The Information Commissioner has ordered the Department for Business and Trade (DBT) to retrosepectively review thousands of Freedom of Information responses over concerns that they may be inadequate following the machinery of government (MoG) reorganisation of February 2023 and warned other departments subject to MoG reorganisation that the problem may extend beyond the DBT.
The DBT was established in February 2023 when the Department for Business, Energy and Industrial Strategy (BEIS) and the Department for International Trade (DIT) were divided into three new departments: DBT, the Department for Energy Security and Net Zero (DESNZ) and the Department for Science, Innovation and Technology (DSIT). DBT inherited all former DIT records and some relating to its responsibilities following the transfer of functions from the former BEIS.
The enforcement notice traces its origins to a complaint about a single FOI request submitted on 8 August 2024. During the course of the Commissioner's investigation, DBT provided submissions explaining in detail how the time taken to carry out the association of records with relevant departments meant that an inadequate search had been conducted in response to that request. This, it said, had since been rectified as a result of activities undertaken between February and May 2025.
Digital archives were migrated from the former BEIS into DBT as late as November 2024. Paper records associated with DBT were not formally identified until February 2025, and the formal transfer agreement officially transferring them to DBT did not occur until 8 July 2025, more than two years after the department was created.
DBT's Records and Knowledge Team was aware that DIT had file collections held by an external information management company, Restore, but did not hold catalogue lists of which paper records were being held on its behalf. As a result, when FOI requests came in during that period, searches were conducted against an incomplete picture of what the department actually held.
Having established that individual requests had been inadequately handled, the Commissioner turned to the systemic question: how many requests submitted since February 2023 might similarly have received responses that failed to consider all the information DBT held?
The Commissioner met with DBT on 20 June 2025. DBT stated that it was confident it was now aware of all its records but could not confirm that requests submitted prior to 11 June 2025 had all been responded to fully, due to it not being aware of all the information held.
DBT's own assessment, provided to the Commissioner in September 2025, pointed to a rapidly growing caseload. Requests to the department had increased year on year by 62% from 2023 to 2024, with a further projected 20% increase from 2024 to 2025 and it argued that resource was better directed at its current caseload than a retrospective review of closed cases.
DBT conducted a keyword search of the 223 requests that had been subject to internal review from 1 January 2022 to 11 June 2025, and concluded that 37 required further assessment. After applying exclusions - including cases relying on section 12 (cost limit) and section 14 (vexatious requests), cases already referred to the ICO, and cases where no new information would affect the outcome - DBT concluded that "minimal retrospective action is required".
The Commissioner did not accept that analysis. The Commissioner does not accept that DBT has no obligation to retrospectively review cases for which it may have held information that it was unaware of at the time of its responses. This is particularly relevant for those applicants who accepted the responses provided by DBT and did not complain to the Commissioner about the outcomes.
The Commissioner also rejected DBT's position that only those requests that had been subject to internal review should be considered. Whether or not an internal review was requested does not indicate that only those requests should be revisited. Requestors who did not seek an internal review should not be disadvantaged as a result of not being aware there may have been grounds to challenge the initial response.
The Commissioner considered the appropriate timeframe for retrospective review to be from the inception of DBT following the MoG changes through to the point it had full operational control of its records: February 2023 to 11 June 2025.
The ICO ordered that DBT must have revisited all FOIA and Environmental Information Regulations requests submitted between 7 February 2023 and 11 June 2025, and must have contacted requestors on all requests it considers were not previously subject to adequate searches by 31 December 2026. Requestors must be asked whether they wish DBT to revisit their requests, and given one calendar month to respond. Where requestors accept that offer, DBT must provide a substantive reconsidered response within 20 working days of receiving the reply. Requests where DBT applied section 12 or section 14 of FOIA, and requests already the subject of a section 50 complaint to the Commissioner, may be excluded.
DBT is also required to provide monthly progress updates to the Commissioner from 1 June 2026 until the steps are fully complete.
The Commissioner expressed concern that other departments could be affected by MoG changes resulting in searches for information being hindered or restricted, and noted that MoGs differ in scale, with some creating minor internal moves and others creating multiple department shifts.
DBT is required by 1 June 2026 to share its lessons learned activity with the Cabinet Office so that it can be considered in terms of the support offered to other departments when any future MoG changes take place. The Commissioner noted that DBT's existing lessons learned exercise focused on the general transfer of records and did not specifically cover FOI matters, a gap he considered needed to be addressed. The ICO added that any government departments subject to MoG changes in future should be made aware of the lessons learned exercises that have taken place so that they consider as swiftly as possible how best to handle their FOIA and EIR responsibilities.
The full enforcement notice (reference ENF0988377) is available on the ICO's website.
