Tag Archives: DPA2018

Personal Data and FOI: to anonymise or not to anonymise

I recently wrote a blog post covering the release of third party personal data under freedom of information laws in both Scotland and the rest of the UK. Requests which seek the release of third party personal data, or where information within the scope of a FOI request constitutes the personal data of a third party, are the most common examples of where freedom of information and data protection overlap; however, they are not the only examples.

On Friday of last week, the Herald contained a piece covering calls which had been made to anonymise FOI requests which are sent to government advisers. These calls follow on from some high profile disagreements between the Scottish Government and journalists. The allegations levelled against the Scottish Government is that ministers and their advisers are having undue influence over what information is and is not released under the Freedom of Information (Scotland) Act 2002; in particular where the request comes from a journalist. The Scottish Information Commissioner is currently carrying out an “intervention” which is looking at this matter alongside one which has a wider remit in relation to the Scottish Government’s handling of FOI requests. It is understood that the Commissioner’s Office will report its findings of these interventions in the next month or so.

These wider issues are not, however, the focus of this blog post. Rather, the focus of this blog post relates to the call to anonymise FOI requests in this way and whether this is a practice that public authorities ought to be following in any event.

The General Data Protection Regulation and the Data protection Act 2018 now govern how organisations, such as public authorities, process personal data. Reducing the data protection framework down to its most basic requirement, data controllers should not be processing the personal data of a data subject unless they have a lawful basis to do so.

When a public authority circulates a request for information, or a proposed response to a request for information, that is not stripped of the personal data of the requester then that would amount to the processing of personal data of which the requester is the data subject. What is the lawful basis of processing in Article 6 of the GDPR which enables the public authority to process the requester’s personal data in that way?  Clearly there is a need for the requester’s personal data to be processed in order to enable the response to be issued to the requester and there will no doubt be some central record which records who has made FOI requests, what the request was for and what the outcome of the request was – if only to enable the authority to respond to an internal review, appeal to the Commissioner or appeal to the tribunal/courts.

The Authority cannot possibly have the consent of the data subject to process their personal data by circulating it around the authority. Consent cannot be inferred in the way that would be necessary in order to rely upon consent. There’s no contract with the data subject which would require the processing of their personal data in this way.

Answering a FOI request is a legal obligation on behalf of the public authority, but is it necessary to provide the name of the requester to the department(s) who need to search for the information or to an official or adviser who is having in put into the response? Probably not, especially when set against the ‘applicant blind’ way in which FOI requests are supposed to be dealt with. Is it necessary in order to protect the vital interests of the data subject or of another natural person? I’d have thought it unlikely. Again, it’s unlikely to be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Finally, it’s unlikely that it would be necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In short, it’s unlikely that it is necessary for those searching for the information or considering the proposed response to know who the requester is. There are, of course, situations where a different course might be required. For example, if considering refusing the request on the grounds that it is vexatious under section 14 of the Freedom of Information (Scotland) Act 2002 or section 14 of the Freedom of Information Act 2000; it will often be necessary to speak with other areas of the organisation, especially persons responsible for handling complaints. In such circumstances it would be necessary for those being consulted to know the identity of the requester, otherwise the evidence required in order to justify reliance upon the vexatious provisions could not be gathered.

In normal circumstances, public authorities should probably be removing personal data such as a requester’s name, place of work and job title (where included) from a request before sending it out to those who need to perform searches for information or those who, in accordance with the authority’s internal procedures, need to approve responses before they’re issued. Only where the identity of the requester is directly relevant to the response, such as where consideration is being given to refusing the request on the grounds that it is vexatious, should the identity of the requester be disclosed otherwise it may amount to a breach of data protection law.

It may be relevant at this juncture to look, briefly, at the applicant blind requirement of freedom of information law. The applicant blind requirement is not specifically provided for within the relevant legislation; however, it has been understood for some considerable time that requests ought to be dealt with in a way that means that they are applicant blind.  The applicant blind requirement is often largely over-stated.  There are clearly situations where the applicant’s identity will be relevant; for example is it a request for that person’s own personal data or is it a vexatious/repeated request or are you aware of any disability which may mean that you need to make reasonable adjustments in terms of the Equality Act 2010?  If public authorities applied the applicant blind requirement absolutely and slavishly, it would cause difficulties in those situations and also in others.

The purpose of the applicant blind test is to ensure that, other than where the exemption necessitates it, the requester’s identity does not form part of the decision in whether to apply an exemption or in the application of the public interest balancing test. Anonymising FOI requests when they go out to the wider organisation or to selected individuals for comment/approval assists to ensure that the applicant blind aspect of the FOI regime is also complied with.

Alistair Sloan

If you require advice and assistance in connection with a freedom of information or data protection matter then contact Alistair Sloan on 0141 229 0880. Alternatively you can send Alistair and E-mail.

Data Protection Act 2018

Earlier this week the House of Lords and the House of Commons completed their game of ping pong with the Data Protection Bill and it completed its journey through the Parliamentary procedure; a journey which began when the Bill was introduced to the House of Lords by the Department for Culture, Media and Sport (DCMS) in September 2017.  Almost eight months later, and after quite a bit of amendment, the Bill has now received Royal Assent to become the Data Protection Act 2018.

It is expected that the various pieces of secondary legislation which are required to bring the Act into force and make transitional provisions will be signed by a Minister in the DCMS later today or tomorrow to ensure that the Act comes into force on Friday.

The new Data Protection Act 2018 does a number of things: (1) it deals with those areas within the GDPR, such as exemptions, which have been left to Member States to deal with individually; (2) applies the GDPR (with appropriate medications) to areas which are not within the competence of the European Union; and (3) gives effect to the Law Enforcement Directive (which should have been in place by the 6th May 2018, but better late than never).

Data Protection law has become much more complex than was the case under the Data Protection Act 1998; it requires individuals to look in many more places to get a proper handle upon what the law requires (and that’s before we start to get decisions from the European and domestic courts).

There has been an indication by some campaign groups that there might be an early challenge to the immigration exemption within the Bill which will have an impact upon the information that data subjects can obtain from the Home Office under the subject access provisions within the GDPR.  It will certainly be interesting to see whether such a challenge is in fact made and what the outcome of it is – and of course, we will cover any decision on that point should one be made by a court.

Alistair Sloan

If you require further information in relation any data protection or privacy law concern then please do contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on twitter for news and updates concerning data protection, privacy and freedom of information.