Part 2 Exempt Information

38 Personal information

1

Information is exempt information if it constitutes—

a

personal data of which the applicant is the data subject;

F4 b

personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));

c

personal census information; or

d

a deceased person’s health record.

F1 2A

The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—

a

would contravene any of the data protection principles, or

b

would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

2B

The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the F7 UK GDPR (general processing: right to object to processing).

F2 3A

The third condition is that—

a

on a request under Article 15(1) of the F8 UK GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or

b

on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.

F5 4

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

5

In this section—

  • F6 “the data protection principles” means the principles set out in—

    1. a

      Article 5(1) of the F9 UK GDPR, and

    2. b

      section 34(1) of the Data Protection Act 2018;

  • “data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • F10 ...

  • “health record” has the meaning assigned to that term by section 1(1) of the Access to Health Records Act 1990 (c.23); and

  • “personal census information” means any census information—

    1. a

      as defined in section 8(7) of the Census Act 1920 (c.41); or

    2. b

      acquired or derived by virtue of sections 1 to 9 of the Census (Great Britain) Act 1910 (c.27),

    which relates to an identifiable person or household.

  • F11 “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);

  • F11 “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).

F3 5A

In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the F12 UK GDPR would be contravened by the disclosure of information, Article 6(1) of the F12 UK GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

6

In section 8(7) of the Census Act 1920 (penalties), in the definition of “personal census information”, at the end there is added “ but does not include information which, by virtue of section 58(2)(b) of the Freedom of Information (Scotland) Act 2002 (asp 13) (falling away of exemptions with time), is not exempt information within the meaning of that Act ”.