Department for Constitutional AffairsFreedom of information

|© Crown Copyright & Disclaimer

Home > People's rights > Freedom of Information > Practitioners > Full exemptions guidance > Section 40 > Annex B

FOI full exemptions guidance

Section 40 - Personal Information

Chapters: 01 | 02 | 03 | 04 | 05 | 06 | annex A | annex B

Annex B: The "conditions" in Schedules 2 and 3

Schedule 2

  1. The data subject has given his consent to the processing.
  2. The processing is necessary-
    • (a) for the performance of a contract to which the data subject is a party, or
    • (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
  3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
  4. The processing is necessary in order to protect the vital interests of the data subject.
  5. The processing is necessary-
    • (a) for the administration of justice,
    • (b) for the exercise of any functions conferred on any person by or under any enactment,
    • (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
    • (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
    1. The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
    2. The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Schedule 3

  1. The data subject has given his explicit consent to the processing of the personal data.
    1. The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
    2. The Secretary of State may by order-
      • (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
      • (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
  3. The processing is necessary-
    • (a) in order to protect the vital interests of the data subject or another person, in a case where-
      • (i) consent cannot be given by or on behalf of the data subject, or
      • (ii)the data controller cannot reasonably be expected to obtain the consent of the data subject, or
    • (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
  4. The processing-
    • (a) is carried out in the course of its legitimate activities by any body or association which-
      • (i) is not established or conducted for profit, and
      • (ii) exists for political, philosophical, religious or trade-union purposes,
    • (b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
    • (c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
    • (d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
  5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
  6. The processing-
    • (a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    • (b) is necessary for the purpose of obtaining legal advice, or
    • (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
    1. The processing is necessary-
      • (a) for the administration of justice,
      • (b) for the exercise of any functions conferred on any person by or under an enactment, or
      • (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
    2. The Secretary of State may by order-
      • (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
      • (b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
    1. The processing is necessary for medical purposes and is undertaken by-
      • (a) a health professional, or
      • (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
    2. this paragraph "medical purposes" includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
    1. The processing-
      • (a) is of sensitive personal data consisting of information as to racial or ethnic origin,
      • (b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
      • (c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
    2. The Secretary of State may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.
  10. The personal data are processed in circumstances specified in an order made by the Secretary of State for the purposes of this paragraph.

The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417) , made under paragraph 10 of Schedule 3, specifies the following circumstances (amongst others):

    1. The processing-
      • (a) is in the substantial public interest;
      • (b) is necessary for the purposes of the prevention or detection of any unlawful act; and
      • (c) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes.
    2. In this paragraph, "act" includes a failure to act.
  2. The processing-
    • (a) is in the substantial public interest;
    • (b) is necessary for the discharge of any function which is designed for protecting members of the public against-
      • (i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or
      • (ii) mismanagement in the administration of, or failures in services provided by, any body or association; and
    • (c) must necessarily be carried out without the explicit consent of the data subject . being sought so as not to prejudice the discharge of that function.
    1. The disclosure of personal data-
      • (a) is in the substantial public interest;
      • (b) is in connection with -
        • (i) the commission by any person of any unlawful act (whether alleged or established),
        • (ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or
        • (iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);
      • (c) is for the special purposes as defined in section 3 of the Act; and
      • (d) is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.
    2. In this paragraph, "act" includes a failure to act.
  4. The processing-
    • (a) is in the substantial public interest;
    • (b) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and
    • (c) is carried out without the explicit consent of the data subject because the processing-
      • (i) is necessary in a case where consent cannot be given by the data subject,
      • (ii) is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject, or
      • (iii) must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service.

The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (SI 2002/2095), also made under paragraph 10 of Schedule 3 provides additional circumstances in respect of processing by "elected representatives".


© Crown Copyright