FOIA Section 40 Exemption
From FOIwiki
Jump to navigationJump to search
Section 40: Personal Information
Section 40 concerns personal data within the meaning of the Data Protection Act 1998. Section 40 applies to two distinct types of requests for information:
- if a request asks for the personal data of the applicant himself, the information is exempt; and
- if a request asks for the personal data of someone else then that information will be exempt if its disclosure would contravene any of the data protection principles in the Data Protection Act 1998 (or certain other provisions of the Data Protection Act 1998).
Key points:
- If information is exempt under section 40 because it is the personal data of the applicant then its disclosure must be considered under the subject access provisions in the Data Protection Act 1998; the Act may require the disclosure of information which would otherwise have been exempt under the FOI Act.
- For most government departments that receive requests for personal data of someone other than the applicant, the application of section 40 will in most circumstances turn on whether disclosure of the information to a member of the public would be 'unfair'.
- Officials must be alive to the need to consult experts where the application of section 40 is difficult or unclear: getting a decision wrong may result in breach of the Data Protection Act 1998.
- The majority of section 40 is not subject to a public interest balance.
What the law says
40 Personal information
- (1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
- (2) Any information to which a request for information relates is also exempt information if—
- (a) it constitutes personal data which do not fall within subsection (1), and
- (b) either the first or the second condition below is satisfied.
- (3) The first condition is—
- (a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the [1998 c. 29.] Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene—
- (i) any of the data protection principles, or
- (ii) section 10 of that Act (right to prevent processing likely to cause damage or distress), and
- (b) in any other case, that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles if the exemptions in section 33A(1) of the [1998 c. 29.] Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.
- (a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the [1998 c. 29.] Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene—
- (4) The second condition is that by virtue of any provision of Part IV of the [1998 c. 29.] Data Protection Act 1998 the information is exempt from section 7(1)(c) of that Act (data subject’s right of access to personal data).
- (5) The duty to confirm or deny—
- (a) does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1), and
- (b) does not arise in relation to other information if or to the extent that either—
- (i) the giving to a member of the public of the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene any of the data protection principles or section 10 of the [1998 c. 29.] Data Protection Act 1998 or would do so if the exemptions in section 33A(1) of that Act were disregarded, or
- (ii) by virtue of any provision of Part IV of the [1998 c. 29.] Data Protection Act 1998 the information is exempt from section 7(1)(a) of that Act (data subject’s right to be informed whether personal data being processed).
- (6) In determining for the purposes of this section whether anything done before 24th October 2007 would contravene any of the data protection principles, the exemptions in Part III of Schedule 8 to the [1998 c. 29.] Data Protection Act 1998 shall be disregarded.
- (7) In this section—
- “the data protection principles” means the principles set out in Part I of Schedule 1 to the [1998 c. 29.] Data Protection Act 1998, as read subject to Part II of that Schedule and section 27(1) of that Act;
- “data subject” has the same meaning as in section 1(1) of that Act;
- “personal data” has the same meaning as in section 1(1) of that Act.
ICO public guidance
The ICO has the following guidance available:
- Personal Information (AG1) – recently updated 11/11/08
- Access to information about public authorities’ employees
- When should names be disclosed?
- Complaints and investigations files – how to approach them
- Guidance on dealing with requests for MP’s correspondence relating to constituents
- Update note: Applying the exemption for third party personal data: the Tribunal’s approach in House of Commons v IC & Leapman, Brooke and Thomas
- Access to information about the deceased
ICO Lines To Take
Relevant Lines to Take |
|
Decision Notices
Complaints upheld / partly upheld (P) | Complaints not upheld |
|
|
Includes DNs up to: 26 April 2010
Information Tribunal Decision
Information tribunal decision EA/2009/0083 related to a FOI request to Cambridgeshire Police in which the requestor sought a copy of a report which contained her, and others' personal information. One key finding was that the whole report ought not be considered personal information; but elements within it which were not personal information ought be released.
Exemptions |
12 21 22 22A 23 24 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |