The Freedom of Information (FOI) Act

Manage the risk of disclosure of confidential information


The Freedom of Information (FOI) Act relates to public sector bodies. However, these organisations regularly engage with private sector companies in the provision of goods and services.

This creates a situation where any information your business shares with public authorities may be subject to an FOI request, and is potentially at risk of disclosure.

Risk of FOI disclosure

Types of information at risk of disclosure under the FOI Act include, eg:

  • information that you give to regulators in reports, annual returns, investigations, etc
  • public tenders or contracts information
  • your responses to public consultations
  • information relating to planning procedures and proposed developments

Public authorities could also hold confidential or commercially sensitive information on your business, eg your financial records or contract details. This sort of information may be exempt from the FOI Act. See FOI and commercially sensitive information.

How to manage the risk of FOI disclosure

You cannot entirely avoid the risks associated with passing information to public authorities. However, you can lessen them in a number of ways. For example:

  • If the information is confidential or commercially sensitive, think carefully if it is necessary to disclose it. If it is, make it clear by labelling it 'confidential' or 'restricted'. Submit it separately to the rest of the less-sensitive information to reduce the risk of accidental disclosure. Keep in mind that the exemption that applies to confidential information is a very narrow one and that it only applies in the very limited circumstances. It will not automatically apply to all documents marked 'confidential'. For more information, see the ICO's guidance on information provided in confidence.

  • Don't rely on blanket confidentiality clauses. Look at terms and conditions for dealing with public authorities and try to minimise the impact of the Act.

  • Try to establish consultation rights in your contract, ie the right to be informed before the public authority makes any disclosure. This may give you a chance to take action to protect your business before the information goes public.

  • Set clear internal policies and procedures for the release of information to public authorities. Record the information you share with them and review it regularly. Consider assigning FOI responsibility to an individual staff member or team.

  • Train your staff on FOI requirements, data protection and the potential risk of information disclosure.

If someone makes an FOI request, public authorities will have to release this information (subject to a number of exemptions). See FOI exemptions: absolute and qualified.

While FOI can present a certain risk for your business, it can also provide an opportunity to gain useful information. For example, information about procurement criteria, decisions, previous contracts and even competitors.

Find out how to use FOI to your business advantage.