Appendix A - The Duty to Confirm or Deny
Under section 1(1)(a) of the Freedom of Information Act 2000, any person
making a request for information to a public authority is entitled to be informed in
writing whether it holds the information specified in the request.
Furthermore, the Freedom of Information Act is designed to place information
into the public domain. Therefore, once access to information is granted to one
person under the Act, it is then considered to be public information and may be
communicated to any individual upon request. In accordance with this principle,
the MPS routinely publishes information disclosed under the Freedom of
Information Act on the MPS Internet site1.
The Information Commissioner’s Office (ICO) guidance titled ‘When to refuse to
confirm or deny information is held’ states2:
‘In certain circumstances, even confirming or denying that requested
information is held can reveal information that falls under an exemption. A
public authority may be able to use an exemption to refuse to confirm
whether or not it holds information, if either confirming or denying would
reveal exempt information in itself. A neither confirm nor deny response is more likely to be needed for very
specific requests than for more general or wide ranging requests. It can be important to use a neither confirm nor deny response
consistently, every time a certain type of information is requested,
regardless of whether the information is actually held or not. For this
reason public authorities need to be alert to the possibility of receiving
future requests for the same type of information when handling very
specific or detailed requests.’ ‘There are situations where a public authority will need to use the neither
confirm nor deny response consistently over a series of separate
requests, regardless of whether it holds the requested information. This is
to prevent refusing to confirm or deny being taken as an indication of
whether information is held. Before complying with section 1(1)(a), public
authorities should consider both whether any harm would arise from
confirming that information is held and whether harm would arise from
stating that no information is held. Otherwise, if the same (or same type
of) requests were made on several occasions, a changing response could
reveal whether information was held.’
1 http://www.met.police.uk/foi/disclosure/disclosure_log.htm
2 https://ico.org.uk/media/for-organisations/documents/1166/when_to_refuse_to_confirm_or_deny_section_1_foia.pdf
The table below illustrates the harm that may be caused by being inconsistent
when issuing responses to requests that may require a neither confirm nor deny
(NCND) response.
Request 1
Request 2
Request 3
Request 4
Example A
Not Held
Not Held
NCND
Not Held
Example B
Held
Held
NCND
Held
Example C
NCND
NCND
NCND
NCND
The rows represent examples of difference scenarios. The columns (Requests 1-
4) represent either:
the same request received over a period of time by one or more public
authorities
or
similar requests received at the same time or over a period of time by one
or more public authorities
Example A illustrates the scenario described within the ICO guidance as follows:
‘…a police force may hold information regarding particular properties they
have under surveillance – it is likely that if a request were made for
information about the surveillance of a certain property, this information
would be exempt under section 30 (investigations and proceedings
conducted by public authorities). A public authority could therefore refuse
to confirm or deny whether it holds information about a property under
surveillance.
Furthermore, this would apply even if information was requested about a
property not under surveillance. If a police force only upheld its duty to
confirm or deny where it was not keeping properties under surveillance, an
applicant could reasonably assume that where the police force refused to
confirm or deny, the property named in the request was under
surveillance.’
In this example, an inconsistent response to identical or similar queries over a
period of time indicates that information is held or allows such inferences to be
made which in this scenario would be harmful.
Example B illustrates the following example provided within ICO guidance:
‘A public authority receives a request for information about any prisoners
who are under surveillance. The public authority judges that it would not
be harmful to confirm that they hold information about this topic. However,
if they did not hold such information, then revealing this could be harmful
as it would confirm to prisoners that they were not under surveillance.
Therefore, whether or not information is held, the authority should refuse
to confirm or deny.
If the public authority doesn’t take this consistent approach then the
occasions when it provides a neither confirm nor deny response may
unintentionally imply whether or not information is held.’
‘Although the public authority hasn’t actually denied that information is
held for request 3, the different response could be interpreted as indicating
that this is the case.’
In this example, an inconsistent response to identical or similar queries over a
period of time indicates that information is held or allows such inferences to be
made which in this scenario would be harmful.
Example C illustrates how a consistent response does not provide an indication,
or allow inferences to be made, as to whether or not information is held which
may be necessary a confirmation would be harmful.
Additional ICO guidance3 refers to ‘Mosaic and precedent effects’ stating:
‘Mosaic and precedent effects
21.The prejudice test is not limited to the harm that could be caused by
the requested information on its own. Account can be taken of any harm
likely to arise if the requested information were put together with other
information. This is commonly known as the ‘mosaic effect’. As explained
in the Information Commissioner’s guidance information in the public
domain, the mosaic effect usually considers the prejudice that would be
caused if the requested information was combined with information
already in the public domain.
22. However, some requests can set a precedent, ie complying with one
request would make it more difficult to refuse requests for similar
information in the future. It is therefore appropriate to consider any harm
that would be caused by combining the requested information with the
information a public authority could be forced to subsequently provide if
the current request was complied with. This is known as the precedent
effect.’
The ICO’s ‘When to refuse to confirm or deny information is held’ guidance
further states:
‘It is sufficient to demonstrate that either a hypothetical confirmation or
denial would engage the exemption. In other words, it is not necessary to
show that both confirming and denying information is held would engage
3 https://ico.org.uk/media/for-organisations/documents/1207/law-enforcement-foi-section-31.pdf
the exemption from complying with section 1(1)(a).’ ‘When considering what a confirmation or denial would reveal, a public
authority isn’t limited to considering what the public may learn from such a
response; if it can demonstrate that a confirmation or denial would be
revealing to someone with more specialist knowledge, this is enough to
engage the exclusion to confirm or deny.’
Where such a statement could relate to an identifiable individual, ICO guidance
titled ‘Determining what is personal data’4 may be relevant which in part states:
“When considering identifiability it should be assumed that you are not
looking just at the means reasonably likely to be used by the ordinary man
in the street, but also the means that are likely to be used by a determined
person with a particular reason to want to identify individuals. Examples
would include investigative journalists, estranged partners, stalkers, or
industrial spies.”
The ICO’s ‘When to refuse to confirm or deny information is held’ guidance
further states:
‘The exact wording of the request for information is an important
consideration when deciding whether a public authority should confirm or
deny if it holds the requested information. The more specific the request,
the more likely it is that a public authority will need to give a neither
confirm nor deny response.’
The ICO guidance cited above demonstrates the following:
Exempt information may be revealed by:
o Confirming information is held
o Confirming information is not held
o Inconsistently applying NCND exemptions in response to the same
or similar requests
It is only necessary to demonstrate the harm in one of the above
scenarios for an NCND response to be appropriate
Cumulative prejudice may result from multiple disclosures
It would be sufficient for a public authority to demonstrate that a
confirmation or denial would be revealing to someone with specialist
knowledge
The wording of a request may determine whether an NCND response is
appropriate.
4 https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf