The House of Lords has recently ruled on the balance to be struck between freedom of information and the protection of personal data. Emma Di Giacomo explains.

In Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, a freedom of information request was made to the Scottish Common Services Agency for details of the incidents of childhood leukaemia in the Dumfries and Galloway area during the period 1990-2003.

The agency refused to release this information on the basis that there was a significant risk of identification of the people concerned due to the low number of such incidents and the small geographical area involved.

The agency relied on the exemption under section 38 of the Freedom of Information (Scotland) Act 2002 that exempts personal data from disclosure under the act. The exemption is reproduced in the Freedom of Information Act 2000 at section 40 and so the decision in this case, while not binding in England and Wales, will no doubt affect the interpretation of this particular exemption in the UK.

The decision was appealed to the Scottish Information Commissioner, who ordered the agency to disclose the information in an anonymised form. The agency did not believe the recommended method of anonymisation provided sufficient protection to the people concerned, and it appealed.

The decision

The law lords ruled that the definition of "personal data" under the Data Protection Act includes data from which a person can be identified, but that personal data does not include information that has been rendered fully anonymous. If the information cannot be rendered fully anonymous, they ruled that it is then necessary to consider whether its disclosure would breach any of the data protection principles. If not, the exemption under the Freedom of Information (Scotland) Act cannot be used and the information should be disclosed.

They held that it was reasonable to expect a public body to take the time to anonymise data, where possible, in order to comply with a freedom of information request.

Implications

The case demonstrates that a public authority is required to anonymise data, where possible, in order to comply with a freedom of information request, rather than simply relying on the "personal data" exemption.

The decision therefore recognises the right people have to the appropriate protection of their personal data, but indicates that the right of the public to access information under the act should also be respected by anonymising data where possible so as to be able to comply with a request.

The decision also sets out how public authorities should approach the issue of anonymisation: data should be anonymised in such a way as to ensure that people cannot be identified from the information.

When responding to a request for information including personal data, consideration should be given to whether the personal data can be fully anonymised and, if so, whether the time required to do this would exceed the appropriate limit under the act. If it would exceed this limit, then the request can be refused. If not, the information should be disclosed in its fully anonymised form.

Organisations should also consider whether disclosure would breach any of the data protection principles, specifically the principles of fair and lawful processing. If so, or if the information cannot be rendered fully anonymous, the request can be refused under the personal data exemption.