Section 31
Section 31 is known as the ‘law enforcement’ exemption, but that doesn’t mean its use is limited to police forces or other bodies with investigative powers. It provides an exemption where disclosure of information would, or would be likely to, prejudice the prevention or detection of crime. It also provides a way to withhold information where disclosure would, or would be likely to, prejudice the performance of various other specific public functions.
You should consider:
- your operations as a public authority; and
- whether any of the functions listed under section 31 could be left vulnerable to a cyber incident if you disclosed the information.
To rely on this section, you must carry out a public interest test.
Example
The Department for Work and Pensions (DWP) received a request asking about the access rights of different staff groups using the Universal Credit IT system. DWP disclosed a list of job roles and their associated system access privileges but withheld the specific privileges, citing section 31(1)(a).
DWP explained that the withheld information effectively mapped out the access management structure of the Universal Credit Service. It argued that releasing this detail could assist malicious actors in launching targeted spear phishing attacks. The concern was that attackers could use publicly available information, such as LinkedIn profiles where staff describe their roles, in combination with the requested information, to craft convincing phishing messages aimed at specific user groups. DWP’s threat intelligence centre had identified spear phishing as the second-highest threat scenario in its 2021 Annual Strategic Threat Assessment. In 2020, DWP received 192 million emails, half of which were blocked as spam, illustrating the scale of the threat.
We agreed that there was a link between disclosure and an increased risk of unlawful access, and therefore section 31(1)(a) was correctly engaged. We recognised the public interest in understanding how DWP ensures that claimant information is protected, and in promoting transparency around its systems. But this was outweighed by the public interest in safeguarding personal information and ensuring the Universal Credit system was not compromised. We concluded that maintaining the exemption was justified.