Proposed EU Data Protection Regulation and Research

Man Reading Book and Sitting on Bookshelf in LibraryDavid Erdos believes a bid to tighten European data protection will have a chilling impact on social science and humanities research.  He writes:

Even with the advent of Web 2.0, data protection law is still often seen as technical and only narrowly applicable. Technical abstruseness aside (and data protection’s reputation here is certainly deserved), this understanding could not be more wrong. The existing European data protection framework really is breathtaking in scope. It applies to anything done electronically with any information about an identified or identifiable person – possibly including the dead. According to the European Union, even innocuous details in the public domain are protected (perhaps even the title of an author’s book). Moreover, if the information reveals the particulars of, for example, a person’s ethnic origin, political opinions, religious belief, trade union membership, health or criminality, then it is classed as “sensitive” and subject to even tighter controls. The European data protection framework is not only broad but often onerous. Barring specific exceptions (including a liberal one that can be invoked for journalism, literature and the arts), there is a presumption that individuals will be informed about the processing of data about them and given a right to object, that the processing of “sensitive” personal information will be banned and that no personal information will be transferred outside the European Economic Area without “adequate protection”.

So the popular perception of data protection is woefully inaccurate – which leads to a radical underestimation of the threat these regulations pose to the enjoyment of other fundamental rights and the pursuit of legitimate activities. Nowhere is this more the case than in social science and humanities research. Since the advent of the EU’s framework in the 1990s, researchers have witnessed dramatic restrictions on their freedom to use “sensitive” data and to deploy covert methods. Coupled with the growth of sometimes intrusive “ethical review” policies, the barriers and burdens placed in the way of even ordinary, innocuous, yet socially beneficial research and on researchers have become considerable.

It might have been hoped that the proposed EU Data Protection Regulation would provide an opportunity to reverse this. But if the European Parliament’s recently published draft amendments are anything to go by, the converse is true.

Contunue reading here.

This article was originally published in the 14-20 February 2013 edition of Times Higher Education and is published with the author’s permission. You can also read it on the Constitutional Law website.

The draft EU DP Regulation will be examined in our forthcoming 1 hour Data Protection Update Webinar :

Can Spiderman make a Freedom of Information request?

Has your public authority ever received an FOI request from Justin Case, Barb Dwyer or Stan Still? Would these even be valid requests? According to a survey of FOI officers published by the Constitution Unit, the average council receives 47 information requests a month. The media now make around a third of all requests but members of the public still account for the most number at 37%. Increasingly FOI officers come across unusual names when dealing with such requests.

Can the use of an apparently fictitious name or pseudonym invalidate an otherwise valid FOI request? Section 8 of the Act states that a request must be in writing, state the name of the applicant and an address for correspondence and must describe the information requested. Most FOI officers I have trained seem to think that they have the right to ask for the “real name” of the requestor. According to the Information Commissioner’s Guidance  this view is correct:

“…the use of a false or fictitious name is not acceptable. Therefore, where a public authority receives a request from a person using an obvious pseudonym, there is no obligation to comply with the request;”

The Guidance goes on:

“In most cases, it will be reasonable for a real name to comprise a name by which the person making the request is widely known and/or is regularly used by that person and which is not an obvious pseudonym or fictitious name.”

The Commissioner does explain later that a common sense approach should be taken. Even when an obvious pseudonym has been used, as good practice a public authority should still consider the request even though technically it can be regarded as invalid. He advises that this approach could be adopted in cases where identity is not relevant to the request and, in view of the general principle in FOI of disclosure to the world at large, where the authority is content to disclose the information.

I think the Commissioner’s guidance is flawed in that it encourages public authorities to focus too much on the identity of the requestor and not on the information being requested.  Let us go back to basics.

Section 8 only requires the applicant to state his/her name. I have always advised clients that a name is a just what the requestor chooses to call him/herself. The Commissioner’s guidance encourages the public authority to speculate whether a given name is a pseudonym or fictitious. How can a public authority be sure that a given name is so? Where can it check that a name is real? I am not aware of any comprehensive official register of names in the UK. And not everyone is on the electoral roll.

The names in the first paragraph of this article are real names uncovered by researchers from a parenting group after trawling through online telephone records. Other they found include Pearl Button, Jo King and Tim Burr.

In any event a public authority cannot insist on a real or “proper” name from an FOI requestor as there is no such concept in English Law. A person can call themselves anything. They are not restricted to what is on their birth certificate. People change their name by deed poll (though they do not have to use such a document) to fit in with their lifestyle or to emulate their favourite celebrity. If a public authority receives an FOI request signed “Amy Winehouse” or “Michael Jackson” are they going to reject it or ask for proof that the King and Queen of Pop have risen again? What about a request from Facebookdotcom Forwardslash Mountaindew UK? These are all real names of living people.  (Honest! Click Here )

When researching this article, I found some interesting (and real) names on The Monster Raving Loony Party’s list of 2010 election candidates . Step forward Mr Nick The Flying Brick Delves, Chinners Chinnery and Hairy Knorm Davidson. If the Commissioner’s advice is correct, it seems that these names are real enough to allow the user to stand for election to the Mother of All Parliaments but not real enough to make an FOI request (without providing documentary evidence).

In 2011 a council purportedly claimed that the Information Commissioner’s Office (ICO) had backed its stance of asking an FOI requester to prove his identity. Upon receiving a request from a Buck U. Fogal, for expenditure over £500 for the clearance of three streets, the council asked for two forms of identification.  In its response to the requestor, it seemed to be implying that the ICO had agreed with this approach. If this is true, it is not in accordance with the Act. Another council has it seems been implementing an equally dubious system of randomly seeking proof of identity .

FOI is applicant blind and so the identity of the requestor should not be an issue. There are 23 exemptions under Part 2 of the Act, which can be relied upon if there is a problem in disclosing the requested information. A public authority cannot and should not ask who is making the request. There are exceptions to this general rule of course. For example where the requestor is asking for personal data (section 40). Sometimes the use of a pseudonym together with other factors such as volume and frequency of requests many lead to a request being deemed to be vexatious under section 14 of the Act (see the Tribunal Decision in Duke v IC and University of Salford (EA/2011/0060 26th July 2011). But these are exceptions and not the rule.

My advice to public authorities is, if you get an FOI request giving a name which you believe is fictitious then treat it is a valid request and focus on whether a Part 2 exemption from disclosure applies.

So back to the question posed at the start of this article; can Spiderman make a Freedom of Information request?

The answer is no… but just tell him to the look on the Web! (boom boom!).

Ibrahim Hasan will be latest FOI developments and cases in his FOI Update workshop in Birmingham on 13th March. For those wanting an international recognized qualification in FOI, the ISEB Certificate in Freedom of Information  starts in Birmingham on 26th March

%d bloggers like this: