The ICO exists to empower you through information.

Latest updates

14 August 2023 - We have included the following new Further Reading resource:

  • Keeping internal consultations on FOI requests timely and transparent - a short guide for public authorities

About this detailed guidance

This guidance discusses section 24 of FOIA, the national security exemption, in detail and is written for use by public authorities. Read it if you have questions not answered in the Guide or if you need a deeper understanding to help you apply this exemption in practice.

In detail

What exemptions are contained in section 24 of FOIA?

Section 24(1) provides that information which does not fall within section 23(1) of FOIA is exempt information, if exemption from section 1(1)(b) is required for the purposes of safeguarding national security. (Section 1(1)(b) is the duty to communicate.)

Section 24(2) provides an exemption from the duty to confirm or deny whether information is held, where the exemption is required for the purposes of safeguarding national security.

Both exemptions in section 24 are subject to the public interest test.

How do we apply section 24(1) of FOIA?

In broad terms section 24(1) allows a public authority not to disclose information if you consider that releasing the information would make the UK or its citizens more vulnerable to a national security threat. To understand the exemption better it is important to look more closely at the language used.

National security

Although there is no definitive definition of national security, the Information Tribunal for Norman Baker v the Information Commissioner and the Cabinet Office (EA/2006/0045 4 April 2007) provided the following:

  • “national security” means the security of the United Kingdom and its people;
  • the interests of national security are not limited to actions by an individual which are targeted at the UK, its system of government or its people;
  • the protection of democracy and the legal and constitutional systems of the state are part of national security as well as military defence;
  • action against a foreign state may be capable indirectly of affecting the security of the UK ; and
  • reciprocal co-operation between the UK and other states in combating international terrorism is capable of promoting the United Kingdom’s national security.

Required for the purpose of

The exemption applies where withholding the information is “required for the purposes of safeguarding national security”. Required is taken to mean that the use of the exemption is reasonably necessary.

“Required” is defined by the Oxford English Dictionary as “to need something for a purpose” which could suggest the exemption can only be applied if it is absolutely necessary to do so to protect national security. However, the Commissioner’s interpretation is informed by the approach taken in the European Court of Human Rights where interference to human rights can be justified where it is “necessary” in a democratic society for safeguarding national security. Necessary in this context is taken to mean something less than absolutely essential but more than simply being useful or desirable. Therefore, we interpret required as meaning reasonably necessary.

Example

This approach was explained in ICO decision notice FS50178276 which concerned a request to the Metropolitan Police for information on a terrorist plot to attack London. The Commissioner found that the term requires: “…means reasonably necessary. It is not sufficient for the information sought simply to relate to national security; there must be a clear basis for arguing that disclosure would have an adverse effect on national security before the exemption is engaged.” This approach was also endorsed by the Information Tribunal in Philip Kalman v Information Commissioner and the Department of Transport (EA/2009/0111 8 July 2010).

It is not necessary to show that disclosing the information would lead to a direct or immediate threat to the UK. In a time of global terrorism our national security can depend on cooperating with others. This can involve protecting allies, cooperating with other countries in the fight against terrorism, as well as building relations with other prospective allies. This means that you can engage the exemption to prevent a disclosure that would have adverse consequences for one of these partners, even if disclosure would not result in a direct or immediate risk of attack on the UK or its citizens.

Example

Support for this approach is also taken from Secretary of State for the Home Department v Rehman 2001 UKHL 47. Lord Slynn found that:

“To require the matters in question to be capable of resulting ‘directly’ in a threat to national security limits too tightly the discretion of the executive in deciding how the interests of the state, including not merely military defence but democracy, the legal and constitutional systems of the state need to be protected. I accept that there must be a real possibility of an adverse effect on the United Kingdom for what is done by the individual under inquiry but I do not accept that it has to be direct or immediate.”

Safeguarding national security also includes protecting potential targets even if there is no evidence that an attack is imminent. 

Example

In the ICO decision notice FS50308040, the Commissioner considered a request to West Yorkshire Fire and Rescue Service (WYFRS) for the details of its fleet of vehicles. WYFRS operated the National Control Centre for fire and rescue services which coordinates incidents of national significance. The request had been refused on national security grounds. WYFRS argued that disclosing the information would provide sufficient information for someone to clone its vehicles. This would provide a means for its headquarters to be infiltrated. 

Although there was no evidence presented that an attack was being planned, the Commissioner accepted that the control centre was a realistic target and that the explanation of how the information could be used was plausible. Therefore the Commissioner found s24(1) was engaged.

We also recognise that terrorists can be highly motivated and may go to great lengths to gather intelligence. This means there may be grounds for withholding seemingly harmless information on the basis that it may assist terrorists when pieced together with other information they may obtain. 

Example

In Peter Burt v Information Commissioner and the Ministry of Defence (EA/2011/0004 20 September 2011) the First-tier Tribunal found that disclosing the report of a visit by officials to an enriched uranium facility in the United States could undermine national security. The Ministry of Defence was concerned that the technical information could assist those who wished to make their own nuclear weapons. The First-tier Tribunal accepted that there was a risk that this technical information could be combined with other information to provide a complete picture of how to build a nuclear device.

Example

In the ICO decision notice FS50368290, the Commissioner considered a request to the Metropolitan Police Service for the previous year’s cost of the Royal Protection Unit. The police argued that the information could be compared to other information, in the public domain, and that this would provide terrorists with intelligence on the relative vulnerabilities of members of the Royal family. 

Although “mosaic” arguments arise when considering other exemptions, the issue in these cases is whether combining the requested information with other information in the public domain will cause harm. In section 24 cases, the issue extends to whether the requested information will be useful if combined with other information that terrorists may already have or could obtain.

It may be harder to say what additional information terrorists have access to or what they may pick as a target. This means it may be difficult to justify the application of section 24 in some cases. However, the ICO will consider each case on its own merits and you always need to be able to explain why you consider that disclosing the information could harm national security.

Sections 24(1) and 23(1) are mutually exclusive

Section 24(1) can only be applied to information that does not fall within section 23(1). Therefore you cannot apply it to the same information, but there may be circumstances where you can cite it in the alternative. This means that although only one of the two exemptions can actually be engaged, you may refer to both exemptions in your refusal notice. This is explained in our detailed guidance How sections 23 and 24 interact.

How do we apply the neither confirm nor deny provisions?

Section 1(1)(a) of FOIA requires a public authority to confirm whether you hold the information that has been requested. Section 24(2) provides an exemption from this duty. This allows you to neither confirm nor deny whether you hold requested information. The exemptions from the duty in section 1(1)(a) are collectively referred to as the neither confirm nor deny (NCND) provisions.

When considering the application of NCND provisions, you are not restricted to only considering the consequences of the actual response that you are required to provide under section 1(1)(a). For example, if you do not hold the information, you are not limited to only considering what would be revealed by confirming that this is the case. You can also consider what would be revealed if you had to deny you held the information. It is sufficient to demonstrate that either a hypothetical confirmation or a hypothetical denial would engage the exemption.

It is not necessary to show that both potential responses would engage the exemption. However, you may wish to consider whether it is necessary to do so in some cases in order to effectively disguise the actual position.

When considering section 24(2), the same interpretation of “national security” and approach to “required for the purposes of” are applied as in section 24(1). The onus is on you to demonstrate there is a link between confirming or denying that you hold the information and the alleged harm to national security. Again, the causal effect does not have to be immediate or direct.

Example 

In this hypothetical example, tensions have developed between two neighbouring foreign states in a politically volatile region. At the centre of the problem are the activities of a small political group which campaigns for the rights of a particular tribal group. Its campaign is mainly targeted against one of the two states. There is a real risk of this escalating into armed conflict. The relationships with both countries are important to our fight against terrorism. Therefore the UK attempts to mediate between the two countries. While this crisis is ongoing, the Foreign, Commonwealth & Development Office (FCDO) receives a request for details of meetings that are planned between senior diplomats or ministers and the political group at the centre of the crisis. 

The FCDO is concerned that disclosing whether the UK government has any intentions to meet with the political group would compromise the UK’s relations with the state which is the main target of that party’s campaign. This could result in that state withdrawing cooperation with the UK in the fight against international terrorism. The impact on national security may not be immediate but the FCDO could still consider the application of section 24(2) to neither confirm nor deny that they held such information. Clearly, there might also be grounds for considering other exemptions, for example, the exemption in respect of international relations (section 27), or even the formulation of government policy (section 35).

Example

In the ICO decision notice FS50633090, the applicant had asked whether Network Rail used visual analytics software in conjunction with CCTV cameras at Edinburgh Waverley station and whether there were audio recorders at the station. The Commissioner accepted that confirming or denying whether these more advanced surveillance techniques were undertaken at the station would in itself reveal information which could facilitate an attack either by informing an assessment of possible strengths or by highlighting vulnerabilities. This information would be of value in assisting those with intent on making an informed assessment of the likelihood of carrying out a successful attack at the station. There was no need to evidence that issuing a confirmation or denial in response to the request would result in an immediate threat to the UK or its citizens.

Sections 23(5) and 24(2) are not mutually exclusive

This means you can apply them to the same information but you cannot cite them “in the alternative”. Read our more detailed guidance How sections 23 and 24 interact for further information.

How do we consider the balance of the public interest?

Both the exemption from the duty to confirm whether you hold the information and the exemption from the duty to disclose the requested information are subject to the public interest test. Both exemptions are only engaged when it is reasonably necessary to do so to prevent national security being undermined. There is an obvious and weighty public interest in safeguarding national security. However this does not elevate the exemptions to the status of absolute ones.

The public interest in disclosure may be equally real and, when restrictions are placed on the rights and freedoms of the public, it is important that the public are reassured that those measures are both proportionate and effective.

The public interest in maintaining the section 24 exemptions

For either of the exemptions contained in section 24 to be engaged, compliance with the relevant duty under section 1(1) must undermine national security. The public interest test provides you with an opportunity to explain the severity of the damage that would be caused, so it can be weighed against the public interest in disclosure.

Example

In Philip Kalman v Information Commissioner and the Department for Transport EA/2009/0111 referred to above, a request had been made for the details of government directives issued to airports on the procedures for searching passengers using a particular airline. Having satisfied itself that section 24 was engaged, the First-tier Tribunal went on to consider the public interest in withholding the information.

The First-tier Tribunal found that the nature of the risk added weight to the public interest in withholding the information. The consequences of a successful terrorist attack on a plane were so great that even if there was only a low risk that disclosing the information would aid such an attack, there was a very strong public interest in withholding the information. 

Not every disclosure will have the same potential consequences as the Kalman case and you should not attempt to elevate section 24 to the status of an absolute exemption. However, the example demonstrates that once the exemption is engaged the nature of the potential harm that could be caused is an important factor, even if the chance of that harm occurring is relatively low. However, this does not mean that you can consider any risk, regardless of how unlikely it is to occur. If the threat was so fanciful that the use of the exemption was not reasonably necessary to safeguard national security, section 24 would not be engaged in the first place. Once that “reasonably necessary” threshold is met however, the potential consequences of disclosure are important factors when considering the public interest.

Public interest in disclosing the information

Even though the ICO gives significant weight to safeguarding our national security, it is important to give proper consideration to the public interest in disclosing information.

Some of the relevant factors are described below.

Safeguarding national security can involve covert activities which may give rise to concerns over civil liberties and human rights. It is important that the public are reassured these activities are proportionate to the risks. Procedures such as security checks or other restrictions may be imposed on the public. The public are more likely to cooperate with security measures if they understand the need for them and, again, are satisfied that they are proportionate to the risks they are seeking to address. The public also have a natural concern that the measures in place to safeguard national security are effective. 

There may also be public interest arguments very specific to the information requested.

Example

Returning to Philip Kalman v Information Commissioner and the Department for Transport EA/2009/0111, the Tribunal noted that deliberately obstructing the measures which were introduced by these government directives is a criminal offence. Therefore, the public had an interest in knowing whether they were legally obliged to submit to searches. In Kalman this was referred to as the “secret law” argument (ie that the public should have access to the source of any legal obligations they were under). The First-tier Tribunal accepted this as a valid argument.

However, ultimately the public interest in preventing acts of terrorism targeting air travel outweighed this public interest argument.

When considering the public interest in favour of disclosure, you need to check that the information does in fact serve the public interest that is being argued.

Example

In Peter Burt v Information Commissioner and the Ministry of Defence EA/2011/0004 referred to above, the requested information was a report by the UK Atomic Weapons Establishment (AWE) produced after a visit to a facility in the US.

One public interest argument advanced by the appellant in favour of disclosure was that the information would shed light on the activities of AWE. However the withheld information related purely to the technical details of the US facility and said nothing about the activities of AWE.  

The public interest of the UK

The public interest inherent in maintaining section 24 relates to safeguarding the UK’s national security. It follows that the exemption is concerned with the public interest of the UK and its citizens. As discussed earlier, in an age of global terrorism, the security of the UK often depends on cooperation with other countries. Therefore you need to consider whether disclosing information will discourage that cooperation. 

Furthermore, UK public authorities may hold information which has implications for another country’s national security. However, when considering the public interest in maintaining section 24, you can only consider the importance to the UK in withholding the information. This does not mean however that the impact on other countries is totally irrelevant, as demonstrated by the example below.

Returning to Peter Burt v Information Commissioner and the Ministry of Defence EA/2011/0004, disclosing details of a US nuclear facility could prejudice the US’s national security. If the UK disclosed such information it is likely that the US would consider withdrawing its cooperation with AWE. It is this threat to Anglo- US cooperation that has the potential to undermine the UK’s national security and is the route by which the exemption is engaged.

This must feed through into consideration of the public interest test. The issue is how the US will react in terms of its cooperation with the UK and the impact this will have on the UK’s national security. It is not the severity of the damage to the US’s domestic security that is of direct concern for these purposes.

The focus on the UK’s interests applies equally when considering the public interest in favour of disclosure. It is possible that a disclosure could benefit the interests of another state, including one opposed to the UK. Clearly the value of the disclosure to a state opposed to the UK is not a relevant factor when considering the public interest in disclosure.

How does the ICO investigate complaints about the application of section 24?

When investigating complaints about the application of section 24(1), the ICO needs to be satisfied that the exemption from the duty to disclose the information is required for the purpose of safeguarding national security. If so, we also need to consider the public interest test. In the majority of cases the ICO will need access to the information in order to undertake these assessments. However, the Commissioner recognises that within those public authorities which regularly handle this kind of information there will be staff with significant expertise and experience of national security issues. In some cases, which the Commissioner expects will be rare, the Commissioner may be prepared to consider the issues based on submissions and reasoned explanations from, or confidential discussions with, such staff, or both. The description of the information in the request itself is likely to be relevant in this case.

For complaints about the application of s24(2), generally the ICO will be able determine whether the NCND provisions apply without knowing whether the information requested is actually held. However, in some cases we may need to know whether you hold the information and in a very limited number of cases, the Commissioner will require access to the information. This is most likely to be necessary to determine where the public interest lies when considering the public interest test.

Ministerial certificates

Section 24 contains a provision for a Minister of the Crown to issue a certificate stating the exemption is engaged.

Under section 24(3), a Minister can issue a certificate stating that either the exemption from the duty to disclose the information (section 24(1)), or exemption from the duty to confirm whether the requested information is held (section 24(2)), is required for the purpose of safeguarding national security.

The certificate can also have a prospective effect. This means that it may apply to information not currently held, or requested, at the time the certificate is issued, but which the public authority envisages it may hold in the future.

A certificate issued under section 24(3) is conclusive proof that the exemption is engaged.

Although a certificate issued under section 24(3) engages the section 24 exemptions, this is not the end of the matter. You are still required to consider the public interest test. If a complaint is received, the ICO will also make a decision on where the balance of the public interest lies.

Further reading

There are other exemptions which may be relevant to section 24 and you may want to read our guidance on these exemptions:

  • Section 23 (security bodies) the work of the security bodies will often touch on issues of national security.
  • Section 26 (defence) there are links between national security and the defence of the UK.
  • Section 27 (international relations) disclosing information that would undermine national security may also be prejudicial to international relations.
  • Section 38 (health and safety) disclosing information that would undermine national security could also endanger someone’s physical or mental health.

These examples are not exhaustive. Other exemptions may apply. As always, it is the specific circumstances of a case that will dictate the application of exemptions.

Internal Consultation Resource - Keeping internal consultations on FOI requests timely and transparent.