Freedom of information exemptions—personal information
Produced in partnership with Paul Gibbons
Freedom of information exemptions—personal information

The following Public Law guidance note Produced in partnership with Paul Gibbons provides comprehensive and up to date legal information covering:

  • Freedom of information exemptions—personal information
  • Scope of the exemption
  • What is personal data?
  • Requests by the applicant for their own personal data
  • Requests for personal data relating to another individual
  • What is the correct process for considering fairness and lawfulness?
  • Justifying disclosure and legitimate interests
  • Neither confirm nor deny
  • Employee data
  • Environmental information regulations and personal information

This Practice Note considers the exemption for personal information under section 40 of the Freedom of Information Act 2000 (FIA 2000).

Scope of the exemption

This is a class-based exemption. Most of its elements are absolute, but two aspects are qualified (ie subject to a public interest test). The exemption’s aim is to avoid a conflict between the data protection regime, which protects personal data, and the objectives of the FIA 2000 to increase transparency and accountability.

The General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) introduced substantial amendments to EU and UK data protection law, replacing the Data Protection Act 1998 (DPA 1998) and Directive 95/46/EC, the Data Protection Directive from 25 May 2018. In connection with the GDPR, the Data Protection Act 2018 (DPA 2018) made consequential amendments to various legislation, including FIA 2000.

The DPA 2018 introduces four distinct data protection regimes into UK data protection law. It covers the processing of personal data:

  1. within the scope of the GDPR—assisting and supplementing the adoption of the GDPR into UK law by providing permitted national derogations/exceptions to the requirements of the GDPR

  2. outside the scope of the GDPR—applying GDPR standards to additional areas of processing not covered by the GDPR and EU law, such as the processing of unstructured manual files by public authorities, this regime is known as