Section 36
You can apply the exemption under section 36(2)(c) where disclosure of information would lead to cyber security issues which “…otherwise prejudice, or would be likely otherwise to prejudice, the effective conduct of public affairs”.
Section 36 operates slightly differently to other exemptions. Usually, you must have the ‘qualified person’ (QP) in your organisation confirm that it is their opinion that the exemption applies.
To rely on this section, you must carry out a public interest test.
Example
The Pensions Ombudsman received a request for information about a data breach that had affected the requester personally. Along with other information, the requester asked for:
- details of the third party who had accessed the information;
- how they were able to access the information; and
- whether this access was due to a lapse in security from either staff or contractors.
The Pensions Ombudsman withheld the IT-related information under section 36(2)(c). As part of their argument, the public authority’s Chief Operating Officer, who was their QP, gave the opinion that disclosing the requested information might encourage potential criminals to extort the compromised information or attempt a similar attack.
The withheld information was contained within a report that the Pensions Ombudsman had sent to the ICO in our capacity as data protection regulator. The report provided granular information about the breach, including how and why it occurred.
We were satisfied that this information could be used to attack the public authority. Therefore, we were satisfied that the QP’s opinion about withholding that specific information was reasonable, and the exemption was engaged.
For the balance of the public interest, disclosure of the information would encourage transparency, and would demonstrate that a thorough investigation had been carried out. This would provide reassurance to those, including the requester, whose personal information had been compromised. However, it’s not in the public interest to increase the likelihood of any such attacks, which could result in the unlawful disclosure of even more personal information. On balance, we were satisfied that the public interest in withholding the information outweighed the public interest in disclosure.
This is quite a complicated case in which the public authority also attempted to inappropriately apply section 36 to some other information that fell under the scope of the request. But we found that they could rely on section 31 to withhold it. The request also captured further information, not related to IT, for which other exemptions were discussed.