Data Protection and Freedom of Information

GreySquirrel

The interplay between the Data Protection Acts and the FOI Acts is very relevant.

The Data Protection Commissioner uses a very broad concept of “personal data”.

The Information Commissioner uses a very narrow concept of “personal information”.

As the FOI Acts override the Data Protection Acts, “personal data” which is protected by the Data Protection Acts can be released using the Information Commissioner’s very narrow concept of “personal information”.

The Oireachtas could not have intended to give protection to a broad concept of “personal data” only to have that protection removed by the Information Commissioner’s narrow interpretation of “personal information”.

Furthermore the Data Protection Acts apply to public bodies AND non-public bodies. The FOI Acts apply only to public bodies.

So, while “personal data” in non-public bodies is fully protected, “personal data” in public bodies is not fully protected because of the Information Commissioner’s very narrow concept of “personal information”. The Oireachtas could not have intended that scenario.

RangeR

GreySquirrel wrote: »

The Information Commissioner uses a very narrow concept of “personal information”.
.
.
.
As the FOI Acts override the Data Protection Acts, “personal data” which is protected by the Data Protection Acts can be released using the Information Commissioner’s very narrow concept of “personal information”.
.
.
.
So ... “personal data” in public bodies is not fully protected because of the Information Commissioner’s very narrow concept of “personal information”.

Got any links to back that up?

GreySquirrel

Yup. I'll try and post them next week.

GreySquirrel

From the Office of the Data Protection Commissioner:


I refer to your recent email to this Office.

I can advise that this matter was raised with the Commissioner by the Joint Committee on Finance and the Public Service and he responded as follows:

"The Freedom of Information and Data Protection Acts were enacted
separately by the Oireachtas. The two legislative codes support the right of an individual to have access to personal data that a public body holds
on them. They both restrict the right of third parties (including the
general public) to have access to personal data about an individual without
that individual’s consent. In most cases, the two codes complement one
another in respect of these two rights.

The FOI Acts provide for a balancing of the rights to privacy and to public information. There may be occasions where, under FOI legislation, personal data is released on the grounds that the individual’s right to privacy should be overridden in the public interest.

The Oireachtas has explicitly provided in Section 1(5) of the Data Protection Acts that “a right conferred by (this) Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997 ….the Commission and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other”.
Section 8(e) of the Data Protection Acts provides that restrictions on the processing of personal data do not apply where this is “required by or under any enactment”.

What these provisions appear to mean in practice is that, if a decision is made under FOI legislation to release personal data, this should not normally give rise to any issue of incompatibility with DP legislation.

There are some differences between the definition of “personal information”
in the FOI Acts and “personal data” in the DP Acts. There are also differences in the detailed provisions for access by an individual to
her/his own information. The Department of Finance FOI Central Policy
Unit’s Notice No. 23 (enclosed for reference) offers guidance to public bodies on how to harmonise their approaches to granting access whether the request is made under the Freedom of Information or Data Protection Acts.
It sets out procedural arrangements which seek to ensure that those seeking information are given the best possible response to a request for their personal information regardless of which Act the request is made under.

I enclose an extract from the 2004 Annual Report of this Office which deals in more detail with the issue of the overlap between the two legislative codes.

The issue of whether the two legislative codes should be further harmonised would be a matter for the Government and the Oireachtas."

The CPU note referred to in the Commissioner's reply can be accessed at the following link:
http://www.dataprotection.ie/docs/%22Important_new_data_protection_guidance_for_all_public_/411.htm

The Annual Report extract can be accessed at the following link (page 39 - Appendix I):
http://www.dataprotection.ie/documents/annualreports/annual_report_2004.pdf

I hope that this is of assistance.

***

Maeve McDonough, Freedom of Information Law (2nd ed., Thomson Round Hall, Dublin, 2006), p.398.

From 14-28:

The approach taken by the Information Commissioner in these cases is in keeping with that adopted by the UK Court of Appeal in Durant and Financial Services Authority.41 Referring to the definition of personal data in the UK Data Protection Act 1998, viz. “data which
relate to a living individual who can be identified”, the court took
the view that in order to amount to personal data, the data|concerned must affect a person’s privacy either in the sense of
being biographical in a significant sense or having the individual
as its focus rather than some other transaction or event.

41 [2003] E.W.C.A. Civ. 1746.

***

From the Office of the Data Protection Commissioner:

I can advise that Durant does not apply in this jurisdiction and this Office follows the guidance within the Article 29 Working Party Opinion
4/2007 on personal data.