The ICO exists to empower you through information.

About this detailed guidance

This guidance discusses section 23, the security bodies exemption, of FOIA in detail and is written for use by public authorities. Read it if you have questions not answered in the Guide or if you need a deeper understanding to help you apply this exemption in practice. 

In detail        

What exemptions are contained in section 23 of FOIA?

Section 23(1) provides an exemption for information if it was directly or indirectly supplied to a public authority by, or relates to, any of the bodies specified in subsection (3).

Section 23(3) lists the security bodies which include the Security Service, the Secret Intelligence Service and other similar bodies.

Section 23(5) provides an exemption from the duty to confirm or deny whether information is held if doing so would involve the disclosure of any information (whether or not already recorded) which was directly or indirectly supplied by, or relates to, any of the bodies specified in subsection (3).

How do we apply section 23(1) of FOIA?

Section 23(1) Information supplied by or relating to security bodies

To engage section 23(1), the requested information simply has to have been supplied directly or indirectly by one of the named security bodies, or relates to one of those bodies. As it is a class based exemption there is no need for the disclosure to prejudice the work of those bodies in anyway. For the purpose of this guidance, we will refer to the exemption  as protecting “information relating to the security bodies”.

The security bodies are listed in subsection 3. The list of security bodies can be amended. For example, the Serious Organised Crime and Police Act 2005 created the Serious Organised Crime Agency (SOCA) and they were added to the list. The National Crime Agency was also added to the list following its establishment under the Crime and Courts Act 2013.

The exemption captures information supplied directly by a security body and information originating from a security body that is provided by a third party. In this way the exemption can protect intelligence as it is disseminated through different channels. 

Relates to

The exemption is also engaged where information “relates to” a security body. The term “relates to” is interpreted widely and includes any information concerning or linked to the activities of a security body.


In Lownie v IC & FCO / TNA GIA/2690/2018, (Lownie case) the Upper Tribunal found that the term “relates to” in section 23(1) is capable of embracing “both a direct and indirect connection” (paragraph 59). It also confirmed that the question of whether information was supplied by or relates to a security body is a question of objective fact which, unlike section 24 FOIA, does not require any judgements  concerning matters of national security (paragraph 66).

However, it also means that there will be a point when the connection between the requested information and a security body is too remote to engage the exemption. Therefore, the ICO expects you to consider whether you could disaggregate the requested information in order to separate any information that is too remotely connected to a security body.


In Corderoy and Ahmed v Information Commissioner, Attorney-General and Cabinet Office GI/428/2017 the Upper Tribunal considered whether legal advice given by the Attorney General about a targeted drone attack by the UK Government in Syria that killed two British citizens should be disclosed. The Attorney General’s Office and the Cabinet Office had withheld the advice relying on section 23(1), section 35(1)(c) (Law Officers’ advice) and section 42 (legal professional privilege) of FOIA.

Part of the Tribunal’s considerations was whether section 23(1) applied to the entirety of the contents of the advice or whether they could be disaggregated, so that some of the information within the advice would not be caught by section 23(1).

The Tribunal found that the absolute nature of the exemption in section 23 would prevent disclosure of the advice under FOIA unless: (a) the legal analysis on the lawfulness of the decision to carry out the drone strike could be disaggregated and provided in an intelligible form, and (b) the disaggregated information fell outside the scope of section 23. It is only when conditions (a) and (b) are satisfied that the issue would turn to whether the qualified exemptions in section 35(1)(c) and 42 apply to the disaggregated information. (Paragraph 43).

The Tribunal subsequently found that some of the contents were advice on the lawfulness of the decision to carry out the drone strike fell outside the scope of section 23 FOIA and could be disaggregated from the rest of the legal advice. Although the disaggregated information was of interest to security bodies, Parliament did not intend such information to be covered by section 23 FOIA because “(i) this interest was shared by Parliament and the public because it related and was confined to the legality of Government policy and so (ii) it fell within the qualified exemptions in section 35 and 42 as being legal advice on the formulation of government policy.” (Paragraph 62).

Public authorities should therefore consider whether any disaggregated information that is too remotely connected to a security body is caught by other exemptions. In this case, the Tribunal ultimately concluded that the disaggregated information was exempt from disclosure on the basis of sections 35(1)(c) and 42.

Sections 23(1) and 24(1) are mutually exclusive

Section 24(1) can only be applied to information that does not fall within section 23(1). Therefore you cannot apply it to the same information, but there may be circumstances where you can cite it in the alternative. This means that although only one of the two exemptions can actually be engaged, you may refer to both exemptions in your refusal notice. This is explained in our detailed guidance How sections 23 and 24 interact.

How do we apply the neither confirm nor deny provisions?

Section 1(1)(a) of FOIA requires you to confirm whether you hold the information that has been requested. Section 23(5) provides an exemption from this duty. This allows you to neither confirm nor deny that you hold requested information. The exemptions from the duty in section 1(1)(a) are collectively referred to as the ‘neither confirm nor deny’ (NCND) provisions.

When considering the application of NCND provisions, you are not restricted to only considering the consequences of the actual response that you would be required to provide under section 1(1)(a). For example, if you do not hold the information, you are not limited to only considering what would be revealed by confirming that this is the case. You can also consider what would be revealed if you had to deny the information was held. It is sufficient to demonstrate that either a hypothetical confirmation or a hypothetical denial would engage the exemption.

It is not necessary to show that both potential responses would engage the exemption. However, you may wish to consider whether it is necessary to do so in some cases in order to effectively disguise the actual position.

As with section 23(1), the term “relates to” is interpreted widely. This, together with the fact the exemption extends to information “not already recorded”, means that it has the potential to be applied to a wide range of situations.


In this hypothetical case the Home Office holds information on the investigations conducted by one of the security bodies. 

The Home Office is asked for information on the security body’s investigation into a particular individual, Mr X. If the security body is investigating Mr X, the Home Office will hold information and confirmation that the information is held would reveal this. The fact that the security body is investigating Mr X is clearly information relating to a security body and so section 23(5) is engaged. 

If Mr X is not being investigated, no information will be held. Denying the information is held will in effect reveal that the security body is not currently interested in that individual. Disclosing the fact that the security body is not interested in Mr X is itself information relating to a security body. 

In the above example, either a confirmation or a denial would reveal information relating to a national security body.

However, there may be some situations where one of the possible responses would not disclose information relating to a security body. This includes situations where, if the information is held, it could have originated from a number of sources and not necessarily a security body.


The Home Office receives a request for information on whether permission has ever been granted to tap the phones of a particular company in the defence industry. It is in the public domain that a range of different agencies can be given authority to tap phones. Some of those bodies are listed as security bodies in section 23(3) but others are not, such as the police and HM Revenue and Customs. Therefore confirmation that the company’s phone has been tapped would not necessarily disclose anything about the activities of a security body.

However, if the Home Office denied that it held any information this would reveal that no security body has tapped the phones of the company. This would be information relating to a security body and so section 23(5) would be engaged. 

Providing consistent responses

You can use the NCND provisions to avoid risks caused by providing inconsistent responses to a series of similar requests. This is illustrated in the example below.


Consider the Home Office receives a series of requests for information on allegations that a particular organisation has links with terrorism. If the organisation has not come to the attention of the Home Office at the time of the request then the Home Office may feel able to respond by saying that they do not hold any information.

The same request is then repeated on an annual basis over the next few years.

By year four the Home Office has initiated an investigation and holds a report prepared by MI5. It is no longer able to respond by saying they do not hold any information. However, if it suddenly changes its response and refuses to confirm or deny that they hold the requested information, this shift in position would clearly signal that they have investigated the body since the previous request.

The Home Office could avoid this problem by consistently refusing to confirm or deny that they hold any information from the initial request.

Please note that the need for consistency is restricted to these circumstances, where there is a risk of establishing a pattern that if deviated from would signal a change in the activities of the security bodies. It is not appropriate to automatically provide NCND responses to any request that touches on issues of national security or the work of the security bodies. You need to be able to explain your grounds for applying section 23(5) in the refusal notice and, if necessary, to justify the use of section 23(5) to the ICO. We expect you to explain what series of requests you may receive in the future and why there is a need to respond to those requests in a consistent manner. 

In the territory of national security

Although you can apply section 23(5) to a wide range of requests, there are limits to its use. The request has to be “in the territory of national security”. This phrase is used by the ICO but does not actually appear in the legislation. It means there has to be a realistic possibility that a security body would be involved in the issue the request relates to. There also has to be a realistic possibility that if a security body was involved, the public authority the request is addressed to would hold information relating to its involvement.

Therefore, a request to the Cabinet Office for any information on an alleged plot to assassinate a leading politician would engage section 23(5). It would not, however, be appropriate for a parish council to use section 23(5) to refuse to confirm or deny that it held information on the alleged plot. This is because even if there was such a plot, there is no reason why a parish council would hold any information about it. Therefore the parish council could confirm that it did not hold the requested information without disclosing any information about what the security bodies did or did not know.

Similarly, if the Cabinet Office received a request for information about a meeting, primarily on competition within the retail sector, between the Prime Minister and representatives of the major supermarkets, it could not reasonably apply section 23(5). There is no reason to suspect the security bodies would have an interest in such a meeting and so revealing whether or not they held the information would say nothing about the activities of the security bodies. 

Balance of probabilities test

Section 23(5) provides that a public authority can neither confirm nor deny whether they hold information, if this would disclose information relating to a security body. The term “would” is interpreted as meaning “more likely than not”. The test should be whether on the balance of probabilities, the information requested would relate to, or have been supplied by, a security body. 


In Commissioner of Police of the Metropolis v Information Commissioner (EA/2010/0008 23 May 2010) the Metropolitan Police received a request about how a plot to carry out terrorists attacks had been foiled using information obtained by the US from terrorists held overseas. The request was made following President Bush’s public statement that information obtained in this way had been used to stop such attacks. The Commissioner found that the information, if held, could have been provided to the police through a number of routes and so found that section 23(5) was not engaged because confirmation or denial would not necessarily say anything about the activities of the security bodies. 

However at the First-tier Tribunal the police produced evidence that if they held the information it would have most likely been passed by the United States’ CIA to our security bodies, who would then have informed the police. Therefore confirmation that they held the information would equate to an admission that the security bodies also held the information. 

The First-tier Tribunal found that the test of whether a disclosure ‘would’ relate to a security body was the normal civil standard of proof, known as the balance of probabilities. This means that if it is more likely than not that the information relates to a security body then the exemption is engaged.

Sections 23(5) and 24(2) are not mutually exclusive

This means you can apply them both to the same request but you should not cite them “in the alternative”. This is explained in our detailed guidance How sections 23 and 24 interact.

How does the ICO investigate complaints about the application of section 23?

When we investigate complaints about the application of section 23(1), we need to be satisfied that the information was in fact supplied by a security body or relates to such a body. In certain circumstances we may be prepared to accept a reasoned explanation from you in writing that this is the case. This only applies where it initially appears plausible that all of the information would engage the exemption. The reasoned explanation should confirm that this is the case and satisfy us that the exemption applies. You must provide the reasoned explanation from someone who, because of their seniority and responsibilities, has regular access to information relating to the security bodies and who understands the relationship between the public authority and those bodies. They must also have seen the disputed information.

In some circumstances, it may be less clear that all of the withheld information has been supplied by or relates to a security body, for example due to the wording of the request. It is then not appropriate for us to accept a reasoned explanation of this nature from you as sufficient evidence on its own. We will need to discuss the matter with you in order to gain a better understanding of your grounds for applying the exemption and be satisfied it is in fact engaged. In some cases it will be necessary to see the information in order to understand its nature and provenance. In any event, the ICO reserves the right to require sight of the information and will serve an information notice to do this if necessary. In light of the Upper Tribunal decision in Corderoy and Ahmed v Information Commissioner, Attorney-General and Cabinet Office GI/428/2017 the ICO expects you to consider whether the withheld information could be disaggregated in order to separate any information that is too remotely connected to a security body.

For complaints about the use of section 23(5), we will generally be able to determine whether the NCND provisions apply without knowing whether you actually hold the information. However in exceptional cases the Commissioner may need to know whether you hold the information and may require access to it.

Ministerial certificates

Section 23 contains a provision for a Minister of the Crown to issue a certificate stating the exemption is engaged.

Section 23(2) provides that the Minister can issue a certificate confirming that the information it relates to was directly or indirectly supplied by, or relates to a security body. The certificate may apply to either the actual information requested, or to the information that would be disclosed by confirming or denying that the requested information was held. In other words the certificate can serve to demonstrate that either section 23(1) or section 23(5) is engaged.

A certificate issued under section 23(2) is conclusive proof that the information is covered by the relevant exemption.

When does the public interest test apply to section 23(1)?

Section 23(1) is an absolute exemption which means that it is not generally subject to the public interest test set out in section 2(2) of FOIA. However, there is an exception in the case of some historical records. This is set out in section 64(2) of FOIA.

Section 23(1) is subject to the public interest test when it is applied to information in a historical record held by The National Archives or the Public Records Office Northern Ireland. Originally, a historical record was one over 30 years old, or if forming part of a file, the last entry on that file must be over 30 years old. However this has now been amended to 20 years by the Constitutional Reform and Governance Act 2010. This reduction is being phased in gradually over 10 years. In effect, from the end of 2013 the time limit is 29 years. It will reduce by another year every year until it reaches 20 years at the end of 2022.

Assessing the balance of the public interest

Section 23(1) still applies to a historical record simply on the basis that the information was supplied by or relates to a security body. However, the exemption can only be maintained where the public interest in doing so is greater than the public interest in disclosure. How public authorities should approach the assessment of the balance of the public interest was explained by the Tribunal in the Lownie case.

The Upper Tribunal in Lownie v IC & FCO / TNA GIA/2690/2018 concluded that the starting point for assessing the balance of the public interest in the context of an historical record caught by section 23(1) should be; Parliament has decided that, save for the case of historical records, there is such a powerful interest in non-disclosure that the exemption is absolute.

However, this does not mean that the importance of preserving the secrecy of section 23 bodies disappears in the case of historical records. Rather, in those cases, the public interest in preserving secrecy is weighed with all other relevant considerations for and against disclosure. The fact that the exemption is no longer absolute does not detract from the value to be ascribed to the importance of secrecy but it means that it must be balanced against the public interest in disclosure in the circumstances of each case (paragraphs 83-85).

Further reading

There are other exemptions which may be relevant to section 23 and you may want to read our guidance on these exemptions:

Section 24 (national security) the work of the security bodies will often touch on issues of national security.

Section 26 (defence) there could also be links to the defence of the UK.

Section 27 (international relations) it may also involve co-operation with other States.

Section 38 (health and safety) information relating to the work of the security bodies could also endanger someone’s physical or mental health.

These examples are not exhaustive. Other exemptions may apply. As always, it is the specific circumstances of a case that will dictate the application of exemptions.