INFORMATION COMMISSIONER AND TRIBUNAL DECISIONS - NEXT FOI CASE LAW UPDATE 6TH JUNE 2024. RESERVE YOUR PLACE NOW!

“Gagging clause” prevents naming of companies that misuse personal data

Companies that misuse personal information about people will be protected from public criticism by a “gagging clause” in new data protection legislation, according to the Campaign for Freedom of Information.

Under the Data Protection Bill, now going through the House of Commons, the Data Protection Commissioner (as the present Data Protection Registrar will be known) will commit a criminal offence if she discloses information about any identifiable business or individual, other than in very limited circumstances. The Campaign says this will prevent her identifying individual companies that may have been obtaining personal information about individuals by deception or selling private information for commercial purposes. She will not be able to reveal whether she has received complaints about a particular company, whether an enforcement notice has been served on it for breaching data protection rules, or even whether the Commissioner has merely held discussions with it. Such information about identifiable businesses will normally be disclosable only in court, or with the company’s consent.

In a letter to the Home Office minister George Howarth MP, the Campaign for Freedom of Information has complained about this restriction, saying it will “create considerable unnecessary secrecy”, harm the work of the Data Protection Commissioner and undermine the government’s Freedom of Information proposals. According to the Campaign’s director, Maurice Frankel, similar restrictions on disclosure in other legislation “deny the public information about problems and create suspicion about the diligence of the authority, whose inability to offer a proper explanation for apparent inaction is likely to damage its public reputation.”

The restriction, in clause 56 of the Data Protection Bill, makes the release of information about identifiable businesses or individuals an offence unless it is “for the purposes of, and…necessary for the discharge of….any functions under this Act”. Mr Frankel said that disclosures to a journalist or even an MP will usually not be “necessary” in these terms, adding: “If they are not ‘necessary’ they will be illegal. The prospect of committing an offence is likely to prevent the Commissioner disclosing any information about such matters”. The Registrar herself has said that the restriction will cause her staff “to be unnecessarily guarded in future”.

Under the government’s proposals for a Freedom of Information Act, the public will have a right to any official information, unless disclosure would cause “substantial harm” to specified interests such as commercial confidentiality or personal privacy. The government has said that wherever possible existing legal restrictions on disclosure will be amended to bring them into line with this approach. Mr Frankel says the new data protection restriction“goes against this trend, not only by establishing a new secrecy provision while government policy is to remove them, but by applying its scope so widely and indiscriminately”. Its effect will be to prevent the public obtaining access to information about the Data Protection Commissioner’s work, even though other regulatory bodies will have to disclose such information.

The government says the restriction is necessary because the European Data Protection Directive, which the Bill implements, requires that regulatory authorities be bound by “professional secrecy”. However, the Campaign questions whether the Directive requires such absolute secrecy, pointing out that it specifically states that “the principle of public access to official documents…[can] be taken into account when implementing the principles set out in this Directive”. The Campaign says that if there has to be a new offence it should apply only to disclosures which cause “substantial harm” to a company’s commercial interests, and not to any and all information about an identifiable business. The Data Protection Registrar has herself questioned whether a new offence is required at all.

The Data Protection Commissioner will have a limited public interest defence to any charge of improper disclosure of information. But the Campaign says this is drafted in extremely restrictive terms. The disclosure will have to be “necessary” in the public interest, not just desirable. And it will only apply if the public interest is “substantial”. The Campaign points out that most of the Bill’s public interest provisions – such as that which allows a newspaper to publish personal data, in the public interest – do not use the term “substantial”, and are much easier to meet.

Notes

The Data Protection Bill has completed its passage in the Lords and is near the end of its Commons committee stage. It implements the European Data Protection Directive, which improves the protection given to personal information held on individuals. The directive must be in force by October of this year. The new Act will replace the existing Data Protection Act of 1974 which applies primarily to personal information about individuals held on computer. The new Act will extend to some manually held records as well. The 1974 Act does not prohibit the Registrar from disclosing information.

The government’s freedom of information proposals were published in a white paper last December (Your Right to Know, Cm 3818). The government has promised to publish a draft Freedom of Information bill for consultation by the summer.

Scroll to Top