The ICO exists to empower you through information.

What is the duty to confirm or deny?

Section 1(1)(a) of FOIA says you must tell the requester whether you hold the requested information. This is called “the duty to confirm or deny”.

However, there are cases when doing so can – in itself – disclose exempt information or harm the interest an exemption protects. In these circumstances, you don’t have to say whether or not you hold the information. You can issue a “neither confirm nor deny” response. This is also known as an ‘NCND’ response.

Unlike FOIA, the EIR does not contain an explicit duty to confirm if you hold the information. However, there are situations in which the EIR allows you to respond by neither confirming nor denying holding the requested information. These situations include when you receive requests for a third party’s personal data.

The exclusion from the duty to confirm or deny in relation to personal data is set out in the following provisions:

  • Section 40(5A) and (5B); and
  • Regulation 13(5A) and (5B).

You don’t have to confirm or deny holding the requested personal information when:

  • it is the requester’s personal data and you’re handling the request under FOIA; or
  • it is a third party’s personal data; and
    • confirming or denying would contravene the data protection principles; or
    • confirming or denying would contravene a valid objection to processing; or
    • confirming or denying would itself be exempt from the right of access under data protection legislation.

This applies also to manual unstructured personal data.

Is the requested information personal data, or would it be if you held it?

The first thing to determine is whether the requested information is personal data, or if it would be if you held it.

If you are dealing with the request under the EIR, you must also be satisfied that the information is environmental.

NCND is not about the content of the requested information.

The aim of giving an NCND response is to leave the question of whether or not you hold the information entirely open. This is to ensure that no inferences can be drawn from the fact that you hold or do not hold the information.

This means you can give an NCND response when you do not in fact hold the requested information. In these cases, you can consider the consequences of confirming or denying by reference to hypothetical information you might hold, without first establishing if you do actually hold it.

For example, if you are dealing with a request for information about someone’s disciplinary records, giving an NCND response could be appropriate. This is because confirming or denying whether or not you hold such records risks revealing if that person is, or is not, subject to a disciplinary process.

To help you establish if the request is about personal data, read the section “What is personal data” in this guidance.

You cannot rely on section 40 or regulation 13 if the requested information is not personal data, or would not be if you held it.

You must confirm or deny that you hold the requested information unless you can demonstrate another exemption or exception applies.

Is it the requester’s personal data, or would it be if you held it?

If all of the requested information is the requester’s own personal data, you should claim section 40(5A) of FOIA to respond by not confirming or denying that you hold it.

Information that is the requester’s personal data is exempt from disclosure under section 40(1) of FOIA. Section 40(5A) of FOIA says you are not required to confirm or deny that you hold this information.

You can therefore issue an NCND response to a request under FOIA. Section 40(5A) is an absolute exemption and you do not need to conduct a public interest test.

As mentioned before, this applies whether or not you do actually hold the requested information.

The issue to consider is not whether you hold the requested personal data. Rather, if you did hold it, would this be exempt information under section 40(1)?

Regulation 5(3) of the EIR says the requester’s personal data is not covered by the Regulations.

If the requested information is the requester’s personal data and the information is environmental, you should respond by explaining the requested information is not covered by the EIR.

If you receive an FOI or EIR request for this type of information, you should treat it as a subject access request (SAR) and inform the requester of your doing so.

You should explain to the requester why you are not handling the request under FOIA or the EIR. You should also explain how they can challenge this if they wish.

However, if the requester insists you do respond under FOIA or the EIR, you should issue a refusal notice as soon as possible or within 20 working days.

Your refusal notice should explain why you are refusing the request under FOIA or the EIR. It should also explain that you will respond under the data protection access regime within the relevant statutory timelines.

When relying on neither confirm nor deny provisions, you should draft your refusal notice very carefully to avoid giving away if you actually hold the information. This is particularly important if the requested information contains mixed personal data.

Example

If a requester has asked a public authority for information about incidents of anti-social behaviour directed at their own address, the authority is entitled to respond by neither confirming nor denying whether they hold the information.

This is because the requester’s address constitutes personal data relating to them as an identifiable individual. Therefore, information that the public authority may hold about incidents of anti-social behaviour directed at the requester’s home would be information about them.

The information, if it were held, would be exempt from disclosure under section 40(1). Therefore, under section 40(5A), the public authority is not required to confirm or deny that they hold it.

For more information about this, read the relevant sections in Part 1 of this guidance.

For more information on how to deal with subject access requests, read our data protection guidance on the right of access.

Is it third-party personal data, or would it be if you held it?

If the requested information is (or would be, if you held it) the personal data of someone who is not the requester, it is third-party personal data.

You should also treat the requested information as third-party personal data if:

  • it is (or it would be, if you held it) mixed personal information, ie the requester’s personal data combined with someone else’s personal data, and
  • you cannot separate the two.

You do not have to confirm or deny whether you hold the requested personal information to the extent that confirming or denying:

  • would contravene one of the data protection principles (first condition); or
  • would contravene an objection to processing (second condition); or
  • is exempt from the right of access under data protection legislation (third condition).

First condition: would confirming or denying contravene the data protection principles?

Under section 40(5B)(a)(i) and (ii) of FOIA and regulation 13(5A)(a) and 13(5B)(a)(i) and (ii) of the EIR, you must consider if confirming or denying holding third-party personal data would – in itself – contravene any of the data protection principles in Article 5 of the UK GDPR.

Principle (a) is usually the most relevant. We explain why in section “would disclosure contravene the data protection principles” of Part 3 of this guidance.

This process is similar to assessing if the first condition in section 40(3A) and regulation 13(2A) is satisfied. That is, if disclosing third-party personal data in response to an FOI or EIR request would contravene the data protection principles.

You can follow Part 3 of this guidance to help you decide if confirmation or denial would contravene the data protection principles.

We take the view that – if confirming or denying holding third-party personal data would contravene the data protection principles – the exclusion from the duty to confirm or deny under both FOIA and the EIR is absolute. That is, you don’t have to carry out the public interest test.

Under FOIA, absolute exemptions are listed in section 2(3). Whilst section 40(2) is explicitly listed as being absolute when the first condition is satisfied, the NCND equivalent isn’t. However, our position is that this doesn’t necessarily mean that section 40(5B)(a)(i) and (ii) are qualified exemptions. This is because these provisions rest on the same legal test as section 40(2) when deciding if the first condition is satisfied.

That is, both the exclusion from the duty to confirm or deny and the exemption from disclosure depend on whether there would be a breach of the data protection principles. If the outcome of the assessment is that there would be a breach of the principles, there is no right of access under section 1 of FOIA. Therefore, we take the view that the exclusion from the duty to confirm or deny under section 40(5B)(a)(i) and (ii) is absolute.

The EIR makes it clear that regulation 13(5A)(a), ie the exclusion from the duty to confirm or deny for the purpose of the first condition, is absolute.

If confirming or denying holding the information would not be lawful, fair and transparent, you should issue a refusal notice to give an NCND response.

Example: a police officer’s disciplinary record

In decision notice IC-111481-Y9T6, the Information Commissioner decided that the public authority was correct to refuse to confirm or deny holding the requested information. The Commissioner found confirmation or denial would be unlawful and would therefore contravene principle (a) of the UK GDPR.

The First-tier Tribunal (‘FtT’) upheld the Commissioner’s decision on appeal ([2022] UKFTT 00261 (GRC)).

The requester had asked the Metropolitan Police Service (MPS) for disciplinary records of a former police officer who was now in a senior role at a university.

This would be personal information of an identifiable individual other than the requester, ie the former police officer.

The MPS considered whether confirming or denying holding the information would contravene data protection principle (a).

The MPS relied on art. 6(1)(f) lawful basis, ie legitimate interests. The authority identified the following legitimate interests:

  • Informing student and staff about the person’s disciplinary record because they were in a senior role at the University.
  • A wider legitimate interest in the MPS’ accountability in its disciplinary procedures.

The MPS decided that confirming or denying was necessary to meet these legitimate interests because there wasn’t a less intrusive way.

However, the MPS decided that the former police officer would have a reasonable expectation that the MPS would not confirm or deny to the public that it held their disciplinary information. The MPS also decided that confirmation or denial would cause a significant intrusion of privacy for the individual.

Therefore, the MPS concluded that the legitimate interest in confirming or denying did not outweigh the former police officer’s fundamental rights and freedoms.

As a result, the MPS decided that it could not rely on the legitimate interests lawful basis. This meant that confirming or denying holding the information would be unlawful and, consequently, would contravene data protection principle (a).

The MPS issued an NCND response, citing section 40(5B)(a)(i) of FOIA.

The Commissioner upheld the authority’s decision.

In some cases, the requester may argue that confirming or denying to them would not contravene the data protection principles because they already know that you hold the information. However, FOIA and the EIR are about giving the confirmation or denial “to a member of the public”.

This means that FOIA and the EIR are concerned with disclosure to the world, not just to the person who submitted the request. Therefore, you must consider whether confirming or denying “to a member of the public” would contravene the data protection principles.

Example

Someone complains to their local council about anti-social behaviour by their next-door neighbour. They then submit a request for information about the complaint’s investigation. The council could refuse to confirm or deny holding the information.

The requested information would be the neighbour’s personal data.

The requester already knows of the complaint. However, it’s unlikely that there would be a legitimate interest in telling the world that the neighbour was under investigation. In this instance, confirming holding the information is likely to contravene principle (a).

If the requested information is special category data or criminal offence data, you must also consider the conditions set out in schedule 1 of the DPA18 to determine if confirmation or denial would contravene data protection principle (a). This is in addition to having a lawful basis under Article 6 of the UK GDPR.

Follow Part 3 of this guidance to help you decide if confirming or denying holding this type of personal data would contravene data protection principle (a).

If you cannot demonstrate that confirming or denying holding special category data or criminal offence data would be lawful, fair and transparent, your confirmation or denial is likely to contravene data protection principle (a). You should issue an NCND response.

Example

In decision notice IC-135384-N1D6, the Information Commissioner upheld the authority’s decision to refuse to confirm or deny holding criminal offence data of a former police officer.

The requester had asked Kent Police for information about an allegation of indecent exposure they believed had been made against a former police officer.

Kent Police decided that the requested information, if held, would be criminal offence data because it related to allegations of a criminal offence.

Kent Police considered whether confirming or denying that it held the information would contravene data protection principle (a).

Kent Police considered if it could rely on the relevant special conditions in schedule 1 for processing this type of data. These are:

  • the person’s consent, in this case the former police officer; or
  • if the processing related to personal information clearly made public by the former police officer.

Kent Police decided that it could not identify a special condition for processing. As a relevant additional condition was missing, the authority did not go on to consider an article 6 lawful basis. They decided that confirming or denying would therefore be unlawful because it would contravene principle (a).

Kent Police issued an NCND response, citing section 40(5B)(a)(i) of FOIA. The Information Commissioner decided the authority was entitled to do so.

Second condition: would confirming or denying contravene the right to object?

Under section 40(5B)(b) of FOIA and EIR regulation 13(5B)(b), you must consider if confirming or denying holding the information would contravene an objection made under Article 21 of the UK GDPR.

The EIR regulation 13(5B)(b) also says that the duty to confirm or deny does not arise if it would contravene an objection to intelligence services processing under section 99 in Part 4 of the DPA. The Intelligence Services are subject to the EIR but not to FOIA.

Similarly to condition one, the NCND assessment in condition two takes place “apart from this Act” or, for the EIR, “apart from these Regulations”.

You can follow Part 4 of this guidance to help you assess whether confirming or denying holding the information would contravene the right to object.

These provisions are qualified. Even if you decide that confirmation or denial would contravene the right to object, you must conduct a public interest test. This is to determine if the public interest in maintaining the exclusion from the duty to confirm or deny outweighs the public interest in confirming or denying holding the information.

Third condition: would confirmation be exempt from the right of access under data protection legislation?

Under section 40(5B)(c) and (d) of FOIA and regulation 13(5A)(b) and 13(5B)(c), (d) and (e) of the EIR, you must consider if confirming or denying holding the information is exempt from the right of access because of a data protection exemption.

If you are a competent authority for law enforcement purposes, you must consider exemptions from the right of access under the DPA18 (law enforcement processing).

The Intelligence Services must consider exemptions from the right of access in the context of intelligences service processing. This only applies when the request is for environmental information.

Follow Part 5 of this guidance to help you applying this condition.

These provisions are qualified. You must conduct a public interest test to decide if the public interest favours confirming or denying that you hold the information.