When might we disclose documents to the public?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
You are responsible for complying with your obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018) and, where relevant, other information rights legislation, including the Freedom of Information Act 2000 (FOIA). Whilst we make every effort to make sure this guidance is accurate at the time of publication (31 July 2025), we make no guarantees or representations that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice before disclosing information in the specific circumstances. If you would like to suggest improvements to this guidance, please leave us feedback.
When might we disclose documents to the public?
This guidance will help you if you are disclosing documents to the public. Any organisation may disclose documents to the public generally, for example, if publishing information online.
Public authorities also have specific responsibilities under FOIA and the Environmental Information Regulations 2004 (EIR) to respond to requests for information and proactively publish certain information. FOIA also includes specific requirements about providing certain datasets in a reusable format.
Public authorities may publish information online (eg under a publication scheme, in a disclosure log, or via a third-party platform such as What Do They Know). All disclosures made under FOIA or EIR are considered disclosures to the public generally, rather than a disclosure to a requester only.
Public sector bodies covered by the Re-use of Public Sector Information Regulations 2015 (RPSI) may also receive requests to re-use information that they produce as part of their public task. However, RPSI does not normally apply to information that is exempt from disclosure under information access legislation. Personal information is not subject to RPSI regulations if access to that information is excluded or restricted under information access legislation, or incompatible with data protection legislation.
Organisations may also disclose documents to specific members of the public, rather than the wider public. For example, organisations may disclose documents to update a customer, or to respond to a subject access request (SAR) under data protection legislation.
When do we need to remove personal information from documents before disclosing them?
Before disclosing documents that include personal information, you must generally:
- make sure you comply with the data protection principles and individual rights before disclosing any personal information;
- only disclose personal information if you can do so lawfully, fairly and transparently; and
- consider any relevant individual rights, such as the right to object.
Organisations responding to SARs may find that the personal information requested also contains the personal information of another person. The other person’s personal information is exempt from disclosure under the Data Protection Act 2018 (DPA 2018) unless either the other person consents, or it is reasonable to disclose the information without their consent.
If you are a public authority, personal information is exempt from disclosure under section 40 of FOIA and regulation 13 of EIR, if certain conditions apply.
When considering a request for re-use of public sector information under RPSI regulations, public authorities should consider whether the request includes personal information. Personal information is not subject to RPSI regulations if access to that information is:
- excluded or restricted under information access legislation; or
- incompatible with data protection legislation.
This guidance provides examples of ways to remove personal information from a copy of the document before disclosure, where appropriate. When deciding whether this is appropriate, you must comply with relevant obligations under UK GDPR and relevant information access legislation. You could use a retention schedule to help you know when it is appropriate to remove personal information permanently.
Further reading – ICO guidance
- Freedom of information guidance and resources
- Publication schemes: a guide
- Datasets (sections 11, 19 and 45)
- Guide to the Environmental Information Regulations
- Section 40 and Regulation 13 – personal information
- Guide to RPSI
- A guide to the data protection principles
- Lawful basis
- Individual rights - guidance and resources
- Subject access requests (also known as SARs or right of access)
- Data sharing: a code of practice