FOIA Section 40 Exemption: Difference between revisions

From FOIwiki

Revision as of 23:00, 14 July 2008

Section 40: Personal Information

Section 40 concerns personal data within the meaning of the Data Protection Act 1998. Section 40 applies to two distinct types of requests for information:

  1. if a request asks for the personal data of the applicant himself, the information is exempt; and
  2. if a request asks for the personal data of someone else then that information will be exempt if its disclosure would contravene any of the data protection principles in the Data Protection Act 1998 (or certain other provisions of the Data Protection Act 1998).

Key points:

  • If information is exempt under section 40 because it is the personal data of the applicant then its disclosure must be considered under the subject access provisions in the Data Protection Act 1998; the Act may require the disclosure of information which would otherwise have been exempt under the FOI Act.
  • For most government departments that receive requests for personal data of someone other than the applicant, the application of section 40 will in most circumstances turn on whether disclosure of the information to a member of the public would be 'unfair'.
  • Officials must be alive to the need to consult experts where the application of section 40 is difficult or unclear: getting a decision wrong may result in breach of the Data Protection Act 1998.
  • The majority of section 40 is not subject to a public interest balance.

What the law says

40 Personal information

(1) Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
(2) Any information to which a request for information relates is also exempt information if—
(a) it constitutes personal data which do not fall within subsection (1), and
(b) either the first or the second condition below is satisfied.
(3) The first condition is—
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the [1998 c. 29.] Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene—
(i) any of the data protection principles, or
(ii) section 10 of that Act (right to prevent processing likely to cause damage or distress), and
(b) in any other case, that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles if the exemptions in section 33A(1) of the [1998 c. 29.] Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.
(4) The second condition is that by virtue of any provision of Part IV of the [1998 c. 29.] Data Protection Act 1998 the information is exempt from section 7(1)(c) of that Act (data subject’s right of access to personal data).
(5) The duty to confirm or deny—
(a) does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1), and
(b) does not arise in relation to other information if or to the extent that either—
(i) the giving to a member of the public of the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene any of the data protection principles or section 10 of the [1998 c. 29.] Data Protection Act 1998 or would do so if the exemptions in section 33A(1) of that Act were disregarded, or
(ii) by virtue of any provision of Part IV of the [1998 c. 29.] Data Protection Act 1998 the information is exempt from section 7(1)(a) of that Act (data subject’s right to be informed whether personal data being processed).
(6) In determining for the purposes of this section whether anything done before 24th October 2007 would contravene any of the data protection principles, the exemptions in Part III of Schedule 8 to the [1998 c. 29.] Data Protection Act 1998 shall be disregarded.
(7) In this section—
  • “the data protection principles” means the principles set out in Part I of Schedule 1 to the [1998 c. 29.] Data Protection Act 1998, as read subject to Part II of that Schedule and section 27(1) of that Act;
  • “data subject” has the same meaning as in section 1(1) of that Act;
  • “personal data” has the same meaning as in section 1(1) of that Act.

Decision Notices

tbc