Guide to Information Management

June 13, 2016 | Author: chrispittman | Category: Types, Legal forms

A Guide to Information Management

An introduction to the Freedom of Information Act 2000 and the Data Protection Act 1998.

This paper seeks to set out an introduction to the obligations on public bodies that handle data which relate to their own organisations or to someone else – often called Information Governance. This is an area where common law principles, obligations under contracts and imposed professional obligations apply as well as statutory schemes under the Acts, and so it is important to understand the framework of laws which relate to information governance. This should not be taken as a definitive guide to the law on Information Governance but is designed so that lawyers will have an idea where to look next.

Professional Obligations under the GMC Code of Conduct

The obligations of professionals to respect the confidentiality of material they hold are set out in professional rules. For example, the duties on doctors regarding confidentiality start with paragraph 37 of Good Medical Practice 2006, which provides:

“Patients have a right to expect that information about them will be held in confidence by their doctors. You must treat information about patients as confidential, including after a patient has died. If you are considering disclosing confidential information without a patient's consent, you must follow the guidance in Confidentiality: Protecting and providing information”

The separate GMC Guide: Confidentiality: Protecting and providing information [1] was published in 2004 to clarify the framework in which doctors must work. The principles are explained as follows:

[1] http://www.gmc-uk.org/guidance/current/library/confidentiality.asp#1

“1. Patients have a right to expect that information about them will be held in confidence by their doctors. Confidentiality is central to trust between doctors and patients. Without assurances about confidentiality, patients may be reluctant to give doctors the information they need in order to provide good care. If you are asked to provide information about patients you must:

• inform patients about the disclosure, or check that they have already received information about it;
• anonymise data where unidentifiable data will serve the purpose;
• be satisfied that patients know about disclosures necessary to provide their care, or for local clinical audit of that care, that they can object to these disclosures but have not done so;
• seek patients’ express consent to disclosure of information, where identifiable data is needed for any purpose other than the provision of care or for clinical audit – save in the exceptional circumstances described in this booklet;
• keep disclosures to the minimum necessary; and
• keep up to date with and observe the requirements of statute and common law, including data protection legislation.

2. You must always be prepared to justify your decisions in accordance with this guidance”

Perhaps the most difficult area is where a doctor feels that disclosure must be made in the public interest, even against the wishes of the patient. The Guidance, which very largely follows the common law, provides as follows:

“Disclosures in the public interest

22. Personal information may be disclosed in the public interest, without the patient’s consent, and in exceptional cases where patients have withheld consent, where the benefits to an individual or to society of the disclosure outweigh the public and the patient’s interest in keeping the information confidential. In all cases where you consider disclosing information without consent from the patient, you must weigh the possible harm (both to the patient, and the overall trust between doctors and patients) against the benefits which are likely to arise from the release of information.

23. Before considering whether a disclosure of personal information ‘in the public interest’ would be justified, you must be satisfied that identifiable data are necessary for the purpose, or that it is not practicable to anonymise the data. In such cases you should still try to seek patients’ consent, unless it is not practicable to do so, for example because:

• the patients are not competent to give consent (see paragraphs 28 and 29); or
• the records are of such age and/or number that reasonable efforts to trace patients are unlikely to be successful; or
• the patient has been, or may be violent; or obtaining consent would undermine the purpose of the disclosure (eg disclosures in relation to crime); or
• action must be taken quickly (for example in the detection or control of outbreaks of some communicable diseases) and there is insufficient time to contact patients.

24. In cases where there is a serious risk to the patient or others, disclosures may be justified even where patients have been asked to agree to a disclosure, but have withheld consent (for further advice see paragraph 27).

25. You should inform patients that a disclosure will be made, wherever it is practicable to do so. You must document in the patient’s record any steps you have taken to seek or obtain consent and your reasons for disclosing information without consent.

26. Ultimately, the ‘public interest’ can be determined only by the courts; but the GMC may also require you to justify your actions if a complaint is made about the disclosure of identifiable information without a patient’s consent. The potential benefits and harms of disclosures made without consent are also considered by the Patient Information Advisory Group in considering applications for Regulations under the Health and Social Care Act 2001. Disclosures of data covered by a Regulation are not in breach of the common law duty of confidentiality.

Disclosures to protect the patient or others

27. Disclosure of personal information without consent may be justified in the public interest where failure to do so may expose the patient or others to risk of death or serious harm. Where the patient or others are exposed to a risk so serious that it outweighs the patient’s privacy interest, you should seek consent to disclosure where practicable. If it is not practicable to seek consent, you should disclose information promptly to an appropriate person or authority. You should generally inform the patient before disclosing the information. If you seek consent and the patient withholds it you should consider the reasons for this, if any are provided by the patient. If you remain of the view that disclosure is necessary to protect a third party from death or serious harm, you should disclose information promptly to an appropriate person or authority. Such situations arise, for example, where a disclosure may assist in the prevention, detection or prosecution of a serious crime, especially crimes against the person, such as abuse of children”

There are a few areas where there are limitations on the above public interest disclosures, in particular concerning notifiable diseases under the Public Health (Control of Diseases) Act 1984 and Public Health (Infectious Diseases) Regulations 1988 and some very specific rules for hospital doctors (but interestingly not GPs) under the NHS Trusts and Primary Care Trusts (Sexually Transmitted Diseases) Directions 2000.
Under the latter Directions NHS bodies and PCTs are under the following obligation:

“Every NHS trust and Primary Care Trust shall take all necessary steps to secure that any information capable of identifying an individual obtained by any of their members or employees with respect to persons examined or treated for any sexually transmitted disease shall not be disclosed except-

(a) for the purpose of communicating that information to a medical practitioner, or to a person employed under the direction of a medical practitioner in connection with the treatment of persons suffering from such disease or the prevention of the spread thereof, and
(b) for the purpose of such treatment or prevention”

Although breach of GMC principles will largely result in a doctor coming before the Fitness to Practise panel, the common law is influenced by professional obligations and vice versa. Thus, in W v. Egdell [1990] 2 WLR 471 the Court of Appeal considered a case where a consultant psychiatrist had disclosed a medical report to the Home Office about an offender’s dangerousness without the patient’s permission even though he had been retained as an expert for the patient and the patient’s solicitors had decided not to use the report (which was hardly surprising in the circumstances). The Court of Appeal upheld the right of the doctor to disclose as it held that:

“the maintenance of the duty of confidence by a doctor to his patient was not a matter of private but of public interest; that the public interest in maintaining that confidence had to be balanced against the public interest in protecting others against possible violence”

A common law duty of confidence

The classic definition of where the common law imposes a duty of confidentiality on a person now derives from the speech of Lord Goff in AG v. Guardian Newspapers [1990] 1 AC 109 [the Spycatcher case] where Lord Goff said as follows at 281:

“.. a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others. I have used the word "notice" advisedly, in order to avoid the (here unnecessary) question of the extent to which actual knowledge is necessary; though I of course understand knowledge to include circumstances where the confidant has deliberately closed his eyes to the obvious. The existence of this broad general principle reflects the fact that there is such a public interest in the maintenance of confidences, that the law will provide remedies for their protection”

However, it is also important now to reflect on the balance between the article 8 right to privacy and the article 10 right to freedom of expression, since these are often in direct contradiction. This contradiction has been worked out by the House of Lords in Campbell v. MGN [2004] 2 AC 457, a case involving Naomi Campbell, who sued the Daily Mirror for damages for printing pictures of her leaving a meeting of Narcotics Anonymous. It was also worked out more recently in Mosley v News Group Newspapers Ltd. [2008] EWHC 1777, a judgment of Mr. Justice Eady which is as interesting for its legal analysis as for its subject matter – well almost.

The Data Protection Act 1998

The Data Protection Act (“DPA”) requires all organisations which handle personal information to comply with a number of important principles regarding privacy and disclosure. Thus the Act applies to both public and private bodies and indeed anyone who holds information in a systematic way which relates to other people.

What is data under the DPA?

Section 1 defines “data” as follows:

“data” means information which—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, . . .
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);

Hence the definition of “data” is wider for a public authority than for private individuals.

What is processing of data?

Section 1 also defines “processing” data as follows:

“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;

Thus merely holding data even without carrying out further operations to the data is processing for the purposes of the Act.

The Act states that anyone who processes personal information must comply with eight principles in Schedule 1 of the Act. The Act also allows people to find out what personal information is held about them by making a subject access request. This covers information held electronically and in some paper records, and includes credit reference details. If members of the public think they're being prevented from seeing information they're entitled to, they can ask the Information Commissioner for assistance. The Information Commissioner's Office is responsible for looking after their rights and making sure personal information isn't misused. Complaints are usually dealt with informally, but if this isn't possible, enforcement action can be taken by the Information Commissioner.

All organisations which hold data as data controllers (and they should be registered with the Information Commissioner's office) must make sure that they comply with the Data Protection Act. The Information Commissioner provides the following kinds of guidance to find out how to comply:

• Good practice notes
• Codes of practice
• Technical guidance notes

The eight principles of data protection are set out in Schedule 1 of the DPA and are as follows:

“1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

Part II of Schedule 1 provides interpretive provisions to assist with the meaning of each of the principles. Hence for example the guidance on the sixth principle states:

“A person is to be regarded as contravening the sixth principle if, but only if—
(a) he contravenes section 7 by failing to supply information in accordance with that section,
(b) he contravenes section 10 by failing to comply with a notice given under subsection (1) of that section to the extent that the notice is justified or by failing to give a notice under subsection (3) of that section,
(c) he contravenes section 11 by failing to comply with a notice given under subsection (1) of that section, or
(d) he contravenes section 12 by failing to comply with a notice given under subsection (1) or (2)(b) of that section or by failing to give a notification under subsection (2)(a) of that section or a notice under subsection (3) of that section”

What is Personal Data?

There is a considerable debate about what is and what is not personal data. Section 1 defines personal data as follows:

“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

It is important to note that the above definition contains an “or” and so can be satisfied by either limb. The Court of Appeal expressed a limited view of the meaning of personal data in Durant v Financial Services Authority [2003] EWCA Civ 1746. In that case the Court said as follows:

“.. not all information retrieved from a computer search against an individual's name or unique identifier is personal data within the Act. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject's involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person's or body's conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity”

The ICO has offered some practical advice as follows: “A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context. By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual. (Obviously, if two John Smiths, father and son, work at the same place then the name, John Smith, and company name alone will not uniquely identify one individual, more information will be required)”

A person has a right to access personal data about themselves but not personal data about others. This is a right to data – to information – not to documents. Hence there may well be occasions where the right to access data is fulfilled even though the documents that are provided are redacted to protect the personal data of others.

In order to process personal data lawfully it is necessary for a data controller to comply with all of the provisions of Schedule 1 and at least one of the following conditions in Schedule 2. The Schedule 2 conditions are:

“1. The data subject has given his consent to the processing.

2. The processing is necessary—
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.

5. The processing is necessary—
(a) for the administration of justice,
(aa) for the exercise of any functions of either House of Parliament,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The [Secretary of State] may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied”

Sensitive Personal Data

Extra protections exist under the DPA for “sensitive personal data”. This is defined in section 2 of the Act as follows:

“In this Act “sensitive personal data” means personal data consisting of information as to—
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings”

In order to process sensitive personal data lawfully the data controller must comply with Schedule 1, one of the conditions in Schedule 2 and at least one of the conditions in Schedule 3. The Schedule 3 conditions are much tighter and are as follows:

“1. The data subject has given his explicit consent to the processing of the personal data.

2. (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) The [Secretary of State] may by order—
  (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
  (b) provide that, in such cases as may be specified, the condition in subparagraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

3. The processing is necessary—
(a) in order to protect the vital interests of the data subject or another person, in a case where—
  (i) consent cannot be given by or on behalf of the data subject, or
  (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or
(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4. The processing—
(a) is carried out in the course of its legitimate activities by any body or association which—
  (i) is not established or conducted for profit, and
  (ii) exists for political, philosophical, religious or trade-union purposes,
(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,
(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5. The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6. The processing—
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7. (1) The processing is necessary—
  (a) for the administration of justice,
  (aa) for the exercise of any functions of either House of Parliament,
  (b) for the exercise of any functions conferred on any person by or under an enactment, or
  (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
(2) The [Secretary of State] may by order—
  (a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
  (b) provide that, in such cases as may be specified, the condition in subparagraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

7A. (1) The processing—
  (a) is either—
    (i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
    (ii) any other processing by that person or another person of sensitive personal data so disclosed; and
  (b) is necessary for the purposes of preventing fraud or a particular kind of fraud.
(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.

8. (1) The processing is necessary for medical purposes and is undertaken by—
  (a) a health professional, or
  (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9. (1) The processing—
  (a) is of sensitive personal data consisting of information as to racial or ethnic origin,
  (b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
  (c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
(2) The [Secretary of State] may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

10. The personal data are processed in circumstances specified in an order made by the [Secretary of State] for the purposes of this paragraph”

Exemptions under the DPA

There is a long list of exemptions under the DPA, as every government department lined up during the drafting of the Bill to argue that their functions should be exempt from the provisions of the Bill. Some areas are obvious such as that for national security, criminal investigations and taxation. The exemption in respect of healthcare is in section 30(1) and reads as follows:

“The Secretary of State may by order exempt from the subject information provisions, or modify those provisions in relation to, personal data consisting of information as to the physical or mental health or condition of the data subject”

The Secretary of State has issued the Data Protection (Subject Access Modification) (Health) Order 2000 which applies to personal data consisting of information as to the physical or mental health or condition of the data subject. It provides under paragraph 5(1) as follows:

“Personal data to which this Order applies are exempt from section 7 in any case to the extent to which the application of that section would be likely to cause serious harm to the physical or mental health or condition of the data subject or any other person”

If the data controller is not a health professional there is a requirement to consult a health professional before the exemption is claimed under paragraph 5(2). There are also provisions which expressly prevent information relating to a child from being disclosed in response to a request by a parent if it has been:

“(a) provided by the data subject (the child) in the expectation that it would not be disclosed to the person making the request;
(b) obtained as a result of any examination or investigation to which the data subject (the child) consented in the expectation that the information would not be so disclosed; or
(c) which the data subject (the child) has expressly indicated should not be so disclosed”

The right to maintain the confidentiality of medical treatment provided to a child was recently upheld in Axon, R (on the application of) v Secretary of State for Health & Anor [2006] EWHC 37 (Admin) although interestingly there was no reference to the above order in the judgment. This case in turn followed the well known case of Gillick v West Norfolk and Wisbech Health Authority [1986] 1 AC 112.

The Order gives the same rights as a child to a data subject who is incapable of managing his own affairs, where the person making the request has been appointed by a court to manage those affairs.

Section 31 is an exemption for those engaged in regulatory activities. It states:

“(1) Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions”

The regulatory activities include “any relevant function which is designed for protecting members of the public against:
(i) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate,
(ii) financial loss due to the conduct of discharged or undischarged bankrupts, or
(iii) dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons authorised to carry on any profession or other activity”

Hence the GMC, GDC and other health regulators would potentially be within the scope of the section.

There are other exemptions in Schedule 7 which include confidential references. The paragraph states:

“Personal data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of—
(a) the education, training or employment, or prospective education, training or employment, of the data subject,
(b) the appointment, or prospective appointment, of the data subject to any office, or
(c) the provision, or prospective provision, by the data subject of any service”

The Data Protection Act sets up a system whereby the Information Commissioner regulates the release of data by data controllers. Any member of the public can appeal to the Information Commissioner about a failure to process information lawfully under section 42 which states:

“A request may be made to the Commissioner by or on behalf of any person who is, or believes himself to be, directly affected by any processing of personal data for an assessment as to whether it is likely or unlikely that the processing has been or is being carried out in compliance with the provisions of this Act”

The Information Commissioner can then seek information from the data controller and make a determination under section 45. It is a criminal offence to fail to comply with a ruling from the Information Commissioner under section 47. However the data controller has a right of appeal under section 48 to the Information Tribunal whose powers are set out in Schedule 6 and which operates under the Information Tribunal (Enforcement Appeals) Rules 2005.

The Information Tribunal, formerly known as the Data Protection Tribunal, hears appeals from notices issued by the Information Commissioner under:

• Freedom of Information Act 2000 (FOIA)
• Data Protection Act 1998 (DPA)
• The Privacy and Electronic Communications Regulation 2003 (PECR)
• The Environmental Information Regulations 2004 (EIR)

When a Minister of the Crown issues a certificate on grounds of national security, a special panel of the Information Tribunal called the National Security Appeals Panel (NSAP) manages and hears any appeals. Except for NSAP cases, a panel composed of the Chairman or a Deputy Chairman along with two Non Legal Members, all appointed by the Lord Chancellor, hears appeals at venues across the United Kingdom. The oral hearings are open to the public. Details can be found at http://www.informationtribunal.gov.uk.

The Act contains many “grey” areas where the judgment of the data controller is called upon before a decision needs to be made about whether to process information in a particular way under the Act. There is a limited amount of guidance from the Information Commissioner’s office, and some decisions of the Information Tribunal, which can be useful, although there is a tendency for the Information Commissioner to err on the side of retention of personal information (as well as erring on the side of disclosure of public information). However in the end it is often a case of “taking a view” on an unreported area. In taking such a view the structure of the Act, the principles under the Directive which underlies it and previous decisions in other areas are all relevant.

The Freedom of Information Act 2000.

The other major piece of legislation which governs information management is the Freedom of Information Act 2000 (FOIA). This Act was brought in to put the disclosure of official information by public bodies on a statutory footing. It has proved to be very helpful to journalists in extracting official information that public bodies would prefer to keep secret and has been a busy-bodies’ charter. However the extent to which it has changed the behaviour of government bodies and made them more open in their dealings with the public is probably unproven at this stage.

A White Paper was published by the new Labour government in 1998 called “Your Right to Know: The Government's proposals for a Freedom of Information Act”. The opening to that White Paper explained the reasoning as follows:

“Unnecessary secrecy in government leads to arrogance in governance and defective decision-making. The perception of excessive secrecy has become a corrosive influence in the decline of public confidence in government. Moreover, the climate of public opinion has changed: people expect much greater openness and accountability from government than they used to”

At the heart of the Act was a commitment that any member of the public was, subject to the exemptions under the Act, entitled to see any government document. This was explained as follows:

“2.6 This is at the heart of the Act. The Government sees it as taking the general form of a right, exercisable by any individual, company or other body to records or information of any date held by the public authority concerned in connection with its public functions.

"... by any individual, company or other body"

2.7 Anybody can apply for information. Applicants will not need to demonstrate or state their purpose in applying for information. All requests will be considered equally on their contents, not on the stated or presumed intentions of the applicant.

"... to records or information ..."”

However when the draft Freedom of Information Bill was eventually published many of the commitments made in the Bill had been substantially watered down by the Whitehall machine (and as the new government realised that making information open to the public could become a political liability for the incumbent government). The passage of the Bill was stormy and amendment after amendment was conceded to bring the Bill back to nearly the set of commitments in the White Paper. However the result was a Bill that is not easy to use because it has a complex architecture. The primary right is in section 1(1) which provides:

“(1) Any person making a request for information to a public authority is entitled—
(a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him”

Hence there are 2 separate rights here – the right to be told whether a government body has information and then to obtain copies of the information. Section 1(4) defines the extent of the duty as follows:

“The information—
(a) in respect of which the applicant is to be informed under subsection (1)(a), or
(b) which is to be communicated under subsection (1)(b),
is the information in question held at the time when the request is received, except that account may be taken of any amendment or deletion made between that time and the time when the information is to be communicated under subsection (1)(b), being an amendment or deletion that would have been made regardless of the receipt of the request”

Thus there is no duty to obtain information from other bodies or create information for the purpose of the Act.

Types of exemption under FOIA

There are two types of exemption under the Act – absolute exemptions and qualified exemptions. This comes from section 2(1) which provides:

“Where any provision of Part II states that the duty to confirm or deny does not arise in relation to any information, the effect of the provision is that where either—
(a) the provision confers absolute exemption, or
(b) in all the circumstances of the case, the public interest in maintaining the exclusion of the duty to confirm or deny outweighs the public interest in disclosing whether the public authority holds the information,
section 1(1)(a) does not apply”

Section 2(1)(b) contains the “public interest test”. It is clear that there is a presumption in the test in favour of disclosure because the duty to make the case for withholding the information in the public interest lies on the public body which is seeking to withhold the information. Section 2(3) then lists the absolute exemptions and by implication all others are qualified exemptions. These are:

• section 21: Information accessible to applicant by other means
• section 23: Information supplied by, or relating to, bodies dealing with security matters
• section 32: Court records, etc
• section 34: Parliamentary privilege
• section 36 so far as relating to information held by the House of Commons or the House of Lords: Information where the release would be prejudicial to effective conduct of public affairs
• section 40: Personal information (but see below)
• section 41: Information provided in confidence, and
• section 44: Other prohibitions on disclosure

Thus all other information held by public bodies is subject to a public interest test. This includes information which is subject to legal professional privilege. Section 16 places a duty on public bodies to help those who are trying to extract information from the public body in the following form:

“(1) It shall be the duty of a public authority to provide advice and assistance, so far as it would be reasonable to expect the authority to do so, to persons who propose to make, or have made, requests for information to it.
(2) Any public authority which, in relation to the provision of advice or assistance in any case, conforms with the code of practice under section 45 is to be taken to comply with the duty imposed by subsection (1) in relation to that case”

The appropriate limit and how to apply it.

There is a limit on what public authorities are required to do under FOIA. If the request is for a large amount of information, public bodies should consider if complying with the request would exceed the 'appropriate limit' of £600 for central government, Parliament and the armed forces or £450 for other public authorities under the fees regulations. If complying with a request would exceed the appropriate limit, public bodies can refuse the request. However, they should help the requester to try to narrow or refine the request. As an alternative public bodies can also consider charging. If complying with the request would exceed the appropriate limit (so public bodies do not have a duty to provide the information) they can still charge for, for example, the costs of photocopying, printing and posting 2.

The activities that public bodies should assess when assessing whether the appropriate limit will be exceeded are limited to those that an authority can reasonably expect to incur in:

• determining whether it holds the information requested
• locating the information or documents containing the information
• retrieving such information or documents
• extracting the information from the document containing it (including editing or redacting information)

£25 is the standard hourly rate that all authorities must use to calculate the staff costs of answering requests.

2 Taken from the government guide at http://www.justice.gov.uk/guidance/foi-step-by-step.htm

Vexatious and Repeated Requests

Section 14 provides for vexatious requests. It states:

“(1) Section 1(1) does not oblige a public authority to comply with a request for information if the request is vexatious.
(2) Where a public authority has previously complied with a request for information which was made by any person, it is not obliged to comply with a subsequent identical or substantially similar request from that person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request”

The Ministry of Justice Guide states that a request may be vexatious if it seeks information of a frivolous nature, if it is likely to cause distress or irritation without justification or if it is aimed at disrupting the work of an authority or harassing individuals in it. A repeated request, that is one which is identical or substantially similar to a previous request from the same person (with which the public authority has complied), may be refused under section 14, unless a reasonable interval has elapsed between it and the previous response.

Whether a request is vexatious is determined by the information requested, not the person making the request. An individual can make as many requests for information as he or she wishes. Each of their requests must be considered on a case-by-case basis (although it may be appropriate to reject substantially similar requests under section 14(2)). Vexatiousness needs to be assessed with reference to all the circumstances of an individual case. However, if a request is not a genuine endeavour to access information for its own sake, but is aimed at disrupting the work of an authority, or harassing individuals in it, then it may well be vexatious.

The Information Tribunal has found that the history and context of a request are important in assessing if it is vexatious, taking account of such matters as:

• the requester already being in possession of the information requested
• the use of tendentious language, suggesting that the requester's true purpose is to argue rather than to seek information
• the requester seeking to reopen issues already visited
• the lack of justification for a request likely to cause distress or irritation. (A distinction was drawn between unjustified distress or irritation caused by a vexatious freedom of information request and the justified distress or irritation which might be caused by the issue of a parking ticket.)

The Tribunal found that a request that on its face is reasonable but forms part of a wider trend of vexatious behaviour can be vexatious. The Information Commissioner's Office has also issued guidance on vexatious requests. It agrees that history and context are important and it has published a set of criteria that form a suggested general approach. This is contained in the ICO freedom of information 'Awareness Guidance 22: Vexatious and repeated requests'.

Making a decision on whether to release the information.

Information is required to be released within 20 working days of the request unless an exemption in the Freedom of Information Act applies, for example if:

• any of the information is personal information
• the information is now, or will soon be publicly available
• any of the other exemptions in the Act apply - for example, for reasons relating to defence, the economy or the effective conduct of public affairs

Some of these exemptions are absolute exemptions. This means that if information is covered by the exemption in question you are not required to release it (and, in some cases, are not permitted to release it). Other exemptions are subject to the public interest test. If the information in question falls under such an exemption, you must consider whether the public interest factors in favour of withholding the information outweigh those in favour of release. If they do not, you must release the information; if they do, you must release it. The Ministry Guide sets out some working assumptions 3 but this is Guidance and must be treated with some care.

3 http://www.justice.gov.uk/guidance/foi-assumptions.htm

Personal Data under the DPA

The section on Personal Data requires a little analysis. It starts with section 40(1) which provides:

“Any information to which a request for information relates is exempt information if it constitutes personal data of which the applicant is the data subject”

Hence the applicant must apply under the DPA (where there is a fee) and not the FOIA (where data is free) for information about themselves. The interaction between the 2 Acts is shown in sections 40(2) and (3) of FOIA which provide:

(2) Any information to which a request for information relates is also exempt information if—
(a) it constitutes personal data which do not fall within subsection (1), and
(b) either the first or the second condition below is satisfied.
(3) The first condition is—
(a) in a case where the information falls within any of paragraphs (a) to (d) of the definition of “data” in section 1(1) of the Data Protection Act 1998, that the disclosure of the information to a member of the public otherwise than under this Act would contravene—
(i) any of the data protection principles, or
(ii) section 10 of that Act (right to prevent processing likely to cause damage or distress), and
(b) in any other case, that the disclosure of the information to a member of the public otherwise than under this Act would contravene any of the data protection principles if the exemptions in section 33A(1) of the Data Protection Act 1998 (which relate to manual data held by public authorities) were disregarded.
(4) The second condition is that by virtue of any provision of Part IV of the Data Protection Act 1998 the information is exempt from section 7(1)(c) of that Act (data subject’s right of access to personal data).

The definition of data is at page 6 above. The key issue here is that if a public body holds personal data about an individual where the concept of personal data is defined by the DPA, there is an exemption from disclosure under FOIA. However it is only an absolute exemption under FOIA in respect of personal information of which the individual is the data subject or “under subsection (2) so far as relating to cases where the first condition referred to in that subsection is satisfied by virtue of subsection (3)(a)(i) or (b) of that section”

The ICO has published Guidance about these confusing sections 4 which looks at what is considered “fair” for the processing of personal data held by public bodies. It states:

“The concept of “fairness” is harder to define, although in practice it ought not to be difficult to judge whether it would be unfair to someone to pass on their information without consent. The sorts of questions which should be asked include:

• Would the disclosure cause unnecessary or unjustified distress or damage to the person who the information is about?
• Would the third party expect that his or her information might be disclosed to others? Is disclosure incompatible with the purposes for which it was obtained?
• Had the person been led to believe that his or her information would be kept secret?
• Has the third party expressly refused consent to disclosure of the information?
• Does the legitimate interest of a member of the public seeking information about a public authority, including personal information, outweigh the rights, freedoms and legitimate interests of the data subject?”

4 http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/awareness_guidance%20_1_%20personal_information_v2.pdf

This Guidance looks at the hard issues of what can be disclosed about public officials and advises:

“An issue which will often arise is whether the Data Protection Act prevents the disclosure of information about members of staff. Applying the criteria suggested above, if the information requested consists of job functions, grades or decisions which they have made in their official capacities, then disclosure would normally be made. On the other hand, information such as home addresses or internal disciplinary matters would not normally be disclosed. While it would be wrong to disclose bank account details of staff, it would be unlikely to be unfair to publish details of expenses incurred in the course of official business, information about pay bands, or, in the case of senior staff, details of salaries and other benefits. While this information clearly does relate to staff personally, there is a strong public interest in provision of information about how a public authority has spent public money”

There are a host of other specific exemptions which we can of course discuss in detail at a later stage but I hope that this provides an overview of information governance.

David Lock – 21st August 2008 No5 Chambers 0870 203 5555 [email protected] www.no5.com
