Rethinking the “release and forget” Ethos of the Freedom of Information Act 2000: Why Developments in the Field of Anonymisaton Necessitate the Development of a New Approach to Disclosing Data
The Freedom of Information Act 2000 (FOIA) gives individuals the right to request and receive access to information held by public authorities. Under the FOIA, a public authority releasing requested information has no post-release obligations to monitor any subsequent uses of that information, nor are any specific obligations imposed on the recipient of the information. It is made clear in the FOIA, however, that in most circumstances any information that constitutes personal data (i.e. any information relating to an identified or identifiable living individual) will be exempt from freedom of information requests.
In the last few years the interplay between freedom of information requests and data protection law has been considered by UK courts in several interesting cases. By and large, these cases have focused on issues relatng to the anonymisaton of personal data. Under UK and EU data protecton legislation data that have been anonymised so that they can no longer be used to identify an individual are considered anonymous, and thus not personal data. As anonymous data are not personal data they are not exempt from freedom of information requests made under the FOIA. Operating under this premise, UK courts have begun to order public authorities to release datasets containing anonymised personal data to individuals who have requested access.
As the FOIA imposes no post-release obligations on the releaser or recipient of requested informaton it can be said to endorse a “release and forget” approach to disclosing data. In the context of datasets containing anonymised personal data, however, this approach is problematic. Recent work undertaken in the feld of anonymisation has revealed that total and infallible anonymisaton of personal data is not possible. Instead, it has been convincingly demonstrated that anonymisation is highly context-dependant, and that the success of attempts to anonymise data will be contingent on a range of factors such as the environment into which the data are to be released, how that environment might change over time, the identity and range of the recipients of the data, and the future purposes to which those data will be turned. As a result, the “release and forget” approach upon which the FOIA appears to be premised is not fit for purpose.
The function of this article is twofold. First, it argues that the approach to anonymisation and personal data taken by the FOIA is detached from contemporary authoritative understandings of these concepts and should be rethought. Second, having outlined the limitations of the current approach, the article proposes a new model for disclosing data under the FOIA based on notons of privacy and data protection by design.
EJLT is an open access journal, aiming to disseminate academic work and perspectives as widely as possible to the benefit of the author and the author’s readers. It is the assumption of the EJLT that authors who publish in the journal wish their work to be available as freely and as widely as possible through the open access publishing channel.
Authors who publish with EJLT will retain copyright and moral rights in the underlying work but will grant all users the rights to copy, store and print for non-commercial use copies of their work. Commercial mirroring may also be carried out with the consent of the journal. The work must remain as published – without redaction or editing – and must clearly state the identity of the author and the originating EJLT url of the article. Any commercial use of the author’s work - apart from mirroring - requires the permission of the author and any aspects of the article which are the property of EJLT (e.g. typographical format) requires permission from EJLT.
Authors can sometimes become no longer contactable (through, for example, death or retirement). If this occurs, any rights in the work will pass to the European Journal of Law and Technology which will continue to make the work available in as wide a manner as possible to achieve the aims of open access and ensuring that an author's work continues to be available. An author - or their estate - can recover these rights from EJLT by providing contact information.
The European Journal of Law and Technology holds rights in format, publication and dissemination.
EJLT, as a non-commercial organisation - which receives donations to allow it to continue publishing – must retain information on reader access to journal articles. This means that we will not give permission to mirror the journal unless we can be provided with full details as to reader access to each and every journal article. We prefer and encourage deep linking rather than mirroring. Encouragement is thus given for all users – commercial and non-commercial – to provide indexes and links to articles in the EJLT where the index or link points to the location of the article on the EJLT server, rather than to stored copies on other servers.
Please contact the European Journal of Law and Technology if you are in any doubt as to what this statement of use covers.