The ICO exists to empower you through information.

Section 40 and Regulation 13 – personal information

Share Download options

Pages

Format

Latest updates - 13 December 2023

13 December 2023

  • This detailed guidance includes pieces of guidance which were previously separate. The pieces merged into this one are: “information exempt from the right of access”, “neither confirm nor deny in relation to personal data”, “personal data of both the requester and others”.
  • We have clarified our position about what you need to consider when deciding if the requested information is personal data and if people can be identified. You can find this change in the sections “What is personal data?” and “Can people be identified?
  • We have clarified the meaning of “otherwise than” under section 40 of FOIA and regulation 13 of the EIR. We have also clarified why principle (a) of the UK GDPR is the one mostly likely to be contravened if you disclose personal information in response to an FOI request. You can find this change in “Part three: The first condition – would disclosure contravene the data protection principles?
  • We have further explained our position about what you need to consider when conducting a legitimate interest assessment to decide if you can disclose personal information in response to an FOI or EIR request. You can find this change in Part three, section “Would disclosure be lawful?”, sub-section “Does lawful basis (f) – legitimate interests – apply?
  • We have included more examples from our decisions notices and from Tribunal decisions to help you apply the personal information exemption in practice.

This detailed guidance discusses the exemptions and exceptions relating to personal data under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). It is written for use by public authorities.

If you receive a request for personal data under FOIA or the EIR, you should use this guidance to help you decide how to respond. The guidance is divided into five parts which identify the key questions you need to address.

We have used plain language as far as possible. However, we’ve sometimes used some technical and legal terms for accuracy.

The guidance refers to the processing of personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). For more information see our guidance for organisations.