Freedom of Information and data protection
Freedom of Information and data protection
Advice on the interaction of the Freedom of Information and the Data Protection laws was given in the House of Lords in a Scottish context. It was said that,
‘There is much force in Lord Marnoch's observation in the Inner House that, as the whole purpose of Freedom of Information (Scotland) Act 2002 ("FOISA 2002") is the release of information, it should be construed in as liberal a manner as possible:  CSIH 58, 2007 SC 231, para 32. But that proposition must not be applied too widely, without regard to the way the Act was designed to operate in conjunction with Data Protection Act 1998 ("DPA 1998"). It is obvious that not all government can be completely open, and special consideration also had to be given to the release of personal information relating to individuals. So while the entitlement to information is expressed initially in the broadest terms that are imaginable, it is qualified in respects that are equally significant and to which appropriate weight must also be given. The scope and nature of the various exemptions plays a key role within the Act's complex analytical framework.
‘Section 2(1) FOISA 2002 distinguishes between exemptions which are absolute and those which are not. A provision which confers absolute exemption is not subject to a public interest test. Other exemptions are. Among the absolute exemptions is that for "personal data" within the meaning given to that expression by section 1(1) of DPA 1998: FOISA 2002, section 38. According to the Explanatory Notes, p 6, this section is intended to ensure that FOISA does not interfere with DPA 1998. Any information which constitutes personal data of which the applicant is the data subject is exempt from the obligation which section 1 FOISA 2002 imposes on the public authority: section 38(1)(a). The right of the data subject to obtain access to that information is confined to that which the individual is given by sections 7 to 9 DPA 1998. Any information which constitutes personal data other than that of which the applicant is the data subject is also exempt if it satisfies one or other of two conditions which are designed to preserve the application of DPA 1998 to that information. This is the effect of section 38(1)(b), section 38(2) and section 38(3)… In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down. The references which that Act makes to provisions of DPA 1998 must be understood in the light of the legislative purpose of that Act, which was to implement Council Directive 95/46/EC. The guiding principle is the protection of the fundamental rights and freedoms of persons, and in particular their right to privacy with respect to the processing of personal data: see recital 2 of the preamble to, and article 1(1) of, the Directive. Recital 34 and article 8(1) recognise that some categories of data require particularly careful treatment. Section 2 DPA 1998, which defines the expression "sensitive personal data", must be understood in the light of this background…’
Per Lord Hope of Craighead in Common Services Agency v Scottish Information Commissioner (Scotland)  UKHL 47.
The facts of this case were a request had been made to the Scottish Services Agency on behalf of a member of the Scottish Parliament, to supply him with details of all incidents of childhood leukaemia for both sexes by year from 1990 to 2003 for all the DG (Dumfries and Galloway) postal area by census ward. the Agency refused the request. He was told that the Agency did not hold these details for 2002 or 2003 as the data relating to these years was still incomplete. As for the earlier years, there was a significant risk of the indirect identification of living individuals due to the low numbers resulting from the combination of the rare diagnosis, the specified age group and the small geographic area. As a result it was personal data within the meaning of section 1(1) of DPA and was exempt information for the purposes of FOISA 2002. The Agency also maintained that it owed a duty of confidence equivalent to that of the clinicians to whom the information had originally been made available.
On application to the Scottish Information Commissioner under section 47 FOISA 2002 for a decision whether his request for information had been dealt with in accordance with Part I of the Act the Commissioner said that he was satisfied that the disclosure of the information requested would breach the first principle and that it should not be released. Its release could be said to be unlawful if it could be said to constitute a breach of confidence. It would also be unfair, as a person would not expect their diagnosis of leukaemia to be placed in the public domain and would expect it to remain confidential. But he said that this did not mean that information should not have been provided. The Commissioner referred to a process to be followed when handling statistics where there is a potential risk of disclosure of personal information as a result of small cell counts known as "barnardisation". Barnardisation is a method of rendering the information, so far as it is possible to do so, anonymous.
Decision: Allowing the appeal it was held that if the Commissioner finds that the information is sensitive personal data and that none of the conditions in Schedule 3 are met, it will not be possible for the data at ward census level to be released without contravening the first data protection principle.
It was ordered that the application be remitted to the Commissioner so that he can examine the facts in the light of the judgment of the House and determine whether the information can be sufficiently anonymised for it not to be "personal data". If he decides that it cannot be so anonymised, he will need then to consider whether its disclosure will comply with the data protection principles. In order to satisfy the first of the data protection principles listed in Schedule 1 he will need to decide whether information in that form would also be "sensitive personal data", so that at least one of the conditions in Schedule 3 DPA must be met as well as at least one of the conditions in Schedule 2.)
4th Edition » | Chapter 23