Section 40 and Regulation 13 – personal information
Latest updates - 11 July 2024
11 July 2024
- We have clarified that, when you are considering if you can disclose personal information in response to an FOI/EIR request, you must assess under data protection legislation if the disclosure would be lawful. This applies also when considering giving a “neither confirm nor deny” response. You can find this change in the section What do FOIA and the EIR say about requests for personal information?
- We have clarified that we consider section 40(5B) and regulation 13(5A)(a) are absolute. You don’t have to carry out a public interest test. You can find this change in Part II, section “First condition: would confirming or denying contravene the data protection principles?”
- We have clarified that we don’t consider that the presumption in favour of disclosure applies in the context of the application of regulation 13 of the EIR. You can find this change in the section What do FOIA and the EIR say about requests for personal information?
13 December 2023
- This detailed guidance includes pieces of guidance which were previously separate. The pieces merged into this one are: “information exempt from the right of access”, “neither confirm nor deny in relation to personal data”, “personal data of both the requester and others”.
- We have clarified our position about what you need to consider when deciding if the requested information is personal data and if people can be identified. You can find this change in the sections “What is personal data?” and “Can people be identified?”
- We have clarified the meaning of “otherwise than” under section 40 of FOIA and regulation 13 of the EIR. We have also clarified why principle (a) of the UK GDPR is the one most likely to be contravened if you disclose personal information in response to an FOI request. You can find this change in “Part three: The first condition – would disclosure contravene the data protection principles?”
- We have further explained our position about what you need to consider when conducting a legitimate interest assessment to decide if you can disclose personal information in response to an FOI or EIR request. You can find this change in Part three, section “Would disclosure be lawful?”, sub-section “Does lawful basis (f) – legitimate interests – apply?”
- We have included more examples from our decision notices and from Tribunal decisions to help you apply the personal information exemption in practice.
This detailed guidance discusses the exemptions and exceptions relating to personal data under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). It is written for use by public authorities.
If you receive a request for personal data under FOIA or the EIR, you should use this guidance to help you decide how to respond. The guidance is divided into five parts which identify the key questions you need to address.
We have used plain language as far as possible. However, we’ve sometimes used some technical and legal terms for accuracy.
The guidance refers to the processing of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). For more information see our guidance for organisations.