2. RIGHT TO
PERSONAL INFORMATION
2.1 The general overlap between FOI and privacy protection
is dealt with in Chapter 4 of the White Paper. It addresses several
areas of overlap and conflict.
2.2 In many jurisdictions, FOI laws are used principally
by individuals to obtain information held about them by Government.
That subject access roÃle is largely filled in the UK in
the case of automated data, by data protection legislation. That
law will be extended in part to manual files as a result of the
Directive 95/46/EC, but there are already statutory rights to
some manual records in the UK such as housing and education records.
2.3 FOI laws are in principle distinguishable from privacy
access laws because they give access to a wide range of Government
information to the public at large. Access is to information held
by government, rather than by any organisation. The rationale
is that for a strong political democracy there should be wide
access to information held by public bodies. The right of an individual
to access to information under privacy laws is justified because
information about an individual held or used by any organisation
might be used to the prejudice of that individual's rights and
access is a means of protecting the person's rights as an individual
rather than as a citizen of a democracy.
2.4 The Registrar warmly welcomes the Government's declaration
at paragraph 4.6 of the White Paper:
"We intend to ensure that the regimes for freedom of
information and the protection of personal privacy accommodate
each other. The two regimes must perform differing functions as
efficiently as possible with the potential for conflict kept to
a minimum."
Paragraph 4.7 is equally welcome in saying that:
"Any Freedom of Information Act must provide adequate
protection for an individual from any unwarranted invasion of
personal privacy caused by an application from a third party.
In practice, for the Freedom of Information Act in the United
Kingdom, the new Data Protection Act will provide the basis for
this protection."
2.5 The greatest scope for conflict between enforcement authorities
lies in an inherent conflict between FOI and privacy rules. FOI
is about obtaining information from government and that might
include information about other individuals. That is to say one
man's Freedom of Information might be breach of another's privacy.
Privacy rights are not absolute. There will be cases where privacy
should be overridden in the public interest. The difficulty is
in settling how to apply that test and this memorandum returns
to the issue in looking specifically at parts of Chapter 2 of
the White Paper.
2.6 It would be disappointing if, merely because the institution
providing services to an individual happened to be the State,
an individual were to receive a lower standard of privacy protection
in the name of Freedom of Information. Medical records should
be subject to strict confidentiality by whomsoever they are held
and not put at risk of, for example, arguments that the detail
of individuals cases must be known in order to assess the efficiency
and effectiveness with which public services are provided.
2.7 The proposals in paragraphs 4.9 to 4.11 of the White
Paper are significant extensions of the rights of individuals.
They render redundant much of the discussion in the public sector
about the difficulty and timing of the extension to manual records
of data protection law by the 1995 Data Protection Directive.[1]
2.8 The clear provision for remedies for individuals on the
lines of those found in Data Protection legislation will be advantageous.
It is not entirely clear whether those rights will be enforceable
in the courts, as is likely to be required as a consequence of
the Data Protection Directive, or through the Information Commissioner.
The enforcement process ought to apply the same principles under
whichever legislative regime the data are dealt with. So, for
example, it would be helpful to adopt a similar approach to the
correction of inaccuracy in which there is no re-writing of history
or tampering with original documents, but clear contra entries
and references to erroneous factual content need to be made in
the record, and resultant summary records may need to be rewritten
or replaced. There is clearly scope in this as in other areas
for divergence between the Information Commissioner and the new
Data Protection Commissioner (as the Government has proposed to
rename the Registrar).
2.9 Data Protection and FOI could be enforced either by the
same machinery or, as the Government proposes, by separate Commissioners.
In some jurisdictions - such as the Canadian provinces - enforcement
of privacy and information rights is given to a single Commissioner.
In other jurisdictions (eg federal Canada), the jurisdiction is
divided. Indeed, FOI can be enforced by administrative or political
process rather than by a formal legal process as usually applies
in the case of data protection and privacy access laws. In the
case of the UK, individuals can enforce their own data protection
subject access rights in the Courts. The Registrar recognises
the difficult decision the Government faced in deciding which
FOI enforcement process to choose. Her concern is that the potential
conflicts should be recognised and procedures established for
their resolution. The Registrar has previously expressed a preference
for resolving some of the potential difficulties canvassed in
this Memorandum by placing enforcement of privacy and FOI - at
least so far as concerns personal information - in the hands of
the same authority. The Government has decided in favour of an
Information Commissioner for enforcement of FOI. That route has
the policy advantage of exposing to public examination any conflict
of view or principle between the FOI and privacy regimes. Mechanisms
of consultation, co-ordination, and conflict resolution would
be welcome in order to avoid the institutional conflict found
at federal level in Canada.
2.10 Where jurisdiction is divided, there is scope for disagreement.
An individual will have access rights under both privacy and FOI
laws, and on appeal to the enforcement authorities might find
one authority supporting the appeal on its merits and the other
opposing. Administrative co-operation should solve that problem.
More intractable is where the authorities reach different views
because of apparently minor technical differences in the law.
So privacy laws might stress the importance of access to the individual
whereas FOI might have more extensive exemptions for the protection
of the administration. As a first step, the proposal in paragraph
4.13 of the White Paper that the two enforcement officials should
consult and exchange information is an excellent step in the right
direction. If intractable disputes are, however, to be left to
the Courts, some basis for resolution could usefully be provided
in statute. One route might be to turn the dispute into a fundamental
rights issue to be resolved as the courts will deal with issues
arising under the Human Rights Bill when enacted. The scope for
disagreement between Data Protection and Information Commissioners
can be greatly reduced by a careful tailoring of the legislation
to ensure that so far as possible similar principles are to be
applied by both.
2.11 The Registrar suggests one possibility to assist administering
FOI Law. Access to information issues are often mixed with other
problems or complaints or are the means to expose other problems.
So exercising a right of subject access under data protection
legislation might reveal not a breach of data protection legislation,
but perhaps some administrative matter dealt with either by the
Information Commissioner or the Parliamentary Commissioner. Similarly,
an FOI request might reveal matters best dealt with under the
Registrar's jurisdiction. In order to facilitate co-operation
in cases such as these and to economise on the resources used
by investigative bodies, it might be possible to bring the Registrar
and the Commissioners together in some collegiate body. The separate
formal jurisdictions would remain, but the collegiate body could
jointly look at issues crossing jurisdictional boundaries. It
might also prove to be a helpful means of developing considered
advice to Parliament on the general development of information
law. This approach is similar to the one the Registrar has proposed
in relation to the handling of Human Rights issues.
3. LEGAL PROCEEDINGS
3.1 Paragraph 2.21 of the White Paper makes clear that FOI
should not undermine law enforcement and that consequently certain
information will be excluded from the Act. We understand that
to mean that this information will be excluded from the scope
of the Act and not that there will be a law enforcement exemption
subject to the substantial harm and public interest tests. Paragraph
3.11 of the White Paper provides for an exemption to apply to
information over and above that excluded from the scope of the
new Act. It is not clear what the scope of the exemption will
be.
3.2 The Registrar is a law enforcement official. She has
been faced with issues relating to the disclosure of information
obtained in an investigation.
3.3 She would take the view that no distinction for FOI purposes
should be drawn between criminal and civil enforcement proceedings.
Sometimes civil proceedings (eg planning or data protection enforcement)
are a preliminary to criminal enforcement; sometimes an investigation
will start with the possibility of either civil or criminal enforcement
as a result. The Registrar has the power to obtain evidence by
warrant as a preliminary step in civil enforcement. The implied
duty of confidence in such compulsory cases ought to be protected.
The wide exclusion from the scope of FOI seems in principle proper
and should apply equally in civil and criminal cases.
4. LEGAL PROFESSIONAL
PRIVILEGE
4.1 Paragraph 2.22 of the White Paper indicates the FOI Act
will not apply to advice which would normally be protected by
legal professional privilege. It is not clear whether the exclusion
will apply only to the advice or to all information in respect
of which legal professional privilege could be claimed.
4.2 The Registrar has some experience of a similar exemption
in the Data Protection Act 1984 ("the 1984 Act"). She
has been advised that information once privileged is always privileged.
It is a one-way trap door through which information slips into
an exempt category never to return, even though the need for exemption
on its merits has long passed. The Registrar would not wish to
see the same problem created by the FOI Act for the Information
Commissioner.
1 Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals
with regard to the processing of personal data and on the free
movement of such data, Official Journal of the European Communities
L281, Vol 38, 23 November 1995, ISSN 0378-6978 Copies of the text
can be obtained from the Stationery Office. The text can also
be found on the Internet at: http://www2.echo.lu/legal/en/dataprot/dataprot.html. Back