In this section, we have included some examples of common scenarios and the information you should include in your refusal notice.
Scenario one: The requested information is (or would be, if you held it) entirely the requester’s personal data.
You should handle the request as a subject access request (SAR).
You should issue a refusal notice under FOIA refusing to confirm or deny that you hold the requested information. You should cite section 40(5A) to refuse to confirm or deny and explain how you have decided that the requested information is, or would be if you held it, the requester’s own personal data.
You do not need to issue a refusal notice under the EIR. However, we recommend you respond to the requester by explaining that regulation 5(3) says that the EIR does not apply to their personal data. You should explain you will handle the request as a SAR.
In any case, this must not delay your response under the DPA2018 or UK GDPR as appropriate.
Scenario two: The requester’s personal data is mixed with another person’s personal data. You cannot disclose the requester’s personal data without disclosing third-party personal data.
If you cannot separate the requester’s personal data from those of the third party, you should handle the request in its entirety as a subject access request. This means that you should consider also the third-party personal data under Article 15 of the UK GDPR.
You should issue a refusal notice under FOIA refusing to confirm or deny that you hold the requested information. You should cite section 40(5A) and explain how you have decided that the requested information is, or would be if it were held, the requester’s personal data.
You do not need to issue a refusal notice under the EIR. However, we recommend you respond to the requester by explaining that regulation 5(3) says that the EIR does not apply to their personal data. You should explain you will handle the request as a SAR.
In any case, this must not delay your response under the DPA2018 or UK GDPR as appropriate.
Scenario three: You can separate the requester’s personal data from the third-party personal data. You have relied on the first condition (contravention of the data protection principles) to the third-party personal data.
If you can separate the requester’s personal data from the third-party personal data, you should handle the request:
- as a SAR for the requester’s own personal data;
- as a request under FOIA or the EIR for the third-party personal data.
You should issue a refusal notice under FOIA refusing to confirm or deny holding the information which is the requester’s personal data. You should cite section 40(5A) and explain how you have decided that this information is, or would be if you held it, the requester’s personal data.
You do not need to issue a refusal notice under the EIR. However, we recommend you respond to the requester by explaining that regulation 5(3) says that the EIR does not apply to their personal data.
For the remaining information, if you have decided that you can confirm holding the third-party personal data and the first condition is satisfied, your refusal notice should cite section 40(2) or reg 13(2A).
You should explain how disclosing the third-party personal data would contravene the data protection principles. You should also explain how you have separated the third-party personal data from the requester’s personal data.
In any case, this must not delay your response under the DPA2018 or UK GDPR as appropriate.
Scenario four: The requested information is (or would be, if you held it) third-party personal data. Confirmation or denial would contravene the data protection principles.
If the requested information is exclusively third-party personal data and you have decided confirmation or denial would contravene the data protection principles, you should issue an NCND response under FOIA. You should cite section 40(5B)(a)(i) or (ii) in the case of requests for unstructured manual data.
If you are handling the request under the EIR, you should issue an NCND response citing regulation 13(5A)(a) and 13(5B)(a)(i), or (ii) in the case of unstructured manual data.
In either case, you should explain why confirming or denying holding the requested information would contravene principle (a). Explain how you considered the legitimate interest assessment.
If you confirm holding the third-party personal data but have decided that the first condition is satisfied, you should cite FOIA section 40(2) with section 40(3A), or EIR regulation 13(2A). You must explain how you reached your decision in your refusal notice.