A whistle-stop tour of the US Freedom of Information Act

The US Freedom of Information Act is important for promoting government transparency and accountability. With over 100 federal agencies which fall under the scope of the FOIA and enacted in 1967, the law allows citizens to remain informed on federal government activity and enables them to hold officials accountable. 

FOIA requests have been steadily increasing over the past few years, with departments like the Department of Homeland Security and the Department of Justice receiving the largest volume of requests per year. 

Under the law, federal agencies must disclose any information requested (barring any of the 9 listed exemptions). Fulfilling obligations under the Act does not need to be overly burdensome and agencies can comply with the law while still keeping personal or sensitive data secure. 


Who can make FOIA requests?

FOIA requests can be made by “any person”, regardless of citizenship - including:

  • Private individuals, including foreign citizens,

  • Universities,

  • Corporations,

  • Partnerships, 

  • Associations,

  • Businesses, and 

  • State, local, or foreign governments.

Exceptions to who is considered “any person” includes cases in courts concerning fugitives, and foreign governments making requests to US intelligence communities.

FOIA requests must be made in writing and contain reasonable descriptions of the records being requested - most times, these can be received either online, through email, or fax. There is no central authority to handle FOIA requests and so requests are addressed to the specific agency. 


What information can be released?

As per the FOIA, requesters are entitled to request “agency records”. What constitutes “agency records” rests on a two-part test:

  1. Records are created or obtained by an agency. This can include photographs, videos, print documents, emails and electronic records.

  2. Under agency control at the time of the FOIA request. This means that the agency is within its rights to factor in whether the record is heavily read or relied on in-house, or to what extent it is integrated into its record-keeping system. The intent of the record’s creator to perhaps retain or relinquish control can also be considered, and/or the agency can decide to use or dispose of the information altogether if they deem necessary.

However, there are 9 exceptions to what information can be released: 

  1. Classified national defence and foreign relations information,

  2. Internal agency rules and practices,

  3. Information that is prohibited from disclosure by another law,

  4. Trade secrets and other confidential business information,

  5. Inter-agency or intra-agency communications that are protected by legal privileges,

  6. Information involving matters of personal privacy,

  7. Certain information compiled for law enforcement purposes,

  8. Information relating to the supervision of financial institutions, and/or

  9. Geological information on wells.

Additionally, there are three special law enforcement record exclusions, including ongoing criminal investigations, informant records, and FBI/foreign intelligence records. Federal agencies are entitled to withhold information which they believe could harm someone protected by these exemptions. 

The Act does not require agencies to create new records, conduct research, analyse data, or answer questions when responding to requests.

Provided the request made falls outside one of the exceptions and the agency is considered to have sufficient control over the records, agencies must respond to the request within 20 working days. 

In certain circumstances, the request can be processed on an expedited basis. For example, if not completing the request poses a threat to someone’s life or physical safety, or if there is an urgent need to inform the public about an actual or alleged Federal Government activity - primarily by journalists. 


What does the law say about children’s data?

In the UK, although The Online Safety Bill is still being discussed, we do not yet have legislation that specifically addresses how children’s data is handled. But, the UK GDPR and the Data Protection Act 2018 outline how to handle the sensitivity of children’s data. 


How to respond to a video FOIA request: step-by-step

Step 1: Log the request and send an acknowledgement letter with a tracking number. 

Step 2: Verify the identity of the requester or their authorisation to request information about another person.

Note: if the information being requested relates to another person and could invade their privacy, you are entitled to not fulfil the request. 

Step 3: Determine if the requested information is already publicly available.

Step 4: Use Secure Redact to redact personal data in videos. You can review and adjust the privacy masking to your specified and requested needs (e.g. making one person visible whilst everyone else is blurred).

Step 5: Download the redacted video and provide the information to the requester, explaining any redactions or exemptions.

Step 6: Log and close the request.

If the applicant is unhappy with their response, they may submit an administrative appeal. Provided the reasons for non-disclosure are covered under the exemptions, there should be no need to worry. 

Regardless of the particular exemption that may apply, it is essential to keep open communication with the applicant and explain both how the Act works and why their specific information cannot be provided.


Need help with automated video redaction for FOIA requests?

Previous
Previous

The HITECH Act: safeguarding patient privacy in the digital age

Next
Next

Is your business prepared for the CCPA/CPRA?