Data Protection Act 2018

Environmental Information Regulations 2004 (S.I. 2004/3391)

307(1) Regulation 13 (personal data) is amended as follows.

(2) For paragraph (1) substitute—

(1) To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—

(a) the first condition is satisfied, or

(b) the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.

(3) For paragraph (2) substitute—

(2A) The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(2B) The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—

(a) Article 21 of the GDPR (general processing: right to object to processing), or

(b) section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(4) For paragraph (3) substitute—

(3A) The third condition is that—

(a) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b) on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c) on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(5) Omit paragraph (4).

(6) For paragraph (5) substitute—

(5A) For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—

(a) the condition in paragraph (5B)(a) is satisfied, or

(b) a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.

(5B) The conditions mentioned in paragraph (5A) are—

(a) giving a member of the public the confirmation or denial—

(i) would (apart from these Regulations) contravene any of the data protection principles, or

(ii) would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;

(b) giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 99 of the Data Protection Act 2018 (right to object to processing);

(c) on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);

(d) on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;

(e) on a request under section 94(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(7) After that paragraph insert—

(6) In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.