The IT Law Wiki


More than 46 countries around the world now have freedom of information laws. They span several centuries, with Sweden enacting its first access to information law in 1766. Elsewhere in Europe, Finland enacted a freedom of information law in 1951 and Ireland did so recently. Scotland has an access to information law and the Freedom of Information Act came into force in England and Wales in 2005. A number of German states have access laws and new members of the European Union – notably those formerly in the Soviet bloc — have enacted access to information laws or are actively considering doing so.

Freedom of information laws provide the legislative direction to ensure a healthy transparency in government operations.


The Australian Freedom of Information Act 1982 (FOI Act) provides a legally enforceable right of access to government documents. It applies to Australian Government ministers and most agencies, although the obligations of agencies and ministers are different.

Most Australian Government agencies are subject to the FOI Act, and must release documents in response to an FOI request unless there is an overriding reason not to do so. Some agencies, such as intelligence agencies, are exempt from the FOI Act altogether. Others, such as some courts and tribunals, are exempt in relation to certain documents.

Ministers are subject only to requests for "official documents of a minister." This means documents relating to their role as a ministers, and not personal or party political documents, or documents about their electoral affairs. Ministers are also not subject to some of the proactive publication requirements the FOI Act places on agencies.

British Columbia[]

British Columbia’s Freedom of Information and Protection of Privacy Act (FIPPA) came into force on October 4, 1993.

United Kingdom[]

The Freedom of Information Act 2000 received Royal Assent on November 30, 2000, and came fully into force on January 1, 2005. It provides clear statutory rights for any member of the public to apply for access to information held by bodies across the public sector, together with a strong enforcement regime.

The main features of the Act are:

  • a general right of access to information held by public authorities in the course of carrying out their public functions, subject to certain conditions and exemptions;
  • in most cases, where information is exempted from disclosure there is a duty on public authorities to disclose where, in the view of the public authority, the public interest in disclosure outweighs the public interest in maintaining the exemption in question;
  • a new office of Information Commissioner, and a new Information Tribunal, with wide powers to enforce the rights created; and
  • a duty imposed on public authorities to adopt a scheme for the publication of information.

The legislation applies to a wide range of public authorities, including Parliament, Government Departments and local authorities, health trusts, doctors' surgeries, publicly funded museums and thousands of other organizations in England, Northern Ireland and Wales. Scotland has a specific Freedom of Information (Scotland) Act 2002.


See Freedom of Information (Scotland) Act 2002

United States[]


Freedom of Information Act of 1974 (FOIA), Pub. L. No. 89-554, 80 Stat. 383 (Sept. 6, 1966; amended 1996, 2002, 2007), codified at 5 U.S.C. §552.


Initially enacted in 1966, after 11 years of investigation, legislative development, and deliberation in the House and half as many years of such consideration in the Senate, and subsequently amended, the Act displaced the ineffective public information section of the Administrative Procedure Act.

Often referred to as the embodiment of “the people’s right to know” about the activities and operations of government, the Act statutorily established a premise of presumptive public access to information held by the federal departments and agencies.[1] The Act was designed to enable any person — individual or corporate, regardless of nationality — to request, without explanation or justification, presumptive access to existing, identifiable, unpublished, executive branch agency records on any topic.

Not supported as legislation or enthusiastically received as law by the executive branch, the FOIA was subsequently amended and modified by congressional legislation, including the Privacy Act of 1974, the Electronic Freedom of Information Act of 1996,[2] and the OPEN Government Act of 2007.

FOIA provides the public with access to information from Federal agencies (but not Congress or Federal courts) either through “affirmative agency disclosure” — publishing information in the Federal Register or on the Internet or making it available in reading rooms — or in response to public requests for disclosure. Public requests for disclosure of records are the best known type of FOIA disclosure. Any member of the public may request access to information held by federal agencies without showing a need or reason for seeking the information.

The statute has become a somewhat popular tool of inquiry and information gathering for various quarters of American society — the press, business, scholars, attorneys, consumers, and environmentalists, among others — as well as some foreign interests. The response to an FOIA request may involve a few sheets of paper, several linear feet of records, or perhaps information in an electronic format.

FOIA Procedures[]

Agencies are required to meet certain time frames for making key determinations: whether to comply with requests (20 business days from receipt of the request); responses to appeals of adverse determinations (20 business days from filing of the appeal); and whether to provide expedited processing of FOIA requests (10 calendar days from receipt of the request). Congress did not establish a statutory deadline for making releasable records available, but instead required agencies to make them available promptly.

Although the specific details of processes for handling FOIA requests vary among agencies, the major steps in handling a request are similar across the government. Agencies receive requests, usually in writing (although they may accept requests by telephone or electronically), which can come from any organization or member of the public. Once received, the request goes through several phases, which include initial processing, searching for and retrieving responsive records, preparing responsive records for release, approving the release of the records, and releasing the records to the requester. Figure 1 is an overview of the process, from the receipt of a request to the release of records.


During the initial processing phase, an FOIA request is logged into the agency's FOIA system, and a case file is started. The request is then reviewed to determine its scope, estimate fees, and provide an initial response to the requester (in general, this simply acknowledges receipt of the request). After this point, the FOIA staff begins its search to retrieve responsive records. This step may include searching for records from multiple locations and program offices. After potentially responsive records are located, the documents are reviewed to ensure that they are within the scope of the request.

During the next two phases, the agency ensures that appropriate information is to be released under the provisions of the act. First, the agency reviews the responsive records to make any redactions based on the statutory exemptions. Once the exemption review is complete, the final set of responsive records is turned over to the FOIA office, which calculates appropriate fees, if applicable. Before release, the redacted responsive records are given a final review, possibly by the agency's general counsel, and then a response letter is generated, summarizing the agency's actions regarding the request. Finally, the responsive records are released to the requester.

Some requests are relatively simple to process, such as requests for specific pieces of information that the requester sends directly to the appropriate office. Other requests may require more extensive processing, depending on their complexity, the volume of information involved, the requirement for the agency FOIA office to work with offices that have relevant subject-matter expertise to find and obtain information, the requirement for a FOIA officer to review and redact information in the responsive material, the requirement to communicate with the requester about the scope of the request, and the requirement to communicate with the requester about the fees that will be charged for fulfilling the request (or whether fees will be waived).

Specific details of agency processes for handling requests vary, depending on the agency’s organizational structure and the complexity of the requests received. While some agencies centralize processing in one main office, other agencies have separate FOIA offices for each agency component and field office. Agencies also vary in how they allow requests to be made. Depending on the agency, requesters can submit requests by telephone, fax, letter, or e-mail or through the Internet. In addition, agencies may process requests in two ways, known as “multitrack” and “single track.”

  • Multitrack processing involves dividing requests into two groups: (1) simple requests requiring relatively minimal review, which are placed in one processing track, and (2) more voluminous and complex requests, which are placed in another track.
  • In contrast, single-track processing does not distinguish between simple and complex requests. With single-track processing, agencies process all requests on a “first-in, first-out” basis.

Agencies can also process FOIA requests on an expedited basis when a requester has shown a compelling need for the information.

As agencies process FOIA requests, they generally place them in one of four possible disposition categories: grants, partial grants, denials, and “not disclosed for other reasons.” These categories are defined as follows:

  • Grants: Agency decisions to disclose all requested records in full.
  • Partial grants: Agency decisions to withhold some records, in whole or in part, because such information was determined to fall within one or more exemptions.
  • Denials: Agency decisions not to release any part of the requested records because all information in the records is determined to be exempt under one or more statutory exemptions.
  • Not disclosed for other reasons: Agency decisions not to release requested information for any of a variety of reasons other than statutory exemptions. The categories and definitions of these “other” reasons for nondisclosure are shown in table 1.


FOIA requests are processed with a presumption of disclosure. When an FOIA request is denied in full or in part or the requested records are not disclosed for other reasons, the requester is entitled to be told the reason for the denial, to appeal the denial, and to challenge it in court. When an FOIA request is denied, agencies will be defended by the Attorney General "only if (1) the agency reasonably foresees that disclosure would harm an interest protected by one of the statutory exemptions, or (2) disclosure is prohibited by law."[3]


Nine categories of information are exempted from FOIA requests. They are:

(1) information properly classified for national defense or foreign policy purposes as secret under criteria established by an executive order;
(2) information relating solely to agency internal personnel rules and practices;
(3) data specifically excepted from disclosure by a statute which either requires that matters be withheld in a non-discretionary manner or which establishes particular criteria for withholding or refers to particular types of matters to be withheld;
(4) trade secrets and commercial or financial information obtained from a person and privileged or confidential;
(5) inter- or intra-agency memoranda or letters that would not be available by law except to an agency in litigation;
(6) personnel, medical, or similar files the disclosure of which would constitute an unwarranted invasion of personal privacy;
(7) certain kinds of investigatory records compiled for law enforcement purposes;
(8) certain information relating to the regulation of financial institutions; and
(9) geological and geophysical information and data, including maps, concerning wells.

Some of these exemptions, such as the one concerning trade secrets and commercial or financial information, have undergone considerable judicial interpretation.[4]

Agencies within the federal intelligence community are prohibited from making any record available to a foreign government or a representative of same pursuant to an FOIA request.

Dispute Resolution[]

A person denied access to requested information, in whole or in part, may make an administrative appeal to the head of the agency for reconsideration. After this step, an appeal for further consideration of access to denied information may be made in federal district court.[5]


Agencies responding to FOIA requests are permitted by the statute to charge fees for certain activities — records search, duplication, and review — depending upon the type of requester, such as a commercial user; an educational or noncommercial scientific institution, whose purpose is scholarly or scientific research; a news media representative; or the general public. However, requested records may be furnished by an agency without any charge or at a reduced cost, according to the law, “if disclosure of the information is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester.”[6]

Application to cybersecurity[]

Sharing of cybersecurity information between the federal government and non-federal entities is widely considered to be an essential need, especially with respect to the protection of critical infrastructure (CI). However, attempts to encourage the private sector to share sensitive CI information with the federal government have, at times, been met with concerns that such records could be subject to public release under FOIA, resulting in potential economic or other harm to the source.

Among the nine exemptions that permit agencies to withhold applicable records are three that may particularly apply to cybersecurity information:

An example of Exemption 3 statute is Section 214 of the Homeland Security Act of 2002, which exempts information about the security of critical infrastructure and protected systems that is voluntarily submitted to an agency covered under the Act, provided that the entity that supplies the information expressly requests the exemption concurrently.

Despite these existing protections, some private-sector entities may still have concerns about public release of sensitive records — that existing laws may not be specific enough to protect particular types of records, or they may be too narrow to protect all records of concern. The White House's Complete Cybersecurity Proposal would have addressed such concerns by applying Exemption 3 to any lawfully obtained information provided to DHS for cybersecurity purposes. The Recommendations of the House Republican Cybersecurity Task Force also suggests that a FOIA exemption may be needed,[9] Adding such broad exemptions to the FOIA, however, could nevertheless prompt concerns about decreases in federal transparency.


  1. At the time of its enactment, the FOIA was regarded as a somewhat revolutionary development. Only two other nations — Sweden and Finland — had comparable law, and in neither case was it as sweeping as the new American model.
  2. The 1996 amendment provided for public access to information in an electronic form or format.
  3. See FOIA Memorandum, 74 Fed. Reg. 4,683 (Jan. 21, 2009).[1] See also Attorney General’s memo.[2]
  4. For sources concerning judicial interpretation of the FOIA, see Litigation Under the Federal Open Government Laws: 2004 (Harry A. Hammitt, David L. Sobel & Tiffany A. Stedman, eds., EPIC Publications and The James Madison Project, 2004); James T. O’Reilly, Federal Information Disclosure (3d ed. 2000).
  5. See U.S. Congress, House Committee on Government Reform, A Citizen’s Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, H.R. Rep. 109-226, 109th Cong., 1st Sess. (2005).
  6. 5 U.S.C. §552(a)(4)(A)(iii).
  7. The statute must require that the data be withheld from the public in such a manner as to leave no discretion on the issue, establish particular criteria for withholding information or refer to particular types of matters to be withheld, or specifically cite the exemption if enacted after October 28, 2009, the date of enactment of the OPEN FOIA Act of 2009, Pub. L. No. 111-83. These exemptions are also called “b(3) exemptions” because they are created pursuant to 5 U.S.C. §552(b)(3). See also FOIA Exemption 3 Statutes.
  8. Other exemptions may also sometimes apply to cybersecurity information. For further discussion of the FOIA and its exemptions, see Freedom of Information Act (FOIA): Background and Policy Options for the 112th Congress and The Freedom of Information Act and Nondisclosure Provisions in Other Federal Laws.
  9. Specifically, it states, "information sharing within existing structures can be improved through limited safe harbors when private sector entities voluntarily disclose threat, vulnerability, or incident information to the federal government or ask for advice or assistance to help increase protections on their own systems. These protections would need to address concerns about antitrust issues, liability, an exemption from the Freedom of Information Act of 1974 (FOIA), protection from public disclosure, protection from regulatory use by government, and whether or not a private entity is operating as an agent of the government. However, the protection of personal privacy should be at the forefront of any limited legal protection proposal." Recommendations of the House Republican Cybersecurity Task Force, at 11.


See also[]