Brodies TechBlog

Yesterday I attended a very interesting seminar at the University of Dundee’s Centre for Freedom of Information.

The topic under consideration was the interaction between freedom of information and data protection legislation, and in particular how the law seeks to balance the “right to know” (the basic premise of freedom of information) and the privacy rights of the individual.

Christine O’Neill, Head of Brodies’ Public Sector Services Group, gave an excellent presentation on key case law to date, looking at where the law stands following the House of Lords’ decision last July in the case of Common Services Agency v Scottish Information Commissioner.

There was general consensus that the law in the UK on this issue is badly in need of clarification, in particular given the importance of the competing interests at stake.  The interaction between freedom of information and data protection legislation relies heavily on how we define “personal data” – the personal information to which data protection legislation applies. Broadly speaking, personal data is any information about a living individual from which that individual can be identified. However the decision in the CSA case (which dealt with statistical information about the incidence of childhood leukaemia in Dumfries and Galloway) has left information lawyers struggling to understand precisely how the “identifiable” element of the statutory definition should be interpreted, in particular in cases where an organisation tries to anonymise personal information in order to permit its release.

Comments from David Banisar of Privacy International supported a general view that the problems currently being encountered in the UK, in seeking to reconcile these two bodies of legislation, stem mainly from the wording of the UK’s Data Protection Act 1998. Many other jurisdictions around the world have both freedom of information and data protection legislation, but appear to have succeeded in achieving a smoother and more effective interaction between the two regimes than we have to date.

More developments are in the pipeline, with the Scottish Information Commissioner preparing to give his further decision on the CSA case in the coming months and another case (this time on the incidence of registered sex offenders living in certain postcode sectors) heading to the Court of Session.  This looks set to present more difficult issues, both from a policy and a technical, legal perspective.

Ultimately, it is looking increasingly likely that a satisfactory level of clarity will be achieved only through suitable amendments to the DPA. However, any light which further case law can shed on the issue in the meantime would be very welcome indeed.