Successes and setbacks: ICO reports on FOI compliance across NHS trusts in England
- Date 24 July 2025
- Type Blog
This year marks a significant milestone - 20 years since the Freedom of Information (FOI) Act came into force. For two decades, this legislation has empowered people to ask questions, seek transparency, and hold public bodies to account on the issues that matter most to them.
As the regulator for FOIA, one of our core responsibilities is to enforce information rights laws and ensure that public organisations are meeting their legal obligations. As part of this, we’ve taken a closer look at how one vital part of the public sector - NHS trusts in England - are performing when it comes to FOI compliance.
The good news? Most trusts are treating FOI with the seriousness that is required. However, a small number still show significant room for improvement and that’s where we step in.
Why did we decide to focus on NHS trusts in England?
We regularly receive complaints about FOI compliance, particularly around timeliness of responses and associated backlogs. These issues not only frustrate requesters but also put organisations at risk of enforcement action.
As part of our regular monitoring in this space, we issued enforcement notices to University College London Hospitals NHS Foundation Trust and Portsmouth Hospitals University NHS Trust earlier this year - both for having poor FOI compliance and backlogs dating back several years.
In our continued attempt to get a better picture of compliance in this space, we decided to take a wider look at other trusts across England. Our goal: to identify both strengths and areas for improvement, so we can share learnings and better target our support and guidance.
Using our FOI handling performance template, we selected a representative sample – 31 trusts, or around 15% of NHS trusts across England, varying in size and location. We visited eight of these trusts to hear directly from staff about their experiences, challenges, and successes.
We also reviewed our casework data and analysed publicly available information to build a comprehensive picture of FOI performance in the sector.
What we found
Rates for compliance with the statutory deadline ranged hugely from 10% to 100%. The average compliance rate across each NHS trust was 82%. We will continue promoting our tools to help this improve.
Within our sample, smaller NHS trusts appeared to perform better than larger trusts:
- Small trusts (less than 5,000 employees) had an average compliance rate of 92% and a backlog of three requests
- Medium trusts (5,000 to 10,000 employees) had an average compliance rate of 83% and a backlog of 13 requests
- Large trusts (with over 10,000 employees) reported an average compliance rate of 71%, alongside a backlog of 86 requests.
Based on our sample and the complaints closed during the 2024/25 financial year, the data indicates that only around 0.4% of FOI requests received by NHS trusts in England result in a complaint being dealt with by the ICO – suggesting that on the whole, NHS trusts are doing pretty well.
However, there are clear challenges that several trusts brought to our attention:
- An increase in the volume and complexity of requests without an increase in resources and capacity to deal with them.
- Priority cannot be given to FOI over care when information requested needs to be provided by a frontline health professional.
- Concerns that releasing information about IT systems and cyber security may leave trusts vulnerable to cyber-attacks.
Action we’ve taken
We identified a small number of trusts who need to take immediate steps to improve their FOI compliance. This relates to extensive backlogs of FOI requests and prolonged wait times for responses. As a result, we’ve taken regulatory action to help them make the necessary improvements:
- Nottingham University Hospitals NHS Trust - Significantly low compliance rate of 17% and almost 200 requests over a year old - resulting in an enforcement notice.
- Manchester University Hospitals NHS Trust – Some shortcomings in relation to FOI compliance, however steady improvements are being made – resulting in a practice recommendation.
- Greater Manchester Mental Health Trust – Progress made following a 2022 independent review. However, between April 2024 and May 2025, we received six complaints about delayed FOI responses. The Trust admitted to having backlog of 20 requests, including five over nine months old in the final financial quarter of 2024/25 – resulting in a practice recommendation.
- Guys & St Thomas NHS Trust – Significant backlog of FOI requests, resulting in a compliance rate of just 33% in March 2024. This has since improved to 61% in May 2025 and the Trust is in communications with the ICO on ways to further improve its resilience and future compliance – resulting in a practice recommendation.
What can NHS trusts learn?
Following this deep-dive and enforcement action taken as a result, we encourage all trusts to:
- Put thorough processes in place for FOI request handling across service areas with a minimal impact on frontline staff where possible.
- Establish network of contacts and dedicated FOI champions considering frequent movement of staff in healthcare environment.
- Raise awareness to improve understanding of how FOI operates in relation to requests from companies seeking commercial information.
- Publish commonly requested information such as that relating to agency staff, recruitment, prescribing, waiting lists and in-sourcing/out-sourcing.
- Make sure senior leaders have regular sight of their organisation’s performance against its statutory duties so they can take early action when needed.
What’s next?
We face record levels of complaints and significant pressure on our resources, but we will continue to focus as much as possible on addressing systemic issues within public sector bodies.
In a direct response to feedback from FOI practitioners in NHS trusts across England, we are actively exploring new ways to provide targeted support, including:
- Guidance on IT system disclosures - helping organisations understand what information can be safely released without increasing the risk of cyber-attacks.
- Bitesize, sector-specific resources - building on recent messaging guidance for GPs, we aim to expand this approach to other sectors.
Beyond this, we continue to monitor and engage with a wide range of sectors to ensure strong compliance with FOI legislation and where necessary, we will take action to drive improvement. For example, we recently issued practice recommendations to both the Attorney General’s Office and the Cabinet Office, highlighting areas for development and offering support to implement change.
We remain committed to supporting public bodies in meeting their FOI obligations, even in the face of growing pressures. By listening to practitioners, tailoring our guidance, and taking action where needed as we aim to uphold transparency and accountability across the public sector.