What is the connection between FOI and data protection?
The right to access information about the activities of public authorities is established under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). Under FOIA and EIR, public bodies are required to disclose requested information unless there is a good reason for it being withheld. At the same time, the legal framework governing how organisations can collect, store and use personal information is provided by the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).
Understanding the relationship between information access and data protection laws is vital for public sector information management. Public authorities often receive requests for personal data belonging to individuals other than the requester—referred to as third-party data under Section 40 of the FOIA and Regulation 13 of the EIRs. To comply with UK data protection laws, information access professionals must follow the correct process to ensure that any personal data of third parties is either released or withheld appropriately. In many situations, the processing would likely not be lawful, fair, or transparent under Article 5(1)(a) of the GDPR without the consent of the other parties.
In reality, the risk of personal data breaches arising from FOI responses remains a significant concern. In 2023, a string of incidents revealed that spreadsheets containing hidden personal data of third parties were released through the FOI information-gathering processes.
Course Overview:
This detailed one-day course is intended for individuals with prior experience working with FOIA and EIR requests. The course explores the connections between third-party personal data requests under Section 40 of the Freedom of Information Act 2000 (FOIA) and Article 5(1)(a) of the UK General Data Protection Regulation (GDPR), along with considering how to identify the appropriate legislation to apply.
The course also provides clarity and guidance concerning what information can be released and looks at measures to prevent hidden data from inadvertently being released on request.
Course Contents:
- Right of Access
- The Freedom of Information Act 2000 (FOIA) principles and scope
- Section 84 of the FOIA:
- Held information
- Not Held by a public authority
- Restricted disclosures
- Information and personal data
- Requests for third-party personal data vs. subject access requests (SARs) under UK General Data Protection Regulation (GDPR)
- Privacy responsibilities for datasets under FOI and EIR
- Data Protection Act 2018 (DPA18) amendments to FOIA
- Section 40 FOIA: Third-party data:
- Absolute exemptions
- The Prejudice (Harm) test
- The Public Interest Test
- Third party-data
- Legitimate Interest and Legitimate Interest Assessments (LIAs)
- Datasets and hidden third-party personal data
- ICO warning against using spreadsheets
- CSV files, pivot tables, macros and equations