4.1.1 If information is the personal data of the person making the request, it will be exempt under Part (1) of section 40. In other words, if a request for information which constitutes personal data is received from the 'data subject', it is exempt from the FOI Act.
4.1.2 As explained above, if one particular item of information is the personal data of both the data subject and another individual this will still be exempt under Part (1) of this exemption. An example would be a request for what someone has said about the applicant - that would be data 'relating to' both the applicant and the other person. This has to be contrasted, as explained above, with a request for information about the applicant and information about someone else where the 'third party' data are not also the personal data of the applicant. An example of this would be a request for a department's records about the applicant and the applicant's family. In those cases, only the personal data of the applicant falls within section 40(1); the other personal data has to be considered separately under section 40(2).
4.1.3 It will be very rare that all the information sought in a request is exempt under Part (1) of section 40. This will usually only happen where the request is expressed in terms which clearly signal its identity as a subject access request within the terms of the DPA (for example, a request for "all my personal data", or for "everything I am entitled to under the DPA" or "my subject access rights"). A request, for example, for:
amounts to a request for information which may well include - but goes wider than - section 40(1) and must be treated as such.
4.1.4 Although information which falls within Part (1) of section 40 is exempt from the FOI Act, it must then be treated as a subject access request under section 7 of the DPA (provided it meets the requirements set out in section 7(2) and (3) of the DPA). Regard must be had to the relevant guidance on handling subject access requests under the DPA.
4.1.5 Section 40(1) constitutes an absolute exemption; the public interest test does not apply.
4.1.6 If information constitutes the personal data of the applicant, the duty to confirm or deny will also be excluded in respect of that information. The duty will be excluded even if confirmation or denial would not itself have disclosed personal data.
4.2.1 Part (2) of section 40 relates to information which constitutes the personal data of a third party (which is not at the same time the personal data of the applicant). In summary, the personal data of a third party will be exempt if its disclosure to a member of the public would:
Each of these categories is explained further below.
4.2.2 In determining whether information falls within category (i) or category (ii), no regard must be had to the FOI Act. This is the effect of the words "otherwise than under this Act" in section 40(3)(a): public authorities must assess the applicability of this part of section 40 as if the FOI Act did not exist.
4.2.3 In addition, no regard must be had to the identity of the person who has requested the information (other than to ascertain that they are not the data subject). Public authorities must assess the applicability of this part of section 40 as if they were disclosing the information to 'a member of the public' and not to the specific applicant.
4.2.4 The impact of both of these points is explained further below.
(i) Information whose disclosure would contravene any of the data protection principles.
4.2.5 If the information constitutes the personal data of a third party (that is, a person other than the applicant) and its disclosure to a member of the public would contravene one or more of the data protection principles, the information will be exempt under section 40(3)(a)(i) (or section 40(3)(b)), and the FOI Act request must be refused.
4.2.6 The data protection principles constitute an 8-point statutory code for the processing of personal data. They are set out in Part I of Schedule 1 to the DPA (see Annex A for a summary of the data protection principles). Public authorities must observe all of the data protection principles when processing personal data.
4.2.7 The principle which is most likely to be relevant to the disclosure of information under the FOI Act is the first principle. This requires information to be:
These particular aspects of the data protection principles are considered in more detail below. But possible breaches of other data protection principles should also be borne in mind. In particular, the disclosure of inaccurate personal data is likely to breach the fourth principle.
4.2.8 A disclosure will breach the requirement for "lawful" processing if it breaches a statutory provision or other legal principle. For example, if disclosure to a member of the public would constitute an actionable breach of a duty of confidentiality at common law or would contravene section 6 of the Human Rights Act 1998, it will be 'unlawful'. If a disclosure would be unlawful in this sense, another exemption from the FOI Act will often apply (see in particular the guidance on section 44) and public authorities must consider which exemption or exemptions it is most appropriate to cite in refusing the request. It will not usually be necessary to identify section 40(2) in this context, since contravention of the data protection principles adds little to the primary illegality.
4.2.9 If a public authority does not have the power, in a public law sense, to disclose the information to a member of the public then the disclosure of that information will be unlawful. In other words, if disclosure to a member of the public would be ultra vires then it would breach the first data protection principle and the information will be exempt under Part (2) of section 40. Whether or not a public authority has the vires to disclose information to a member of the public is a question of construing that body's public law powers. As the words "otherwise than under this Act" emphasise, no regard may be had to the FOI Act in determining whether or not a public authority has the power to disclose information to a member of the public; public authorities must ask whether, aside from under the FOI Act, they could lawfully disclose the information to a member of the public. If they would not have the power to disclose the information then the information will be exempt under Part (2) of section 40. (NB. A non-statutory government department has power to disclose information to a member of the public in the proper discharge of its duties. The position may be less clear in respect of public authorities which are statute-based or otherwise have limited vires.)
4.2.10 The concept of "fairness" is less concrete than "lawfulness" and depends on consideration of not only the circumstances surrounding the proposed disclosure of information but also the circumstances in which the information was obtained. The paragraphs below explain specific considerations which apply when considering the question of whether disclosure would be 'fair' for the purposes of the first data protection principle. However, in summary, the following factors may be relevant:
4.2.11 Part II of Schedule 1 to the DPA sets out binding guidance on the interpretation of this principle: data controllers must provide certain information to data subjects and must have regard to whether the person from whom the data are obtained has been deceived or misled as to the purposes for which their data are to be processed.
4.2.12 There will be circumstances where the disclosure of information in response to a particular person who has made an FOI Act request would not be 'unfair processing' due to the identity of that person and their motive for the request. However, to apply section 40, public authorities must not ask whether disclosure to the applicant would be unfair but whether disclosure to a member of the public would be unfair. If disclosure to a member of the public would be unfair, the information will be exempt. (NB. Disclosure to a member of the public is different from disclosure to the public at large; the test requires you to think about disclosure to an individual, albeit one without any special characteristics, rather than general publication.)
4.2.13 No regard can be had to the FOI Act when determining whether disclosure to a member of the public would be fair. The fact that, when a person provided information to a public authority, they were aware of the legal potential for disclosure under the FOI Act is irrelevant. The question of fairness of a disclosure must be addressed as if the FOI Act did not exist.
4.2.14 If disclosure of the information to a member of the public would not meet one of the conditions in Schedules 2 and (where relevant) 3 of the DPA, its disclosure will automatically breach the first data protection principle and the information will be exempt under section 40(2) (see Annex B for a full list of the conditions in Schedules 2 and 3). These conditions are, however, minimum requirements. Even if a condition is met, the processing may still be 'unfair' and in breach of the first data protection principle.
4.2.15 One of the conditions in Schedule 2 to the DPA must be met in the case of every disclosure; if no condition can be met, a disclosure will automatically breach the data protection principles and section 40(2) of the FOI Act will apply. In addition, a condition in Schedule 3 must also be satisfied in the case of a disclosure of "sensitive personal data" (see Annex A for an explanation of this category). The conditions which are most likely to be met by disclosure by a public authority to a member of the public are considered below.
4.2.16 Again, no regard may be had to the FOI Act when considering whether disclosure would meet one of these conditions, and public authorities must assess whether disclosure to a member of the public would meet one of them; the fact that disclosure to the particular applicant would meet one of these conditions is irrelevant.
4.2.17 Paragraph 5 of Schedule 2 to the DPA provides for a disclosure to be potentially fair if it is necessary "for the exercise of any functions of the Crown, a Minister of the Crown or a government department" or "for the exercise of any... functions of a public nature exercised in the public interest by any person". So far as Schedule 3 is concerned, a disclosure of sensitive personal data will be potentially 'fair' if it is "necessary for the exercise of any functions of the Crown, a Minister of the Crown or a government department". If the test of "lawfulness" is met (see paragraphs 4.2.8 and 4.2.9), then this condition is liable also to be met: to the extent that the disclosure of information to a member of the public would represent a lawful discharge of the public authority's duties, such disclosure is liable also to be "necessary" for the exercise of its "functions".
4.2.18 Paragraph 6 of Schedule 2 to the DPA also provides for a 'condition' that the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. But there is no provision corresponding to this in Schedule 3.
4.2.19 Each case must be considered on its merits, but there is no particular reason to think that these conditions will be difficult to satisfy in the case of requests for information from the public to central government. That being so, a disclosure of the personal data of a third party is more likely to breach the first data protection principle - and therefore engage section 40(2) of the FOI Act - on the grounds of 'unfairness' at large, rather than on the grounds that the disclosure fails to meet one of the conditions in Schedule 2 and, where necessary, Schedule 3.
4.2.20 The position may be less clear for public authorities which are statute-based or otherwise have limited vires. In these circumstances, the 'conditions' for fair processing will have to be applied to the particular circumstances of any individual request for information.
4.2.21 In order to apply this part of section 40, careful regard must be had not only to the detailed requirements of the data protection principles but also to the exemptions from those principles which are contained in Part IV of the DPA. If the disclosure of information would be exempt from one of the data protection principles, its disclosure to a member of the public would not breach that principle and the FOI Act exemption at section 40(2) will not apply.
4.2.22 Although some of the DPA exemptions protect similar interests to the FOI Act exemptions there are some very important differences. The exemptions in Part IV of the DPA only exempt information from certain aspects of the DPA: some exemptions deal with the subject access provisions, others only with certain of the data protection principles. If it appears that disclosure would breach one or more of the principles within the meaning of Part (2) of section 40, careful regard must be had not only to whether an exemption applies but also to whether that exemption applies to the specific principle or principles that would otherwise be breached. If there is any doubt over whether an exemption from any of the data protection principles applies, advice should be sought.
4.2.23 In the special case of "category (e) data", considered below, different rules about exemption from the data protection principles apply.
4.2.24 As explained above, section 40(3)(a) exempts personal data whose disclosure to a member of the public, otherwise than under the FOI Act, would breach any of the data protection principles. But there is a class of personal data to which the majority of the data protection principles do not apply. This is the data falling within the new paragraph (e) of the definition of "data" in section 1(1) of the DPA, which was added by Part VII of the FOI Act. This is explained more fully in Annex A, but "category (e) data" is basically unstructured 'manual data' held by a public authority. This kind of personal data is quite likely to be incidentally involved in requests for information.
4.2.25 By virtue of section 33A of the DPA, wide, additional exemptions from the data protection principles are provided in respect of this personal data. However, section 40(3)(b) of the FOI Act provides that, for the purposes of disclosure of personal data of a third party, the position in respect of category (e) data is to be the same as for other personal data: a public authority must consider whether, if there were no special exemptions for category (e) data, their disclosure would breach the principles. Section 40(5)(b)(i) has the same effect in respect of the duty to confirm whether information is held: when determining whether confirmation or denial would contravene any of the data protection principles, category (e) data are to be treated as if there were no special exemptions from the data protection principles.
4.2.26 In other words, for the purpose of considering whether to disclose the personal data of a third party in response to a request for information, all categories of personal data are to be treated equally for the purposes of considering whether disclosure would breach one of the data protection principles. The principles are subject to exemptions in all cases - but not to the 'special exemptions' for category (e) data.
4.2.27 The exemption from the duty to disclose personal data where to do so would breach a data protection principle is an absolute exemption; the public interest test in section 2 of the FOI Act does not apply.
4.2.28 If confirming or denying that information is held would itself contravene any of the data protection principles then the duty to confirm or deny will be excluded. The exclusion of the duty to confirm or deny is subject to the public interest test: even if confirming or denying would breach any of the principles, that exclusion may only be maintained if the public interest in its maintenance outweighs the public interest in confirmation or denial.
4.2.29 Having said that, however, the DPA enacts an EC Directive and ensures that the privacy of individuals is protected; the data protection principles are the principal mechanism for securing this protection. Section 44 provides an exemption for information whose disclosure is prohibited by or under an enactment or by European law: if confirmation or denial would breach one of the principles then it would breach the DPA and the duty to confirm or deny would be excluded under section 44.
4.2.30 If the duty to confirm or deny is excluded, there is no need to go on to consider exemption from the duty to provide the information under section 1(1)(b).
(ii) Information whose disclosure would breach section 10 of the DPA
4.2.31 As explained in Annex A, if a public authority data controller has received a notice under section 10 of the DPA which requires it to cease or not to begin processing any of that person's personal data on the grounds that the processing would cause or be likely to cause substantial and unwarranted damage or distress to him or another, it is obliged to comply with that notice if it is valid.
4.2.32 If a public authority data controller has received a notice which, perhaps amongst other things, requires it not to disclose particular items of personal data to a member of the public (or at all), and that public authority does not challenge the justifiability of that notice, those personal data will be exempt from disclosure under the FOI Act by virtue of section 40(3)(a)(ii).
4.2.33 The public interest test applies to this part of section 40: if disclosure would breach section 10 of the DPA, it is necessary to ask whether, in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosure. The fact that the data controller has received notification that the disclosure of this information to a member of the public is likely to cause substantial and unwarranted damage or distress will attract considerable weight. A particularly strong public interest in favour of disclosure will usually be required if the public interest in maintaining this exemption is to be outweighed (see also the general paragraph above on 'the public interest').
4.2.34 If a public authority receives a request for information which constitutes personal data in relation to which it has received a notice under section 10 of the DPA, the questions to be asked are:
If so, the information must not be disclosed.
4.2.35 The duty to confirm or deny is excluded if confirmation or denial that the information is held would itself contravene a notice received under section 10 of the DPA. The public interest balancing test applies to this exclusion: the public authority must consider whether, in all the circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in complying with the duty. Similar considerations apply to the exclusion of the duty to confirm or deny as to the exemption from the duty to provide information (see also paragraphs 2.6 and 2.7 on 'the public interest' generally).
4.2.36 If the duty to confirm or deny is excluded, there is no need to go on to consider exemption from the duty to communicate the information to the applicant under section 1(1)(b).
4.2.37 In respect of the duty to provide information under the FOI Act, there is no exemption for category (e) data (unstructured manual data held by a public authority) whose disclosure would breach section 10 of the DPA. There is no possibility of a disclosure of those data being in breach of section 10; they are exempt from section 10 of the DPA by virtue of section 33A of that Act.
4.2.38 But in relation to the duty to confirm or deny whether information is held, category (e) data are to be treated in the same way as the other categories of data, that is, they are to be treated as if section 10 did apply; if confirmation or denial in respect of category (e) data would breach section 10, the duty to confirm or deny will be excluded. In the same way as for data falling within categories (a) to (d), this exclusion is subject to the public interest balancing test. On the face of it, this 'notional' application of section 10 of the DPA is likely to have little effect, since section 10 cannot be breached otherwise than in the context of a very practical sequence of steps about which it is hard to hypothesise.
(iii) Information which would be exempt from the right of subject access created by section 7(1)(c) of the DPA by virtue of any of the provisions of Part IV of that Act.
4.2.39 As explained above and in Annex A to this Chapter, the DPA includes a right of access for individuals to their own personal data. The DPA includes a number of exemptions from that right of access (the exemptions are contained in Part IV of the DPA). If a request is received for the personal data of a third party, that is, for information which is personal data of a person other than the applicant, then that information will not be disclosable under the FOI Act if the subject of those data could not access it under the DPA because of one of the DPA exemptions. As explained, the exemptions from the DPA right of access differ significantly from the FOI Act exemptions.
4.2.40 The DPA subject access exemptions protect a range of interests in the non-disclosure of personal data which are incompatible with the data subject's right of access. If a data subject himself would not be able to access the information by way of a subject access request, because of a DPA subject access exemption, the information will not be available to anyone else under the FOI Act right of access (section 40(3)(b)). Section 40 thereby ensures that the right of access to information under the FOI Act does not jeopardise the interests protected by the DPA exemptions.
4.2.41 By way of example, paragraph 1 of Schedule 7 to the DPA [footnote 1] provides an exemption from the subject access provisions for personal data which consist of 'a reference given or to be given in confidence by the data controller for the purposes of....the education, training or employment, or prospective education, training or employment, of the data subject'. If "A", a public authority and the former employer of person X, gave a confidential reference to person "B", who was considering whether or not to employ X, person X would not be entitled to access any of his personal data contained in that reference by way of a subject access request to A: that information is excluded from the right of subject access by paragraph 1 of Schedule 7. To turn to the consequences of this for the FOI Act: if person Y requests, from authority A, access to the personal data of X which are contained in that reference, that information will be exempt under section 40, as X himself, the data subject, could not have obtained the personal data due to their being exempt from section 7(1)(c) of the DPA.
4.2.42 This part of section 40 is subject to the public interest test: a public authority can only maintain the exemption if, in all the circumstances of the case, the public interest in favour of maintaining this exemption outweighs the public interest in disclosure. In addition to the general factors referred to in paragraphs 2.6 and 2.7 above, it will also be necessary to ascertain the interest which is protected by the exemption from the right of subject access in Part IV of the DPA and have regard to the extent to which that interest needs to be protected by maintaining this exemption under Part (2) of section 40.
4.2.43 As explained above, section 7(1)(a) of the DPA includes a right for data subjects to be informed by a data controller whether that data controller is processing personal data of which that individual is the subject. This roughly correlates to the FOI Act duty to confirm or deny. If the subject of personal data would not be entitled to be informed by the data controller whether that data subject's data were being processed (because those data would be exempt from that right by virtue of an exemption in Part IV) then that information will be exempt from the FOI Act duty to confirm or deny. This exclusion of the duty to confirm or deny is subject to the public interest test.
4.2.44 This exemption applies to category (e) data in the same way as data which fall within categories (a) to (d) of the definition.