Data protection and freedom of information - the interaction
- Data Protection Act 1988 (DPA)
- Freedom of Information (Scotland) Act 2002 (FoISA)
Personal information - what does the Freedom of Information Act say?
Section 38 of FoISA deals with personal information. Section 38(1) exempts absolutely personal data of which the applicant is the subject.
If the applicant is asking for information about him or herself, the FoISA does not entitle him to receive it. However, any such request automatically becomes a subject access request under the DPA and must be treated as such. This means that despite the exemption under FoISA, the applicant has a right to his or her information under the DPA.
If the applicant is asking about for information about someone else, FoISA does apply. Requests for such "third party data" can be refused if disclosure would breach any of the data protection principles (Section 38(1)(b)).
The data protection principles
The following is extracted from the Information Commissioner's 'Awareness Guidance 1 - Personal Information'.
The DPA contains eight principles which, taken together, form the basic standard to which those processing personal data must operate. The first principle requires personal data to be processed fairly and lawfully. In practice this will be the key issue when considering an application for third party data.
Disclosure would be unlawful if:
- There would be a breach of confidence. (Please note, however, that simply marking a document as confidential does not necessarily make it so.) It is likely to arise where relatively sensitive information has been provided to an authority in the expectation that it would not be disclosed. Examples include medical information or personal financial details.
- There is a law forbidding disclosure, for instance the Official Secrets Act.
The concept of "fairness" is harder to define, although in practice it ought not to be difficult to judge whether it would be unfair to someone to pass on their information without consent. The sorts of questions which should be asked include:
- Would the disclosure cause unnecessary or unjustified distress or damage to the person who the information is about?
- Would the third party expect that his or her information might be disclosed to others?
- Had the person been led to believe that his or her information would be kept secret?
- Has the third party expressly refused consent to disclosure of the information?
Private or public lives?
In thinking about fairness, it is likely to be helpful to ask whether the information relates to the private or public lives of the third party. Information which is about the home or family life of an individual, his or her personal finances, or consists of personal references, is likely to deserve protection. By contrast, information which is about someone acting in an official or work capacity should normally be provided on request unless there is some risk to the individual concerned.
While it is right to take into account any damage or distress that may be caused to a third party by the disclosure of personal information, the focus should be on damage or distress to an individual acting in a personal or private capacity. The exemption should not be used, for instance, as a means of sparing officials embarrassment over poor administrative decisions.
It is often believed that the DPA prevents the disclosure of any personal data without the consent of the person concerned. This is not true. The purpose of the DPA is to protect the private lives of individuals. Where information requested is about the people acting in a work or official capacity then it will normally be right to disclose.