This means that the approach to s. 40 will generally remain the same as under the earlier law – if the applicant wants his or her own information, the matter should be treated as a subject access request under data protection legislation (s. 40(1) FOIA); if the applicant wants access to personal data about other people, consideration needs to be given to the fairness, lawfulness and necessity of disclosing such information (the first data protection principle). If disclosure would not be fair or lawful or would be disproportionate, the information is absolutely exempt (s. 40(2) and s. 40(3A) FOIA).

A further exemption

One point to note is a new additional alternative ground of exemption (s. 40(4A)). If the information is third party personal data and wouldn’t be disclosed to the data subject him/herself in consequence of a subject access request (because of an exemption from the right of subject access under GDPR/the Data Protection Act 2018), it need not be disclosed in consequence of a request under FOIA.

This ground of exemption for FOIA purposes is a ‘qualified exemption’ and therefore subject to the public interest test. However, given the data subject him/herself wouldn’t get to see it under GDPR/the DPA, is hard to imagine circumstances where the public as a whole (including the data subject) would get to see such information under FOIA.

How Capsticks can help

Neither the website nor the ICO’s guidance on s. 40 FOIA yet incorporate the updated legislation, and so we link to it here for ease of reference.

We will be sending further briefings out about the other changes brought about by the Data Protection Act 2018 over the next few weeks, but if you have any questions regarding information law, including GDPR, the new Data Protection Act or the Freedom of Information Act, please contact Andrew Latham, Tracey Lucas or Ian Cooper. Capsticks advises on all aspects of Freedom of Information law, including handling responses to requests, ICO complaints, and Information Tribunal appeals.