Changeflow GovPing Data Privacy & Cybersecurity The Open University FOI Complaint Upheld, Must ...
Priority review Enforcement Amended Final

The Open University FOI Complaint Upheld, Must Issue Fresh Response

Favicon for ico.org.uk ICO Decision Notices
Filed
Detected
Email

Summary

The ICO upheld a complaint against The Open University regarding a Freedom of Information Act request for data security and cybersecurity information. The university had refused to comply, citing section 14 of FOIA (vexatious request). The ICO determined the university is not entitled to rely on section 14. The ICO requires the university to issue a fresh response that does not rely on section 14 of FOIA.

View original document View source feed page

What changed

The ICO's decision notice reverses The Open University's reliance on section 14 of FOIA to refuse an information request about data security and cybersecurity. The university had claimed the request was vexatious, but the ICO found this exemption was improperly applied. The university must now provide a new response to the requester that properly addresses the substance of the request without invoking the vexatious request exception.\n\nAffected parties include public authorities and educational institutions subject to FOIA obligations. They should review their procedures for handling FOI requests and ensure section 14 exemptions are only relied upon where genuinely justified, as the ICO will scrutinize such refusals and require corrective action where the exemption is misapplied.

What to do next

  1. Issue a fresh response to the FOI request
  2. Ensure the fresh response does not rely on section 14 (vexatious request) of FOIA
  3. Comply with FOIA obligations regarding the requested data security and cybersecurity information

Archived snapshot

Apr 14, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

The Open University

  • Date 10 April 2026
  • Sector Education
  • Decision(s) FOI 14: Upheld The complainant has requested The Open University (the university) to disclose information relating to data security and cybersecurity. The university refused to comply with the request citing section 14 of FOIA (vexatious request). The Commissioner’s decision is that the university is not entitled to rely on section 14 of FOIA. The Commissioner requires the university to issue a fresh response in accordance with FOIA which does not rely on section 14.

Named provisions

Section 14 FOIA

Related changes

Favicon for ico.org.uk University of York FOIA Complaint - Not Upheld
Routine Apr 09, 2026 ICO Decision Notices Data Privacy & Cybersecurity
Favicon for ico.org.uk Northamptonshire Police FOI Complaint Upheld - Fresh Response Ordered
Routine Apr 08, 2026 ICO Decision Notices Data Privacy & Cybersecurity
Favicon for ico.org.uk ICO Upholds Complaint - Queen Mary University Failed to Respond to FOIA Request
Priority review Apr 10, 2026 ICO Decision Notices Data Privacy & Cybersecurity

Get daily alerts for ICO Decision Notices

Daily digest delivered to your inbox.

Free. Unsubscribe anytime.

Source

Favicon for ico.org.uk
ICO Decision Notices ico.org.uk/action-weve-taken/decision-notices
Data Privacy & Cybersecurity

About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free. Our mission

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from ICO.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Last updated

Press inquiries →

Classification

Agency
ICO
Filed
April 10th, 2026
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Educational institutions Public companies Government agencies
Industry sector
6111 Higher Education
Activity scope
FOI compliance Information requests Public authority obligations
Geographic scope
United Kingdom GB

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Freedom of Information Education

Browse Categories

Agriculture & Food Safety 64 AI Regulation 3 Banking & Finance 291 Consumer Protection 44 Courts & Legal 361 Data Privacy & Cybersecurity 73 Defense & National Security 51 Education 19 Energy 100 Environment 86 Environmental Regulation 8 Financial Regulation 2 Government & Legislation 279 Healthcare 136 Housing 16 Immigration 8 Insurance 58 Labor & Employment 113 Pharma & Drug Safety 104 Public Health 2 Securities & Markets 103 Securities Regulation 6 Tax 65 Telecom & Technology 47 Trade & Sanctions 135 Transportation 57

Get alerts for this source

We'll email you when ICO Decision Notices publishes new changes.

Free. Unsubscribe anytime.

You're subscribed!