Data Protection Act exemptions
Data controllers can withhold certain kinds of exempt information from you - the main exemptions are set out below. One of the weaknesses of the DPA is that you need not be told whether exempt information has been withheld. You have no right to be told whether you have been given access to the full file or only an edited version. You may even get a deliberately ambiguous reply to your request, such as ‘We hold no data on you, which we are required to disclose to you.’ This could mean that no information is held on you, or that there is a file, but everything in it is regarded as exempt.
Nevertheless, it is worth asking if anything has been held back: it may be difficult for the person involved to evade a direct question. If you suspect you have been refused access to information that is not genuinely exempt you can ask the Information Commissioner to investigate.
The main exemptions apply to:
Personal Information about Someone Else
This will not normally be released to you without that person’s consent. However, the DPA does allow such information to be disclosed without consent if this is reasonable in all the circumstances. In deciding whether it is reasonable, the controller must consider in particular whether a duty of confidentiality is owed to the other person, what efforts have been made to obtain the person’s consent, and whether the person is capable of giving consent or has expressly refused it.
If the information can be disclosed to you in a way that does not identify the individual - for example, by deleting the name of the individual or other identifying features - then you are entitled to it.
Information Identifying Someone who has Supplied Information about You
It is not enough for the data controller to suspect that you might be able to identify the individual concerned. The information must itself be enough to identify the person. The information someone else supplies about you is not exempt - unless its disclosure would in itself identify who had supplied it.
Only identifiable individuals, not organisations, are protected. Thus information that would reveal that a former employer had supplied information about you would not be exempt unless you would be able to identify the particular individual - for example, a particular manager. This exemption does not protect the identity of a health professional, social worker or teacher who has provided information that is recorded on your health, social work or educational record. This is discussed further below.
Law Enforcement
Personal data held for the purpose of preventing or detecting crime, apprehending or prosecuting offenders, or assessing and collecting any tax or duty are exempt if disclosure would prejudice one of those purposes.
The exemption is not restricted to bodies such as the police or Inland Revenue. So, information about suspected fraud held by a bank or a social security officer could also be covered.
Not all law enforcement information is necessarily exempt. If you are the victim of a crime you may be able to see what is held about you without much risk of prejudicing the purpose for which the record is held. But if you are the suspect, the chance of the information being withheld will be much greater.
Information revealing how anyone is classified under a system for assessing potential tax evasion or benefit fraud is exempt where the exemption is required in the interests of the operation of the system.
National Security
Information can be withheld from you on national security grounds. You can challenge a refusal to disclose by going to the Information Commissioner in the normal way unless a Cabinet minister has issued a certificate stating that the exemption is required in order to safeguard national security. In this case, you could apply to the Information Tribunal, which could overturn the certificate, but only on the very limited grounds that the minister had no reasonable grounds for issuing it, or it may be able to declare that the certificate does not apply to the personal data in question. Alternatively, you could apply to the Investigatory Powers Tribunal or IPT (which deals with issues relating to national security) on the basis that the refusal to disclose was not justified on national security grounds and therefore not protected by the certificate. The IPT may then look ‘behind the scenes’ to check whether the refusal was acceptable.
References
References are exempt in many, but not all, cases. You will have no right to obtain a confidential reference from the person or body that gave it, even if it could be disclosed without identifying the individual concerned. But you would be entitled to see a reference held by the person to whom it was supplied (for example, an employer who has turned down your job application), except where this would identify the individual who gave it. The fact that it may identify the organisation that gave it is not relevant. Even information identifying the individual who gave the reference might have to be disclosed if it was reasonable to do so in all the circumstances.
Negotiations
Information is exempt if it would reveal the data controller’s intentions in relation to any negotiations with you and if disclosure would prejudice those negotiations. General opinions and intentions towards you are, however, not exempt.
Examination Marks and Examiners’ Comments
These are exempt - but only for a time. You are entitled to see these 40 days after the examination results have been announced or five months after your request has been received, whichever is shorter.
Other Exemptions
The DPA contains many other exemptions. These include exemptions for data used solely in connection with an individual’s personal or family affairs; for data kept solely for statistical, historical or research purposes and published anonymously; for data processed for the publication of journalistic, literary or artistic material; and for lawyer-client communications.


