“promptly and in any event…”

The Freedom of Information Act 2000 section 10(1) says:

a public authority must comply with section 1(1) promptly and in any event not later than the twentieth working day following the date of receipt.

In their guidance on time limits for compliance with the Freedom of information Act, the Information Commissioner’s Office maintains that the requirement to respond “promptly” is separate and additional to the duty to respond “not later than the twentieth working day”:

21. The obligation to respond promptly means that an authority should comply with a request as soon as is reasonably practicable.
22. Whilst this is linked to the obligation to respond within 20 working days, it should be treated as a separate requirement.
23. An authority will therefore need to both respond promptly and within 20 working days in order to comply with section 10(1).
24. Authorities should regard the 20 working day limit as a ‘long stop’, in other words the latest possible date on which they may issue a response.
25. It also follows that an authority which provides its response close to, or on, the final day of the 20 working day limit ought to be able to both account for, and justify, the length of time taken to comply with the request.

Fine and dandy so far; “promptly” and “not later than the 20th working day” are separate.
The Data Protection Act section 7(8) says:

a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

Ah, “promptly and in any event“, that phraseology is familiar. So I guess that these are two separate requirements, yes? Authorities should respond to simple / easy Subject Access Requests under the Data Protection Act “promptly” and thus well before the “prescribed period” (40 days) long stop, yes?
Here’s what the Information Commissioner’s Office has to say in their Subject Access Code of Practice.

The duty to comply promptly with a SAR clearly implies an obligation to act without unreasonable delay but, equally clearly, it does not oblige you to prioritise compliance over everything else. The 40-day long-stop period is generally accepted as striking the right balance in most cases between the rights of individuals to prompt access to their personal data and the need to accommodate the resource constraints of organisations to which SARs are made. Provided that you deal with the request in your normal course of business, without unreasonable delay, and within the 40-day period, you are likely to comply with the duty to comply promptly.

So for SARs the ICO defines “promptly” as “within the 40-day period.
I asked the ICO about this, and they said:

Having considered your request, we have come to the view that any differences to the text in the guidance you cite are superficial rather than of any real substance, and simply reflect the fact that they were drafted by different people at different times, about different legislation, hence are not identically worded.
Although the promptness reference is explained in slightly different terms in our data protection and freedom of information guidance we do not consider that there is any difference in the position we take. Both are explained as being ‘long-stop’ provisions, indicating that 20 or 40 working days is the maximum amount of time that can be taken to respond. The FOI guidance states that public authorities will need to be able account for or justify the length of time taken to comply and the DPA guidance states that SARs need to be dealt with both within 40 days and without unreasonable delay. This goes to the same point, that the time taken to respond has to be reasonable/justifiable as well as within 20/40 days in order for the response to be considered as prompt.

I respectfully disagree. The ICO’s FOI guidance states that authorities will have to prove that they comply with both the requirement to respond “promptlyand the requirement to respond “not later than the twentieth working day“. Yet the ICO’s SAR Code of Practice states that provided a data controller has responded within the 40 working day limit, they will automatically have complied with the duty to respond “promptly“.

A mountain out of a molehill, perhaps, an esoteric difference – but I wonder why the ICO are taking the line that responses to subject access requests don’t have to be supplied any more promptly than 40 days. If Parliament had meant purely “within 40 days” they would no doubt have said just that and left the “promptly and in any event” out. No doubt that’s the ICO’s reasoning for time limits for Freedom of Information. So why so different for Subject Access Requests?

No doubt there are more important things to worry about, I know, but this bugs me. I’ve got it out of my system for a while now, I’ll shut up, don’t worry.


The esteemed Jon Baines has drawn my attention to the Tribunal caselaw on the subject.

Jon Baines’ blog on the subject is informative. My summary of the Judge’s decision is this:

  • It takes time to do a proper FOI response, check it throughly and do a good job
  • Promptly” doesn’t mean immediately, it is more akin to “without delay
  • In the case he was looking at, it had been responded to “promptly” because it was “well within” the 20 working day limit
  • There may be other cases where an authority will have to account for the time it took to respond

I guess that this says that there “may” be times when the Authority hasn’t responded “promptly” even where it has met the 20 working day long stop so is in keeping with the ICO’s guidance on FOI timescales, but it’s not exactly definitive…