Part II Exempt information
40 Personal information.
(1)
Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject.
(2)
Any information to which a request for information relates is also exempt information if—
(a)
it constitutes personal data which F1does not fall within subsection (1), and
(b)
F2the first, second or third condition below is satisfied.
F3(3A)
The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—
(a)
would contravene any of the data protection principles, or
(b)
would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.
(3B)
The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).
F4(4A)
The third condition is that—
(a)
on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or
(b)
on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.
F5(5A)
The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).
(5B)
The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—
(a)
giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—
(i)
would (apart from this Act) contravene any of the data protection principles, or
(ii)
would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;
(b)
giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);
(c)
on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);
(d)
on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.
F6(6)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F7(7)
In this section—
“the data protection principles” means the principles set out in—
(a)
Article 5(1) of the GDPR, and
(b)
section 34(1) of the Data Protection Act 2018;
“data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);
“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).
(8)
In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.