These parts of the exemption apply in circumstances where disclosure could harm a regulatory function. The applicable regulatory functions are set out in section 31(2).

Section 31(1)(g)

Section 31(1)(g) states:

31 – (1) Information which is not exempt information by virtue of section 30 is exempt information if its disclosure under this Act would, or would be likely to, prejudice –

(g) the exercise by any public authority of its functions for any of the purposes specified in subsection (2)

Functions for a specified purpose

To engage this part of the exemption you should:

  • identify the public authority that has been entrusted with a function to fulfil one of the purposes listed in subsection (2);
  • confirm that the function has been specifically designed to fulfil that purpose; and
  • explain how the disclosure could harm that function.

The functions in question must be imposed by law or, in the case of government departments, authorised by the Crown. Therefore, we are unlikely to accept that the exemption is engaged unless you can point to legislation which specifically imposes a positive duty on the relevant organisation to fulfil that purpose.

Example

In Driver and Vehicle Licensing Agency v Information Commissioner and Williams (Section 31) [2020] UKUT 334 (AAC), the DVLA argued that they had functions that they exercised for the purpose of ascertaining whether people had either complied with the law or were responsible for improper conduct.

The DVLA was asked to provide information about an investigation it had carried out to establish if parking companies had been unlawfully or unethically passing registered keeper details on to debt recovery firms. The DVLA argued that they had “functions”, provided to them by the Road Vehicle (Registration & Licensing) Regulations 2002 and by the contracts they had in place with the parking companies to decide whether the companies had used the data correctly.

The First Tier Tribunal (FTT) found that the DVLA had not demonstrated that they had the necessary functions. The FTT argued that the DVLA had the power to decide whether a parking company asking for registered keeper data had “reasonable cause” to seek that data. However, that did not extend to giving the DVLA a role in determining whether a parking company, which had reasonable cause to seek the particular data, was subsequently entitled to pass that data on to a third party.

The Upper Tribunal (UT) agreed, accepting that the DVLA had a statutory function to determine whether any person seeking their registered keeper data had reasonable cause to seek that data. However, these statutory functions were exhausted once the DVLA decided that a person did (or did not) have reasonable cause to seek the data. The UT commented that:

“However desirable as a matter of good governance, there is no suggestion [that the statutory function] includes ‘downstream’ audit as to the uses to which such data are put.”

The Upper Tribunal also rejected the DVLA’s argument that the terms of their contract with the parking companies amounted to a function. In broad terms, the contract requires the companies to use the data they receive from the DVLA in accordance with data protection legislation and their own codes of practice. It also gives the DVLA powers to investigate whether data is being used in accordance with the contract. The Upper Tribunal accepted that this was a power the DVLA had, but that it was not a function of the DVLA. It noted that:

“Extending the scope of [the exemption] to include a public authority which seeks to determine whether there has been a breach of contract (however egregious) to which it is just one party would significantly extend the reach of the provision and go well beyond its ordinary meaning.”

In the DVLA case, the ICO was the public authority with the function to ascertain whether the companies had or had not complied with data protection law. In theory, the DVLA could have argued that disclosure would have harmed our functions. However, in this case we had already confirmed that disclosure would not have harmed our work.

You don’t need any of the relevant functions yourself to rely on this part of the exemption. You can still rely on the exemption if you can specify who does have the relevant function and why disclosure would, or would be likely to, harm it.

Example

The Health and Safety Executive (HSE) investigates an accident at a school in which a member of staff was injured. The HSE has specific functions set out in law that require it to “secure the health, safety and welfare of persons at work.”

The school would hold information about the accident. If disclosing the information the school holds could harm the HSE’s investigation, the school could rely on section 31(2)(i) to withhold it. This is because it would harm HSE’s function of securing the “health, safety and welfare of persons at work.”

The basis for engaging the exemption in the example is the harm to the HSE’s function. Although the school would have a general duty as an employer to ensure a safe workplace, we wouldn’t accept that this is a specific function to secure the health, safety and welfare of people at work. The function needs to be specifically entrusted to the relevant public authority, not just something that is incidental to their main functions.

The same approach applies to all the other purposes listed in subsection (2).

Where you claim that disclosure could harm the functions of another public authority, we would usually expect you to have consulted the affected public authority. If you have not consulted the public authority, you will need to demonstrate why it is still reasonable for you to believe that the relevant function would be harmed.

Therefore, in the example above, the school would need to have discussed the matter with the HSE and be clear that the harm could occur before applying the exemption.

Maintaining the voluntary supply of information

People or organisations can help investigations, particularly those falling within section 31(2), by voluntarily providing information to the investigating authority.

Investigations can also take less time (and be more effective) when those under investigation co-operate. This applies even where a regulator can compel a party to supply information. Using such powers often involves bureaucratic or legal procedures which can cause delays.

Co-operation between the regulator and the regulated is important. Organisations are often encouraged to report problems they have had or which they think may happen. This makes sure that the regulator has a full picture of the sector they regulate, before deciding whether (and what kind of) intervention is required.

If you can demonstrate that disclosing information could discourage organisations from having candid discussions with a regulator – or could make the regulator less likely to provide informal guidance – then this exemption may apply.

When deciding whether any of these parts of this exemption apply, you should think about how regulators operate. Many regulators encourage informal dialogue with the organisations they regulate. A flow of information to regulators helps them to spot emerging trends and potential difficulties.

Providing informal guidance before a problem escalates is often more effective than applying a sanction after something goes wrong. This is because early intervention can restrict the amount of harm – or prevent the harm altogether.

You should also take into account the regulator’s ability to require organisations to supply the information. Many regulators have powers, set down in law, that allow them to require access to people or to documents. You may struggle to demonstrate that a disclosure could damage a regulator’s ability to access similar information in future, when they have statutory powers that would allow them to demand the information.

However, you may still rely on the exemption if you can demonstrate that the information is not something that the regulator could demand access to. Alternatively, you could argue that an investigation would be slower or less effective if the regulator had to use their powers every time they needed information.

You would also need to consider whether, in practice, other factors might provide a stronger incentive for organisations or people to carry on supplying information voluntarily, even if their information could be disclosed. For example, organisations may worry about reputational risk if they were seen as not cooperating with an investigation. Some organisations (especially if the information is not particularly sensitive) may take a view that the burden of a regulatory investigation may outweigh any harm to their reputations or commercial interests, from not providing the information.

Equally, someone’s sense of public duty may still motivate them to report problems, even if they believe that their reports may be published. This applies especially if they are confident in remaining anonymous.

Example

In the case of Financial Services Authority (FSA) v Information Commissioner (EA/2008/0061, 16 February 2009), the FSA put forward the argument that “if information like the disputed material had to be disclosed under the Act, firms would be less likely than at present to be open with the FSA and voluntarily supply information raising possible regulatory issues about themselves” and that firms “would be less likely to supply information about their competitors or about developments or conditions in the market generally.” (paragraph 23).

The First Tier Tribunal was not satisfied that disclosure of the requested information would create a real and significant risk of decreasing the amount of information voluntarily provided to the FSA by firms about themselves. They found that the functions at section 31(2)(c) and (d) would not be prejudiced. This conclusion was based on the following factors:

  • Incentives that encourage engagement – the FSA’s Principles for Business require firms to supply information and generally co-operate with the FSA. Firms will also have a natural desire to avoid action being taken against them, such as enforcement action. Even if regulated firms believed that the FSA’s views on the information they had voluntarily supplied may be disclosed in response to future requests under FOIA, these incentives to co-operate with the FSA would still remain in place.
  • Existing risk of publication – firms regulated by the FSA will be aware that if they supply information about themselves voluntarily there is a risk that the information will then be published by the FSA under section 391(4) of the Financial Services and Markets Act 2000 (FSMA).
  • Level of engagement post-FOIA – there was no evidence that the introduction of FOIA had led to firms being less willing to supply information to the regulator.
  • Whether there was a statutory bar to protect information supplied – section 348 of the FSMA exists to protect any information provided on a confidential basis, and so requests for such information would be exempt from disclosure under section 44 of FOIA.

The Tribunal concluded that section 31 was not engaged. However, they emphasised the importance of considering the circumstances of each case. They said that this “does not mean that section 31 can never be relied on to resist disclosure of internal FSA views based on information supplied [to it].” They noted that there may have been a different outcome if the firm made the request during an ongoing investigation or the disclosure “would…have risked the identification of a confidential source or revealed something novel about the FSA’s methods of investigation.”

For the purpose of ascertaining: sections 31(2)(a) – (e)

The first five purposes listed under section 31(2) all include the word “ascertaining”.

In this context, “ascertaining” means that the public authority with the function must have the power to determine the matter in hand with some certainty. They must not only be responsible for the investigation, but they must also have the authority to make a formal decision on compliance with the law or code of practice. This decision could include the power to take direct action, such as revoking licences or imposing fines, or taking a formal decision to prosecute an offender.

Example

In Driver and Vehicle Licensing Agency v Information Commissioner and Williams (Section 31) [2020] UKUT 334 (AAC), the DVLA argued that they had functions that they exercised for the purpose of ascertaining whether people had either complied with the law or were responsible for improper conduct. The DVLA argued that the contracts they had in place to allow parking firms to access their data on the registered keepers of vehicles gave them a role in determining whether parking firms had acted ethically and in line with data protection law. The DVLA argued that they acted within an “investigative arc”, even if the ultimate regulator for data protection matters was the Information Commissioner.

The Upper Tribunal disagreed. They ruled that the First Tier Tribunal was correct when they stated that “to ascertain” meant “to determine or decide an issue”. It did not mean to have collected evidence to pass to another party. The DVLA had no formal role in ensuring compliance with data protection law or any parking company code of practice. Therefore, they were not responsible for “ascertaining” whether the companies had complied with the law or whether they were responsible for improper conduct.

Section 31(2)(a) states:

31 – (2)(a) the purpose of ascertaining whether any person has failed to comply with the law,

The following examples demonstrate the importance of the relevant public authority having the power to make a formal decision to take action.

Example

Decision notice FS50382936 considered a request for information held by British Waterways about licences to use the waterways. British Waterways explained that boaters were obliged by law to have a licence to use their waterways. One of the licence conditions British Waterways imposed was that boaters could not remain continuously in one place for more than 14 days (apart from at their home mooring).

British Waterways had the authority to police the licensing system, including determining whether any boater was in breach of this condition. The British Waterways enforcement team collected the requested information for this purpose. If the condition was breached, British Waterways could take action against the offender, including prosecuting them or revoking their licences.

It was therefore clear that British Waterways had a function to ascertain whether the boaters had complied with the law. The Commissioner ultimately accepted that disclosing the information would prejudice that function and the exemption was engaged.

Example

In Foreign and Commonwealth Office v Information Commissioner (EA/2011/0011 21 September 2011) the First Tier Tribunal considered a request for information generated by the Foreign and Commonwealth Office (FCO) during an internal investigation into the leak of a confidential letter from the British Ambassador to the United States. One of the exemptions used by the FCO to withhold the information was section 31(1)(g) via 31(2)(a). Leaking the Ambassador’s letter could breach the Official Secrets Act.

The FCO argued that they had a responsibility to find out who was responsible for the leak. They argued that disclosing the information would make it harder for the FCO to track down the culprits both in this case and in the future. However, the Tribunal rejected this argument. They found that the term “… ‘ascertain’ connotes some element of determination…” (paragraph 33). Therefore, although the FCO’s investigation may have identified a suspect, they would have then passed the matter to the appropriate authority to determine whether that suspect had failed to comply with the law. This part of the exemption was not engaged because the FCO did not have an official function to determine guilt.

However, the FCO could ultimately withhold the information. Although the FCO did not have a relevant law enforcement function, disclosure would have impeded the work of other bodies who did have the necessary function.

Section 31(2)(b) states:

31 – (2)(b) the purpose of ascertaining whether any person is responsible for any conduct which is improper,

Improper conduct is about how people conduct themselves professionally. For conduct to be improper, it must be more serious than simply poor performance. It implies behaviour that is unethical or unprofessional.

Bodies whose job it is to uphold professional standards (such as the General Medical Council or the Nursing and Midwifery Council) usually determine whether improper conduct has taken place. This is because part of their job requires them to identify people failing to meet the expected professional standards.

For this exemption to apply, we would generally expect there to be a formal code of conduct that members of a profession are expected to follow and a recognised definition of “improper conduct”. We would also expect a law to support such a code – though this doesn’t always have to be the case.

In order to apply this exemption, you should identify the relevant definition and which elements of any code of conduct it applies to. This exemption applies if disclosure could harm your (or another organisation’s) ability to ascertain whether the parts of the code relating to improper conduct have been breached.

Often, there will be an overlap between ascertaining whether a person’s conduct is improper and ascertaining that person’s fitness or competence to carry on a profession - which is protected by section 31(2)(d).

Example

In Edward Williams v Information Commissioner [2023] UKUT 57 (AAC), the Upper Tribunal was asked to consider whether coroners have the power to “ascertain” whether a person is responsible for any conduct that is improper.

Devon & Cornwall Police had argued that disclosure of information about a particular death in custody would harm, amongst other things, the coroner’s inquest into the particular death.

Coroners have the power, under the Coroners and Justice Act 2009, to ascertain how a deceased person died. This includes, where appropriate, a finding that the deceased was unlawfully killed.

The Upper Tribunal found that the wording of the Coroners and Justice Act did not extend to giving coroners the power to ascertain whether a person had acted improperly. They noted that the Act limited coroners to ascertaining who the deceased person was and how they came by their death, as well as making recommendations in the interests of public safety.

The judge noted that this part of FOIA required the public authority to ascertain whether any person was responsible for improper conduct. They do not consider whether any improper conduct took place. The Coroners and Justice Act specifically forbids coroners from determining whether anyone is criminally liable for the death or where civil liability ought to lie.

Section 31(2)(c) states:


31 – (2)(c) the purpose of ascertaining whether circumstances which would justify regulatory action in pursuance of any enactment exist or may arise,

You can rely on this exemption to withhold any information whose disclosure could make it more difficult for a regulator to regulate effectively.

Many activities and sectors of the economy are subject to statutory regulation. Regulators include:

  • the Food Standards Agency;
  • the Health and Safety Executive (HSE);
  • the Water Services Regulation Authority (OFWAT); and
  • the ICO.

Local authorities may also have a number of regulatory responsibilities (such as Trading Standards).

Regulators use a range of measures to ensure compliance with the legislation they are responsible for. These can include:

  • compelling someone to remedy a breach through serving enforcement notices;
  • imposing sanctions such as fines;
  • the administration of a licensing regime (including the revoking of licences where necessary); or
  • publicly censuring someone.

All such measures would be “regulatory action”.

For the exemption to apply, the disclosure would have to, or be likely to, harm the ability of the regulator to determine whether they should take any regulatory action.

Example

In decision notice IC-105415-Z1L2 the requester asked for information provided by the directors of various investment funds. The Financial Conduct Authority (FCA) successfully argued that to regulate effectively, they needed to have candid discussions with the organisations they regulated. Financial institutions would be more likely to raise potential issues with the regulator at an early stage if they were confident that discussions would remain largely private. By acting early, the FCA could prevent a breach of the law becoming more serious or even from happening at all.

The FCA also argued that they needed to preserve a degree of uncertainty, amongst financial institutions, as to where their priorities were focused at any given moment. This prevented institutions from tailoring their responses to the regulator to minimise the likelihood of attracting regulatory attention.

Example

Decision notice FS50379523 concerned a request to the Food Standards Agency (FSA) for information on whether meat from the offspring of cloned livestock had entered the human food chain. At the time of the request, such food was considered “novel food”. Producers of novel food have to contact the FSA, which is then responsible for ensuring that the food is safe and for authorising its sale. Although the FSA authorises the sale of novel food, local authorities decide whether to take action against someone who has failed to apply for authorisation.

The FSA explained that they had not received any applications to authorise selling such meat. Therefore, following newspaper reports that it was being sold to the public, the FSA took steps to identify the producers. They then passed the producers’ identities to the relevant councils. The FSA successfully argued that, at the time of the request, some local authorities were investigating whether to take any action against the meat producers. Disclosing the requested information would harm those investigations.

Section 31(2)(d) states:


31 – (2)(d) the purpose of ascertaining a person’s fitness or competence in relation to the management of bodies corporate or in relation to any profession or other activity which he is, or seeks to become, authorised to carry on.

“Fitness” refers to the character or suitability of a person for the particular role. “Competence” refers to whether a person has the necessary skills, training and ability to perform that role.

This part of the exemption protects the activities of public authorities such as the Department for Business and Trade (DBT) and the General Medical Council (GMC). DBT has powers under the Company Directors Disqualification Act 1986 to determine the fitness and competence of people to act as company directors. The GMC investigates complaints from patients and determines whether doctors are fit to practise.

As with the other functions described in section 31(2), the function of ascertaining a person’s fitness or competence will usually be set out in law.

Example

In decision notice FS50268922, the GMC argued that exhibits considered at a fitness to practise hearing were exempt under section 31(2)(d). Although the hearing had already taken place and the doctor in question had been struck off the medical register, that decision was being appealed. The matter was therefore still live and the GMC may have needed to reconsider the issues.

The Commissioner found that disclosing the information did have the potential to harm the GMC’s ability to ascertain the doctor’s fitness to carry out their profession.

Section 31(2)(e) states:

31 – (2)(e) the purpose of ascertaining the cause of an accident,

The most obvious public authority with this purpose is the HSE. However, there are others, such as the Marine and Air Accident Investigation Branches. These organisations have functions to investigate accidents involving boats and aircraft respectively.

Example

In decision notice FS50156313, the Air Accident Investigation Branch (AAIB) of the Department of Transport withheld a report into an incident that occurred during a flight. Under the Civil Aviation (Investigation of Air Accidents and Incidents) Regulations 1996, the AAIB has a statutory duty to investigate the cause of air accidents.

There is a distinction between ‘accidents’ and ‘incidents’. Incidents are resolved before the plane’s safety is compromised. An accident involves a compromise to the plane’s safety. If an accident occurs, incident reports can reveal whether the aircraft had any history of problems. This can help identify the cause of the accident.

The Commissioner was satisfied that the exemption could apply to information about incidents. However, the AAIB had to demonstrate that disclosing that information could undermine ongoing or future investigations into accidents.

The Commissioner found that disclosing the information would not harm any investigation. He noted that the AAIB had failed to provide evidence to show disclosure meant that airlines would be less likely to provide such information in future. He also noted that the AAIB had legal powers that they could exercise if airlines were unwilling to provide such information in future. The reputational damage that would likely occur to any airline obstructing an investigation provided a strong incentive for airlines to co-operate with the AAIB.

For the purpose of protecting charities: sections 31(2)(f) – (h)

Sections 31(2)(f)-(h) state:

31 – (2)

(f) the purpose of protecting charities against misconduct or mismanagement (whether by trustees or other persons) in their administration,

(g) the purpose of protecting the property of charities from loss or misapplication,

(h) the purpose of recovering the property of charities.

The Charity Commission is the most obvious public authority with functions for these purposes. For example, under section 46 of the Charities Act 2011, the Charity Commission can formally investigate possible misconduct. Importantly, they also have the power, under section 79 of that Act, to suspend a trustee. So not only can they investigate the matter, they have the power to take the necessary steps to protect the charity.

Sometimes, you cannot draw a clear line between protecting charities against misconduct and against loss. Misconduct on behalf of trustees often leads to the loss of a charity’s property. In practice we will usually accept a single set of arguments covering both parts of the exemption. The Charity Commission often relies on 31(2)(c) as well as the charity-specific functions, as they have a function of ensuring general compliance with the law among charities.

The onus will be on you to demonstrate that you, or another organisation, have one or more of the functions described by the particular exemption. You will also need to show how disclosing the requested information could harm the performance of that function.

Example

In decision notice IC-39105-P4N1, a requester asked the Charity Commission for information on how it had handled a previous complaint they had submitted.

The Commissioner agreed that disclosing the withheld information would reveal the details of the Charity Commission’s investigative process. This included the thresholds for potential regulatory action. If this information became widely available, it would assist unscrupulous charities in manipulating their responses to the regulator. It would help to disguise matters that would usually justify regulatory attention.

The Commissioner found that disclosure would prejudice the functions set out at both section 31(2)(c) and 31(2)(f).

For the purpose of health and safety: sections 31(2)(i) – (j)

Sections 31(2)(i) and (j) state:

31 – (2)

(i) the purpose of securing the health, safety and welfare of persons at work, and

(j) the purpose of protecting persons other than persons at work against risk to health or safety arising out of or in connection with actions of persons at work.

Securing the health and safety of employees or protecting the public can be achieved in different ways. In some circumstances, you might take immediate action to halt a dangerous practice. Other times, you may develop codes of practice or training programmes.

When applying either of these parts of the exemption, you must identify the function that could be harmed.

It is harm to the functions of the Health and Safety Executive (HSE) that will most commonly engage the exemptions. This is because the HSE enforces the Health and Safety at Work Act 1974. The HSE therefore exercises their functions for that purpose.

This does not mean that only the HSE could apply the exemption. You may hold information whose disclosure could harm the HSE’s functions.

We recognise that all employers have responsibilities under the Health and Safety at Work Act 1974. They must all ensure a working environment that is safe for staff and any members of the public who may enter it. However, to satisfy section 31(1)(g), you must have a specifically entrusted function as opposed to merely an ancillary duty.

Example

In William Thomas Stevenson v the Information Commissioner and North Lancashire Teaching Primary Care Trust [2013] UKUT 0181 (AAC), the Upper Tribunal commented that health and safety at work legislation “is generally concerned with preventing people being harmed, in the sense of being worse off, physically or mentally, than they would have been if they had not been affected by the work in question”. (paragraph 80)

The judge stated that sections 31(1)(g) and 31(2)(j) “can only apply where protection of the public against health and safety risks are among the public authority’s purposes” (paragraph 79). He also commented that even though a public authority may have a function of protecting the public against health and safety risks, this does not mean that everything they do in exercising that function will necessarily engage section 31(2)(j). For example, where a public authority is carrying out routine monitoring or quality assurance activities, this may, but will not necessarily, engage the exemption.

The judge concluded that, in the circumstances, the Trust’s function of monitoring and improving the standard of healthcare was “a sufficiently important part of the overall structure designed to ensure a safe healthcare system,” rather than an ancillary duty. Therefore, the function fell within section 31(1)(g) and 31(2)(j). He also commented that, in a medical context:

“if the position is that systematically poor healthcare has or may have left patients in a substantially worse position than would have been the case if a reasonably competent standard of care had been provided, the case is capable of falling within s.31(2)(j)” (paragraph 82).

However, the judge also explained that there would be instances in which a public authority exercising their functions to improve healthcare would not fall within the exemption. This is because it could not be said to be “protecting persons…against risk to health and safety”. When providing the example of a trust seeking to reduce their waiting times for replacement hip surgery, he commented that it would not seem to him that the public authority would “really [be] acting for the purpose of protecting patients against ‘risk to health and safety’” (paragraph 80).