Implementation Issues
There is no doubt that there is an important link between FOI(S)A 2002 and the DPA and section 38 is drafted in such a way as to ensure the rights under DPA are not interfered with. Any section 38 exemption will have to be carefully applied as, in certain cases, there will be a overlap of rights of an individual under DPA and a public authority’s duty to disclose information under FOI(S)A 2002. Public authorities will have to ensure that they look carefully at the individual requesting personal data as there are a number of different scenarios which could occur:
1. If the request is for personal data about the individual the request is a subject access request and must be considered under the terms of the DPA.
2. If the request is for personal data about a third party but the individual is acting on behalf of the data subject this is also a subject access request and must be considered under the terms of the DPA.
3. If the request is for personal data about a third party but is not on behalf of the data subject this is a freedom of information request and must be considered under the terms of the FOI(S)A 2002.
It is important to remember that it is the OIC based in Wilmslow, England who is responsible for the promotion and enforcement of the DPA even if the request is made within Scotland. There is some concern about the difficulties which may arise should the Scottish Information Commissioner determine that information should be released under the FOI(S)A 2002 but the OIC rules that disclosure would be a breach of the Data Protection Principles. In order to try and limit the difficulties which may arise over time the Scottish Information Commissioner and the Information Commissioner have signed a Memorandum of Understanding (‘MOU’) setting out the relationship between the parties in relation to freedom of information legislation. The intention is that the parties will co-operate with and provide assistance to each other in performance of their respective duties. A copy of the MOU is available on the SIC website at www.itspublicknowledge.info
Should an individual make a request under the FOI(S)A for information which is personal information of which the applicant is the subject, the information is exempt from release under that Act. 15 Should a public authority decide to apply the exemption they are required to send the applicant a refusal notice. 16
A further complication may exist where an individual seeks information about themselves which does not fall under the definition of ‘personal data’ and cannot be considered a subject access request under the DPA. Although the Freedom of Information (Scotland) Act 2002 (Consequential Modifications) Order 2004 (detailed above) extends the definition of personal data in the DPA to include all recorded information held by a public authority, given the judgement in the Durant case (also mentioned above), there may be a limited amount of information which a data subject cannot access under the DPA but can access under FOI(S)A. Public authorities should make certain that applicants’ rights under both FOI legislation and the DPA are complied with and information is released when individuals are entitled to receive it. It is essential to remember that all requests for information which are made in writing and which include a name and address for correspondence should be treated as requests under the Freedom of Information (Scotland) Act 2002 even if the DPA is specifically mentioned in the request. If the information is exempt under section 38(1)(a) of FOISA, then a refusal notice should be issued to the applicant. However, the public authority should then go on to treat the request as a subject access request in the normal way.
Charging for personal information which is outwith the DPA definition.
A final complication comes when a Scottish public authority have to deal with a request for ‘unstructured personal data’ which they hold. This type of information, although dealt with under the DPA, is charged using the UK fees regulations 17 which govern the Freedom of Information Act 2000. This means that Scottish public authorities need to be aware of the UK Fees Regulations as they will need to apply them in these circumstances. The reason for this, slightly confusing difference is that it is appreciated that unstructured personal data may be very difficult to find and allows authorities to refuse to provide the information if the cost of doing so goes beyond the ‘appropriate limit’ set in the Regulations.
Footnotes
15 FOI(S)A 2002, s38(1)(a).
16 FOI(S)A 2002, s16.
17 The Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004.