Daradjeet Jagpal: FOI and the GDPR – Uncomfortable Bedfellows?
RSLs up and down the country are working hard to ensure that they are ready for freedom of information (FOI) for 11 November 2019. The interface between FOI and the General Data Protection Regulation (GDPR) is an issue that is likely to come up frequently for RSLs when handling and responding to FOI requests involving personal data. In the first of a series of articles, Daradjeet Jagpal examines the interface and outlines some of the issues for RSLs.
I have spent a fair proportion of my time over the last 7 months discussing FOI with RSLs and working with them on their preparations. One of the issues that has come up over and over again is the link – or rather the inevitable conflict – between FOI and the GDPR. While some may have hoped that the GDPR was done and dusted in May 2018, the GDPR continues to remain relevant in the FOI world that RSLs are now about to enter.
The application of the GDPR is triggered in two new situations for RSLs as bodies subject to FOI. The first is when an FOI request involves disclosure of personal data relating to individuals other than the applicant i.e. third party personal data (the “FOI perspective”). The second is when an RSL receives a subject access request under the GDPR after the FOI “go live” date (the “GDPR perspective”).
Similar GDPR interface provisions exist within the Environmental Information (Scotland) Regulations 2004, which relate to access to environmental information, and which have applied to RSLs since June 2014. The present article only focuses on FOI and the GDPR, as being the most topical for RSLs at the time of writing.
Interface between FOI and the GDPR: the FOI perspective
These are the provisions within the Freedom of Information (Scotland) Act 2002 (FOISA) that seek to resolve the conflict between FOI and the GDPR. FOI is about access to information, while the GDPR concerns protection of personal data. While the two might appear to be irreconcilable, the reality is that the interface between them is dealt with admirably within the FOI personal data exemptions.
There are two absolute exemptions and two non-absolute exemptions (which involve examination of the public interest test before the non-absolute exemptions can be relied upon).
The first absolute exemption applies where an applicant makes an FOI request for access to their own personal data (due mainly to confusion on the part of the applicant as to the scope of FOI). This request must be processed as a subject access request under the GDPR and not an FOI request. It must be refused under FOI and handled and responded to in terms of the GDPR.
The second absolute exemption is where an applicant makes an FOI request which involves the disclosure of third party personal data. Broadly, third party personal data is exempt from disclosure where to disclose it would breach the data protection principles contained within the GDPR, particularly the first principle requiring personal data to be processed lawfully, fairly and transparently.
The two non-absolute exemptions are much more complex and highly unlikely to arise in practice, which is confirmed by a review of the Scottish Information Commissioner’s decisions.
The first is when third party personal data is exempt from disclosure to the applicant where it would also be exempt from disclosure to the third party if they made a GDPR subject access request for it (the subject access exemptions are principally contained within the Data Protection Act 2018 (DPA 2018), which supplements the GDPR in the UK).
The second is when third party personal data is exempt from disclosure to the applicant where disclosure would be inconsistent with that third party’s right to object under the GDPR (which has been exercised by the third party either before or after receipt of the FOI request).
The non-absolute exemptions are complex, involving an intertwining understanding and command of some of the most difficult data protection and access to information law. This is further exacerbated by the application of the public interest test. In my view, it would be a brave RSL indeed who would weigh the public interest balance in favour of disclosure at the expense of a third party’s GDPR rights.
Interface between FOI and the GDPR: the GDPR perspective
This is the aspect of the interface that is seldom considered but is fundamentally important when it comes to RSLs dealing with GDPR subject access requests in the post FOI world.
At the moment, if an RSL receives such a request from an individual for access to their personal data held by it, the RSL must undertake a search across its electronic and paper filing systems for personal data relevant to the request. Paper filing systems are paper files in which papers are organised in a structured manner and within which personal data is accessible according to specific criteria i.e. paper “house files” held by RSLs in which personal data is filed by category.
However, post FOI, particular elements of the DPA 2018 are triggered for RSLs. The result is that in handling subject access requests, RSLs must also consider personal data contained within their manual unstructured files. This covers any personal data that is not contained within the above structured paper filing systems and includes loose-leaf papers (that will not eventually find their way into the structured paper filing system), staff notebook entries and even the sunflower array of post-it notes customarily attached to staff computer monitors, containing individuals’ names and contact telephone numbers.
There are certain parameters around access to personal data within manual unstructured files, such as that the individual must describe the personal data contained within the files before access can be provided. Also, the FOI fee arrangements, and not those contained within the GDPR, apply when calculating the fee to access this personal data within manual unstructured files. Access may therefore be refused if the cost of complying with the request would exceed the “appropriate maximum”.
Uncomfortable bedfellows?
In my experience, the interface between FOI and the GDPR is complex but is resolved seamlessly via the provisions within FOISA and the DPA 2018. They are not uncomfortable bedfellows and can cohabit in relative ease.
RSLs would be best advised to develop their understanding of the interface with a view to being prepared for FOI requests for third party personal data concerning their staff, service users and others and to undertake more thorough searches of a broader range of paper records when handling GDPR subject access requests.
Daradjeet Jagpal (daradjeet@infolawsolutions.co.uk) is legal consultant and director of Information Law Solutions, an independent consultancy providing advisory, training and audit services in Data Protection and Freedom of Information and a leading provider of outsourced Data Protection Officer (DPO) services to RSLs in Scotland (www.infolawsolutions.co.uk).