Changeflow GovPing Data Privacy & Cybersecurity ICO Decision: DfC breached FOIA for Universal C...
Routine Enforcement Amended Final

ICO Decision: DfC breached FOIA for Universal Credit info

Favicon for ico.org.uk ICO Decision Notices
Filed March 12th, 2026
Detected March 17th, 2026
Email

Summary

The UK's Information Commissioner's Office (ICO) found the Department for Communities (DfC) breached the Freedom of Information Act (FOIA) by failing to confirm it held requested Universal Credit information within 20 working days and by not issuing a timely refusal notice. No further steps are required.

View original document View source feed page

What changed

The Information Commissioner's Office (ICO) has issued a decision notice finding that the Department for Communities (DfC) breached sections 1 and 10 of the Freedom of Information Act (FOIA) by failing to confirm it held requested information about Universal Credit claimants within the statutory 20-working-day period. Additionally, the DfC breached section 17 of the FOIA by failing to issue a timely refusal notice, specifically citing section 12 (appropriate limit) as justification for not providing the information. Although the DfC eventually provided the information and confirmed it held it at the time of the request, the Commissioner determined these procedural failures constituted a breach.

While the ICO found breaches occurred, it has decided not to require any further steps to be taken by the DfC. This decision implies that while procedural compliance failures were identified, the subsequent actions of the DfC in providing the information and the nature of the breaches did not warrant mandatory corrective actions or penalties. Regulated entities, particularly government agencies, should note that failure to adhere to FOIA timelines and proper refusal notice procedures can result in a finding of breach, even if the information is eventually disclosed.

Source document (simplified)

Department for Communities

  • Date 12 March 2026
  • Sector Central government
  • Decision(s) FOI 1: Upheld, FOI 10: Upheld, FOI 17: Upheld The complainant requested information about Universal Credit claimants. The Department for Communities (DfC) stated that it did not hold the information requested. During the course of the Commissioner’s investigation DfC confirmed that it did hold the information requested at the time the request was received. It stated that it should have issued a refusal notice relying on section 12 (appropriate limit) of the FOIA as compliance with the request would have exceeded the appropriate limit. In addition, DfC provided the information requested during the course of the Commissioner’s investigation. The Commissioner’s decision is that DfC breached sections 1 and 10 of FOIA as it failed to confirm the requested information was held within 20 working days of receipt of the request. The Commissioner also finds that DfC breached section 17 of the FOIA for failing to issue a refusal notice stating it was relying on section 12 of the FOIA within the appropriate time limit. The Commissioner does not require any steps to be taken as a result of this notice.

Related changes

Favicon for ico.org.uk ICO Decision Notice: Council Failed to Respond to FOI Request
Priority review Mar 17, 2026 ICO Decision Notices Data Privacy & Cybersecurity
Favicon for ico.org.uk ICO Upholds FOI Complaint Against Epping Forest Council
Priority review Mar 17, 2026 ICO Decision Notices Data Privacy & Cybersecurity
Favicon for ico.org.uk ICO Decision Notice: Mid Sussex District Council - EIR Request
Routine Mar 17, 2026 ICO Decision Notices Data Privacy & Cybersecurity
Favicon for www.revenue.nh.gov NH Revenue Administration Hires New Assistant Commissioner and Director
Routine Mar 17, 2026 www.revenue.nh.gov Tax
Favicon for tax.hawaii.gov State Office Closure Due to Severe Weather
Routine Mar 17, 2026 tax.hawaii.gov Tax
Favicon for www.oregon.gov Oregon State PUC Website Error
Routine Mar 17, 2026 Rulemakings.aspx Energy

Source

Favicon for ico.org.uk
ICO Decision Notices ico.org.uk/action-weve-taken/decision-notices
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
ICO
Filed
March 12th, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Minor

Who this affects

Applies to
Government agencies
Geographic scope
gb

Taxonomy

Primary area
Government Contracting
Operational domain
Compliance
Topics
Information Access Public Administration

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 163 Consumer Protection 29 Courts & Legal 206 Data Privacy & Cybersecurity 58 Defense & National Security 48 Education 20 Energy 93 Environment 81 Government & Legislation 240 Healthcare 104 Housing 15 Immigration 8 Insurance 16 Labor & Employment 104 Pharma & Drug Safety 68 Securities & Markets 69 Tax 48 Telecom & Technology 34 Trade & Sanctions 113 Transportation 53

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when ICO Decision Notices publishes new changes.

Free. Unsubscribe anytime.