What do FOIA and the EIR say about requests for personal information?

Section 40 of FOIA and regulation 13 of the EIR say that personal information is exempt from disclosure under these access regimes when certain conditions are met.

These provisions exist to balance the public right to access official information against people’s privacy rights.

You should not withhold information just because it is personal data. You can disclose personal information in response to an FOI or EIR request when you can show that the relevant conditions set out in section 40 and regulation 13 are not satisfied. 

However, you must not disclose personal information under FOIA or the EIR if:

  • it is the personal data of the requester; or
  • it is the personal data of someone else (a third party); and
    • disclosure would contravene the data protection principles under data protection legislation (first condition); or
    • disclosure would contravene a valid objection to the processing of personal data (second condition); or
    • the data is exempt from the right of access under data protection legislation (third condition).

FOIA and the EIR also include provisions setting out when you should respond by neither confirming nor denying (‘NCND’) holding the requested personal information.

Section 40 of FOIA and regulation 13 of the EIR import the legal test to assess the lawfulness of a disclosure from data protection legislation.

This means that – when you respond to an FOI or EIR request asking for personal information – you must assess under data protection legislation if disclosing it to a general member of the public would be legitimate.

For this reason, we also take the view that – if you are dealing with a request for personal data under the EIR because the information is also environmental – the presumption in favour of disclosure does not apply.

| Whose data is it? | Relevant condition | FOIA | EIR |
|---|---|---|---|
| The requester’s own personal data | N/A | 40(1)<br>40(5A) [NCND] | 5(3)<br>No NCND provisions |
| Third party's personal data | Condition one (breach of DP principles) | 40(2) and<br>40(5B)(a)(i) or (ii) [NCND]<br>40(3A) | 13(5A)(a) & 13(5B)(a)(i) or (ii) [NCND]<br>13(2A) |
| | Condition two (objection to processing)<br>The public interest test applies | 40(2) and<br>40(5B)(b) [NCND]<br>40(3B) | 13(5A)(b) & (5B)(b) [NCND]<br>13(5A)(b) & (5B)(b) [NCND – intelligence services processing]<br>13(2B)(a)<br>13(2B)(b) [intelligence services processing] |
| | Condition three (information exempt from the right of access under DP)<br>The public interest test applies | 40(2) and<br>40(5B)(c) or (d) [NCND]<br>40(4A)(a) or (b) (general processing or law enforcement processing) | 13(5A)(b) & (5B)(c), (d) or (e) [NCND]<br>13(3A)(a) or (b) (general processing or law enforcement processing)<br>13(3A)(c) (intelligence services processing) |

This flow chart shows how you should approach requests for personal data when you are relying on the first condition.

An accessible, written description of this diagram (suitable for screen readers) is available here.