At a glance 

The Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.

Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely to arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.

There is also an exemption for personal data if releasing it would be contrary to the UK General Data Protection Regulation (the UK GDPR) or the Data Protection Act 2018 (the DPA 2018).

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require you to apply a public interest test. This means you must consider the public interest arguments before deciding whether to disclose the information. So you may have to disclose information in spite of an exemption, where it is in the public interest to do so.

In brief

When can we withhold information under an exemption?

Exemptions exist to protect information that should not be disclosed, for example because disclosing it would be harmful to another person or it would be against the public interest.

The exemptions in Part II of the Freedom of Information Act apply to information. This may mean that you can only apply an exemption to part of the information requested, or that you may need to apply different exemptions to different sections of a document.

You do not have to apply an exemption. However, you must ensure that in choosing to release information that may be exempt, you do not disclose information in breach of some other law, such as disclosing personal information in contravention of the UK GDPR or the DPA 2018. Nor do you have to identify all the exemptions that may apply to the same information, if you are content that one applies.

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but are ‘qualified’. This means that before deciding whether to withhold information under an exemption, you must consider the public interest arguments. This balancing exercise is usually called the public interest test (PIT). The Act requires you to disclose information unless there is good reason not to, so the exemption can only be maintained (upheld) if the public interest in doing so outweighs the public interest in disclosure.

Example
The BBC received a request for two contracts relating to licence fee collection. The Commissioner accepted that some of the information in the contracts was commercially sensitive and it was likely that it would prejudice the BBC’s commercial interests. However, this was not significant enough to outweigh the need for the BBC to be accountable for its use of public money, as well as the importance of informing an ongoing consultation about the licence fee.

(ICO decision notice FS50296349)

In this case, even though the information fell within an exemption, the public interest favoured disclosure.

You can have extra time to consider the public interest. However, you must still contact the requester within the standard time for compliance to let them know you are claiming a time extension.

When can we use an exemption to refuse to say whether we have the information?

In some cases, even confirming that information is or is not held may be sensitive. In these cases, you may be able to give a ‘neither confirm nor deny’ (NCND) response.

Whether you need to give a NCND response should usually depend on how the request is worded, not on whether you hold the information. You should apply the NCND response consistently, in any case where either confirming or denying could be harmful.

Example
“Please could you send me the investigation file relating to the murder committed at 23 Any Street on 12 January 2011?”

In this case, assuming the murder was publicly reported, the police could confirm that they held some information on the topic, without giving the contents.

“Please could you send me any information you have linking Mr Joe Bloggs to the murder committed at 23 Any Street on 12 January 2011”

In this case the police do not confirm whether they hold any such information. If they do have information, this could tip off a suspect, and may be unfair to Mr Bloggs. If they don’t have the information, this could also be valuable information for the murderer. So the police would give the same response, whether or not they hold any such information.

Unless otherwise specified, all the exemptions below also give you the option to claim an exclusion from the duty to confirm or deny whether information is held, in appropriate cases.

If you think you may need to claim an exclusion from the duty to confirm or deny whether you hold information, then you will need to consider this duty separately from the duty to provide information. You will need to do this both:

  • when you decide whether an exemption applies; and
  • when you apply the public interest test.

If it would be damaging to even confirm or deny if information is held, then you must issue a refusal notice explaining this to the requester. In this situation we would not expect you to go on to address the separate question of whether any information that is held should be disclosed, at this stage. You will need to do this only if the requester successfully appeals against your NCND response and you do actually hold some information.

However, if you decide that you are willing to confirm or deny whether information is held, and you do in fact hold some information, then you will need to immediately go on to consider whether that information should be disclosed.

What exemptions are there?

Some exemptions apply only to a particular category or class of information, such as information held for criminal investigations or relating to correspondence with the royal family. These are called class-based exemptions.

Some exemptions require you to judge whether disclosure may cause a specific type of harm, for instance, endangering health and safety, prejudicing law enforcement, or prejudicing someone’s commercial interests. These are called prejudice-based exemptions.

This distinction between ‘class-based’ and ‘prejudice-based’ is not in the wording of the Act but many people find it a useful way of thinking about the exemptions.

The Act also often refers to other legislation or common law principles, such as confidentiality, legal professional privilege, or data protection. In many cases, you may need to apply some kind of legal ‘test’ - it is not as straightforward as identifying that information fits a specific description. It is important to read the full wording of any exemption, and if necessary consult our guidance, before trying to rely on it.

The exemptions can be found in Part II of the Act, at sections 21 to 44.

Can we withhold information about people who have died?

The UK GDPR and the DPA 2018 do not cover information about people who have died, so you cannot rely on a section 40 exemption to withhold this type of information.

This may be a particular issue if you are a public authority that holds sensitive information such as health or social care records. Where you receive a request for this kind of information about someone who has died, the most appropriate exemption is likely to be section 41 (confidentiality). This is because the information would originally have been provided to a healthcare practitioner or social worker in confidence, and we consider this duty of confidentiality to extend beyond death.

Information about people who have died is likely to be covered by an exemption, because the Freedom of Information Act is about disclosure ‘to the world’ and it would often be inappropriate to make this type of information public. However, some requesters may have rights that allow them personally to access the information. For instance, the Access to Health Records Act 1990 gives the personal representative of the deceased (eg the executor of their will) the right to access their medical records. If you receive a request from someone who has the right to access the records in this way, you can refuse the request under section 21 (reasonably accessible) and handle the request under the Access to Health Records Act.

Is there anything else we need to know about exemptions?

Certain exemptions do not apply to historical records. A historical record is one over 20 years old. Other exemptions expire after 60 or 100 years. A full list of these can be found in section 63 of the Act.

When deciding whether or not an exemption applies, you will usually need to consider what information is already in the public domain. If the requested information or similar information is already publicly available, then this may affect:

  • whether the requested disclosure will still cause prejudice;
  • whether the test for applying a class-based exemption is still met;
  • where the balance of the public interest lies.

These will be important considerations in many cases.
