Type to search

Partnership & Enquiries

Email: info@privacyneedle.com

Contact Us
Legislation & Policy

How Long Do Organisations Have to Respond to FOI Requests? UK 20 Day Rule Explained (2026)

Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited April 15, 2026
Share
How Long Do Organisations Have to Respond to FOI Requests

If you are asking how long organisations in the UK have to respond to Freedom of Information requests, the answer is straightforward:

Most public authorities must respond within 20 working days.

This rule comes from Section 10 of the Freedom of Information Act 2000 (FOIA) and applies to councils, government departments, NHS bodies, schools, police forces, universities, and other public authorities.

In this detailed 2026 guide, we explain the UK’s 20 day FOI rule, when extensions are allowed, what happens if an authority delays, and what rights requesters have.

Quick Answer: What Is the UK 20 Day FOI Rule?

Under the Freedom of Information Act 2000, organisations normally have:

20 working days to respond to an FOI request

This means:

  • weekends do not count
  • bank holidays do not count
  • the countdown starts on the first working day after receipt

Public authorities in the UK must usually respond to Freedom of Information requests within 20 working days under the Freedom of Information Act 2000. The clock starts on the first working day after the request is received.

What Counts as a “Working Day”?

A working day means:

  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday

excluding:

  • Saturdays
  • Sundays
  • public holidays
  • bank holidays

For example:

If you submit an FOI request on Friday, day 1 is Monday.

If you submit it on a Sunday, day 1 is still Monday.

FOI Response Time Table

Request SentDay 1 StartsLatest Standard Response Date
MondayTuesday4 weeks later (approx.)
FridayMonday4 weeks later (approx.)
SundayMonday4 weeks later (approx.)

Because it is based on working days, the actual calendar time is usually around 28 to 30 days.

The Law Behind the 20 Day Rule

The legal basis is Section 10 of the Freedom of Information Act 2000.

The ICO explains that organisations must respond:

promptly and no later than the twentieth working day following receipt

This applies whether the response is:

  • disclosure of the information
  • confirmation information is not held
  • refusal notice
  • request for clarification

The 20 day period is considered the maximum standard limit, not the target.

Authorities are still expected to reply as soon as reasonably practicable.

Important: It Is 20 Working Days, Not 20 Calendar Days

This is one of the most common misunderstandings.

Many people wrongly assume 20 days means less than three weeks.

It actually means 20 business days, which is closer to four weeks.

Example

Request submitted: 1 April 2026 (Wednesday)
Day 1: 2 April 2026 (Thursday)
Expected deadline: around 29 April 2026

This excludes weekends and public holidays.

Can Organisations Take Longer Than 20 Days?

Yes, but only in specific circumstances.

1. Public Interest Test Extension

Where the authority needs more time to consider whether an exemption applies and the public interest test must be assessed, they may extend the deadline.

The ICO states this is usually:

up to an additional 20 working days

This means the total may become 40 working days.

Example Situations

  • national security concerns
  • law enforcement exemptions
  • commercial confidentiality
  • policy discussions
  • third party consultations

2. Clarification Needed

If your request is unclear, the authority can pause the clock and ask for clarification.

The response period does not begin until clarification is received.

Example:

Instead of asking:

“Send all records”

Ask:

“Please provide all email correspondence relating to the data breach investigation between January and March 2026.”

This makes it easier to process.

Real World Example

A council receives an FOI request asking for:

“all complaints made about CCTV surveillance policy in 2025”

Because the request is clear and specific, the council must respond within 20 working days.

If it intends to withhold part of the information using an exemption, it still must issue a response or notice within that timeframe.

What Happens If They Miss the Deadline?

If the organisation fails to respond within 20 working days, it may be in breach of FOIA.

The first step is usually to request an internal review.

Internal Review Time

The ICO recommends internal reviews should usually be completed within:

20 working days

and in complex cases no more than:

40 working days

When to Escalate to the ICO

If the authority still does not respond, you can complain to the Information Commissioner’s Office (ICO).

The ICO regulates FOI compliance in the UK and can investigate delayed or unlawful refusals.

This is especially useful where:

  • the deadline has passed
  • no refusal notice was given
  • the authority is ignoring follow ups
  • excessive delays continue

Special Rule for Schools

Schools sometimes operate under a slightly different timeframe.

The ICO notes that for schools the response time may be:

20 school days or 60 working days if shorter

This is an important exception in 2026 searches.

FOI vs SAR Response Time

People often confuse FOI requests with Subject Access Requests (SARs).

TypeTime Limit
FOI request20 working days
SAR under UK GDPR1 calendar month

FOI concerns public information.

SAR concerns your personal data.

This distinction is critical for privacy and data protection compliance content.

FAQ

How long do UK councils have to reply to FOI requests?

Usually 20 working days.

Is it 20 days or 20 working days?

It is 20 working days, excluding weekends and bank holidays.

Can they extend beyond 20 days?

Yes, where exemptions require a public interest assessment, usually up to 40 working days total.

What if they ignore my FOI request?

Ask for an internal review, then escalate to the ICO if necessary.

Final Expert Verdict

In 2026, the UK FOI response rule remains clear:

20 working days is the standard legal deadline

However, organisations may lawfully extend this in limited circumstances involving exemptions, public interest assessments, or unclear requests.

For requesters, understanding this rule helps you know when a delay is lawful and when it may amount to non compliance.

  1. Information Commissioner’s Office (ICO): https://ico.org.uk
  2. UK Freedom of Information Act 2000: https://www.legislation.gov.uk/ukpga/2000/36/contents
Tags:
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited

Ikeh James Ifeanyichukwu is a Certified Data Protection Officer (CDPO) accredited by the Institute of Information Management (IIM) in collaboration with the Nigeria Data Protection Commission (NDPC). With years of experience supporting organizations in data protection compliance, privacy risk management, and NDPA implementation, he is committed to advancing responsible data governance and building digital trust in Africa and beyond. In addition to his privacy and compliance expertise, James is a Certified IT Expert, Data Analyst, and Web Developer, with proven skills in programming, digital marketing, and cybersecurity awareness. He has a background in Statistics (Yabatech) and has earned multiple certifications in Python, PHP, SEO, Digital Marketing, and Information Security from recognized local and international institutions. James has been recognized for his contributions to technology and data protection, including the Best Employee Award at DKIPPI (2021) and the Outstanding Student Award at GIZ/LSETF Skills & Mentorship Training (2019). At Privacy Needle, he leverages his diverse expertise to break down complex data privacy and cybersecurity issues into clear, actionable insights for businesses, professionals, and individuals navigating today’s digital world.

    • 1
Previous Article

You Might also Like

Who regulates GDPR in the UK?
Who Regulates Data Protection in the UK? Full Guide to the ICO, UK GDPR and Your Rights (2026)
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited April 15, 2026
Regulates Data Protection in the UK
Who Regulates Data Protection in the UK?
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited April 15, 2026
Nigerian Banks with the Highest Mobile App Security
Nigerian Banks with the Highest Mobile App Security in 2026
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited April 14, 2026
Nigerian Payment Gateways Comparison:
Nigerian Payment Gateways Comparison: Security and Features
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited April 13, 2026

Leave a Reply

Your email address will not be published. Required fields are marked *

  • Rating

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Popular Posts

You Should Read the Terms & Conditions
Why You Should Read the Terms & Conditions (At Least Once)
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited December 15, 2025
privacy_by_design_2025
How to Integrate Privacy by Design Into Your Tech Stack in 2025 | (Download The PDF Checklist)
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited September 29, 2025
Meta’s New Privacy Policy Under Fire – What Users Should Know
Meta’s New Privacy Policy Under Fire – What Users Should Know
mistura bolarinwa October 1, 2025
NIST Cybersecurity Framework Explained
Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited September 25, 2025

Related Stories

Who regulates GDPR in the UK?
Who Regulates Data Protection in the UK? Full Guide to the ICO, UK GDPR and Your Rights (2026)
Regulates Data Protection in the UK
Who Regulates Data Protection in the UK?
Nigerian Banks with the Highest Mobile App Security
Nigerian Banks with the Highest Mobile App Security in 2026
Nigerian Payment Gateways Comparison:
Nigerian Payment Gateways Comparison: Security and Features
About Us | Contact | Privacy Policy | Disclaimer © All rights reserved Privacy Needle 2025.