
Section 40 of FOIA and regulation 13 of the EIR say that personal information is exempt from disclosure under these access regimes when certain conditions are met.

These provisions exist to balance the public right to access official information against people’s privacy rights.

You should not withhold information just because it is personal data. You can disclose personal information in response to an FOI or EIR request when you can show that the relevant conditions set out in section 40 and regulation 13 are not satisfied. 

However, you must not disclose personal information under FOIA or the EIR if:

  • it is the personal data of the requester; or
  • it is the personal data of someone else (a third party); and
    • disclosure would contravene the data protection principles under data protection legislation (first condition); or
    • disclosure would contravene a valid objection to the processing of personal data (second condition); or
    • the data is exempt from the right of access under data protection legislation (third condition).

FOIA and the EIR also include provisions setting out when you should respond by neither confirming nor denying (‘NCND’) holding the requested personal information.

| Whose data is it? | Relevant condition | FOIA | EIR |
|---|---|---|---|
| The requester’s own personal data | N/A | 40(1); 40(5A) [NCND] | 5(3); No NCND provisions |
| Third party's personal data | Condition one (breach of DP principles) | 40(2) and 40(5B)(a)(i) or (ii) [NCND]; 40(3A) | 13(5A)(a) & 13(5B)(a)(i) or (ii) [NCND]; 13(2A) |
| Third party's personal data | Condition two (objection to processing). The public interest test applies | 40(2) and 40(5B)(b) [NCND]; 40(3B) | 13(5A)(b) & (5B)(b) [NCND]; 13(5A)(b) & (5B)(b) [NCND – intelligence services processing]; 13(2B)(a); 13(2B)(b) [intelligence services processing] |
| Third party's personal data | Condition three (information exempt from the right of access under DP). The public interest test applies | 40(2) and 40(5B)(c) or (d) [NCND]; 40(4A)(a) or (b) (general processing or law enforcement processing) | 13(5A)(b) & (5B)(c), (d) or (e) [NCND]; 13(3A)(a) or (b) (general processing or law enforcement processing); 13(3A)(c) (intelligence services processing) |

This flow chart shows how you should approach requests for personal data when you are relying on the first condition.

[Figure: Flowchart to show the decision making process for deciding when receiving a request for personal information]