Department for Constitutional Affairs - Freedom of information


FOI full exemptions guidance

Section 40 - Personal Information


Chapter 01: The exemption under section 40

Stating the exemption

Section 40 of the Freedom of Information Act provides that:

  1. Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
  2. Any information to which a request for information relates is also exempt information if-
    • (a) it constitutes personal data which do not fall within subsection (1), and
    • (b) either the first or the second condition below is satisfied.
  3. The first condition is-
    • (a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of "data" in section 1(1) of the Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene-
      • (i) any of the data protection principles, or
      • (ii) section 10 of that Act (right to prevent processing likely to cause damage or distress), and
    • (b) in any other case, that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles if the exemptions in section 33A(1) of the Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.
  4. The second condition is that by virtue of any provision of Part IV of the Data Protection Act 1998 the information is exempt from section 7(1)(c) of that Act (data subject's right of access to personal data).
  5. The duty to confirm or deny-
    • (a) does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1), and
    • (b) does not arise in relation to other information if or to the extent that either-
      • (i) the giving to a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene any of the data protection principles or section 10 of the Data Protection Act 1998 or would do so if the exemptions in section 33A(1) of that Act were disregarded, or
      • (ii) by virtue of any provision of Part IV of the Data Protection Act 1998 the information is exempt from section 7(1)(a) of that Act (data subject's right to be informed whether personal data are being processed).
  6. In determining for the purposes of this section whether anything done before 24th October 2007 would contravene any of the data protection principles, the exemptions in Part III of Schedule 8 to the Data Protection Act 1998 shall be disregarded.
  7. In this section-
    • "the data protection principles" means the principles set out in Part I of Schedule 1 to the Data Protection Act 1998, as read subject to Part II of that Schedule and section 27(1) of that Act;
    • "data subject" has the same meaning as in section 1(1) of that Act;
    • "personal data" has the same meaning as in section 1(1) of that Act.

Background to section 40

1.1 This provision governs the way in which decisions about the disclosure of personal information need to be approached under the FOI Act. It has its origins in a few relatively simple policy propositions, namely that:

1.2 The detail of these policy propositions as provided for in the legislation is, however, quite highly refined, and the structure of section 40 is complex. That is because of the need to integrate the FOI Act securely with the provisions of the DPA, and also because the policy itself had to be in accordance with the European law which underlies the DPA. Both of these constrained the way in which the FOI Act dealt with access to personal information, and resulted in a provision which needs to be considered with some care.

1.3 Section 40 is also complex because it achieves a number of different things. Structurally speaking, the starting place is that the rights of access created by section 1 of the FOI Act do apply to the personal information of individuals. But:

Section 40 therefore limits application of the FOI Act rights of access to personal information in a number of ways, in each case by reference to provisions of the DPA.

Relationship with the data protection regime

1.4 The DPA implements a European Directive (Directive 95/46/EC). The Directive is a limited privacy regime, which itself has its origins as a single market measure, underpinned by Article 8 of the European Convention on Human Rights. The data protection regime operates by regulating the handling - including the disclosure - of certain personal information. Section 40 of the FOI Act ensures that the DPA protections, particularly those relating to the disclosure of information, are preserved under the FOI Act.

1.5 One aspect of the DPA regime provides individuals with a right of access to their own personal information, but there are a number of exemptions from this right of access. Section 40 also deals with the relationship between the DPA access scheme and the right of access under the FOI Act.

1.6 As this exemption refers directly to some provisions of the DPA and uses some DPA terminology, an understanding of some of the key terms and mechanisms in the DPA is needed in order to apply this exemption. A brief overview of the most important provisions is provided in Annex A. If there is any doubt over the interpretation of the DPA and the application of this exemption, legal advice should be sought.

Approaching this exemption

1.7 Personal information falling outside section 40 must be disclosed on request. But when responding to any request for information which involves the disclosure of information which relates to individuals, regard should be had to section 40, particularly if the information is not otherwise exempt under another section of the FOI Act (see also section 5 below). That is because, if personal information is exempt under section 40, then either it must be disclosed in accordance with the DPA or it must be withheld under the FOI Act: disclosure of exempt information may expose a public authority to a complaint of breach of the DPA by the subject of the information. Very many requests for government information are likely to include requests for information falling within section 40. The definition of personal information is wide (although not unlimited) and may be engaged by a range of seemingly incidental references to identifiable individuals. That will by no means always mean that section 40 applies, but care is likely to be needed to determine whether it does or not.

1.8 It is also particularly important to be alert in this context to the possibility of complying with the requirements of both the FOI Act and the DPA by means of redaction. If a request for information would include information falling within section 40, then it may be possible simply to eliminate that information from a disclosure by 'anonymising' it.

1.9 Decisions on the disclosure or withholding of personal information must be considered within the precise terms of section 40. Some of the terms it uses have special legal meanings (see Annex A). This guidance is intended to help navigate the application of section 40 to requests for information - it should in this context be read together with the guidance on the DPA.



© Crown Copyright