
How to comply with your information request obligations at a time of organisational change

During organisational change, when do we have to comply with our information request obligations?

When new public authorities are created or existing ones merge, it is important to know when your organisation is covered by information rights law.

Many new organisations are subject to these laws from the date they are established as a legal entity by legislation.

For merged organisations, these laws may come into effect immediately. They are covered by information rights law in the new form from the first day of operation, for example, when:

  • machinery of government changes;
  • local government organisations merge; or
  • local government organisations set up new bodies.

However, these circumstances do not apply to every organisation. You should refer to the relevant legislation to ensure you are complying with your statutory duties.

What issues do we need to consider about meeting our obligations during organisational change?

It is crucial, particularly at times of change in service delivery, that you meet your statutory information request obligations. This means that requesters are not disadvantaged by receiving responses late or not at all.

Public authorities can encounter a number of issues in complying with information rights laws following a change, including:

  • uncertainty about which organisations hold pieces of information after a transition;
  • information rights teams being split up and losing expertise; and
  • delays in setting up new teams that can process requests.

How will this guide help us meet our obligations?

This guide will support you as a new or merged organisation in complying with your obligations to respond to:

  • information requests under the Freedom of Information Act (FOIA);
  • information requests under the Environmental Information Regulations (EIR); and
  • subject access requests under the UK General Data Protection Regulation (UK GDPR).

It specifically covers information management and handling information requests, looking at what you should aim to achieve and the actions you should take to do this.

These are circumstances many organisations face but we do not cover every scenario. Refer to the relevant legislation when considering the individual circumstances of your organisational change and seek independent legal advice as necessary.

As the regulator, we consider the specific circumstances caused by any changes, but we expect you to comply with the individual information rights provided by the legislation during times of organisational change and may consider enforcement action if appropriate.

Information management

What should we aim to achieve?

This section covers how you can ensure legal compliance and good practice in information management. This covers your considerations about who holds information following an organisational change.

You should aim to:

  • have robust and legally compliant information management processes that ensure information is not lost and is readily accessible so you can provide it in response to information requests without delay; and
  • For merged organisations – still apply all principles of good information management throughout a period of transition.

How can we achieve this?

You should take the following actions:

  • Establish what information is held, where it is held, and ensure it is accessible to information request handlers.
  • Have governance procedures in place, such as an information asset register. You should include clear instructions covering information retention and deletion schedules.
  • Consider your organisation’s approach to proactive publication. As a minimum, you must publish information as part of your statutory duty to adopt and maintain a publication scheme (FOIA) and the requirement to progressively make information available by easily accessible electronic means (EIR).
  • Staff should use corporate communication channels to communicate with colleagues. If staff need to use non-corporate communication channels during the transition period, you should follow our guidance, including:
    • have clear rules around which channels may be permitted;
    • make these channels accessible for searches in response to information requests, where relevant; and
    • have processes to support staff to transfer information back to your corporate record.

For merged organisations

You should take the following actions:

  • Establish a clear consultation process between merging organisations, including information request handlers and subject matter experts. This ensures the transition is efficient and well-communicated and you can clearly identify and mitigate risks.
  • Appoint teams or people responsible for accessing information before, or immediately following, a transition.
  • Understand and communicate how information management changes will impact request handling. This allows staff to respond to requests efficiently.
  • Establish who will hold the information following the transition. (For example, if a service is transferred from organisation A to organisation B, the organisations may agree that all information will be transferred to B, or that historic information will remain with A.)

Under your UK GDPR duties, you should:

  • Update your privacy notice and explain any changes made to the SAR process, including who the contact is.

Handling information requests

What should we aim to achieve? 

This section covers your statutory obligations when handling requests and how organisational change impacts them.

You must aim to:

  • respond to requests promptly and within the statutory deadlines of 20 working days for requests under FOIA or EIR, and one month for subject access requests (SARs) under the UK GDPR; and
  • For merged organisations – you should make sure requesters are not disadvantaged by organisational changes. 

How can we achieve this?

You should take the following actions:

  • Ensure senior leadership understand your organisation’s obligations to provide information, building a culture of transparency. The Commissioner previously outlined this in an open letter from March 2024 asking senior leaders to take transparency seriously. Senior leadership should provide continuous support for staff, including appropriate staff appointments and escalation procedures to oversee these areas.
  • Raise awareness amongst staff and train them about their legal obligation to respond to information requests. Highlight how to recognise a request and where to send it. Your training should cover the criminal offence at section 77 of FOIA and sections 170-173 of the Data Protection Act 2018 (DPA) (as amended by the Data Use and Access Act 2025).
  • Establish a network of colleagues who information request handlers can ask to provide them with information when responding to requests.
  • Share regular information about your statutory compliance duties with senior leaders so they are aware of any issues and can help mitigate any risks quickly.

Under your UK GDPR duties, if you are a joint controller, you must:

    • have a transparent arrangement in place with the other joint controller(s) which sets out how you will deal with SARs. You could choose to specify a central point of contact. However, people must still be able to exercise their rights against each controller.

For merged organisations

You should take the following actions:

  • Where possible, respond to requests before changes come into effect. Take an empathetic approach with requesters. Consider communicating organisational changes and the potential impact this will have for information request handling.
  • If the obligations transfer to the newly merged organisation, you must ensure you don’t extend the timeframe for response. (For example, if an organisation receives a request eight working days before the point of change, the new organisation with responsibility for handling requests about the relevant information will only have 12 working days left to respond if it is an FOIA request, or the remainder of the month since receiving the request for a SAR.)
  • If the obligations don’t transfer to the newly merged organisation, ensure you clearly and promptly explain this to the requester.
  • If a service has moved and information has transferred between organisations, but both organisations still exist, the organisation who originally received the request must search for any information you hold for your own purposes and anything you now hold on behalf of any other organisations. 
    • If you find you hold information, you must deal with that element of the request in the normal way for both FOI requests and SARs. If you find you don’t hold any relevant information either yourself or on behalf of another organisation, you must inform the requester. 
    • If you find information held on behalf of another organisation, or you don’t hold any relevant information, but are aware another organisation does, you should contact the requester promptly. Under your duties to provide advice and assistance under section 16 and in accordance with the section 45 code of practice, you should either:
      • advise the requester to make a new request to the organisation that now holds that information for the purposes of FOIA; or
      • transfer the request to the organisation that now holds the information for the purposes of FOIA. You should only transfer the request with the requester’s consent; some requesters may have concerns about you passing on their details.

Under your UK GDPR duties, you should:

    • confirm to the requester that your organisation doesn’t control any of the information they requested, so you cannot provide a direct response to their request; and
    • advise the requester that you hold information on behalf of another organisation and you can transfer their request to the other organisation for a response.
  • If you find another organisation now holds the information on your behalf, you must seek that information as soon as possible to respond to the request within the relevant deadline.
  • If an organisation has existing complaints with the ICO, you could put a clear process in place to show who is responsible for the complaint case load following transition. You could document and communicate the stage of each complaint, including any relevant legal compliance deadlines (eg with decision, information or enforcement notices). You could also assign a member of staff with appropriate training and knowledge to oversee live tribunal appeals.