The Scottish Government

« Previous | Contents | Next »

Listen

SCOTTISH EXECUTIVE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002:OPEN LEARNING WORKBOOK

MODULE 17
INTERFACE WITH DATA PROTECTION - HOW DOES FREEDOM OF INFORMATION FIT WITH DATA PROTECTION? APPLICATION FOR INFORMATION BY THOSE OTHER THAN THE SUBJECT OF THE DATA

17.1 CONTENT AND LEARNING OBJECTIVES

This module explains how personal privacy is protected so that the right of access under freedom of information does not jeopardise people's privacy. It sets out the issues which have to be reconciled when dealing with access rights and the privacy of individuals. It explains the way this is being handled in the legislation and the reasoning behind the decision to do it in this way. The module follows on from 15 and 16. Once you have worked your way through this module you should understand:

• How there can be tensions between the rights of access and privacy
• The exemption which is applied to protect the right of privacy
• Why the exemption takes the form of a set of rules to decide whether the right of privacy or the right of access takes precedence
• How those rules apply

In this module requests which are made for information about another individual are referred to as "third party requests" for information.

SUGGESTED TIME ALLOCATION: 1 hour

17.2 LEARNING MATERIALS

Personal information the disclosure of which would interfere with the legitimate privacy of another person is exempt from the right of access. Although the aim and effect of this exemption is to protect the personal privacy of living individuals it does not refer to the protection of privacy. The exemption is set out in a rather technical way. There are three aspects to the exemption. One aspect of the exemption is absolute and the other two are non-absolute.

17.2.1 What information about people is covered?

Personal data as defined in the DPA (as extended by further legislation) are covered by this exemption. Companies or public bodies do not have a right of privacy protected by this exemption, although the confidentiality of their information may be protected under other exemptions.

17.2.2 What about information about those who have died?

In the Freedom of Information (Scotland) Act 2002 there are some specific rules which allow the public authority to protect the privacy of those who have died. This applies to the health records of those who have died and to personal information from past censuses.

These are records consisting of information relating to the physical or mental health of an individual that have been made by or on behalf of a health professional in connection with the care of that individual. It must be possible for the holder of the health record to be able to identify the individual to which it relates either from the record alone or from the record and other information held by them. Personal census information is information which relates to an identifiable person or household and was acquired as part of a census.

In both cases the information will remain unobtainable for 100 years after the relevant record was created.

Otherwise the Access to Health Records Act 1990 provides that the deceased patient's personal representative and any person who may have a claim arising out of the patient's death, may apply for that patient's health records. In Scotland, this would usually be done by the executor of the deceased person's estate. However in many cases such information will also relate to others who are still living, for example family members and their privacy rights should be borne in mind.

17.2.3 Why is the exemption arranged in such a technical way?

It reflects the protection given to personal data by the Data Protection Act 1998. There is a European Directive on data protection so the UK has to have a Data Protection Act which complies with the Directive. If the protection given to personal data was reduced because of rights of access under freedom of information, the UK could be taken to the European Court. The exemption has therefore been framed to make sure that this should not happen.

17.2.4 Is personal information exempt from all of the requirements of the FOISA?

No. Apart from the access exemption the usual rules apply such as the provision of advice and assistance, charging provisions, locating the information sought, refusals and the inclusion of information in publication schemes.

17.2.5 What are the three aspects of the exemption?

1. Personal data will be exempt if the disclosure of the information to a member of the public would breach the standards for protection of personal data in the data protection principles (See module 15 for an overview of the principles).

2. Personal data will be exempt if the authority would not provide it to the person themselves if he or she made a subject access request under the DPA. (This means that all the subject access exemptions come into consideration, including the new exemption in relation to personnel information). (See module 15 for an overview of the subject access exemptions).

3. Personal data will be exempt where the individual has lodged an objection under the Data Protection Act and that objection has been accepted by the public authority.

17.2.6 Are these absolute or non-absolute exemptions?

Where the authority is considering withholding information because it would be a breach of the principles to provide it, the exemption is absolute. However this does not mean that the authority can ignore the question of the public interest in making a disclosure. This is because under the principles the authority has to consider the fairness of any disclosure. However the presumption under the principles will be to protect privacy rather than to provide access.

Where the authority is considering withholding information on the grounds that the information would not be given to the subject or that the authority has already accepted an objection to the processing, these exemptions are non-absolute and the authority has to consider the public interest before refusing access.

17.2.7 Does the authority have to tell the applicant whether they hold the information?

Generally where a third party request is made, even if the information itself is exempt, the authority must still tell the applicant whether it holds it by serving a refusal notice.

17.2.8 If this exemption applies do I still need to look at the other exemptions?

The FOISA exemptions must also be considered as the exemption to protect personal privacy is not an exclusive one.

17.2.9 Applying the principles

It will not always be easy to decide whether a disclosure of personal information under the FOISA will be in breach of the principles. The disclosure should be regarded as being a disclosure into the public domain. The identity of the applicant or the applicant's reasons for wanting the information are not relevant to the decision whether to disclose.

The following issues should be considered when making a decision on disclosure:

• is the information subject to a legal obligation of confidence in the hands of the authority?
• does the information fall into one or more of the categories of sensitive personal data under the Data Protection Act?
• in what circumstances was the information obtained or collected? In particular was the individual made aware that the authority might be asked to disclose the information under the FOISA?
• is the individual a public figure or a private person?
• is the information concerned with the person's private life or his or her public or professional life?
• is the information to be transferred overseas?
• is the data information that the individual might object to being disclosed?
• are there strong reasons in the public interest that would make it fair to disclose even if the individual raised objections?

Overall would it be unfair to the individual in all the circumstances of the case to disclose the information?

If the authority considers that it wishes to disclose or that disclosure is a possibility it should notify the individual and take account of his or her wishes. The authority does not have to be bound by the individual's wishes but should take them into account.

17.2.10 Applying the subject access exemptions

This is a non-absolute part of the exemption, so even though an authority would be able to refuse to provide the information to the individual, it may choose to disclose under FOISA if it considers that the public interest in providing the information is sufficiently strong.

The subject access exemptions cover a wide range of circumstances ranging from cases where the provision of information would prejudice the prevention or detection of crime to withholding examination marks until the results of public examinations are announced.

Several of the exemptions are similar to ones found in the FOISA. Authorities should ensure that they are familiar with the range of subject access exemptions in the DPA.

17.2.11 Applying the right of objection

An individual who is the subject of personal data has a right under the DPA to lodge a formal objection to processing under section 10 DPA. The individual has to specify the processing in question and assert that the continued processing would cause substantial unwarranted damage or distress to him or another. A data controller must consider any such objection and notify the individual whether he is prepared to accept the notice. If the data controller is not prepared to do so the individual can apply to a court for an order requiring the controller to accept the notice.

Where there has been a gap of time between the acceptance of a notice by the authority and a request, the authority should check with the individual that the objection still stands before refusing an access request in reliance on such a notice.

17.4 SUMMARY

If someone makes a request for information about another living individual, this will be handled under the Freedom of Information (Scotland) Act, but data protection considerations will still apply. The authority will not have to provide the information

• if the disclosure would breach the data protection principles;
• if the authority would not provide the information to the data subject themselves if they requested it or if the individual has lodged an objection under the Data Protection Act which has been accepted by the authority;

If the authority decides that it may wish to disclose the information after applying these considerations, it should notify the individual and take account of their wishes. The authority does not have to be bound by the views of the individual.

17.5 KEYWORDS

17.6 REFERENCES

Section 38 FOISA Personal Information

17.7 RESOURCES

UK Information Commissioner:
www.informationcommissioner.gov.uk

17.8 SELF ASSESSMENT CHECKLIST

1. Data under the Data Protection Act 1998 is defined as information relating to any living individual who can be identified by that information, so the privacy of those who have died is not protected. TRUE or FALSE ?

2. Information acquired as part of a census is only protected from the right of access where the information relates to an identifiable person or household. TRUE or FALSE ?

3. If an individual makes a request for information about a third party under the FOISA, a public authority must consider the exemptions to subject access requests under the Data Protection Act 1998. TRUE or FALSE ?

4. If an individual lodges an objection to disclosure of information under the Data Protection Act 1998 the public authority is obliged to withhold that information if such information becomes the subject of a FOISA request. TRUE or FALSE?

5. If a request is made for information that is the subject of a section 10 objection, the authority should notify the data subject that a request has been made. TRUE or FALSE ?

Click here for answers

17.9 WHAT THEY SAID?

"When freedom of information regimes are discussed exemptions always get a lot of attention and they are perhaps, understandably, seldom popular. There is no doubt that the right of access must be carefully balanced against the right to privacy and confidentiality and the need to ensure that sensitive information is properly protected. We have sought to find the right balance and, in doing so have tipped the scales decisively in favour of openness" (Jim Wallace - MSP)

17.10 CASE STUDY

(this continues from the story in Module 16)

When Paul Hammond's wife, Mandy, was in hospital she underwent surgery which involved the use of a new technique. The technique seemed to solve her problems at the time, but over the year the problems have reoccurred, but much worse and she is now in a great deal of pain as a consequence of the operation.

One day Mandy opens the post and there is a letter from a research student asking if he can come and interview her about how the operation went and her subsequent recovery. Mandy is very upset and cannot believe that the hospital has given her details to the researcher.

Task

1. When the student contacted the hospital asking for information about third parties, what sort of request would he have made?

2. Should the hospital have contacted Mandy before it gave her details to the researcher?

3. It turns out that Mandy was given a standard document before her operation advising her that her records might be made available to researchers who might want to contact her in the future. Mandy had totally forgotten about this document. Does she have any rights to object? Was the hospital allowed to give her such a document?

4. Could the hospital have given the researcher Mandy's records after removing all references to her?

« Previous | Contents | Next »