The Scottish Information Commissioner - It's Public Knowledge
Share this Page
Tweet this page:
Text Size Icon

- Text Size Up | Down

Book Icon

Personal Information - section 38

The exemptions: the main points

Section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) contains four exemptions, all relating to personal information.  Information is exempt from disclosure if it is:

  • the personal data of the person requesting the information (section 38(1)(a));
  • the personal data of a third party – but only if other conditions apply (section 38(1)(b));
  • personal census information (section 38(1)(c)); or
  • a deceased person’s health record (section 38(1)(d)).

The section 38 exemptions can be complex to apply.  You are advised to consider them methodically, referring to our briefing (below)  as you go to be sure you are applying the correct tests.

Note The exemptions in sections 38(1)(a) and (b) regulate the relationship between FOISA and the Data Protection Act 1998 (the DPA). However, a new law, the EU-wide General Data Protection Regulation (GDPR) Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. Up to date information about the GDPR can be found on the (UK) Information Commissioner data protection reform website.


Duration

The exemptions in sections 38(1)(a) and (b) can be applied regardless of how old the information is.  In practice, this will be limited because the exemptions can only be applied if the information relates to living individuals.  The exemptions do not apply to personal information of deceased people.
The exemptions in sections 38(1)(c) and (d) don’t last forever.  In general, they do not apply to information that is more than 100 years old.


Section 38 and the public interest test 

The exemptions in section 38 are generally absolute, which means that they are not subject to the public interest test.  However, in two situations, the exemption in section 38(1)(b) is subject to the public interest test.  This means that, even if the exemption applies, the information must be disclosed unless the public interest in withholding the information outweighs the public interest in disclosing it.  This is looked at in more detail in the briefing.


Section 38 and neither confirm nor deny

Where any of the exemptions in section 38 applies, a public authority can refuse to confirm or deny whether it holds the information, provided the authority is satisfied that revealing whether the information exists or is held would be contrary to the public interest (section 18 of FOISA).

The briefing contains a flowchart which looks at responding to requests for third party personal data under section 38(1)(b).  It is part of a wider flowchart, which looks at the whole of section 38, but which it is difficult to reproduce in A4.  The wider flowchart is available below to download.


Download the briefing and wider flowchart

PDF iconBriefing Section 38 - Personal Information

PDF icon

Section 38 Flowchart 

 

Page last updated 09 December 2016

 

 

 

 

Back to Top