This page explains how public authorities must handle Freedom of Information requests under the Freedom of Information and Data Protection Act 2026.
Your FOI obligations
- You must accept and process Freedom of Information requests
- Requests must be handled without unnecessary formality
- You must provide reasonable assistance to applicants
Receiving and logging requests
You must have a clear system for receiving and recording requests. You should record the date the request is received to ensure time limits are met.
Time limits and extensions
You must respond within 14 working days.
You may extend the deadline by up to 14 working days only where the request is complex or consultation with another authority is required.
You must give written reasons for any extension.
Free of charge processing
No fee may be charged for Freedom of Information requests. Requests must not be refused because of cost, effort or administrative burden.
Applying exemptions lawfully
You may withhold information only where a lawful exemption applies. Exemptions must be interpreted narrowly and proportionately.
Protecting personal data
Freedom of Information must not be used to disclose personal data. Personal data must be disclosed only through a Subject Access Request.
You must use anonymisation where disclosure is otherwise lawful.
Anonymisation means removing or changing details that could identify a person. This can include names, addresses, identification numbers, contact details and any other information that could be linked to an individual.
Refusals, reviews and IDPO referrals
If you refuse a request, you must explain the reason.
If an applicant complains, the matter may be referred to the Information and Data Protection Office for review.