
Section 40 flowchart description

Question 1: “Is the request for personal data?”

  • If the answer to question 1 is no, the request is not exempt under Section 40 or regulation 13.
  • If the answer to question 1 is yes, go to Question 2.

Question 2: “Is that person the requester?”

  • If the answer to question 2 is yes, then treat as a subject access request under the UK GDPR or DPA 2018.
  • If the answer to question 2 is no, then go to Question 3.

Question 3: condition one. Consider Principle (a) and lawful processing. Is the information special category data?

  • If the answer to question 3 is yes, is there a condition for processing this data?

    Either:
    • explicit consent; or
    • data manifestly made public by the data subject.

If yes, go to question 5.

If no,

      • processing is unlawful (or unfair) and disclosure would contravene principle (a).
      • Withhold the information.
      • Issue a refusal notice explaining which subsection applies and why.

If the answer to question 3 is no, go to question 4. 

Question 4: is the information criminal offence data?

  • If the answer to question 4 is yes, is there a condition for processing this data?

    Either:
    • explicit consent; or
    • data manifestly made public by the data subject.

      If yes, go to question 5.

      If no,
      • Processing is unlawful (or unfair) and disclosure would contravene principle (a).
      • Withhold the information.
      • Issue a refusal notice explaining which subsection applies and why.

  • If the answer to question 4 is no, go to Question 5.

Question 5: “Is there an Article 6 basis for processing? (legitimate interest test)”

  • If the answer to question 5 is yes, then go to question 6.
  • If the answer to question 5 is no,
    • Processing is unlawful (or unfair) and disclosure would contravene principle (a).
    • Withhold the information.
    • Issue a refusal notice explaining which subsection applies and why.

Question 6: “Is disclosure fair and transparent?”

If the answer to question 6 is yes,

  • Disclosure would not contravene data protection principles (condition one).
  • Consider condition two: would disclosure contravene the right to object?
  • If yes, conduct a public interest test.
  • Consider condition three: would the requested data be exempt from the right of subject access?
  • If yes, conduct a public interest test.
  • You could test condition two and three before condition one.

If the answer to question 6 is no,

  • Processing is unlawful (or unfair) and disclosure would contravene principle (a).
  • Withhold the information.
  • Issue a refusal notice explaining which subsection applies and why.