When Worlds Collide: The interface between Freedom of Information and the Data Protection Act regard - PowerPoint PPT Presentation

1 / 25
About This Presentation
Title:

When Worlds Collide: The interface between Freedom of Information and the Data Protection Act regard

Description:

SIC = only FOI, not DP as DP = national matter. So: Will SIC obtain policy on personal data ... SIC: personal data relating to professional, not personal lives! ... – PowerPoint PPT presentation

Number of Views:236
Avg rating:3.0/5.0
Slides: 26
Provided by: drrenat
Category:

less

Transcript and Presenter's Notes

Title: When Worlds Collide: The interface between Freedom of Information and the Data Protection Act regard


1
When Worlds Collide The interface between
Freedom of Information and the Data Protection
Act regarding health data Dr Renate Gertz AHRC
Research Centre School of Law University of
Edinburgh
2
The legislation
  • 11 January 2005 Freedom of Information
    legislation England Scotland
  • Purpose
  • General right of access to information held by or
    on behalf of public authorities
  • Promoting culture of openness and accountability
    across public sector

3
cont.
  • 2000 Data Protection Act 1998 came into force
  • Purpose
  • Protects personal data against unlawful
    disclosure to third parties
  • Promotes a spirit of confidentiality.

4
Exemptions to FOI
  • Reasons for withholding information ? exemptions
    from the right to know.
  • Absolute exemptions will always prohibit
    disclosure
  • Qualified exemptions public interest test -
    public interest in maintaining the exemption must
    outweigh public interest in disclosure.

5
The link between the Acts
  • Section 40 section 38 personal data
  • For definition, referral to the Data Protection
    Act
  • ? linking the two Acts

6
Personal Data
  • Personal data
  • S. 1- personal data data which relate to a
    living individual who can be identified- (a) from
    those data, or (b) from those data and other
    information which is in the possession of, or is
    likely to come into the possession of, the data
    controller.
  • S. 2 sensitive personal data personal data
    consisting of information as to (e) his physical
    or mental health or condition ...

7
Personal Data cont.
  • The result
  • Two diametrically opposed pieces of legislation
    spirit of openness v. spirit of confidentiality
  • Two sides of the same coin
  • The problem
  • To find a sensible way of agreeing on a feasible
    compromise

8
The first health data case
  • Common Services Agency (ISD) v Collie
  • Information on childhood leukaemia cases (0-14
    years) in Dumfries and Galloway by year and
    census ward
  • Grounds for refusal combination of rare
    diagnosis, specified age group, small area, low
    numbers identifiability personal data
  • SIC personal data, but barnardised version to
    be provided
  • ISD appeal to the courts.

9
Implications of Collie
  • pure FOI issues
  • powers of the SIC
  • Data Protection FOI interface issues
  • What are personal data?

10
  • Pure FOI Issues

11
FOI Issues
  • S.1 (4) The informationis the information held
    at the time the request is received
  • SIC data to be barnardised still data held?
  • What power does the SIC have?
  • Power to order authority to release data it does
    not hold?
  • Power to instruct authority to do something to
    data so it can be released? s. 15(1) A
    Scottish public authority must, so far as it is
    reasonable to expect it to do so, provide advice
    and assistance to a person who proposes to make,
    or has made, a request for information to it.
  • ? Power to order barnardisation?

12
Implications beyond Collie
  • S 15 to provide advice and assistance
  • How far does this go?
  • What about data not held in a form that can be
    handed over to applicant?
  • Duty to analyse data and arrange into table?
  • Data integration consequences?

13
  • FOI DP Interface Issues

14
Preventing identifiability
  • Most commonly recognised anonymisation
  • Problem legally acceptable level of
    anonymisation Is barnardisation sufficient?
  • Problem connectivity
  • Spirit of DP would prohibit disclosure
  • Spirit of FOI promotes disclosure
  • Tension at interface between regimes Solution
    to substantially remove risk of identification?
    Again What is acceptable?
  • Problem definition

15
Defining personal data
  • Durant case precedent focus on an individual
    or be of biographical significance for the
    individual concerned
  • October 2005 European Commission UK before ECJ
    if personal data definition remains too narrow,
    not in line with the Directive!
  • FOIA refers to DPA will Durant continue to
    provide yardstick for both Acts? ? Ruling against
    UK will affect both England and Scotland.

16
cont.
  • Practical difficulty England, Information
    Commissioner both DP FOI new policies
    applied by one office
  • SIC only FOI, not DP as DP national matter.
  • So Will SIC obtain policy on personal data from
    England before being able to apply it to Scottish
    FOI appeals, because unacceptable if differing
    interpretations of personal data were to
    emerge.

17
Data protection principles
  • 2 new cases requesting surgeon mortality rates
  • Required breach of DP principle fair
    processing
  • SIC personal data relating to professional, not
    personal lives!
  • Problem DPA and FOIA guidance on fairness
    principle differs
  • Applying DPA guidance to FOI unproblematic
  • Applying FOI guidance to DPA direction of
    referral DPA does not refer to FOIA!! New
    legislation trumps old, but what about guidances?

18
  • Collie and the Court of Session

19
The issues
  • In its opinion, the Court of Session discussed
    two main issues
  • 1. Can Barnardised data be considered as held
    by the CSA and are thus the raw data just
    presented in a particular form, or are they
    different data which the CSA was not obliged to
    offer Mr Collie?
  • 2. Do the Barnardised data fell under the
    personal data exemption in section 38 of the
    FOISA in connection with the DPA?

20
Held or not held?
  • The Courts decision
  • Raw data would allow identification in which ward
    a child was diagnosed in any year.
  • Data can be treated to conceal the actual numbers
    e.g. a table containing yes and no in the cells
    , showing whether there had been any diagnoses in
    this year and ward ? shifting focus from
    incidents to incidences ? does not create
    information differing from the raw data.
  • The same for Barnardisation, while at first
    sight, a material change seems to take place,
    the intelligent reader will also be informed by
    a relative footnote that the numbers which he or
    she sees have been Barnardised and so cannot be
    regarded as true numbers. ? Barnardisation
    provides no different information. Result
    Barnardised data is different from the raw data
    only in presentation, not in kind, thus data
    held by the CSA.

21
Personal data or not?
  • Court agreed with the submissions of the SIC,
    stating that the focus had moved away from
    individual children to the more general incidence
    of disease in particular wards in particular
    years.

22
Does that make sense???
  • No, and heres why
  • Court stipulates that Barnardised data are no
    different from the original raw data, only
    presented differently.
  • Court then explains that while original raw data
    are personal data, Barnardised data are not, as
    their focus has shifted.
  • Inconsistency in the Courts reasoning If
    Barnardised data are no different from the raw
    data, then how can the raw data be classified as
    personal data, while the Barnardised data do not
    fall into that category?
  • Only possible way is to assume that the shift in
    focus away from individuals is caused by the
    different presentation. Highly unlikely, when one
    considers the far-reaching consequences the shift
    in focus has for the personal data question and
    the statement by the Court that the different
    presentation does not result in different data.

23
A costly analysis
  • If a public authority holds data, it holds them
    in any imaginably analysed form, as long as the
    costs for analysis dont exceed 600.
  • What if numerous requests come in for the same
    data in a variety of analysed forms?
  • Authority may never have intended this particular
    analysis AND summarised costs may exceed the
    budget!

24
Disclosive but not personal?A gap in the
legislation
  • Disclosive data dont fall under personal data
    but allow conclusions to be drawn to identity of
    data subjects
  • Example FOI request for all postcodes in
    Scotland with no incidences of a condition No
    data subjects no personal data, but effectively
    request for postcodes where condition has been
    diagnosed. ? zero cells in a barnardised table
    are disclosive of incidences of the disease.

25
Next step
  • and to the House of Lords we go!
  • Bets have been placed.
  • So Watch this space!!!
Write a Comment
User Comments (0)
About PowerShow.com