Hosted by Dr Henry Pearce, Senior Lecturer in Law
The Freedom of Information Act 2000 (FOIA) gives individuals the right to request and receive access to information held by public authorities. Under the FOIA, a public authority releasing requested information has no post-release obligations to monitor any subsequent uses of that information nor are any specific obligations imposed on the recipient of the information. The FOIA's release model can thus be described as "release and forget".
In most circumstances, personal data (i.e. any information relating to an identifiable individual) are exempt from freedom of information requests. Under EU and UK data protection law, data that have been anonymised by way of so-called "anonymisation techniques", so that they can no longer be used to identify an individual, are not "personal", and thus are not exempt from disclosure under the FOIA. Operating under this premise, public authorities routinely disclose nominally anonymised data to the public.
However, recent developments in the field of anonymisation have demonstrated that perfect (i.e. infallible, irreversible) anonymisation is mathematically impossible. Nominally anonymised data can often be de-anonymised and made "personal" once more. The appropriateness of public authorities releasing such data on a "release and forget" basis is therefore very dubious, as doing so may lead to significant privacy and data protection harms for affected individuals.
In this webinar, Dr Henry Pearce will consider these issues and discuss whether public authority data disclosure practices should be fundamentally rethought.