By Kieron JH
The Ministry of Justice is now telling some Freedom of Information requesters to upload a scan of their passport and a utility bill before it will even treat their FOI as valid.
Not for national security material. Just to ask ordinary questions the law already covers. You can read one of the MoJ’s template responses in full here: MoJ ID request response (PDF).
What FOI Actually Requires
Section 8 of the Freedom of Information Act 2000 says a valid request must:
- be in writing,
- state the name of the applicant, and
- give an address for correspondence.
That is it. No passport, no utility bill, no identity check as a precondition. You can read the wording yourself on legislation.gov.uk: FOIA 2000, section 8.
The phrase “real name” does not appear anywhere in FOIA, and it does not appear in the Data Protection Act either. Parliament never defined “real name” as a legal category. It is a label the ICO uses in guidance, for example in What makes a valid request and Recognising a request under FOIA, to mean a name that actually identifies a person, not a joke handle, not “exactly as printed on a passport plus verified address”.
Even WhatDoTheyKnow, which has to sit in the middle of all this, points out that “the law does not provide detailed guidance on exactly what counts as a real name” in its own privacy and anonymity guidance.
Turning that loose guidance phrase into “show us your passport and a utility bill or your request is not valid” is something the MoJ has chosen to do. It is not something the legislation told them to do.
What MoJ Is Doing Instead
In template letters sent via WhatDoTheyKnow, the MoJ Disclosure and Library Team says it is “unable at this time to confirm the validity” of requests because the requester may be using a pseudonym. It then demands:
- one piece of photo ID, such as a passport or driving licence, and
- a second document with name and address, such as a utility bill or bank statement.
Until you hand those over, your FOIs are not treated as valid at all.
This is framed as a reaction to “a volume of requests” and applied as a blanket policy. In practice it creates an identity gate in front of FOI that simply does not exist in the Act.
The WhatDoTheyKnow Problem
WhatDoTheyKnow is a public archive, that is the point. Requests and responses are published and searchable.
Asking people, in that setting, to upload:
- passport or driving licence scans, and
- recent utility bills, council tax bills or bank statements,
is reckless. Even if someone tries to send them “privately”, the risk of exposure is obvious.
None of this is required to answer the question “what recorded information do you hold about X”. It clashes directly with UK GDPR principles of data minimisation and necessity.
Why People Use Aliases On WDTK
Many users do not want their full legal identity permanently tied to every FOI they make. That includes:
- survivors of abuse,
- ex offenders or people with controversial cases,
- whistleblowers and frontline staff,
- disabled or neurodivergent people already under heavy scrutiny.
A stable alias on WhatDoTheyKnow can be basic self protection. Authorities still receive a name and a valid contact address. They can still answer. The law is satisfied.
Treating the use of a consistent alias as suspicious by default, then demanding passport level ID to “fix” it, punishes the people who have the most reason to be careful.
FOI Is Meant To Be Applicant Blind
FOI is supposed to ignore who you are and focus on what you are asking. Same question, same answer, whether you are a journalist, a prisoner, or a random citizen.
Once a department says “no passport, no validity”, applicant blind goes out of the window. Access to information is now conditional on handing over extra personal data that FOIA never asked for.
Putting The ICO On The Spot
I have taken this to the Information Commissioner, because this goes beyond one department being awkward with one requester. A central department is using ICO “real name” guidance to justify an ID gate on FOI.
The ICO now needs to answer some simple questions:
- Can a public authority run a blanket policy that FOIs are not valid unless the requester supplies passport ID and proof of address?
- Is that compatible with section 8 FOIA and with the ICO’s own guidance on valid requests and “real name”?
- Is it acceptable, from a UK GDPR perspective, to push people toward uploading identity documents to a public FOI platform?
If This Happens To You
If you get the same demand:
- Do not upload ID documents to WhatDoTheyKnow.
- State clearly that your request is valid under section 8 because it includes a name and an address for correspondence.
- Ask the authority to identify the specific legal or ICO basis for requiring passport level ID and a utility bill.
- Treat ongoing refusal as a refusal for FOI purposes and escalate to internal review, then the ICO.
- Tell WhatDoTheyKnow support, so they can see the pattern too.
Further Reading
- ICO Freedom of Information guidance hub
- WhatDoTheyKnow, privacy and anonymity guidance
- Recorder says “cannabis is illegal, full stop” and why that matters
- Ki-Ki and TRA, keeping this site free while raising the bar on security
This Is Not Just “One Difficult Requester”
Policies like this hit hardest the people who most need FOI, families seeking answers, whistleblowers, disabled people, ex offenders, anyone trying to hold a publicly funded body to account.
If the Ministry of Justice wants to turn FOI into an ID gated service, the regulator and the public have every right to push back.
If you have received similar responses from the MoJ or other departments, you can contact me at [email protected] with examples.
Be First to Comment