Archives for personal files

Response to ‘Making Open Data Real’ consultation

Response to the Cabinet Office’s ‘Making Open Data Real’ consultation. The response emphasises the extent to which the government’s vision of improvements to accountability, service quality, efficiency, choice and citizen empowerment depend on the FOI Act, since (a) although data may highlight discrepancies in performance, the broader right of access provided by the FOI Act is needed to understand what is behind them and (b) the ‘right to data’ proposals are being implemented for public authorities by amendments to the FOI Act itself. It also points out that both the FOI Act and open data proposals will be undermined by the contracting out provisions of the Health and Social Care Bill and the Localism Bill. Finally, it argues that the abuse of copyright restrictions, which the government’s amendments address, is not restricted to datasets but applies to ordinary disclosures under the FOI Act.

Access to information held in complaints files

Updated October 2011.

This letter to the Deputy Commissioner, David Smith, raises a number of concerns about the Information Commissioner’s data protection guidance on ‘Access to Information Held in Complaints Files’. The Deputy Commission replied to the letter saying the Campaign’s comments would be taken into account should the guidance be revised.


Data Protection Act subject access consultation response

The Campaign has published its response to the consultation by the Lord Chancellor’s Department on the subject access provisions of the Data Protection Act. It is calling for people to have the right (a) to know when information has been withheld from them under one of the DPA exemptions; (b) to be able to appeal to the Information Tribunal against decisions of the Information Commissioner, and (c) for the DPA exemptions to be made subject to a public interest test.

Court of Appeal letter

The Campaign has supported an application to the Court of Appeal for leave to appeal against a county court decision on the right of access to manual files under the Data Protection Act. The court had held that the files in question were not part of a “relevant filing system” and were therefore not covered by the Act. But the judge ruled that even if the files had been covered by the Act, in the exercise of his discretion, he would not have ordered their disclosure in this case, a decision which the Campaign has questioned. (The Court of Appeal has since given leave to appeal.)

NHS Executive’s response

Reply to the Campaign’s letter concerning patient’s rights and the Data Protection Act 1998.
Read More

Access to manual health records and the DPA 1998

This May 2000 letter to the Department of Health explains the Campaign’s concerns about the loss of patients’ rights as a result of the repeal of most of the Access to Health Records Act 1990 and the incorporation of its provisions into the Data Protection Act 1998.
Read More

Amendments to the Data Protection Bill

A series of amendments to the Data Protection Bill were drafted by the Campaign for Freedom of Information and tabled by Richard Shepherd MP at the bill’s report stage in the House of Commons on 2 July 1998. The amendments (which appeared as numbers 15-17 on the order paper) were all debated, but none of them was passed. This briefing explains their purpose.


The amendments reflect concern about a new prohibition on the release of information in clause 59 of the Bill. This will make it an offence for the Data Protection Commissioner (as the present Data Protection Registrar will be known) or her staff to disclose information about any identifiable business or individual, other than in very limited circumstances. The offence would be committed even if the disclosure caused no harm, for example, to commercial confidentiality. No such offence exists under the current Data Protection Act.

The clause is likely to prevent the Commissioner from publicly identifying business which have been found to be misusing personal data about individuals, for example, by obtaining data through deception or selling private information for commercial purposes. The Commissioner may be unable to reveal that:

she has received large numbers of complaints about a particular company

a company has failed to respond to requests to improve its practices

an enforcement notice has been served against a firm

Equally, it may be an offence to reveal that:

a business has agreed to correct a problem without formal action

a complaint had proved unfounded.

The Registrar has herself expressed concern at this new provision, which she says may “require her and her staff to be unnecessarily guarded in future“.1 The result may be both to deny the public information which it ought to have, and to undermine public confidence in the Commissioner’s work by preventing her for explaining what action she has taken to deal with complaints relating to matters of public concern.

The offence is not limited to disclosures likely to cause actual harm, but will be caused by any disclosure of any information about an identifiable business. This :

* contradicts the policy established by the last government. Its 1993 Open Government white paper provided that in any new offences involving the disclosure of information “the presumption will be in favour of the inclusion of a harm test“.2

* is also inconsistent with the present government’s proposals for a Freedom of Information (FOI) Act. The FOI white paper proposes that information should only be withheld where disclosure would cause either “harm” or “substantial harm” to specified interests. Existing statutory restrictions on disclosure are being reviewed with a view to repealing or amending those which do not reflect the proposed harm tests.3

During the Data Protection Bill’s Committee stage in the House of Commons, an amendment was tabled by Mr John Greenway to restrict the offence to information which “is potentially damaging”. This was not accepted by the Government.4

The Government says that the new offence is required by the European Data Protection Directive, which states that national supervisory authorities must be subject to “a duty of professional secrecy”. However:

* the Registrar’s view, as expressed this January, is that this obligation can be met without a new criminal offence.

* The Directive itself contains a number of pro-disclosure provisions would permit a far more balanced approach. These include Recital 72, which states: “this Directive allows the principle of public access to official documents to be taken into account when implementing the principles set out in this Directive” and Recital 63 which states that supervisory authorities “must help to ensure transparency of processing“.

The Government maintains that the restriction is not as serious as it appears because the Commissioner has a discretion to release information under Clause 51(2). This states:

“The Commissioner shall arrange for the dissemination in such form and manner as he considers appropriate of such information as it may appear to him expedient to give to the public about the operation of this Act, about good practice, and about other matters within the scope of his functions under this Act…”

However, precedent under similar provisions suggests that this may be of limited value. For example, the Health and Safety Commission and Executive are prohibited from disclosing information unless it is for the purpose of their functions 5 but are also required to ensure that people concerned with matters relevant to the purposes of the Health and Safety at Work Act are “kept informed of, and adequately advised on” those matters.6 It interprets these two requirements restrictively, and says that it is prohibited from revealing information about individual premises unless to do so “would directly prevent risk…[or] is necessary to protect health and safety“.7 Requests for information about identifiable premises from people who are not themselves in danger – including Members of Parliament, researchers and journalists – are usually refused.

The explicit prohibition on releasing information about identifiable businesses is therefore likely to override the Commissioner’s general discretion to release information, unless under clause 59(2)(c), disclosure is “for the purposes of, and is necessary for, the discharge of…any functions under this Act“. It will be extremely difficult to demonstrate that a particular disclosure is necessary for any function under the Act. If the function can be discharged without the disclosure, the disclosure will not be necessary – and would be illegal.

Clause 59(2) also permits disclosure in certain other limited circumstances, for example, where the information is publicly available already; the individual or business concerned consents to the disclosure; or where disclosure is made in connection with legal proceedings. It also provides a limited, and highly restrictive, public interest defence.

The proposed amendments

The amendments would:

1. require the Commissioner to maintain a public register of enforcement notices. The disclosure of these notices might otherwise be an offence

2. permit (but not require) the Commissioner to reveal the results of an assessment of whether a particular business is complying with the Act. At present, this information can only be revealed to the person asking for the assessment. Its disclosure to an MP or journalist could be an offence

3. strengthen the public interest defence available to the Commissioner or her staff

Amendment 15

Page 24, line 28, [Clause 40] at end insert:
‘(7A) The Commissioner shall maintain a register containing:

(a) a copy of every enforcement notice issued under this section;

(b) such other particulars relating to such notices as the Secretary of State may by order prescribe.

(7B) The provisions of sections 19(6) and (7) shall apply in relation to the register maintained under this section as they do in relation to the register maintained under section 19(1).’


Under clause 40(1) the Commissioner may serve an enforcement notice where it appears to her that a data controller is contravening any of the data protection principles.8 The notice may require the controller to take specified action or stop processing data.

The amendment would require a register of such notices to be set up (new subclause 7A). The register would have to be available to the public free of charge at all reasonable times Certified copies of entries from the register could be obtained on payment of any prescribed fee. This is done by new subclause 7B, which applies the existing provisions of clause 19(6) and (7) which relate to the main Data Protection Register, to this new register. Those provisions are as follows:

19 (6) The Commissioner –

(a) shall provide facilities for making the information contained in tthe entries in the register available for inspection (in visible and legible form) by members of the public at all reasonable hours and free of charge, and

(b) may provide such other facilities for making the information contained in those entries available to the public free of charge as he considers appropriate.

(7) The Commissioner shall, on payment of such fee, if any, as may be prescribed by fees regulations, supply any member of the public with a  duly certified copy in writing of the particulars contained in any entry made in the register.

The amendment would bring the Data Protection Bill into line with existing legislation such as the Environment and Safety Information Act 1998 and the Environmental Protection Act 1990 9 which require the establishment of public registers of enforcement notices about environmental and safety hazards.

Subparagraph (b) of the amendment would allow the Secretary of State, by order, to require that other information relating to such notices be included on the register. This would allow the fact that a notice had been cancelled (under clause 41), or was the subject of an appeal (under clause 48) to also be recorded. It might also permit the person on whom the notice had been served to add a statement of explanation or mitigation to the register.

Consequential Amendment

Page 41, line 4, [Clause 67], at end insert “section 40(7A)(b)”

The preceding amendment would create a new order making power. This will require a consequential amendment to clause 67, which deals with the procedures by which orders are to be introduced. The amendment indicates that this order would be made under the affirmative procedure.

Amendment 16

Page 25, line 20 [clause 42] at end insert –

‘and may, if he considers it appropriate, inform any other person’


Under clause 42(1) a person who believes that he or she has been directly affected by any processing of personal data may ask the Commissioner for an assessment of whether the processing breaches the Act’s requirements. After carrying out the assessment the Commissioner must inform the applicant “to the extent that he considers appropriate…of any view formed or action taken as a result” [clause 42(4)(b)].

However, while the applicant must be informed of the outcome, the Commissioner may commit an offence under Clause 59 by revealing the same information to any other person. Thus, even though there may have been a well publicised complaint about a particular practice, the Commissioner may not tell anyone (including a journalist, MP or another potentially affected person) about her findings.

The amendment allows (but does not require) the Commissioner to make such disclosures. (However, a requirement may arise under the proposed Freedom of Information Act).

The discretion is appropriate in this case, since where a complaint relates purely to the circumstances of an individual applicant, wider disclosure may not be appropriate. However, where the issue is of general concern, and affects large numbers of people, disclosure may be justified – for example, if it reveals that a bank is failing to safeguard personal data about its customers.

(Note: There is no reason why the level of disclosure proposed in the amendment should be thought to contravene the “obligation of professional secrecy” required by the Directive, given that the Directive also provides that supervisory authorities “must help to ensure transparency of processing” [Recital 63])

Amendment 17

Page 36, line 44 [Clause 59]

leave out “necessary for reasons of substantial” and insert “in the”


A public interest test is available, under clause 59(2)(e), should the Commissioner (or a member of her staff) be prosecuted for an offence relating to the disclosure of information. The test is particularly restrictive. Amendments 17 and 18 both seek to remove some of the restrictive features.

Clause 59(2)(e) provides that no offence is committed if:

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary for reasons of substantial public interest”

This means that it would have to be established that:

* the disclosure was “necessary”, not just desirable, in the public interest;

* the public interest related to the “rights and freedoms or legitimate interests” of others – a term which does not on the face of it acknowledge the public interest in the accountability of the Commissioner’s work; and

* the public interest itself would have to be “substantial”.

It is hard to see why this public interest test should be set out so strictly, particularly as most of the Bill’s other public interest tests are less demanding. For example, there is no requirement that the public interest be “substantial” before a newspaper can publish personal data, under the public interest test in clause 32(1)(b).

Amendment 17 would remove the requirement that the disclosure be “necessary” and that the public interest be “substantial”. The defence as amended would read:

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is in the public interest”

Amendment 18

Page 36, line 44 [Clause 59]

leave out “substantial”

This is an alternative to Amendment 17. It would delete the word “substantial” but retain the word “necessary”. The amended provision would then read:

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary for reasons of public interest”

It is effectively identical to Amendment 46 tabled by the Home Secretary. Under the Home Secretary’s amendment the provision would read:

“having regard to the rights and freedoms or legitimate interests of any person, the disclosure is necessary in the public interest”

The word “necessary” would remain a problem under both Amendments 18 and 46. A disclosure which was only “desirable” in the public interest, but not “necessary” would not be permitted, under these amendments.

Campaign for Freedom of Information, July 2, 1998


1. Data Protection Registrar, ‘Data Protection Bill: Criminal Disclosures by the Commissioner’s Staff’, 29.1.98

2. Open Government, July 1993, Cm2290, para 8.40

3. Your Right to Know, December 1997, Cm 3818, para 3.20

4. Data Protection Bill, Standing Committee D, 10th sitting, 2 June 1998 (morning) cols 266-270

5. Health and Safety at Work Act 1974, sections 28(3)(b) and 28(7)(a)

6. Health and Safety at Work Act 1974, section 11(2)(b)

7. Health & Safety Executive, General Administrative Procedures, No. 1, August 1995, para 1.B11

8. Eg if personal data is being obtained unfairly or unlawfully, in contravention of the First Data Protection Principle

9. See section s20(1), 64(1) and 122(1) of the 1990 Act which require registers containing enforcement notices relating to premises subject to Integrated Pollution Control, waste disposal and genetically modified organisms.

Letter from Home Office minister Lord Williams of Mostyn, about confidentiality clauses in the Data Protection Bill

Reply to the Campaign’s letter concerning secrecy and the operation of the new data protection legislation. (The Data Protection Registrar subsequently said that she found the Campaign’s views on this issue “persuasive” and did not agree with the views expressed by the Home Office in this letter.)

Letter to George Howarth MP, Home Office minister, about confidentiality clauses in the Data Protection Bill

June 2, 1998

Dear Mr Howarth,

I am writing to express our concern about the confidentiality clause in the Data Protection Bill, which we believe is likely to lead to considerable unnecessary secrecy about the operation of the data protection legislation.
Read More

Access to personal files and the new EU Data Protection Directive

A new right of access to manual files had to be introduced by October 1998 to comply with an EU Directive. In this response to a Home Office consultation document the Campaign set out some of its views on the Directive. It called for existing rights of access under the Data Protection Act to be improved and expressed concern that some other rights (eg to see credit, school and medical records) could be weakened if they were consolidated into the proposed new legislation.