Rethinking the “release and forget” Ethos of the Freedom of Information Act 2000: Why Developments in the Field of Anonymisaton Necessitate the Development of a New Approach to Disclosing Data
The Freedom of Information Act 2000 (FOIA) gives individuals the right to request and receive access to information held by public authorities. Under the FOIA, a public authority releasing requested information has no post-release obligations to monitor any subsequent uses of that information, nor are any specific obligations imposed on the recipient of the information. It is made clear in the FOIA, however, that in most circumstances any information that constitutes personal data (i.e. any information relating to an identified or identifiable living individual) will be exempt from freedom of information requests.
In the last few years the interplay between freedom of information requests and data protection law has been considered by UK courts in several interesting cases. By and large, these cases have focused on issues relatng to the anonymisaton of personal data. Under UK and EU data protecton legislation data that have been anonymised so that they can no longer be used to identify an individual are considered anonymous, and thus not personal data. As anonymous data are not personal data they are not exempt from freedom of information requests made under the FOIA. Operating under this premise, UK courts have begun to order public authorities to release datasets containing anonymised personal data to individuals who have requested access.
As the FOIA imposes no post-release obligations on the releaser or recipient of requested informaton it can be said to endorse a “release and forget” approach to disclosing data. In the context of datasets containing anonymised personal data, however, this approach is problematic. Recent work undertaken in the feld of anonymisation has revealed that total and infallible anonymisaton of personal data is not possible. Instead, it has been convincingly demonstrated that anonymisation is highly context-dependant, and that the success of attempts to anonymise data will be contingent on a range of factors such as the environment into which the data are to be released, how that environment might change over time, the identity and range of the recipients of the data, and the future purposes to which those data will be turned. As a result, the “release and forget” approach upon which the FOIA appears to be premised is not fit for purpose.
The function of this article is twofold. First, it argues that the approach to anonymisation and personal data taken by the FOIA is detached from contemporary authoritative understandings of these concepts and should be rethought. Second, having outlined the limitations of the current approach, the article proposes a new model for disclosing data under the FOIA based on notons of privacy and data protection by design.