Part one: Is the request for personal data?
To rely on section 40 or regulation 13, you first need to determine if the requested information is “personal data” as defined in the Data Protection Act 2018 (DPA18).
If the requested information is not personal data, then you cannot rely on these provisions. You must disclose the information unless you can demonstrate another exemption or exception applies.
You should also consider whether the requested information is environmental information. This will help you decide whether to respond to the request under FOIA or the EIR.
If you are not sure, check our guidance What is environmental information?
What is personal data?
You can find the definition of ‘personal data’ in section 3 of the DPA18. The definition is:
3(2) “Personal data” means any information relating to an identified or identifiable living individual.
3(3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to -
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Data protection legislation refers to an identifiable individual as a “data subject”.
To establish if the requested information is personal data, you should consider:
- Is the person to whom the information relates to still living? Information about a person who is deceased is not personal data, but other exemptions may be relevant.
The National Archives guide on archiving personal data recommends assuming a lifespan of a 100 years, after which someone is presumed dead unless it is known they’re still alive. If you believe the person is dead, follow our guidance on handling requests for information about deceased people. - Can the person be identified, either directly or indirectly? Someone may still be identifiable even if they cannot be directly identified from the requested information itself. Consider both direct identifiers (eg name, address) and indirect identifiers (eg car registration number).
- Does the information relate to the identifiable individual? For example, is it about the individual, does it tell you something about the individual, or can it be used to make decisions that affect the individual?
For more information about this, read our guidance about the meaning of ‘relates’ to.
Some common examples of personal data include:
- a job title and direct dial telephone number for an individual member of staff;
- details of someone’s qualifications and training;
- the name of someone who complained to a local authority about noise, and details of their complaint;
- the name of a person who drafted a report.
Indirect identifiers could also be personal data. For example:
- a vehicle registration number;
- a national insurance number;
- someone’s date of birth;
- the name of a pet.
Can people be identified?
Sometimes, it’s not obvious if a request captures personal data.
When assessing if a disclosure could lead to people being identified, you need to think about how actual identification is possible. You should consider all the practical steps and all the means reasonably likely to be used by someone who is motivated to identify the people to whom the information relates to.
This is called the ‘motivated intruder’ test.
Who is the motivated intruder?
In Information Commissioner v Magherafelt District Council [2012] UKUT 263 (AAC) (14 June 2012), the Upper Tribunal adopted the following definition of a ‘motivated intruder’:
“a person who starts without any prior knowledge but who wishes to identify the individual or individuals referred to in the purportedly anonymised information and will take all reasonable steps to do so” [para. 37]
In The Information Commissioner v Miller [2018] UKUT 229 (AAC), the Upper Tribunal accepted the Scottish Court of Session’s reasoning in Craigdale Housing Association and Others vs The Scottish Information Commissioner [2010] CSIH 43 that:
“it should be assumed that it is not just the means reasonably likely to be used by the ordinary man on the street to identify a person, but also the means which are likely to be used by a determined person with a particular reason to want to identify the individual (…) using the touchstone of, say, an investigative journalist” [para. 24].
Means of identification are particularly relevant where the information potentially relates to a group of people. If the requested information is about a small number of people, you should not automatically assume it’s their personal data. The key question is: can they be identified with a degree of certainty?
Example
In NHS Business Services Authority vs Information Commissioner and Spivack [2021] UKUT 192 (AAC) (6 August 2021), the Upper Tribunal decided that the FtT was right to conclude an anonymised small dataset did not constitute personal data because the small number of individuals within it could not be identified with any degree of certainty.
The requested information was a list of dispensaries which had supplied a particular drug prescribed to children for epilepsy.
The public authority was the NHS Business Services Authority (‘NHSBSA’). The authority refused to provide the information because the dispensaries had supplied fewer than 5 items. As a result, it argued the small number of people within the dataset could be identified from the data when combined with other information reasonably available in the public domain.
The Upper Tribunal rejected this argument. It concluded that data protection legislation “provides that actual identification is necessary in order for data to be personal data” [para. 37].
At para. 21-22,
“the test remains whether it is possible to identify a specific individual solely by relying on the data available. Identifying a pool that contains or may contain a person covered by the data is not sufficient. Saying that it is reasonably likely that someone is covered by the data is not sufficient. Still less is it sufficient to say that it is reasonably likely that a particular individual may be one of the pool.”
Identification can be time sensitive. That is, the chances someone could be identified can increase or decrease over time depending on the information and means available at a particular moment.
Example
In The Information Commissioner v Miller [2018] UKUT 229 (AAC) the Upper Tribunal accepted the FtT’s finding that, given the passage of time, someone would need very specific details of the circumstances existing at the time to be able to identify the people within an anonymised small dataset.
The applicant had requested statistical information about homelessness in the years between 2009 and 2012. The authority withheld datasets covering small geographical areas under section 40(2) because the data covered a small number of people or households and there was an identification risk.
The Upper Tribunal upheld the First Tier Tribunal’s finding that the information in that case was not personal data. People could potentially identify themselves as part of the small dataset. However, they could not distinguish themselves from other people within that dataset.
At para. 52, the UT concluded:
“it is quite fantastical to suppose that, several years later, there would be anyone sufficiently motivated to try to identify an individual to which the data related. The information in the spreadsheets is not such as is likely to attract those with investigative skills, such as a journalist, to attempt to identify individuals. (…) Even if, which is unlikely, there may be some interest in those who were accommodated at or close to the time, I can see no basis for thinking that it would be of interest to anyone several years later.”
You should also consider:
- if there is any additional available information which could be combined with the requested information to enable identification, such as a media article. This could be information that you do not hold but that members of the general public have access to; and
- the technology available at the time of the request.
Once you’ve reached a conclusion, we recommend you make a record of your reasoning. This will help you to explain your application of the exemption or exception to the requester or to the ICO.
Before relying on the personal information provisions of FOIA and the EIR to refuse a request for third-party personal data, you could consider if you can anonymise the requested information.
Read our guidance on anonymisation to help you with this.
If you need more help deciding if the requested information is personal data, read our guide on what is personal information.
Do you hold it as unstructured manual data?
The UK GDPR does not generally apply to unstructured manual data.
“Unstructured manual data” refers to hard-copy personal data which is held on paper, but not in an organised structure. It is not held in a filing system and is not intended to form part of a filing system. Therefore, the data cannot be easily accessed with reference to an identifier such as a year or name.
Article 2(1A) of the UK GDPR says that unstructured manual data that public authorities process is still personal data. This includes paper records that public authorities do not hold as part of a filing system.
This means that – under FOIA and the EIR – you should treat requests for unstructured manual data in the same way as requests for any other personal information.
Is the requested information the requester’s own personal data?
If all of the requested information is the requester’s own personal data, you should not disclose it under FOIA or the EIR. Instead, you should handle the request as a subject access request (SAR) under the UK GDPR or the DPA18, as applicable.
Section 40(1) of FOIA provides an absolute exemption from disclosure of the requester’s personal data. Section 40(5A) also allows you to neither confirm nor deny holding the information.
Regulation 5(3) of the EIR states that the EIR does not apply to the requester’s personal data at all.
People may sometimes ask for their own personal information under FOIA or the EIR. This can happen because they don’t know what the correct access regime is for getting this information.
When you receive a request which captures personal information, you should first check whose personal data the requester is asking for. If you are not sure, contact the requester for clarification. If you have any doubt about the requester’s identity, you should deal with it as a request for a third party’s personal data.
Once you are satisfied that the requester is asking for their own personal data, you should:
- decide if you can confirm or deny holding the information. Follow Part 2 of this guidance to help you with this;
- If you decide you can confirm holding the information, respond to inform the requester that they do not have a right to access this information under FOIA or that the information is not within scope of the EIR; and
- explain to them that you will handle their request as a SAR under the UK GDPR because this is the most appropriate regime. If you are a competent authority processing personal data for law enforcement purposes, the applicable regime is the DPA18 (Part 3).
Respond to the requester as soon as you can and no later than 20 working days after receiving the request.
Sometimes, requesters can insist on you considering their request under FOIA or the EIR. If this happens, you should issue a refusal notice within 20 working days at the latest.
You must explain to the requester why you are not handling the request under FOIA or the EIR. You must also explain how they can challenge this if they wish. You should inform them that you will respond under the relevant data protection access regime.
Make sure you respond under the UK GDPR or the DPA18 within the relevant statutory timeframes.
See our detailed guidance on the data protection right of access for more information.
Is the requested information the requester and other individuals’ personal data?
If the requested information is personal data about more than one person, you need to treat all of them as separate data subjects.
If you can clearly separate the requester’s personal data from any other person’s personal data, you should treat this part of the request as a subject access request and deal with it under data protection legislation.
We have explained what you should do in the section “Is the requested information the requester’s own personal data?”.
You should then consider whether you can disclose the personal data about the other individual or individuals under FOIA or the EIR. We explain more about this in the section “Is the requested information someone else's personal data?”.
If you cannot separate the mixed information, you should consider all of the requested information as if it were the requester’s personal data.
Therefore, the request will fall within the scope of section 40(1) or, if it’s also environmental information, regulation 5(3). You should treat it as a subject access request. This means you should decide under data protection legislation if you can disclose the other individual’s personal data to the requester.
If you need more information, please read our detailed data protection guidance about how you should handle a subject access request which involves information about other individuals.
Requests for mixed personal data are quite common in the context of requests for access to complaint or investigation files. In these cases, the requester’s own personal data is often inextricably linked to the personal data of the individuals involved in the complaint or investigation process. For example, the officers investigating the complaint or any witnesses who gave a statement.
Example
In decision notice FS50677824, the Information Commissioner took the position that the requested information was mixed personal data. Consequently, she decided that the public authority was entitled to neither nor confirm deny holding the requested information under section 40(5A) of FOIA.
The requester had asked for information about an internal complaint they had made about an investigation into a murder.
The authority said that this information, if held, would be the requester’s personal data and the personal data of the officers involved in the investigation. Therefore, it refused to confirm or deny holding this information.
The Commissioner decided this was correct.
Is the requested information someone else’s personal data (ie third-party personal data)?
If the requested information is the personal data of someone who is not the requester, it is third-party personal data.
This type of personal information is exempt from disclosure under section 40(2) of FOIA or, if it is also environmental information, under regulation 13(1) of the EIR.
Before considering if you can disclose, you must first decide if you can confirm or deny holding the requested third-party personal data.
Read Part 2 of this guidance to help you with this.
If you have decided that you can confirm holding the information, you must go on to consider if section 40(2) or regulation 13 apply.
To rely on the exemption at section 40(2), or the exception at regulation 13, you must show that:
- the requested information is third-party personal data; and
- one of the following three conditions are met:
- First condition: disclosure would contravene one of the data protection principles. In so far as the first condition is met, the section 40(2) exemption is absolute. The same is true for regulation 13(2A).
- Second condition: disclosure would contravene an objection to processing.
- Third condition: the information is exempt from the right of access.
If the second or third conditions are satisfied, you must also do a public interest test.
In most cases, you will only need to consider the first condition.
Further reading
Data protection resources:
- What is personal information?
- Can we identify an individual indirectly from the information we have?
- What is the meaning of relates to?
- Anonymisation: managing data protection risk code of practice
- Right of access
- Right of access when the information requested is about third-parties
- Draft guidance on anonymisation and pseudonymisation
- Privacy-enhancing technologies
Other resources: