Dunhill v Information Commissioner and Bolton NHS Foundation Trust [2025]

Ruby Ashby

Reading time: 2 minutes

Under the Freedom of Information Act 2000 (FOIA) a person is entitled to the following from a public body:

  • To be informed whether it holds the information specified (this is known as “the duty to confirm or deny”); and
  • If so, to receive the information.

There are certain exemptions to the above rights. Section 40(5B)(a)(i) of the FOIA creates an exemption from the duty to confirm or deny where doing so would contravene any of the data protection principles under the UK GDPR and/or the Data Protection Act 2018. In practice, this means that a public authority is exempt from the duty if confirming or denying would disclose personal data about an identifiable individual.

Background

Lawrence Dunhill, a journalist for the Health Service Journal, submitted a FOIA request to Bolton NHS Foundation Trust in October 2023. He sought copies of all governance reviews since June 2022, including one conducted by PwC following allegations within the Trust’s leadership.

In response to the request, the Trust confirmed that it held some relevant information but refused to confirm or deny whether it held the PwC review, citing the exemption set out within Section 40(5B)(a)(i) of the FOIA.

Unhappy with the response, Mr Dunhill lodged a complaint with the Information Commissioner’s Office (ICO). The ICO upheld the position adopted by the Trust. Mr Dunhill appealed this decision to the First-Tier Tribunal.

The issues for determination by the Tribunal were as follows:

  1. Whether the Trust was entitled to refuse to confirm or deny holding the PwC review; and
  2. Whether the ICO had misapplied the exemption in relation to the rest of the data requested.

Tribunal’s Decision

The Tribunal pointed out that the ICO was mistaken on one key point in its determination of the complaint. They had assumed that the Trust had given a neither confirm nor deny response to the whole of Mr Dunhill’s request. This was not the case. As set out above, the Trust had actually accepted that it held some of the information requested. The ‘neither confirm nor deny’ response was limited to the PwC review alone.

The Tribunal ultimately concluded that the ICO had misapplied the exemption in Section 40(5B)(a)(i). The ICO had treated the exemption as absolute. The Tribunal clarified that it is a qualified exemption and therefore the public interest test should be applied. A public body when choosing to rely on this exemption should weigh up privacy v transparency. Applying this test, the Tribunal concluded that Mr Dunhill’s request was in the public interest. The Tribunal therefore disagreed that the Trust was entitled to rely upon Section 40(5B)(a)(i).

The appeal was ultimately allowed. The Tribunal substituted a new decision notice requiring the Trust to respond substantively to the PwC review element of the request within 28 days.

How can we help?Tribunal's Powers Under DPA

Ruby Raine-Ellerker is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our our online enquiry form.

Contact us
This article is for information only and does not constitute legal/financial advice. Please contact us for advice tailored to your specific position. Some of the content presented on our website has been generated with the assistance of Artificial Intelligence (AI). We ensure that all AI-generated content meets our high standards for accuracy and relevance.
Contact us today

We're here to help.

Call us on 0800 024 1976

Main Contact Form

Used on contact page

  • Email us