Freedom of Information (FOI) and Data Protection: Balancing Transparency with Privacy


In today’s data-driven world, the need for transparency and accountability in government and public bodies is more important than ever. The Freedom of Information (FOI) Act plays a crucial role in ensuring that citizens have access to information held by public authorities. However, in a time where data protection is a growing concern, there’s a delicate balance to be struck between promoting openness and safeguarding personal privacy. This blog post explores the intersection of FOI and data protection, highlighting how these two principles work together—and sometimes conflict—in the digital age.

What is the Freedom of Information (FOI) Act?

The Freedom of Information Act (FOI) grants the public the right to access records and documents held by government institutions and public bodies. In essence, it is a tool for ensuring government transparency, allowing citizens to request data such as policy documents, internal reports, emails, and other forms of communication between public bodies. FOI laws are designed to promote openness, encourage citizen participation in government affairs, and hold public authorities accountable for their actions.

However, the right to access information is not absolute. Governments and public bodies can withhold certain information based on exemptions—for example, national security, commercial confidentiality, or personal privacy.

The FOI Act applies to most public bodies but does not apply to private organisations.

What is Data Protection?

Data protection refers to the laws, policies, and practices designed to safeguard personal information from misuse, unauthorised access, or loss, and to give data subjects more control over their data through enforcement of their rights. It’s the legal framework that governs how personal data is collected, processed, stored, and shared. Key principles of data protection include transparency, fairness, data minimisation, and the right to access and correct personal data.

In the UK, data protection laws are governed by regulation such as the Data Protection Act (2018) (DPA). This regulation grants individuals rights over their personal data, including the right to access, rectify, and delete their information.

FOI and Data Protection: The Conflict

At first glance, FOI and data protection might seem to be two sides of the same coin. However, one promotes information transparency while the other protects privacy, so naturally there are instances where the two principles come into conflict.

  • Public Right to Know vs. Personal Privacy: FOI laws empower the public to access documents and records that may contain personal information about individuals. This could include private correspondence, medical records, or data related to law enforcement investigations. On the other hand, data protection laws aim to protect personal data from being disclosed unlawfully. In cases where the information requested under FOI contains personal data, public authorities must carefully consider whether disclosing this information violates an individual’s rights.
  • Exemptions and Redactions: One way public bodies balance the right to access information and the need to protect personal privacy is by applying exemptions or redactions. For example, under the DPA, personal data can be withheld or redacted if it can be linked to individuals. FOI requests involving personal information might lead to the redaction of names, addresses, or other identifiers whose release could infringe on the data subjects’ rights.
  • Sensitive Data: A higher-risk point of contention arises with the disclosure of sensitive data, which could include health, financial, or legal information. In these cases, both FOI and data protection laws impose restrictions. While FOI laws may allow the release of certain government-held records, again, data protection regulations prohibit disclosure if the data is sensitive and could cause harm to individuals.

Key Principles for Balancing FOI and Data Protection

To navigate the intersection of FOI and data protection, several principles and practices come into play:

  1. Assessing the Public Interest: One of the key tenets of FOI is that there is often a public interest in disclosing information, especially regarding government decision-making, spending, or policies. When FOI requests are made, public bodies must weigh the public interest in disclosing the information against the rights of the individuals whose data may be contained in those records. If the disclosure serves a legitimate public interest (e.g., uncovering corruption, holding the government accountable), it may override individual privacy concerns.
  2. Redaction of Personal Data: If a requested document contains personal data, public authorities may redact or anonymize certain information to protect privacy while still releasing the rest of the document. This ensures that the public’s right to access information is preserved, while personal privacy is safeguarded.
  3. Balancing Exemptions: Both FOI and data protection laws include exemptions for specific situations. For example, while FOI allows for the withholding of information for reasons like national security or legal privilege, data protection laws may allow the withholding of personal data if its disclosure would infringe on an individual’s privacy rights. Public bodies must carefully navigate these exemptions to ensure they are complying with both sets of laws.
  4. Processing Data Requests Responsibly: Under data protection laws, public bodies are required to process personal data fairly and lawfully. This includes ensuring that any information disclosed under FOI requests does not violate data protection principles. Authorities must also be transparent about the data they hold and provide individuals with the ability to access their personal information if requested, subject to the FOI and data protection rules.

Real-World Examples of FOI and Data Protection in Action

  1. Health Data: A typical example of where FOI and data protection intersect is the release of health-related information. While FOI requests might be made for public health data or medical research records, the data protection rights of individuals must be considered to ensure that personal health details are not disclosed without consent.
  2. Government Transparency vs. Privacy: FOI has been used by journalists and activists to expose government spending, decision-making, and accountability. However, disclosed material such as internal emails or documents may sometimes contain personal details of individuals, such as public servants’ personal contact information, requiring redaction under data protection laws.
  3. Legal and Investigative Records: FOI requests involving legal documents or investigative records often contain personal details related to individuals involved in legal proceedings. Public authorities may have to withhold certain details to protect the privacy and rights of those individuals, even when the release of other aspects of the document serves the public interest.

Conclusion: Striking the Right Balance

The relationship between the Freedom of Information (FOI) Act and data protection is complex, but crucial to maintaining a just and democratic society. While FOI ensures transparency and accountability in public bodies, data protection laws safeguard individuals’ privacy and personal rights. Public authorities must strike a careful balance between these two principles, ensuring that personal data is protected while upholding the public’s right to access information.

The tools available for balancing an FOI request are applying exemptions and redacting personal details. Ideally, this will be the default approach, but in the unlikely event that personal data must be disclosed, the most appropriate lawful basis for this is ‘public interest’. Data protection law requires that public interest is documented and justified. Following this approach allows public sector bodies to handle FOI requests responsibly, so that both transparency and privacy are respected in the digital age.

Ultimately, the goal is to empower citizens to hold public bodies accountable while respecting the rights of individuals, making sure both transparency and privacy coexist in harmony. 

ProvePrivacy allows organisations to manage FOI requests, helping in the management of the process and maintaining a clear record of actions taken to respond to the request.  Get in touch today to see how ProvePrivacy can help your organisation manage, evidence and report on FOI requests.
