Select Committee on Public Administration Memoranda


MEMORANDUM 2

Submitted by the Data Protection Registrar

1.  INTRODUCTION

  1.1  This paper sets out the initial views of the Data Protection Registrar ("the Registrar") based on a reading of the draft Freedom of Information Bill ("the draft Bill"). The Registrar may produce a supplementary paper following the forthcoming public debate.

  1.2  The Registrar welcomes the publication of the draft Freedom of Information Bill as a step forward in the progress towards introducing a statutory Freeedom of Information regime. She also welcomes the period of consultation introduced by the publication of the draft Bill and looks forward to participating in the public debate on this issue.

  1.3  The Registrar has focused her comments on the draft Bill on those issues where:

    —  there is a direct date protection or privacy interest;

    —  there are implications for her office;

    —  there are implications for her office as a future "public authority"; and

    —  the experience of her office as a regulatory body is relevant.

2.  FREEDOM OF INFORMATION LEGISLATION: ESTABLISHING THE PURPOSE

  2.1  The Secretary of State for the Home Department, Jack Straw, when making the statement about Freedom of Information to the House of Commons said, "I have spoken today of the need to balance rights. There is a right to know, a right to privacy and a right to confidentiality. For too long, we have given insufficient weight to the right to know. The proposals in the draft Bill seek to redress that balance." [133]

  2.2  Data protection and freedom of information can be seen as complementary rights, with the potential to be mutually supportive in practice. Data protection provides the individual with access to the individual's personal information and Freedom of Information provides the applicant with access to a wider range of information held by public authorities. Where personal information is involved these two rights also interact. A concern—for both data protection and privacy advocates and for Freedom of Information advocates—is where the balance between the two rights will be set and whether in practice one will come to dominate. Although the Registrar recognises that the issue of where the balance should be set is a matter for Ministers and Parliament, her view is that the two rights should be of comparable weight as far as possible, so that the point of balance between the two properly reflects the particular circumstances being considered.

  2.3  The draft Bill establishes how the data protection and freedom of information regimes are to interact but it leaves the balancing point to be established by those implementing, and those overseeing, the regime, as they decide between data protection and privacy interests, and the public interest in disclosure in particular cases. At present the Registrar believes the balance favours data protection and privacy. It is right that the existing protection for personal information should continue and that the data protection legislation should determine the apporach to disclosure of personal information under the Freedom of Information regime.

  2.4  The Registrar's view is that it would be desirable to have greater clarity about the intention of the Freedom of Information legislation. United Kingdom data protection legislation is underpinned by international instruments: The Council of Europe Data Protection Convention[134], the EU Data Protection Directive 95/46/EC[135] and the European Human Rights Convention[136]. These provide a context which can be considered when decisions have to be made or when doubt exists as to the purpose of the legislation. There will be no equivalent underpinning of the United Kingdom's Freedom of Information legislation. The Freedom of Information regime will be determined exclusively by the United Kingdon legislative framework.

  2.5  The Government's stated approach is to encourage openness. The White Paper Your Right to Know[137] stated "The purpose of the Act will be to encourage more open and accountable government by establishing a general statutory right of access to official records and information". The Consulation Paper states "Freedom of Information" is an essential component of the Government's programme to modernise British politics. This programme of constitutional reform aims to involve people more closely in the decisions which affect their lives. Giving people greater access to information is essential to that aim . [138]The draft Bill establishes a "general [statutory] right of access to information held by public authorities",[139] but there is nothing in the draft Bill itself which sets this in a broader context or indicates that the Bill is an instrument promoting disclosure. It does not incorporate the policy approach that openness is to be encouraged.

  2.6  The Registrar understands that Freedom of Information legislation in some other countries includes a purposes statement. There are purposive sections in other United Kingdom legislation. A straightforward purpose statement in this Bill would be helpful to all, especially those making decisions about disclosure in relation to any exemption, not just the personal information exemption. The Bill would benefit from such a statement; there could be no ambiguity about what was intended.

3.  THE INFORMATION COMMISSIONER: OVERSIGHT OF TWO REGIMES

  3.1  The Registrar supports the proposal to establish a new Office of Information Commissioner, who will have oversight of both the Freedom of Information legislation and the Data Protection Act 1998 ("the 1998 Act"). Both laws relate to aspects of information policy and they come together at the point where personal information is considered for disclosure.

  3.2  Technology provides the means, and policy initiatives, such as "Modernising Government"[140], the impetus to develop and adopt integrated electronic information handling practices. Bringing together two elements of information policy in a single office recognises the current drive towards integration of information handling and provides a further argument for pursuing an integrated approach. There is value for all affected by both Freedom of Information and data protection legislation, whether as public authorities, data controllers, applicants or data subjects, in having a single point of contact for information and advice about both.

  3.3  The Information Commissioner, like the Data Protection Commissioner, has a statutory duty to promote good practice by public authorities and to disseminate information about good practice, as he considers appropriate. The Information Commissioner may also give advice on good practice. [141]The Registrar welcomes the strong role for good practice within the Freedom of Information regime and the way this mirrors the approach in the data protection legislation. The Information Commissioner will be able to provide an integrated, coherent approach to good practice, bringing together the different strands of information handling covered by both regimes. This should benefit public authorities and data controllers.

  3.4  Another benefit from bringing both regimes under the oversight of one Information Commissioner will be evident where decisions about third party access to personal information require review by the supervisory authority. Such decisions raise data protection and privacy issues. The possibility of institutional conflict which would exist were there to be separate Commissioners for Freedom of Information and data protection matters is avoided. Working within one institution should allow more focused and effective consideration than working across institutional boundaries. Any tension will be contained within the institution. Making the actual decision about where the balance should lie between data protection and freedom of information in a particular case will not be less difficult because there is one Commissioner. However, with experience and understanding of both issues in-house the decision process itself should be eased.

  4.1  It is right that all access to personal information should involve reference to the 1998 Act, which implements the EU Data Protection Directive 95/46/EC. The Registrar supports this general approach but has concerns about the complexity of the draft Bill's proposals in practice. (These are summarised in Appendix I.) The draft Bill's general approach seems to be based on the assumption that a request for information will fall clearly into a request for information about the applicant or a request for third party information. This is unlikely always to be the case. (A description of what this might mean in practice in Appendix II.) A degree of complexity in the interface arrangements between freedom of information and data protection regimes is inevitable. The issue is whether the draft Bill would produce an unnecessarily complicated interface in practice. The Registrar is concerned that any complexity should be kept to the absolute minimum. Access rights should be easy to administer and simple to understand.

Subject Access

  4.2  Ensuring that all requests for personal information by the individual to whom the information relates are treated as subject access requests is the most appropiate way of dealing with these. A practical problem arises from the extension of the scope of the 1998 Act to cover the extra personal information held by public authorities and the subsequent removal of many of the 1998 Act's key provisions from these data. An unnecessary level of complexity is introduced for both public authority and data subject by this. Where an individual has received a subject access response that includes information falling within the unamended 1998 Act and also information falling within the newly added category, there will be two different sets of rights in relation to the two different sets of data. This approach might provide a simple and straightforward access right, but the situation concerning other rights is neither simple nor straightforward. A simple, clearer approach would be preferable.

  4.3  It would be simpler in practice as well as in the Registrar's view more desirable in principle to apply the 1998 Act in its entirety to the extra information brought within the scope of the 1998 Act. However, there is a case for treating unstructured personal data differently as by definition it would be difficult for public authorities to identify these. Applying the boundary at the structured/unstructured point would be more sensible in practice than applying the boundary at the unamended 1998 Act/additional category point as set out in the draft Bill.

Third Party Access

  4.4  It is relatively straightforward to explain the conceptual basis for the interference arrangements where third parties have requested access: the subject access exemptions determine whether personal information can be withheld from the individual whose information it is; the Data Protection Principles and any applicable section 10 notices govern the general disclosure of personal information under the 1998 Act. It is appropriate that these provisions should determine whether information should be withheld from third parties under the exemption for personal information. However they are likely to prove complicated to operate in practice. It is the Registrar's view that in practice very little information is likely to be disclosable under these provisions. For example, in the case of sensitive personal data, the disclosable information might be restricted to information where explicit consent for the disclosure has been obtained or information is already in the public domain. It is right that personal information should be properly protected. It is a matter for Ministers and Parliament whether very limited disclosure of personal information to third parties is consistent with the objective of Freedom of Information.

  4.5  The draft Bill treats all third party requests for access to personal information in the same way. It makes no distinction between what is public and what is private. Yet it would be possible to make this distinction between an official's public activities ie between personal information relating to an official in the course of his duties, and his private life, ie that relating to him as a private individual. Drawing this distinction would permit different approaches towards disclosure of information related to public activities which might be disclosable, or to private life which should usually receive the same protection afforded to individuals not in the public service. This would extend the quantity of personal information potentially available to third parties.

  4.6  The 1998 Act already provides for those cases where a subject access response includes information about third parties. The 1998 Act sets out the circumstances where it may be reasonable to provide the information requested, if the consent of the individual has not been obtained. [142]It may be possible to use these tests for determining whether disclosure is "reasonable in all the circumstances" as the starting point for disclosures of personal information in response to third party requests. An extra test, or tests, could be added to cover the cases of disclosure of information about officials acting in their public capacity. This approach would be more economical—it would make use of an existing structure with minimal additions—and would provide a simpler approach than that outlined in the draft Bill.

Sections 55 and 56 of the Data Protection Act 1998

  4.7  There are two provisions in the draft Bill which on a straightforward practical level add to the already complicated interface arrangements. They can also be objected to on the grounds of principle. Specific provision is made in the draft Bill to ensure that section 55 and 56 of the 1998 Act do not apply to the additional category of data brought within the 1998 Act for the purposes of the Freedom of Informative regime. [143]Section 56 of the 1998 Act addresses the problem of enforced subject access and section 55 the unlawful obtaining of personal data. These offences were introduced to address specific problems within the United Kingdom. If it is an offence as set out in section 56 to seek to obtain information for the purposes specified in the manner specified, it should be the nature of the purpose and the manner of the obtaining which are the crucial factors in determining whether an offence has been committed, not the way in which the information is stored. Again in the case of obtaining information as set out in section 55, it is surely the nature of the offence and the circumstances in which the offence is commited which are the crucial factors, not the way in which the information is stored. The Registrar does not see the benefit to be derived from inclusion of these provisions and indeed believes them to be bizarre.

5.  EXEMPTIONS

  5.1  Based on her experience of enforcing the 1984 Act, the Registrar's view is that applying exemptions on a case by case basis provides the best approach to achieving the overriding data protection objective of providing subject access wherever possible. There may be an analogous situation with Freedom of Information. Subject access can be seen as the broad equivalent of the Freedom of Information access right. If the intention is to make as much information available as possivle under the Freedom of Information regime then a similar approach should be adopted. Moreover if the intention of the Freedom of Information Act is to align the data protection and Freedom of Information legislation wherever practicable then Ministers may wish to give further consideration to the extent to which the approach to exemptions reflects this objective. The greater the alignment of the two laws the easier it may be in practice for those who have to implement them side by side.

6.  ENFORCEMENT

  6.1  The Registrar strongly supports the creation of the new offence of altering etc records with intent to prevent disclosure which will apply in respect of requests made to public authorities under either the Freedom of Information or data protection legislation. [144]It will reinforce the key message that where an applicant is entitled to information under either Act that information must be provided.

  6.2  The Information Commissioner will have enforcement powers similar to those of the Data Protection Commissioner in respect of the Part I provisions: the power to serve information and enforcement notices. There will also be a power to serve a decision notice which in certain circumstances will serve the same function as an enforcement notice. The appeals procedure from such notices is similar to that set out in the Data Protection Act 1998. Failure to comply with a notice will not be an offence, as it is under the 1998 Act for all except government departments. However the Information Commissioner will be able to certify the failure to the court, where this may be dealt with as if the authority had committed a contempt of court. There is clearly a case to be made for having a parallel approach to that in the 1998 Act but there is at least a means of pursuing non-compliance with a notice. The draft Bill proposals also have the merit of providing that non-compliance with a notice by a government department can be taken a step further than under the 1998 Act.

Discretionary Disclosures

  6.3  The Information Commissioner's enforcement powers in respect of discretionary disclosures are restricted. The Information Commissioner may only ". . . (a) require the authority to make a decision in accordance with that section [14], and (b) specify matters to which the public authority must have regard in making the decision." [145]The Information Commissioner cannot require a public authority to disclose particular information. The Registrar views this limitation on the Information Commissioner's powers as a serious weakness in the enforcement system.

  6.4  The discretionary disclosure provision requires the public authority, where it is not obliged to make a disclosure, to consider making a disclosure having "regard to all the circumstances of the case, including—(a) the public interest in allowing public access to information held by public authorities, and (b) whether the disclosure to the applicant of the information in question would be in the public interest." [146]There is a balance to be struck in making this decision. This seems to be the issue considered in the White Paper Your Right To Know[147] at para 5.1" . . . Cases involving the disclosure of information are often complex and sometimes require fine judgements to be made on whether the public interest in disclosing information should or should not prevail over a competing public interest in withholding information. There is a clear need for an expert review body to exercise such judgements." There is in the draft Bill no review body for those fine decisions involving discretionary disclosures. The Registrar understands that under the Code of Practice on Access to Government Information the Parliamentary Commissioner for Administration may require disclosures of exempt information in the public interest. The Code states that in exempt categories referring to harm or prejudice ". . . the presumption remains that information should be disclosed unless the harm likely to arise from disclosure would outweigh the public interest in making the information available." [148]

  6.5  The Information Commissioner's power to require a public authority to make a proper decision in accordance with clause 14 could prove more illusory than real. Were a public authority so inclined, it could satisfy the requirement to make the decision by mechanistically working through the matters specified by the Information Commissioner. With no further action possible by the Information Commissioner balancing the public interest considerations is a matter only for the public authority.

Practice Recommendations

  6.6  Where the practice of a public authority fails to conform with the practice proposed in its Publication Scheme or in either of the Codes of Practice, the Information Commissioner's powers are restricted to the serving of a practice recommendation, which sets out the steps which, in the Information Commissioner's opinion, should be taken to produce conformity. The draft Bill does not provide for any action to be taken by the Information Commissioner where a public authority fails to implement the steps set out in the practice recommendation. The Information Commissioner would have the option of naming a public authority in, for example, the Annual Report to Parliament. Parliament could, if it chose, then take up the issue. The Registrar's view is that provision should be made in the legislation for a more immediate and sure method of pursuing any failure by a public authority to implement a practice recommendation.

  6.7  The draft Bill should also allow the Information Commissioner to specify a time limit in the practice recommendation.

  6.8  There is also no mechanism for a public authority to appeal against "the opinion" of the Commissioner as expressed in the practice recommendation. With no formal sanction following failure to implement a practice recommendation, it may be possible to argue that a right of appeal is not required. However, is it right that a public authority could be named publicly for failing to implement a recommendation, with whatever consequences might follow, when there had been no formal mechanism for the authority first to present its view to an independent body for consideration alongside the Information Commissioner's opinion?

7.  COSTS

  7.1  It is difficult to comment on fees and appropriate cost limits when these will be set in regulations. The Registrar believes a simple to administer and easy to understand system is what is required.

8.  IMPLEMENTATION AND TRANSITIONAL ISSUES

  8.1  The draft Bill sets an overall timetable for implementation. It also provides for phased or earlier implementation and transitional provisions to be made by order. Implementation is not an immediate issue with a draft Bill published for consultation and pre-legislative scrutiny. However, the Registrar's view, based in part on her experience of the continued delay in announcing a date for implementing the Data Protection Act 1998, is that a firm, fixed and realistic implementation date needs to be set sufficiently far ahead to allow proper forward planning by all parties. [149]The draft Bill's provisions provide for a flexible approach. It would be helpful to have an indication of the likely policy approach.

  8.2  The Registrar recognises that detailed transitional arrangements are likely to be dependent on the implementation policy. Although this would not seem to be a matter for the legislation, one issue that will require addressing is the point at which the Code of Practice on Access to Government Information will cease to apply. If there were to be a phased implementation and any overlap of the Code's application with the Freedom of Information regime then the arrangements should be as clear as possible. Public authorities and applications should be in no doubt about their respective responsibilities and rights.

9.  PARLIAMENTARY COMMISSIONER FOR ADMINISTRATION

  9.1  There is a potential problem involving co-operation between the Information Commissioner and the Parliamentary Commissioner for Administration which could usefully be resolved in the Freedom of Information legislation. Either Commissioner might be asked to take action by complainants about matters which fall not only within their own jurisdiction but within that of the other. It would be in the interests of the complainant if the two offices could co-operate. Without provision in the legislation the Registrar believes such co-operation could involve a breach of privacy. For the Parliamentary Commissioner it would entail breach of the duty imposed by section 11.2 of the Parliamentary Commissioner Act 1967. Although the mechanism requires further consideration and discussion, it seems to the Registrar and to the Parliamentary Commissioner, with whom she has spoken on this point, that the legislation could usefully provide for co-operation between the two offices.

10.  CONCLUDING COMMENTS

  10.1  The Registrar strongly supports the introduction of a Freedom of Information regime with a statutory right of access to information. This should be an important step in broadening the provision of rights in the information area. The Registrar hopes that when the Freedom of Information regime is finally introduced it will be recognised by all as building on the existing Code of Practice on Access to Government Information.

  10.2  The Registrar's overriding concerns are that there should be:

    —  a simple access regime, easy to understand and straightforward to administer; and

    —  an effective supervisory authority, with meaningful powers of enforcement.

  What is needed is a clear legislative framework where there is no doubt or ambiguity about the rights of applicants, the responsibilities of public authorities, and the role of the Information Commissioner. Adding a purpose statement to the legislation could contribute to that clear framework: with such a statement there could be no ambiguity about what was intended.

June 1999




133   HC Deb, 24 May 1999, c.21. Back

134   Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series 108, Strasbourg 1981. Back

135   Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities L281, Vol 38, 23 November 1995. Back

136   Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, European Treaty Series 5. Back

137   Your Right to Know: the Government's Proposals for a Freedom of Information Act, Cm3818, The Stationery Office Limited, December 1997, para 1.2. Back

138   Freedom of Information: Consultation on Draft Legislation, Cm 4355, The Stationery Office Limited, May 1999, para 2. Back

139   Draft Freedom of Information Bill, clause 8. Back

140   Modernising Government, Cm 4310, The Stationery Office Limited, March 1999 Back

141   Draft Freedom of Information Bill, clause 40(1)-(3); Data Protection Act 1998, section 51(1) and (2). 4. PERSONAL INFORMATION AND THE DATA PROTECTION ACT Back

142   Data Protection Act 1998, section 7(4)-(6). Back

143   Draft Freedom of Information Bill, clause 62(2) for section 55; clause 60(4) for section 56. Back

144   Draft Freedom of Information Bill, clause 66. Back

145   Draft Freedom of Information Bill, clause 45(2), see also clause 43(7). Back

146   Draft Freedom of Information Bill, clause 14(3). Back

147   Your Right to Know: the Government's Proposals for a Freedom of Information Act, Cm3818, The Stationery Office Limited, December 1997. Back

148   Open Government, Code of Practice on Access to Government Information, second edition (1997), Introductory section "Reasons for confidentiality" to Part II. Back

149   The Data Protection Act received Royal Assent on 16 July 1998 but at the time of writing (June 1999) no firm implementation date has been announced. Back


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries

© Parliamentary copyright 1999
Prepared 16 August 1999