The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

When can we refuse a request for information?

When can we refuse a request for information?

In brief

A requester may ask for any information that is held by a public authority. However, this does not mean you are always obliged to provide the information. In some cases, there will be a good reason why you should not make public some or all of the information requested.

You can refuse an entire request under the following circumstances:

  • It would cost too much or take too much staff time to deal with the request.
  • The request is vexatious.
  • The request repeats a previous request from the same person.

In addition, the Freedom of Information Act contains a number of exemptions that allow you to withhold information from a requester. In some cases it will allow you to refuse to confirm or deny whether you hold information.

Some exemptions relate to a particular type of information, for instance, information relating to government policy. Other exemptions are based on the harm that would arise or would be likely arise from disclosure, for example, if disclosure would be likely to prejudice a criminal investigation or prejudice someone’s commercial interests.

There is also an exemption for personal data if releasing it would be contrary to the Data Protection Act.

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. This may be, for example, information you receive from the security services, which is covered by an absolute exemption. However, most exemptions are not absolute but require you to apply a public interest test. This means you must consider the public interest arguments before deciding whether to disclose the information. So you may have to disclose information in spite of an exemption, where it is in the public interest to do so.

If you are refusing all or any part of a request, you must send the requester a written refusal notice. You will need to issue a refusal notice if you are either refusing to say whether you hold information at all, or confirming that information is held but refusing to release it.

In more detail


When can we refuse a request on the grounds of cost?

The Act recognises that freedom of information requests are not the only demand on the resources of a public authority. They should not be allowed to cause a drain on your time, energy and finances to the extent that they negatively affect your normal public functions.

Currently, the cost limit for complying with a request or a linked series of requests from the same person or group is set at £600 for central government, Parliament and the armed forces and £450 for all other public authorities. You can refuse a request if you estimate that the cost of compliance would exceed this limit. This provision is found at section 12 of the Act.

You can refuse a request if deciding whether you hold the information would mean you exceed the cost limit, for example, because it would require an extensive search in a number of locations. Otherwise, you should say whether you hold the information, even if you cannot provide the information itself under the cost ceiling.

When calculating the costs of complying, you can aggregate (total) the costs of all related requests you receive within 60 days from the same person or from people who seem to be working together.

How do we work out whether the cost limit would be exceeded?

You are only required to estimate whether the limit would be exceeded. You do not have to do the work covered by the estimate before deciding to refuse the request. However, the estimate must be reasonable and must follow the rules in the Freedom of Information (Appropriate Limit and Fees) Regulations 2004.

When estimating the cost of compliance, you can only take into account the cost of the following activities:

  • determining whether you hold the information;
  • finding the requested information, or records containing the information;
  • retrieving the information or records; and
  • extracting the requested information from records.

The biggest cost is likely to be staff time. You should rate staff time at £25 per person per hour, regardless of who does the work, including external contractors. This means a limit of 18 or 24 staff hours, depending on whether the £450 or £600 limit applies to your public authority.

You cannot take into account the time you are likely to need to decide whether exemptions apply, to redact (edit out) exempt information, or to carry out the public interest test.

However, if the cost and resources required to review and remove any exempt information are likely to be so great as to place the organisation under a grossly obsessive burden then you may be able to consider the request under Section 14 instead. (vexatious requests).

Please see 'Dealing with vexatious requests' for further details about refusing requests which impose a grossly oppressive burden.

Note that although fees and the appropriate limit are both laid down in the same Regulations, the two things must not be confused:

  • The cost of compliance and the appropriate limit relate to when a request can be refused.
  • The fees are what you can charge when information is disclosed.

See What should we do when we receive a request? for the rules on charging a fee.

For further information, read our more detailed guidance:

What if we think complying with the request would exceed the cost limit?

If you wish to use section 12 (cost limit) of the Act as grounds for refusing the request, you should send the requester a written refusal notice. This should state that complying with their request would exceed the appropriate cost limit. However, you should still say whether you hold the information, unless finding this out would in itself incur costs over the limit.

There is no official requirement for you to include an estimate of the costs in the refusal notice. However, you must give the requester reasonable advice and assistance to refine (change or narrow) their request. This will generally involve explaining why the limit would be exceeded and what information, if any, may be available within the limits.

Example
“You have asked for all the details of expenses claims made for food or drink between 1995 and 2010.

No forms have been kept for the period before 1999. Between 1999 and 2006, these forms were submitted manually and are not stored separately or sorted by type of expenditure but are filed in date order along with other invoices and bills. We estimate that we have at least 10,000 items in these boxes, and we would have to look at every page to identify the relevant information. Even at 10 seconds an item, this would amount to more than 27 hours of work.

However, records since 2007 are kept electronically and we could provide these to you.”

You should not:

  • give the requester part of the information requested, without giving them the chance to say which part they would prefer to receive;
  • fail to let the requester know why you think you cannot provide the information within the cost limit;
  • advise the requester on the wording of a narrower request but then refuse that request on the same basis; or
  • tell the requester to narrow down their request without explaining what parts of their request take your costs over the limit. A more specific request may sometimes take just as long to answer. For instance, in the example above, if the requester had later asked only for expenses claims relating to hotel room service, this would also have meant searching all the records.

If the requester refines their request appropriately, you should then deal with this as a new request. The time for you to comply with the new request should start on the working day after the date you receive it.

If the requester does not want to refine their request, but instead asks you to search for information up to the costs limit, you can do this if you wish, but the Act does not require you to do so.

Can we charge extra if complying with a request exceeds the cost limit

Yes, if complying with a request would cost you more than the £450 or £600 limit, you can refuse it outright or do the work for an extra charge.

If you choose to comply with a request costing over £450 or £600, you can charge:

  • the cost of compliance (the costs allowed in calculating whether the appropriate limit is exceeded); plus
  • the communication costs (see What should we do when we receive a request?); plus
  • £25 an hour for staff time taken for printing, copying or sending the information.

You should not do this work without getting written agreement from the requester that they will pay the extra costs. You should also give the requester the option of refining their request rather than paying extra. The ‘time for compliance’ clock is paused in these circumstances, until you receive payment.

For further information, read our more detailed guidance:

When can we refuse a request as vexatious?

As a general rule, you should not take into account the identity or intentions of a requester when considering whether to comply with a request for information. You cannot refuse a request simply because it does not seem to be of much value. However, a minority of requesters may sometimes abuse their rights under the Freedom of Information Act, which can threaten to undermine the credibility of the freedom of information system and divert resources away from more deserving requests and other public business.

You can refuse to comply with a request that is vexatious. If so, you do not have to comply with any part of it, or even confirm or deny whether you hold information. When assessing whether a request is vexatious, the Act permits you to take into account the context and history of a request, including the identity of the requester and your previous contact with them. The decision to refuse a request often follows a long series of requests and correspondence.

The key question to ask yourself is whether the request is likely to cause a disproportionate or unjustifiable level of distress, disruption or irritation.

Bear in mind that it is the request that is considered vexatious, not the requester. If after refusing a request as vexatious you receive a subsequent request from the same person, you can refuse it only if it also meets the criteria for being vexatious.

You should be prepared to find a request vexatious in legitimate circumstances, but you should exercise care when refusing someone’s rights in this way.

For further information, read our more detailed guidance:

When can we refuse a request because it is repeated?

You can refuse requests if they are repeated, whether or not they are also vexatious. You can normally refuse to comply with a request if it is identical or substantially similar to one you previously complied with from the same requester. You cannot refuse a request from the same requester just because it is for information on a related topic. You can do so only when there is a complete or substantial overlap between the two sets of information.

You cannot refuse a request as repeated once a reasonable period has passed. The reasonable period is not set down in law but depends on the circumstances, including, for example, how often the information you hold changes.

Example
"Please could you send me the latest copy of your register of interests? You kindly sent me a copy of this two years ago but I assume it may have been updated since then. Also I no longer have the copy you sent previously.”

This request is not repeated because a reasonable period has elapsed.

What if we want to refuse a request as vexatious or repeated?

You should send the requester a written refusal notice. If the request is vexatious or repeated, you need only state that this is your decision; you do not need to explain it further. However, you should keep a record of the reasons for your decision so that you can justify it to the Information Commissioner’s Office if a complaint is made.

If you are receiving vexatious or repeated requests from the same person, you can send a single refusal notice to the applicant, stating that you have found their requests to be vexatious or repeated (as appropriate) and that you will not send a written refusal in response to any further vexatious or repeated requests.

This does not mean you can ignore all future requests from this person. For example, a future request could be about a completely different topic, or have a valid purpose. You must consider whether the request is vexatious or repeated in each case.

For further information, read our more detailed guidance:

When can we withhold information under an exemption?

Exemptions exist to protect information that should not be disclosed, for example because disclosing it would be harmful to another person or it would be against the public interest.

The exemptions in Part II of the Freedom of Information Act apply to information. This may mean that you can only apply an exemption to part of the information requested, or that you may need to apply different exemptions to different sections of a document.

You do not have to apply an exemption. However, you must ensure that in choosing to release information that may be exempt, you do not disclose information in breach of some other law, such as disclosing personal information in breach of the Data Protection Act. Nor do you have to identify all the exemptions that may apply to the same information, if you are content that one applies.

You can automatically withhold information because an exemption applies only if the exemption is ‘absolute’. However, most exemptions are not absolute but are ‘qualified’. This means that before deciding whether to withhold information under an exemption, you must consider the public interest arguments. This balancing exercise is usually called the public interest test (PIT). The Act requires you to disclose information unless there is good reason not to, so the exemption can only be maintained (upheld) if the public interest in doing so outweighs the public interest in disclosure.

Example
The BBC received a request for two contracts relating to licence fee collection. The Commissioner accepted that some of the information in the contracts was commercially sensitive and it was likely that it would prejudice the BBC’s commercial interests. However, this was not significant enough to outweigh the need for the BBC to be accountable for its use of public money, as well as the importance of informing an ongoing consultation about the licence fee.

(ICO decision notice FS50296349)

In this case, even though the information fell within an exemption, the public interest favoured disclosure.

You can have extra time to consider the public interest. However, you must still contact the requester within the standard time for compliance to let them know you are claiming a time extension.

When can we use an exemption to refuse to say whether we have the information?

In some cases, even confirming that information is or is not held may be sensitive. In these cases, you may be able to give a ‘neither confirm nor deny’ (NCND) response.

Whether you need to give a NCND response should usually depend on how the request is worded, not on whether you hold the information. You should apply the NCND response consistently, in any case where either confirming or denying could be harmful.

Example
“Please could you send me the investigation file relating to the murder committed at 23 Any Street on 12 January 2011?”

In this case, assuming the murder was publicly reported, the police could confirm that they held some information on the topic, without giving the contents.

“Please could you send me any information you have linking Mr Joe Bloggs to the murder committed at 23 Any Street on 12 January 2011”

In this case the police do not confirm whether they hold any such information. If they do have information, this could tip off a suspect, and may be unfair to Mr Bloggs. If they don’t have the information, this could also be valuable information for the murderer. So the police would give the same response, whether or not they hold any such information.

Unless otherwise specified, all the exemptions below also give you the option to claim an exclusion from the duty to confirm or deny whether information is held, in appropriate cases.

If you think you may need to claim an exclusion from the duty to confirm or deny whether you hold information, then you will need to consider this duty separately from the duty to provide information. You will need to do this both:

  • when you decide whether an exemption applies; and
  • when you apply the public interest test.

If it would be damaging to even confirm or deny if information is held, then you must issue a refusal notice explaining this to the requester. In this situation we would not expect you to go on to address the separate question of whether any information that is held should be disclosed, at this stage. You will need to do this only if the requester successfully appeals against your NCND response and you do actually hold some information.

However, if you decide that you are willing to confirm or deny whether information is held, and you do in fact hold some information, then you will need to immediately go on to consider whether that information should be disclosed.

For further information, read our more detailed guidance:

What exemptions are there?

Some exemptions apply only to a particular category or class of information, such as information held for criminal investigations or relating to correspondence with the royal family. These are called class-based exemptions.

Some exemptions require you to judge whether disclosure may cause a specific type of harm, for instance, endangering health and safety, prejudicing law enforcement, or prejudicing someone’s commercial interests. These are called prejudice-based exemptions.

This distinction between ‘class-based’ and ‘prejudice-based’ is not in the wording of the Act but many people find it a useful way of thinking about the exemptions.

The Act also often refers to other legislation or common law principles, such as confidentiality, legal professional privilege, or data protection. In many cases, you may need to apply some kind of legal ‘test’ - it is not as straightforward as identifying that information fits a specific description. It is important to read the full wording of any exemption, and if necessary consult our guidance, before trying to rely on it.

The exemptions can be found in Part II of the Act, at sections 21 to 44.

What is ‘prejudice’ and how do we decide whether disclosure would cause this?

For the purposes of the Act, ‘prejudice’ means causing harm in some way. Many of the exemptions listed below apply if disclosing the information you hold would harm the interests covered by the exemption. In the same way, confirming or denying whether you have the information can also cause prejudice. Deciding whether disclosure would cause prejudice is called the prejudice test.

To decide whether disclosure (or confirmation/denial) would cause prejudice:

  • you must be able to identify a negative consequence of the disclosure (or confirmation/denial), and this negative consequence must be significant (more than trivial);
  • you must be able to show a link between the disclosure (or confirmation/denial) and the negative consequences, showing how one would cause the other; and
  • there must be at least a real possibility of the negative consequences happening, even if you can’t say it is more likely than not.

For further information, read our more detailed guidance:

Section 21 – information already reasonably accessible

This exemption applies if the information requested is already accessible to the requester. You could apply this if you know that the requester already has the information, or if it is already in the public domain. For this exemption, you will need to take into account any information the requester gives you about their circumstances. For example, if information is available to view in a public library in Southampton, it may be reasonably accessible to a local resident but not to somebody living in Glasgow. Similarly, an elderly or infirm requester may tell you they don’t have access to the internet at home and find it difficult to go to their local library, so information available only over the internet would not be reasonably accessible to them.

When applying this exemption, you have a duty to confirm or deny whether you hold the information, even if you are not going to provide it. You should also tell the requester where they can get it.

This exemption is absolute, so you do not need to apply the public interest test.

For further information, read our more detailed guidance:

Section 22 – information intended for future publication

This exemption applies if, when you receive a request for information, you are preparing the material and definitely intend to publish it and it is reasonable not to disclose it until then. You do not need to have identified a publication date. This exemption does not necessarily apply to all draft materials or background research. It will only apply to the material you intend to publish.

You do not have to confirm whether you hold the information requested if doing so would reveal the content of the information.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Sections 23 and 24 – security bodies and national security

The section 23 exemption applies to any information you have received from, or relates to, any of a list of named security bodies such as the security service. You do not have to confirm or deny whether you hold the information, if doing so would reveal anything about that body or anything you have received from it. A government minister can issue a certificate confirming that this exemption applies.

This exemption is absolute, so you do not need to consider the public interest test.

The section 24 exemption applies if it is “required for the purpose of safeguarding national security”. The exemption does not apply just because the information relates to national security.

A government minister can issue a certificate confirming that this exemption applies and this can only be challenged on judicial review grounds. However, the exemption is qualified by the public interest test.

Section 25 is not an exemption, but gives more detail about the ministerial certificates mentioned above.

For further information, read our more detailed guidance:

Sections 26 to 29

These exemptions are available if complying with the request would prejudice or would be likely to prejudice the following:

  • defence (section 26);
  • the effectiveness of the armed forces (section 26);
  • international relations (section 27);
  • relations between the UK government, the Scottish Executive, the Welsh Assembly and the Northern Ireland Executive (section 28);
  • the economy (section 29); or
  • the financial interests of the UK, Scottish, Welsh or Northern Irish administrations (section 29).

Section 27 also applies to confidential information obtained from other states, courts or international organisations.

All these exemptions are qualified by the public interest test.

For further information, read our more detailed guidance:

Section 30 – investigations

Section 31 – prejudice to law enforcement

The section 30 exemption applies to a specific category of information that a public authority currently holds or has ever held for the purposes of criminal investigations. It also applies to information obtained in certain other types of investigations, if it relates to obtaining information from confidential sources.

When information does not fall under either of these headings, but disclosure could still prejudice law enforcement, section 31 is the relevant exemption.

Section 31 only applies to information that does not fall into the categories in section 30. For this reason sections 30 and 31 are sometimes referred to as being mutually exclusive. Section 31 applies where complying with the request would prejudice or would be likely to prejudice various law enforcement purposes (listed in the Act) including preventing crime, administering justice, and collecting tax. It also protects certain other regulatory functions, for example those relating to health and safety and charity administration.

Both exemptions are qualified by the public interest test.

For further information, read our more detailed guidance:

Section 32 – court records

This exemption applies to court records held by any authority (though courts themselves are not covered by the Act).

To claim this exemption, you must hold the information only because it was originally in a document created or used as part of legal proceedings, including an inquiry, inquest or arbitration.

This is an unusual exemption because the type of document is relevant, as well as the content and purpose of the information they hold.

This exemption is absolute, so you do not need to apply the public interest test. You also do not have to confirm or deny whether you hold any information that is or would fall within the definition above.

For further information, read our more detailed guidance:

Section 33 – prejudice to audit functions

This exemption can only be used by bodies with audit functions. It applies where complying with the request would prejudice or would be likely to prejudice those functions.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 34 – parliamentary privilege

You can use this exemption to avoid an infringement of parliamentary privilege. Parliamentary privilege protects the independence of Parliament and gives each House of Parliament the exclusive right to oversee its own affairs. Parliament itself defines parliamentary privilege, and the Speaker of the House of Commons can issue a certificate confirming that this exemption applies; the Clerk of the Parliaments can do the same for the House of Lords.

This exemption is absolute, so you do not need to apply the public interest test.

For further information, read our more detailed guidance:

Section 35 – government policy

Section 36 – prejudice to the effective conduct of public affairs

These two sections form a mutually exclusive pair of exemptions in the same way as section 30 and section 31.

The section 35 exemption can only be claimed by government departments or by the Welsh Assembly Government. It is a class-based exemption, for information relating to:

  • the formulation or development of government policy;
  • communications between ministers;
  • advice from the law officers; and
  • the operation of any ministerial private office.

Section 35 is qualified by the public interest test.

For policy-related information held by other public authorities, or other information that falls outside this exemption but needs to be withheld for similar reasons, the section 36 exemption applies.

The section 36 exemption applies only to information that falls outside the scope of section 35. It applies where complying with the request would prejudice or would be likely to prejudice “the effective conduct of public affairs”. This includes, but is not limited to, situations where disclosure would inhibit free and frank advice and discussion.

This exemption is broad and can be applied to a range of situations.

Example
A council refused to disclose a list of schools facing financial difficulties, because this could damage the schools’ ability to recruit pupils, as well as making schools less likely to co-operate and share financial information freely with the council (ICO decision notice FS50302293).

A university refused to disclose a complete list of staff email addresses. On a previous occasion when email addresses had been disclosed, this led to a security attack, as well as an increase in spam, phishing, and emails directed inappropriately (ICO decision notice FS50344341).

The Cabinet Office refused to release details of the discussions between political parties that took place between the general election and the formation of the coalition government. This was necessary to ensure that a stable government could be formed, as politicians needed to be able to freely discuss their differences as well as seek impartial advice from the civil service (ICO decision notice FS50350899).

Section 36 differs from all other prejudice exemptions in that the judgement about prejudice must be made by the legally authorised qualified person for that public authority. A list of qualified people is given in the Act, and others may have been designated. If you have not obtained the qualified person’s opinion, then you cannot rely on this exemption. The qualified person’s opinion must also be a “reasonable” opinion, and the Information Commissioner may decide that the section 36 exemption has not been properly applied if he finds that the opinion given isn’t reasonable.

In most cases, section 36 is a qualified exemption. This means that even if the qualified person considers that disclosure would cause harm, or would be likely to cause harm, you must still consider the public interest. However, for information held by the House of Commons or the House of Lords, section 36 is an absolute exemption so you do not need to apply the public interest test.

For further information, read our more detailed guidance:

Section 37 – communications with the royal family and the granting of honours

This exemption has been changed since the Freedom of Information Act was first published, so you should refer to an up-to-date copy at www.legislation.gov.uk.

It covers any information relating to communications with the royal family and information on granting honours. This exemption is absolute in relation to communications with the monarch, the heir to the throne, and the second in line of succession to the throne, so the public interest test does not need to be applied in these cases.

All other information under the scope of this exemption is qualified, so the public interest test must be applied.

For further information, read our more detailed guidance:

Section 38 – endangering health and safety

You can apply the section 38 exemption if complying with the request would or would be likely to endanger anyone’s physical or mental health or safety. In deciding whether you can apply this exemption, you should use the same test as you would for prejudice. This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 39 – environmental information

You should deal with any request that falls within the scope of the Environmental Information Regulations 2004 under those Regulations. This exemption confirms that, in practice, you do not also need to consider such requests under the Freedom of Information Act.

Only public authorities that are covered by the Regulations can rely on this exemption. A small number of public authorities, including the BBC and other public service broadcasters, are not subject to the Environmental Information Regulations. They should handle requests for environmental information under the Freedom of Information Act.

This exemption is qualified by the public interest test, but because you must handle this type of request under the Environmental Information Regulations, it is hard to imagine when it would be in the public interest to also consider it under the Freedom of Information Act.

Section 40(1) – personal information of the requester

This exemption confirms that you should treat any request made by an individual for their own personal data as a subject access request under the Data Protection Act 1998. You should apply this to any part of the request that is for the requester’s own personal data. They should not be required to make a second, separate subject access request for these parts of their request. See our Guide to Data Protection – the rights of individuals (principle 6) for advice on how to handle subject access requests.

If the information contains some of the requester’s personal data plus other non-personal information, then you will need to consider releasing some of the information under the Data Protection Act and some under the Freedom of Information Act.

This exemption is absolute, so you do not need to apply the public interest test.

Requested information may involve the personal data of both the requester and others. For further information, read our guidance:

Section 40(2) – data protection

This exemption covers the personal data of third parties (anyone other than the requester) where complying with the request would breach any of the principles in the Data Protection Act.

If you wish to rely on this exemption, you need to refer to the Data Protection Act as the data protection principles are not set out in the Freedom of Information Act. More details can be found in our Guide to Data Protection – data protection principles.

This exemption can only apply to information about people who are living; you cannot use it to protect information about people who have died.

The most common reason for refusing information under this exemption is that it would be unfair to the individual concerned. Section 40(2) is an absolute exemption, so you do not need to apply the public interest test. However, you may need to consider the public interest when applying the data protection principles.

Section 40 includes other provisions for people’s data protection rights, and these provisions are qualified by a public interest test.

For further information, read our more detailed guidance:

Section 41 – confidentiality

This exemption applies if the following two conditions are satisfied:

  • you received the information from someone else; and
  • complying with the request would be a breach of confidence that is actionable (further information about what is meant by actionable is provided in our detailed guidance below).

You cannot apply this exemption to information you have generated within your organisation, even if it is marked “confidential”. However, you can claim it for information you originally received from someone else but then included in your own records.

To rely on this exemption, you must apply the legal principles of the common law test of confidence, which is a well established though developing area of law.

This exemption is absolute so you do not need to apply the public interest test. However, you will still need to consider the public interest in disclosure, because the law of confidence recognises that a breach of confidence may not be actionable when there is an overriding public interest in disclosure.

You should carefully consider how you use confidentiality clauses in contracts with third parties and set reasonable levels of expectations about what may be disclosed.

For further information, read our more detailed guidance:

Section 42 – legal professional privilege

This applies whenever complying with a request would reveal information that is subject to ‘legal professional privilege’ (LPP) or the equivalent Scottish rules. LPP protects information shared between a client and their professional legal advisor (solicitor or barrister, including in-house lawyers) for the purposes of obtaining legal advice or for ongoing or proposed legal action. These long-established rules exist to ensure people are confident they can be completely frank and candid with their legal adviser when obtaining legal advice, without fear of disclosure.

This exemption is qualified by the public interest test.

For further information, read our more detailed guidance:

Section 43 – trade secrets and prejudice to commercial interests

This exemption covers two situations:

  • when information constitutes a trade secret (such as the recipe for a branded product); or
  • when complying with the request would prejudice or would be likely to prejudice someone’s commercial interests.

Both parts of this exemption are qualified by the public interest test.

For further information, read our more detailed guidance:

Section 44 – prohibitions on disclosure

You can apply this exemption if complying with a request for information:

  • is not allowed under law;
  • would be contrary to an obligation under EU law; or
  • would constitute contempt of court.

This exemption is often used by regulators. For example, the Information Commissioner is prohibited by section 59 of the Data Protection Act from disclosing certain information he has obtained in the course of his duties, except in specified circumstances.

The Freedom of Information Act does not override other laws that prevent disclosure, which we call ‘statutory bars’.

This exemption is absolute, so you do not need to apply the public interest test, but bear in mind that some statutory bars may refer to the public interest.

For further information, read our more detailed guidance:

Can we withhold information about people who have died?

The Data Protection Act does not cover information about people who have died, so you cannot rely on a section 40 exemption to withhold this type of information.

This may be a particular issue if you are a public authority that holds sensitive information such as health or social care records. Where you receive a request for this kind of information about someone who has died, the most appropriate exemption is likely to be section 41 (confidentiality). This is because the information would originally have been provided to a healthcare practitioner or social worker in confidence, and we consider this duty of confidentiality to extend beyond death.

Information about people who have died is likely to be covered by an exemption, because the Freedom of Information Act is about disclosure ‘to the world’ and it would often be inappropriate to make this type of information public. However, some requesters may have rights that allow them personally to access the information. For instance, the Access to Health Records Act 1990 gives the personal representative of the deceased (eg the executor of their will) the right to access their medical records. If you receive a request from someone who has the right to access the records in this way, you can refuse the request under section 21 (reasonably accessible) and handle the request under the Access to Health Records Act.

For further information, read our more detailed guidance:

Can we have extra time to consider exemptions?

No, but if the exemption is qualified you can have extra time to consider the public interest test. In doing so you must:

  • identify the relevant exemption(s) before you can claim any extra time for the public interest test; and
  • write and let the requester know why you are claiming extra time.

When and how do we apply the public interest test?

If the exemption you wish to apply is qualified, then you will need to do a public interest test, even if you know the exemption applies.

If you think that you may need to claim an exclusion from the duty to confirm or deny, then you will need to consider the public interest test for this duty. You will need to do this separately from the public interest test for the duty to provide information.

For ‘neither confirm nor deny’ cases (NCND) the public interest test involves weighing the public interest in confirming whether or not information is held against the public interest in refusing to do this. The public interest in maintaining the exclusion from the duty to confirm or deny would have to outweigh the public interest in confirming or denying that information is held, in order to justify an NCND response.

Similarly, when considering whether you should disclose information, you will need to weigh the public interest in disclosure against the public interest in maintaining the exemption. You must bear in mind that the principle behind the Act is to release information unless there is a good reason not to. To justify withholding information, the public interest in maintaining the exemption would have to outweigh the public interest in disclosure.

Note that the wording of the test refers to the public interest in maintaining the exemption (or exclusion). In other words, you cannot consider all the arguments for withholding the information (or refusing to confirm whether it is held), only those which are inherent in the exemption or exclusion ie relate directly to what it is designed to protect.

Example
A government department is seeking to rely on section 35 to withhold information relating to the development of a controversial policy.

It argues that disclosure would:
a) have a negative impact on the ongoing discussions about this policy;
b) discourage ministers and civil servants from openly debating controversial or unpopular options when discussing similar policies in the future;
c) cause stress and upset to the people involved;
d) potentially lead to threats or harassment.

While a) and b) are legitimate public interest considerations for this exemption, c) and d) are not. Instead, they may suggest that section 38 (health and safety) or section 40 (data protection) might be relevant.

You can withhold information only if it is covered by one of the exemptions and, for qualified exemptions, the public interest in maintaining the exemption outweighs the public interest in disclosure. You must follow the steps in this order, so you cannot withhold information because you think it would be against the public interest without first identifying a specific exemption.

For further information, read our more detailed guidance:

How much extra time can we have to consider the public interest test?

The law says you can have a “reasonable” extension of time to consider the public interest test. We consider that this should be no more than an extra 20 working days, which is 40 working days in total to deal with the request.

To claim this extra time, you must:

  • contact the requester in writing within the standard time for compliance;
  • specify which exemption(s) you are seeking to rely on; and
  • give an estimate of when you will have completed the public interest test.

You must identify the relevant exemptions and ensure they can be applied in this case, for example, by considering the prejudice test before you do this. You cannot use the extra time for considering whether an exemption applies. You should release any information that is not covered by an exemption within the standard time.

When you have come to a conclusion on the balance of the public interest, you should:

  • disclose the information; or
  • write to the requester explaining why you have found that the public interest favours maintaining the exemption.

Is there anything else we need to know about exemptions?

Certain exemptions do not apply to historical records. Originally, a historical record was a record over 30 years old, although this has now been amended to 20 years by the Constitutional Reform and Governance Act 2010. This reduction is being phased in gradually over 10 years. In effect, from the end of 2013 the time limit is 29 years. It will reduce by another year every year until it reaches 20 years at the end of 2022. Other exemptions expire after 60 or 100 years. A full list of these can be found in section 63 of the Act.

When deciding whether or not an exemption applies, you will usually need to consider what information is already in the public domain. If the requested information or similar information is already publicly available, then this may affect:

  • whether the requested disclosure will still cause prejudice;
  • whether the test for applying a class-based exemption is still met;
  • where the balance of the public interest lies.

These will be important considerations in many cases.

For further information, read our more detailed guidance:

If we are relying on an exemption to refuse the request, what do we need to tell the requester?

If you are relying on an exemption, you must issue a written refusal notice within the standard time for compliance, specifying which exemptions you are relying on and why.

If you have already done a public interest test, you should explain why you have reached the conclusion that the public interest in maintaining the exemption outweighs the public interest in disclosure.

If you are claiming extra time to consider the public interest test, you will not be able to give a final refusal notice at this stage, but you should explain which exemptions you are relying on. If your final decision is to withhold all or part of the information, you will need to send a second refusal notice to explain your conclusion on the public interest test.

If you are withholding information but are still required to reveal that you hold the information, you should also remember to do this.

What do we have to include in a refusal notice?

You must refuse requests in writing promptly or within 20 working days (or the standard time for compliance) of receiving it.

In the refusal notice you should:

  • explain what provision of the Act you are relying on to refuse the request and why;
  • give details of any internal review (complaints) procedure you offer or state that you do not have one; and
  • explain the requester’s right to complain to the ICO, including contact details for this.

For further information, read our more detailed guidance:

What if we are withholding only parts of a document?

Often you can withhold only some of the information requested. In many cases, you can disclose some sections of a document but not others, or you may be able to release documents after having removed certain names, figures or other sensitive details (called ‘redaction’).

The Act does not lay down any rules about redaction. The following are guidelines for good practice.

  • Make sure redaction is not reversible. Words can sometimes be seen through black marker pen or correction fluid. On an electronic document, it is sometimes possible to reverse changes or to recover an earlier version to reveal the withheld information. Ensure that staff responding to requests understand how to use common software formats, and how to strip out any sensitive information. Take advice from IT professionals if necessary.
  • In particular, take care when using pivot tables to anonymise data in a spreadsheet. The spreadsheet will usually still contain the detailed source data, even if this is hidden and not immediately visible at first glance. Consider converting the spreadsheet to a plain text format (such as CSV) if necessary.
  • Give an indication of how much text you have redacted and where from. If possible, indicate which sections you removed using which exemption.
  • Provide as much meaningful information as possible. For example, when redacting names you may still be able to give an indication of the person’s role, or which pieces of correspondence came from the same person.
  • As far as possible, ensure that what you provide makes sense. If you have redacted so much that the document is unreadable, consider what else you can do to make the information understandable and useful for the requester.
  • Keep a copy of both the redacted and unredacted versions so that you know what you have released and what you have refused, if the requester complains.

You may also wish to refer to the Redaction Toolkit produced by the National Archives.

What if the requester is unhappy with the outcome?

Under the Act, there is no obligation for an authority to provide a complaints process. However, it is good practice (under the section 45 code of practice) and most public authorities choose to do so.

If you do have a complaints procedure, also known as an internal review, you should:

  • ensure the procedure is triggered whenever a requester expresses dissatisfaction with the outcome;
  • make sure it is a straightforward, single-stage process;
  • make a fresh decision based on all the available evidence that is relevant to the date of the request, not just a review of the first decision;
  • ensure the review is done by someone who did not deal with the request, where possible, and preferably by a more senior member of staff; and
  • ensure the review takes no longer than 20 working days in most cases, or 40 in exceptional circumstances.

When issuing a refusal notice, you should state whether you have an internal review procedure and how to access it. If a requester complains even when you have not refused a request, you should carry out an internal review if they:

  • disagree with your interpretation of their request;
  • believe you hold more information than you have disclosed; or
  • are still waiting for a response and are unhappy with the delay.

Even if your internal review upholds your original decision (that, as at the date of the request, the information was exempt from disclosure) you may wish to release further information if circumstances have changed and your original concerns about disclosure no longer apply. You are not obliged to do this but it may resolve matters for the requester and reduce the likelihood of them making a complaint to the Information Commissioner if you do.