Earlier this year, the Information Commissioner's Office (ICO) published a guidance document recommending some steps for public authorities (Authorities) to take when entering into outsourcing arrangements to help them comply with their freedom of information obligations.

This guidance has been issued in the context of wider discussions around how to achieve greater transparency about the services and functions outsourced by Authorities and the role that the Freedom of Information Act 2000 (FOIA) plays in this. This note deals with the recommendations made in relation to the contracting process. More general information on these discussions can be found here and here.

Transparency by design

There have been growing calls for greater transparency around how suppliers deliver outsourced services, in particular given the desire for public scrutiny around how tax payers' money is spent.

The ICO recommends that Authorities should adopt a "transparency by design" approach when drawing up an outsourcing contract. In particular, it recommends that Authorities: (a) proactively publish as much information as possible in open formats; (b) are upfront around what in-scope information is held by them and their suppliers; and (c) put in place measures to enable them to respond effectively to FOIA requests. In relation to the latter, the ICO recommends that Authorities seek to agree with their suppliers a general approach to responding to FOIA requests and giving access to information before entering into their outsourcing agreements. The recommended steps are detailed below.

Actions to take during the contracting process

The ICO recommends that Authorities do the following:

  • Agreeing what information is held: The outsourcing contract should define, by way of a broad list, what information regarding the outsourced service is considered to be subject to FOIA [1]. This might include performance data that the Authority has the right to see, information that the Authority passes to the supplier and information that passes from the supplier to the Authority on termination. Such a list would not be definitive and, in the event of a dispute, the ICO would make its own decision as to which information can be withheld and which information must be disclosed. However, the ICO notes that addressing these issues at the outset should: "save time in the long run, remove ambiguities and promote consistency".
  • Consider information held by subcontractors: Information held by a subcontractor may be subject to FOIA. Therefore: (a) the list of FOIA information set out in the contract should include information held by subcontractors; and (b) the contract should include a requirement for the supplier to obtain this information from the subcontractors as required. 
  • Format of information provided: The ICO recommends that the supplier and the Authority use open data formats to improve the usability of the data and ensure greater transparency.
  • Setting out responsibilities in handling FOIA requests: The outsourcing contract should detail the procedures to be followed when a FOIA request is received. This would typically include: (a) obliging the supplier to transfer FOIA requests to the Authority; (b) giving the Authority the sole right to decide what will be disclosed or withheld; and (c) obliging the supplier to assist the Authority in answering requests. The use of standard clauses, such as clause 22 of the Model Services Contract[2], is helpful in setting out the procedures to be followed and the responsibilities of both parties.
  • Considering exemptions: Once the list of information likely to fall within the scope of FOIA has been agreed and documented, the Authority and the supplier should identify potentially sensitive areas and types of information that may be subject to FOIA exemptions [3]. The ICO thinks that this list of potentially exempt information (which may change over the term of the contract) may sit better in a working document rather than the contract itself.

To assist with the above, the ICO has suggested that it may be helpful for the Authority to carry out a "transparency impact assessment" before entering into an outsourcing arrangement, including to identify the types of information that are likely to be generated as part of the outsourcing and the information that is likely to be requested under FOIA.


The ICO's guidance on outsourcing and FOIA does not have the force of law. However, it does provide a benchmark against which an Authority's compliance with FOIA is likely to be evaluated. Therefore, Authorities would be expected to have regard to the recommendations and take the suggested steps towards greater transparency and the inclusion of FOIA-related information in outsourcing contracts.

That said, it remains to be seen how the ICO's recommendations will be implemented by Authorities in practice. Finalising large scale public-sector outsourcings already requires significant time and effort. It will therefore be interesting to see the extent to which, and how, Authorities and suppliers undertake the additional upfront work recommended in the ICO's guidance. Equally interesting to see will be how the ICO treats Authorities who fail to carry out the recommended actions, as this will inevitably influence how Authorities respond to the guidance in the longer term.