Personal Information

Guidance on the use of FOISA section 38

UPDATED: January 2021

Following Brexit, the UK is no longer subject to the General Data Protection Regulation (GDPR), but is subject to what is known as the "UK GDPR". We have updated our guidance to reflect this change and related amendments to other legislation. Some of the decisions referred to in the briefing were issued before the GDPR, Data Protection Act 2018 and UK GDPR came into force; although the key principles remain very similar, readers need to ensure they comply with the new regime.

We update the guidance as new decisions are issued and further data protection guidance becomes available.

Other recent changes to this guidance

  • "Consent" is no longer suggested as a basis for disclosing personal data in response to an FOI request - in line with recent decisions, our guidance now states "legitimate interest" is the only condition likely to apply in practice
  • Links to other resources now include updated ICO guidance on data protection and Brexit, the UK GDPR Keeling Schedule and the ICO's "Right of Access" guidance in place of the previous "Subject Access Code of Practice"

About section 38

Section 38 of the Freedom of Information (Scotland) Act 2002 (FOISA) contains four exemptions, all relating to personal information. Information is exempt from disclosure if it is:

  • the personal data of the person requesting the information (section 38(1)(a));
  • the personal data of a third party – but only if other conditions apply (section 38(1)(b));
  • personal census information (section 38(1)(c)); or
  • a deceased person's health record (section 38(1)(d)).

The exemptions in sections 38(1)(a) and (b) regulate the relationship between FOISA, the UK General Data Protection Regulation and the Data Protection Act 2018.


The exemptions in section 38(1)(a) and (b) can be applied regardless of how old the information is. In practice, this will be limited because the exemptions can only be applied if the information relates to living individuals.

The exemptions in section 38(1)(c) and (d) don't last forever. In general, they can't be applied to information that is more than 100 years old.

Section 38 and the public interest test

The exemptions in section 38 are mostly absolute, which means that they are not subject to the public interest test. However, in two specific situations, the exemption in section 38(1)(b) is subject to the public interest test. This means that in these situations, even if the exemption applies, the personal data must be disclosed unless the public interest in withholding the personal data outweighs the public interest in disclosing it. This is explained in more detail in the briefing.

Section 38 and neither confirm nor deny

Where any of the exemptions in section 38 applies, a public authority can refuse to confirm or deny whether it holds the information, provided it is satisfied that revealing whether the information exists or is held would be contrary to the public interest (section 18 of FOISA).

Download the briefing

Section 38 exemption briefing

Environmental information

See our briefing on the exception for personal information under the EIRS – Regulation 11 Personal information
