When the Isle of Man Information Commissioner upholds a freedom of information complaint, the finding is rarely "you ticked the wrong box". It is usually something more uncomfortable: the authority could not show why it did what it did. Recent decisions point to the same root causes again and again — missed deadlines, exemptions applied without justification, and searches nobody can evidence. These are not FOI admin errors. They are governance failures, and they are fixable.
This matters because freedom of information on the Island is a statutory obligation, not a courtesy. Under the Freedom of Information Act 2015, any person resident in the Isle of Man has the right to request information held by the public authorities listed in Schedule 1 to the Act. If a requester is dissatisfied, they can ask the authority for an internal review and then complain to the Isle of Man Information Commissioner, whose decisions are published. For a public body, that published decision is a matter of record — which is precisely why the reasoning behind every refusal needs to stand up before it is sent, not after.
The scale is real, and so is the scrutiny
Freedom of information is now a steady operational load across Isle of Man Government. The Information Commissioner's Office and the Office of Cyber Security and Information Assurance (OCSIA) publish quarterly statistics, and they show 988 FOI requests in 2025 — broadly in line with recent years (1,075 in 2023, 987 in 2024) — concentrated in the busiest departments such as Infrastructure, Manx Care, Education, Sport and Culture, and the Treasury.
The same figures show where the pressure tells. Around 91% of requests were answered on time over the latest period and roughly 83% were published — which means close to one in eleven responses missed the statutory deadline, and a meaningful share were not published at all. The Commissioner currently has around 25 complaints awaiting investigation. None of that is a crisis, but it is a clear signal: the system works most of the time, and is tested precisely at the points where governance is weakest.
Where authorities keep getting caught out
1. Missing the statutory deadline
The Act sets a statutory time limit of 20 working days for responding, and the Commissioner has been consistent that workload and staffing pressures do not excuse a breach. A late response is the most visible failure of all because it needs no legal argument to establish — the clock either ran out or it did not.
The governance issue underneath is rarely laziness; it is the absence of a system. Authorities that breach deadlines tend to lack request triage, capacity planning, or any integration of FOI into normal operational workflows. The fix is unglamorous and effective: a defined intake-to-response process, ownership, and visibility of where each request sits.
2. Misapplied exemptions and "blanket" refusals
The Act distinguishes absolute exemptions from qualified exemptions, and the two are not interchangeable. Qualified exemptions require a documented public interest test — a reasoned judgement that the public interest in withholding outweighs the public interest in disclosure. The recurring error is treating a request defensively: applying a broad confidentiality exemption across an entire body of material, or failing to distinguish information received from third parties from information the authority created itself.
That is not a defensible position. Misunderstanding the scope of an exemption produces an unlawful refusal, and "we always withhold this kind of thing" is not a public interest test. Defensible practice means mapping each piece of withheld information to a specific exemption and recording the reasoning — what was considered, what was concluded, and why.
3. Searches nobody can evidence
A surprising share of complaints turn not on the law but on records management. Authorities are expected to carry out reasonable searches and to be able to demonstrate what was searched and why. Where the search approach is not reasoned or documented, the authority struggles to show it has actually located everything it holds — and the Commissioner is left unable to accept that it has.
This is a governance gap dressed up as an FOI problem. The remedy is FOI-ready records management: search protocols that are repeatable and auditable, and a simple record of "how we searched and why" attached to each response.
4. The vexatious label, misused
Authorities sometimes try to set aside a request as vexatious. The threshold for doing so is high, and it must be clearly evidenced. Reaching for the label without justification does not make a difficult request go away — it creates a fresh, more challengeable decision, and it can read as a culture resistant to transparency. A clear, evidence-based assessment framework for vexatious requests protects the authority far better than an instinct does.
5. The FOI and data protection overlap
FOI does not operate in isolation from data protection. Responses frequently contain personal data, and the duty of transparency has to be reconciled with obligations under Isle of Man data protection law. Weak redaction and anonymisation — or systems that inadvertently expose information about requesters or third parties — turn an FOI response into a data protection incident. Privacy has to be designed into the FOI process, not bolted on at the end.
From reactive to defensible
The thread running through all of this is the same. The authorities that struggle are not the ones with bad intentions; they are the ones that cannot, when challenged, explain their decisions from their own file. Good FOI governance is simply the ability to answer four questions on demand: What did we consider? What did we conclude? Why? And would the Commissioner understand our reasoning from the record?
Those are not questions you want to be answering for the first time when a complaint lands. They are questions a structured FOI governance framework answers in advance — through documented decision-making, defensible exemption and public-interest assessments, auditable searches, and proactive disclosure that reduces repeat demand.
We help Isle of Man public authorities move from reactive FOI handling to structured, defensible governance that stands up to regulatory scrutiny — decision frameworks aligned to the Act, internal review processes that hold, and the records and reasoning to back them.
Talk to Knight about an FOI governance review for your authority.
Frequently asked questions
Who decides FOI complaints on the Isle of Man?
The Isle of Man Information Commissioner. After a public authority's response and internal review, a dissatisfied requester can complain to the Commissioner, who issues a published decision notice. This is the Isle of Man regulator — separate from the UK's Information Commissioner's Office.
What is the most common reason FOI refusals fail?
Refusals tend to fail not because an exemption could never apply, but because the authority cannot evidence its reasoning — a qualified exemption applied without a documented public interest test, a "blanket" refusal across all material, or a search that cannot be demonstrated. The decision, not just the outcome, has to be defensible.
How do we make our FOI handling more defensible?
Treat FOI as a governance process, not an ad-hoc task: a clear intake-to-response workflow within the statutory deadline, exemption decisions mapped to the Act with recorded public-interest reasoning, auditable search protocols, and redaction that respects data protection obligations. The test is whether the Commissioner could follow your reasoning from your file alone.
