Freedom of information

What are the responsibilities for making information available to the public under the Freedom of Information Act?

The Freedom of Information Act 2000 covers any recorded information held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by the Freedom of Information (Scotland) Act 2002.

NHS organisations, including NHS GP practices (under most contracts), are considered to be public authorities for the purposes of freedom of information (FOI) legislation.

Public authorities must:

  • routinely make information available to the public under the model publication scheme.
  • respond appropriately to freedom of information requests from the public.
  • make sure to respond to FOI requests within 20 working days.
  • respect patient confidentiality and data protection law.

Freedom of information law

Freedom of information legislation aims to make public bodies more accountable and increase public confidence.

Under the law, public bodies, including GP practices, must:

  • proactively publish and update information about their activities
  • respond to requests for information from members of the public.

Making information available

Public authorities must produce a guide to information (a publication scheme) setting out:

  • what information you routinely publish
  • how this information can be accessed (ideally, it will be available on your website)
  • what charge, if any, will be made for access to the information (generally only for expenses incurred, such as postage)
  • contact details, so people can request information.

There should be a process for reviewing and updating published information.

Certain information is exempt from FOI, notably where disclosure is prohibited by law, and where what has been requested constitutes personal data, which is subject to data protection legislation requirements. Exceptions are also made for information that is still in draft form or archived/difficult to access. We would advise you to seek our advice if you're unsure.

England, Wales and NI

The Information Commissioner's Office (ICO) expects you to adopt its model publication scheme and has published guidance and a template for GP practices and healthcare bodies. It covers seven types of information, outlined below.

  • Who the practice is and what you do - doctors in the practice, contact details, opening hours and other staffing details.
  • What you spend and how you spend it (current and previous financial year) - total cost to the PCO of contracted services, audit of NHS income.
  • What your priorities are and how you are doing (current and previous year) - plans for developing and providing NHS services.
  • How you make decisions (current and previous year) - records of decisions made in the practice affecting the provision of NHS services.
  • Your policies and procedures (practices should state if policy is 'not held' as well as listing any additional ones) - policies, protocols and procedures concerning staff employment; delivery of services; equality and diversity; health and safety; complaints; and records management (eg retention and destruction), data protection, the handling of requests for information, the patients' charter.
  • Lists and registers - it's unlikely that practices will have any publicly available register or list and the ICO advises that 'none held' can be entered here.
  • The services you offer - current NHS services provided and any charges, information leaflets and out-of-hours arrangements.


The Scottish Information Commissioner (SIC) has also produced a model publication scheme and general guidance for public authorities. Both are available on this website. The SIC is only responsible for Scotland's freedom of information laws - the ICO retains UK-wide responsibility for data protection matters.

Although similar in scope, the Scottish scheme has nine classes of information. Compliance with the model publication scheme is highly recommended, but not compulsory, and an authority is expected to notify the SIC when it's first adopted.

If a public authority does not use the model publication scheme, then it must seek the approval of the SIC for its chosen publication scheme. It's worth noting that, currently, all Scottish authorities have adopted the SIC model publication scheme.

Responding to requests for information

Under FOI, you must respond to all requests for information from the public and release information if the request falls within the scope of FOI legislation, unless you have a good reason not to.

The ICO and the SIC have produced good practice guidance on what to do if you receive a request, which is summarised below.

  • Check it meets the criteria for a valid FOI request. It should be in writing, include the requester's real name and a correspondence address, and describe the information requested. The ICO says requesters do not have to ask for a specific document (although they may do so) - eg, they may ask for information about a particular topic.
  • Even if the request is not valid, you cannot ignore it. You still have an obligation to provide advice and assistance, which would usually involve telling the requester how to make a valid request under FOI.
  • If the person is asking for their own personal data, you should deal with it as a subject access request under data protection law.
  • Seek clarification as soon as possible if you're unsure what the requester wants.
  • Respond to requests within a maximum of 20 working days.
  • Inform the applicant of any charges and obtain their agreement. The ICO says charges should be 'justifiable, clear and kept to a minimum'. Legitimate charges might include photocopying and postage.
  • If you hold the information, you should normally send it to the applicant using the means they have requested (email, post).
  • Redact any sensitive personal data from documents before sending and seek professional advice if necessary.

Refusing a request

There are limited circumstances in which you can refuse an FOI request.

  • You do not hold the information - the ICO expects you to have made an adequate, documented search and will consider how thorough you have been in the event of a complaint. If you know the information is held by another authority, you should verify this and advise the applicant.
  • The information is exempt, such as confidential data about a patient.
  • It would cost too much or take too much staff time to deal with the request.
  • The request is vexatious. Take care, as you cannot label a request as vexatious because you believe it has little value or you don't like the way it has been made. However, you can take into account the context and history of a request, including the identity of the requester and your previous contact with them. The ICO says: 'The key question to ask yourself is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.'
  • The request repeats a previous request from the same person.

If you are refusing an FOI request, send the applicant a written refusal notice explaining why their request is being refused and citing the relevant provision of the FOI Act. You should also give details of your complaints procedure and their right to complain to the ICO or the SIC. Keep a record of the reasons for your decision, as you may be required to justify it. Contact us for advice if you're unsure.

If an applicant is unhappy with how you've managed their request, it's good practice to review it. A review should be carried out by someone senior, who was not involved in responding to the original request. It should usually take no longer than 20 days.

Enforcing FOI law

You may be breaching FOI law if you do any of the following:

  • fail to respond adequately to a request for information
  • fail to adopt the model publication scheme (in England, Wales and NI), or do not publish the correct information
  • deliberately destroy, hide or alter requested information to prevent it being released. This is considered a criminal offence in the Acts.

Compliance with FOI law is enforced by the ICO or SIC, depending on jurisdiction. They have powers to:

  • serve information notices, requiring you to provide the specified information within a certain time period
  • serve enforcement notices where there has been a breach of FOI law, requiring you to take (or refrain from taking) specified steps to comply
  • issue recommendations, eg improving staff training
  • issue decision notices detailing the outcome of a complaint investigation
  • prosecute those who commit criminal offences under the Acts.

You have a right to appeal against decisions by the ICO/SIC, but you should obtain expert legal advice.

This page was correct at publication on 31/10/2022. Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.