach of s17(1) if any element of the refusal notice relating to the application of exemptions, which is being relied upon at the completion of the internal review ort the time for statutory compliance (*), is introduced outside of the 20 working day period.


The Commissioner will find a PA in breach of section 17(5) if a refusal on the grounds of s12 or 14 is issued late.
| s1(1)(a)
| PA should have confirmed to the complainant that the information is held
| The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance
|-
|-
| '''PA is not required to confirm or deny whether information is held'''
|  
| s1(1)(a)
| s1(1)(b)
| PA is not required to confirm or deny whether the information is held and should provide a refusal notice
| PA should have provided the information to the complainant
|
| The Commissioner will find a PA in breach of s1(1)(b) if information is not provided by the completion of the internal review or the time for statutory compliance.
|-
|-
|  
|  
| s17(1)(a), (b), (c)
| s10(1)
 
| PA should have communicated the information within the statutory time for compliance.
s17(3)(a)
| If the PA has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of any internal review. There will be two breaches of s10(1) if the authority has failed to meet the statutory time limits in relation to both 1(1)(a) and 1(1)(b).
 
|-
s17(7)
|}
| PA should issue a refusal notice specifying why it is excluded from the duty to confirm or deny including assessment of the PIT where relevant
 
The refusal notice being relied upon at the date of completion of the internal review or the time for statutory compliance (*), must comply with the requirements of section 17.


This may be an amended refusal notice issued at the internal review stage, or the original refusal notice if the public authority did not make any amendments to the original refusal notice at the internal review stage
| Breaches should be specified down to section number and sub-section of the exemption claimed (see [[LTT101]])


'''Note''': Where a public authority relies on s.12, a public authority will be in breach of s.17(5) if it fails to provide a refusal notice citing this.
Note that in practice breaches of 1(1)(b) are only likely to be found where the authority is still refusing to disclose this information. Where information has been disclosed during the investigation, the Commissioner will not reach a decision on whether s1(1)(b) applied at the date of the request (see [[LTT???|LTT A]]). Breaches of s1(1)(a) can however be included if the authority confirmed that the information was held after the internal review (or statutory time for compliance) but before the DN is issued, as long as the investigation has established that the 1(1)(a) duty existed at the time of the request.


There will be an additional breach of s.17(5) where a public authority fails to issue such a refusal notice within the time limit for statutory compliance.
|-
|
| s17(1)
| PA should issue the refusal notice within 20 working days
| The Commissioner will find a PA in breach of s17(1) if any element of the refusal notice which is being relied upon at the date of completion of the internal review or the time for statutory compliance (*), is introduced outside of the 20 working day period
|-
|}


'''The statutory time for compliance'''


The date for statutory compliance is usually 20 working days after the date of the request. This has been extended for specific public authorities and in certain circumstances in accordance with the ‘Time for Compliance Regulations’ see [[LTT47]].


We have set out a number of example scenarios, which may assist case officers in identifying which breaches apply. This is absolutely not an exhaustive list. Case officers are requested to contact the Policy team, prior to drafting a DN, should they be unsure as to which breaches apply.  
In addition under s10(3) a public authority may extend the time for compliance where it is necessary to do so in order to property consider the public interest in maintaining an exemption. In such cases the public authority is still required to cite and explain the exemption claimed within the 20 working days. The extension to the time limit in s10(3) applies only where it is necessary in order to consider the application of the public interest test, i.e. where a qualified exemption is engaged.


'''Example 1'''
Moreover, the extension can only be for as long as is reasonable in all the circumstances. The Commissioner’s Good Practice Guidance 4 indicates that in no case should this be more than an additional 20 working days, i.e. 40 working days in total. Therefore where a public authority takes longer than 40 working days to comply with a request it will have breached s10(1) unless the Commissioner is persuaded that such an extension is reasonable because of exceptional circumstances. Any extension beyond the additional 20 working days may however raise good practice issues and should be referred to the Enforcement team.


* A public authority states that it does not hold the information requested.
If the authority has not provided an internal review, then the statutory time for compliance will also be the last date at which it can comply with its obligations. If it has not done so by that date then it will be in breach.
* It provides this confirmation after 30 working days (and no internal review is carried out).  
* The ICO is satisfied that the information is not held.  


''Outcome ''


* The Commissioner will find the PA to have breached section 1(1)(a) (we are not required to consider section 1(1)(b) as we are satisfied the information isn’t held).
'''Breaches of s17'''
* The Commissioner will find the public authority has breached section 10(1), by failing to respond within 20 working days.
* The failure to carry out an internal review should be referred to the Enforcement team to establish if this is a general approach.
* The DN will not require any steps to be taken, although where the public authority does not generally provide an internal review, this should be referred to in the ‘other matters’ section.


'''Example 2 '''
Section 17 requires the authority to accurately convey its position as to why it is refusing a request. Therefore, the outcome of the request is not relevant — there is no breach of s17 for citing an exemption which did not apply.


* A public authority issues a refusal notice which confirms they hold the requested information and also explains which exemption they believe is engaged and why.  
* There will be breaches of s17(1)(a), (b) and/or (c), 17(5) or 17(7) if the public authority refused the request but failed to issue a refusal notice complying with those sections (as relevant) at or before the internal review, or at the statutory time for compliance if no internal review was carried out.
* The refusal notice is issued 36 working days after the request.
* Breaches of s17 will also be found if the authority seeks to rely on another exemption during the investigation which it had not mentioned at or before internal review (see [[LTT63]])
* The public authority carries out an internal review 30 workinq days thereafter i.e. 66 working days after the date of the request.
* There will additionally be a breach of s17(1) if the authority issued its refusal notice later than 20 working days (or as extended by the Time for Compliance Regulations).
* The ICO considers that the information should be provided to the complainant.  


''Outcome ''
Where the public authority is seeking to rely on a qualified exemption, there will be a breach of s17(1) if it fails to notify the requester of this within 20 working days (or as extended by the Time for Compliance Regulations) and a breach of 17(3) if it takes more than a further 20 working days to communicate the outcome of the public interest test.


* The Commissioner will find the public authority has complied with section 1(1)(a).
Note that there is one limited circumstance (relating to vexatious or repeated requests — see s17(6)) in which an authority is not required to provide any refusal notice.
* The Commissioner will find the public authority in breach of section 10(1) by failing to confirm within 20 working days.
* The Commissioner will find the public authority in breach of section 1(1)(b) for incorrectly refusing to make the requested information available by the date of the internal review.
* The Commissioner will find the public authority in breach of section 10(1) for failing to provide the requested information within 20 working days.
* The Commissioner will find the public authority in breach of section 17(1) by issuing the refusal notice late.
* The Commissioner will find the public authority has complied with sections 17(1)(a), (b) and (c) by explaining which exemption it believed was applicable and why.
* The completing of the internal review outside of the Commissioner’s guidance should be referred to the Enforcement team and included in an ‘other matters’ section of the decision notice.  


'''Example 3 '''


* A public authority issues a refusal notice which confirms they hold the requested information but it does not cite an exemption or explain why the information is to be withheld.
'''Further guidance on 1(1)(a) only cases'''
* The refusal notice is issued after 44 working days and the public authority does not carry out an internal review.
* The ICO considers that the information should be withheld from the complainant.


''Outcome ''
When a public authority has claimed an exclusion from the duty to confirm or deny, the DN will relate only to section 1(1)(a). The decision notice itself cannot confirm or deny whether information is held as the authority may appeal the Commissioners decision and the Commissioner must not undermine this right of appeal by disclosing that information is (or is not) held. Therefore no finding on 1(1)(b) can be included in the decision notice.


* The Commissioner will find the public authority in breach of section 1(1)(a).
If the Commissioner does not accept the authority's reliance on an exclusion from the duty to confirm or deny, then the decision notice will order the authority to confirm or deny whether information is held and, in relation to any information which may be held, to either disclose it or issue a valid refusal notice.
* The Commissioner will find the public authority in breach of section 10(1) for failing to provide this confirmation within 20 working days.
* The Commissioner will find the public authority has not breached section 1(1)(b) as the information is considered exempt from disclosure.
* The Commissioner will find the public authority in breach of 17(1) by providing the refusal notice late.
* The Commissioner will find the public authority in breach of sections 17(1)(b) and (c) by issuing a technically defective refusal notice.
* The failure to carry out an internal review should be referred to the Enforcement team.
* The DN will not require any steps to be taken but in most cases will make reference to the lack of internal review in an ‘other matters’ section.  


'''Example 4 '''
The following breaches will be included in the ON’


* A public applicant requests two items of information, (i) and (ii).
* s1(1)(a)
* The public authority issues a refusal notice after 29 workinq days and confirms that it holds the requested information but claims request (i) is exempt under sections 38 and 40 of the Act and that the information relating to request (ii) is exempt under section 41 of the Act. Both of the exemptions are stated in full and the public authority explains why it believes they are applicable. The public interest test is also explained in full, where relevant.
* s10(1) related to the breach of 1(1)(a)
* At the internal review stage the public authority decides that it claimed the wrong exemptions in relation to request (i) and that section 41 applies to both requests.
* any breaches of s17 as per the explanation on s17 above
* The applicant complains to the ICO about the continued withholding of the information.
* The ICO decides the exemptions were correctly applied.


''Outcome ''
If the authority subsequently confirms that it holds information but refuses to release it this may result in a further complaint to the Commissioner.


::''Request (i) ''
If a subsequent DN is issued, breaches will be investigated and recorded as normal following this line, i.e. as at the time of the internal review or the time for compliance with the original request, rather than as at the time for compliance with the earlier decision notice. Failure to comply with the decision notice would be dealt with as contempt of court instead. However, it is not necessary to repeat any breaches which have already been found in the earlier DN. Rather, the later DN can include a line referring to the earlier one and confirming that these findings still stand.


* The Commissioner will find the public authority has complied with section 1(1)(a).
* The Commissioner will find the public authority has breached section 10(1) by failing to confirm it held the information within 20 working days.
* The Commissioner will not find the public authority to have breached section 1(1)(b) as it is not required to provide the information.
* The Commissioner will find the public authority has breached section 17(1) because it issued the refusal notice late.
* The Commissioner will find the public authority has not breached sections 17(1)(a), (b) and (c) because the original refusal notice was amended by the completion of the internal review.


'''EIR'''


::''Request (ii) ''
Although this line refers to the FOIA, the principles outlined in the "Commissioner's approach" section above would also apply to cases under the EIR, reading in the equivalent provisions. The main differences are as follows:


* The Commissioner will find the public authority has complied with section 1(1)(a).  
* The statutory time for compliance will be 20 working days in all cases, except where the authority can legitimately extend it to 40 due to the volume and complexity of the information.
* The Commissioner will find the public authority has breached section 10(1) by failing to confirm it held the information within 20 working days.
* Public authorities are under a legal obligation to provide an internal review in relation to EIR requests — see [[LTT191]]
* The Commissioner will find the public authority has not breached section 1(1)(b) as it is not required to provide the information.
* "Not held" is an exception under the EIR, so a refusal notice would be required
* The Commissioner will find the public authority has breached section 17(1) as it issued its refusal notice late.  
* Whereas the right to information is split into two parts in the FOIA, s1(1)(a) and s1(1)(b), both aspects are covered by reg 5(1) of the EIR. There are very limited circumstances in which an authority can claim an exclusion from the duty to confirm or deny under the ElR however such cases should dealt with as for s1(1)(a) cases (described above) with the exception that any breach of this obligation would be phrased as "reg 5(1) in so far as it requires the authority to confirm or deny whether it holds information".
* The Commissioner will find the public authority has complied with sections 17(1 )(a), (b) and (c).

Latest revision as of 18:17, 12 February 2011

  • FOI/EIR: FOI
  • Section/Regulation: s1, s10, s17, s50(4)
  • Issue: Finding in breach of sections 1, 10 or 17
  • Source: Policy Team, IT, GS
  • Details: Bowbrick / Nottingham City Council; King / DWP (20 March 2008); McIntyre / MOD (11 February 2008)
  • Related Lines to Take: LTT39, LTT47, LTT63, LTT101, LTT187, LTT191
  • Related Documents: Awareness Guidance 11, EA/2005/0006 (Bowbrick), EA/2007/0085 (King), EA/2007/0068 (McIntyre), Robust case handing Policy; Good Practice Guidance No.5
  • Contact: LA/HD/KP
  • Date: 18/01/2011
  • Policy Reference: LTT29
  • © Copyright Information Commissioner's Office, re-used with permission
  • Original source linked from here: LTT


Line to take

A breach of s1(1)(b) will arise if the authority was obliged at the time of the request to disclose information, and failed to do so. A breach of 1(1)(a) will similarly arise where the authority had an obligation to confirm or deny that information was held and did not do so. Breaches of s17, on the other hand, are based on whether the authority accurately communicated its reasons for refusing the request, not on whether it was correct to do so

The Commissioner will consider what, if any, procedural breaches of s1(1)(a), 1(1)(b) and the subsections of s17 have occurred at the time of completion of the internal review. If the public authority has not taken the opportunity to carry out an internal review, then the Commissioner will consider the position as it stands at the statutory time limit for compliance under s.10.

Therefore, if the information is disclosable, the Commissioner will find a breach of s1(1)(b) where the public authority has failed to provide that disclosable information at the time of the completion of the internal review. There may also be additional breaches of sections 10 and/or 17 relating to the time limits.


Further Information

Background

Section 1 of the FOIA provides:

“(1) Any person making a request for information to a public authority is entitled -
(a) to be informed in writing by the public authority whether it holds the information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him.”

Section 10(1) of the FOIA provides:

“...a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.”


The Commissioner’s approach

The main principles guiding the Commissioners approach are as follows:

  • The Commissioner's role is not to look at what the requester has received by the time the DN is issued, but to assess how the public authority dealt with the request (King v ICO & DWP EA/2007/0085). However, the authority does get an opportunity at the internal review to reconsider its decision and correct any errors:
“...the Act encourages or rather requires that an internal review must be requested before the Commissioner investigates a complaint under s50. Parliament clearly intended that a public authority should have the opportunity to review its refusal notice and if it got it wrong to be able to correct that decision before a complaint is made...” (Mcintyre v ICO & MoD - [EA/2007/0068]).
Therefore, any procedural breaches, other than those relating to time limits, should be based on what the authority had done by the time of the internal review.
If the authority does not take the opportunity to review its decision then the "cut off point" is the statutory time for compliance (normally 20 days — but see note below). This means that an authority which does not offer an internal review is at a disadvantage in relation to information which is disclosed, for example, after 30 days.
Note that this relates only to the finding of breaches. Whether an obligation under 1(1)(a) or 1(1)(b) exists, or whether an exemption can be relied upon, must still be determined by reference to the circumstances at the time of the request. So if the authority was under an obligation to disclose information at the time of the request, it will be found in breach of 1(1)(b) if it did not do so at least by the completion of the internal review.
  • Findings on 1(1)(a) and 1(1)(b) are based on what the authority should have done, i.e. what it would have done had it come to the same decision as the Commissioner. Note that section 1(1) is not just a general duty to respond to a request. It relates specifically to the two separate duties to confirm or deny that information is held (1(1)(a)) and to communicate the information (1(1)(b)). Therefore if an exemption applies there will be no breach of 1(1)(b). Similarly if there is an exclusion from the duty to confirm or deny, there will be no breach of either 1(1)(a) or 1(1)(b).
If you have not investigated whether any exemptions applied at the date of the request. for example because the authority disclosed the information during the investigation, then you will not be able to make a determination on sections 1(1)(a) and (b). In this case. you should not use this line but refer to [Gateway] LTT187.
  • Section 17 (refusal notices) requires an authority to accurately communicate any exemptions it is relying on, whether or not the Commissioner subsequently determines that those exemptions are correct. In other words, it is not dependent on the outcome of the rest of the case. Breaches of s17(1) (a), (b) and (c) will be decided according to whether the authority had accurately communicated its position by the internal review response at the latest. The Commissioner will also find breaches of s17 if the authority later seeks to rely on an exemption which it did not mention to the requester either in its refusal notice or its internal review (see LTT63).
  • Findings on section 10 (time limits) are based on the findings for s1(1). Again, section 10 is not a general time limits section, but refers to the time for compliance with s1(1)(a) and (b). If there are breaches of both 1(1)(a) and (b) then there will also be s10(1) breaches for each of these failures. If there is no duty under section 1(1)(a) or (b) then there are no related breaches of s1O. A late refusal notice is a breach of 17(1).

In order to apply the principles, you should follow these steps:

  1. Determine what obligations the authority was under at the date of the request, i.e. whether it was required to confirm that it held or did not hold information and whether it was it required to disclose any information
  2. Identify the "cut off point" for determining procedural breaches. In other words, if an internal review was carried out, determine when you consider this to have been completed. If no internal review was carried out, calculate the date for compliance under s10 (usually 20 working days, but see note below).
  3. Identify what actions the authority ought to have taken but had failed to take by the cut off point. This will give you the breaches of 1(1)(a) and 1(1)(b).
  4. Identify whether the authority had given an adequate refusal notice by the time of the cut-off point. This will give you any breaches of s17 in so far as it relates to the content of the refusal notice. Remember that the refusal notice must include any exemptions which the authority relied on at any point including during the investigation,
  5. In addition, if the authority had a duty under 1(1)(a) and/or 1(1)(b) and did not meet the statutory time for compliance, find related breaches of 10(1).

If the authority refused the request but did not issue its refusal notice within the statutory time for compliance there is a breach of s17(1).

Below is a table setting out the potential breaches arising in relation to sections 1 and 10. Section 17 breaches are covered in a separate section later in this line.


Breaches of s1(1) and s10

Breaches of s1(1) and s10 are based on what you have found the authority should have done (i.e. what it would have done had it come to the same decision as the Commissioner). You must start by determining what the authority should have done, that is, whether it was under any obligation to confirm what information it held and to disclose it. If you are only investigating the 1(1)(a) duty, see the additional notes at the end of the table. If you are not making a finding as to what obligations the authority was under at the time of the request, do not use this table but see the Gateway LTT187.

The table below gives the breaches of 1(1)(a), 1(1)(b) and 10 which have occurred in a number of scenarios. This should be read in conjunction with the section below on s17.

Upon completion of an investigation there will be one of five outcomes:

  • (1) the information requested is not held (and the authority is required to confirm this)
  • (2) the public authority is not required to confirm or deny whether the information is held
  • (3) the authority is required to confirm or deny whether the information is held but the Commissioner has not reached a finding (yet) on whether the information should be disclosed
  • (4) the information is held but was not required to be released
  • (5) the information is held and should have been released

Note that you may reach different outcomes in respect to different pieces of information captured by a request.

Once the case outcome has been determined then use the table to identify what the public authority’s obligations were in those circumstances and what breaches of sections 1(1) and 10 arise if the public authority has failed to meet those obligations. It is important to read the whole section of the table that relates to the particular outcome you have reached in order to fully determine the public authority’s obligations in those circumstances.

Case outcome Relevant section of the Act Description of action required by PA (failure to take such action will constitute a breach) Additional information
(1) Information requested is not held, but the authority should have said this s1(1)(a) PA should have confirmed to the complainant that the information is not held The Commissioner will find a PA in breach of s1(1)(a) if confirmation has not provided by the completion of the internal review or the time for statutory compliance
s10(1) PA should have provided confirmation within the statutory time for compliance If the PA has not carried out this action within the time for statutory compliance, the Commissioner will find a breach of section 10(1) regardless of the date of the internal review
(2) PA is not required to confirm or deny whether information is held s1(1)(a) PA is not required to confirm or deny whether the information is held and should provide a refusal notice
s1(1)(b) There is no obligation under 1(1)(b) if 1(1)(a) does not apply. No breach
s10 s10 refers to the time for compliance with s1(1) so does not apply No breach
(3) The public authority was obliged to confirm or deny whether information is held

(where the Commissioner is investigating the authority's reliance on an exclusion from 1(1)(a))

s1(1)(a) No exclusion applied and so the PA was required to confirm or deny whether information is held The Commissioner will find a PA in breach of 1(1)(a) if confirmation or denial has not been provided by the completion of the internal review (or the time for statutory compliance)
s1(1)(b) The Commissioner is not in position to make a finding on whether the information is disclosable. Do not find a breach (this may be the subject of a future investigation).
s10(1) PA should have provided confirmation or denial within the statutory time for compliance If the PA has not carried this out within the statutory time for compliance then the Commissioner will find a breach of 10(1).
(4) Information requested is not disclosable and should not be provided

(applies where either the authority has not claimed an exclusion from 1(i)(a) or else this has been dealt with and rejected in a previous decision notice)

s1(1)(a) PA should have confirmed to the complainant that it holds the information requested The Commissioner will find a PA in breach of s1(1)(a) if confirmation was not provided by the completion of the internal review or the time for statutory compliance.
s1(1)(b) The authority was not under an obligation to disclose the information No breach
s10(1) PA should have provided confirmation that information is held within the statutory time for compliance If the public authority has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of the date of any internal review
(5) Information requested is disclosable and should be provided

(applies where either the authority has not claimed an exclusion from s1(1)(a) or else this has been dealt with and rejected in a previous decision notice — it is not possible to come to a conclusion on 1(1)(b) if the authority is claiming an exclusion from the duty to confirm or deny)

s1(1)(a) PA should have confirmed to the complainant that the information is held The Commissioner will find a PA in breach of s1(1)(a) if confirmation is not provided by the completion of the internal review or the time for statutory compliance
s1(1)(b) PA should have provided the information to the complainant The Commissioner will find a PA in breach of s1(1)(b) if information is not provided by the completion of the internal review or the time for statutory compliance.
s10(1) PA should have communicated the information within the statutory time for compliance. If the PA has not carried out this action within the statutory time for compliance, the Commissioner will find a breach of section 10(1) regardless of any internal review. There will be two breaches of s10(1) if the authority has failed to meet the statutory time limits in relation to both 1(1)(a) and 1(1)(b).


Note that in practice breaches of 1(1)(b) are only likely to be found where the authority is still refusing to disclose this information. Where information has been disclosed during the investigation, the Commissioner will not reach a decision on whether s1(1)(b) applied at the date of the request (see LTT A). Breaches of s1(1)(a) can however be included if the authority confirmed that the information was held after the internal review (or statutory time for compliance) but before the DN is issued, as long as the investigation has established that the 1(1)(a) duty existed at the time of the request.


The statutory time for compliance

The date for statutory compliance is usually 20 working days after the date of the request. This has been extended for specific public authorities and in certain circumstances in accordance with the ‘Time for Compliance Regulations’ see LTT47.

In addition under s10(3) a public authority may extend the time for compliance where it is necessary to do so in order to property consider the public interest in maintaining an exemption. In such cases the public authority is still required to cite and explain the exemption claimed within the 20 working days. The extension to the time limit in s10(3) applies only where it is necessary in order to consider the application of the public interest test, i.e. where a qualified exemption is engaged.

Moreover, the extension can only be for as long as is reasonable in all the circumstances. The Commissioner’s Good Practice Guidance 4 indicates that in no case should this be more than an additional 20 working days, i.e. 40 working days in total. Therefore where a public authority takes longer than 40 working days to comply with a request it will have breached s10(1) unless the Commissioner is persuaded that such an extension is reasonable because of exceptional circumstances. Any extension beyond the additional 20 working days may however raise good practice issues and should be referred to the Enforcement team.

If the authority has not provided an internal review, then the statutory time for compliance will also be the last date at which it can comply with its obligations. If it has not done so by that date then it will be in breach.


Breaches of s17

Section 17 requires the authority to accurately convey its position as to why it is refusing a request. Therefore, the outcome of the request is not relevant — there is no breach of s17 for citing an exemption which did not apply.

  • There will be breaches of s17(1)(a), (b) and/or (c), 17(5) or 17(7) if the public authority refused the request but failed to issue a refusal notice complying with those sections (as relevant) at or before the internal review, or at the statutory time for compliance if no internal review was carried out.
  • Breaches of s17 will also be found if the authority seeks to rely on another exemption during the investigation which it had not mentioned at or before internal review (see LTT63)
  • There will additionally be a breach of s17(1) if the authority issued its refusal notice later than 20 working days (or as extended by the Time for Compliance Regulations).

Where the public authority is seeking to rely on a qualified exemption, there will be a breach of s17(1) if it fails to notify the requester of this within 20 working days (or as extended by the Time for Compliance Regulations) and a breach of 17(3) if it takes more than a further 20 working days to communicate the outcome of the public interest test.

Note that there is one limited circumstance (relating to vexatious or repeated requests — see s17(6)) in which an authority is not required to provide any refusal notice.


Further guidance on 1(1)(a) only cases

When a public authority has claimed an exclusion from the duty to confirm or deny, the DN will relate only to section 1(1)(a). The decision notice itself cannot confirm or deny whether information is held as the authority may appeal the Commissioners decision and the Commissioner must not undermine this right of appeal by disclosing that information is (or is not) held. Therefore no finding on 1(1)(b) can be included in the decision notice.

If the Commissioner does not accept the authority's reliance on an exclusion from the duty to confirm or deny, then the decision notice will order the authority to confirm or deny whether information is held and, in relation to any information which may be held, to either disclose it or issue a valid refusal notice.

The following breaches will be included in the ON’

  • s1(1)(a)
  • s10(1) related to the breach of 1(1)(a)
  • any breaches of s17 as per the explanation on s17 above

If the authority subsequently confirms that it holds information but refuses to release it this may result in a further complaint to the Commissioner.

If a subsequent DN is issued, breaches will be investigated and recorded as normal following this line, i.e. as at the time of the internal review or the time for compliance with the original request, rather than as at the time for compliance with the earlier decision notice. Failure to comply with the decision notice would be dealt with as contempt of court instead. However, it is not necessary to repeat any breaches which have already been found in the earlier DN. Rather, the later DN can include a line referring to the earlier one and confirming that these findings still stand.


EIR

Although this line refers to the FOIA, the principles outlined in the "Commissioner's approach" section above would also apply to cases under the EIR, reading in the equivalent provisions. The main differences are as follows:

  • The statutory time for compliance will be 20 working days in all cases, except where the authority can legitimately extend it to 40 due to the volume and complexity of the information.
  • Public authorities are under a legal obligation to provide an internal review in relation to EIR requests — see LTT191
  • "Not held" is an exception under the EIR, so a refusal notice would be required
  • Whereas the right to information is split into two parts in the FOIA, s1(1)(a) and s1(1)(b), both aspects are covered by reg 5(1) of the EIR. There are very limited circumstances in which an authority can claim an exclusion from the duty to confirm or deny under the ElR however such cases should dealt with as for s1(1)(a) cases (described above) with the exception that any breach of this obligation would be phrased as "reg 5(1) in so far as it requires the authority to confirm or deny whether it holds information".
Retrieved from "https://foiwiki.com/foiwiki/index.php?title=Line_to_take_-_LTT29_-_Finding_in_breach_of_sections_1,_10_or_17&oldid=20310"