Wednesday, May 16, 2007

Just how public should public information be?

There is a conflict between requirements that some personal information should be made public (such as the contents of electoral registers) and the data protection principle that the disclosure of personal information should be minimised. This conflict becomes acute when public files which were previously hard to access are put online. Is there a qualitative difference between personal information available on paper in a local authority office and that same information coming up as the result of a Google search? Does technology disrupt the balance between the competing interests of publicity and privacy?

This issue was dealt with in the Data Protection Commissioner's 2006 Annual Report
Local Authority: Minutes of council meetings
I received a complaint from a member of the public concerning the publication on a local authority's website of the minutes of the Council's monthly meeting. The complainant informed me that his name and address had appeared in the minutes of the meeting in the context of the sale of lands and properties under the Affordable Housing and Shared Housing Schemes. He expressed concern at the publication of his personal data in this way on a local authority website as well as the ensuing exposure of his personal data on search engines.

My Office contacted the local authority on this matter. We pointed to the important principle outlined in the Annual Report in 2003 that, even where there is legislation providing that information must be made available to the public, this may not always mean that it is appropriate to place such information on a website. On foot of my Office's intervention, the local authority took swift remedial action. It removed the document containing the personal data and edited it in such a way that all names and addresses included on it in respect of the Affordable Housing and Shared Housing Schemes were removed. The local authority also contacted one particular search engine that the complainant was concerned about and sought the deletion of the record from its cache. Finally, the Authority undertook to ensure that the website version of its minutes would, in future, be edited to prevent the disclosure of personal data.
This appears to be a sensible compromise in the individual case, but it leaves several issues open for the future. Strictly speaking, the Data Protection Acts have no application in this situation. (Section 1(4)(b) provides that "This Act does not apply to ... personal data consisting of information that the person keeping the data is required by law to make available to the public".) Consequently one might ask - if legislation requires that certain information be made public, is it appropriate that it should only be made public in a way which is particularly difficult to access? Will this create an unfair disparity in access? More sophisticated searchers will still be able to find the information they seek in person, while the general public who don't know of the availability of this information may be cut off. Should the law recognise different degrees of "publicity" in public information? Is there a parallel with developments in the European Court of Human Rights, where in cases such as Peck the Court is increasingly looking at the extent of the disclosure of personal information to see whether there has been an Article 8 violation?

For an interesting take on these issues in a US context, see Givens, Public Records on the Internet: The Privacy Dilemma.

1 comment:

  1. I think it was injudicious of the councillors to mention the guy in the first place. They should have made the relevant official aware of the official through another channel.

    This is good democratic practice, rather than just a data protection issue. Parliaments and public forums are a good place for discussing general principles and issues; they are really not good places to discuss individual circumstances.

    ReplyDelete