The Freedom of Information Act 2000 (FOIA) enables individuals and organisations to access information from public authorities. It does this by requiring public authorities to publish certain information about their activities and providing a mechanism for requesting information from public authorities, i.e. freedom of information requests (FOI requests).
'Public authorities' are defined in FOIA and include government departments, local authorities and other government-funded bodies such as the NHS, police, armed forces and The Big Lottery Fund. Charities are not 'public authorities' and so are not directly subject to FOIA's requirements (save in the case of a corporate charity wholly owned by one or more public authorities). Despite this, a charity may nonetheless be affected by FOIA, for example:
- an individual may contact charity staff claiming a right to information under FOIA
- the charity may provide information to a public authority that becomes disclosable under FOIA in the hands of the public authority
- in some circumstances, the charity may be required to hand over information following a FOIA request to a public authority, on account of their relationship with the authority
Furthermore, there is an ongoing debate about extending FOIA to private organisations (including charities) delivering public services and a recent report from the Information Commissioner's Office (ICO) supports this.
Although charities are unlikely to be subject to FOIA, they may still receive FOI requests. Such requests may quote the legislation and look official, so there is some risk of staff responding in the belief that they are required to do so. This may result in the inadvertent disclosure of confidential information or personal data, which may be unlawful.
FOI requests are only one type of request that may be received; individuals may, for example, submit a subject access request (SAR) or request information that is routinely provided to beneficiaries or available via the charity's website. The request may not always correctly identify what it actually is, e.g. a SAR may be described as a FOI request, or vice versa.
It is therefore sensible for charities to have in place policies and procedures for dealing with requests for information. Relevant staff should be trained to recognise the different types of requests and respond appropriately, and all staff who may be contacted should understand where to refer any requests seeking information.
If a genuine FOI request is received, the enquirer can generally be informed that the charity is not obliged to provide the information, but it might be helpful to direct them to any publicly available sources or a public authority that may have access to it. For SARs, the charity will need to have procedures in place to ensure that the requirements of GDPR and the Data Protection Act 2018 are adhered to.
Information 'held' by public authorities
In some circumstances, information belonging or relating to a charity may be disclosable under FOIA because it is considered to be held by or on behalf of a public authority.
This often occurs where a charity applies for or enters into an agreement with a public authority and either hands over information to the authority, or information relating to the arrangement can be accessed or is required by the authority. For example:
- a charity bids for a public services contract from a public authority to deliver education, housing or health services and submits information to the authority as part of the tender process. This information may be disclosable under FOIA
- a charity enters a grant agreement with a public authority, which requires the charity to provide reports on performance of the agreement. This information may be disclosable under FOIA
- a charity enters a public services contract with a public authority and generates significant internal information relating to performance of the contract. It is possible that some of this information may be disclosable under FOIA
Separately, the Charity Commission holds information on charities, including information submitted by them, and may be asked to disclose this via a FOI request.
Even if information is within the scope of FOIA, there are exemptions that may prevent information from being disclosed. These include where disclosure would constitute an actionable breach of confidence, where information would prejudice commercial interests or where information constitutes personal data.
Therefore, it is sometimes possible to prevent information being disclosed where it is particularly sensitive. However, simply marking something 'confidential' or 'personal data' will not in itself prevent disclosure; it will depend on the nature of the information.
Dealing with public authorities
If you are involved in agreements with public authorities, you will almost certainly need to consider the potential impact of FOIA on your relationship. It is best to understand this at the outset of the relationship, to avoid difficulties arising following a FOI request. The following points are particularly relevant:
- agreements with public authorities often contain provisions relating to FOIA that oblige the other party to provide information when requested. These should be scrutinised carefully, to ensure that the authority is not securing access to information that it has no right to under the FOI regime. It is best practice for the contract to say which categories of information are considered disclosable, non-disclosable and exempt under FOIA
- the charity should have robust internal systems and policies to manage information generated in relation to agreements with public authorities. Ideally, information should be recorded, classified (including in terms of whether it is disclosable to the public authority) and stored accordingly. Information should only be sent to the authority where required. Records should be kept of what information is provided to the authority and why and these should be reviewed to ensure the correct data is being sent
- information that is genuinely confidential or contains personal data should be marked as such, as this will at least flag that a FOIA exemption should be considered
Separately, when communicating with the Charity Commission, for example in relation to serious incidents, charities should only submit information that is necessary, should avoid including personal data and should clearly state where the charity considers the information to be confidential or attract any other FOIA exemption.