Skip to main content
Home

How do you apply section 41?

Contents

The test under section 41 hinges on a successful cause of action for a breach of confidence. That is, an “actionable” breach of confidence. 

To rely on section 41, you must show that: 

  • confirming or denying holding the information or 
  • disclosing it

would 

  • lead you to breach a duty of confidence you owe; and
  • someone could sue you for that breach; and
  • they would be likely to win. 

If you are considering disclosure of the information, you must also show you obtained it from someone else. 

This can be the person who communicated it to you in the first place or another third party. It can also be another public authority. 

Section 41 may not be relevant to you if you’re a government department. For more information about this, read the section “What if you are a government department?”.

Section 41 comprises two sub-sections. Section 41(1) deals with the disclosure of the information whilst section 41(2) deals with the duty to confirm or deny that you hold it. 

In the sections below, we explain in detail the steps to follow when relying on section 41. 

Can you confirm or deny holding the information?

Under section 1(1)(a) of FOIA, people have a right to know if you hold the information they’ve requested. In most cases, you can confirm this.  

However, sometimes, confirming or denying that you hold the information can – in itself – disclose exempt information or harm the interests an exemption protects. 

In these circumstances, the legislation allows you to not comply with section 1(1)(a) and issue a “neither confirm nor deny” response (“NCND”). 

In the case of section 41, sub-section 2 says that you don’t have to confirm or deny holding the information if doing so would result in an actionable breach of confidence. 

Unlike section 41(1), you don’t have to demonstrate you obtained the information from someone else. 

This is because the purpose of an NCND response is to leave it entirely open as to whether you hold the information or not. Saying who you obtained it from would reveal that you do hold it. This would undermine the purpose of giving an NCND response under section 41(2).

Apart from this difference, you can follow the section “Would disclosure to the public constitute an actionable breach of confidence?” of this guidance to help you decide if confirmation or denial would constitute an actionable breach of confidence. 

However, you’ll need to apply this test based on what would be revealed by your confirmation or denial if you held the information. 

In other words, to rely on section 41(2), you must show that your confirmation or denial would reveal the contents of confidential information, if held, and this would expose you to an actionable breach of confidence. 

It’s unlikely you’ll have to rely on section 41(2) very often. This provision is most likely to be relevant in situations where a request is very specific.

Example 

A council is the lead member of a Safeguarding Adults Board, established to offer support to adults at risk of abuse or neglect in the local area. The council receives the following requests about safeguarding notifications.  

Request one

“Can I please have information about the number and type of safeguarding notifications you have received in the area between 2020 and 2022?”

In this scenario, the council should be able to confirm or deny holding the information because the request is framed in general terms. Confirming they hold the information is unlikely to reveal anything sensitive.

Request two 

“Can I please have information about the number and type of safeguarding notifications you have received from Charity X and Y between 2020 and 2022?”

In this scenario, the council could issue a “neither confirm nor deny” response. This is because the request is very narrow. The council would risk revealing whether the named charities had made safeguarding notifications. This may, in itself, amount to a breach of confidence.

Read our detailed guidance on When to refuse to confirm or deny holding information if you’d like to know more about this topic. 

Have you obtained the information from any other person? 

Once you’ve established you can confirm holding the information, you need to decide if you can disclose it or whether it’s exempt under section 41(1). 

Section 41(1) comprises of two limbs: section 41(1)(a) and section 41(1)(b). 
Under limb 41(1)(a), you must show that you “obtained” the information from “any other person”. This is normally the person who gave the information to you with an expectation, explicit or implied, that you would keep it confidential.

This could be a person, another public authority, a company, a corporation or any other type of legal entity.  

This limb of the exemption can cover situations where you obtained the information from an external third-party as part of your functions, such as information about: 

  • people’s medical conditions or financial situation; 
  • incident reports;
  • protected disclosures; 
  • safeguarding.

Example

In decision notice FS50625038, the Information Commissioner decided that the public authority had obtained the information from another person. As a result, the Commissioner decided section 41(1)(a) was engaged. 

The applicant had requested information about the number and nature of whistleblowing reports about charities, broken down by the name of the charity. 

The public authority was the Charity Commission. As the regulator of charities, the Commission is a prescribed person under the Public Interest Disclosure (Prescribed Persons Order) 2014. In this role, they can receive reports about suspected wrongdoing in charities in England and Wales. 

The Commissioner found that this information was information obtained from any other person and, consequently, section 41(1)(a) was engaged. 

At para. 13, the Commissioner said: 

“the nature of the requested information is such that it would have to have been obtained from a third party either via a whistleblowing report or an SIR [ie serious incident report]. Information on serious incidents of abuse would have initially been received from allegations made to the Charity Commission from third parties. Similarly, by its very nature, a whistleblowing report is information provide[d] to the Charity Commission by an anonymous third party”. 

What about information you’ve produced yourself?

Information you’ve produced yourself is not usually covered by section 41(1)(a). This is because normally it’s not considered information provided by another person. 

Example

In decision notice IC-144583-B8L3, the Commissioner decided that the public authority was not entitled to rely on section 41(1)(a) to refuse to disclose information which they had given to Stonewall for the purpose of the Workplace Equality Index 2020. 

The public authority was the then Department for Digital, Culture, Media and Sport, now called the Department for Culture, Media and Sport (DCMS). 

The applicant had requested: 

  • a copy of the information DCMS had provided to Stonewall for the purpose of DCMS’ rating on Stonewall’s 2020 Index, and 
  • the rating Stonewall gave DCMS.

The Commissioner noted that the first part of the request did not engage section 41(1)(a) because this was not information “obtained by” DCMS from another person. Rather, this was information created by DCMS and given to Stonewall for the purpose of the Index. 

By contrast, the Commissioner accepted that the second part of the request met the test under section 41(1)(a) because it was information “obtained by” DCMS from any other person, ie Stonewall.

Section 41(1)(a) can sometimes cover information you obtained from your own employees or agency workers. This applies if it’s not information they produced as part of their employment. For example, an employee would be considered “another person” if they were: 

  • acting as a whistleblower;
  • raising concerns in their role as a trade union official;
  • providing evidence to an internal investigation.

Example

In Egan v The Information Commissioner ([2022] UKFTT 00529 (GRC), 20 December 2023), the First-tier Tribunal accepted that section 41(1)(a) applied to information the authority had received by its own employees during an internal investigation. 

The applicant had requested a copy of the investigation report the authority produced following staff concerns about a hospital’s physiotherapy practices during the Covid pandemic. 

The Tribunal agreed with the Commissioner that: 

“(…) the [s41(1)(a)] exemption can apply to personal judgments or opinions provided by employees during an investigation. The exemption would not apply to employees who disclose information in the course of their employment while acting in their capacity as an employee. 

On the facts of this case, it appears that the individuals who were interviewed were not providing information while acting solely in the course of their employment. They were providing personal statements including opinions as part of an investigation into patient safety, in accordance with their obligations as registered health professionals. 

We therefore find that section 41 is engaged by the information relating to interviews with staff members.” [para. 51]

Section 41(1)(a) can also cover information you produced internally if it is a record of confidential information given to you by another person. 

These types of records include: 

  • a transcript of the verbal testimony given by an employee at an internal disciplinary hearing;
  • a set of minutes that record the views expressed by a stakeholder or contractor during a meeting with the authority;
  • a written note detailing a conversation with a member of the public that took place over a confidential advice line;
  • a doctor’s observations of a patient’s symptoms, recorded during a consultation; 
  • an x-ray image of a patient taken by a hospital.

Example

In Department for Business, Enterprise and Regulatory Reform ('DBERR') v ICO and Friends of the Earth (EA/2007/0072, 29 April 2008), the then Information Tribunal (now called First-tier Tribunal) accepted that an internally created document engaged section 41(1)(a). This was because the document was a record of the confidential information obtained by another party. 

The applicant had requested information about the meetings and correspondence between the then DBERR’s ministers and senior civil servants and the Confederation of British Industry (“CBI”). 

DBERR claimed section 41 in relation to some information obtained from the CBI at the meetings, which they had recorded in a departmental note. 

The Information Commissioner had decided that this information wasn’t covered because it was a record the authority themselves had created. 

DBERR challenged the decision at Tribunal. They argued that such an approach “confuses the information imparted and the form in which it is recorded, or the party by whom it is recorded. The consequences of such an application, for example, are that highly confidential information passed by an informant to a police officer would be protected if it was recorded in a letter sent to the police by that source, but would not be protected if the police officer met the source, had a conversation, and then recorded it in a memorandum or statement. This privileges the accident of form (or record) over content, and cannot be correct.” [para. 78]. 

The Tribunal accepted the Department’s submissions on this point. 

What if the information is a mix of internally generated information and information you obtained by another person?

When the requested information is a mixture of information you created and information given to you by another person, section 41(1)(a) will generally cover only the latter. 

As a rule, you should separate the information obtained from external third parties from the internally generated information. 

Example

In decision notice IC-167774-S3X4, the Information Commissioner decided that the conclusions in a report produced by the authority did not engage section 41(1)(a). 

The applicant had requested a copy of a report produced following an analysis of “Lost to Follow Up” patients in the period between April 2020 and August 2021. 

The public authority was NHS England. 

The authority claimed section 41(1)(a) on the basis that the report contained information they had received by external third parties, namely the Clinical Commissioning Groups (‘CCGs’) and NHS Provider Trusts. 

At para. 18, the Commissioner said he accepted “it [ie the information] was obtained from another person, apart from the conclusion which he has decided has been generated by NHSE because it makes recommendations which were clearly not provided by the third-party organisations, nor does it refer to individual Trusts”. 

However, you must always check if the information you created reveals the contents of confidential information you obtained from someone else. If it does, section 41(1)(a) could apply to both. 

This can happen when your own analysis, interpretation or comments are very specific to the information you received. Examples of this are common in requests for medical or social care records. In these circumstances, a request would capture: 

  • information obtained by another party, ie the patient or person in care; and 
  • internally generated information, ie the medical or care professional’s assessment or comments. 

In these scenarios, it’s likely the content of the two are very closely intertwined. 
When you cannot separate the information you obtained from someone else from the information you created, you should treat all of the information as having been received from another party for the purpose of section 41(1)(a). 

Example

An applicant submitted a request for information to a hospital, asking for a copy of a report on patients’ deaths during or after surgery. 

The report includes both: 

•    information the hospital had received from other people, ie the patients’ medical records and history; and
•    information the hospital created itself, ie a detailed account of the course of treatment given to the patients. 

The information the authority created is likely to be sufficiently specific that its content would also reveal the contents of the information received from the patients. 

Therefore, it’s likely section 41(1)(a) would cover both. 

What about information included in a contract?  

The traditional common law of confidence developed to protect confidential contractual information. 

However, generally, you won’t be able to claim section 41 for confidential information in a contract you’ve entered into with a third party. 

This is because this type of information is not considered to be information “obtained by” an authority from any other person for the purpose of section 41(1)(a). 

Rather, the terms of a contract are normally considered to have been mutually agreed by the parties to the contract.

Example

In Department of Health v The Information Commissioner (EA/2008/0018, 18 November 2008), the then Information Tribunal (now called First-tier Tribunal) found that the terms of the contract between the authority and a private company had been “mutually agreed and therefore not obtained by either party” [para. 34]. 

The applicant had requested a copy of a contract between the then Department of Health (“DoH”) and Methods Consulting Limited (“Methods”), setting out the provision of an electronic recruitment service for the NHS. 

DoH refused to disclose the information under section 41 and 43 of FOIA. 

During the appeal, the authority argued that they had obtained all the information in the contract from Methods. The authority claimed they had provided very little input into the process of drafting the contractual terms. 

The Tribunal rejected this argument. After reviewing the evidence, the Tribunal found that: 

“it is clear that DoH undertook a detailed review of all the proposals and made suggestions of substance, often before a draft had been proposed. The installation of DoH ideas from the Invitation To Tender or discussions certainly negates the assertion that the information in the Contract was obtained from Methods just because it appeared in a document they compiled subsequently” [para. 33].

The Tribunal concluded that the contents and terms of the contract had been mutually agreed by both parties. 

As a result, section 41(1)(a) was not engaged [para. 37].

The same applies to the terms of any form of agreement you have with a third party, not just a formally signed contract.

Example

In Derry City Council v The Information Commissioner (EA/2006/0014, 11 December 2006), the then Information Tribunal (now called First-tier Tribunal) decided that information setting out an agreement between the authority and an airline company was not covered by section 41(1)(a). 

The applicant had requested information about the agreement between Derry City Council and Ryanair airlines for the use of the city airport, in particular the charges applied for using the airport facilities. 

This information was contained in a fax sent by Ryanair to the council a few years before the request. The fax was marked “private and confidential”. The airline and the council never entered into a formal contract. However, they conducted their business based on the terms set out in the fax. 

At para. 32(d), the Tribunal said: 

“The facts of this appeal do not, of course, involve a formal contract signed by the public authority and a third party, but a communication from such a third party setting out the terms which it considered acceptable. (…)  It is apparent (…) that the two parties conducted their business arrangement by reference to the terms set out in the fax. On that basis we believe that the fax must be treated in the same way as a formal contract signed on behalf of each party – it falls outside the exemption.”

As a result, the Tribunal found that section 41(1)(a) was not engaged. 

Section 41(1)(a) could cover certain types of contractual information. You should decide this on a case-by-case basis, depending on the individual circumstances of the case. Information that could be covered includes: 

  • technical information you received from the other party, such as a detailed description of a contractor’s industrial process. This is likely to feature in separate schedules, although it can sometimes form part of the main body of the contract; 
  • information about the other party’s pre-contractual negotiating position;
  • factual information, including the names of companies and other types of organisations to a settlement agreement or an application, where there’s an expectation of confidentiality about their identity.

Example

In Browning v. Information Commissioner and Department for Business, Innovation and Skills ('DBIS') ([2014] EWCA Civ 1050, 30 July 2014), the Court of Appeal (“CoA”) decided that the names of the companies who had applied for export licences from DBIS was information “obtained by” the authority for the purpose of section 41(1)(a). 

The applicant had submitted a request for information about which companies applied for export licences to Iran in the first and second quarter of 2008. 

DBSI relied on section 41 and argued that the companies had an expectation their identity would remain confidential. This was because revealing they were involved in this type of trade would expose them to potential losses. 

At para. 39, the CoA accepted that the identity of the applicant companies was information “obtained from them through the medium of their applications. It is fanciful to suggest that their confidentiality rights could be put in jeopardy by the way in which the public authority chose, for internal purposes, to process the information.”

Based on the CoA’s authority, the Upper Tribunal (“UT”) has made a similar decision in the context of the identities of parties to a settlement agreement. 

In The Information Commissioner v Ian Driver and Thanet District Council [2020] UKUT 333 (AAC) , the UT decided that the names of exporters in a settlement agreement were “non-negotiable facts” which were covered by section 41(1)(a) [para. 30]. 

In this case, the applicant had requested information about the settlement agreements concluded by Thanet District Council with exporters of livestock. 

The council had imposed a ban on this type of exports following an incident in the port of Ramsgate. The High Court had subsequently ruled that the ban was unlawful, and that the council was liable for damages. The council made settlement agreements with several exporters affected by the ban. 

Following the request, the council disclosed most of the requested information, save for the names of the exporters. 

The Upper Tribunal agreed with the Information Commissioner that this information was “obtained by” the authority for the purpose of section 41(1)(a).

Would disclosure to the public constitute an actionable breach of confidence?

Once you’re satisfied you obtained the information from another party, you must go on to consider if disclosing it to the public would expose you to a successful cause of action for a breach of confidence.  

This means you have to:

  • first, decide if the disclosure would result in a breach of confidence; 
  • then, consider if the breach is “actionable”. That is, if the person bringing a claim for the breach would be likely to win.

Would disclosure constitute a breach of confidence?  

To decide if the disclosure would result in a breach of confidence, you should follow the three-part test set out by Judge Megarry in the High Court decision in Coco v A.N. Clark (Engineers) LtD [1969] RPC 41 [para. 47]. This is often called the “Coco test”. 

There are three elements to the test. These are: 

  1. The information must have the “necessary quality of confidence”.
  2. The information was imparted in circumstances importing an obligation of confidence. 
  3. There is an unauthorised use of the information. 

If you’re applying the Coco test to rely on section 41(2), ie to give a neither confirm nor deny response, you should apply it based on what would be revealed if you held the information. 

That is, if you held the information: 

  • Would it have the necessary quality of confidence? 
  • Would it have been imparted in circumstances importing an obligation of confidence? 
  • Would confirming or denying holding the information be an unauthorised use of it which would cause detriment to the person to whom you would owe a duty of confidence? 

Sometimes, you won’t have to consider detriment. We explain more about this in the section “There is an unauthorised use of the information”. 

Does the information have the necessary quality of confidence?

The first part of the Coco test is demonstrating that the information is confidential in nature. Generally, there are two indicators that can help you decide this. These are: 

  • inaccessibility of the information; and
  • its value. 

Inaccessibility

The first indicator of confidentiality is the inaccessibility of the information. Information cannot be confidential if it’s widely available.

In the High Court decision in Coco v A.N. Clark (Engineers) LtD [1969] RPC 41 [para. 20], Judge Megarry said: 

“…there can be no breach of confidence in revealing something to others which is already common knowledge.”

To be protected as confidential, you must show that it is: 

  • generally inaccessible to the public; and
  • not public knowledge.

Inadvertently sharing the information could result in loss of confidence.

Example

In Case v The Information Commissioner and Colehill Parish Council (EA/2013/0045, 12 November 2013), the First-tier Tribunal decided that section 41 was not engaged because the disputed information did not have the “basic attribute of inaccessibility” [para. 89]. 

The applicant had requested a copy of a letter about the installation of memorials in a cemetery. The letter had been referenced in the minutes of a public meeting of the Joint Management Committee (“JMC”) of three parish councils responsible for the cemetery. 

The applicant submitted the request to all three councils. Colehill Parish Council took the lead in responding. They refused disclosing the information by relying on section 41. They argued that the sender of the letter to the council had an expectation that they would keep it confidential. 
The Tribunal rejected this claim and decided that the letter did not have the necessary quality of confidence. It found that the letter: 

  • made no reference to confidentiality; and
  • the sender seemed to expect that the public meeting of the JMC would discuss the letter’s contents.

As a result, the Tribunal concluded: 

“In our view the information in the disputed letter was capable of having the necessary quality of confidence. It was not trivial, but was information of significance. But there is a live question in this case whether the information in fact had the necessary quality of confidence at the time when the request for it was made.” [para. 88]

“In our judgment, at least most of it did not, because the basic attribute of inaccessibility was not present. The letter, and much of the information in it, was mentioned at the public meeting of the JMC. 

Any member of the public could have listened to what was said and asked to look at the letter. After the meeting the minutes were distributed to the three constituent councils and made available to a substantial number of people, all without any suggestion of confidentiality. At the next subsequent meetings of those councils any member of the public could have asked to see the material documents, being both the minutes and the letter. (…) Accordingly, much of the information was readily accessible to anyone interested in it.” [para. 89]

Generally, if the information is in the public domain, it will not have the necessary quality of confidence. We consider that information is in the public domain when it is realistically accessible to the general public at the time of your response to the request.  

Information does not necessarily stay in the public domain indefinitely. Therefore, you should always assess the extent to which the information is publicly accessible based on the specific circumstances of the case at the time of your response. At the latest, this is the time when you must issue your response in accordance with FOIA statutory timeframes.

However, in the case of commercial confidentiality, we consider confidentiality is permanently lost if the information has entered the public domain at any time, regardless of whether the material is no longer accessible at the time of your response. 

Normally, information that was previously disclosed in response to an FOI request is considered information in the public domain. Therefore, it’s unlikely to have the necessary quality of confidence for the purpose of the first limb of the Coco test.

In Office of Government Commerce v The Information Commissioner and HM Attorney General ([2008] EWHC 737 (Admin), 11 April 2008), the High Court explained: 

“Disclosure under FOIA is always to the person making the request under section 1. However, once such a request has been complied with by disclosure to the applicant, the information is in the public domain. It ceases to be protected by any confidentiality it had prior to disclosure.” [para. 72]

Confidential information shared with a limited number of people does not automatically enter the public domain. Unless the recipients place it in the public domain or share it more widely, the information will usually keep its confidential status if shared with a limited audience on condition of confidentiality.

Example

In HRH The Prince of Wales v Associated Newspaper Ltd [2006] EWHC 522 (Ch), the High Court held that the information still retained the necessary quality of confidence even though the owner had shared the information with some people. 

The information was the handwritten travel journals of the then Prince of Wales. Copies of the journals were circulated to a limited circle of friends with an expectation they were not for further sharing. 

An employee in the Prince of Wales’s private office supplied copies of the diaries to a newspaper, which published extracts from one of the journals. 

The Prince of Wales sought an order to restrain the publication of the remaining journals. 

The newspaper opposed this, arguing the contents of the journals were not confidential because they had been shared with numerous people in the prince’s private circle. 

The High Court rejected this argument and decided that the material had not lost its confidentiality even though it had been shared with some people. The Court said: 

“it is obvious that the claimant regarded his journals as private and confidential. The envelopes in which copies were circulated to persons outside the Private Office were so marked. It is also obvious that staff within the Private Office were not free to treat them as other than confidential [para. 73] 

(…)

As to the number of people to whom journals were circulated, the point is only relevant if it can be said that the distribution of the journals was so widespread that it could not be supposed that there was any expectation that their contents would be kept confidential (…) the evidence was that the recipients were individually selected by the claimant, that each received his/her copy under cover of a signed letter from the claimant” [para. 74]

If you wish to know more about the effect of information in the public domain on your handling of an FOI request, read our detailed guidance on Information in the public domain

You should generally consider information that has entered the public domain as no longer having the necessary quality of confidence. However, you should always assess the confidentiality of information on a case-by-case basis, considering the: 

  • scope of the request; 
  • exact content of the requested information; and 
  • circumstances existing at the time of your response. 

In particular, you should consider: 

  • Is the information still in the public domain at the relevant time? As mentioned, information does not necessarily remain in the public domain forever.
  • Would disclosure of the requested information reveal something new or give new context to something not known? 

Example

In Bluck v The Information Commissioner and Epsom and St Helier University NHS Trust (EA/2006/0090, 17 September 2007), the Tribunal found that the information had not lost the necessary quality of confidence even though some related information had been previously shared and was known to the Appellant. 

The applicant had requested information about their daughter’s death in hospital. Five years after their daughter’s death, the applicant had learned the hospital had admitted liability for the death. The hospital had also reached a settlement with the widower as the next of kin. 

Some information about the death was in the public domain. However, the Tribunal did not accept this resulted in a loss of confidentiality of the specific information that had been requested. 

The Tribunal concluded that the records:

“contain a certain amount of information, beyond that contained in earlier correspondence, press statements and court documents disclosed to the Appellant without restriction. In our view that body of non-disclosed information retains the necessary quality of confidence and would be capable of forming the basis of a claim for breach of confidence.” [para. 16]

How did the information enter the public domain? For example, similar information might have entered the public domain as a result of a mistake, poor practice, leak or a breach of confidence. In such a situation, you should not assume the information has lost confidentiality. 

Example 

In S v The Information Commissioner and The General Register Officer (EA/2006/0030, 9 May 2007), the Tribunal rejected the argument that the information was not subject to a duty of confidence because the General Register Office (“GRO”) had shared similar information before. 

The Tribunal said: 

“The inconsistency of approach in this case appears to be indicative of a lack of good practice and/or understanding of the scope and remit of FOIA within the GRO rather than evidence that there is no duty of confidentiality.” [para. 86]

Value

The second indicator of whether information has the necessary quality of confidence is its value. The duty of confidence does not apply to trivial or trite information.

In HM Attorney General v The Observer Limited and others [1990] 1 AC 109, Lord Goff said: 

“the duty of confidence applies neither to useless information, nor to trivia” (page. 29)

This doesn't mean the information has to be highly sensitive. However, it should be significant in some way, worthy of protection in the sense that a person has a genuine interest in its contents remaining confidential. 

The value of information can be relative. If you believe the confider or the person who the information is about would clearly attach some importance to it, you should treat it as more than trivial.

Example

In the GRO example mentioned before, the Tribunal said: 

“the Informant has attached a great deal of emotional significance to this information and that she feels that to have it disclosed by a third party against her wishes would cause her distress. On this basis we are satisfied that to the Informant it is clearly information worthy of protection” [para. 36]

You should also treat as more than trivial information about personal matters. People’s privacy warrants protection simply because people have a right for their private lives to remain private. 

The law of confidence has evolved to recognise this principle, especially after the introduction of the Human Rights Act (1998).

For more information on this, please read the section “How does section 41 apply in the context of requests for private information?”.

Was the information imparted in circumstances importing an obligation of confidence?

Once you’ve established the information has the necessary quality of confidence, you must go on to consider the second part of the Coco test. 
This part deals with the circumstances in which you received the information. The second limb of the test requires you to address this question: did you receive the information in circumstances which would have created an expectation in the confider that the information they were communicating would be kept confidential and not widely shared? 

This expectation could be either explicit or implicit. 

There are circumstances in which it is clear you are being given information in confidence because the confider has explicitly asked you to treat the information as confidential. For example, a contractor tendering in a public procurement exercise might share some technical information by attaching explicit restrictions on sharing it further. Similarly, you might collect or be given information based on explicit assurances you will treat it as confidential.

Example

In Martin-Clark v The Information Commissioner and Homes for Haringey ([2023] UKUT 245 (AAC), 3 October 2023), the Upper Tribunal decided that the First-tier Tribunal was right to conclude that information the authority had obtained by third parties as part of an audit “on condition of confidentiality” was information provided in circumstances importing an obligation of confidence. This had also been made explicit in the terms of reference for the audit. [para. 61 – 63]

Explicit conditions attached to the information can be a helpful indicator that the confider expects you to treat the information as confidential. However, this is not necessarily a determinative factor. You should assess each request on its merits, carefully considering the contents of the information and the circumstances in which you received it.

Example

In Busby v The Information Commissioner and The Home Office ([2023] UKFTT 00305 (GRC), 9 January 2023), the First-tier Tribunal rejected the authority’s claim that a report sent by another authority as “confidential” contained information communicated in circumstances importing an obligation of confidence. 

The applicant had requested from the Home Office a copy of a report making recommendations about illegal substance misuse. The report was produced by the Advisory Council on the Misuse of Drugs (“ACMD”). ACMD is a non-departmental public body responsible for advising government about drug-related issues. ACMD had sent the report to the Home Office, explicitly marking it as “confidential”. 

On appeal, the Tribunal rejected the Home Office’s claim that the information was shared in circumstances which gave rise to a duty of confidence. 

The Tribunal concluded: 

“41(1) FOIA (…) is often claimed where there is a documented obligation of confidentiality between two parties (…). 

The terms of reference between ACMD and the Home Office clearly create a relationship of transparency unless exceptional circumstances apply, and such circumstances are to be explained. We have seen no explanation for the claimed non-transparency in relation to this report. 

(…) the Home Office simply accepted that it was not intended for publication, as it was the only ACMD report which was marked ‘confidential’. 

ACMD has not provided us with any evidence about why it affixed the word ‘confidential’ to the report. The use of the term ‘confidential’ is not explained in the report itself or its covering letter. (…) 

It does not seem to us that an actionable duty of confidence can be created merely by the use of the word ‘confidential’ alone, if the surrounding circumstances do not support the importation of a duty of confidence.” [para. 43 – 45]

The section about “Protectively marked documents” has more advice on this topic. 

There are other situations where the expectation of confidentiality is implicit. 

Normally, an implicit duty of confidence attaches to information shared in certain professional settings or given to you for the discharge of certain functions as a public authority. 

The following categories of information are likely to attract confidence:  

  • People’s health information shared in the context of a patient-doctor relationship. 
  • Information someone gave you as part of a complaint, investigation or reporting of safeguarding or abuse concerns.
  • Information shared with you as part of the discharge of your functions as a public authority. 

There may be circumstances when it’s not obvious someone is sharing information with you based on conditions of confidentiality. In such circumstances, misunderstandings can happen. This is because, when an obligation of confidence is implicit, there is always the risk that you and the confider may have different expectations.

In these situations, you should apply the “reasonable person” test. In the High Court decision in Coco v A.N. Clark (Engineers) LtD [1969] RPC 41, Judge Megarry explained this as follows:

“if the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised that upon reasonable grounds the information was being given to him in confidence, then this should suffice to impose upon him the equitable obligation of confidence. (…)” [page. 48, para. 15]

If you’re still in doubt, you could consult those affected by the disclosure of the information. If you choose to do so, this must not delay your response to the request.

Example

In the GRO example cited earlier, the Tribunal accepted that the information was communicated in circumstances where the confider had an implied expectation that GRO would keep the information confidential. 

The confider was the person who registered their partner’s death. This was subsequently disputed by the family of the deceased. 

When registering the death, the confider attended a “question and answer” session to provide certain details about the death. This session was confidential. 

After the deceased’s family disputed the registration, the GRO sent a letter to the confider asking them to clarify the information provided during the “question and answer” session. 

The applicant requested a copy of the confider’s response. The GRO withheld this under section 41(1) of FOIA. 

The Tribunal noted that: 

  • the GRO’s letter did not give a specific undertaking of confidentiality to the recipient; and 
  • the confider also did not mark the response as information provided on the condition that it should remain confidential. 

Nonetheless, the Tribunal accepted the confider letter was shared in circumstances importing an implicit obligation of confidence. This is because the letter was about information normally given in the “question and answers” session when registering the death. On evidence, these sessions are subject to conditions of confidentiality.

Would there be an unauthorised use of the information? 

The third part of the Coco test is the unauthorised use of the information. This means using the information in a way which is not compatible with its confidential nature. 

What about “detriment”? 

Detriment is the harm which could come to the confider through your unauthorised use of their information. 

If the request captures information about people’s private lives, you don’t have to show that the confider would experience detriment through its use. Disclosing people’s private information is an intrusion into their privacy and would interfere with people’s human right for respect of their private and family life. The loss of privacy resulting from an unauthorised disclosure is a form of detriment in its own right. 

We explain more about this in the section “How does section 41 apply in the context of requests for private information?”.

By contrast – when applying section 41 to requests for commercially sensitive information – we expect you to show how the unauthorised use of the information would be detrimental to the person you owe the duty of confidence to.

Example

In Higher Education Funding Council for England v The Information Commissioner and Guardian News and Media LtD (EA/2009/0036, 13 January 2010), the then Information Rights Tribunal (now called First-tier Tribunal) decided that, in the context of commercial confidence, an authority must show that detriment to the confider would result from the unauthorised use of the information [para. 44]. 

The applicant had requested information from the Higher Education Funding Council for England (“HEFCE”) about the state of buildings in certain higher education institutions (“HEIs”). HEFCE was a non-departmental public body responsible for funding teaching and research in universities and colleges in England. They kept a database of information about the management of land and buildings by HEIs. The HEIs voluntarily sent the information for the HEFCE to include in the database. 

The Tribunal noted that the information was of commercial nature. It accepted the information had the necessary quality of confidence and HEFCE had obtained it in circumstances importing an obligation of confidence. However, the Tribunal rejected HEFCE’s claim that showing detriment was not an essential requirement. 

At para. 44, the Tribunal concluded “that the HEFCE must prove detriment flowing from disclosure before the hypothetical cause of action may be said to have been established (and the exemption thereby triggered).”

Could someone bring a claim against you for breaching confidence?

Applying the Coco test helps you decide if disclosing the information to the public would lead you to breach a duty of confidence you owe. 

Once you’re satisfied it would, you need to consider if someone could bring a legal action against you for that breach. In other words, could someone sue you for breaching confidence? 

The person bringing the action could be: 

  • the person from whom you originally obtained the information; or 
  • any other person to whom you owe the duty. 

The person could also be a legal person, ie an organisation or another public authority. 

Sometimes, more than one person may be entitled to bring an action for breach of confidence.

Example

A school provides a local authority with a copy of a confidential report concerning pupils’ levels of truancy. A local newspaper subsequently makes an FOI request to the authority for a copy of this report. 

The report includes names of the pupils concerned and the details of the disciplinary measures taken against them. It also contains information that the pupils’ parents gave to the school ‘in confidence’. 

In this case, the authority would owe a duty of confidence to: 

  • the school itself, which originally gave the information to the local authority; and 
  • the parents who gave information to the school, which fed into the report. 

If the local authority were to disclose information in the report to the newspaper, both the school and individual parents could bring a claim against the local authority for breach of confidence.

You don’t have to identify specific people likely to bring a claim. However, we expect you to show there would be people who would have the right to take legal action against you for breaching confidence.  

The duty of confidence remains even if the person you owed the duty to dies. In these cases, you would have to consider if there is a personal representative of that person who could sue you for breaching confidence. 

We explain more about this in the section “How does section 41 apply in the context of requests for information about deceased people?”.

Would the claim be “actionable”? 

Once you’re satisfied there is someone who could bring a claim against you for breach of confidence, you must consider if the claim is “actionable”. “Actionable” does not mean arguable.

When Parliament was debating the Freedom of Information Bill, Lord Falconer of Thoroton, the sponsoring Minister of the Bill, explained the meaning of “actionable” as follows: 

“... the word "actionable" does not mean arguable (…) It means something that would be upheld by the courts; for example, an action that is taken and won.” (Hansard Vol.619, col. 176)

Tribunals have confirmed that "actionable" in the context of section 41 means demonstrating the claim would be likely to succeed based on the balance of probabilities. That is, it is more likely than not that the person bringing the claim would win. 

In the Higher Education Funding Council for England example cited above, the Tribunal decided that a public authority had to show that a breach of confidence would succeed on the balance of probabilities to engage section 41. 

The Tribunal said: 

“Our conclusion (…) is that the HEFCE must establish that disclosure would expose it to the risk of a breach of confidence claim which, on a balance of probabilities, would succeed. (…) Establishing that such a claim would be arguable is not sufficient to bring the exemption into play.” [para. 30]

Would you have a public interest defence to the claim? 

A claim for breach of confidence is not actionable when you can show that breaching a duty of confidence you owe to someone is in the public interest. This is called a “public interest defence”.

This requires you to carry out a balancing exercise, even though section 41 is an absolute exemption. This balancing exercise is not the same as doing a public interest test when you rely on a qualified exemption. Rather, the purpose of the balancing exercise under section 41 is to decide if you would be able to defeat a claim for breach of confidence on public interest grounds.

In HM Attorney General v The Observer Limited and others [1990] 1 AC 109, Lord Goff of Chieveley explained: 

“although the basis of the law's protection of confidence is that there is a public interest that confidences should be preserved and protected by the law, nevertheless that public interest may be outweighed by some other countervailing public interest which favours disclosure.” [page. 29]

To decide if confidentiality could be overridden, you need to apply a test of proportionality. The courts have adopted this approach to acknowledge the need to apply the provisions of the Human Rights Act 1998 for the purpose of protecting the fundamental human rights guaranteed under the European Convention on Human Rights.

In London Regional Transport v The Mayor of London [2001] EWCA Civ 1491, the Court of Appeal described the task as follows: 

“Proportionality (…)  is the tool (…) which the Court has adopted (…)  for deciding a variety of Convention [on human rights] issues including, for the purposes of the qualifications to Arts. 8 to 11, what is and is not necessary in a democratic society. (…) Does the measure meet a recognised and pressing social need? Does it negate the primary right or restrict it more than is necessary? Are the reasons given for it logical?” [para. 57] 

When considering refusing information under section 41 of FOIA, the right that is at risk of interference is the right to freedom of expression. This right includes receiving and imparting information and ideas (article 10(1)). 

The article 10(1) right to freedom of expression is qualified. The legitimate grounds which justify restricting it are set out in article 10(2). These grounds include safeguarding information received in confidence. 

In practice, this means that you would have a public interest defence to a claim for breach of confidence if you can show that: 

  • maintaining the confidence restricts the article 10(1) right to freedom of expression more than is necessary; and
  • the restriction is not proportionate to the recognised social need of fostering freedom of expression. 

We examine the relevant factors you need to consider in the sections below. 
If the request relates to information about private matters, the exercise is about striking a balance between two competing fundamental rights: the right to respect for private and family life (article 8(1)) and the right to freedom of expression. 

For more information about this, please read the section “How do we apply section 41 in the context of requests for private information?”.

Public interest defence arguments

Generally, the courts have refused to protect the confidentiality of information where upholding confidentiality would result in: 

  • covering up wrongdoing. This is the so-called “defence of iniquity”;
  • hindering the public from being informed about issues of major public concern; and
  • misleading or misinforming the public. 

This means you may have a public interest defence to a claim for breach of confidence when disclosing the information to the world at large would: 

  • reveal evidence of misconduct or illegality. This can include evidence of misfeasance, maladministration or negligence. 

Example

In decision notice FS50882004, the Information Commissioner decided that a Welsh Health Board was not entitled to rely on section 41 to withhold a copy of an investigation report into the quality of care in a hospital’s mental health unit (the ‘Robin Holden’ report). 

The Commissioner took the view that the Board would have had an overriding public interest defence to a breach of confidence because the report revealed the existence of clinical negligence, which was putting vulnerable patients at risk. 

Amongst the public interest arguments enabling the Board to justify the breach of confidence, the Commissioner noted: 

“(…) there is a strong public interest in the disclosure of the information as it indicates that there was a very serious and concerning situation on two of the wards at the Hergest Unit responsible for the care of vulnerable adults. [para. 40]

Additionally, there were wider concerns regarding the quality and safety of care provided to mental health patients in other areas falling within the Health Board’s responsibility (…) suggesting that the concerns identified in the Holden Report were more widespread.” [para. 41]

As a result, the Commissioner ordered disclosure of the report subject to redaction of some personal information which could be withheld under section 40(2) of FOIA.

You don’t have to establish as a matter-of-fact wrongdoing occurred. However, you need to be able to show you had reasonable grounds to believe the allegations were well-founded.

In HM Attorney General v The Observer Limited and others [1990] 1 AC 109, Lord Goff of Chieveley said: 

“a mere allegation of iniquity is not of itself sufficient to justify disclosure in the public interest. Such an allegation will only do so if (…) having regard to all the circumstances of the case, the allegation in question can reasonably be regarded as being a credible allegation from an apparently reliable source.” [page 29]. 

  • enable the public to:
    • be informed about matters of public concern; 
    • understand how decisions were made; and 
    • scrutinise and challenge those decisions, especially when they involve spending large sums of public money or significantly affect people’s lives. 

Example

In the London Regional Transport decision mentioned before, the Court of Appeal upheld the High Court’s decision to refuse to restrain publication of an independent consultant’s report about the award process to create a Public-Private Partnership (“PPP”) arrangement for upgrading and maintaining the London Underground. 

The report doubted the feasibility of the proposed arrangement, in particular its value for money. 

The then Mayor of London intended to publish a redacted version of the report. 

The London Regional Transport (“LRT”) and the London Underground LtD (“LUL”) sought an injunction to prevent the publication. The claimants argued publishing the report would result in a breach of confidence owed to the companies bidding for the PPP contracts. 

In upholding the High Court’s decision to refuse restraining publication, the Court of Appeal said: 

“The guiding principle is to preserve legitimate commercial confidentiality while enabling the general public (…) to be informed of serious criticism, from a responsible source, of the value for money evaluation which is a crucial part of the PPP for the London Underground. That is a very important public interest (…) which must go into the scales on proportionality.” [LJ Walker, para. 50]

“The report is on one view a set of contested opinions about the bidding process; but on another it is an expert and adverse evaluation of it, the very fact of which is of public importance. Whether or not undertakings of confidentiality had been signed, both domestic law and Art. 10(2) (…) recognise the legitimacy of disclosure, undertakings [of confidentiality] notwithstanding, if the public interest in the free flow of information and ideas will be served by it.” [LJ Sedley, para. 55]

  • help to “set the record straight”, thereby enabling the public to have an accurate account of matters of public importance. 

Example

A police force partners with a supplier for the use of a new breathalyser to test suspected drunk drivers. The police talk about this at a press conference and claim the new breathalyser is incredibly accurate in measuring alcohol concentration in a driver’s breath. 

Partial leaked documents containing confidential information from the supplier reveal there were concerns about the accuracy of the new equipment. 

A journalist submits a freedom of information request for a full copy of the documents and data about the breathalyser’s reliability. 

In this case, the police had publicly claimed the breathalysers were very accurate. However, the leaked documents suggest otherwise. 

Breaching confidence owed to the supplier in such a case could be justifiable on public interest grounds. 

This is because releasing the information would correct the false impression the police gave at the press conference about the breathalyser’s accuracy. 

There’s also a public interest in disclosing information enabling the debate over an issue of public concern, ie the reliability of equipment used by the police to detect and convict potential drunk drivers. 

Arguments in favour of maintaining confidence

As explained before, the law of confidence rests on the general principle that people have a right to expect that information they shared in confidence remains confidential. 

Safeguarding this principle is in the public interest.

In Associated Newspapers Limited v HRH The Prince of Wales ([2006] EWCA Civ 1776, 21 December 2006), the Court of Appeal said: 

“There is an important public interest in the observance of duties of confidence (…) a significant element to be weighed in the balance is the importance in a democratic society of upholding duties of confidence that are created between individuals” [para. 67]

As a public authority, complying with your duty of confidence is crucial to the relationship of trust you have with people and other organisations. 

Breaching confidence can seriously undermine this relationship. In turn, this would harm the public interest because it would: 

  • discourage people from providing information you need to perform your functions effectively, or from reporting concerns which could expose wrongdoing;

Example

The trading standards department of a local authority has received several complaints from members of the public over the safety of a product sold by a local company. The local authority gives assurances that they treat all complaints in confidence. 

The local authority informs the company that they have received letters of complaint about the product. The company submits an FOI request asking for copies of the complaints. 

In this scenario, releasing the contents of the letters in breach of confidence could deter members of the public from bringing consumer complaints to the local authority’s attention. 

This would not be in the public interest because it would prevent the public authority from receiving valuable intelligence and make it more difficult to enforce consumer and trading laws in the local area. 

  • put contractors and suppliers off from participating in public procurement. This would also impair your ability to secure the best deal possible when procuring services and goods.

Example

In decision notice FS50496241, the Information Commissioner decided that the public authority was entitled to rely on section 41 to withhold information about suppliers’ experience and approaches to business. 

The applicant had requested from the University of Sussex a copy of a business case setting out proposals to outsource catering and facilities management. Some stakeholders had opposed this project. 

During the Commissioner’s investigation, the authority disclosed most of the requested information. However, they relied on section 41 to withhold information about suppliers’ experience and approaches to business. Some suppliers consented to the disclosure of the information. However, other suppliers were concerned that disclosing this information would allow their competitors to gain a competitive edge over them when trying to win over potential clients and submitting offers. 

The Commissioner found section 41 was engaged because the University would not have a public interest defence to the breach of confidence. 

The Commissioner noted: 

“the remaining withheld information does contain some frank information about suppliers’ experiences, expertise or lack of it in certain areas. He agrees that this information could be useful to competitors, as it identifies their strengths and potential weaknesses which could then be to their disadvantage.” [para. 31]

“the majority of the report in question has now been released – the only information that remains is information that was supplied to the university on a confidential basis and which would be likely to cause commercial detriment to those firms that supplied it if it were to be released. He does not consider the remaining information would add to public debate or help those opposed to the project to voice their concerns or understand more clearly the university’s proposals.” [para. 37]

How do we balance competing arguments? 

As explained before, you should apply a proportionality test when balancing the above competing arguments to decide if you would have a public interest defence to a breach of confidence claim. 

When you disclose information in response to an FOI request, you are effectively placing it in the public domain. That will result in the information losing its confidentiality. 

The courts have recognised that a duty of confidence can be breached in the public interest. However, that does not mean that the public interest is best served by a disclosure to the world at large. Sometimes, disclosure of some information or disclosure to a limited audience may be more appropriate. 

Therefore, you need to consider: 

  • the nature and significance of the confidential information;  
  • the extent to which disclosing it is necessary to achieve the legitimate aim of giving effect to the article 10(1) right on freedom of expression. We have set out the legitimate grounds for this purpose in the section “Public interest defence arguments”; and
  • whether releasing it in the public domain is a proportionate way to achieve that aim. 

Disclosing information you received in confidence to the whole world is unlikely to be a proportionate measure when: 

  • there are alternative ways to achieve the legitimate aim, without encroaching on people’s right to have their confidences respected as recognised by article 10(2);
  • there is already information in the public domain which furthers the relevant aim; and
  • it would have a disproportionate impact on the confider compared to the value of the information and the reason for sharing it with you.

Example

In Graves v The Information Commissioner ([2022] UKFTT 00245 (GRC), 5 July 2022), the First-tier Tribunal (“FtT”) upheld the Commissioner’s decision that the authority was entitled to rely on section 41 to withhold the witness statements given as part of an investigation about the quality of care in a hospital’s mental health unit. 

As discussed in this example, the Commissioner had ordered the authority to disclose a copy of the investigation report (the “Robin Holden” report). 

In this case, the applicant asked for the transcripts of the statements of the staff members who gave testimony during the investigation. 

The Tribunal acknowledged that “there is an extremely significant public interest in transparency in relation to the operation of mental health services in North Wales (…). We accept that this interest remains extremely significant despite the passage of time since the Holden Report because of the ongoing serious concerns, the evidence of recent serious incidents including deaths of patients and the evidence that not all matters raised in the Holden Report have been satisfactorily addressed.” [para. 72] 

However, it decided that the public interest was met by the imminent publication of the Holden Report, which included anonymised extracts from the staff testimonies. 

The FtT argued that the report “was an independent report. It detailed and dealt fairly with the concerns of those interviewed. It quoted extensively from the testimonies, including quotes relating to the allegations of bullying, the difficulties in reporting SUIs and nutritional neglect. It made critical findings and a total of 19 recommendations for improvements. The Commissioner’s decision that the Holden Report and its appendix be published in our view significantly reduces the public interest in the publication of the verbatim records of the testimonies themselves.” [para. 73]

This example shows that breaching the duty of confidence owed to the whistle-blowers by releasing the full transcripts of their interviews was not a proportionate way to achieve the legitimate aim of informing the public and enabling scrutiny of a serious issue, ie the poor quality of care in a hospital which was putting vulnerable patients at risk. 

This is because: 

  • the Health Board had acted upon the concerns raised by the whistleblowers;
  • an independent third-party had conducted a thorough investigation which resulted in a comprehensive report, including making recommendations to address the issues raised;
  • the Information Commissioner had ordered the disclosure of the report;
  • whistleblowers and staff members would be inhibited from coming forward and speak candidly in the future if they could not trust the assurance the full testimony would be treated as confidential; and
  • if the hospital had not acted on some of the recommendations, other avenues were available to address that failure. For example, relevant regulatory bodies had the power to further investigate and could obtain a copy of the testimonies if it would assist with the investigation. 

By contrast, disclosing the report of the investigation was necessary to meet the public interest because:

  • staff members had serious concerns about patient care in the hospital, and they had agreed to act as witnesses to ensure something was done about that;
  • the investigation had completed a few years before the request. There was a public interest in allowing the public to know if and how the recommendations had been implemented, and hold the public authority to account if not; and
  • there was evidence the same issues existed in other hospitals for which the Health Board was responsible. 

When balancing competing arguments to decide if you have a public interest defence to a claim for breach of confidence, the weight to attach to each relevant factor will depend on the value of the information and the circumstances of the case.

In Campbell v MGN Ltd ([2004] UKHL 22, 6 May 2004)), Baroness Hale of Richmond explained: 

“What was the nature of the freedom of expression which was being asserted on the other side? There are undoubtedly different types of speech, (…), some of which are more deserving of protection in a democratic society than others. (…) The free exchange of information and ideas on matters relevant to the organisation of the economic, social and political life of the country is crucial to any democracy. Without this, it can scarcely be called a democracy at all.” [para. 148]

This means that it’s unlikely breaching confidence is justifiable when the information adds little to the debate over issues of public importance in a meaningful way. 

Remember that the balancing exercise for the purpose of section 41 is different from the public interest test you carry out under section 2 of FOIA. 

Read our guidance on The public interest test if you wish to know more about this topic.  

The purpose of section 41 is to protect information shared with you in confidence. As explained before, the test is “otherwise than under the Act”, ie it’s based on the law of confidence. The default is the principle that you should maintain that confidence unless a public interest defence is available to you.

If you decide that you would not have a public interest defence to an actionable claim for breach of confidence, section 41 is engaged. You must not disclose the information. 

If you decide that you can justify breaching confidence in the public interest, section 41 is not engaged. You must disclose the information unless you can show another exemption applies.