Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

About this detailed guidance

This guidance discusses how the exemptions contained in sections 23 and 24 interact and is written for use by public authorities. Read it if you have questions not answered in the Guide, or to understand how both exemptions relate to one another and when they can be used together.

In detail

What is the purpose of this guidance?

There is often significant overlap between the matters protected by sections 23 and 24; the work of the security bodies is to protect national security and revealing information about their work or involvement in particular issues may well undermine national security. Sections 23(1) and 24(1) provide exemptions from the duty to disclose and are mutually exclusive in that public authorities can only apply section 24(1) to information that hasn’t been supplied by, or relates to, a security body.

As a consequence, citing either exemption can itself reveal something about the nature of the information being withheld. For example, if a public authority withheld information using section 23(1) it would be clear that the withheld information did relate to a security body. Whereas, the use of section 24(1), on its own, would mean that the information did not relate to a security body. This has led public authorities to apply the exemptions from the duty to confirm or deny whether information is held in order to avoid having to use section 23(1) or 24(1), even when it is clear that the requested information is held.

The exemptions from the duty to confirm whether information is held are known as the “neither confirm nor deny” (NCND) provisions. The NCND provisions provided by sections 23(5) and 24(2) are not mutually exclusive.

This guidance first sets out the correct application of sections 23(5) and 24(2). It then addresses the issues raised by the mutual exclusivity of sections 23(1) and 24(1). It next addresses the issues raised by partial disclosure of requested information or partial confirmation that information is held. The guidance concludes by considering other issues relevant to the application of sections 23 and 24 and how they should be addressed. 

What exemptions are contained in sections 23 and 24 of FOIA?

Section 23 states:

(1) Information held by a public authority is exempt information if it was directly or indirectly supplied to the public authority by, or relates to, any of the bodies specified in subsection (3).

(5) The duty to confirm or deny does not arise if, or to the extent that, compliance with section 1(1)(a) would involve the disclosure  of any information (whether or not already recorded) which was directly or indirectly supplied by, or relates to, any of the bodies specified in subsection (3).

Section 24 states: 

(1) Information which does not fall within section 23(1) is exempt information if exemption from section 1(1)(b) is required for the purposes of safeguarding national security.

(2) The duty to confirm or deny does not arise if, or to the extent that, exemption from 1(1)(a) is required for the purposes of safeguarding national security.

The exemptions in sections 23 and 24 from the duty to disclose requested information are specifically set out in sections 23(1) and 24(1).

The exemptions in sections 23 and 24 from the duty to confirm whether information is held, known collectively as the ‘neither confirm nor deny’ (NCND) provisions, are specifically set out in sections 23(5) and 24(2).

Section 23(5) is an absolute exemption and therefore not subject to the public interest test.

Section 24(2) is a qualified exemption and therefore subject to the public interest test.

How do we apply sections 23(5) and 24(2) of FOIA?

Unlike the exemptions from the duty to disclose requested information, the exemptions from the duty to confirm or deny whether information is held in sections 23(5) and 24(2) are not mutually exclusive. This means that you can apply both exemptions to the same request.

This view was confirmed by the First-tier Information Rights Tribunal in The All Party Parliamentary Group on Extraordinary Rendition v Information Commissioner and the Foreign and Commonwealth Office (EA/2011/0049-0051 3 May 2012) (paragraph 109).

Applying sections 23(5) and 24(2) to the same request

Section 1(1)(a) requires you to confirm whether or not you hold the requested information. However, section 2(1) allows you to respond by refusing to confirm or deny whether you hold the requested information.

If section 23(5) is engaged there is no need for you to also consider the application of section 24(2) in order to remove the obligation to confirm or deny. You could rely solely on section 23(5). Where you consider that one exemption provides sufficient protection, we would encourage you to rely on one exemption.

However, we recognise that some public authorities are concerned that inferences would be drawn if they were to rely on only one exemption. For example, if you only relied on section 23(5) there is a risk that people would infer that security bodies were in fact involved. There may be no obvious grounds for drawing such a conclusion, but the risk remains that those hostile to UK interests could perceive the use of one exemption on its own as revealing something particular about the activities of the security bodies.

As a consequence, some public authorities consider it prudent to apply both NCND provisions. Because the exemptions are not mutually exclusive this does not present a problem. However, where you cite both exemptions, FOIA requires each to actually be engaged. In other words, you must apply each exemption independently, on its own merits. It is not correct to engage one exemption and then attempt to apply the other on the grounds that something would be revealed by relying on just one alone. Each exemption must be engaged separately, based on what would be revealed by confirming or denying whether you hold the requested information.

Example

In ICO decision notice FS50665716 the Commissioner considered a request about the use of covert communications data capture technology. Nottinghamshire Police had refused to confirm or deny whether it held any information within the scope of the request relying on both exemptions at sections 23(5) and 24(2). 

The Commissioner accepted that, if they held the requested information, it was highly likely that it would have been supplied by, or would relate to, a section 23(3) body and therefore section 23(5) was engaged. Given the subject matter of the request, the Commissioner also found that the exemption from the duty to confirm or deny was required for the purpose of safeguarding national security and therefore section 24(2) was equally engaged.

Example 

In ICO decision notice FS50626814 the Commissioner considered a request for the number of individuals who had been arrested after returning to the UK on suspicion of fighting on behalf of terrorist groups in Iraq and Syria, broken down by their gender and the group they were suspected of fighting for. The Home Office had refused to confirm or deny whether it held any information within the scope of the request relying on both exemptions at sections 23(5) and 24(2).

The Commissioner accepted that, if they held the requested information, it was highly likely that it would have been supplied by, or would relate to, a section 23(3) body and therefore section 23(5) was engaged. Given the subject matter of the request, the Commissioner also found that the exemption from the duty to confirm or deny was required for the purpose of safeguarding national security and therefore section 24(2) was equally engaged.

The examples above demonstrate that both exemptions are engaged in their own right because of what confirmation or denial would reveal. Remember that section 24(2) is qualified so you must also conduct the public interest test in relation to the application of section 24(2).

In many situations where the request is in the territory of national security, both exemptions apply in their own right. This is because confirming or denying that you hold the requested information in these circumstances will itself disclose information about a security body. The phrase “in the territory of national security” is used by the ICO but does not actually appear in the legislation. For further information, read our detailed guidance on Section 23 (security bodies).  

When applying s24(2) it is appropriate to consider whether confirming or denying would reveal information about the involvement or non-involvement of a security body, which in turn could undermine national security. If it does, then section 24(2) is engaged. Section 24(2) would still have been engaged on its own merits, independently of section 23(5), albeit for the same reason. This approach is demonstrated by revisiting the previous examples.

Example

In the previous examples, when considering the application of section 24(2), it would have been legitimate for Nottinghamshire Police and the Home Office to consider whether confirming or denying that they held the requested information would both relate to a security body and also undermine national security. The onus is on them to justify their application of section 24(2). They must carry out the public interest test for the application of section 24(2).

Although in many situations where the request is in the territory of national security both exemptions will apply in their own right, there will be some requests where only one of the two exemptions is engaged.

Example

The Home Office receives a request for the address of Government Communications Headquarters (GCHQ), a body listed in section 23(3). Technically, releasing a statement that the Home Office holds the address of GCHQ is the disclosure of information relating to a s23 body and therefore the exemption provided by section 23(5) is engaged.

However, the address of GCHQ is available from a government website and there is a general presumption that the Home Office will be aware of GCHQ’s address. Therefore there will be no threat to national security if the Home Office confirms it holds the address. There are no grounds for applying section 24(2).

This may seem a rather extreme example. However, it serves to demonstrate that there will be occasions when only section 23(5) would apply.

The ICO’s approach to complaints about the application of the NCND provisions

When we receive a complaint about a public authority’s use of sections 23(5) and 24(2), we will consider the application of each exemption separately, in line with the approaches set out in the guidance Section 23 (security bodies) and Section 24 (national security). The ICO reserves the right to be informed whether the information is held and, if so, to have access to it. However, in the majority of cases, we anticipate that we will consider the application of NCND provisions without knowing whether the information is held.

We recognise the concerns that some public authorities have about using either of these exemptions on their own because of the inferences that might be drawn about the involvement or non-involvement of a security body. Where this is an issue, we will reach a decision on each exemption separately, but will carefully consider how any decision notice is articulated to avoid inferences being inappropriately drawn.

How do we apply sections 23(1) and 24(1) of FOIA?

Sections 23(1) and 24(1) are mutually exclusive. This means they cannot be applied to the same information.

Although you could respond to many requests that raise national security concerns using the NCND provisions, there will be situations when it is obvious that you hold the information. This may be as a result of official statements to that effect. In these situations the use of NCND would serve little purpose. In these cases we would encourage you to confirm that you hold the information.

When it is obvious that you hold the information, but not obvious whether its contents relate to a security body, this in itself may be worthy of protection. The dilemma for you is that relying on either section 23(1) or section 24(1) alone, would reveal whether the requested information relates to a security body.

In these circumstances, you should not attempt to apply the NCND provisions in order to avoid citing an exemption from the duty to disclose the actual information. Even though relying on just one of the exemptions from the duty to disclose information would itself reveal something of the nature of the information, this is not a basis for engaging sections 23(5) or 24(2). As discussed above, the only basis for applying sections 23(5) or 24(2), or both, is what would be revealed by confirmation or denial that you hold the information.

When it is obvious that you hold the information and therefore you see no value in refusing to confirm or deny, or if the NCND provisions can’t be engaged on the facts of the case, you will be faced with the problem of applying either section 23(1) or section 24(1). We have developed an approach to deal with this situation which is set out below.

Applying sections 23(1) and 24(1) “in the alternative”

The fact that you can only apply section 24(1) to information that is not protected by section 23(1) can present a problem if you do not want to reveal whether a section 23 security body is involved in an issue. If you could only cite section 24(1) in your refusal notice, this would disclose that no section 23 body was involved. Conversely, if you only cite section 23(1), this would clearly reveal the involvement of a security body. To overcome this problem, the ICO allows you to cite both exemptions “in the alternative” when necessary. This means that although only one of the two exemptions can actually be engaged, you may refer to both exemptions in your refusal notice. 

Example

In this hypothetical example, the government announces that a terrorist suspect, Mr X, has been apprehended but very few details are released. This prompts an FOI request to the Home Office for information on the circumstances of the arrest. 

It may well be that the arrest was the result of a well-executed, intelligence-led, security operation. However it is equally plausible that the local police made the arrest following a report that someone had been acting suspiciously and the significance of the arrest was only realised later. 

It is clear, because of the government’s announcement, that the public authority would hold information on the circumstances of the arrest, but it may not want to reveal whether a security body was involved. If it relied on section 23(1), it would reveal the involvement of a security body, or if it relied on section 24(1) then this would reveal the security bodies were not involved. Therefore, rather than having to identify the actual exemption that they are relying on, they are able to cite sections 23(1) and 24(1) in the alternative.

Example

In ICO decision notice FS50846550 the Commissioner considered a request for the number of citizenship deprivation orders issued to dual British-Pakistani nationals over a two-year period. The applicant argued it was a matter of public record that a number of British-Pakistani individuals had been deprived of their citizenship. Based on confidential submissions from the Home Office, the Commissioner accepted that the requested information engaged the exemption at section 23(1) and in the alternative, the exemption at section 24(1).

The background to this situation is that public authorities were concerned that only relying on either section 23(1) or section 24(1) would reveal the involvement, or not, of a security body. To avoid this issue they applied the NCND provisions of both exemptions.

The ICO is satisfied that allowing public authorities to cite sections 23(1) and 24(1) in the alternative is the pragmatic solution to this issue. There are benefits to the applicant in that they at least receive confirmation that you hold the information. In addition, you do not appear to be unnecessarily obstructive by refusing to confirm whether you hold information when it is obvious  that you do.

Refusal notices

When you cite sections 23(1) and 24(1) in the alternative, you need to consider the contents of your refusal notice. Technically, section 17(1) requires you to specify the exemption you are relying on. However, it is important in these circumstances that the refusal notice effectively disguises which provision actually applies. Therefore, the ICO will accept a refusal notice which cites both exemptions, stating that you are citing them in the alternative and then explaining why each one could apply. As section 24 is qualified, the refusal notice should also explain your application of the public interest test to that provision.

Example

In the previous hypothetical example, relying on the NCND provision would serve little purpose. Rather, the public authority should explain in their refusal notice that:

  • they are withholding the information; and
  • in the circumstances of the case, it is not appropriate to provide any information that would undermine national security or reveal the extent of any involvement of the security bodies in the arrest of Mr X.

They are therefore applying sections 23(1) and 24(1) in the alternative, which means only one of the two exemptions is actually engaged but it is not appropriate to say which one.

The level of detail that you can provide when explaining why each exemption could apply will depend very much on the circumstances. In some cases it will be very apparent how each exemption could apply.

Example

In the previous example, it would be possible for the public authority to explain that section 23(1) applies to information that relates to one of the listed security bodies. And so, if one of those bodies had been involved in the arrest, providing the requested information would inevitably disclose information relating to one of those bodies. If this were the case, the information would be exempt under section 23(1). The refusal notice should also state that it was possible that no section 23 security body was involved in the arrest. But that disclosing the information could reveal what aspects of Mr X’s behaviour attracted the attention of police. This would prejudice national security and in such circumstances the information could be withheld in order to safeguard national security.

The refusal notice should also explain why the public interest favours maintaining section 24(1).

It may be appropriate for you to consider applying s17(4), in cases where it proves more difficult to explain why the exemptions apply or, in the case of section 24, why the public interest favours maintaining the exemption. This subsection disapplies the obligation to provide such explanations where to do so would itself involve the disclosure of exempt information.

Considering the public interest in maintaining section 24(1)

Where you have applied sections 23(1) and 24(1) in the alternative, you also need to consider the consequences of applying the public interest test to section 24(1). Could the public interest test overturn the application of section 24(1) and so prevent the use of the two exemptions in the alternative?

Where you have applied sections 23(1) and 24(1) in the alternative, only one of them will actually be engaged.

There are two situations where you will cite the exemptions in the alternative.

Firstly, the information does not relate to a section 23 security body, but you consider that section 24(1) is engaged and that the public interest favours maintaining the exemption. In this case, you will be satisfied that the public interest favours maintaining the exemption by the time you consider the need to cite the two exemptions in the alternative.

The second scenario is where the requested information engages section 23(1). In these cases the application of section 24(1) and the public interest test is only conjectural. It makes sense that in this scenario the hypothetical public interest test for section 24(1) will always favour maintaining the exemption.

The ICO’s approach to complaints about the application of section 23(1) and section 24(1)

If a complaint is made to the ICO, you need to explain to us which exemption you are actually relying on. We then investigate the application of that exemption in line with the approaches set out in the guidance Section 23 (security bodies) and Section 24 (national security). In the majority of cases, this means that we will need access to the information. However, in some section 23(1) cases and, exceptionally, some section 24(1) cases, we may be able to make a decision based on submissions, reasoned explanations and confidential discussions alone.

The ICO can find that either the exemption was not engaged or, in the case of section 24(1), that the public interest did not favour maintaining the exemption. However, we are very aware of the importance of protecting national security and where section 24(1) is engaged the Commissioner would not decide lightly that the balance of the public interest test favours disclosure. You should also remember that when section 23(1) is cited, the ICO could find that the information does not relate to a section 23 security body.

Where the ICO finds in favour of a public authority, the decision notice does not allude to which exemption has actually been applied. It simply says that the Commissioner is satisfied that one of the two exemptions cited is engaged and that, if the exemption is section 24(1), the public interest favours withholding the information. Any decision notice upholding a complaint simply says that the Commissioner is not satisfied that either of the two exemptions is engaged, or that, in the case of section 24(1) being engaged, the public interest favours disclosure. In either scenario, the decision notice does not reveal which exemption the public authority is actually relying on.

Can we confirm we hold requested information and also rely on the NCND provisions?

You may confirm you hold at least some of the requested information but may still wish to conceal whether or not you hold additional information that either relates to a national security body or could undermine national security. In such a scenario you could respond to a request by confirming you hold some information, and then either disclose the information or withhold it, relying on appropriate exemptions. You could then also refuse to confirm or deny whether you hold any additional information, citing either sections 23(5), or 24(2), or both.

Example

In ICO decision notice FS50845427 the Commissioner considered a request for emails held by the Nigerian section in the Foreign and Commonwealth Office (FCO) containing key words relating to an oil field. The FCO relied on sections 23(5) and 24(2) as the basis for refusing to confirm or deny whether it held any further information within the scope of the request other than that which it had already disclosed or withheld. The Commissioner found that on the balance of probabilities, further information about the subject matter of the request, if held, could be related to one or more bodies identified in section 23(3). The Commissioner also found that confirming or denying whether the FCO held any further information within the scope of the request would be likely to reveal whether or not the security bodies were in any way involved in the subject matter of the request. Therefore, the exemption in section 24(2) was required for the purposes of safeguarding national security.

However, if the request is for a specific file and you have confirmed that it is held, then there is no scope for relying on the NCND provisions because there is no additional information within the scope of the request.

Example

In ICO decision notice FS50694170 the Commissioner considered a request for a copy of a named Cabinet Office file transferred to The National Archives but closed to the public. In addition to the exemptions relied on to withhold the file, the Cabinet Office sought to rely on sections 23(5) and section 24(2) to refuse to confirm or deny whether it held any further information. The Commissioner found that, given the specific wording of the request, it was illogical for the Cabinet Office to adopt a NCND position in relation to any ‘further information’ simply because the complainant had not requested any further information. Rather, the complainant had simply asked for a named file which the Cabinet Office had confirmed that it held. Consequently, given that sections 23(5) and 24(2) simply remove the obligation to confirm or deny whether the requested information is held, and such confirmation had already been given, there was no basis for the Cabinet Office to also seek to rely on sections 23(5) and 24(2).

You should therefore consider how a request is worded and whether it provides you with the scope for confirming that you hold some of the information and also relying on the NCND provisions to refuse to confirm or deny whether you hold any additional information.

What else should we consider?

Where information, potentially exempt under sections 23(1) and 24(1), is withheld under other exemptions

There can be situations when, although the requested information could relate to national security matters, you confirm you hold the information but withhold it under other exemptions. You may be concerned that because you have not used sections 23(1) and 24(1) to withhold the information, people will assume that the information does not relate to national security issues or a security body. In these cases, you could explain to the applicant that nothing can be inferred from your response about whether the withheld information would or would not also be exempt under either of these sections.

Example

The Ministry of Defence (MOD) receives a request for the patrol logs of ships patrolling the coast off Somalia to prevent piracy. It is standard procedure for ships to keep patrol logs. It is clear that the MOD holds information falling within the scope of the request. However, on this occasion the MOD has grounds for withholding all the information requested under sections 26 (defence) and 27 (international relations) of the FOIA. 

In addition, it could explain that nothing can be inferred from the fact that sections 23(1) or 24(1) have not been cited, as to whether the contents of the withheld information relate to a security body or could undermine national security.

There is nothing in FOIA that prevents you from giving this additional explanation. However, it is only something that you have provided over and above your obligations under FOIA. In the above example, the public authority only relied on the exemptions in sections 26 and 27 of FOIA. Accordingly, these are the only provisions that the ICO would consider if we received a complaint.

In effect, all the additional explanation does is remind the applicant what is, or is not, safe to infer by you not citing sections 23(1) or 24(1) and instead relying on other exemptions. If this is all you wish to achieve, the ICO has no objection. However, you should consider whether raising the application of sections 23(1) and 24(1) does more harm than good by alerting the applicant to the possibility that those sections may be relevant to the request.

Attempting to use sections 23(5) and 24(2) to disguise the content of the information

What you cannot do is attempt to use the NCND provisions of sections 23(5) and 24(2) to refuse to confirm or deny whether the withheld information is also exempt under sections 23(1) or 24(1).

Example

Returning to the previous example, the public authority could not respond as follows:

‘The information is exempt under sections 26 and 27 and furthermore we are applying sections 23(5) and 24(2) to refuse to confirm or deny whether the information is also exempt under either sections 23(1) or 24(1).’

Sections 23(5) and 24(2) remove the obligation to confirm or deny whether you hold  the requested information. They have nothing to do with refusing to confirm or deny which exemptions you have applied to the withheld information.

Further Reading

There are other exemptions which may be relevant to this guidance and you may want to read our guidance on these exemptions as well:

Section 23 (security bodies) the work of the security bodies will often touch on issues of national security.

Section 24 (national security) the work of the security bodies will often touch on issues of national security.

Section 26 (defence) there are links between national security and the defence of the UK.

Section 27 (international relations) disclosing information that would undermine national security may also be prejudicial to international relations.

Section 38 (health and safety) disclosing information that would undermine national security could also endanger someone’s physical or mental health.

These examples are not exhaustive. Other exemptions may apply. As always, it is the specific circumstances of a case that will dictate the application of exemptions.