Centre for Freedom of Information The childhood leukaemia case – learning points in dealing with the balance between access to information and privacy.

Slides:

Advertisements

Similar presentations

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

Advertisements

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

NIGB Legal requirements for use of personal data in research OnCore UK / NRES Training workshop Ethical Principles relating to consent for use of samples.

NATIONAL INFORMATION GOVERNANCE BOARD

Chief Inspector Donald Thomson ACPOS FOI Coordinator Policing, the Public Interest and FOI.

Privacy and FOI Compliments and Conflicts David Banisar Privacy International © Privacy International 2009.

Data Protection Billy Hawkes Data Protection Commissioner Irish Human Rights Commission 20 November 2010.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DAVID ARCHARD PROFESSOR OF PHILOSOPHY What does it mean to have a right of participation?

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Why Won’t You Talk to Me? The Crown perspective

THE CHILDCARE COURT PROCESS WHAT IS REQUIRED FROM ALL AGENCIES?

Proactive Interventions: Incorporating a Children’s Rights Approach

Role of and Duties of Plan Commission Members Ralph E. Booker.

ACCOUNTING ETHICS Lect. Victor-Octavian Müller, Ph.D.

Statistical Disclosure Control Philip Johnston, Information Services Division, NHSNSS ScotPHO training course, 1 April 2011.

Quo vadis, FoI…? Dr Renate Gertz School of Law University of Glasgow.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.

Benevolence – How does this fit in to the Test for Liberty?

EU: Bilateral Agreements of Member States

The National Academy of Sciences of Ukraine Kyiv University of Law Anna Vasilchenko Department of International Law Group IL-41.

Transparency in Public Administration – FOI and EIR

Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.

Data Protection Overview

1 OVERVIEW PRESENTATION FREEDOM OF INFORMATION (SCOTLAND) ACT 2002.

Exemptions and the Public Interest Test Louise Townsend - Masons.

LAWYERS ETHICS Poverty Law II Irene M. Opsahl. APPLICABLE PROFESSIONAL RULES  Minnesota Rules of Professional Conduct 

European Ombudsman Access to environmental information Task Force on Access to Information Geneva, 4 December 2014.

The Human Rights Act 1998 Mechanism Sections 1 and 2 of the HRA 1998.

The Heart of the Matter: supporting family contact for fostered children.

Personal beliefs and medical practice Asad; Lale`; Rob;

INTERNATIONAL LAW PARMA UNIVERSITY International Business and Development International Market and Organization Laws Prof. Gabriele Catalini.

Updated 12/02/2007 Relevant Laws Relevant Laws ContraceptionContraception, Sterilisation and Abortion Act 1977 (CS&A Act) CS & A Amendment 1978, 1990 AbortionCare.

APPLICATION FOR ACCESS (PAIA) Mandatory protection (which must be refused in terms of Chap 4 subject to S46) DENIAL OF ACCESS (PAIA) Internal Appeal to.

Understanding decision making - Prosecuting complaints Karen Mobbs Director of Proceedings Health Care Complaints Commission Patrick Griffin Barrister.

Some wrong turns for ‘personal data’ Graham GreenleafGraham Greenleaf, UNSW Interpreting Privacy Principles: Chaos or Consistency? Sydney, 17 May 2006.

Public rights of access to information Grisilda Ponniah, Corporate Information Governance Manager Mary Elliott, FOI Officer Legal & Democratic Services.

Mental Capacity Act and the Deprivation of Liberty Safeguards Andrea Gray Mental Health Legislation Manager Welsh Government.

Access to Public Information in Slovenia Nataša Pirc Musar, LL.B. Commissioner for Access to Public Information The Hague – 24 th -25 th November, 2004.

The Eighth Asian Bioethics Conference Biotechnology, Culture, and Human Values in Asia and Beyond Confidentiality and Genetic data: Ethical and Legal Rights.

Data Protection & FOI Data Protection: Background Human Right to Privacy Unenumerated right under Irish Constitution Explicit right under European Convention.

Choice and Control in my life Round table Discussion on legal Capacity legislation Belfast, 26 th November Betreuungsgesetz of 1992 – the German Example.

Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office.

The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.

IM NETWORK MEETING 20 TH JULY, 2010 CONSULTATION WITH 3 RD PARTIES.

A QUESTION OF FAITH: RELIGION AND BELIEF IN EUROPE Equinet LWG 2011 Jayne Hardwick Moderator Equinet – Legal Working Group.

Data protection and compliance in context 19 November 2007 Stewart Room Partner.

An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.

Participation in the Process of Brownfield Regeneration Dagmar Petríková, Matej Jaššo „This project has been funded with support from the European Commission.

The EU and Access to Environmental Information Unit D4 European Commission, Directorate General for the Environment 1.

EUROPEAN CONVENTION ON HUMAN RIGHTS Regional protection of human rights.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Ethical, legal and social aspects of public health genomics Mark Taylor, School of Law, University of Sheffield 7 th November 2014.

František Nonnemann Skopje, 10th October 2012 JHA Data protection and re-use of PSI as a tool for public control–CZ approach.

Rights Responsibilities and Advocacy Module: 6cf005 Session Eight ‘Best interests’ of the child.

TRIDENT – A SOCIAL BUSINESS THE MENTAL CAPACITY ACT A provider perspective on the implications for the Housing, Care and Support Sector Anthony McCool,

Brussels Privacy Symposium on Identifiability

Brussels Privacy Symposium on Identifiability

Overview General Data Protection Regulation (GDPR)

Viewing the GDPR Through a De-Identification Lens

Amandine Jambert - IT Experts Department

The activity of Art. 29. Working Party György Halmos

Is Data Protection a Fundamental Right Protecting the Individual?

ACCOUNTING ETHICS Conf.univ.dr. Victor-Octavian Müller.

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

ACCOUNTING ETHICS Conf.univ.dr. Victor-Octavian Müller.

ACCOUNTING ETHICS Conf.univ.dr. Victor-Octavian Müller.

ACCOUNTING ETHICS Conf.univ.dr. Victor-Octavian Müller.

ACCOUNTING ETHICS Lect. Victor-Octavian Müller, Ph.D.

“Seven-minute Staff Meeting”

Presentation transcript:

Centre for Freedom of Information The childhood leukaemia case – learning points in dealing with the balance between access to information and privacy rights Christine ONeill 23 September 2009 © Brodies 2009

Overview Re-cap: some basics The approach of the Court of Session The judgment of the House of Lords Learning Points

Re-cap – What is personal data? Section 1(1) DPA personal data means data which relate to a living individual who can be identified – from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

The EU perspective - What is personal data? DPA implements Directive 95/46/EC Article 1 personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

The EU perspective - identification Recital 26 of Directive says Whereas the principles of protection must apply to any information concerning an identified or identifiable person: whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; whereas the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable

Re-cap – the Durant decision Durant -v- Financial Services Authority [2003] EWCA Civ 1746 English Court of Appeal Subject access request seeking access to documents generated by the FSA in response to a complaint. FSA had disclosed much of the information sought but refused to disclose some as it did not relate to Durant Durant argued that, as he was the source of the material, all of the information generated by the FSA in response to his complaint was his personal data

UK perspective – the Durant decision FSA argued that the phrase relate to had to be construed more narrowly, so that the information had to refer to, or concern, Durant Court of Appeal rejected Durants argument The Court recognised that information about an individual would be his personal data if it was about him/her because it would relate to that individual

UK perspective – the Durant decision However, mere mention of an individual in a document would not necessarily amount to that individuals personal data unless it fell within a continuum of relevance or proximity to the individual Guidance Biographical in a significant sense - beyond involvement in matter that has no personal connotations Focused on the individual – not something else e.g. another person or event In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity

Re-cap – Mr Collies request Request for information on incidents/incidences of childhood leukaemia in Dumfries & Galloway, broken down by census ward. CSA offered to provide aggregated data but refused to provide numbers for each census ward as the small numbers involved could give rise to a risk of indirect identification of living individuals. SIC ordered that the CSA disclose the information in perturbed or barnardised form unless Mr Collie would prefer aggregated annual data.

The Approach of the Court of Session CSA appealed SICs decision on a number of grounds including on the basis that barnardised data constituted personal data Court of Session rejected the CSAs appeal on the basis that the barnardised data no longer had the individuals as its focus and was not biographical in any meaningful sense the focus of the data was on the incidence of the leukaemia – not the children Relied on Durant analysis of relates to

The Approach of the House of Lords Common Services Agency –v- Scottish Information Commissioner [2008] 1 W. L. R High level principles Anonymisation and the definition of personal data How to deal with data protection principles

The Approach of the House of Lords High Level Principles In my opinion there is no presumption in favour of the release of personal data under the general obligation that FOISA lays down (Lord Hope) the system of regulation of data processing under the 1998 Act remains in place, but the Parliament has grafted on to it provisions for third parties to obtain information without the operation of the pre-existing system of protection for data subjects being compromised (Lord Rodger)

The Approach of the House of Lords Anonymisation and the definition of personal data relate to requirement - Lords expressly refused to consider Durant on basis medical information clearly related to the individuals concerned identification requirement If the data could be fully anonymised then it was no longer personal data and it could be disclosed without the need to consider the data protection principles However, there was no real consensus as to what was meant by full anonymisation or to whom the data had to be anonymous

The Approach of the House of Lords Lord Hope – mere access to other information from which individuals could be identified does not prevent CSA from processing data in a way such that they can no longer be identified Lord Rodger where using "reasonable means" the data controller can still identify the individuals to whom it relates =>personal data if it becomes "impossible" for the data controller to make a connection between the data and the individuals to whom it relates => not personal data Baroness Hale – only approach issue of identifiability from perspective of intended recipient

The Approach of the House of Lords The Data Protection Principles Fair and lawful processing Schedules 2 and 3 Condition 6 of Schedule 2

The Approach of the House of Lords The Data Protection Principles the proper course would be for [the application] to be remitted to the Commissioner so that he can examine the facts…and determine whether the information can be sufficiently anonymised for it not to be personal data Striking the right balance …would raise issues of fact as to which no findings have been made and which only the Commissioner is in a position to determine

Summary of Learning Points Giving data protection its place Anonymising personal data is the best and the worst solution Unusually for FOI the factual matrix has a very important role to play For the courts, the process may be more important than the outcome

Centre for Freedom of Information The childhood leukaemia case – learning points in dealing with the balance between access to information and privacy rights Christine ONeill 23 September 2009 © Brodies 2009