Select Committee on Public Administration Third Report


ACCESS TO INFORMATION AND THE RIGHT OF PRIVACY

10. One of the most difficult and crucial issues that the Freedom of Information Act needs to address is the extent to which the public's right of access to information may override the individual citizen's right of privacy. Some of the issues of confidentiality involved are illustrated in the box below. This is the least satisfactory aspect of the proposed Act. It has been seriously complicated by the fact that there are three pieces of legislation which deal with these matters which have been, or are to be introduced separately: the Human Rights Bill; the Data Protection Bill; and the Freedom of Information Bill. We have serious doubts that the regime proposed strikes the right balance between privacy and openness, or indeed whether it will be workable.


PRIVACY VS THE RIGHT TO KNOW: WHAT SORT OF INFORMATION RAISES THESE PROBLEMS?

"Foster carers do not have the legal right of access to the records of the children and young people in their care. To give carers direct access would not only conflict with the rights of children to confidentiality, but also would not be practicable because of the nature of the records... Social Service Departments (SSDs) have a statutory duty to pass on all of the information that carers need to care for each child in placement... However, in practice, social workers make decisions about what information it is appropriate to pass on, and what is not. NFCA often hears from foster carers who find that crucial information about the child and his or her circumstances is not passed on. In the worst scenario, a foster carer may welcome into their home a young person who has already abused other children, without being told of this".[16]  National Foster Care Association.

In a judgment in March (R v Chief Constable of North Wales Police and others ex parte P.Thorpe and another), Lord Woolf decided that the police had acted lawfully in informing the owner of a caravan site of the presence there of a couple who had been released after serving prison sentences for sexual offences against children. The Times 19 March 1998, p.5.

The fees earned by individual barristers from legal aid have hitherto been treated as confidential. But in April 1998 payments to the 20 solicitors' firms and 20 barristers who received the largest sums of money from the legal aid fund in 1996-97 were published by the Lord Chancellor's Department. HC Deb 28 April 1998, 311 cols 65-7W.

Do the press or public have a right to know the whereabouts of high profile prisoners, or is this personal information which should not be released?

Should a doctor be allowed to warn a patient that his or her partner is HIV positive, without the patient's consent?

Should employers be able to ascertain whether a job applicant has a criminal record, by requiring the applicant to request a copy of his or her own criminal record and then produce it to the employer (so-called "enforced subject access")?

 


PRIVACY AND FREEDOM OF INFORMATION IN THREE COUNTRIES

Canada

The Canadian Human Rights Act 1977 included a right of access to personal files and established a Privacy Commissioner. In 1982 FOI was introduced under the Access to Information Act, enforced by an Information Commissioner; whilst access to personal files remained under a separate regime in the Privacy Act 1982. There are thus dual access regimes. A prisoner who wants to see his own file applies under the Privacy Act; while if he wants information about the custodial regimes in different prisons he must apply under the Access to Information Act. A journalist seeking information about the prisoner must also apply under the Access to Information Act, but may not learn very much: the Access to Information Act prohibits disclosure of third party personal information, as defined in the Privacy Act. The hinge between the two Acts is the definition of personal information in section 3 of the Privacy Act, which is the governing statute.

Australia

Australia is the reverse of Canada. The federal government legislated first for FOI in the Freedom of Information Act 1982 and then enacted a Privacy Act in 1988. The dominant regime is FOI. The 1982 Act introduced a single access regime for personal files and official information, with the same set of exemption provisions, and with common enforcement machinery through the Ombudsman and the Administrative Appeals Tribunal. A prisoner in Australia seeking access to his own file would apply under the FOI Act.

The Privacy Act contains the standard information privacy principles based on OECD guidelines. It covers mainly the public sector and is supervised by a Privacy Commissioner. Principle 6 covers access to records containing personal information, but this is made subject to the exemption provisions in the FOI Act. Access to personal records continues to be under the FOI Act. It would be possible to use the Privacy Act to obtain access to personal records, but most citizens do not because the route under the FOI Act is better charted and the Privacy Commissioner offers little encouragement. With limited resources the Privacy Commissioner has opted for an educational role, encouraging good practice in observing the information privacy principles, and rarely using his enforcement powers. The Privacy Commissioner will investigate a complaint of denial of access, but only after the applicant has exhausted remedies under the FOI Act.

New Zealand

New Zealand legislated first for FOI in the Official Information Act 1982. This introduced separate access regimes for personal and official information within the same statute. Personal information was meant to be more readily available, with fewer grounds for refusing disclosure. Enforcement of access to both personal and official information lay through the Ombudsman.

New Zealand established a Privacy Commissioner in 1991, and the Privacy Act 1993 removed the right of access to personal information from the 1982 Act and re-enacted it alongside privacy protection principles. Access to personal information is now under the 1993 Act, with enforcement by the Privacy Commissioner. As in Canada, third party requests for personal information (the journalist asking for the whereabouts of a prisoner) are under the Official Information Act, with enforcement by the Ombudsman; and as in Canada, requests for mixed personal/official information can present problems, because they have to be dealt with under different statutes with different sets of rules.

The first Privacy Commissioner, Bruce Slane, has been a high profile exponent and defender of privacy issues. His rulings are sometimes at odds with those of the Ombudsman, and the seeds of institutional conflict are emerging there too. The Privacy Commissioner is gradually extending his role, and with it the definition of privacy.

  Ev. pp. 182-3.

11. In most countries which have separate privacy and Freedom of Information regimes, there is an inevitable conflict between the two competing values. The story of the relationship between the two in Australia and New Zealand indicates the possible results:

"Australia has had a relatively weak Privacy Commissioner, who has not established a separate access regime under the 1988 Privacy Act; who has not succeeded in extending the privacy legislation to the private sector; and who has acquiesced in FOI being the governing statute. In New Zealand by contrast the Privacy Commissioner has been highly effective in arguing for the separate access regime in the new Privacy Act 1993; and in upholding privacy as a value. Freedom of Information observers remark on the chilling effect which the Privacy Act is beginning to have on Freedom of Information disclosures and on information policy more generally. In part this results from public ignorance or misinterpretation of the provisions of the Privacy Act; but in part it is because the Privacy Commissioner is an effective operator".[17]

The box opposite summarises the relationship between privacy and Freedom of Information regimes in other countries.

Protection for the individual's right of privacy

12. The UK does not have a single law defending individuals' privacy; but two Bills currently under consideration deal with privacy rights. The first of these is the Human Rights Bill, which will make provision in order to give fuller effect in UK domestic law to the European Convention on Human Rights. Article 8 of the Convention says that:

(a)  "Everyone has the right to respect for his private and family life, his home and his correspondence

(b)  There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".

The freedoms in Article 8 are balanced by the freedom of expression in Article 10 of the Convention which includes the right to receive and impart information.

13. One of the purposes of the new Data Protection Bill is to protect the confidentiality of personal information held by private and public sector bodies; it also provides a right of access to enable individuals to check whether information held by authorities about them is accurate (the second aspect is dealt with below, paras. 17 to 21). The Bill supersedes the 1984 Data Protection Act, and is based on the EC Data Protection Directive. The Bill is expected to be enacted by the end of the current session of Parliament (as required under the Directive). The Directive stresses its origin in a concern for the right to privacy: "in accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to processing of personal data".[18] The Bill places certain conditions on the disclosure of personal data, which are outlined in the box below. The White Paper says that the Data Protection Act will provide the basis for the protection of the individual's right to privacy against the right of access to information held by the Government.


PROTECTION AGAINST DISCLOSURE OF PERSONAL INFORMATION UNDER THE DATA PROTECTION BILL

The first of the Data Protection Principles says that personal data should not be disclosed unless at least one of a number of conditions is met. Among the conditions are:

-  The subject of the data has agreed to its disclosure

-  The processing is necessary

(a)  for the administration of justice,

(b)  for the exercise of any functions conferred on any person by or under any enactment,

(c)  for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d)  for the exercise of any other functions of a public nature exercised in the public interest by any person

-  The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (the Secretary of State may by order specify particular circumstances in which this condition is, or is not, taken to be satisfied).

At least one of a set of further conditions must apply if the data consist of "sensitive personal data" about an individual's racial or ethnic origin, political opinions, religious or other beliefs, health, sexual life, or offences committed by him. These include the condition relating to the exercise of functions enforced on a person by an enactment, as above.

In addition, Clauses 33 and 34 of the Bill say that personal data are exempt from various requirements of the Data Protection Act if

-  the data consist of information which the data controller is obliged by or under any enactment to make available to the public, whether by publishing it, by making it available for inspection, or otherwise, whether free, or on payment of a fee

-  the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

The situation where disclosure of information about himself or herself to an individual would result in disclosure of information about another person (a third party) is dealt with in Clause 7(4):

(4) Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a)  the other individual has consented to the disclosure of the information to the person making the request,

(b)  the information is contained in a health record and the other individual is a health professional who has compiled or contributed to that health record, or

(c)  it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

14. Freedom of Information and these two pieces of legislation inevitably pull in different directions. On the one hand, there is a risk that by taking a liberal approach to Freedom of Information the UK may find itself in breach of Article 8 of the European Convention on Human Rights. On the other, there is a risk that over-scrupulous concern for privacy may prevent the disclosure of information of legitimate concern to the public. The Lord Chancellor sought to reassure us about the conflict between the Convention and the Freedom of Information Act: "the important thing, I think, is that the Human Rights Bill represents a floor of rights; it does not represent a maximum of rights, it is a floor of rights beneath which people should not fall. These are minimum rights. However, there is nothing in the Human Rights Bill which prevents the freedoms and rights of individuals being enhanced above that floor. This is exactly what the Freedom of Information Bill does".[19] We agree with him on the Article 10 side, but whether that solved the Article 8 infringement problem is another matter. It might be added that the Council of Europe, which is responsible for the Convention, in 1981 recommended to Member States that they implement Freedom of Information laws.[20]

15. The difficulty for Freedom of Information represented by the Data Protection Bill is not easily assessed. In any conflict between the two regimes, the Data Protection Bill may well take precedence, because it is derived from European Community law. The Data Protection Registrar, Mrs Elizabeth France, argued that "there would be recourse to the European Courts directly if we were to deny people the rights which were contained in the Data Protection Bill".[21] If the Freedom of Information Bill were not drafted so as to be compatible with the Data Protection Directive, she said, "the courts would make it clear if challenged that in the case of an individual the Data Protection Bill's requirements would be the ones which took precedence".[22] Furthermore, the Registrar gave us an indication of what her approach will be to finding a balance between privacy and freedom of information: in cases relating to information supplied in confidence she was, she said, likely to "start from the position that processing such data in order to disclose it without the consent of the individual or some over-riding compelling public interest (such as the saving of life or the prevention or detection of serious crime) is either unlawful or unfair processing of personal data ... it is wrong to have to satisfy any test of harm in order to protect personal records from disclosure to third parties. Indeed, there is a strong public interest in preserving the privacy and confidentiality of individuals [which] will only be overridden (in the absence of consent) on limited compelling grounds of public interest or for the protection of the vital interests of individuals".[23] On the other hand, the provisions in the Data Protection Bill appear to allow for the disclosure of information without the consent of a third party if it is done "under any enactment", which would presumably include the Freedom of Information Bill. 
The White Paper seems surprisingly phlegmatic about the possibility of conflicts about the disclosure of personal information and their resolution. It says that "in the unlikely event of a dispute arising between the Commissioner and Registrar, on which they were unable to reach agreement, this would ultimately be resolved by the courts".[24] This may be true, but strikes us as an abdication of responsibility for drafting clear legislation, which avoids recourse to the courts except where unavoidable.

16. The right to privacy has a head start; the Government should ensure that the right of access to information is not left behind. We accept the Data Protection Registrar's view that preserving the privacy and confidentiality of individuals is a vital interest, which should be overridden only on careful consideration and for good reasons. But there must be a mechanism to ensure that it can be overridden where necessary and in a systematic way. In the absence of a joint Data Protection and Freedom of Information regime, there needs to be careful consideration to ensuring a proper balance between the two values of privacy and openness which does not stifle Freedom of Information early on. We recommend that the Government clarify to what extent it believes that the Data Protection Bill will work to prevent access by third parties to information about an individual, and how it is proposed that the Data Protection Bill is to provide the protection for the individual's right to privacy against the right to information held by the Government.

Access to personal information

17. Besides protecting the individual's rights of privacy, the Data Protection Act is also the vehicle for a certain type of Freedom of Information. The Data Protection Act 1984 gives individuals the right of access to information relating to themselves which is held on computer. Under the new Data Protection Bill they are also to gain the right of access to information relating to themselves held in ordinary (or "paper" or "manual") files. (The box opposite shows the main provisions concerned.) The Freedom of Information Act, when enacted, is, in addition, supposed to give individuals another system of gaining access to information which directly relates to them. The Government has argued in the White Paper that it should therefore be possible for anyone to find out what is held by public authorities about themselves under either the Data Protection Act or the Freedom of Information Act. There would in other words be considerable overlap between the two regimes: they will, according to the White Paper, cover the same ground in providing access for an individual to data held about them by public authorities. This raises the possibility of a confusing and messy patchwork of different provisions under which one may obtain access to one's own file. How the system works for individuals is crucial: overseas experience suggests that a great majority of requests are likely to involve personal information. The White Paper suggests that these problems can be overcome. It says that "as far as is practicable, we will align the systems for access to personal information under Data Protection and Freedom of Information. This is likely to include the means of access, time limits for reply, charges and appeals... In addition the Government proposes that public authorities will have a duty to ensure that any significant difference between the two regimes is made known to any applicant who might be affected by such a difference".[25]

18. The access rights in the two pieces of legislation, however, will be very different. The Freedom of Information Bill will allow access to all records; the Data Protection Bill as introduced will allow access only to computerised, or "structured" personal files—information arranged "either by reference to individuals or by reference to criteria relating to individuals, in such a way that particular information relating to a particular individual is readily accessible" [clause 1]. The two pieces of legislation will have different exclusions and exemptions. For example, personal data processed for purposes of the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty is exempt from the right of access to personal data under the Data Protection Bill in any case where disclosure would prejudice those purposes [clause 28]—a straightforward exemption based on a test of harm. Under the Freedom of Information Bill some of the same data may be completely excluded as information relating to the investigation and prosecution functions of the police, prosecutors and other bodies carrying out law enforcement work; or it may be exempt because it could "substantially harm the effectiveness of law enforcement or encourage the avoidance or evasion of tax"; or it may be disclosed because it would not cause substantial harm or because it was in the public interest to disclose it. Again, under the Data Protection Bill, a Minister will be able to issue a certificate exempting certain descriptions of personal data from most of the provisions of the Act on the grounds of national security; there will, however, be an appeal to the Data Protection Tribunal on the grounds that the decision to issue the certificate was not reasonable [clause 27]. 
The same information could be totally excluded from the Freedom of Information Bill, and therefore placed beyond the possibility of reference to the Information Commissioner, because it relates to the security services; or it could be exempt under the "national security" specified interest. An individual searching for personal files is likely to be left bewildered. Just as likely, the Information Commissioner and Data Protection Registrar[26] may make incompatible decisions in similar areas. The Data Protection Registrar told us that her "biggest worry is [that] slight differences in emphasis in the two bits of legislation may lead two statutory bodies to what amounts to conflict simply over definition of terms".[27]







ACCESS TO PERSONAL INFORMATION UNDER THE DATA PROTECTION BILL

Clause 7(1):

"7.—(1) Subject to the following provisions of this section and to section 8, an individual is entitled—

(a)  to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b)  if that is the case, to be given by the data controller a description of—

(i)  the personal data of which that individual is the data subject,

(ii)  the purposes for which they are being or are to be processed, and

(iii)  the recipients or classes of recipients to whom they are or may be disclosed,

(c)  to have communicated to him in an intelligible form—

(i)  the information constituting any personal data of which that individual is the data subject, and

(ii)  any information available to the data controller as to the source of those data, and

(d)  where the processing by automatic means of personal data of which that individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2) A data controller is not obliged to supply any information under subsection (1) except in response to a request in writing and on payment of such fee (not exceeding the prescribed maximum) as he may require".

The various exemptions to this are set out in Clauses 27 to 37 (which include a power to make further exemptions). The chief headings under which exemptions may be used are: safeguarding national security; prevention or detection of crime; the apprehension or prosecution of offenders; and the assessment or collection of any tax or duty.

19. In fact, we discovered in the course of our inquiry that it may be impossible to have Data Protection and Freedom of Information regimes covering the same areas in any case. The Cabinet Office told us in April that their most recent legal advice was that overlapping Freedom of Information and Data Protection regimes would be legally undesirable.[28] The Lord Chancellor confirmed this: "we will of course need to dovetail the legislation in due course. It will be necessary to bring together in a sensible way individual rights of access to public sector personal data about individuals. There is more than one possible way of doing this, and the Government is considering the best way forward".[29] If there is to be no "overlap", there should be only a single regime for access to one's own personal information—at least where it is held in the form covered by the Data Protection Bill. In effect, this will mean that all requests by a person for access to information about him or herself will be dealt with under the Data Protection Act; requests for access to information about others will be dealt with under the Freedom of Information Act.

20. This is a fundamental change in the scope of the Data Protection Bill, and its relationship with Freedom of Information to be putting forward at such a very late stage. It will greatly extend the scope of the Data Protection Bill, and reduce the scope of the proposed Freedom of Information Bill, if Freedom of Information is no longer to cover access to personal files. It will also greatly increase the responsibilities of the new Data Protection Commissioner, and correspondingly reduce those of the Information Commissioner. In future the champion of individuals' access to their personal files will be the Data Protection Commissioner and not the Information Commissioner. This gives us cause for concern because in the past the Data Protection Registrar has proposed that she should concentrate her limited resources on major data systems and high risk data processing, leaving individuals to pursue their claims for subject access through the courts.[30] The DPR's operations have not been previously oriented towards assisting individuals to gain access to their own files. Such requests form only ten per cent of her complaints caseload, and she lacks the resources to help individuals to enforce access when it is denied.[31] The Data Protection Act itself is not oriented towards subject access. That is apparent from its title, which is about the denial of access, and from the convoluted language of its access provisions (see the box on page xxi). If the Government wants a simple, accessible regime for individuals to see their own personal files, the Data Protection Act does not readily provide it. Furthermore, under the Data Protection Bill, although the Registrar can issue an enforcement notice to order a data controller to permit access to the information requested, the data controller may appeal on very wide grounds to a Data Protection Tribunal to try to prevent access [see clause 47]. 
Under the Freedom of Information proposals, there will not be a similar right of appeal against the Information Commissioner's determination, and this should make access more likely. We recommend that if the Data Protection Registrar is really going to provide the only means of enforcing access to information held by a public authority about oneself then she should be enabled to fulfill this role at least as effectively as the Information Commissioner could do under the Freedom of Information legislation. This means that the provisions in the Data Protection Bill relating to access to personal information should give rights of access by individuals at least as great as those proposed in the Freedom of Information White Paper, and should avoid placing obstructions in the way of that access (for example by allowing appeals against the Registrar's decision to force disclosure) greater than those presented in the Freedom of Information Bill.

21. We freely acknowledge that finding a workable balance between the right to privacy and the right of access to information is bound to be difficult. Some of the problems we have discussed might have been averted by taking a decision to legislate on Data Protection and Freedom of Information jointly, perhaps by dealing with the two regimes in a single Bill, or at least in two Bills that might have been considered in Parliament close together. We accept that there were problems doing this, as the Data Protection Directive required legislation by October 1998: but it would not have been impossible to overcome that hurdle. We regret that an opportunity was not taken to consider joining the Freedom of Information and Data Protection regimes in order to make a more coherent and more workable system for access to personal information. We are most unhappy that the Government has been so vague about the relationship between the Freedom of Information proposals and the Data Protection Bill, and that it seems that it has not until very recently got to grips with the problems involved in reconciling the two. It is essential that the conflicts we have identified are resolved, and resolved soon. There must be a simple and comprehensible system for individuals to gain access to their own information, which avoids the complexities presented by differing access regimes and ensures that the right of access is effectively enforced.

Third party appeals

22. The White Paper asks for views on whether a mechanism should be established to allow third parties to appeal against decisions to release information which they believe would cause "substantial harm" to their interests.[32] As the Data Protection Registrar pointed out, Article 6 of the European Convention on Human Rights says that "in the determination of his civil rights ... everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law".[33] It seems difficult, therefore, to prevent such a system of appeal even if it were wished to do so. We agree that a system of appeals for third parties is essential. This does, of course, cause a number of practical problems. DSS have a great difficulty with it: the process of providing access to records could be complicated and delayed if the third party or parties had to be consulted about the release of their information in each case. "The Department will therefore be keen to explore the scope for procedures to avoid, as much as possible, the need to contact third parties at the time an access request is made. Letting third parties know in advance that information may be disclosed could be one way forward... Where a third party is aware of the possibility of disclosure there should be no need for further contact following an access request".[34] DTI make a similar point: "we would not wish, in the extreme, to be required unnecessarily by the Act to ask third parties whether they would object to the disclosure of information which they had provided to the Department in circumstances where the information was manifestly suitable for public consumption (eg was already in the public domain) and where the third party clearly could have no sustainable objection to its further promulgation".[35] It may be difficult to find the third party concerned; the public authority may not have a contact address for the person. 
Appeals would need to be heard before disclosure, and there may, in some circumstances, be compelling reasons to release information before an appeal can be dealt with. We are also concerned about the possibility of accidental or wrongful disclosure of commercial or other confidential information which causes damage or distress, and the legal implications this would have. It is not clear from the White Paper whether this possibility has been fully considered.


16  Ev. p.124.

17  Ev. p.188.

18  Article 1 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

19  Q.293.

20  Committee of Ministers of the Council of Europe, R(81)19.

21  Q.210; see also Ev. p.154.

22  Q.211.

23  Min of Ev. p.59, para. 7.2.

24  para. 4.13.

25  para. 4.11.

26  The Data Protection Registrar will become the Data Protection Commissioner under the provisions of the Bill. For the sake of simplicity, the Office is referred to as the Data Protection Registrar throughout this Report.

27  Q.199.

28  See Annex 2.

29  Unprinted letter from Lord Irvine to the Chairman of the Committee, 26 April 1998.

30  Our Answers, Data Protection Registrar, July 1996 paras. 1.8 and 8.2.

31  Ev. p.188.

32  para. 5.19.

33  Min of Ev. p.60, para. 8.3.

34  Ev. p.10.

35  Ev. p.14.


 

© Parliamentary copyright 1998
Prepared 21 May 1998