FOIMan discovers that the government has an answer to ‘legitimate’ concerns over the GDPR and FOI.
One of the concerns of the Information Commissioner and many observers in relation to the General Data Protection Regulation (GDPR), is that it could potentially lead to less information about individuals being disclosed under FOI. Obviously protecting personal data is important but it shouldn’t stop legitimate public debate around things like MPs’ expenses or council Chief Executives’ pay.
The reason this is an issue is that the s.40 exemption for personal data – or at least the part of it that is most often relevant – revolves around the data protection principles set out currently in schedule 1 of the Data Protection Act 1998 (DPA). The first and most relevant of these says that data must be processed fairly and lawfully. In determining whether a disclosure of information is lawful, authorities have to consider whether it is justified by reference to a condition in schedule 2 of DPA. The condition that most often applies to FOI disclosures is that there is a legitimate interest in disclosing the information that can only be met by the disclosure. This has to be balanced against the rights of the individual. It is this condition that has led to lots of personal information about pay, expenses and so much besides entering the public domain.
The problem is that whilst GDPR more or less replicates the first principle, and the conditions as well, it explicitly says that public authorities can’t use the legitimate interests condition. In other words, potentially there could be no legal mechanism to justify disclosures of personal information in the public interest.
Schedule 18 of the Data Protection Bill 2017, the first draft of which was published yesterday, addresses this by the simple expedient of saying that as far as FOI is concerned, the GDPR bar on public authorities using legitimate interests to justify use of data can be ignored. If this survives the passage of the Bill, the gateway for lawful disclosures of personal data under FOI will remain open. Which is good news for public sector accountability.
FOIMan completes his exploration of the EIRs with an article on the reasons why requests for environmental information can be refused.
Just as with FOIA, requests for environmental information held by public authorities can be refused in specified circumstances. For the last few issues of PDP’s Freedom of Information Journal, I have been writing about the EIRs, and in the last of the series (available here) I look at the exceptions that can be used to justify withholding environmental information.
I’ve brought all three articles together to form a Guide to the Environmental Information Regulations so that you can easily access them at any time. This can be found in the drop down list under the ‘Free Resources’ section of the FOIMan site. All my PDP articles can also be found there on the ‘Articles’ page.
FOIMan examines the similarities and differences between FOIA and the Environmental Information Regulations.
A few months ago I started a series in PDP’s Freedom of Information Journal on the Environmental Information Regulations (EIRs), starting with an examination of the definition of environmental information. Here I bring you the second instalment in the series which looks at how FOIA and the EIRs differ.
I’ve just written the third and final part in the series which covers the exceptions in the EIRs. You’ll be able to read that in the next issue of the journal or right here on the FOIMan site later in the summer. Once they’re all available, I’ll put them all in one place in the Resources section so they will act as a comprehensive guide to the EIRs.
FOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.
We’re constantly submitting information about ourselves to companies and other organisations. Everytime we sign up for a new energy deal, we have to input our details. The same if we want to move bank, or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And everytime we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.
Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?
What does it do?
It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.
What does it cover?
Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).
According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include both the information supplied directly by the data subject, but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.
Some facts about portability
- you’re expected to remind people of this right whenever you collect data directly from them, and also tell them if you start collecting data by “observation” within a month
- requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
- fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
- data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
- where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
- when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
- generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
- contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
- Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
- This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
- However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
- Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
- it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many businesses in particular who haven’t worried about this that will now have to prepare for the possibility of receiving such a request.
The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:
Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.