Select Committee on Public Administration Minutes of Evidence


Memorandum submitted by the Data Protection Registrar

1. INTRODUCTION AND WELCOME FOR THE WHITE PAPER

  1.1 The Data Protection Registrar ("the Registrar") is already subject to the Code of Practice on Access to Government Information and expects to be subject to the proposed Freedom of Information Act. From that standpoint, she warmly welcomes the general tenor of the proposals. It has always been the policy of her Office to make as much information publicly available as possible in Guidelines, special publications, Annual Reports, or now on two Internet Web Sites. It is important to emphasise the point made in Chapter 7 of "Your Right to Know" (Cm 3818) ("the White Paper") that openness needs to become part of administrative and official culture. In the experience of the Registrar's Office, the shift in presumption from concealment to disclosure can of itself make a great difference: when presented with a request for information, officers should, and do, react by giving the information unless there is some identifiable compelling reason to the contrary. There are sometimes such reasons and this memorandum will touch on one or two.

2. RIGHT TO PERSONAL INFORMATION

  2.1 The general overlap between FOI and privacy protection is dealt with in Chapter 4 of the White Paper. It addresses several areas of overlap and conflict.

  2.2 In many jurisdictions, FOI laws are used principally by individuals to obtain information held about them by Government. That subject access roÃle is largely filled in the UK in the case of automated data, by data protection legislation. That law will be extended in part to manual files as a result of the Directive 95/46/EC, but there are already statutory rights to some manual records in the UK such as housing and education records.

  2.3 FOI laws are in principle distinguishable from privacy access laws because they give access to a wide range of Government information to the public at large. Access is to information held by government, rather than by any organisation. The rationale is that for a strong political democracy there should be wide access to information held by public bodies. The right of an individual to access to information under privacy laws is justified because information about an individual held or used by any organisation might be used to the prejudice of that individual's rights and access is a means of protecting the person's rights as an individual rather than as a citizen of a democracy.

  2.4 The Registrar warmly welcomes the Government's declaration at paragraph 4.6 of the White Paper:

  Paragraph 4.7 is equally welcome in saying that:

    "Any Freedom of Information Act must provide adequate protection for an individual from any unwarranted invasion of personal privacy caused by an application from a third party. In practice, for the Freedom of Information Act in the United Kingdom, the new Data Protection Act will provide the basis for this protection."

  2.5 The greatest scope for conflict between enforcement authorities lies in an inherent conflict between FOI and privacy rules. FOI is about obtaining information from government and that might include information about other individuals. That is to say one man's Freedom of Information might be breach of another's privacy. Privacy rights are not absolute. There will be cases where privacy should be overridden in the public interest. The difficulty is in settling how to apply that test and this memorandum returns to the issue in looking specifically at parts of Chapter 2 of the White Paper.

  2.6 It would be disappointing if, merely because the institution providing services to an individual happened to be the State, an individual were to receive a lower standard of privacy protection in the name of Freedom of Information. Medical records should be subject to strict confidentiality by whomsoever they are held and not put at risk of, for example, arguments that the detail of individuals cases must be known in order to assess the efficiency and effectiveness with which public services are provided.

  2.7 The proposals in paragraphs 4.9 to 4.11 of the White Paper are significant extensions of the rights of individuals. They render redundant much of the discussion in the public sector about the difficulty and timing of the extension to manual records of data protection law by the 1995 Data Protection Directive.[1]

  2.8 The clear provision for remedies for individuals on the lines of those found in Data Protection legislation will be advantageous. It is not entirely clear whether those rights will be enforceable in the courts, as is likely to be required as a consequence of the Data Protection Directive, or through the Information Commissioner. The enforcement process ought to apply the same principles under whichever legislative regime the data are dealt with. So, for example, it would be helpful to adopt a similar approach to the correction of inaccuracy in which there is no re-writing of history or tampering with original documents, but clear contra entries and references to erroneous factual content need to be made in the record, and resultant summary records may need to be rewritten or replaced. There is clearly scope in this as in other areas for divergence between the Information Commissioner and the new Data Protection Commissioner (as the Government has proposed to rename the Registrar).

  2.9 Data Protection and FOI could be enforced either by the same machinery or, as the Government proposes, by separate Commissioners. In some jurisdictions - such as the Canadian provinces - enforcement of privacy and information rights is given to a single Commissioner. In other jurisdictions (eg federal Canada), the jurisdiction is divided. Indeed, FOI can be enforced by administrative or political process rather than by a formal legal process as usually applies in the case of data protection and privacy access laws. In the case of the UK, individuals can enforce their own data protection subject access rights in the Courts. The Registrar recognises the difficult decision the Government faced in deciding which FOI enforcement process to choose. Her concern is that the potential conflicts should be recognised and procedures established for their resolution. The Registrar has previously expressed a preference for resolving some of the potential difficulties canvassed in this Memorandum by placing enforcement of privacy and FOI - at least so far as concerns personal information - in the hands of the same authority. The Government has decided in favour of an Information Commissioner for enforcement of FOI. That route has the policy advantage of exposing to public examination any conflict of view or principle between the FOI and privacy regimes. Mechanisms of consultation, co-ordination, and conflict resolution would be welcome in order to avoid the institutional conflict found at federal level in Canada.

  2.10 Where jurisdiction is divided, there is scope for disagreement. An individual will have access rights under both privacy and FOI laws, and on appeal to the enforcement authorities might find one authority supporting the appeal on its merits and the other opposing. Administrative co-operation should solve that problem. More intractable is where the authorities reach different views because of apparently minor technical differences in the law. So privacy laws might stress the importance of access to the individual whereas FOI might have more extensive exemptions for the protection of the administration. As a first step, the proposal in paragraph 4.13 of the White Paper that the two enforcement officials should consult and exchange information is an excellent step in the right direction. If intractable disputes are, however, to be left to the Courts, some basis for resolution could usefully be provided in statute. One route might be to turn the dispute into a fundamental rights issue to be resolved as the courts will deal with issues arising under the Human Rights Bill when enacted. The scope for disagreement between Data Protection and Information Commissioners can be greatly reduced by a careful tailoring of the legislation to ensure that so far as possible similar principles are to be applied by both.

  2.11 The Registrar suggests one possibility to assist administering FOI Law. Access to information issues are often mixed with other problems or complaints or are the means to expose other problems. So exercising a right of subject access under data protection legislation might reveal not a breach of data protection legislation, but perhaps some administrative matter dealt with either by the Information Commissioner or the Parliamentary Commissioner. Similarly, an FOI request might reveal matters best dealt with under the Registrar's jurisdiction. In order to facilitate co-operation in cases such as these and to economise on the resources used by investigative bodies, it might be possible to bring the Registrar and the Commissioners together in some collegiate body. The separate formal jurisdictions would remain, but the collegiate body could jointly look at issues crossing jurisdictional boundaries. It might also prove to be a helpful means of developing considered advice to Parliament on the general development of information law. This approach is similar to the one the Registrar has proposed in relation to the handling of Human Rights issues.

3. LEGAL PROCEEDINGS

  3.1 Paragraph 2.21 of the White Paper makes clear that FOI should not undermine law enforcement and that consequently certain information will be excluded from the Act. We understand that to mean that this information will be excluded from the scope of the Act and not that there will be a law enforcement exemption subject to the substantial harm and public interest tests. Paragraph 3.11 of the White Paper provides for an exemption to apply to information over and above that excluded from the scope of the new Act. It is not clear what the scope of the exemption will be.

  3.2 The Registrar is a law enforcement official. She has been faced with issues relating to the disclosure of information obtained in an investigation.

  3.3 She would take the view that no distinction for FOI purposes should be drawn between criminal and civil enforcement proceedings. Sometimes civil proceedings (eg planning or data protection enforcement) are a preliminary to criminal enforcement; sometimes an investigation will start with the possibility of either civil or criminal enforcement as a result. The Registrar has the power to obtain evidence by warrant as a preliminary step in civil enforcement. The implied duty of confidence in such compulsory cases ought to be protected. The wide exclusion from the scope of FOI seems in principle proper and should apply equally in civil and criminal cases.

4. LEGAL PROFESSIONAL PRIVILEGE

  4.1 Paragraph 2.22 of the White Paper indicates the FOI Act will not apply to advice which would normally be protected by legal professional privilege. It is not clear whether the exclusion will apply only to the advice or to all information in respect of which legal professional privilege could be claimed.

  4.2 The Registrar has some experience of a similar exemption in the Data Protection Act 1984 ("the 1984 Act"). She has been advised that information once privileged is always privileged. It is a one-way trap door through which information slips into an exempt category never to return, even though the need for exemption on its merits has long passed. The Registrar would not wish to see the same problem created by the FOI Act for the Information Commissioner.


1   Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities L281, Vol 38, 23 November 1995, ISSN 0378-6978 Copies of the text can be obtained from the Stationery Office. The text can also be found on the Internet at: http://www2.echo.lu/legal/en/dataprot/dataprot.html. Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries

© Parliamentary copyright 1998
Prepared 12 March 1998