Skip to main navigationSkip to main content
The University of Southampton
Interdisciplinary Centre for Law, Internet and Culture (iCLIC)

Henry Pearce and Prof. Sophie Stalla-Bourdillon’s new article accepted for publication in the European Journal of Law and Technology

Published: 13 February 2019

Henry Pearce and Prof. Sophie Stalla-Bourdillon’s new article entitled “Rethinking the “release and forget” ethos of the Freedom of Information Act 2000: why developments in the field of anonymisation necessitate the development of a new approach to disclosing data” has been accepted for publication in the European Journal of Law and Technology in 2019.

The Freedom of Information Act 2000 (FOIA) gives individuals the right to request and receive access to information held by public authorities. Under the FOIA, a public authority releasing requested information has no post-release obligations to monitor any subsequent uses of that information, nor are any specific obligations imposed on the recipient of the information. It is made clear in the FOIA, however, that in most circumstances any information that constitutes personal data (i.e. any information relating to an identified or identifiable living individual) will be exempt from freedom of information requests.

In the last few years the interplay between freedom of information requests and data protection law has been considered by UK courts in several interesting cases. By and large, these cases have focused on issues relating to the anonymisation of personal data. Under UK and EU data protection legislation data that have been anonymised so that they can no longer be used to identify an individual are considered anonymous, and thus not personal data. As anonymous data are not personal data they are not exempt from freedom of information requests made under the FOIA. Operating under this premise, UK courts have begun to order public authorities to release datasets containing anonymised personal data to individuals who have requested access.

As the FOIA imposes no post-release obligations on the releaser or recipient of requested information it can be said to endorse a “release and forget” approach to disclosing data. In the context of datasets containing anonymised personal data, however, this approach is problematic. Recent work undertaken in the field of anonymisation has revealed that total and infallible anonymisation of personal data is not possible. Instead, it has been convincingly demonstrated that anonymisation is highly context-dependant, and that the success of attempts to anonymise data will be contingent on a range of factors such as the environment into which the data are to be released, how that environment might change over time, the identity and range of the recipients of the data, and the future purposes to which those data will be turned. As a result, the “release and forget” approach upon which the FOIA appears to be premised is not fit for purpose.

The function of this article is twofold. First, it argues that the approach to anonymisation and personal data taken by the FOIA is detached from contemporary authoritative understandings of these concepts and should be rethought. Second, having outlined the limitations of the current approach, the article proposes a new model for disclosing data under the FOIA based on notions of privacy and data protection by design.

 

Privacy Settings