The contents of this e-mail are confidential and may be privileged. Please refer to the notice at the foot of this e-mail before reading any further.
I enclose a section of our newsletter on the Durant case which dealt
with this.
TEXT BEGINS
FOI and the right of access by anybody
For public sector bodies only, the Freedom of Information (FOI)
legislation adds a
further layer of complication, in that all recorded personal information
with an
individual as its focus, irrespective of structure, will be personal
data and subject
to the right of access and correction by the individual concerned (from
January
2005, when the FOI legislation comes fully into force for most UK public
authorities).
All information held by a public authority will, subject to an
exemption, also be
accessible either via the 1998 Act or under FOIA. This is how it will
work.
The FOIA enacted by the Westminster Parliament modifies the definition
of "data"
under section 1 of the 1998 Act so that "data" now covers all recorded
information held by a public authority, whether electronically or on
paper, while
"information" under section 84 of FOIA must also be recorded
information. So as
soon as FOIA is in force, "data" under the 1998 Act will also be
"information"
under FOIA and vice-versa.
Recorded information which is not personal data under the 1998 Act will
nevertheless be information under FOIA, so any recorded information held
by a
public authority must either be accessible via the 1998 Act or under
FOIA (subject
to exemptions, of course). The Scottish FOIA works in the same way.
Note that if recorded personal information which does not have an
individual as
its focus is not personal data, then this personal information will be
accessible by
any applicant under FOI rules (i.e. subject to an FOI exemption).
However, because
of the nature of public sector work, there is a very often a duty of
confidence
towards the individuals in connection with their interaction with a
public authority.
In most cases, recorded information about that individual which is owed
on duty
of confidence will be personal data.
But let us suppose that there is a class of personal information which
is about an
individual, but which nevertheless does not qualify as personal data,
and the
individual concerned is owed a duty of confidence. In such a case, an
applicant for
information under FOIA who is not the individual to whom the duty of
confidence
is owed can expect to find the exemption which relates to
confidentiality being
applied to bar access.
But this exemption is not available to the public authority where the
applicant is
the individual who is the subject of the information - it will not be a
breach of
confidentiality to disclose confidential information about the applicant
to the
applicant.
In other words, under FOIA an applicant who is an individual the subject
of the
information will gain access to all his personal information, subject to
the
application of relevant exemptions. But we do not expect any
confidential
information about individuals to leak into the public domain as a result
of an FOI
right of access to information.
Does FOI create a gap?
In the case of public authorities, there are concerns that personal
information
which pre-Durant could have been considered to be personal data, could
become
subject to disclosure in response to a FOI request from any applicant.
Take the minutes of a public authority meeting, which name the
individuals
attending and the decisions they were involved with - and suppose for
simplicity
that the decisions do not relate to another individual (i.e. we are not
dealing with
a decision such as one to suspend Joe Soap from work, or to pay Jim
Smith an
extra five hundred pounds). Suppose the minutes state that "Fred Bloggs
attended
a meeting at which it was decided to buy cement from the Barnsley Cement
Company" and this is followed by details of the cement order.
In our view, a recorded name concerning a living individual in this
context amounts
to personal data (and there could be other bits of information about
Fred set out
in the minutes which will be his personal data). The data protection
interface could
be applied to the name (and any other personal data); this could result
in the name
being redacted.
This is not the result achieved by following the OIC's advice (with
which we
disagree). He has gone on the record to say that "Where an individual's
name
appears in information the name will only be personal data where its
inclusion in
the information affects the named individual's privacy" and that "mere
reference
to a person's name where the name is not associated with any other
personal
information" is not "normally" personal data".
On that basis the names of officials could be released to applicants
because they
would not be personal data of the individuals so named and therefore
exempt
under the FOI rules.
The argument, based on the this advice, would be as follows. Consider
the court's
test to determine whether there are personal data about Fred Bloggs. To
be
personal data, the data have to focus on a specific individual (NO - the
focus of
the data is on a cement order), and have to contain information which is
"biographical in a significant sense" (NO - the data are about a cement
order and
mention of Fred Bloggs in conjunction with the order is an incidental
factor). Do
the data comprise information that "affects his privacy, whether his
personal or
family life, business or professional capacity?". If there is no special
significance in
Fred Bloggs being mentioned in conjunction with the order, then the
answer is
"no". It follows that the there is no reason founded in data protection
why the
name of the individual making the order should not be released.
Of course, where there are reasons why the information about who made
the
order or who was present when the decision was taken, is significant
(e.g. because
Mrs Bloggs owns shares in the Barnsley Cement Company), such that the
information could impact on Fred's privacy, then the information about
who made
the decision is personal data. The circumstances will need to be tested
in each
case.
-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Watson, Patrick
Sent: 08 September 2004 08:28
To: [log in to unmask]
Subject: Re: Interaction between DPA and FOI
The point that I am trying to clarify is whether chronologically
maintained manual personnel files escape disclosure under both the DPA
and FOIA. When I put this to OIC I was told that chronologically
ordered manual personnel files did not meet the definition of a relevant
filing system and were not disclosable. I then asked whether a data
subject could access this same personnel file under FOIA and was told no
as it contained personal data. The OIC cannot have it both ways.
There is no doubt that manual personnel files are crammed full of
personal data and this makes the Durant decision illogical. Personnel
files probably hold more personal data than any other file in the
organisation and current and former staff will find bizarre that they
cannot get any form of access to it under DPA or FOIA. Have we got a
situation that excludes this employment area from any effective scrutiny
by data subjects.
Patrick
-----Original Message-----
From: DREW Nic [mailto:[log in to unmask]]
Sent: 07 September 2004 15:32
To: [log in to unmask]
Subject: Re: [data-protection] Interaction between DPA and FOI
FOIA introduces a new category of data (category e ) into the DPA, but
only for public authorities. This category will widen access to personal
data,that Durant might have prevented, but has an exemption for access
to personnel data. See sections 68 and 69 of the FOIA.
Nic
-----Original Message-----
From: Watson, Patrick [mailto:[log in to unmask]]
Sent: 07 September 2004 10:56
To: [log in to unmask]
Subject: Interaction between DPA and FOI
Can colleagues help me to clarify some issues relating to the
interaction between data protection and FOI. Many manual files
including personnel files do not meet the Court of Appeal (Durant)
definition of a relevant filing system and are therefore not disclosable
under the subject access provisions of the DPA. If a file is not
considered to be personal data then what access is there to this file by
the data subject through FOI?
Thanks
Patrick
Email has been scanned by www.emf-systems.com for viruses and SPAM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Email has been scanned by www.emf-systems.com for viruses and SPAM
Email has been scanned by www.emf-systems.com for viruses and SPAM
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
________________________________________________________________________
____________________________
This e-mail has been scanned for all viruses by Star Internet using
MessageLabs SkyScan services. For more information visit:
www.star.net.uk.
________________________________________________________________________
______________________________
We are delighted to announce that Masons has been shortlisted for recognition in this year's LOTIES Awards (Legal Office Technology Innovation Awards).The annual awards are organised by In Brief Magazine. We would be grateful if you would take five minutes to vote for us!
Voting closes on 22nd October. Please visit
www.masons.com/php/page.php?page_id=eloties4400 for further details
If you have received this e-mail in error, do not use the contents of the e-mail or disclose it to any other person. Please notify us by reply, or telephone our London office on +44 (0) 20 7490 4000, and then delete the e-mail. We believe, but do not warrant, that this e-mail and its attachments are virus-free, but you should check. Masons may monitor traffic data of both business and personal e-mails. By replying to this e-mail, you consent to Masons' monitoring the content of any e-mails you send to or receive from Masons. Masons is not liable for any opinions expressed by the sender where this is a non-business e-mail.
Masons is an international law firm with offices in London, Bristol, Edinburgh, Glasgow, Leeds, Manchester, Brussels, Hong Kong and Shanghai. Further information about the firm and a list of partners are available for inspection at 30 Aylesbury Street, London EC1R 0ER or from our web site at www.masons.com. Each of our offices is regulated by the relevant local law society.
This e-mail has been scanned for all viruses by Star Internet using MessageLabs SkyScan services. For more information visit: www.star.net.uk.
_________________________________________________________________________________________
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|