Personal Information

Guidance on the use of FOISA section 38

A note for readers

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) came into effect in May 2018, making many changes to data protection laws in the UK. Some of the cases and decisions referred to in this briefing were decided in line with the Data Protection Act 1998 (which is no longer in force). Although many of the key principles involved remain very similar under the new rules, readers need to ensure they comply with the new regime.

We update the guidance as new decisions are issued and further data protection guidance becomes available.

Recent changes to this guidance

  • New paragraph on Brexit, with a link to the ICO's website
  • Reference to transitional provisions removed
  • Definition of "personal data" focused on s3 of DPA 2018 rather than GDPR definition (substantially similar)
  • New text about the definition of "relates to"
  • New references to recent decisions under the new rules added to Appendix

About section 38

Section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) contains four exemptions, all relating to personal information. Information is exempt from disclosure if it is:

  • the personal data of the person requesting the information (section 38(1)(a));
  • the personal data of a third party – but only if other conditions apply (section 38(1)(b));
  • personal census information (section 38(1)(c)); or
  • a deceased person's health record (section 38(1)(d)).

The exemptions in sections 38(1)(a) and (b) regulate the relationship between FOISA, the General Data Protection Regulation and the Data Protection Act 2018.


The exemptions in section 38(1)(a) and (b) can be applied regardless of how old the information is. In practice, this will be limited because the exemptions can only be applied if the information relates to living individuals.

The exemptions in section 38(1)(c) and (d) don't last forever. In general, they can't be applied to information that is more than 100 years old.

Section 38 and the public interest test

The exemptions in section 38 are mostly absolute, which means that they are not subject to the public interest test. However, in two specific situations, the exemption in section 38(1)(b) is subject to the public interest test. This means that in these situations, even if the exemption applies, the personal data must be disclosed unless the public interest in withholding the personal data outweighs the public interest in disclosing it. This is explained in more detail in the briefing.

Section 38 and neither confirm nor deny

Where any of the exemptions in section 38 applies, a public authority can refuse to confirm or deny whether it holds the information, provided it is satisfied that revealing whether the information exists or is held would be contrary to the public interest (section 18 of FOISA).

Download the briefing

Section 38 exemption briefing

Environmental information

See our briefing on the exception for personal information under the EIRS – Regulation 11 Personal information

Back to Top