The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Book Icon

Personal Information - section 38 - under the OLD rules


Exclamation Icon

Data protection laws have changed. Please do not use the guidance on this page for any information requests received on or after 25 May 2018.


This is when both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect.

The new DPA 2018 amends section 38 of the Freedom of Information (Scotland Act 2002 (FOISA and regulation 11 of the Environmental Information (Scotland) Regulations 2004 (the EIRs). The changes affect when personal data can, and can't be disclosed in response to a FOISA or EIRs request.

Read our new draft guidance on personal information under the new rules Draft Briefing on Section 38 under the new rules

Up to date information about the GDPR can be found on the (UK) Information Commissioner data protection reform website

We're continuing to publish the guidance under the old rules (below) because a small number of authorities and applicants may still need to refer to it for any older cases appealed to the Commissioner.

The exemptions: the main points

Section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) contains four exemptions, all relating to personal information.  Information is exempt from disclosure if it is:

  • the personal data of the person requesting the information (section 38(1)(a));
  • the personal data of a third party – but only if other conditions apply (section 38(1)(b));
  • personal census information (section 38(1)(c)); or
  • a deceased person’s health record (section 38(1)(d)).

The section 38 exemptions can be complex to apply.  You are advised to consider them methodically, referring to our briefing (below)  as you go to be sure you are applying the correct tests.


The exemptions in sections 38(1)(a) and (b) can be applied regardless of how old the information is.  In practice, this will be limited because the exemptions can only be applied if the information relates to living individuals.  The exemptions do not apply to personal information of deceased people.
The exemptions in sections 38(1)(c) and (d) don’t last forever.  In general, they do not apply to information that is more than 100 years old.

Section 38 and the public interest test 

The exemptions in section 38 are generally absolute, which means that they are not subject to the public interest test.  However, in two situations, the exemption in section 38(1)(b) is subject to the public interest test.  This means that, even if the exemption applies, the information must be disclosed unless the public interest in withholding the information outweighs the public interest in disclosing it.  This is looked at in more detail in the briefing.

Section 38 and neither confirm nor deny

Where any of the exemptions in section 38 applies, a public authority can refuse to confirm or deny whether it holds the information, provided the authority is satisfied that revealing whether the information exists or is held would be contrary to the public interest (section 18 of FOISA).

Download the briefing

PDF iconBriefing Section 38 - Personal Information


Page last updated 12 July 2018





Back to Top