Right to Information and Privacy.pdf

Access to InformationProgram The Right to Information

and Privacy: Balancing Rights and Managing Conflicts

David Banisar

Canadian InternationalDevelopment Agency

Agence canadiennedeveloppment internationalThe World Bank

World Bank Institute

GOVERNANCE WORKING PAPER SERIES

WORKING PAPER

The Right to Informationand Privacy: BalancingRights and ManagingConflicts

David Banisar*

* David Banisar is senior legal counsel for Article 19, the Global Campaign for Free Expression, in London, UK. He isalso a nonresident fellow at the Center for Internet and Society at Stanford Law School, Stanford, CA. Previously, hewas the director of the Freedom of Information Project of Privacy International in London; a research fellow at theKennedy School of Government at Harvard University, Cambridge, MA; and a cofounder and policy director of theElectronic Privacy Information Center in Washington, DC. He has served as an adviser and consultant to numerous or-ganizations, including the Council of Europe, the Organisation for Economic Co-operation and Development, and theUnited Nations Development Programme.

2011 The International Bank for Reconstruction and Development / The World Bank1818 H Street NWWashington DC 20433Telephone: 202-473-1000Internet: www.worldbank.orgE-mail: [email protected]

All rights reserved

The findings, interpretations, and conclusions expressed in this volume do not necessarily re-flect the views of the Canadian International Development Agency (CIDA), the governmentof Canada, executive directors of the World Bank, or the governments those directors repre-sent. The World Bank does not guarantee the accuracy of the data included in this work.

This report has been commissioned by the Access to Information (ATI) Program at the WorldBank Institute (WBI) and supported financially by the CIDA-WBI Governance Program.

The WBI Access to Information Program seeks to connect key ATI stakeholders tojointly identify, prioritize, and implement actions for effective ATI adoption and implemen-tation. The program aims to improve in-country capacity for the formulation, implementa-tion, use, and enforcement of ATI legislation through regional knowledge exchange and net-working, and by fostering the capacity of multistakeholder coalitions to undertake effectiveATI reforms.

iii

Contents

Acknowledgments.......................................................................................v

Acronyms and Abbreviations......................................................................vii

Executive Summary ....................................................................................1

1. Introduction ..........................................................................................3

2. Rights Defined.......................................................................................5

2.1 The Right to Information...................................................................................5

2.2 The Right to Privacy ..........................................................................................6

3. Complements and Conflicts in RTI and Privacy Laws ...............................9

3.1 Complementary Roles of RTI and Privacy .........................................................9

3.2 Conflicts between RTI and Privacy Interests .....................................................12

3.3 Balancing the Rights of Access and Privacy .......................................................16

4. Legislation ...........................................................................................17

4.1 Model 1A Single RTI and Privacy Law .........................................................17

4.2 Model 2Separate RTI and Privacy Laws: Managing Conflicts.........................18

5. Oversight.............................................................................................23

5.1 Two BodiesSeparate RTI and Privacy Commissions.......................................23

5.2 One BodyA Single RTI and Privacy Commission .........................................24

6. Case Studies.........................................................................................27

6.1 Ireland...............................................................................................................27

6.2 Mexico .............................................................................................................28

6.3 Slovenia.............................................................................................................29

6.4 United Kingdom...............................................................................................30

7. Conclusion ..........................................................................................33

Endnotes ..................................................................................................35

References ................................................................................................39

Boxes

3.1 Using Publicly Available Personal Information to Fight Fraud............................14

4.1 Elements to Determine Fairness ........................................................................20

Figure

3.1 Complement and Conflict of Privacy and the Right to Information....................9

Contentsiv

I would like to thank Heather Brooke, BojanBugaric, Elizabeth Dolan, Maurice Frankel,Juan Pablo Guerrero Amparn, KatherineGunderson, Gus Hosein, Jose Luis Marzal,Natasa Pirc Musar, Maeve McDonagh, LinaOrnelas Nuez, Graham Smith, and NigelWaters for providing information and advice;

and peer reviewers Alvaro Herrero, MariaMarvn Laborde, and Andrea Ruiz for theircomments. I would also like to thank mycolleagues at Article 19; and the World BankInstitutes Marcos Mendiburu, AranzazuGuillan-Montero, and Luis Esquivel for theirassistance.

v

Acknowledgments

vii

Acronymsand Abbreviations

ACHPR African Commission on Human and Peoples Rights

ACLU American Civil Liberties Union

APEC Asia-Pacific Economic Cooperation

ATIP access to information and privacy

CCPR United Nations Covenant on Civil and Political Rights

CSA Canadian Standards Association International

DCMS Department for Culture, Media, and Sport

DPA Data Protection Act

EC European Commission

ECHR European Convention for the Protection of Human Rights and Fundamental Freedoms

ECOWAS Economic Community of West African States

EFF Electronic Frontier Foundation

EHRR European Human Rights Report

EO European Ombudsman

EPIC Electronic Privacy Information Center

ETS European Treaty Series

EU European Union

EUECJ Court of Justice for the European Communities

EWHC High Court of England and Wales

FOI freedom of information

FOIA Freedom of Information Act

IACHR Inter-American Commission on Human Rights

ICO Information Commissioners Office

IFAI Instituto Federal de Acceso a la Informacin y Proteccin de Datos

MP member of parliament

NJSBA New Jersey State Bar Association

NZLC New Zealand Law Commission

OAS Organization of American States

ODNI Office of the Director of National Intelligence

OECD Organisation for Economic Co-operation and Development

OSCE Organization for Security and Co-operation in Europe

PI Privacy International

RCMP Royal Canadian Mounted Police

RTI right to information

UDHR Universal Declaration of Human Rights

UKHL United Kingdom House of Lords

UN United Nations

UNHRC United Nations Human Rights Council

USC United States Code

USDA United States Department of Agriculture

Acronyms and Abbreviationsviii

The right to privacy and the right to infor-mation are both essential human rights in themodern information society. For the mostpart, these two rights complement each oth-er in holding governments accountable toindividuals. But there is a potential conflictbetween these rights when there is a demandfor access to personal information held by

government bodies. Where the two rightsoverlap, states need to develop mechanismsfor identifying core issues to limit conflictsand for balancing the rights. This paper ex-amines legislative and structural means tobetter define and balance the rights to priva-cy and information.

Executive Summary

1

Introduction

1

3

In the words of Michel Gentot (n.d.) duringhis term as president of the French NationalData Processing and Liberties Commission,freedom of information and data protectionare two forms of protection against theLeviathan state that have the aim of restoringthe balance between the citizen and the state(p. 1).

On first inspection, it would appear thatthe right of access to information and theright to protection of personal privacy are ir-reconcilable.1 Right to information (RTI)laws provide a fundamental right for any per-son to access information held by govern-ment bodies. At the same time, right to pri-vacy laws grant individuals a fundamentalright to control the collection of, access to,and use of personal information about themthat is held by governments and private bod-ies. However, the reality is more complex.Privacy and RTI are often described as twosides of the same coinmainly acting ascomplementary rights that promote individ-uals rights to protect themselves and to pro-mote government accountability.

The relationship between privacy andRTI laws is currently the subject of consid-erable debate around the globe as countriesare increasingly adopting these types of leg-

islation.To date, more than 50 countries haveadopted both laws.

Privacy is increasingly being challengedby new technologies and practices. The tech-nologies facilitate the growing collection andsharing of personal information. Sensitivepersonal data (including biometrics andDNA makeup) are now collected and usedroutinely. Public records are being disclosedover the Internet. In response to this set ofcircumstances, more than 60 countries haveadopted comprehensive laws that give indi-viduals some control over the collection anduse of these data by public and private bod-ies. Several major international conventionshave long been in place in Europe, and newones are emerging in Africa and Asia.

At the same time, the publics right to in-formation is becoming widely accepted. RTIlaws are now common around the world,with legislation adopted in almost 90 coun-tries. Access to information is being facilitatedthrough new information and communica-tions technologies, and Web sites containingsearchable government records are becomingeven more widely available. Internationalbodies are developing conventions, and rele-vant decisions are being issued by interna-tional courts.

4 The Right to Information and Privacy: Balancing Rights and Managing Conflicts

Availability, legislation, and judicial deci-sions have led to many debates about rulesgoverning access to personal informationthat is held by public bodies. As equal humanrights, neither privacy nor access takes prece-dence over the other. Thus it is necessary toconsider how to adopt and implement thetwo rights and the laws that govern them ina manner that respects both rights. There isno easy way to do this, and both rights must

be considered in a manner that is equal andbalanced.

This paper will examine the two rightsand the conflicts that arise, and will describeinstitutional models to ensure the exercise ofboth rights. It will present short case studiesfrom four countries (Ireland, Mexico, Slove-nia, and the United Kingdom) that haveadopted different models for addressing theconflicts, describing how those models work.

52

Rights Defined

2.1 The Right toInformation

The right of access to information held bygovernment bodies (RTI) provides that indi-viduals have a basic human right to demandinformation held by government bodies. Itderives from the right of freedom of expres-sion to seek and receive information,2 andis recognized worldwide as a human right.3

Under this right, any person may make a re-quest to a public body; the body is legally re-quired to respond and provide the informa-tion, unless there is a legally compellingreason to refuse the request.

The RTI is a requisite for the very exer-cise of democracy (OAS 2003).4 Democra-cy is based on the consent of the citizens, andthat consent turns on the government in-forming citizens about its activities and rec-ognizing their right to participate. The col-lection of information by governments isdone on behalf of its citizens, and the publicis only truly able to participate in the demo-cratic process when it has information aboutthe activities and policies of the government.5

The RTI is also an important tool forcountering abuses, mismanagement, and cor-ruption and for enforcing essential economicand social rights. Civic activists in Rajasthan,

India, have used it to ensure that the poor getthe food they are entitled to receive fromcorrupt food distributors (Calland and Tilley2002), and an angry mother in Thailand usedit in her efforts to learn why her daughterwas not allowed into a top-quality school(Coronel 2001). It also is commonly used byenvironment-focused nongovernmental or-ganizations to reveal pollution dangers incommunities.

The right is typically recognized at thenational level through constitutional provi-sions and national laws. Some of this legisla-tion has existed for more than 200 years. Sec-tion 6 of the Swedish Freedom of the PressAct (adopted in 1766) set the principle thatgovernment records were open to the publicby default and granted citizens the right todemand documents from government bod-ies. The 1789 French Declaration of theRights of Man called for information aboutthe budget to be made freely available: Allthe citizens have a right to decide, either per-sonally or by their representatives, as to thenecessity of the public contribution; to grantthis freely; to know to what uses it is put.Most nations have adopted laws in the past20 years.

Today, nearly 90 countries around theworld have adopted a national law or regula-tion that sets out specific rights and duties for


facilitating access to information (see Banisar[2006]).6 The following elements are typical-ly found in national RTI laws:

A right of an individual, organization, orlegal entity to demand information frompublic bodies, without having to show alegal interest in that information.

A duty of the relevant body to respondand provide the information. This includesmechanisms for handling requests andtime limits for responding to requests.

Exemptions to allow the withholding ofcertain categories of information. Theseexemptions include the protection of na-tional security and international relations,personal privacy, commercial confiden-tiality, law enforcement and public order,information received in confidence, andinternal discussions. Exemptions typicallyrequire that some harm to the interestmust be shown before the material can bewithheld.

Internal appeals mechanisms for request -ors to challenge the withholding of infor-mation.

Mechanisms for external review of thewithholding of information.This includessetting up an external body or referringcases to an existing ombudsman or to thecourt system.

Requirement for government bodies toaffirmatively publish some types of infor-mation about their structures, rules, andactivities.This is often done using infor-mation and communications technologies.

2.2 The Right to Privacy

Privacy is a broad concept relating to theprotection of individual autonomy and therelationship between an individual and soci-

ety (including governments, companies, andother individuals). Privacy is considered es-sential in protecting an individuals ability todevelop ideas and personal relationships. Al-though it is often summarized as the rightto be left alone, it encompasses a wide rangeof rightsincluding protection from intru-sions into family and home life, control ofsexual and reproductive rights, and commu-nications secrecy.7 It is commonly recog-nized as a core right that underpins humandignity and such other values as freedom ofassociation and freedom of speech.8

The definitions of privacy and what is sen-sitive personal information vary among coun-tries and individuals on the basis of past expe-riences and cultural understandings. Somecultures focus on community rights over in-dividual rights; others, such as countries inEurope, are sensitive to privacy rights becauseof abuses going back to World War II. In mat-ters relating to modern information and com-munications technologies, there is more agree-ment about the importance of privacy and thecontrol of information (this will be covered inmore detail later in this report).9

The legal right to privacy is recognized innearly every national constitution and in mostinternational human rights treaties, includingthe Universal Declaration of Human Rights,10

the International Covenant on Civil and Po-litical Rights,11 the European Convention onHuman Rights,12 the American Declarationof the Rights and Duties of Man,13 and theAmerican Convention on Human Rights.14

International bodies, including the EuropeanCourt of Human Rights and the United Na-tions (UN) Human Rights Committee, alsohave ruled on the right to privacy.15

In the information age, the right to priva-cy has evolved to address issues relating tothe collection, use, and dissemination of per-sonal data in information systems. New tech-

Rights Defined 7

nologies have driven the collection of per-sonal information by governments and pri-vate bodies into databases of unprecedentedbreadth and depth. Governments and privateorganizations that collect information relatedto government services and obligations (in-cluding tax, medical, employment, criminal,and citizenship records) and identificationtechnologies (including identity card sys-tems, fingerprints, and DNA mapping) havequickly evolved and expanded. New com-munications technologies create and collectsubstantial records about individuals in theprocess of providing communications. Serv-ices run by governments and private opera-tors collect information about individuals,including emails, records of persons commu-nicated with, lists of Web sites visited, andmobile locations. And, of course, peopleshare information through social networkingsites. All of these have led to concerns aboutabuses, including misuse of information forunlawful purposes and identity theft.

Since the 1960s, principles governing thecollection and handling of this information(known as fair information practices) havebeen developed and adopted by national gov -ernments and international bodies (OECD[1980]; also see U.S. Department of Health,Education and Welfare [1973]; and CSA[1996]). The principles generally are these:

Collection limitation principleThereshould be limits to the collection of per-sonal data; and all such data should be ob-tained by lawful and fair means and, whereappropriate, with the knowledge or con-sent of the data subject.

Data quality principlePersonal datashould be relevant to the purposes forwhich they are to be used; and, to the ex-tent necessary for those purposes, should beaccurate, complete, and kept up-to-date.

Purpose specification principleThepurposes for which personal data are col-lected should be specified no later than atthe time of data collection; and the subse-quent use should be limited to fulfillingthose purposes, or fulfilling such otherpurposes as are compatible with the statedpurposes and specified on each occasionwhere a change of purpose occurs.

Use limitation principlePersonal datashould not be disclosed, made available, orotherwise used for purposes other thanthose specified above, except under thefollowing conditions: with the consent ofthe data subject, or by the authority of law.

Security safeguards principleRea -son able security safeguards should be usedto protect personal data against such risksas loss or unauthorized access, destruction,use, modification, or disclosure.

Openness principleThere should bea general policy of openness about devel-opments, practices, and policies relating topersonal data. Means of establishing theexistence and nature of personal data andthe main purposes of their use should bereadily available, as should the identityand usual residence of the data controller.

Individual participation principleAn individual should have the righta. to obtain from a data controller (or

otherwise) a confirmation that the datacontroller either does or does not havedata relating to the individual;

b. to obtain such data within a reason-able time at a charge (if any) that is not ex-

cessive, in a reasonable manner, and in a form that is readily intelligible

to the receiving individual;c. to be given reasons if a request made

under subparagraphs (a) and (b) is de-

nied, and to be able to challenge suchdenial; and

d. to challenge relevant data and, if thechallenge is successful, have the data rec-tified, completed, amended, or erased.

Accountability principleA data con-troller should be accountable for comply-ing with measures that give effect to theprinciples stated above.

These principles have been incorporatedinto important international treaties on dataprotection by the Council of Europe (1981)and the European Union (EC 1995); theyhave also been adopted by the UN GeneralAssembly (1990) and the CommonwealthSecretariat (2002). Similar principles are un-der consideration by the Asia-Pacific Eco-nomic Cooperation (APEC) forum16 andthe Economic Community of West AfricanStates (ECOWAS 2008).17

Of those international instruments, theEuropean Union (EU) Data Protection Di-rective is now the most influential, havingbeen adopted by the 27 EU member-states(plus three European Economic Area coun-tries) and by numerous other countries inAfrica, Europe, and Latin America that tradewith the EU.The directive takes a broad ap-proach to personal information. Personal dataare defined as any information relating to anidentified or identifiable natural person (datasubject); an identifiable person is one whocan be identified, directly or indirectly, in par-ticular by reference to an identification num-ber or to one or more factors specific to hisphysical, physiological, mental, economic, cul-tural or social identity (Directive 95/46/EC,

sec. 2[a]).18 Under a decision from the Euro-pean Court of Human Rights, these data in-clude information collected under public em -ployment.19

National constitutions also have beenevolving to specifically recognize the controlof personal data as a right. Many recent con-stitutions include specific rights to protectthe collection and use of personal data in in-formation systems.20 Many countries in LatinAmerica include a right of habeas data tocontrol and access personal data. The May2010 Constitution of Kenya states, Everyperson has the right to privacy, which in-cludes the right not to have . . . informationrelating to their family or private affairs un-necessarily required or revealed (sec. 31).

What is more directly related to the subjectof this report is the fact that the governmentsof more than 60 countries around the worldhave adopted comprehensive data protectionacts based on the fair information practices thatapply to personal data held by the public andprivate sectors (see EPIC/PI [2007]).21 Anum ber of other countriesincluding theUnited States,22 Georgia,23 and Thailand24have adopted legislation that protects only per-sonal data held by government bodies. Malay -sia recently adopted a law that protects person-al data held by companies, but has not adoptedlegislation protecting personal informationheld by governments.25 In a significant numberof countries where no data protection law hasbeen adopted, there may be more general pro-visions in the criminal and civil codes that re-strict the use of personal information (seeEPIC/PI [2007]).

The Right to Information and Privacy: Balancing Rights and Managing Conflicts8

Right to information (RTI) and privacy lawscan both complement and conflict with eachother, depending on the situation. As figure3.1 shows, the two rights play different rolesin most cases, and only in a small number ofcases do they overlap and lead to potentialconflict.

3.1 ComplementaryRoles of RTI andPrivacy

RTI and privacy often play complementaryroles. Both are focused on ensuring the ac-countability of powerful institutions to indi-viduals in the information age.The Councilof Europe stated in a 1986 recommendationthat the roles are not mutually distinct butform part of the overall information policyin society (Council of Europe 1986). TheU.K. data protection registrar noted, Dataprotection and freedom of information canbe seen as complementary rights, with thepotential to be mutually supportive in prac-tice.26 Lszl Majtnyi (2002), the first par-liamentary commissioner for data protectionand freedom of information in Hungary, saysthat the common purpose of the two rightsis to continue maintaining the non-trans-

parency of citizens in a world that has under-gone the information revolution while ren-dering transparent the state.

In many countries, the two rights are in-tertwined constitutionally. Under the con-cept of habeas dataa constitutional rightthat permits individuals to demand access totheir own information and to control itsusecountries in Latin America have adopt-ed both types of laws.27 Santiago Canton (thefirst Organization of American States specialrapporteur for freedom of expression and theexecutive secretary of the Inter-AmericanCommission on Human Rights) said, Theaction of habeas data, or the right to obtainpersonal information contained in public orprivate databases, has been very important in

Figure 3.1: Complement and Conflict ofPrivacy and the Right to Information

Source: Authors illustration.

Protecting personal data

Potentialconflict

Access togovernmentinformation

Complements andConflicts in RTI andPrivacy Laws

3

9


many countries in exacting accountabilityfor human rights abuses and helping coun-tries scarred by human rights abuses recon-cile and move forward, which can only beaccomplished by exposing the truth andpunishing the guilty.28

In many cases, the two rights overlap in acomplementary manner. Both rights providean individual access to his or her own per-sonal information from government bodies,and privacy laws allow for access to personalinformation held by private entities. Theyalso mutually enhance each other: privacylaws are used to obtain policy information inthe absence of an RTI law, and RTI laws areused to enhance privacy by revealing abuses.

Obtaining Personal InformationHeld by Government Bodies

The most obvious commonality between thetwo types of laws is the right of individuals toobtain information about themselves that isheld by government bodies. This access is animportant safeguard to ensure that individualsare being treated fairly by government bodiesand that the information kept is accurate.

When a country has both laws, the gen-eral approach is to apply the data protectionact to individuals requests for personal infor-mation; requests for information that con-tains personal data about other parties arehandled under the right to information act.In some jurisdictions, such as Bulgaria andIreland, applications by people for their ownpersonal information can be made underboth acts.29 In these cases, it is possible thatslightly different outcomes may result be-cause of the differences in exemptions andoversight bodies. Often, data protection lawsgive greater rights for access to personal in-formation because there is a stronger right ofaccess. In Ireland, the official policy guidance

notes, ones own personal information willvery often be released under FOI [freedomof information], while under the Data Pro-tection Act there is a presumption in favourof access to ones own personal data (Gov-ernment of Ireland 2006). In cases wherethere is a request for information about theindividual and other persons, both acts willbe considered.

In some countries, the RTI act is the pri-mary legislation used by individuals to accesstheir own personal information held by gov-ernment departments. In Australia, all requestsunder the Privacy Act are filtered through theFreedom of Information Act (FOIA), result-ing in more than 80 percent of all FOIA re-quests being from people seeking their owninformation (Law Reform Commission 2010).In Ireland, where both laws allow for individ-uals access, even with the presumption above,the FOIA is still the act most people use: ap-proximately 70 percent of all requests aremade by individuals for their own informa-tion.30

In countries such as India and SouthAfrica, where there is no general privacy lawgiving individuals a right of access to theirown records, the RTI laws are the only meansto access personal records. In India, RTI lawsare regularly used by advocates for the poorto obtain records on distribution of food sub-sidies to show that individuals names havebeen forged and records have been falsified.31

Some RTI acts also provide for privacyprotections where there is no general privacylaw. In South Africa, section 88 of the Promo-tion of Access to Information Act providesthat, in the absence of other legislation (cur-rently under consideration), public and pri-vate bodies must make reasonable efforts toestablish internal measures to correct personalinformation held by the relevant bodies.32

Complements and Conflicts in RTI and Privacy Laws 11

Applying Privacy Laws to ObtainInformation from the Private Sector

Typically, RTI laws do not apply to the pri-vate sector, except where the body is con-ducting government functions (such as wherea contractor is operating a hospital). Only afew countries, including South Africa, haveadopted RTI laws that extend the right of ac-cess to nongovernment bodies for their non-government functions.33

Data protection laws provide an impor-tant complement to RTI provisions by ex-tending individuals right of access to privatebodies. As noted above, more than 60 coun-tries have adopted comprehensive data pro-tection laws that apply to private organiza-tions as well as to government bodies. Theselaws give individuals the right to obtain per-sonal information from private bodies. Theuse of the laws may reveal abuses by corpo-rations or other private organizations, such asmalfeasance by banks, information and com-munication technology companies, and pre-vious employers.34

Using Privacy Laws to Obtain Policy Information

In the absence of an RTI law, privacy anddata protection acts can be used to reveal im-portant policy information. As mentioned atthe beginning of this section, habeas data hasbeen used to demand accountability and in-formation. In a similar manner, Article 8 ofthe European Convention on Human Rightshas been used often to obtain personal infor-mation, and the article has granted the disclo-sure of nonpersonal information in some cas-es. In 1998, using Article 8 as a basis, theEuropean Court of Human Rights ruled thatin cases where a lack of information couldendanger their health, individuals may de-mand information from government bodies:

The Court reiterates that severe environ-mental pollution may affect individualswell-being and prevent them from enjoyingtheir homes in such a way as to affect theirprivate and family life adversely. . . . In theinstant case the applicants waited, right upuntil the production of fertilisers ceased in1994, for essential information that wouldhave enabled them to assess the risks theyand their families might run if they contin-ued to live at Manfredonia, a town partic-ularly exposed to danger in the event of anaccident at the factory.35

Data protection laws can also be used toobtain government information that shedslight on policy. Prior to the United King-doms adoption of its FOIA, the Data Pro-tection Act was used by individuals to obtaininformation from government bodies (seeHencke [2001]; Hencke and Evans [2002,2003]; BBC News [2001]). Even followingthe implementation of the FOIA, reportershave used the Data Protection Act to discov-er that officials have been spying on theirphone records to discover their sources of in-formation (Daily Mail 2006).

Using RTI to Promote Privacy

In many countries, RTI laws are a primarytool used by privacy advocates to identifyabuses and to campaign effectively againstthem. In the United States, groups such as theAmerican Civil Liberties Union, the Electron-ic Privacy Information Center, and the Elec-tronic Frontier Foundation routinely use theU.S. FOIA and state laws to demand govern-ment records on new and existing governmentprograms (communications surveillance, bodyscanners, and spying on groups) and use therecords to campaign against those programsand proposals.36 In the United Kingdom, the


Taxpayers Alliance37 and Genewatch overseethe government, using the FOIA; and State-watch uses the European Unions (EU) accessregulations to oversee the EU bodies.

3.2 Conflicts betweenRTI and PrivacyInterests

Inevitably, as figure 3.1 shows, there are over-laps in RTI and privacy interests that canlead to conflicts. Governments collect largeamounts of personal information, and some-times there is a demand to access that infor-mation for various reasons. The requestorsinclude journalists investigating stories, civilsociety groups fighting for accountability, in-dividuals demanding to know why a deci-sion was made in a certain way, companiesseeking information for marketing purposes,and historians and academics researching re-cent and not-so-recent events.

Every national RTI law has an exemptionfor personal privacy. As discussed in the fol-lowing section, these laws vary greatly. Asnoted earlier, many countries have adoptedseparate privacy and data protection laws thatmay interact with the RTI law in determin-ing the release of information.

Given the often complex relationship be-tween privacy and RTI laws, the conflict fre-quently arises from misunderstandings aboutwhat is intended to be protected. Officialsmust deal with numerous issues: Should offi-cials names and other details be consideredprivate? Is information in public registersavailable for any use? Are court and criminalrecords public? Clarity in law, policy, andpractice to limit these problems is essential.

These issues have taken on greater im-portance as information increasingly is beingdisclosed in database format and over Inter-

net sites. Questions about the relevance ofdata protection laws for the reuse of personalinformation (even if it is publicly available)are important. Under EU data protectionlaw, the mere public access to informationdoes not mean it can be used for any purpose(Working Party 1999).

In many countries, the privacy exemptionis one of the exemptions used most often. Inthe United States, the exemptions for personalprivacy (b6) and law enforcement rec ords con-cerning individuals (b7c) have consistentlybeen the two most-used exemptions. Thesedata include the names of recipients of homeloans, citizenship records, and criminal records.In Canada, the privacy exemption was used in31 percent of all denialsfar more than thenext-most-used exemption (see U.S. Depart-ment of Justice [2010]; Government of Canada[2002]; and U.K. Ministry of Justice [2009]).

The following sections will review someof the common types of information that arerequested and the conflicts that arise.

Information about Public Officials

Many of the records held by public bodiescontain information that identifies officialswho were involved in the subject at somepoint. This includes the names of officialswho wrote memorandums, attended meet-ings, and approved decisions. Other recordscontain contact information, official expen-ditures, or e-mail and phone logs. It is usefulto categorize this information as relating totheir official capacities.

Government bodies also hold more di-rectly personal information about officials,including their biographical data, photo-graphs, salary records, employment records,home addresses, records of financial assets,and medical histories.

There is no global consensus about whichinformation is nonpersonal and which is per-


sonal. As discussed above, the right of privacyis complex and defined by each culture.Thereare some points that can be summarized:

Official capacitiesOverall, the ma-jority of countries take the position thatmost information relating to official ca-pacities is not considered personal infor-mation for the purposes of withholding.It may be considered personal because itrelates to a particular identifiable individ-ual, but generally is not related to his orher personal or family life and is less likelyto be sensitive. In most cases, documentscannot be withheld just because an offi-cials name is listed as the author or recip-ient of a document. In 2007, the Euro-pean Ombudsman found that it wasmal administration for the European Par-liament to refuse to disclose the expensesof members of parliament, including theirtravel and subsistence allowances (EO2007). The Irish and U.K. informationcommissions have also ordered the releaseof parliament members expense infor-mation, whereas all U.S. congressional ex-penditures are published biannually.

Employment informationAlthoughthere is variation across cases, informationmore closely related to an officials per-formance in his or her job (including ex-act salary38 and details of employee per-formance reviews) is withheld in manyjurisdictions and is available in others.39

Personal lifeInformation relating sole-ly to a public employees personal liferather than to his or her public actions isless likely to be released. Medical recordsof nonelected officials are generally con-sidered sensitive and are not released inany system.40 For officials, criminal recordsnot related to their positions are oftenwithheld (for example, see Scottish Infor-mation Commissioner [2009]). There is a

general recognition that personal infor-mation about senior officials should bemore available than that of junior officials.So although the salaries of junior officialsmay not be made available or only byscale rather than by exact numbers, thesalaries of more-senior officials may be af-firmatively published. Similarly, require-ments for asset disclosure forms are im-posed in more than 100 countries forsenior and elected officials, and some maybe publicly available.41 Biographical dataof decision makers and those who are be-ing considered for very-senior positionsare more commonly released than thosefor more-junior positions.

Elected officialsThere is also signifi-cant agreement that information aboutelected or high-rank public officials is lessrestricted, even when it relates to theirpersonal lives. In 2004, the EuropeanCourt of Human Rights said, the publichas a right to be informed . . . that is, cer-tain circumstances can even extend to as-pects of the private life of public figures,particularly where politicians are con-cerned.42 In Hungary, the ConstitutionalCourt ruled in 1994 that there are nar-rower limits to the constitutional protec-tion of privacy for government officialsand politicians appearing in public [. . .than to that of] the ordinary citizen.43 InIndia, the Supreme Court ruled that thecriminal records of persons running forparliament should be released.44 In somecases, the medical records of the highest-ranking officials (such as the president)may be publicly released.45

Information Held by Governmentsabout Private Individuals

Governments also hold a significant amountof information about private individuals. Thisis why data protection or privacy laws were

first conceived and continue to be adopted.The materials include great amounts of bu-reaucratic records with information that mostpeople consider sensitivesuch as rec ords re-lating to citizens interactions with govern-ment bodies for taxation and to their healthcare. In the majority of jurisdictions, most ofthese records are considered private.46

Court Records

There is no consensus on access to courtrecords. In Europe, court records naming in-dividuals are considered very sensitive (seeLeith and McDonagh [2009]); in the UnitedStates, it has been a matter of long-standingprinciple that the information is public.47 InHungary, the data protection and freedom ofinformation commissioner negotiated anagree ment between the police and mediathat access would be provided to criminalcases, but only the individuals initials wouldbe used until charges were filed (Govern-ment of Hungary 1998b).

There has been increasing sensitivity overaccess in many countries as more records havebecome available via computer networks, andthere is greater concern about financial infor-mation being used for fraudulent purposes(see NJSBA [2002] and Cannon [2004]). Inresponse to these concerns, many courts nowredact certain types of information, such as fi-nancial data and identification numbers, priorto making material publicly available electron-ically (see Administrative Office of the U.S.Courts [2008]). In Europe, many countries re-quire that identities be removed from cases bebefore they are made public.

Social Program Records

There are also differences of opinion over therelease of information relating to social sup-port programs. In most developed countries,

there is sensitivity about individuals receivingsocial support, so personal information heldby government bodies is not generally madepublic.48

In some developing countries, however,many of these records are publicly releasedand play a crucial role in fighting corruption.In India, all people are guaranteed the rightto a certain annual minimum of food andemployment. A key element of ensuring thatthese guarantees are protected is making themuster rolls and other information publiclyavailable so that social audits may be accom-plished.49This information is increasingly be-ing made available on the Internet.50 InMex ico, registers of scholarship recipientsand other social beneficiaries are made avail-able online.51This information can be crucialfor identifying fraud in these programs. Box3.1 points out two examples of fraud discov-ered through a review of public information.

Public Registers

An increasing controversy relates to access toinformation in public registers, such as birth,

Box 3.1: Using Publicly AvailablePersonal Information to Fight Fraud

In India, a review of the data by a single in-dividual using information gathered underthe National Rural Employment GuaranteeScheme found that millions of rupees werebeing siphoned off because fake identitycards in the names of children and publicemployees were created and used. Previoussocial audits had not revealed the fraud.

In Mexico, an analysis of the agriculturalsubsidies register by the transparency advo-cacy group FUNDAR found that the familiesof the minister of agriculture and wanteddrug barons were receiving public money.



marriage, and death registers; electoral regis-ters; land records; lists of license holders; andother similar records. In many countries,there has been a long history of public accessto these records. However, concern over theiruse for commercial purposes, for stalking, andfor other reasons not related to their originalpurposes has grown as the registers have beendigitized and made available over the Internet(see NZLC [2008]). Countries vary widely intheir approaches to making public registersavailable and to permitting third parties toreuse the information for other reasons.52

Some countries laws limit disclosure ofinformation for certain reasons, such as com-mercial purposes. The New Zealand publicregister privacy principles state, Personal in-formation obtained from a public registershall not be re-sorted, or combined withpersonal information obtained from any oth-er public register, for the purpose of makingavailable for valuable consideration personalinformation assembled in a form in whichthat personal information could not be ob-tained directly from the register.53 In 1999,the U.S. Supreme Court upheld a law thatrestricted access to a computerized list of re-cently arrested individuals for use in com-mercial marketing.54 The U.K. governmentmakes available a limited version of the elec-toral roll (from which people may opt tohave their names removed) that can be usedfor commercial purposes, and it prohibits useof the full roll for such purposes.

Following a review of legislation relatedto public registers and public access, the NewZealand Law Commission recently recom-mended that any legislation that creates apublic register keep the following principlesin mind:

free flow of information, transparency,

privacy interests (including the protectionof personal information),

accountability for fair handling of person-al information, and

public safety and security (NZLC 2008).

Professional Records

Government bodies also maintain records re-lating to people who have more of a businessrelationship with government, includingthose who donate money and meet with of-ficials in their capacity as employees of acompany or organization. In this regard, thereis an increasing demand that lobbyists be reg-istered and that such information be madepublic.55

In general, these individuals are consid-ered to have less of a private interest guaran-tee because the information is related to theirprofessional activities rather than to theirpersonal opinions or lives. U.K. and U.S. tri-bunals have found that in the absence ofcompelling reasons to the contrary, the iden-tities of corporate lobbyists should be re-vealed.56 However, the European Court ofJustice ruled recently that businesspeoplewho met with officials could have theirnames withheld.57

Public Subsidies for BusinessPurposes

Governments also often provide subsidies toindividuals as a business matter, in areas suchas agriculture. There has been considerabledebate over agricultural subsidies in Euro-pean countries in the past few years, with theresult that most of the information is nowpublicly available.58 There is a growing agree-ment that these records are not particularlysensitive because they relate to a business ac-tivity (although they may reveal the amountof income that a small farmer may receive ina single year). However, the European Court


of Justice recently ruled that information inthis area concerning individuals must be re-stricted.59

Misuse of the Privacy Exemption

Not all arguments for privacy made by offi-cials are legitimate. A conflict sometimes aris-es when government officials attempt toshield their decision making from scrutiny bymisrepresenting their demand for secrecy asa privacy interest. Documents and informa-tion are withheld, claiming privacy of offi-cials or of third parties. In Argentina, the gov-ernment claimed that information aboutofficial spending on advertising was personalinformation (see Knight Center [2010]).Former U.K. Cabinet Secretary Sir RichardWilson, the highest-ranking U.K. civil ser-vant, best articulated this belief, testifying, Ibelieve that a certain amount of privacy is es-sential to good government.60

The misuse of privacy exemptions oftenleads to needless conflict between the mediaand privacy campaigners as the media comesto believe that any privacy law is an attemptto hide government activities. As noted byAustralian freedom of information expertNigel Waters (2002), There is a continuedproblem of privacy exemptions in FOI lawbeing misused and getting privacy a bad

name. This makes a major contribution tothe widespread jaundiced media view of pri-vacy law, even though it is not actually priva-cy law that is to blame.

3.3 Balancing the Rightsof Access and Privacy

It should again be emphasized that the RTIand privacy are not always conflicting rights.They are both laws designed, in part, to ensurethe accountability of the state. The importantissue is how the legislation and the imple-menting and oversight bodies balance the tworights. As discussed above, both the RTI andprivacy are internationally recognized humanrights with long histories and important func-tions. Under human rights law, typically noright is accorded a greater weight than anoth-er.61The rights must be decided on a case-by-case basis with a view toward the relative im-portance of various interests.

* * *

The next chapter will discuss legislative andstructural means to minimize conflicts be-tween the two rights.

17

4

Legislation

In the past 10 years, there has been a markedconvergence of policy and legislation in bothright to information (RTI) and data protec-tion laws. Most data protection laws followthe structure of the Council of Europe Con-vention for the Protection of Individualswith Regard to Automatic Processing of Per-sonal Data and the European Union (EU)Data Protection Directive. There is more di-vergence around RTI laws, but they general-ly follow the principles set out in precedingchapters of this report. The convergence inboth areas results from the influence of inter-national treaties and agreements and the ef-forts of a more global civil society connectedthrough modern communication technolo-gya society that is constantly sharing ideasand good practices.

There has also been convergence in de-veloping policies on the relationship be-tween RTI and privacy laws and how best tomake them interact. Although no consensuson good practice has yet emerged, a numberof common areas are now clear. This chapterwill review the most common policy choicesmade by governments and highlight theirstrengths and weaknesses.

4.1 Model 1A SingleRTI and Privacy Law

For those jurisdictions that have not adoptedeither law but plan to do so, one possibility isto adopt both laws in a single act. This allowsfor common definitions and internal consis-tency and for limiting conflict and establish-ing a balance from the start. Here are severalexamples:

In Canada, Bill C-43, adopted in 1982,contained both the Access to InformationAct and the Privacy Act.The two sectionsthen became separate laws with separatecommissions to enforce them, but withcommon definitions and relationships.The Canadian Supreme Court has de-scribed the two laws as a seamless codewith complementary provisions that canand should be interpreted harmonious-ly.62 Many Canadian provincial laws alsoaddress both rights in a single law.

In Hungary, the 1992 Act on the Protec-tion of Personal Data and Public Accessto Data of Public Interest is both a gener-


al RTI law and a data protection law thatprotects personal information held bypublic and private bodies.63 It created asingle oversight body with jurisdictionover both. The parliamentary commis-sioner for data protection and freedom ofinformation oversees them.

In Mexico, the Federal Law on Trans-parency and Access to Public Informationlists both access to information and theprotection of privacy for records held byfederal government bodies as its primarygoals. It is overseen by the Federal Institutefor Access to Information (more com mon -ly known by its Spanish acronym IFAI).More recently, legislation to extend its re-mit to include personal data held by theprivate sector has been adopted.

In Thailand, the Official Information Actboth gives citizens rights to access infor-mation held by government bodies andcontrols how government bodies may usepersonal data. Both are overseen by theOfficial Information Council. Legislationto protect records held by the private sec-tor is currently being debated.

There are some disadvantages to adoptinga single act to address both rights. For one,having both functions together may causelegislative confusion over the intent of thelaws and may lead to opposition by someparties who would otherwise support oneact or another. A more practical issue is thecomplexity of the legislation, which maylead to legislators being unwilling to reviewit because they lack the time.64 An act thatcovers both areas comprehensively will needto be as detailed as two single acts becausethere is little overlap in the two (except forthe definitions and the oversight body).

4.2 Model 2SeparateRTI and Privacy Laws:Managing Conflicts

In many jurisdictions, either an RTI or a dataprotection law has been adopted and is inforce, or a decision has been made to intro-duce the laws as separate pieces of legislation.Therefore, the new law or laws must beadopted in a way that ensures the greatestharmony between the operations of the twolaws. If the goal of harmony is ignored at theoutset, the laws will conflict and further leg-islative efforts will be required later.

Here are some important considerationswhen adopting new legislation:

Definition of personal informationIdeally, a common definition will be usedfor both acts. If not, then the definitionsfrom both laws will be considered eachtime that access to personal informationis sought.

Primacy of legislationBecause bothaccess to information and privacy areequally fundamental rights, neither lawmay arbitrarily trump the other. How willthe legislation address this issue?

Privacy exemption in RTI lawAllnational RTI laws provide for the with-holding of personal information. There iswide variance in the scope of these ex-emptions, ranging from a presumptionthat all information is private and shouldbe withheld to a presumption of open-ness with limited exceptions for sensitiveinformation.

Subject access requestsAs noted ear-lier in this report, some jurisdictions allowfor individuals to request their own per-

Legislation 19

sonal information under either act. A bet-ter choice would be to select one act thatgives greater access and to focus those re-quests through that law. In most Europeancountries, this is the Data Protection Act.

Oversight and appealsWhat type ofbody will rule on the balancing of therights? It should be a specialized body thatcan develop clear standards on the subject.

Personal Information Defined

Data protection laws typically take an expan-sive view of what is personal information.EU Directive 95/46/EC, section 2(a), definespersonal information broadly as any infor-mation that identifies an individual. Suchbreadth can lead to a conflict with the RTIbecause the core principle of data protectionis that information collected for one purposeshould not be used for other purposes with-out the consent of the individualand thisis often viewed as covering everything thatmentions a person.

Countries have addressed this in differentways. The Canadian access to informationand privacy acts use a single definition in thePrivacy Act that sets out in detail the bound-aries of personal information and public in-formation. In contrast, the Irish Freedom ofInformation Act (FOIA) and the Data Pro-tection Act use different definitions, but re-quire that the FOIA definition be used whenconsidering the exemption.

Some countries define in more detail thetypes of information to be protected. Doingso enables the legislature to define some ofthe boundaries rather than leave them to theoversight bodies or courts to determine.

Many laws specifically exclude informa-tion relating to public functions from cover-age under the privacy exemption. As notedbefore, Canadas Privacy Act includes de-tailed descriptions of both personal informa-

tion and what is excluded from the defini-tion in relation to public activities. In SouthAfrica, the Promotion of Access to Informa-tion Act65 requires that disclosure of informa-tion be declined if it would involve the un-reasonable disclosure of personal informationabout a third party, including a deceased in-dividual. However, the information can bedisclosed if it is about an individual who is orwas an official of a public entity and if it re-lates to the position or functions of the indi-vidual, including, but not limited to

the fact that the individual is or was anofficial of that public body;

the title, work address, work phone num-ber, and other similar particulars of theindividual;

the classification, salary scale, or remuner-ation and responsibilities of the positionheld or services performed by the indi-vidual; and

the name of the individual on a recordprepared by the individual in the courseof employment (section 34).

Curiously, a few laws passed more recent-lyincluding the Indian Right to Informa-tion Act and the Indonesian Act on PublicInformation Disclosure66do not providefor a definition of private information; theyrely instead on common language definitionsfor interpretation.

Fairness and Data Protection

In many countries, the privacy exemptionrequires that all personally identifiable infor-mation must be withheld. Frequently, theRTI law specifically defers to the law on dataprotection for the definition of personal in-formation to be protected and the rules gov-erning its release. This approach is found inmany European countries, including Croatia,


Kosovo, Romania, Slovakia, and the UnitedKingdom.

Under this approach, it is then necessaryto use the data protection law to determineif information can be released. An initial in-quiry will determine if consent has been ob-tained and can be used to justify the releaseof the information. A best practice is to in-form individuals at the time of collectionthat the information may be made publicunder RTI legislation.67 If consent from theperson is not forthcoming, the data protec-tion principles must be reviewed to deter-mine if release can be justified.

Among the pertinent principles, fairnessis the most important one to consider. Fair-ness typically depends on the circumstancesunder which the information was collectedand the expectation at that time that the in-formation would be used in certain ways. Ifthe processing (in this case, the public release)of the information can be found to be fair, itcan proceed and the information can be dis-closed. Box 4.1 sets out guidelines used bythe U.K. government to determine fairness.

Public Interest Test

Increasingly, many RTI laws provide for abalancing test to be used when determiningwhether personal information should be re-leased. Under this test, even if the informa-tion is determined to be personal and its re-lease would cause harm, it may be disclosedif it is found that the public interest in releaseis more important than the privacy interest.This allows for independent arbiters such ascommissions, courts, or ombudsmen to weighthe different values and determine, case bycase, when information should be released.This test is used to evaluate privacy interestsin a number of countries, including Ireland,New Zealand, Slovenia, and the UnitedStates.

In the United States, the primary privacyexemption protects personnel and medicalfiles and similar files the disclosure of whichwould constitute a clearly unwarranted inva-sion of personal privacy.68 The courts havefound that there is an implicit public interesttest balancing the individuals right to pri-vacy against the basic purpose of the FOIAto open up agency action to the light ofpublic scrutiny.69

The Slovenian information commissionerhas identified some areas where public inter-est would be strong:

where the disclosure will assist public un-derstanding of an issue of current nationaldebate,

Box 4.1: Elements to DetermineFairness

Source: U.K. Ministry of Justice 2008.

The U.K. Ministry of Justice recommendsthat the following factors be used in deter-mining if disclosure under the U.K. FOIAwould be considered fair:

How the information was obtained.

The data subjects likely expectationsregarding the disclosure of the informa-tion. For example, would the party ex-pect that his or her information mightbe disclosed to others? Or had the per-son been led to believe that his or herinformation would be kept secret?

The effect that disclosure would haveon the data subject. For example,would the disclosure cause unneces-sary or unjustified distress or damageto the data subject?

Whether the party expressly refusedcon sent to disclosure of the information.

The content of the information.

The public interest in disclosure of theinformation.

Legislation 21

where the issue has generated public orparliamentary debate,

where proper debate cannot take placewithout wide availability of all relevantinformation,

where an issue affects a wide range of in-dividuals or companies,

where the issue affects public safety orpublic health,

where the release of information wouldpromote accountability and transparencyin decision making, and

where the issue concerns the making orspending of public money (Pirc Musar2006).

In a leading case in Ireland, the Irish in-formation commissioner set out public inter-est arguments to consider when balancingrequests for information:

The public interest in the public havingaccess to information.

The public interest in the accountabilityof elected representatives.

The public interest in a free and informeddebate on the level of remuneration/ex-penses paid to elected representatives.

The public interest in accountability foruse of public funds.

The public interest in an individualsright to privacy in respect of informationrelating to his/her financial affairs.

The possibility of damage to the imageof Parliament as an institution in theevent of reduced public confidence in theintegrity of members of the Houses ofthe Oireachtas.

The public interest in the entitlement ofmembers of the Houses of the Oireachtas(Irish national parliament) to discharge

their Constitutional responsibilities with-out being put in a position where theyare or may be subjected to unjust attackfor claiming financial entitlements whichare theirs as a matter of law and theamounts of which are not, in the normalcourse, relevant to the members perform-ance as a public representative.

The possibility of prejudice to, or distortionof, the democratic process by equation, inthe eyes of members of the public, of thelevel of payment of expenses to memberswith individual performance of members,with possible adverse consequences for thecareers of individual members.

The possibility that disclosure of recordswhich are, or may not be, comparable,and which are likely to be used for com-parison purposes, may mislead the publicand result in comment based on partiallyor wholly unreliable conclusions whichmay be damaging to the interests of in-dividual members.

The possibility that such comparisons mayresult in certain members being forced torelease further personal information relat-ing to their financial affairs in order to dealwith inaccurate public speculation as totheir income and to repair perceived dam-age to their interests.70

Thus, it is clear from the different modelsdescribed above that both the RTI and thedata protection laws must clearly define howpersonal information is going to be consid-ered. Under the most effective legislation,this is set out lucidly and provides for specificboundaries on types of personal informationto be protected and a balancing test that ex-amines both harms and the public interest(Pirc Musar 2010).

23

5

Oversight

All national right to information (RTI) lawshave some form of external appeals mecha-nism. In approximately two thirds of coun-tries (roughly 60), an independent oversightbody such as a commission or ombudsmanhas been empowered to receive appeals andmake determinations or recommendationson the release of information.71These bodiescan play an important role in balancing pub-lic interest with the release of personal data.

A very strong trend exists for countries tocreate information commissioner offices thatcan decide appeals and provide oversight andguidance. There is a roughly even split in ju-risdictions that have created a commissionbetween those that have separate bodies tohandle the RTI and data protection andthose that have a single body to handle both.Each model has its pros and cons.

5.1 Two BodiesSeparate RTI andPrivacy Commissions

Many countries have created separate bodiesfor enforcing the RTI and the protection ofprivacy. The bodies may have a single func-tion or have other duties assigned to them.

A few countries have created an independ-ent RTI commission as a single-function body.These countries include Belgium, Canada,France, and Portugal. More commonly, an al-ready existing ombudsmans office also en-forces the RTI law. This is the situation inNew Zealand, Peru, and the Scandinaviancountries. A few jurisdictions (such as Ireland)have adopted an RTI commission that alsoserves as the ombudsman, but with additionalpowers.

In nearly all countries, the data protectionor privacy commission is an independentbody. This is partly because of requirementsunder European Union law that data protec-tion commissions be independent.72

There are benefits to having two bodies.A separate commission for each of the tworights can create clear champions for suchrights, unencumbered by the need to balancepotentially competing interests. As stated byCanadian Information Commissioner JohnGrace:

The values of openness and privacy eachhas a clearly identifiable and unambiguousadvocate. While both commissioners are re-quired by law to reasonably balance accessrights and privacy rights, each has a clear


mandate to be a lightening [sic] rod for, andchampion of, one of the two values.73

This could be particularly important whenone is a new right that is not yet establishedin the public mind and the other has longbeen accepted and championed by a body.

A primary concern of having two bodiesis that there will be conflict between thetwoand that could become messy, expen-sive, and embarrassing. In Canada, there havebeen public fights between the two commis-sions for both policy and political reasons(see Government of Canada [2001]).There isalso concern that public bodies and the pub-lic will receive conflicting advice from thetwo commissioners when they disagree. Asnoted by the Canadian Access to Informa-tion Review Task Force in 2002:

An institution is required to notify the Pri-vacy Commissioner before making such adisclosure, where this can reasonably bedone. A situation can arise where the Infor-mation Commissioner advises the institu-tion to disclose personal information in thepublic interest, but the Privacy Commis-sioner advises the institution to protect theinformation on the grounds that the publicinterest in the case does not clearly out-weigh the invasion of privacy that could re-sult from disclosure. This puts the institu-tion in the difficult position of havingcon flicting recommendations from the twoCommissioners (Government of Canada2002, p. 59).74

If there are two commissioners, there willneed to be a mechanism to resolve conflicts.Previously, the Slovenian system used an ad-ministrative dispute institute. The Slovenianinformation commissioner found that thesystem was inefficient:

Two bodies which operate in an area soclosely interlinked would inevitably comeinto conflicting situations [with] the insti-tute of an administrative dispute as a toolfor settling such conflicts. Such a manner ofsettling mutual conflicts though, would, dueto the long time periods of dispute resolu-tions, mean a lessened legal certainty (PircMusar 2006).

Finally, not related to the scope of this re-port but quite relevant to many countries,there is an economic concern relating to thecost of two commissions. It may be difficultto justify two commissions in small jurisdic-tions when economic situations are difficultor as governments are cutting back to createa new body.

When there are two agencies, there shouldbe formal agreements to cooperate to mini-mize conflicts. In New Zealand, the privacycommissioner and the ombudsman have a for-mal consultation process that requires the om-budsman to consider the views of the privacycommissioner before determining whether torelease personal information (Slane 2002). InIreland, the Data Protection Act requires thetwo bodies to cooperate.

5.2 One BodyA SingleRTI and PrivacyCommission

Countries increasingly have been creatingsingle commissions to handle both access toinformation and privacy protection. Coun-tries and jurisdictions that have adopted thismodel include Estonia, Hungary, Malta, Mex-ico, Serbia, Thailand, and the United King-dom at the national level; and many Canadi-an provinces, German lnder, Mexican states,and Swiss cantons at the subnational level.

Oversight 25

In most cases, an existing commission isgiven additional authority with the adoptionof new legislation. In the United Kingdom,the Data Protection Commission evolvedinto the Information Commission. A similarprocess also occurred in Germany, Malta, andSwitzerland. In Slovenia, the two bodies weremerged into a single new commission headedby the previous information commissioner.

The most significant benefit of having asingle body is the shared expertise and re-duction of conflict. As noted earlier, there isa strong interrelation between the two rights.Although they have some areas of conflict,there also are strong areas of commonality.

Having a single body can reduce the pos-sibility of institutional conflict. In practice,many requests for information under RTIlegislation will relate to personal informa-tion; having this dual expertise will allow forbetter balancing. Elizabeth France (1999), theU.K. data protection registrar, commentedduring the legislative process in June 1999:

The possibility of institutional conflictwhich would exist were there to be separateCommissioners for freedom of informationand data protection matters is avoided.Working within one institution should al-low more focused and effective considerationthan working across institutional bound-aries. Any tension will be contained withinthe institution. Making the actual decisionabout where the balance should lie betweendata protection and freedom of informationin a particular case will not be less difficultbecause there is one commissioner. However,with experience and understanding of bothissues in-house, the decision process itselfshould be eased.

It is also easier for the public to have asingle point of contact with public bodies to

better exercise their rights. The Sloveniancommissioner has found that having one en-tity resulted in greater awareness of bothrights:

The merged body also insures for its greatervisibility as well as unification of the entirelegal practice of the field. It will also increasethe awareness of all other government bod-ies while carrying out the stated legislativeprovisions to the benefit of all applicants(Pirc Musar 2006).

The creation of a single body with bothpowers also reduces the likelihood that pub-lic bodies can misuse data protection, know-ing that their decisions are subject to reviewby an oversight body that is an expert inboth areas of legislation. As Lszl Majtnyi,the first Hungarian information commis-sioner, stated in his first report, [i]t goeswithout saying that nobody can lawfully ob-struct the freedom of information and thepress in the name of data protection (Gov-ernment of Hungary 1998a, p. 73).

There is also an important economic ar-gument to having only a single body. Noneof the administrative costssuch as humanresources, technical infrastructure, and ad-ministrative supportare duplicated. Whenthe Canadian information and privacy com-missioners, who shared common corporateservices, split apart in 2002, the costs for bothbodies increased by an estimated Can$1 mil-lion each.

The strongest drawback to adopting asingle-commission model is the danger thatone interest may be stronger or perceived asmore powerful and that the bodies do notequally protect or balance both interests(Tang 2002). Any conflicts are likely to bedecided internally rather than publicly, wherethey would receive a public viewing and de-


bate. The Canadian privacy commissionerworried that it would diminish or dilutethe profile of privacy at a time when therewere profound privacy challenges.75

An imbalance could be especially prob-lematic where one law has a greater consti-tutional protection or has been in force for asignificantly longer period of time. In theUnited Kingdom, this concern led to thecreation of two distinctly separate workforcesfor the different rights inside the informationcommission (which had previously been en-forcing only data protection rights). Only af-ter five years are the two workforces beingmerged.

There is also a concern that a single bodymay not be provided with adequate resourcesto take on additional dutiesduties that aresignificantly different in some ways. In Aus-tralia, the Tasmania ombudsman (who is alsothe information commissioner and the in-tegrity commissioner, and who holds severalother posts) recently expressed concern that

new functions added to his mandate have re-sulted in additional work without enough re-sources being provided (ABC News 2009).

There is no clear answer for every juris-diction on the issue of whether it is better tohave one commission or two. Countries maywish to create a new institution to ensurethat the profile of one of the rights is clearlypromoted and not diluted by other func-tions. In other cases, an existing body (suchas an ombudsman) may be appropriate. And,of course, economic or political concernsmay dictate one model over the other.

* * *

In the next chapter, both oversight modelswill appear in the case studies presentedthereincluding one jurisdiction that hasswitched from one model to the other. Thediscussion will examine some of the benefitsand limitations of the different models.

27

6

Case Studies

6.1 IrelandIrelands Data Protection Act was adopted in1988 and amended in 2005 to implementthe European Union (EU) data protectiondirective. The act created the Office of theData Protection Commission as an oversightand enforcement body. Irelands Freedom ofInformation Act (FOIA), adopted in 1997,created an Office of Information Commis-sion to enforce the act. The government ap-pointed the ombudsman to act jointly as theinformation commissioner.The second com-missioner was also jointly appointed as om-budsman. Under the Data Protection Act,the Commissioner and the InformationCommissioner shall, in the performance oftheir functions, co-operate with and provideassistance to each other (sec. 1[5][b]).

The definition of privacy in the two actsis not identical. Section 2 of the FOIA de-fines personal information as data about anidentifiable person that is normally knownonly to the individual or members of thefamily, or friends, of the individual, or isconfidential. It provides 12 paragraphs of ex-amples of what is personal information, in-cluding educational, medical, psychiatric orpsychological history, financial affairs, reli-gion, and tax and identification numbers.

These definitions are followed by three para-graphs of information expressly excludedfrom the definition of personal information,including the activities of an officeholder ofa public body and those providing publicservices under contract, and opinions of theindividual regarding the public body (includ-ing its staff).

Separately, the Data Protection Act definespersonal information as data relating to a liv-ing individual who is or can be identified ei-ther from the data or from the data in con-junction with other information that is in, oris likely to come into, the possession of the datacontroller (sec. 1[1]). However, to ensure thatthere is no conflict between that act and theFOIA, section 1(5)(a) of the Data ProtectionAct provides a specific exemption for release ofpersonal information under the FOIA. This isconsidered by a leading commentator (Mc-Donagh 2006) to be a trumping of the pri-vacy right, but subject to constitutional protec-tions and international obligations.

Individuals may request personal informa-tion about themselves from government bod-ies under either the Data Protection Act orthe FOIA. Most requests to public bodies aremade under the latter, except requests to bod-ies that are not covered by the FOIAsuch asthe Guardi (police) and the private sector.


Under section 28 of the FOIA, personalinformation must be withheld unless (1) it isabout the requestor, (2) the person givesconsent, (3) the information is of a class thatis publicly available or the person has beennotified that it is part of that type of class, or(3) its release is necessary to avoid a seriousand imminent danger to the life or health ofan individual (see Government of Ireland[2006]).

The exemption is subject to a public in-terest test that allows for the release of the in-formation if the public interest that the re-quest should be granted outweighs thepub lic interest that the right to privacy of theindividual to whom the information relatesshould be upheld or if it benefits the indi-vidual.The information commissioner ruledin 1999 that the expenses of members ofparliament (MPs) should be released as amatter of public interest. In that case, thecommissioner examined the questions aboutfinancial privacy and public spending:

As a general proposition I would accept that,when an individual discloses details of his/her financial affairs including details of fi-nancial transactions with third parties to apublic body, there is an understanding thatthe information is given in confidence. How-ever, does such an understanding normallyexist in relation to the payment of publicmoney to individuals, be they members ofthe Oireachtas [Parliament] or employees ofa public body? It is pertinent to recall at thispoint that the information at issue in thiscase concerns amounts paid to individuals todefray expenses incurred by them in dis-charging their functions as public representa-tives. The payments do not arise out of someprivate activities or private aspect of theirlives. On this point they can be distinguishedfrom, say, a payment made to a claimant un-

der the Social Welfare Acts, where there is anexpenditure of public money but the pay-ment derives from some private aspect of theclaimants life such as family circumstancesor inadequacy of means (Government of Ire-land 1999).

Since that time, the commissioner has ex-amined numerous other cases related to pri-vacy and access. The breakdown of cases in-dicates that this question is the one mostexamined by the office. Other informationthat has been ordered released under thepublic interest test includes payments of agri-cultural subsidies and the names of and pay-ments to experts, outside lawyers, and senioracademics.76 In a recent settled case, thecommissioner negotiated a settlement for therelease of detailed expenditure records indatabase form from the Department of Arts,Sport and Tourism to allow for easy compar-isons (Sheridan 2010). However, a complaintabout the decision has been filed with theData Protection Commission.77

6.2 Mexico

Mexico adopted the Federal Law on Trans-parency and Access to Public Information in2002.78 The law states that its objective is toboth promote transparency and protect per-sonal information held by public bodies. Itdoes not apply to personal data held by pri-vate bodies. In 2010, the Federal Law onProtection of Personal Data Held by Individ-uals was adopted.79The more recent law ap-plies to personal data held by private compa-nies and individuals. Personal information isdefined as any information concerning anidentified or identifiable natural person. Anew initiative is being considered by Con-gress to revise and extend the data protection

Case Studies 29

provisions of the right to information (RTI)law to improve the protection of informationheld by federal bodies.

As part of a federal system, each of the 32states has adopted its own access to informa-tion law, and many are considering data pro-tection laws. In the Federal District (MexicoCity), both RTI and data protection lawshave been adopted, and a single commissionhandles both issues.80

The 2002 RTI law created a Federal In-stitute for Access to Information (IFAI) tomonitor federal government bodies compli-ance with both access to information andprotection of personal data legislation. TheIFAI was changed into the Federal Institutefor Access to Public Information and DataProtection with the adoption of the 2010act, and will now have the authority to en-force the protection of personal informationheld by the private sector.

Personal information is defined in articleII(2) of the law as [a]ll information con-cerning an individual, identified or identifi-able, including their ethnic or racial origin,or related to their physical, moral or emo-tional characteristics, their personal and fam-ily life, residence, telephone number, patri-mony, ideology, political opinions, religiousor philosophical beliefs or convictions, phys-ical or mental health, sexual preferences, orany other similar preferences that could havean impact on their intimacy. Article 18 pro-tects personal data as confidential and thusexempt from release. Personal data related topublic spending or present in public reg-istries is not considered confidential.

According to chapter IV of the 2010 law,federal public bodies are required to provideindividuals access to their own informationand details on the procedures for correctingthat information to ensure that all handlingis adequate, appropriate and moderated in

connection with the purposes for whichthey were obtained; to ensure it is accurate,updated, and corrected it if it is incorrect;and to ensure that it is kept secure.

The IFAI rules on all appealed cases con-cerning access to government-held informa-tion. Many of these cases relate to the per-sonal information of third parties, bothofficials and members of the public; and theyhave required the IFAI to balance the tworights. In balancing these rights, the institutebalances public accountability against pro-tecting personal data (Irazbal and Nez2009). In the cases, some of the factors haveincluded the public interest in knowingabout criminal prosecutions, the importanceof the public being aware of the elements ofa scientific investigation, and the value ofpublic accountability when public funds arespent. In cases where privacy has been up-held, the IFAI has analyzed whether the re-lease of information would give the publicinsight into the performance of the data sub-jects or their suitability for their jobs. Follow-ing such analysis, it decided that releasewould not provide such insight, and so de-nied release of the information. In a differentcase (one that sought the telephone numbersof wildlife units), another decision wasreached and the numbers were released. TheIFAI has also denied release of informationfrom the Mexican Population Registereven though the information was not con-sidered confidentialbecause it was availableelsewhere.

6.3 Slovenia

The Personal Data Protection Act was adopt-ed in 1999 and replaced in 2005 with a newact based on EU Directive 95/46/EC. Thelaw created an Inspectorate for Protection of


Personal Data within the Ministry of Justiceas its oversight and enforcement body. TheAccess to Public Information Act was adopt-ed in 2003. The law created a commissionerfor access to public information to enforce itsprovisions.

The two commissions were merged intoa single information commissioner by theInformation Commissioner Act in 2005.There were concerns that the inspectoratefor data protection was not as strong and in-dependent as required under EU rules. Priorto the merger of the offices, disputes werehandled through the initiation of an admin-istrative dispute; however, no cases were filed.Following the merger, the National Supervi-sor for Data Protection was established underthe authority of the information commis-sioner, and staff was substantially increased.

Slovenias Access to Information Act al-lows for the withholding of informationwhen the disclosure . . . would constitute aninfringement of the protection of personaldata in accordance with the Act governingthe protection of personal data. Personaldata are defined in the Data Protection Act asany data relating to an individual, irrespec-tive of the form in which it is expressed. Anindividual is defined as an identified oridentifiable natural person to whom personaldata relates; an identifiable natural person isone who can be identified, directly or indi-rectly, in particular by reference to an identi-fication number or to one or more factorsspecific to his physical, physiological, mental,economic, cultural or social identity, wherethe method of identification does not incurlarge costs or disproportionate effort or re-quire a large amount of time. However, thecommissioner has said that, based on a Con-stitutional Court ruling, a name is not suffi-cient to constitute personal data in the ab-sence of other identifying data.81

Under the Access to Information Act, ac-cess cannot be withheld if it is related to theuse of public funds or information related tothe execution of public functions or employ-ment relationship of the civil servant. It alsocontains a public interest test that providesthat the access to the requested informationis sustained, if public interest for disclosureprevails over public interest or interest ofother persons not to disclose the requestedinformation.

Under the decisions of the commissioner,the public interest in the release of informa-tion is the issue that has been examined nu-merous times.82 The commissioner has or-dered the release of information relating tothe misconduct of officials because it is in thepublic interest83 and the release of the nameof a job applicant who was already a publicservant,84 and has denied release of videosurveillance records from the state prosecu-tors office.85

6.4 United Kingdom

The United Kingdom first adopted the DataProtection Act in 1984, in response to theCouncil of Europes Convention for theProtection of Individuals with Regard toAutomatic Processing of Personal Data.86

The act created a data protection registrar toenforce it. In 1998, the act was replaced toimplement EU Data Protection Directive95/46/EC, which changed the data protec-tion registrar into the data protection com-mission and granted it stronger powers. In2000, the FOIA was adopted. The act trans-formed the data protection commission intothe information commission, with authorityto enforce both acts.

When the FOIA proposal was first con-sidered, the government position was that

Case Studies 31

there would be a separate information com-mission. In the end, the government revisedits position, stating,

Dual enforcement regimes raise serious co-ordination problems, are confusing to appli-cants, wasteful of resources and require com-plicated procedures to ensure that issues ofprivacy and access to information have bothbeen p

Right to Information and Privacy.pdf

Documents

Transcript of Right to Information and Privacy.pdf