United Kingdom · FOIA & UK GDPR

FOI requests and subject access, on one ICO-aligned platform

AccessPoint runs Freedom of Information Act requests and UK GDPR data subject access requests together — the 20-working-day and one-month clocks, the ICO's oversight, breach notification, and DPIAs — inside your own Microsoft 365 tenant.

United Kingdom at a glance

FOI response deadline
20 working days (FOIA section 10)
DSAR response deadline
One month, extendable by two further months for complex or numerous requests
Fees
No fee for standard FOI requests; the section 12 cost limit is £600 (central government) or £450 (other authorities); first DSAR copy free
Breach notification
To the ICO within 72 hours where feasible (Article 33 UK GDPR)
Impact assessments
DPIA required for high-risk processing (Article 35 UK GDPR)
Oversight
Information Commissioner's Office (ICO); FOIA appeals to the First-tier Tribunal
Languages
English, with Welsh and other languages configurable

Built for United Kingdom

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

FOIA request lifecycle

Intake to disclosure on the 20-working-day clock, with the absolute and qualified exemptions, the public-interest test, section 12 cost limits, and Tribunal-ready records, all on Microsoft 365.

UK GDPR subject access

Run DSARs on the one-month clock with the two-month extension, identity verification, exemptions, and third-party redaction — beside your FOI requests, not in a separate system.

72-hour breach notification

Log a personal data breach, assess the risk to rights and freedoms, and get a live checklist of what must reach the ICO within 72 hours and the individuals affected.

DPIAs and records of processing

Run Article 35 DPIAs for high-risk processing and keep the Article 30 record of processing, on the same assessment engine, with a defensible export.

ICO and Tribunal

Track complaints to the ICO and FOIA appeals to the First-tier Tribunal, each with its own clock, an investigation workspace, and a guided disposition.

In your own tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud and no offshore processing.

One office, two duties, one platform

Most UK public bodies answer to the ICO for both FOI and data protection. AccessPoint runs them together.

A council or department fields Freedom of Information requests on a 20-working-day clock and data subject access requests on a one-month clock — two regimes, one regulator. Running them in separate tools means two inboxes, two audit trails, and two ways to miss a deadline. AccessPoint puts FOI requests, DSARs, breach notification, and DPIAs on one platform in your own tenant, aligned to the ICO, so the whole information-rights mandate lives in one system. The Data (Use and Access) Act 2025 is now reforming the framework — including a codified 'stop-the-clock' where a controller reasonably needs clarification or to verify identity — and AccessPoint tracks those changes as they commence.

FOIA, 20 working days The full exemption catalogue and the public-interest test, Tribunal-ready.
DSAR, one month Access and rectification with third-party redaction and the extension rule.
ICO-aligned Decision-notice, enforcement, and breach workflows mapped to the regulator.

Configured out of the box

Installing the uk-dpa-foia configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • FOIA 2000 and the UK GDPR / DPA 2018 as the legal-authority spine
  • The 20-working-day FOI clock and the one-month DSAR clock, on UK working-day calendars
  • The FOIA exemption catalogue — absolute and qualified — with the public-interest test
  • Section 12 cost-limit handling (£600 / £450) and fee notices
  • Data-subject request types — access, rectification, erasure, restriction, portability
  • Article 33 and 34 breach-notification rules for the ICO on the 72-hour clock
  • Article 35 DPIA questionnaires and the Article 30 ROPA register
  • ICO complaint and First-tier Tribunal appeal grounds and dispositions
  • Data (Use and Access) Act 2025 reforms tracked as they commence

United Kingdom Questions

Does AccessPoint cover both FOIA and UK GDPR requests?

Yes. One UK configuration ships both — FOIA 2000 requests on the 20-working-day clock and UK GDPR data subject access requests on the one-month clock — with their exemptions, the section 12 cost limit, and the ICO's complaint and appeal routes reflected in the workflows.

How does it handle the ICO and the Tribunal?

AccessPoint's complaints and appeals module tracks complaints to the Information Commissioner's Office and FOIA appeals to the First-tier Tribunal (General Regulatory Chamber), each with its own statutory clock, an investigation workspace, and a guided disposition that records the outcome.

Does it reflect the Data (Use and Access) Act 2025?

Yes. The DUAA received Royal Assent on 19 June 2025 and reforms UK data protection in phases through 2025 and 2026 — including a codified 'stop-the-clock' where a controller reasonably needs clarification or to verify identity, and the ICO's transition to the Information Commission. AccessPoint reflects these changes as they commence.

Where does UK data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, documents, assessments, and audit history never leave your control — no third-party cloud, no vendor access, and no offshore processing.

Run FOI and Subject Access in One Platform

Try AccessPoint free for 30 days, pre-configured for the United Kingdom. No credit card required.

Start Free Trial