The Scottish Information Commissioner - It's Public Knowledge

Personal Information - section 38

Published 03 September 2018

The GDPR and the DPA 2018 came into effect on 25 May 2018 and made many changes to data protection laws in the UK (and the rest of Europe). Anyone using this guidance should be aware that the cases and decisions it refers to were decided in line with the Data Protection Act 1998 (which is no longer in force). Although many of the key principles involved remain very similar under the new rules, care is required to ensure that the new regime is complied with. This guidance will be updated as new decisions are issued and as further guidance on data protection is published by the Information Commissioner's Office, which enforces and regulates data protection throughout the whole of the UK, including Scotland.

About section 38

Section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) contains four exemptions, all relating to personal information.  Information is exempt from disclosure if it is:

  • the personal data of the person requesting the information (section 38(1)(a));
  • the personal data of a third party – but only if other conditions apply (section 38(1)(b));
  • personal census information (section 38(1)(c)); or
  • a deceased person’s health record (section 38(1)(d)).

The exemptions in sections 38(1)(a) and (b) regulate the relationship between FOISA, the General Data Protection Regulation and the Data Protection Act 2018.


The exemptions in section 38(1)(a) and (b) can be applied regardless of how old the information is.  In practice, this will be limited because the exemptions can only be applied if the information relates to living individuals.
The exemptions in section 38(1)(c) and (d) don’t last forever.  In general, they don’t apply to information that is more than 100 years old.

Section 38 and the public interest test

The exemptions in section 38 are mostly absolute, which means that they are not subject to the public interest test.  However, in two specific situations, the exemption in section 38(1)(b) is subject to the public interest test.  This means that in these situations, even if the exemption applies, the personal data must be disclosed unless the public interest in withholding the personal data outweighs the public interest in disclosing it.  This is explained in more detail in the briefing.

Section 38 and neither confirm nor deny

Where any of the exemptions in section 38 applies, a public authority can refuse to confirm or deny whether it holds the information, provided it is satisfied that revealing whether the information exists or is held would be contrary to the public interest (section 18 of FOISA).

Download the briefing


Section 38 exemption briefing

Previous version of this briefing

If you'd like us to send you the previous version of this briefing on section 38 (under the old rules, before the GDPR and DPA 2018), please contact us.

Personal information and the EIRs

See our briefing on the exception for personal information under the EIRs: Regulation 11 Personal information

