FOI Exemptions & Sensitive Data - London

General Governance and Administration England 4 Minutes Read · published February 02, 2026 Flag of England

This guide explains Freedom of Information (FOI) exemptions and the handling of sensitive data for public bodies operating in London, England. It summarises who is covered, the common exemptions used by authorities, how sensitive personal or security-related information is treated, and practical steps to request information or challenge a refusal. Where relevant the guide points to official sources and routes for complaint or appeal so you can act promptly when a public body withholds or redacts records under an exemption.

How FOI applies in London

Most London public bodies and local authorities are subject to the Freedom of Information Act 2000 and must respond to FOI requests unless a specific exemption applies. Requests should be clear, state a postal or email address for reply, and may be subject to a charge for copying or specialist handling where statute allows.

Freedom of Information Act 2000[1]

Make requests as clearly and narrowly as possible to speed up a response.

Common FOI exemptions and sensitive data categories

  • Section 31 - law enforcement exemptions where disclosure would prejudice prevention or detection of crime.
  • Section 40 - personal data where disclosure would breach the Data Protection Act or contravene data subject rights.
  • Section 41 - information provided in confidence.
  • Section 24 - national security and safety of the public sector body (applicable where relevant).
  • Section 43 - commercially sensitive information where disclosure would harm commercial interests.
Exemptions are subject to public interest balancing tests and may not apply automatically.

Penalties & Enforcement

Penalties and enforcement for FOI matters in England are generally administered by the Information Commissioner's Office (ICO). The FOI Act grants the ICO powers to issue decision notices and require public bodies to disclose information or review refusals; criminal offences such as altering, concealing or destroying information are set out in the Act. Specific monetary fines for FOI refusals are not stated on the FOI Act page and may vary depending on the statutory power relied upon.Section 77[1]

  • Fine amounts: not specified on the cited FOI Act page; ICO enforcement outcomes are case-specific and monetary penalties are typically associated with data protection offences rather than FOI refusals.
  • Escalation: decision notices from the ICO, followed by appeal to the First-tier Tribunal (Information Rights). Time limits for appeal are specified by the ICO decision notice.
  • Non-monetary sanctions: enforcement notices, decision notices, and orders to disclose or reprocess requests; criminal prosecution for offences such as unlawful concealment under section 77.
  • Enforcer and complaint pathway: the ICO handles complaints about FOI responses; you can complain to the ICO if a public body refuses or fails to respond properly to an FOI request.ICO FOI guidance[3]
  • Appeal/review routes and time limits: appeals against ICO decision notices are made to the First-tier Tribunal (Information Rights); specific appeal windows are set out on ICO decision notices or tribunal guidance and vary by case.
  • Defences and discretion: public interest balancing tests, reliance on specific exemptions, and application of redaction rather than full refusal are common discretionary approaches.

Common violations and typical outcomes:

  • Failure to respond within 20 working days - outcome: ICO complaint, likely decision notice requiring response; monetary amount: not specified on cited pages.
  • Unlawful disclosure of personal data - outcome: ICO investigation and possible data protection penalties under the DPA.
  • Destruction or concealment of records - outcome: potential criminal prosecution under section 77 of the FOI Act.

Applications & Forms

There is no universal central FOI form; most London public bodies accept written requests by email, web form or post and publish request guidance on their websites. The Greater London Authority provides guidance on making an FOI request to the GLA and a contact route for requests.GLA FOI guidance[2]

Practical steps to request or challenge a disclosure

  • Step 1 - Identify the public body and check its FOI contact details and publication scheme.
  • Step 2 - Submit a clear written request with an address for reply; keep a copy of your request.
  • Step 3 - Await the statutory response within 20 working days unless an exemption or extension applies.
  • Step 4 - If refused or redacted, ask for an internal review from the same public body.
  • Step 5 - If unsatisfied after internal review, complain to the ICO and, if necessary, appeal ICO decisions to the First-tier Tribunal.
Always request an internal review before appealing to the ICO to preserve procedural rights.

Key records and safeguards for sensitive data

When information contains personal or security-sensitive content, authorities commonly apply redaction, rely on section 40 or other exemptions, or refuse disclosure where the public interest does not favour release. Where personal data is involved, compliance with the Data Protection Act and ICO guidance on data sharing and anonymisation is required.

FAQ

Who must respond to an FOI request in London?
Most local authorities, the Greater London Authority and many public bodies operating in London must respond under the FOI Act; exceptions are listed in the Act or secondary legislation.
How long does a public body have to respond?
Public bodies generally have 20 working days to respond to an FOI request, subject to permitted extensions and exemptions.
What can I do if my request is refused?
Ask for an internal review, then complain to the ICO if you remain unsatisfied, and appeal ICO decisions to the First-tier Tribunal where available.

How-To

  1. How to make a valid FOI request: identify the right public body, state your request clearly in writing, provide a contact address, and send by the bodys published FOI channel.
  2. How to request an internal review: ask the public body for an internal review in writing within the timeframe in their refusal letter and keep a copy.
  3. How to escalate: if the internal review does not resolve the matter, complain to the ICO using their online complaint form and follow the ICO guidance on appeals.

Key Takeaways

  • FOI exemptions require a public interest test and are not automatic.
  • Use internal review and the ICO complaints route to challenge refusals.

Help and Support / Resources

    Categories

    General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data