FOIA 2000 Vs. GDPR | An Analysis
Together with the General Data Protection Regulation 2018 and the Freedom of Information Act 2000, people have the right to view or access confidence bearing information. These regulations illustrate the necessity for proper management of data throughout various organizations and enable the disclosure of information within the constitutional time limit.
Failure to comply with the regulations provided by these Acts could lead to negative press, prosecution, and/or a severe penalty.
General Data Protection Regulation (GDPR)
The GDPR places legal liability on institutions that keep your private data to guarantee that:
- it is processed legally and equitably;
- it is obtained for specific, overt and lawful reasons;
- it is precise and updated;
- it is secured from unsanctioned retrieval or unintended loss.
The GDPR enables suspects and their legal representation, doctors, relatives of patients, or employees to see personal information kept by the particular institutions about them. This encompasses all forms of documents. Whether in hard copy or digital, preserved on networks or databases, x-rays, photos, hospital cards, and mails. Requests by staff may include access to data about employees or information on their discipline.
The time frame for responding to a records request is one month (30 days)
The Freedom of Information Act 2000
The Freedom of Information Act seeks to improve public sector transparency and accountability, which involves institutions of government, boards, clinics, teachers, and law enforcement. The Act accords the citizens an opportunity to access reliable information held by an institution that could potentially offer a better sense of how it conducts its duties, the decision-making procedures, and how public funds are used.
The Environmental Information Regulations, in conjunction with the Freedom of Information Act, empowers the public with the ability to ask for information regarding the environment held by any organization.
Examples of requests organizations received on freedom of information include:
- Access to information on claims for expenses;
- Contract forms and charges;
- Amount and justification for discontinuing activities;
- Access to data on conformance with the European Working Time Regulations;
- How cooperative an organization is concerning Freedom of Information demands?
Just like GDPR, requests in compliance with the freedom of Information also do have a contractual time frame. Once the application is received by the institution involved, the clock starts, and they have 20 business days to avail the data. It is imperative that once a request is obtained, it is forwarded immediately to the Freedom of Information department.
Differences between FOIA and GDPR
FOIA encompasses information stored by public institutions and not demands for private information on the individual making the request. FOIA is restricted to enabling access to information in the public domain.
The legislation under GDPR safeguards private information. This offers everyone the constitutional right to access data collected on them (through a Subject Access Request) and, in certain situations, to deter other individuals from seeing, using, or storing your personal information.
To ensure that your data is secure, FOIA does not allow the public to retrieve information that is exempted from access by GDPR.
When you request for personal data on a different person, the demand will be addressed under the FOIA rules, but the GDPR guidelines will be used to establish whether the data can be disclosed.
If releasing the information would violate the terms of the GDPR, then the request is denied.
How GDPR affects FOIA
The General Data Protection Regulation (GDPR) can impact the Freedom of Information Act 2000 (FOIA). Section 40, which ties FOIA with the Data Protection Act of 1998(‘ DPA’) — the legislation that the GDPR would substitute, has the most significant influence on FOIA. There is also a collateral impact: under GDPR, organizations like public institutions are required to register their adherence, this implies that there will be no room whatsoever for public institutions to hide since they are obligated to be open to the people.
Taking a closer look at section 40 of the FOIA, there are two reasons for the exceptions on personal data:
- When a person submits an FOI application for his or her personal information, this should thus be considered as a Subject Access Request as covered by DPA (section 40(1) FOIA);
- Adhering to the FOIA query would disclose private information belonging to third parties and disclosure of such information would be contrary to the core values of the DPA (section 40(2) FOIA) — thus needing analysis as to whether abuse of personal data would occur upon disclosure.
GDPR does not have any effect on the first form of FOI filing, although government authorities are required to become acquainted with and refer to the current GDPR rules concerning Subject Access Requests. On the other hand, the introduction of GDPR has increased uncertainty in terms of handling the second type of FOI request — in which different individuals’ data are concerned.
How GDPR promotes accountability and documentation and its impact
GDPR focuses more heavily on transparency and accountability than its predecessor, the Data Protection Act (DPA). This is essential in itself for government bodies to pay close attention to, since it lies within the scope of their duties to be open and accountable to the public. The fundamental goal of FOIA is to permit any individual citizens to obtain access to any recorded data kept by a public body. Unless an exception arises, any record held by a public body may be released within FOIA: these include all records retained by an agency concerning its compliance with data protection. If the person requesting for data asks for information regarding the data security methods of a public organization, it may be difficult to answer such FOIA requests if the disclosure of these records would reveal non-compliance to GDPR, or worse, it suggests that no enforcement steps for data protection have been taken, especially when there are no records to disclose. There won’t be any concealment. The GDPR enforcement measures by public agencies are as strong as in the public sphere, which will result in more significant criticism and also potentially a negative impact on reputation if compliance attempts are in any way inadequate.
One instance of the updated stipulations for transparency is in Article 30 of the GDPR, which demands that institutions must keep records of processing operations. Each organization is expected to record the following data clearly:
- Identity and contact details of the controller (individual in charge of record-keeping and processing), representative of the controller, and the officer in charge of data protection;
- Summary of the reasons for the collection of private information;
- Classification of types of data subjects and groups of personal data;
- Groups of users to whom the personal information will be released, including third-party recipients or international agencies;
- The time limits proposed for the deletion of the various data categories;
- A summary of an organization’s technological and internal privacy measures put in place to secure private data. It is available to data requesters to obtain a copy of such a document. Public authorities are expected to publish the requested information unless a great reason not to disclose such data exists.
It’s not only a necessity to keep a log of the information processing activity, but it is also vital that the specifics of the processing are appropriately documented and that they comply with data protection regulations. For instance, in the recorded documentation, the explanation of reasons for collecting personal data has to be written down in the privacy statement of the public body. If not, the public authority could be justly blamed for failing to be forthright and open about how they handle personal data.
Additionally, public institutions are obligated to record any infringements of personal data (Article 33(5) GDPR), which covers all the details regarding the breach of data, its consequences, and any corrective actions undertaken. This report becomes’ registered information’ for public bodies and, therefore, can be disclosed under the FOIA. If the record shows repeated violations, exposing a recorded list of data breaches may contribute to broader exposure of data protection deficiencies.
In conclusion, since the implementation of GDPR in May 2018, it appears that public agencies have experienced specific preliminary difficulties with respect to the enforcement of the exemption under section 40(2) when the requested data includes personal information belonging to a third party. The foundation of ‘legitimate interests’ that public authorities used to depend on to excuse the release of personal information is no longer relevant. Consequently, it has proven difficult for public authorities to disclose personal data through FOIA. Accordingly, the release of private information via FOIA has posed a problem for public bodies.
Moreover, bearing in mind the primary goal behind FOIA — increasing public bodies’ transparency, rendering their operational procedures and decision-making processes transparent to the general populace — there is no way for public organizations to hide any half-hearted attempts to comply with GDPR. This transparency now also applies to compliance with GDPR, which expressly mandates that certain documents be in order and to be classified as ‘recorded information.’ There is currently no excuse for complying with data protection for public organizations subject to FOIA.