Data Protection vs. Freedom of Information

Data Protection vs. Freedom of Information: Access and Personal Data

PAUL TICHER
Copyright Date: 2008
Published by: IT Governance Publishing
Pages: 67
https://www.jstor.org/stable/j.ctt5hh4kj
  • Cite this Item
  • Book Info
    Data Protection vs. Freedom of Information
    Book Description:

    Freedom of information is often mentioned in the same breath as data protection. In fact, the legal position is more complicated. Whereas data protection is about protecting individuals, freedom of information is about open government. The Data Protection Act is mainly concerned with the confidentiality and security of information, but the purpose of the Freedom of Information Act is to encourage the disclosure of information. Nevertheless, the Data Protection Act does permit ‘subject access’, whereby an individual can obtain a copy of the information held about them; it is at this point that the two pieces of legislation overlap. This authoritative pocket guide is designed to help information professionals, particularly in the public sector, understand the requirements of both Acts together with the ways in which they intersect. The guide looks at the restrictions on disclosure under the Freedom of Information Act, including the circumstances in which a request under the Freedom of Information Act must be declined, so as to protect personal data. The pocket guide also considers situations where disclosure of information about individuals under the Freedom of Information Act would not be in breach of the Data Protection Act because of the public interest in such disclosure.

    eISBN: 978-1-905356-73-7
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
  2. FOREWORD
    (pp. 5-6)
    Alan Calder

    The Freedom of Information Act (FOI) was a milestone in UK legislation and, for the first time, the lid was legally lifted on a lot of what the UK government was doing in the name of the citizens of the country. While the FOI applies only to public sector organisations, it covers a wide range of information. The Data Protection Act, which applies equally in both the public and private sector, had already given individuals the right to find out what information was being held about them, and to insist on having that information kept accurate and up to date....

  3. ABOUT THE AUTHOR
    (pp. 7-7)
  4. Table of Contents
    (pp. 8-8)
  5. CHAPTER 1: FREEDOM OF INFORMATION AND THE DATA PROTECTION ACT
    (pp. 9-10)

    The Freedom of Information Act 2000, which came into force on 1 January 2005, is essentially about promoting open government. It is primarily a means of increasing transparency in official decision-making and procedures, and enabling citizens to hold government to account.

    There are two main themes to the Act:

    encouraging public authorities to publish more information as a matter of course, through ‘publication schemes’; and

    providing a right of access to unpublished information held by (or on behalf of) public authorities.

    The Act is applicable in England, Wales and Northern Ireland. There is a separate piece of legislation in Scotland,...

  6. CHAPTER 2: OVERVIEW OF THE FREEDOM OF INFORMATION ACT
    (pp. 11-15)

    Because the Freedom of Information Act is essentially about open and accountable government, it applies directly only to ‘public authorities’. The Act establishes a list of public authorities, and makes provision for organisations to be added to or removed from the list as required¹.

    It also provides for two other categories of public authority. These are:

    bodies not eligible for the main list, but which are designated by the Secretary of State because they are exercising ‘functions of a public nature’ or ‘providing under a contract made with a public authority any service whose provision is a function of that...

  7. CHAPTER 3: RESTRICTIONS ON DISCLOSURE UNDER THE FREEDOM OF INFORMATION ACT
    (pp. 16-18)

    Although the underlying aim of the Act is greater transparency in government, there is clearly a range of information which should not be released because of the adverse consequences of doing so.

    There is exemption for a wide range of matters where secrecy is paramount, or where revealing the information would be detrimental to the activity, such as:

    security, defence and international relations;

    law enforcement, audits and other investigations;

    information about the economy and information relating to the formulation of government policy, or whose release would be ‘[prejudicial] to effective conduct of public affairs’, but not, generally, the statistical information...

  8. CHAPTER 4: APPLICATION OF THE FREEDOM OF INFORMATION ACT TO ORGANISATIONS THAT ARE NOT PUBLIC AUTHORITIES
    (pp. 19-20)

    The Act specifies that ‘… information is held by a public authority if … it is held by another person on behalf of the authority’.

    The implication of this is that where a service is contracted out, information held by the contractor (whether a commercial or non-commercial organisation), would be subject to freedom of information. Note, however, that the information is, technically, still ‘held’ by the public authority. In other words, a Freedom of Information Act request would have to be made to the authority, which would, in turn, have to obtain the information from the contractor in order to...

  9. CHAPTER 5: FREEDOM OF INFORMATION ACT PROCEDURE AND TIME LIMITS
    (pp. 21-26)

    A request under the Freedom of Information Act must:

    be made in writing (for which e-mail counts) ⁶;

    state the name of the applicant and an address for correspondence;

    describe the information requested.

    The request does not have to mention the Freedom of Information Act, so any written request for information to a public authority must be considered as a potential, if not actual, valid request.

    There has been some discussion on whether the applicant must give their real name. It can be argued that the main reason for requiring a name and address must be to ensure that the...

  10. CHAPTER 6: RESTRICTIONS ON DISCLOSURE OF PERSONAL DATA
    (pp. 27-28)

    One of the specific exemptions in the Freedom of Information Act (s.40) relates to personal data. The Act uses the definition of ‘personal data’ found in the Data Protection Act (discussed below).

    Where the data relates to the person making the request, the exemption is absolute. In this case, the information cannot be released in response to a freedom of information request, but it can be released to the applicant as a subject access request under the Data Protection Act. This is discussed in Chapter 11.

    Where the data relates to someone else (such as a staff member of the...

  11. CHAPTER 7: WHAT IS PERSONAL DATA?
    (pp. 29-34)

    In order to meet the definition of personal data in the Data Protection Act, information must be ‘personal’ and it must also be ‘data’. The personal part of the definition is relatively straightforward, referring to data about:

    identifiable;

    living;

    individuals.

    It therefore does not apply to information about companies or organisations, but it could apply to named contacts within those organisations. It does not apply to data which is completely anonymous, but it does apply if you can identify the people from the data combined with other information you hold (or if anyone you disclose it to could identify them)....

  12. CHAPTER 8: THE DATA PROTECTION PRINCIPLES
    (pp. 35-42)

    We have seen that personal data about applicants themselves cannot be provided under a Freedom of Information Act request; it must be handled under the Data Protection Act.

    Where the information is personal data about someone other than the applicant, the opposite is true: the data cannot be released under data protection (except in some cases, discussed in Chapter 11, where the information is linked to information about the data subject), but may be the subject of a freedom of information request.

    However, there is an absolute exemption for a disclosure of personal data which would breach any of the...

  13. CHAPTER 9: WHEN SHOULD PERSONAL DATA BE RELEASED?
    (pp. 43-49)

    There are two situations in which information about individuals may be included in material released under freedom of information:

    Where the information does not qualify as personal data because the person(s) is not identifiable or their identity is entirely incidental.

    Where the information is personal data – because it is about the individual(s) in some way – but where there is no breach of the data protection principles in disclosing itandthe public interest in disclosure outweighs any individual interest in non-disclosure.

    Category (e) (unstructured manual data) is exempt from most of the data protection principles apart from principle...

  14. CHAPTER 10: SUBJECT ACCESS UNDER THE DATA PROTECTION ACT
    (pp. 50-57)

    In principle a data subject has the right to know all the personal data that a data controller holds about them. If they make a request to see information about them held by a public authority, even if they mistakenly quote the Freedom of Information Act in their request, it should be treated as a subject access request.

    The basic position is that when someone makes a valid subject access request they are entitled to:

    be told whether any of their personal data is being processed by or on behalf of the data controller;

    be given a description of the...

  15. CHAPTER 11: REQUESTS MADE BY ONE PERSON ON BEHALF OF ANOTHER
    (pp. 58-61)

    Anyone can make a freedom of information request. There should never be any question of someone making a request on behalf of someone else: they may as well just make the request in their own right and share the response with the other person.

    However, the Data Protection Act is different, because a subject access request asks for information about the data subject themselves. In most cases the data subject will be able to make the request directly. However, they don’t have to: someone else may be entitled to act on their behalf, they can ask someone else to act...

  16. CHAPTER 12: CHECKLIST FOR DISCLOSING INFORMATION UNDER THE FREEDOM OF INFORMATION ACT WHERE INDIVIDUALS ARE MENTIONED IN THE INFORMATION
    (pp. 62-62)

    1 Is the request valid (in writing, with a name and address)?

    2 Does the request relate to personal data about the applicant? If so, treat the request (or that part of the request) as a subject access request under the Data Protection Act. Handle any third party information that is bound up with the applicant’s data as a potential exemption under the Data Protection Act.

    3 Do you have enough information to locate the information requested? If not, ask the applicant for the information you need.

    4 In respect of the freedom of information request: is the information where...

  17. APPENDIX: GLOSSARY
    (pp. 63-65)
  18. ITG RESOURCES
    (pp. 66-67)