The Right to Information and Privacy: Balancing Rights and

Access to InformationProgram The Right to Information

and Privacy: Balancing Rights and Managing Conflicts

David Banisar

Canadian InternationalDevelopment Agency

Agence canadiennedeveloppment internationalThe World Bank

World Bank Institute

GOVERNANCE WORKING PAPER SERIES

Pub

lic D

iscl

osur

e A

utho

rized

Pub

lic D

iscl

osur

e A

utho

rized

Pub

lic D

iscl

osur

e A

utho

rized

Pub

lic D

iscl

osur

e A

utho

rized

WB111640

Typewritten Text

WB111640

Typewritten Text

80740

WORKING PAPER

The Right to Informationand Privacy: BalancingRights and ManagingConflicts

David Banisar*

* David Banisar is senior legal counsel for Article 19, the Global Campaign for Free Expression, in London, UK. He isalso a nonresident fellow at the Center for Internet and Society at Stanford Law School, Stanford, CA. Previously, hewas the director of the Freedom of Information Project of Privacy International in London; a research fellow at theKennedy School of Government at Harvard University, Cambridge, MA; and a cofounder and policy director of theElectronic Privacy Information Center in Washington, DC. He has served as an adviser and consultant to numerous or-ganizations, including the Council of Europe, the Organisation for Economic Co-operation and Development, and theUnited Nations Development Programme.

© 2011 The International Bank for Reconstruction and Development / The World Bank1818 H Street NWWashington DC 20433Telephone: 202-473-1000Internet: www.worldbank.orgE-mail: [email protected]

All rights reserved

The findings, interpretations, and conclusions expressed in this volume do not necessarily re-flect the views of the Canadian International Development Agency (CIDA), the governmentof Canada, executive directors of the World Bank, or the governments those directors repre-sent. The World Bank does not guarantee the accuracy of the data included in this work.

This report has been commissioned by the Access to Information (ATI) Program at the WorldBank Institute (WBI) and supported financially by the CIDA-WBI Governance Program.

The WBI Access to Information Program seeks to connect key ATI stakeholders tojointly identify, prioritize, and implement actions for effective ATI adoption and implemen-tation. The program aims to improve in-country capacity for the formulation, implementa-tion, use, and enforcement of ATI legislation through regional knowledge exchange and net-working, and by fostering the capacity of multistakeholder coalitions to undertake effectiveATI reforms.

iii

Contents

Acknowledgments.......................................................................................v

Acronyms and Abbreviations......................................................................vii

Executive Summary ....................................................................................1

1. Introduction ..........................................................................................3

2. Rights Defined.......................................................................................5

2.1 The Right to Information...................................................................................5

2.2 The Right to Privacy ..........................................................................................6

3. Complements and Conflicts in RTI and Privacy Laws ...............................9

3.1 Complementary Roles of RTI and Privacy .........................................................9

3.2 Conflicts between RTI and Privacy Interests .....................................................12

3.3 Balancing the Rights of Access and Privacy .......................................................16

4. Legislation ...........................................................................................17

4.1 Model 1—A Single RTI and Privacy Law .........................................................17

4.2 Model 2—Separate RTI and Privacy Laws: Managing Conflicts.........................18

5. Oversight.............................................................................................23

5.1 Two Bodies—Separate RTI and Privacy Commissions.......................................23

5.2 One Body—A Single RTI and Privacy Commission .........................................24

6. Case Studies.........................................................................................27

6.1 Ireland...............................................................................................................27

6.2 Mexico .............................................................................................................28

6.3 Slovenia.............................................................................................................29

6.4 United Kingdom...............................................................................................30

7. Conclusion ..........................................................................................33

Endnotes ..................................................................................................35

References ................................................................................................39

Boxes

3.1 Using Publicly Available Personal Information to Fight Fraud............................14

4.1 Elements to Determine Fairness ........................................................................20

Figure

3.1 Complement and Conflict of Privacy and the Right to Information....................9

Contentsiv

I would like to thank Heather Brooke, BojanBugaric, Elizabeth Dolan, Maurice Frankel,Juan Pablo Guerrero Amparán, KatherineGunderson, Gus Hosein, Jose Luis Marzal,Natasa Pirc Musar, Maeve McDonagh, LinaOrnelas Nuñez, Graham Smith, and NigelWaters for providing information and advice;

and peer reviewers Alvaro Herrero, MariaMarván Laborde, and Andrea Ruiz for theircomments. I would also like to thank mycolleagues at Article 19; and the World BankInstitute’s Marcos Mendiburu, AranzazuGuillan-Montero, and Luis Esquivel for theirassistance.

v

Acknowledgments

vii

Acronymsand Abbreviations

ACHPR African Commission on Human and People’s Rights

ACLU American Civil Liberties Union

APEC Asia-Pacific Economic Cooperation

ATIP access to information and privacy

CCPR United Nations Covenant on Civil and Political Rights

CSA Canadian Standards Association International

DCMS Department for Culture, Media, and Sport

DPA Data Protection Act

EC European Commission

ECHR European Convention for the Protection of Human Rights and Fundamental Freedoms

ECOWAS Economic Community of West African States

EFF Electronic Frontier Foundation

EHRR European Human Rights Report

EO European Ombudsman

EPIC Electronic Privacy Information Center

ETS European Treaty Series

EU European Union

EUECJ Court of Justice for the European Communities

EWHC High Court of England and Wales

FOI freedom of information

FOIA Freedom of Information Act

IACHR Inter-American Commission on Human Rights

ICO Information Commissioner’s Office

IFAI Instituto Federal de Acceso a la Información y Protección de Datos

MP member of parliament

NJSBA New Jersey State Bar Association

NZLC New Zealand Law Commission

OAS Organization of American States

ODNI Office of the Director of National Intelligence

OECD Organisation for Economic Co-operation and Development

OSCE Organization for Security and Co-operation in Europe

PI Privacy International

RCMP Royal Canadian Mounted Police

RTI right to information

UDHR Universal Declaration of Human Rights

UKHL United Kingdom House of Lords

UN United Nations

UNHRC United Nations Human Rights Council

USC United States Code

USDA United States Department of Agriculture

Acronyms and Abbreviationsviii

The right to privacy and the right to infor-mation are both essential human rights in themodern information society. For the mostpart, these two rights complement each oth-er in holding governments accountable toindividuals. But there is a potential conflictbetween these rights when there is a demandfor access to personal information held by

government bodies. Where the two rightsoverlap, states need to develop mechanismsfor identifying core issues to limit conflictsand for balancing the rights. This paper ex-amines legislative and structural means tobetter define and balance the rights to priva-cy and information.

Executive Summary

1

Introduction

1

3

In the words of Michel Gentot (n.d.) duringhis term as president of the French NationalData Processing and Liberties Commission,freedom of information and data protectionare “two forms of protection against theLeviathan state that have the aim of restoringthe balance between the citizen and the state”(p. 1).

On first inspection, it would appear thatthe right of access to information and theright to protection of personal privacy are ir-reconcilable.1 Right to information (RTI)laws provide a fundamental right for any per-son to access information held by govern-ment bodies. At the same time, right to pri-vacy laws grant individuals a fundamentalright to control the collection of, access to,and use of personal information about themthat is held by governments and private bod-ies. However, the reality is more complex.Privacy and RTI are often described as “twosides of the same coin”—mainly acting ascomplementary rights that promote individ-uals’ rights to protect themselves and to pro-mote government accountability.

The relationship between privacy andRTI laws is currently the subject of consid-erable debate around the globe as countriesare increasingly adopting these types of leg-

islation.To date, more than 50 countries haveadopted both laws.

Privacy is increasingly being challengedby new technologies and practices. The tech-nologies facilitate the growing collection andsharing of personal information. Sensitivepersonal data (including biometrics andDNA makeup) are now collected and usedroutinely. Public records are being disclosedover the Internet. In response to this set ofcircumstances, more than 60 countries haveadopted comprehensive laws that give indi-viduals some control over the collection anduse of these data by public and private bod-ies. Several major international conventionshave long been in place in Europe, and newones are emerging in Africa and Asia.

At the same time, the public’s right to in-formation is becoming widely accepted. RTIlaws are now common around the world,with legislation adopted in almost 90 coun-tries. Access to information is being facilitatedthrough new information and communica-tions technologies, and Web sites containingsearchable government records are becomingeven more widely available. Internationalbodies are developing conventions, and rele-vant decisions are being issued by interna-tional courts.

4 The Right to Information and Privacy: Balancing Rights and Managing Conflicts

Availability, legislation, and judicial deci-sions have led to many debates about rulesgoverning access to personal informationthat is held by public bodies. As equal humanrights, neither privacy nor access takes prece-dence over the other. Thus it is necessary toconsider how to adopt and implement thetwo rights and the laws that govern them ina manner that respects both rights. There isno easy way to do this, and both rights must

be considered in a manner that is equal andbalanced.

This paper will examine the two rightsand the conflicts that arise, and will describeinstitutional models to ensure the exercise ofboth rights. It will present short case studiesfrom four countries (Ireland, Mexico, Slove-nia, and the United Kingdom) that haveadopted different models for addressing theconflicts, describing how those models work.

5

2

Rights Defined

2.1 The Right toInformation

The right of access to information held bygovernment bodies (RTI) provides that indi-viduals have a basic human right to demandinformation held by government bodies. Itderives from the right of freedom of expres-sion to “seek and receive information,”2 andis recognized worldwide as a human right.3

Under this right, any person may make a re-quest to a public body; the body is legally re-quired to respond and provide the informa-tion, unless there is a legally compellingreason to refuse the request.

The RTI is “a requisite for the very exer-cise of democracy” (OAS 2003).4 Democra-cy is based on the consent of the citizens, andthat consent turns on the government in-forming citizens about its activities and rec-ognizing their right to participate. The col-lection of information by governments isdone on behalf of its citizens, and the publicis only truly able to participate in the demo-cratic process when it has information aboutthe activities and policies of the government.5

The RTI is also an important tool forcountering abuses, mismanagement, and cor-ruption and for enforcing essential economicand social rights. Civic activists in Rajasthan,

India, have used it to ensure that the poor getthe food they are entitled to receive fromcorrupt food distributors (Calland and Tilley2002), and an angry mother in Thailand usedit in her efforts to learn why her daughterwas not allowed into a top-quality school(Coronel 2001). It also is commonly used byenvironment-focused nongovernmental or-ganizations to reveal pollution dangers incommunities.

The right is typically recognized at thenational level through constitutional provi-sions and national laws. Some of this legisla-tion has existed for more than 200 years. Sec-tion 6 of the Swedish Freedom of the PressAct (adopted in 1766) set the principle thatgovernment records were open to the publicby default and granted citizens the right todemand documents from government bod-ies. The 1789 French Declaration of theRights of Man called for information aboutthe budget to be made freely available: “Allthe citizens have a right to decide, either per-sonally or by their representatives, as to thenecessity of the public contribution; to grantthis freely; to know to what uses it is put.”Most nations have adopted laws in the past20 years.

Today, nearly 90 countries around theworld have adopted a national law or regula-tion that sets out specific rights and duties for


facilitating access to information (see Banisar[2006]).6 The following elements are typical-ly found in national RTI laws:

• A right of an individual, organization, orlegal entity to demand information frompublic bodies, without having to show alegal interest in that information.

• A duty of the relevant body to respondand provide the information. This includesmechanisms for handling requests andtime limits for responding to requests.

• Exemptions to allow the withholding ofcertain categories of information. Theseexemptions include the protection of na-tional security and international relations,personal privacy, commercial confiden-tiality, law enforcement and public order,information received in confidence, andinternal discussions. Exemptions typicallyrequire that some harm to the interestmust be shown before the material can bewithheld.

• Internal appeals mechanisms for request -ors to challenge the withholding of infor-mation.

• Mechanisms for external review of thewithholding of information.This includessetting up an external body or referringcases to an existing ombudsman or to thecourt system.

• Requirement for government bodies toaffirmatively publish some types of infor-mation about their structures, rules, andactivities.This is often done using infor-mation and communications technologies.

2.2 The Right to Privacy

Privacy is a broad concept relating to theprotection of individual autonomy and therelationship between an individual and soci-

ety (including governments, companies, andother individuals). Privacy is considered es-sential in protecting an individual’s ability todevelop ideas and personal relationships. Al-though it is often summarized as “the rightto be left alone,” it encompasses a wide rangeof rights—including protection from intru-sions into family and home life, control ofsexual and reproductive rights, and commu-nications secrecy.7 It is commonly recog-nized as a core right that underpins humandignity and such other values as freedom ofassociation and freedom of speech.8

The definitions of privacy and what is sen-sitive personal information vary among coun-tries and individuals on the basis of past expe-riences and cultural understandings. Somecultures focus on community rights over in-dividual rights; others, such as countries inEurope, are sensitive to privacy rights becauseof abuses going back to World War II. In mat-ters relating to modern information and com-munications technologies, there is more agree-ment about the importance of privacy and thecontrol of information (this will be covered inmore detail later in this report).9

The legal right to privacy is recognized innearly every national constitution and in mostinternational human rights treaties, includingthe Universal Declaration of Human Rights,10

the International Covenant on Civil and Po-litical Rights,11 the European Convention onHuman Rights,12 the American Declarationof the Rights and Duties of Man,13 and theAmerican Convention on Human Rights.14

International bodies, including the EuropeanCourt of Human Rights and the United Na-tions (UN) Human Rights Committee, alsohave ruled on the right to privacy.15

In the information age, the right to priva-cy has evolved to address issues relating tothe collection, use, and dissemination of per-sonal data in information systems. New tech-

Rights Defined 7

nologies have driven the collection of per-sonal information by governments and pri-vate bodies into databases of unprecedentedbreadth and depth. Governments and privateorganizations that collect information relatedto government services and obligations (in-cluding tax, medical, employment, criminal,and citizenship records) and identificationtechnologies (including identity card sys-tems, fingerprints, and DNA mapping) havequickly evolved and expanded. New com-munications technologies create and collectsubstantial records about individuals in theprocess of providing communications. Serv-ices run by governments and private opera-tors collect information about individuals,including emails, records of persons commu-nicated with, lists of Web sites visited, andmobile locations. And, of course, peopleshare information through social networkingsites. All of these have led to concerns aboutabuses, including misuse of information forunlawful purposes and identity theft.

Since the 1960s, principles governing thecollection and handling of this information(known as “fair information practices”) havebeen developed and adopted by national gov -ernments and international bodies (OECD[1980]; also see U.S. Department of Health,Education and Welfare [1973]; and CSA[1996]). The principles generally are these:

• Collection limitation principle—Thereshould be limits to the collection of per-sonal data; and all such data should be ob-tained by lawful and fair means and, whereappropriate, with the knowledge or con-sent of the data subject.

• Data quality principle—Personal datashould be relevant to the purposes forwhich they are to be used; and, to the ex-tent necessary for those purposes, should beaccurate, complete, and kept up-to-date.

• Purpose specification principle—Thepurposes for which personal data are col-lected should be specified no later than atthe time of data collection; and the subse-quent use should be limited to fulfillingthose purposes, or fulfilling such otherpurposes as are compatible with the statedpurposes and specified on each occasionwhere a change of purpose occurs.

• Use limitation principle—Personal datashould not be disclosed, made available, orotherwise used for purposes other thanthose specified above, except under thefollowing conditions: with the consent ofthe data subject, or by the authority of law.

• Security safeguards principle—Rea -son able security safeguards should be usedto protect personal data against such risksas loss or unauthorized access, destruction,use, modification, or disclosure.

• Openness principle—There should bea general policy of openness about devel-opments, practices, and policies relating topersonal data. Means of establishing theexistence and nature of personal data andthe main purposes of their use should bereadily available, as should the identityand usual residence of the data controller.

• Individual participation principle—An individual should have the righta. to obtain from a data controller (or

otherwise) a confirmation that the datacontroller either does or does not havedata relating to the individual;

b. to obtain such data within a reason-able time° at a charge (if any) that is not ex-

cessive,° in a reasonable manner, and° in a form that is readily intelligible

to the receiving individual;c. to be given reasons if a request made

under subparagraphs (a) and (b) is de-

nied, and to be able to challenge suchdenial; and

d. to challenge relevant data and, if thechallenge is successful, have the data rec-tified, completed, amended, or erased.

• Accountability principle—A data con-troller should be accountable for comply-ing with measures that give effect to theprinciples stated above.

These principles have been incorporatedinto important international treaties on dataprotection by the Council of Europe (1981)and the European Union (EC 1995); theyhave also been adopted by the UN GeneralAssembly (1990) and the CommonwealthSecretariat (2002). Similar principles are un-der consideration by the Asia-Pacific Eco-nomic Cooperation (APEC) forum16 andthe Economic Community of West AfricanStates (ECOWAS 2008).17

Of those international instruments, theEuropean Union (EU) Data Protection Di-rective is now the most influential, havingbeen adopted by the 27 EU member-states(plus three European Economic Area coun-tries) and by numerous other countries inAfrica, Europe, and Latin America that tradewith the EU.The directive takes a broad ap-proach to personal information. Personal dataare defined as “any information relating to anidentified or identifiable natural person (‘datasubject’); an identifiable person is one whocan be identified, directly or indirectly, in par-ticular by reference to an identification num-ber or to one or more factors specific to hisphysical, physiological, mental, economic, cul-tural or social identity” (Directive 95/46/EC,

sec. 2[a]).18 Under a decision from the Euro-pean Court of Human Rights, these data in-clude information collected under public em -ployment.19

National constitutions also have beenevolving to specifically recognize the controlof personal data as a right. Many recent con-stitutions include specific rights to protectthe collection and use of personal data in in-formation systems.20 Many countries in LatinAmerica include a right of habeas data tocontrol and access personal data. The May2010 Constitution of Kenya states, “Everyperson has the right to privacy, which in-cludes the right not to have . . . informationrelating to their family or private affairs un-necessarily required or revealed” (sec. 31).

What is more directly related to the subjectof this report is the fact that the governmentsof more than 60 countries around the worldhave adopted comprehensive data protectionacts based on the fair information practices thatapply to personal data held by the public andprivate sectors (see EPIC/PI [2007]).21 Anum ber of other countries—including theUnited States,22 Georgia,23 and Thailand24—have adopted legislation that protects only per-sonal data held by government bodies. Malay -sia recently adopted a law that protects person-al data held by companies, but has not adoptedlegislation protecting personal informationheld by governments.25 In a significant numberof countries where no data protection law hasbeen adopted, there may be more general pro-visions in the criminal and civil codes that re-strict the use of personal information (seeEPIC/PI [2007]).

The Right to Information and Privacy: Balancing Rights and Managing Conflicts8

Right to information (RTI) and privacy lawscan both complement and conflict with eachother, depending on the situation. As figure3.1 shows, the two rights play different rolesin most cases, and only in a small number ofcases do they overlap and lead to potentialconflict.

3.1 ComplementaryRoles of RTI andPrivacy

RTI and privacy often play complementaryroles. Both are focused on ensuring the ac-countability of powerful institutions to indi-viduals in the information age.The Councilof Europe stated in a 1986 recommendationthat the roles are “not mutually distinct butform part of the overall information policyin society” (Council of Europe 1986). TheU.K. data protection registrar noted, “Dataprotection and freedom of information canbe seen as complementary rights, with thepotential to be mutually supportive in prac-tice.”26 László Majtényi (2002), the first par-liamentary commissioner for data protectionand freedom of information in Hungary, saysthat the common purpose of the two rightsis “to continue maintaining the non-trans-

parency of citizens in a world that has under-gone the information revolution while ren-dering transparent the state.”

In many countries, the two rights are in-tertwined constitutionally. Under the con-cept of habeas data—a constitutional rightthat permits individuals to demand access totheir own information and to control itsuse—countries in Latin America have adopt-ed both types of laws.27 Santiago Canton (thefirst Organization of American States specialrapporteur for freedom of expression and theexecutive secretary of the Inter-AmericanCommission on Human Rights) said, “Theaction of habeas data, or the right to obtainpersonal information contained in public orprivate databases, has been very important in

Figure 3.1: Complement and Conflict ofPrivacy and the Right to Information

Source: Author’s illustration.

Protecting personal data

Potentialconflict

Access togovernmentinformation

Complements andConflicts in RTI andPrivacy Laws

3

9


many countries in exacting accountabilityfor human rights abuses and helping coun-tries scarred by human rights abuses recon-cile and move forward, which can only beaccomplished by exposing the truth andpunishing the guilty.”28

In many cases, the two rights overlap in acomplementary manner. Both rights providean individual access to his or her own per-sonal information from government bodies,and privacy laws allow for access to personalinformation held by private entities. Theyalso mutually enhance each other: privacylaws are used to obtain policy information inthe absence of an RTI law, and RTI laws areused to enhance privacy by revealing abuses.

Obtaining Personal InformationHeld by Government Bodies

The most obvious commonality between thetwo types of laws is the right of individuals toobtain information about themselves that isheld by government bodies. This access is animportant safeguard to ensure that individualsare being treated fairly by government bodiesand that the information kept is accurate.

When a country has both laws, the gen-eral approach is to apply the data protectionact to individuals’ requests for personal infor-mation; requests for information that con-tains personal data about other parties arehandled under the right to information act.In some jurisdictions, such as Bulgaria andIreland, applications by people for their ownpersonal information can be made underboth acts.29 In these cases, it is possible thatslightly different outcomes may result be-cause of the differences in exemptions andoversight bodies. Often, data protection lawsgive greater rights for access to personal in-formation because there is a stronger right ofaccess. In Ireland, the official policy guidance

notes, “one’s own personal information willvery often be released under FOI [freedomof information], while under the Data Pro-tection Act there is a presumption in favourof access to one’s own personal data” (Gov-ernment of Ireland 2006). In cases wherethere is a request for information about theindividual and other persons, both acts willbe considered.

In some countries, the RTI act is the pri-mary legislation used by individuals to accesstheir own personal information held by gov-ernment departments. In Australia, all requestsunder the Privacy Act are filtered through theFreedom of Information Act (FOIA), result-ing in more than 80 percent of all FOIA re-quests being from people seeking their owninformation (Law Reform Commission 2010).In Ireland, where both laws allow for individ-uals’ access, even with the presumption above,the FOIA is still the act most people use: ap-proximately 70 percent of all requests aremade by individuals for their own informa-tion.30

In countries such as India and SouthAfrica, where there is no general privacy lawgiving individuals a right of access to theirown records, the RTI laws are the only meansto access personal records. In India, RTI lawsare regularly used by advocates for the poorto obtain records on distribution of food sub-sidies to show that individuals’ names havebeen forged and records have been falsified.31

Some RTI acts also provide for privacyprotections where there is no general privacylaw. In South Africa, section 88 of the Promo-tion of Access to Information Act providesthat, in the absence of other legislation (cur-rently under consideration), public and pri-vate bodies must make reasonable efforts toestablish internal measures to correct personalinformation held by the relevant bodies.32

Complements and Conflicts in RTI and Privacy Laws 11

Applying Privacy Laws to ObtainInformation from the Private Sector

Typically, RTI laws do not apply to the pri-vate sector, except where the body is con-ducting government functions (such as wherea contractor is operating a hospital). Only afew countries, including South Africa, haveadopted RTI laws that extend the right of ac-cess to nongovernment bodies for their non-government functions.33

Data protection laws provide an impor-tant complement to RTI provisions by ex-tending individuals’ right of access to privatebodies. As noted above, more than 60 coun-tries have adopted comprehensive data pro-tection laws that apply to private organiza-tions as well as to government bodies. Theselaws give individuals the right to obtain per-sonal information from private bodies. Theuse of the laws may reveal abuses by corpo-rations or other private organizations, such asmalfeasance by banks, information and com-munication technology companies, and pre-vious employers.34

Using Privacy Laws to Obtain Policy Information

In the absence of an RTI law, privacy anddata protection acts can be used to reveal im-portant policy information. As mentioned atthe beginning of this section, habeas data hasbeen used to demand accountability and in-formation. In a similar manner, Article 8 ofthe European Convention on Human Rightshas been used often to obtain personal infor-mation, and the article has granted the disclo-sure of nonpersonal information in some cas-es. In 1998, using Article 8 as a basis, theEuropean Court of Human Rights ruled thatin cases where a lack of information couldendanger their health, individuals may de-mand information from government bodies:

The Court reiterates that severe environ-mental pollution may affect individuals’well-being and prevent them from enjoyingtheir homes in such a way as to affect theirprivate and family life adversely. . . . In theinstant case the applicants waited, right upuntil the production of fertilisers ceased in1994, for essential information that wouldhave enabled them to assess the risks theyand their families might run if they contin-ued to live at Manfredonia, a town partic-ularly exposed to danger in the event of anaccident at the factory.35

Data protection laws can also be used toobtain government information that shedslight on policy. Prior to the United King-dom’s adoption of its FOIA, the Data Pro-tection Act was used by individuals to obtaininformation from government bodies (seeHencke [2001]; Hencke and Evans [2002,2003]; BBC News [2001]). Even followingthe implementation of the FOIA, reportershave used the Data Protection Act to discov-er that officials have been spying on theirphone records to discover their sources of in-formation (Daily Mail 2006).

Using RTI to Promote Privacy

In many countries, RTI laws are a primarytool used by privacy advocates to identifyabuses and to campaign effectively againstthem. In the United States, groups such as theAmerican Civil Liberties Union, the Electron-ic Privacy Information Center, and the Elec-tronic Frontier Foundation routinely use theU.S. FOIA and state laws to demand govern-ment records on new and existing governmentprograms (communications surveillance, bodyscanners, and spying on groups) and use therecords to campaign against those programsand proposals.36 In the United Kingdom, the


Taxpayers’ Alliance37 and Genewatch overseethe government, using the FOIA; and State-watch uses the European Union’s (EU) accessregulations to oversee the EU bodies.

3.2 Conflicts betweenRTI and PrivacyInterests

Inevitably, as figure 3.1 shows, there are over-laps in RTI and privacy interests that canlead to conflicts. Governments collect largeamounts of personal information, and some-times there is a demand to access that infor-mation for various reasons. The requestorsinclude journalists investigating stories, civilsociety groups fighting for accountability, in-dividuals demanding to know why a deci-sion was made in a certain way, companiesseeking information for marketing purposes,and historians and academics researching re-cent and not-so-recent events.

Every national RTI law has an exemptionfor personal privacy. As discussed in the fol-lowing section, these laws vary greatly. Asnoted earlier, many countries have adoptedseparate privacy and data protection laws thatmay interact with the RTI law in determin-ing the release of information.

Given the often complex relationship be-tween privacy and RTI laws, the conflict fre-quently arises from misunderstandings aboutwhat is intended to be protected. Officialsmust deal with numerous issues: Should offi-cials’ names and other details be consideredprivate? Is information in public registersavailable for any use? Are court and criminalrecords public? Clarity in law, policy, andpractice to limit these problems is essential.

These issues have taken on greater im-portance as information increasingly is beingdisclosed in database format and over Inter-

net sites. Questions about the relevance ofdata protection laws for the reuse of personalinformation (even if it is publicly available)are important. Under EU data protectionlaw, the mere public access to informationdoes not mean it can be used for any purpose(Working Party 1999).

In many countries, the privacy exemptionis one of the exemptions used most often. Inthe United States, the exemptions for personalprivacy (b6) and law enforcement rec ords con-cerning individuals (b7c) have consistentlybeen the two most-used exemptions. Thesedata include the names of recipients of homeloans, citizenship records, and criminal records.In Canada, the privacy exemption was used in31 percent of all denials—far more than thenext-most-used exemption (see U.S. Depart-ment of Justice [2010]; Government of Canada[2002]; and U.K. Ministry of Justice [2009]).

The following sections will review someof the common types of information that arerequested and the conflicts that arise.

Information about Public Officials

Many of the records held by public bodiescontain information that identifies officialswho were involved in the subject at somepoint. This includes the names of officialswho wrote memorandums, attended meet-ings, and approved decisions. Other recordscontain contact information, official expen-ditures, or e-mail and phone logs. It is usefulto categorize this information as relating totheir official capacities.

Government bodies also hold more di-rectly personal information about officials,including their biographical data, photo-graphs, salary records, employment records,home addresses, records of financial assets,and medical histories.

There is no global consensus about whichinformation is nonpersonal and which is per-


sonal. As discussed above, the right of privacyis complex and defined by each culture.Thereare some points that can be summarized:

• Official capacities—Overall, the ma-jority of countries take the position thatmost information relating to official ca-pacities is not considered personal infor-mation for the purposes of withholding.It may be considered personal because itrelates to a particular identifiable individ-ual, but generally is not related to his orher personal or family life and is less likelyto be sensitive. In most cases, documentscannot be withheld just because an offi-cial’s name is listed as the author or recip-ient of a document. In 2007, the Euro-pean Ombudsman found that it wasmal administration for the European Par-liament to refuse to disclose the expensesof members of parliament, including theirtravel and subsistence allowances (EO2007). The Irish and U.K. informationcommissions have also ordered the releaseof parliament members’ expense infor-mation, whereas all U.S. congressional ex-penditures are published biannually.

• Employment information—Althoughthere is variation across cases, informationmore closely related to an official’s per-formance in his or her job (including ex-act salary38 and details of employee per-formance reviews) is withheld in manyjurisdictions and is available in others.39

• Personal life—Information relating sole-ly to a public employee’s personal liferather than to his or her public actions isless likely to be released. Medical recordsof nonelected officials are generally con-sidered sensitive and are not released inany system.40 For officials, criminal recordsnot related to their positions are oftenwithheld (for example, see Scottish Infor-mation Commissioner [2009]). There is a

general recognition that personal infor-mation about senior officials should bemore available than that of junior officials.So although the salaries of junior officialsmay not be made available or only byscale rather than by exact numbers, thesalaries of more-senior officials may be af-firmatively published. Similarly, require-ments for asset disclosure forms are im-posed in more than 100 countries forsenior and elected officials, and some maybe publicly available.41 Biographical dataof decision makers and those who are be-ing considered for very-senior positionsare more commonly released than thosefor more-junior positions.

• Elected officials—There is also signifi-cant agreement that information aboutelected or high-rank public officials is lessrestricted, even when it relates to theirpersonal lives. In 2004, the EuropeanCourt of Human Rights said, “the publichas a right to be informed . . . that is, cer-tain circumstances can even extend to as-pects of the private life of public figures,particularly where politicians are con-cerned.”42 In Hungary, the ConstitutionalCourt ruled in 1994 that there are “nar-rower limits to the constitutional protec-tion of privacy for government officialsand politicians appearing in public [. . .than to that of] the ordinary citizen.”43 InIndia, the Supreme Court ruled that thecriminal records of persons running forparliament should be released.44 In somecases, the medical records of the highest-ranking officials (such as the president)may be publicly released.45

Information Held by Governmentsabout Private Individuals

Governments also hold a significant amountof information about private individuals. Thisis why data protection or privacy laws were

first conceived and continue to be adopted.The materials include great amounts of bu-reaucratic records with information that mostpeople consider sensitive—such as rec ords re-lating to citizen’s interactions with govern-ment bodies for taxation and to their healthcare. In the majority of jurisdictions, most ofthese records are considered private.46

Court Records

There is no consensus on access to courtrecords. In Europe, court records naming in-dividuals are considered very sensitive (seeLeith and McDonagh [2009]); in the UnitedStates, it has been a matter of long-standingprinciple that the information is public.47 InHungary, the data protection and freedom ofinformation commissioner negotiated anagree ment between the police and mediathat access would be provided to criminalcases, but only the individuals’ initials wouldbe used until charges were filed (Govern-ment of Hungary 1998b).

There has been increasing sensitivity overaccess in many countries as more records havebecome available via computer networks, andthere is greater concern about financial infor-mation being used for fraudulent purposes(see NJSBA [2002] and Cannon [2004]). Inresponse to these concerns, many courts nowredact certain types of information, such as fi-nancial data and identification numbers, priorto making material publicly available electron-ically (see Administrative Office of the U.S.Courts [2008]). In Europe, many countries re-quire that identities be removed from cases bebefore they are made public.

Social Program Records

There are also differences of opinion over therelease of information relating to social sup-port programs. In most developed countries,

there is sensitivity about individuals receivingsocial support, so personal information heldby government bodies is not generally madepublic.48

In some developing countries, however,many of these records are publicly releasedand play a crucial role in fighting corruption.In India, all people are guaranteed the rightto a certain annual minimum of food andemployment. A key element of ensuring thatthese guarantees are protected is making themuster rolls and other information publiclyavailable so that social audits may be accom-plished.49This information is increasingly be-ing made available on the Internet.50 InMex ico, registers of scholarship recipientsand other social beneficiaries are made avail-able online.51This information can be crucialfor identifying fraud in these programs. Box3.1 points out two examples of fraud discov-ered through a review of public information.

Public Registers

An increasing controversy relates to access toinformation in public registers, such as birth,

Box 3.1: Using Publicly AvailablePersonal Information to Fight Fraud

In India, a review of the data by a single in-dividual using information gathered underthe National Rural Employment GuaranteeScheme found that millions of rupees werebeing siphoned off because fake identitycards in the names of children and publicemployees were created and used. Previoussocial audits had not revealed the fraud.

In Mexico, an analysis of the agriculturalsubsidies register by the transparency advo-cacy group FUNDAR found that the familiesof the minister of agriculture and wanteddrug barons were receiving public money.



marriage, and death registers; electoral regis-ters; land records; lists of license holders; andother similar records. In many countries,there has been a long history of public accessto these records. However, concern over theiruse for commercial purposes, for stalking, andfor other reasons not related to their originalpurposes has grown as the registers have beendigitized and made available over the Internet(see NZLC [2008]). Countries vary widely intheir approaches to making public registersavailable and to permitting third parties toreuse the information for other reasons.52

Some countries’ laws limit disclosure ofinformation for certain reasons, such as com-mercial purposes. The New Zealand publicregister privacy principles state, “Personal in-formation obtained from a public registershall not be re-sorted, or combined withpersonal information obtained from any oth-er public register, for the purpose of makingavailable for valuable consideration personalinformation assembled in a form in whichthat personal information could not be ob-tained directly from the register.”53 In 1999,the U.S. Supreme Court upheld a law thatrestricted access to a computerized list of re-cently arrested individuals for use in com-mercial marketing.54 The U.K. governmentmakes available a limited version of the elec-toral roll (from which people may opt tohave their names removed) that can be usedfor commercial purposes, and it prohibits useof the full roll for such purposes.

Following a review of legislation relatedto public registers and public access, the NewZealand Law Commission recently recom-mended that any legislation that creates apublic register keep the following principlesin mind:

• free flow of information,• transparency,

• privacy interests (including the protectionof personal information),

• accountability for fair handling of person-al information, and

• public safety and security (NZLC 2008).

Professional Records

Government bodies also maintain records re-lating to people who have more of a businessrelationship with government, includingthose who donate money and meet with of-ficials in their capacity as employees of acompany or organization. In this regard, thereis an increasing demand that lobbyists be reg-istered and that such information be madepublic.55

In general, these individuals are consid-ered to have less of a private interest guaran-tee because the information is related to theirprofessional activities rather than to theirpersonal opinions or lives. U.K. and U.S. tri-bunals have found that in the absence ofcompelling reasons to the contrary, the iden-tities of corporate lobbyists should be re-vealed.56 However, the European Court ofJustice ruled recently that businesspeoplewho met with officials could have theirnames withheld.57

Public Subsidies for BusinessPurposes

Governments also often provide subsidies toindividuals as a business matter, in areas suchas agriculture. There has been considerabledebate over agricultural subsidies in Euro-pean countries in the past few years, with theresult that most of the information is nowpublicly available.58 There is a growing agree-ment that these records are not particularlysensitive because they relate to a business ac-tivity (although they may reveal the amountof income that a small farmer may receive ina single year). However, the European Court


of Justice recently ruled that information inthis area concerning individuals must be re-stricted.59

Misuse of the Privacy Exemption

Not all arguments for privacy made by offi-cials are legitimate. A conflict sometimes aris-es when government officials attempt toshield their decision making from scrutiny bymisrepresenting their demand for secrecy asa privacy interest. Documents and informa-tion are withheld, claiming privacy of offi-cials or of third parties. In Argentina, the gov-ernment claimed that information aboutofficial spending on advertising was personalinformation (see Knight Center [2010]).Former U.K. Cabinet Secretary Sir RichardWilson, the highest-ranking U.K. civil ser-vant, best articulated this belief, testifying, “Ibelieve that a certain amount of privacy is es-sential to good government.”60

The misuse of privacy exemptions oftenleads to needless conflict between the mediaand privacy campaigners as the media comesto believe that any privacy law is an attemptto hide government activities. As noted byAustralian freedom of information expertNigel Waters (2002), “There is a continuedproblem of privacy exemptions in FOI lawbeing misused and getting privacy a bad

name. This makes a major contribution tothe widespread jaundiced media view of pri-vacy law, even though it is not actually priva-cy law that is to blame.”

3.3 Balancing the Rightsof Access and Privacy

It should again be emphasized that the RTIand privacy are not always conflicting rights.They are both laws designed, in part, to ensurethe accountability of the state. The importantissue is how the legislation and the imple-menting and oversight bodies balance the tworights. As discussed above, both the RTI andprivacy are internationally recognized humanrights with long histories and important func-tions. Under human rights law, typically noright is accorded a greater weight than anoth-er.61The rights must be decided on a case-by-case basis with a view toward the relative im-portance of various interests.

* * *

The next chapter will discuss legislative andstructural means to minimize conflicts be-tween the two rights.

17

4

Legislation

In the past 10 years, there has been a markedconvergence of policy and legislation in bothright to information (RTI) and data protec-tion laws. Most data protection laws followthe structure of the Council of Europe Con-vention for the Protection of Individualswith Regard to Automatic Processing of Per-sonal Data and the European Union (EU)Data Protection Directive. There is more di-vergence around RTI laws, but they general-ly follow the principles set out in precedingchapters of this report. The convergence inboth areas results from the influence of inter-national treaties and agreements and the ef-forts of a more global civil society connectedthrough modern communication technolo-gy—a society that is constantly sharing ideasand good practices.

There has also been convergence in de-veloping policies on the relationship be-tween RTI and privacy laws and how best tomake them interact. Although no consensuson good practice has yet emerged, a numberof common areas are now clear. This chapterwill review the most common policy choicesmade by governments and highlight theirstrengths and weaknesses.

4.1 Model 1—A SingleRTI and Privacy Law

For those jurisdictions that have not adoptedeither law but plan to do so, one possibility isto adopt both laws in a single act. This allowsfor common definitions and internal consis-tency and for limiting conflict and establish-ing a balance from the start. Here are severalexamples:

• In Canada, Bill C-43, adopted in 1982,contained both the Access to InformationAct and the Privacy Act.The two sectionsthen became separate laws with separatecommissions to enforce them, but withcommon definitions and relationships.The Canadian Supreme Court has de-scribed the two laws as a “seamless codewith complementary provisions that canand should be interpreted harmonious-ly.”62 Many Canadian provincial laws alsoaddress both rights in a single law.

• In Hungary, the 1992 Act on the Protec-tion of Personal Data and Public Accessto Data of Public Interest is both a gener-


al RTI law and a data protection law thatprotects personal information held bypublic and private bodies.63 It created asingle oversight body with jurisdictionover both. The parliamentary commis-sioner for data protection and freedom ofinformation oversees them.

• In Mexico, the Federal Law on Trans-parency and Access to Public Informationlists both access to information and theprotection of privacy for records held byfederal government bodies as its primarygoals. It is overseen by the Federal Institutefor Access to Information (more com mon -ly known by its Spanish acronym IFAI).More recently, legislation to extend its re-mit to include personal data held by theprivate sector has been adopted.

• In Thailand, the Official Information Actboth gives citizens rights to access infor-mation held by government bodies andcontrols how government bodies may usepersonal data. Both are overseen by theOfficial Information Council. Legislationto protect records held by the private sec-tor is currently being debated.

There are some disadvantages to adoptinga single act to address both rights. For one,having both functions together may causelegislative confusion over the intent of thelaws and may lead to opposition by someparties who would otherwise support oneact or another. A more practical issue is thecomplexity of the legislation, which maylead to legislators being unwilling to reviewit because they lack the time.64 An act thatcovers both areas comprehensively will needto be as detailed as two single acts becausethere is little overlap in the two (except forthe definitions and the oversight body).

4.2 Model 2—SeparateRTI and Privacy Laws:Managing Conflicts

In many jurisdictions, either an RTI or a dataprotection law has been adopted and is inforce, or a decision has been made to intro-duce the laws as separate pieces of legislation.Therefore, the new law or laws must beadopted in a way that ensures the greatestharmony between the operations of the twolaws. If the goal of harmony is ignored at theoutset, the laws will conflict and further leg-islative efforts will be required later.

Here are some important considerationswhen adopting new legislation:

• Definition of personal information—Ideally, a common definition will be usedfor both acts. If not, then the definitionsfrom both laws will be considered eachtime that access to personal informationis sought.

• Primacy of legislation—Because bothaccess to information and privacy areequally fundamental rights, neither lawmay arbitrarily trump the other. How willthe legislation address this issue?

• Privacy exemption in RTI law—Allnational RTI laws provide for the with-holding of personal information. There iswide variance in the scope of these ex-emptions, ranging from a presumptionthat all information is private and shouldbe withheld to a presumption of open-ness with limited exceptions for sensitiveinformation.

• Subject access requests—As noted ear-lier in this report, some jurisdictions allowfor individuals to request their own per-

Legislation 19

sonal information under either act. A bet-ter choice would be to select one act thatgives greater access and to focus those re-quests through that law. In most Europeancountries, this is the Data Protection Act.

• Oversight and appeals—What type ofbody will rule on the balancing of therights? It should be a specialized body thatcan develop clear standards on the subject.

Personal Information Defined

Data protection laws typically take an expan-sive view of what is personal information.EU Directive 95/46/EC, section 2(a), definespersonal information broadly as any infor-mation that identifies an individual. Suchbreadth can lead to a conflict with the RTIbecause the core principle of data protectionis that information collected for one purposeshould not be used for other purposes with-out the consent of the individual—and thisis often viewed as covering everything thatmentions a person.

Countries have addressed this in differentways. The Canadian access to informationand privacy acts use a single definition in thePrivacy Act that sets out in detail the bound-aries of personal information and public in-formation. In contrast, the Irish Freedom ofInformation Act (FOIA) and the Data Pro-tection Act use different definitions, but re-quire that the FOIA definition be used whenconsidering the exemption.

Some countries define in more detail thetypes of information to be protected. Doingso enables the legislature to define some ofthe boundaries rather than leave them to theoversight bodies or courts to determine.

Many laws specifically exclude informa-tion relating to public functions from cover-age under the privacy exemption. As notedbefore, Canada’s Privacy Act includes de-tailed descriptions of both personal informa-

tion and what is excluded from the defini-tion in relation to public activities. In SouthAfrica, the Promotion of Access to Informa-tion Act65 requires that disclosure of informa-tion be declined if it “would involve the un-reasonable disclosure of personal informationabout a third party, including a deceased in-dividual.” However, the information can bedisclosed if it is about an individual who is orwas an official of a public entity and if it re-lates to the position or functions of the indi-vidual, including, but not limited to

• the fact that the individual is or was anofficial of that public body;

• the title, work address, work phone num-ber, and other similar particulars of theindividual;

• the classification, salary scale, or remuner-ation and responsibilities of the positionheld or services performed by the indi-vidual; and

• the name of the individual on a recordprepared by the individual in the courseof employment (section 34).

Curiously, a few laws passed more recent-ly—including the Indian Right to Informa-tion Act and the Indonesian Act on PublicInformation Disclosure66—do not providefor a definition of private information; theyrely instead on common language definitionsfor interpretation.

Fairness and Data Protection

In many countries, the privacy exemptionrequires that all personally identifiable infor-mation must be withheld. Frequently, theRTI law specifically defers to the law on dataprotection for the definition of personal in-formation to be protected and the rules gov-erning its release. This approach is found inmany European countries, including Croatia,


Kosovo, Romania, Slovakia, and the UnitedKingdom.

Under this approach, it is then necessaryto use the data protection law to determineif information can be released. An initial in-quiry will determine if consent has been ob-tained and can be used to justify the releaseof the information. A best practice is to in-form individuals at the time of collectionthat the information may be made publicunder RTI legislation.67 If consent from theperson is not forthcoming, the data protec-tion principles must be reviewed to deter-mine if release can be justified.

Among the pertinent principles, fairnessis the most important one to consider. Fair-ness typically depends on the circumstancesunder which the information was collectedand the expectation at that time that the in-formation would be used in certain ways. Ifthe processing (in this case, the public release)of the information can be found to be fair, itcan proceed and the information can be dis-closed. Box 4.1 sets out guidelines used bythe U.K. government to determine fairness.

Public Interest Test

Increasingly, many RTI laws provide for abalancing test to be used when determiningwhether personal information should be re-leased. Under this test, even if the informa-tion is determined to be personal and its re-lease would cause harm, it may be disclosedif it is found that the public interest in releaseis more important than the privacy interest.This allows for independent arbiters such ascommissions, courts, or ombudsmen to weighthe different values and determine, case bycase, when information should be released.This test is used to evaluate privacy interestsin a number of countries, including Ireland,New Zealand, Slovenia, and the UnitedStates.

In the United States, the primary privacyexemption protects “personnel and medicalfiles and similar files the disclosure of whichwould constitute a clearly unwarranted inva-sion of personal privacy.”68 The courts havefound that there is an implicit public interesttest “balancing the individual’s right to pri-vacy against the basic purpose of the FOIAto open up agency action to the light ofpublic scrutiny.”69

The Slovenian information commissionerhas identified some areas where public inter-est would be strong:

• where the disclosure will assist public un-derstanding of an issue of current nationaldebate,

Box 4.1: Elements to DetermineFairness

Source: U.K. Ministry of Justice 2008.

The U.K. Ministry of Justice recommendsthat the following factors be used in deter-mining if disclosure under the U.K. FOIAwould be considered fair:

• How the information was obtained.

• The data subject’s likely expectationsregarding the disclosure of the informa-tion. For example, would the party ex-pect that his or her information mightbe disclosed to others? Or had the per-son been led to believe that his or herinformation would be kept secret?

• The effect that disclosure would haveon the data subject. For example,would the disclosure cause unneces-sary or unjustified distress or damageto the data subject?

• Whether the party expressly refusedcon sent to disclosure of the information.

• The content of the information.

• The public interest in disclosure of theinformation.

Legislation 21

• where the issue has generated public orparliamentary debate,

• where proper debate cannot take placewithout wide availability of all relevantinformation,

• where an issue affects a wide range of in-dividuals or companies,

• where the issue affects public safety orpublic health,

• where the release of information wouldpromote accountability and transparencyin decision making, and

• where the issue concerns the making orspending of public money (Pirc Musar2006).

In a leading case in Ireland, the Irish in-formation commissioner set out public inter-est arguments to consider when balancingrequests for information:

• The public interest in the public havingaccess to information.

• The public interest in the accountabilityof elected representatives.

• The public interest in a free and informeddebate on the level of remuneration/ex-penses paid to elected representatives.

• The public interest in accountability foruse of public funds.

• The public interest in an individual’sright to privacy in respect of informationrelating to his/her financial affairs.

• The possibility of damage to the imageof Parliament as an institution in theevent of reduced public confidence in theintegrity of members of the Houses ofthe Oireachtas.

• The public interest in the entitlement ofmembers of the Houses of the Oireachtas(Irish national parliament) to discharge

their Constitutional responsibilities with-out being put in a position where theyare or may be subjected to unjust attackfor claiming financial entitlements whichare theirs as a matter of law and theamounts of which are not, in the normalcourse, relevant to the member’s perform-ance as a public representative.

• The possibility of prejudice to, or distortionof, the democratic process by equation, inthe eyes of members of the public, of thelevel of payment of expenses to memberswith individual performance of members,with possible adverse consequences for thecareers of individual members.

• The possibility that disclosure of recordswhich are, or may not be, comparable,and which are likely to be used for com-parison purposes, may mislead the publicand result in comment based on partiallyor wholly unreliable conclusions whichmay be damaging to the interests of in-dividual members.

• The possibility that such comparisons mayresult in certain members being forced torelease further personal information relat-ing to their financial affairs in order to dealwith inaccurate public speculation as totheir income and to repair perceived dam-age to their interests.70

Thus, it is clear from the different modelsdescribed above that both the RTI and thedata protection laws must clearly define howpersonal information is going to be consid-ered. Under the most effective legislation,this is set out lucidly and provides for specificboundaries on types of personal informationto be protected and a balancing test that ex-amines both harms and the public interest(Pirc Musar 2010).

23

5

Oversight

All national right to information (RTI) lawshave some form of external appeals mecha-nism. In approximately two thirds of coun-tries (roughly 60), an independent oversightbody such as a commission or ombudsmanhas been empowered to receive appeals andmake determinations or recommendationson the release of information.71These bodiescan play an important role in balancing pub-lic interest with the release of personal data.

A very strong trend exists for countries tocreate information commissioner offices thatcan decide appeals and provide oversight andguidance. There is a roughly even split in ju-risdictions that have created a commissionbetween those that have separate bodies tohandle the RTI and data protection andthose that have a single body to handle both.Each model has its pros and cons.

5.1 Two Bodies—Separate RTI andPrivacy Commissions

Many countries have created separate bodiesfor enforcing the RTI and the protection ofprivacy. The bodies may have a single func-tion or have other duties assigned to them.

A few countries have created an independ-ent RTI commission as a single-function body.These countries include Belgium, Canada,France, and Portugal. More commonly, an al-ready existing ombudsman’s office also en-forces the RTI law. This is the situation inNew Zealand, Peru, and the Scandinaviancountries. A few jurisdictions (such as Ireland)have adopted an RTI commission that alsoserves as the ombudsman, but with additionalpowers.

In nearly all countries, the data protectionor privacy commission is an independentbody. This is partly because of requirementsunder European Union law that data protec-tion commissions be independent.72

There are benefits to having two bodies.A separate commission for each of the tworights can create clear champions for suchrights, unencumbered by the need to balancepotentially competing interests. As stated byCanadian Information Commissioner JohnGrace:

The values of openness and privacy eachhas a clearly identifiable and unambiguousadvocate. While both commissioners are re-quired by law to reasonably balance accessrights and privacy rights, each has a clear


mandate to be a lightening [sic] rod for, andchampion of, one of the two values.73

This could be particularly important whenone is a new right that is not yet establishedin the public mind and the other has longbeen accepted and championed by a body.

A primary concern of having two bodiesis that there will be conflict between thetwo—and that could become messy, expen-sive, and embarrassing. In Canada, there havebeen public fights between the two commis-sions for both policy and political reasons(see Government of Canada [2001]).There isalso concern that public bodies and the pub-lic will receive conflicting advice from thetwo commissioners when they disagree. Asnoted by the Canadian Access to Informa-tion Review Task Force in 2002:

An institution is required to notify the Pri-vacy Commissioner before making such adisclosure, where this can reasonably bedone. A situation can arise where the Infor-mation Commissioner advises the institu-tion to disclose personal information in thepublic interest, but the Privacy Commis-sioner advises the institution to protect theinformation on the grounds that the publicinterest in the case does not clearly out-weigh the invasion of privacy that could re-sult from disclosure. This puts the institu-tion in the difficult position of havingcon flicting recommendations from the twoCommissioners (Government of Canada2002, p. 59).74

If there are two commissioners, there willneed to be a mechanism to resolve conflicts.Previously, the Slovenian system used an ad-ministrative dispute institute. The Slovenianinformation commissioner found that thesystem was inefficient:

Two bodies which operate in an area soclosely interlinked would inevitably comeinto conflicting situations [with] the insti-tute of an administrative dispute as a toolfor settling such conflicts. Such a manner ofsettling mutual conflicts though, would, dueto the long time periods of dispute resolu-tions, mean a lessened legal certainty (PircMusar 2006).

Finally, not related to the scope of this re-port but quite relevant to many countries,there is an economic concern relating to thecost of two commissions. It may be difficultto justify two commissions in small jurisdic-tions when economic situations are difficultor as governments are cutting back to createa new body.

When there are two agencies, there shouldbe formal agreements to cooperate to mini-mize conflicts. In New Zealand, the privacycommissioner and the ombudsman have a for-mal consultation process that requires the om-budsman to consider the views of the privacycommissioner before determining whether torelease personal information (Slane 2002). InIreland, the Data Protection Act requires thetwo bodies to cooperate.

5.2 One Body—A SingleRTI and PrivacyCommission

Countries increasingly have been creatingsingle commissions to handle both access toinformation and privacy protection. Coun-tries and jurisdictions that have adopted thismodel include Estonia, Hungary, Malta, Mex-ico, Serbia, Thailand, and the United King-dom at the national level; and many Canadi-an provinces, German länder, Mexican states,and Swiss cantons at the subnational level.

Oversight 25

In most cases, an existing commission isgiven additional authority with the adoptionof new legislation. In the United Kingdom,the Data Protection Commission evolvedinto the Information Commission. A similarprocess also occurred in Germany, Malta, andSwitzerland. In Slovenia, the two bodies weremerged into a single new commission headedby the previous information commissioner.

The most significant benefit of having asingle body is the shared expertise and re-duction of conflict. As noted earlier, there isa strong interrelation between the two rights.Although they have some areas of conflict,there also are strong areas of commonality.

Having a single body can reduce the pos-sibility of institutional conflict. In practice,many requests for information under RTIlegislation will relate to personal informa-tion; having this dual expertise will allow forbetter balancing. Elizabeth France (1999), theU.K. data protection registrar, commentedduring the legislative process in June 1999:

The possibility of institutional conflictwhich would exist were there to be separateCommissioners for freedom of informationand data protection matters is avoided.Working within one institution should al-low more focused and effective considerationthan working across institutional bound-aries. Any tension will be contained withinthe institution. Making the actual decisionabout where the balance should lie betweendata protection and freedom of informationin a particular case will not be less difficultbecause there is one commissioner. However,with experience and understanding of bothissues in-house, the decision process itselfshould be eased.

It is also easier for the public to have asingle point of contact with public bodies to

better exercise their rights. The Sloveniancommissioner has found that having one en-tity resulted in greater awareness of bothrights:

The merged body also insures for its greatervisibility as well as unification of the entirelegal practice of the field. It will also increasethe awareness of all other government bod-ies while carrying out the stated legislativeprovisions to the benefit of all applicants(Pirc Musar 2006).

The creation of a single body with bothpowers also reduces the likelihood that pub-lic bodies can misuse data protection, know-ing that their decisions are subject to reviewby an oversight body that is an expert inboth areas of legislation. As László Majtényi,the first Hungarian information commis-sioner, stated in his first report, “[i]t goeswithout saying that nobody can lawfully ob-struct the freedom of information and thepress in the name of data protection” (Gov-ernment of Hungary 1998a, p. 73).

There is also an important economic ar-gument to having only a single body. Noneof the administrative costs—such as humanresources, technical infrastructure, and ad-ministrative support—are duplicated. Whenthe Canadian information and privacy com-missioners, who shared common corporateservices, split apart in 2002, the costs for bothbodies increased by an estimated Can$1 mil-lion each.

The strongest drawback to adopting asingle-commission model is the danger thatone interest may be stronger or perceived asmore powerful and that the bodies do notequally protect or balance both interests(Tang 2002). Any conflicts are likely to bedecided internally rather than publicly, wherethey would receive a public viewing and de-


bate. The Canadian privacy commissionerworried that it would “diminish” or “dilute”the profile of privacy at a time when therewere profound privacy challenges.75

An imbalance could be especially prob-lematic where one law has a greater consti-tutional protection or has been in force for asignificantly longer period of time. In theUnited Kingdom, this concern led to thecreation of two distinctly separate workforcesfor the different rights inside the informationcommission (which had previously been en-forcing only data protection rights). Only af-ter five years are the two workforces beingmerged.

There is also a concern that a single bodymay not be provided with adequate resourcesto take on additional duties—duties that aresignificantly different in some ways. In Aus-tralia, the Tasmania ombudsman (who is alsothe information commissioner and the in-tegrity commissioner, and who holds severalother posts) recently expressed concern that

new functions added to his mandate have re-sulted in additional work without enough re-sources being provided (ABC News 2009).

There is no clear answer for every juris-diction on the issue of whether it is better tohave one commission or two. Countries maywish to create a new institution to ensurethat the profile of one of the rights is clearlypromoted and not diluted by other func-tions. In other cases, an existing body (suchas an ombudsman) may be appropriate. And,of course, economic or political concernsmay dictate one model over the other.

* * *

In the next chapter, both oversight modelswill appear in the case studies presentedthere—including one jurisdiction that hasswitched from one model to the other. Thediscussion will examine some of the benefitsand limitations of the different models.

27

6

Case Studies

6.1 IrelandIreland’s Data Protection Act was adopted in1988 and amended in 2005 to implementthe European Union (EU) data protectiondirective. The act created the Office of theData Protection Commission as an oversightand enforcement body. Ireland’s Freedom ofInformation Act (FOIA), adopted in 1997,created an Office of Information Commis-sion to enforce the act. The government ap-pointed the ombudsman to act jointly as theinformation commissioner.The second com-missioner was also jointly appointed as om-budsman. Under the Data Protection Act,“the Commissioner and the InformationCommissioner shall, in the performance oftheir functions, co-operate with and provideassistance to each other” (sec. 1[5][b]).

The definition of privacy in the two actsis not identical. Section 2 of the FOIA de-fines personal information as data about an“identifiable person” that is normally “knownonly to the individual or members of thefamily, or friends, of the individual,” or isconfidential. It provides 12 paragraphs of ex-amples of what is personal information, in-cluding “educational, medical, psychiatric orpsychological history,” financial affairs, reli-gion, and tax and identification numbers.

These definitions are followed by three para-graphs of information expressly excludedfrom the definition of personal information,including the activities of an officeholder ofa public body and those providing publicservices under contract, and opinions of theindividual regarding the public body (includ-ing its staff).

Separately, the Data Protection Act definespersonal information as “data relating to a liv-ing individual who is or can be identified ei-ther from the data or from the data in con-junction with other information that is in, oris likely to come into, the possession of the datacontroller” (sec. 1[1]). However, to ensure thatthere is no conflict between that act and theFOIA, section 1(5)(a) of the Data ProtectionAct provides a specific exemption for release ofpersonal information under the FOIA. This isconsidered by a leading commentator (Mc-Donagh 2006) to be a “trumping” of the pri-vacy right, but subject to constitutional protec-tions and international obligations.

Individuals may request personal informa-tion about themselves from government bod-ies under either the Data Protection Act orthe FOIA. Most requests to public bodies aremade under the latter, except requests to bod-ies that are not covered by the FOIA—such asthe Guardi (police) and the private sector.


Under section 28 of the FOIA, personalinformation must be withheld unless (1) it isabout the requestor, (2) the person givesconsent, (3) the information is of a class thatis publicly available or the person has beennotified that it is part of that type of class, or(3) its release is necessary to avoid a seriousand imminent danger to the life or health ofan individual (see Government of Ireland[2006]).

The exemption is subject to a public in-terest test that allows for the release of the in-formation if “the public interest that the re-quest should be granted outweighs thepub lic interest that the right to privacy of theindividual to whom the information relatesshould be upheld” or if it benefits the indi-vidual.The information commissioner ruledin 1999 that the expenses of members ofparliament (MPs) should be released as amatter of public interest. In that case, thecommissioner examined the questions aboutfinancial privacy and public spending:

As a general proposition I would accept that,when an individual discloses details of his/her financial affairs including details of fi-nancial transactions with third parties to apublic body, there is an understanding thatthe information is given in confidence. How-ever, does such an understanding normallyexist in relation to the payment of publicmoney to individuals, be they members ofthe Oireachtas [Parliament] or employees ofa public body? It is pertinent to recall at thispoint that the information at issue in thiscase concerns amounts paid to individuals todefray expenses incurred by them in dis-charging their functions as public representa-tives. The payments do not arise out of someprivate activities or private aspect of theirlives. On this point they can be distinguishedfrom, say, a payment made to a claimant un-

der the Social Welfare Acts, where there is anexpenditure of public money but the pay-ment derives from some private aspect of theclaimant’s life such as family circumstancesor inadequacy of means (Government of Ire-land 1999).

Since that time, the commissioner has ex-amined numerous other cases related to pri-vacy and access. The breakdown of cases in-dicates that this question is the one mostexamined by the office. Other informationthat has been ordered released under thepublic interest test includes payments of agri-cultural subsidies and the names of and pay-ments to experts, outside lawyers, and senioracademics.76 In a recent settled case, thecommissioner negotiated a settlement for therelease of detailed expenditure records indatabase form from the Department of Arts,Sport and Tourism to allow for easy compar-isons (Sheridan 2010). However, a complaintabout the decision has been filed with theData Protection Commission.77

6.2 Mexico

Mexico adopted the Federal Law on Trans-parency and Access to Public Information in2002.78 The law states that its objective is toboth promote transparency and protect per-sonal information held by public bodies. Itdoes not apply to personal data held by pri-vate bodies. In 2010, the Federal Law onProtection of Personal Data Held by Individ-uals was adopted.79The more recent law ap-plies to personal data held by private compa-nies and individuals. Personal information isdefined as “any information concerning anidentified or identifiable natural person.” Anew initiative is being considered by Con-gress to revise and extend the data protection

Case Studies 29

provisions of the right to information (RTI)law to improve the protection of informationheld by federal bodies.

As part of a federal system, each of the 32states has adopted its own access to informa-tion law, and many are considering data pro-tection laws. In the Federal District (MexicoCity), both RTI and data protection lawshave been adopted, and a single commissionhandles both issues.80

The 2002 RTI law created a Federal In-stitute for Access to Information (IFAI) tomonitor federal government bodies’ compli-ance with both access to information andprotection of personal data legislation. TheIFAI was changed into the Federal Institutefor Access to Public Information and DataProtection with the adoption of the 2010act, and will now have the authority to en-force the protection of personal informationheld by the private sector.

Personal information is defined in articleII(2) of the law as “[a]ll information con-cerning an individual, identified or identifi-able, including their ethnic or racial origin,or related to their physical, moral or emo-tional characteristics, their personal and fam-ily life, residence, telephone number, patri-mony, ideology, political opinions, religiousor philosophical beliefs or convictions, phys-ical or mental health, sexual preferences, orany other similar preferences that could havean impact on their intimacy.” Article 18 pro-tects personal data as confidential and thusexempt from release. Personal data related topublic spending or present in public reg-istries is not considered confidential.

According to chapter IV of the 2010 law,federal public bodies are required to provideindividuals access to their own informationand details on the procedures for correctingthat information to ensure that all handlingis “adequate, appropriate and moderated in

connection with the purposes for whichthey were obtained”; to ensure it is accurate,updated, and corrected it if it is incorrect;and to ensure that it is kept secure.

The IFAI rules on all appealed cases con-cerning access to government-held informa-tion. Many of these cases relate to the per-sonal information of third parties, bothofficials and members of the public; and theyhave required the IFAI to balance the tworights. In balancing these rights, the institutebalances public accountability against pro-tecting personal data (Irazábal and Núñez2009). In the cases, some of the factors haveincluded the public interest in knowingabout criminal prosecutions, the importanceof the public being aware of the elements ofa scientific investigation, and the value ofpublic accountability when public funds arespent. In cases where privacy has been up-held, the IFAI has analyzed whether the re-lease of information would give the publicinsight into the performance of the data sub-jects or their suitability for their jobs. Follow-ing such analysis, it decided that releasewould not provide such insight, and so de-nied release of the information. In a differentcase (one that sought the telephone numbersof wildlife units), another decision wasreached and the numbers were released. TheIFAI has also denied release of informationfrom the Mexican Population Register—even though the information was not con-sidered confidential—because it was availableelsewhere.

6.3 Slovenia

The Personal Data Protection Act was adopt-ed in 1999 and replaced in 2005 with a newact based on EU Directive 95/46/EC. Thelaw created an Inspectorate for Protection of


Personal Data within the Ministry of Justiceas its oversight and enforcement body. TheAccess to Public Information Act was adopt-ed in 2003. The law created a commissionerfor access to public information to enforce itsprovisions.

The two commissions were merged intoa single information commissioner by theInformation Commissioner Act in 2005.There were concerns that the inspectoratefor data protection was not as strong and in-dependent as required under EU rules. Priorto the merger of the offices, disputes werehandled through the initiation of an admin-istrative dispute; however, no cases were filed.Following the merger, the National Supervi-sor for Data Protection was established underthe authority of the information commis-sioner, and staff was substantially increased.

Slovenia’s Access to Information Act al-lows for the withholding of informationwhen “the disclosure . . . would constitute aninfringement of the protection of personaldata in accordance with the Act governingthe protection of personal data.” Personaldata are defined in the Data Protection Act as“any data relating to an individual, irrespec-tive of the form in which it is expressed.” Anindividual is defined as “an identified oridentifiable natural person to whom personaldata relates; an identifiable natural person isone who can be identified, directly or indi-rectly, in particular by reference to an identi-fication number or to one or more factorsspecific to his physical, physiological, mental,economic, cultural or social identity, wherethe method of identification does not incurlarge costs or disproportionate effort or re-quire a large amount of time.” However, thecommissioner has said that, based on a Con-stitutional Court ruling, a name is not suffi-cient to constitute personal data in the ab-sence of other identifying data.81

Under the Access to Information Act, ac-cess cannot be withheld if it is “related to theuse of public funds or information related tothe execution of public functions or employ-ment relationship of the civil servant.” It alsocontains a public interest test that providesthat “the access to the requested informationis sustained, if public interest for disclosureprevails over public interest or interest ofother persons not to disclose the requestedinformation.”

Under the decisions of the commissioner,the public interest in the release of informa-tion is the issue that has been examined nu-merous times.82 The commissioner has or-dered the release of information relating tothe misconduct of officials because it is in thepublic interest83 and the release of the nameof a job applicant who was already a publicservant,84 and has denied release of videosurveillance records from the state prosecu-tor’s office.85

6.4 United Kingdom

The United Kingdom first adopted the DataProtection Act in 1984, in response to theCouncil of Europe’s Convention for theProtection of Individuals with Regard toAutomatic Processing of Personal Data.86

The act created a data protection registrar toenforce it. In 1998, the act was replaced toimplement EU Data Protection Directive95/46/EC, which changed the data protec-tion registrar into the data protection com-mission and granted it stronger powers. In2000, the FOIA was adopted. The act trans-formed the data protection commission intothe information commission, with authorityto enforce both acts.

When the FOIA proposal was first con-sidered, the government position was that

Case Studies 31

there would be a separate information com-mission. In the end, the government revisedits position, stating,

Dual enforcement regimes raise serious co-ordination problems, are confusing to appli-cants, wasteful of resources and require com-plicated procedures to ensure that issues ofprivacy and access to information have bothbeen properly assessed in the many cases inwhich they overlap.This is why it has beendecided that for the UK FOI Act the roleof Information Commissioner should bemerged with that of Data Protection Com-missioner (U.K. Home Office 1999).

In addition, the Freedom of Information(Scotland) Act 2002 created a separate Scot-tish information commission that has au-thority only over access to information.TheScottish information commissioner considersthe U.K. data protection exemptions whendeciding on the release of information.87

The FOIA adopts the definition of per-sonal data found in the U.K. Data ProtectionAct: “data which relate to a living individualwho can be identified—(a) from those data,or (b) from those data and other informationwhich is in the possession of, or is likely tocome into the possession of, the data con-troller, and includes any expression of opinionabout the individual and any indication of theintentions of the data controller or any otherperson in respect of the individual.” Eightdata protection principles set the rules for theprocessing of personal information. They re-quire that the processing is fair and lawful,that the data are collected and used only forspecific and lawful purposes, that the data areadequate and relevant for the purpose forwhich they are collected, that they are accu-rate and up to date, that they are kept nolonger than necessary, that they are processed

in accordance with the rights of the individ-ual, that they are kept secure, and that they arenot transferred to third countries.

Under the FOIA, when an individual re-quests personal information about himself orherself, he or she is directed to the subjectaccess provisions of the Data Protection Act.Although this typically is a good solution,given the stronger requirements under EUlaw and the European Convention for theProtection of Human Rights and Funda-mental Freedoms on access to personalrecords, there is a substantial weakness in theUnited Kingdom. Under the U.K. Data Pro-tection Act, individuals who are denied ac-cess cannot appeal to the information com-missioner. Rather, they must apply in court.They have fewer rights to demand accessthan are available under the FOIA.

When it comes to accessing records thatcontain personal information about otherpeople, there is a complex relationship. Asimplified explanation is that requests for in-formation about third parties are generallyexempt if they violate the data protectionprinciples of the Data Protection Act. Underthe FOIA, there is an absolute exemption forpersonal information.Thus, any decisions onthe release of personal data must analyze theinformation using the data protection prin-ciples rather than the FOIA. However, this isnot to say that information containing per-sonal data is never released. The key issue iswhether the release of the information wouldbe unfair under the principles.This includesa consideration of how the information wascollected in the first place, the effect on theperson from whom the information was col-lected, whether consent to release the infor-mation was obtained, and the public interestin releasing the information.88

According to the U.K. Ministry of Justice(2010), the privacy exemption is the most


common one cited by public bodies. Manycases before the information commission, theinformation tribunal, and the courts have fo-cused on this subject; and they have requiredbalancing by those bodies. A significant caseoccurred in 2008, one related to MPs. Journal-ists had asked for detailed records of the ex-penditures of MPs—expenditures that notonly related to their official office and travelexpenses but also to subsidies they received forhousing. Following a protracted series of deci-sions by the information commissioner, infor-mation tribunal, High Court, and Court ofAppeals,89 much of the information was re-leased, based on its public interest. Some of this

information was withheld on privacy grounds,but later leaked. It revealed some corrupt andunethical practices by MPs. In another case in2008, the House of Lords ruled on the releaseof anonymous health statistics.90 Separately, theinformation tribunal has ruled several times re-cently91 on the identity of senior officials, es-tablishing that they do not have a reasonableexpectation of anonymity in any document(even sensitive ones); at the same time, juniorofficials may have this expectation, dependingon the public nature of their jobs and whenthey meet with lobbyists.The tribunal also or-dered the release of anonymous statistics onabortion.92

33

7

Conclusion

Access to information and protection of pri-vacy are both rights intended to help the in-dividual in making government accountable.Most of the time, the two rights complementeach other. However, there are conflicts—forexample, privacy laws often are improperlyinvoked by governments. And there are caseswhere the conflicts are legitimate.

There is no simple solution to balancingthe two rights, but most issues can be miti-gated through the enactment of clear defini-tions in legislation, guidelines, techniques,and oversight systems.

Of key importance is that governmentstake care when writing the laws to ensurethat the access to information and data pro-tection laws have compatible definitions ofpersonal information.They should adopt ap-propriate public interest tests that allow forcareful balancing of the two rights. Finally,they should create appropriate institutionalstructures that can balance these rights andensure that data protection and right to in-formation officials work together, even ifthey represent different bodies.

Endnotes

35

1 For the purposes of this working paper, the terms “rightto information laws,” “access to information laws,” and“freedom of information laws” refer to the same type oflaws that provide for a legal right of access to informationheld by public bodies. 2 See the Universal Declaration of Human Rights (UDHR),art. 19.3 For a detailed overview of international standards on RTI,see Mendel (2008) and Banisar (2006). 4 In 2006, the Inter-American Court of Human Rightsruled that “the State’s actions should be governed by theprinciples of disclosure and transparency in public adminis-tration that enable all persons subject to its jurisdiction toexercise the democratic control of those actions, and so thatthey can question, investigate and consider whether publicfunctions are being performed adequately. Access to State-held information of public interest can permit participationin public administration through the social control that canbe exercised through such access” (Marcel Claude Reyes etal. v. Chile, judgment of September 19, 2006).5 See, for example, ACHPR (2002); and the Joint Declara-tion of the UN Special Rapporteur on Freedom of Opin-ion and Expression, the OSCE Representative on Freedomof the Media, and the OAS Special Rapporteur on Freedomof Expression, November 26, 1999.6 A global map of countries with access to information leg-islation is available at http://www.privacyinternational.org/foi/foi-laws.jpg. 7Writing on December 17, 1992, in Niemietz v. Germany(16 EHRR 97), the European Court of Human Rightsnoted, “The Court does not consider it possible or neces-sary to attempt an exhaustive definition of the notion of‘private life.’” For a detailed overview of the different rights,see EPIC/PI (2007). 8 For example, see the following documents: UN HumanRights Committee (1988); UN Human Rights Council

(2009); and Bensaid v. United Kingdom 44599/98 [2001]ECHR 82.9 For example, see the November 3, 2009, Madrid PrivacyDeclaration: Global Privacy Standards for a Global World, athttp://thepublicvoice.org/madrid-declaration/.10 UDHR, art. 12.11 Ibid., art. 17.12 Ibid., art. 8.13 Ibid., art. 5, 9, and 10.14 Ibid., art. 11.15 For example, see Netherlands—CCPR/C/82/D/903/1999[2004] UNHRC 60 (November 15, 2004), http://www1.umn.edu/humanrts/undocs/html/903-1999.html.16 APEC Privacy Framework, 2005, http://www.apec.org/About-Us/About-APEC/Fact-Sheets/Collection/APEC-Privacy-Framework.aspx.17 Also see Organisation of Eastern Caribbean States (2004). 18 See also Article 29 Data Protection Working Party, Opin-ion 4/2007 on the concept of personal data, June 20, 2007,at http://www.gov.gg/ccm/cms-service/download/asset/?asset_id=12058063.19 Copland v. United Kingdom (App. No. 62617/00) 2007. 20 For example, see the constitutions of Albania (1998, sec.35). Cape Verde (1999, sec. 42), the Former Yugoslav Re-public of Macedonia (1992, sec.18), Mozambique (1990,sec. 71), and Thailand (2007, sec. 35). 21 For a map of data protection laws around the world, seehttp://www.privacyinternational.org/survey/dpmap.jpg.22 See the Privacy Act of 1974, 5 USC 552(a). There is alsoa patchwork of sectoral legislation applying to heath, finan-cial, and credit records; some telecommunications records;educational records; and other areas at both the national andstate levels. For a comprehensive overview, see Solove andSchwartz (2008).23 General Administrative Code, sec. 27.24 Official Information Act, B.E. 2540 (1997).


25 Malaysian Personal Data Protection Act, 2010.26 Freedom of Information: Consultation on Draft Legisla-tion Cm 4355, May 1999, Response of the Data ProtectionRegistrar.27 See Guadamuz (2001); and the Rule on the Writ ofHabeas Data, issued by the Philippines Supreme Court (A.M. No. 08-1-16-SC, January 22, 2008, http://www.lawphil.net/judjuris/juri2008/jan2008/am_08-1-16_sc_2008.html).28 Canton’s remarks of October 30, 2002, are available athttp://www.wpfc.org/index.php?q=node/221. 29 See Decision of the Supreme Administrative Court ofBulgaria No. 7146, July 30, 2004.An informative discussionof this decision can be found at http://www.aip-bg.org/library/dela/yonchev.htm.30 According to the Ninth FOI Report of the Irish Ministerof Finance, 67 percent of all requests in 2008, 72 percent in2007, and 70 percent in 2006 were for the applicants’ per-sonal information. 31 For example, see Times of India (2010). 32 The text of the act is available at http://www.sun.ac.za/university/Legal/dokumentasie/access%20to%20information.pdf.33 Only Antigua and Barbuda and South Africa have adopt-ed laws that apply to private bodies “in the protection ofany right.”34 See, for example, Sunday Times (2008). 35 Guerra and Others v. Italy, 116/1996/735/932, February19, 1998.36 See EPIC v. DHS (Suspension of Body Scanner Program),http://epic.org/privacy/body_scanners/epic_v_dhs_suspension_of_body.html; EFF (2010); and public FOIA docu-ments on spying in Washington, released by the AmericanCivil Liberties Union, http://www.aclu-wa.org/public-documents.37Taxpayers’ Alliance is available at http://www.taxpayersalliance.com/.38 For salary disclosure in the United States, see SunshineReview (2010). For salary disclosure in the United King-dom, see ICO (2009) and BBC News (2010).39 However, also see Chang v. Navy, Civil Action No. 00-0783 (D. D.C.).40 Under European law, medical records are considered themost sensitive records to be protected from release. For ex-ample, see Z v. Finland (1997) 25 EHRR 371, http://www.unhcr.org/refworld/publisher,ECHR,,FIN,3ae6b71d0,0.html.41 For examples, see Djankov et al. (2009); World Bank(2006); People’s Union for Civil Liberties (PUCL) v. Unionof. India (2003) 4 SCC 399; CPIO Supreme Court of Delhiv. Subhash Chandra Agarwal, Delhi High Court, W.P. (C)288/2009; Reid (2010); and CNN/IBN (2010). 42Von Hannover v. Germany (Application No. 59320/00),June 24, 2004.43 Decision 60/1994 (XII, 24) AB.

44 Union of India v. Association for Democratic Reforms(2002) 2 LRI 305. 45The European Court of Human Rights ruled in 2004 thatthere was a public interest in a doctor revealing informationthat French President François Mitterand was seriously illwhile in office and had hid that from the public. The courtruled that a temporary injunction was appropriate, but thata permanent one violated Article 10 of the European Con-vention on Human Rights (Éditions Plon v. France [Appli-cation No. 58148/00], May 18, 2004). A recent case fromIndia ruled that medical information could be released ifthere was a sufficient public interest: “personal informationincluding tax returns, medical records etc. cannot be dis-closed in view of Section 8(1)(j) of the Act. If, however, theapplicant can show sufficient public interest in disclosure,the bar (preventing disclosure) is lifted and after duly noti-fying the third party (i.e. the individual concerned with theinformation or whose records are sought) and after consid-ering his views, the authority can disclose it” (SecretaryGeneral, Supreme Court of India v. Subhash Chandra Agar-wal, High Court of Delhi, January 12, 2010).46 In some jurisdictions, tax records are publicly available.For example, see Tietosuojavaltuutettu v. Satakunnan Mark -kinapörssi Oy, Satamedia Oy (2008), EUECJ C-73/07, De-cember 16; and Government of India (2009). Also see Ban-galore Mirror (2010); Luna Pla and Ríos Granados (2010);and Law et al. News (2010). 47 Nixon v. Warner Communications, Inc., 435 U.S. 589(1978); Richmond Newspapers Inc. v. Virginia, 448 U.S. 555(1980). For a review of Australian law, see Australian LawReform Commission (2008).48 For example, the U.S. Court of Appeals for the District ofColumbia noted, “The [U.S. FOIA] exemption . . . is phrasedbroadly to protect individuals from a wide range of embarrass-ing disclosures. As the materials here contain information re-garding marital status, legitimacy of children, identity of fathersof children, medical condition, welfare payments, alcoholicconsumption, family fights, reputation, and so on” (RuralHousing Alliance v. USDA, 498 F.2d 73 [D.C. Cir. 1974]).49 See “Social Audits—Tracking Expenditures with Com-munities:The Mazdoor Kisan Shakti Sangathan (MKSS) inIndia,” available at http://unpan1.un.org/intradoc/groups/public/documents/un/unpan024549.pdf.50 For example, see the Web site for the Department of Ru-ral Development of India’s Ministry of Rural Development,http://www.nrega.nic.in/netnrega/home.aspx.51 For example, see Consejo Nacional de Ciencia y Tec-nología, Convocatorias becas en el país 2009, http://www.conacyt.gob.mx/Convocatorias/Paginas/Convocatoria_Becas_Pais2009.aspx. 52 In Mexico, information that is already in the public do-main is not considered confidential and cannot be withheldfrom request. In 2008, the European Court of Justice ruled

37Endnotes

that a news service using tax information from a public reg-ister was exempt from the EU Data Protection Directive.See Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy,Satamedia Oy (2008), EUECJ C-73/07, December 16. 53 The principles are available at http://legislation.knowledge-basket.co.nz/gpacts/reprint/text/2006/se/026se59.html.Also see Stewart (2002). 54 Los Angeles Police Department v. United ReportingPublishing Corp., 528 U.S. 32 (1999).55 See the European Transparency Initiative Web site, http://ec.europa.eu/transparency/index_en.htm. 56 “The few cases considering a private party attempting toinfluence government policy typically find in favor of disclo-sure, lacking countervailing concerns not present” (EFF v.ODNI, 09-17235, February 9, 2010). “Individuals are actingin a public or representative capacity, and would have an ex-pectation that their details might be released to third parties”(Creekside Forum v. Information Commissioner and De-partment for Culture, Media, and Sport [2009] UKIT EA-2008-0065 [May 28]). 57 Commission v. Bavarian Lager, Case C-28/08, June 29,2010.58 For example, see http://ec.europa.eu/agriculture/funding/index_en.htm and http://farmsubsidy.org/. 59 EUECJ cases C-92/09 and C-93/09, November 9, 2010.60Testimony of Sir Richard Wilson before the Select Com-mittee on Public Administration, U.K. House of Commons,July 11, 2002.61 See Volker und Markus Schecke (EUECJ C-92/09, No-vember 9, 2010, at 85): “No automatic priority can be con-ferred on the objective of transparency over the right toprotection of personal data . . . even if important economicinterests are at stake.”62 Canada (Information Commissioner) v. Canada (Com-missioner of RCMP), 2003 SCC 8, October 29, 2003.63 Act No. LXIII of 1992, available at http://abiweb.obh.hu/dpc/index.php?menu=gyoker/relevant/national/1992_LXIII. 64 In Tanzania, a draft bill introduced by the government in2006 to address access to information, privacy, and mediarights was more than 85 pages in length—a fact that led toits not being considered.65Text of the act is available at http://www.sun.ac.za/university/Legal/dokumentasie/access%20to%20information.pdf.66 Indonesian Act on Public Information Disclosure No. 14of 2008.67 For public officials, this would be a general notice settingout that information collected in the course of their officialactivities is not considered personal information that will bewithheld. For private individuals, this area is more complexbecause data protection rights—especially relating to sensi-tive personal information—cannot simply be waived inmany cases. 68 5 USC 552 (b)(6).

69 Department of Air Force v. Rose, 425 U.S. 352 (1976). 70 Case 99168—Mr. Richard Oakley, The Sunday Tribunenewspaper and the Office of the Houses of the Oireachtas,July 27, 1999, http://www.oic.gov.ie/ga/CinntianChoimisineara/CinntiibhfoirmFhada/Name,1629,ga.htm. 71 For more information on the roles and activities of over-sight and appeals bodies, see Neuman (2009). 72 Under Article 28(1) of European Union Directive 95/46/EC, data protection commissions “shall act with complete in -dependence in exercising the functions entrusted to them.”The European Court of Justice recently ruled, “[t]he guar-antee of the independence of national supervisory author-ities is intended to ensure the effectiveness and reliability ofthe supervision of compliance with the provisions on pro-tection of individuals with regard to the processing of per-sonal data and must be interpreted in the light of that aim.It was established not to grant a special status to those au-thorities themselves as well as their agents, but in order tostrengthen the protection of individuals and bodies affectedby their decisions. It follows that, when carrying out theirduties, the supervisory authorities must act objectively andimpartially. For that purpose, they must remain free from anyexternal influence, including the direct or indirect influenceof the State or the Länder, and not of the influence only ofthe supervised bodies” (Case C-518/07, OJ May 1, 2010).73 Access to Information Commissioner, Annual Report of1991–92, p. 16, http://www.oic-ci.gc.ca/eng/rp-pr-ar-ra-archive.aspx.74 However, the task force did state that the current situationwas acceptable and did not recommend a merger of the twobodies. 75 Remarks of the information commissioner of Canada to theCanadian Access and Privacy Association, October 28, 2003.76 Communication with Maeve McDonagh, April 2010.77 Communication with Elizabeth Dolan, Irish InformationCommission, October 2010.78 Diario Oficial de la Federación, June 11, 2002, http://www.ifai.org.mx/transparencia/LFTAIPG.pdf.79 Diario Oficial de la Federación, January 12, 2011, http://dof.gob.mx/nota_detalle_popup.php?codigo=5175251.80 For more information about the commission, visit http://www.infodf.org.mx/web/. 81 Decision No. 090-59/2009/, July 9, 2009. 82 See the list of pertinent cases at http://www.ip-rs.si/index.php?id=384.83 Decision No. 021-124/2008/12, December 19, 2008.84 Decision No. 021-80/2005/6, November 2, 2005.85 Decision No. 090-94/2009, October 7, 2009. Accordingto the ruling, records had “no direct connection with theperformance of the public function of the body.” 86 Treaty No. 108, 1981, http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm. 87 For example, see Scottish Information Commissioner(2010) concerning the decision that release of childhood


leukemia statistics for a local area would violate the dataprotection law.88 For a detailed analysis, see U.K. Ministry of Justice (2008). 89 Corporate Officer of the House of Commons v. Informa-tion Commissioner and others [2008] EWHC 1084 (Admin).90 Common Services Agency v. Scottish Information Com-missioner [2008] UKHL 47.91 Alasdair Roberts v. Information Commissioner and De-partment for Business, Innovation and Skills (EA/2009/

0035); Robin Makin v. Information Commissioner andMinistry of Justice (EA/2008/0048); Creekside Forum v.Information Commissioner and Department for Culture,Media, and Sport (EA/2008/0065). 92 Department of Health v. IC (Additional Party: the ProLife Alliance) (EA/2008/0074).

39

References

ABC News. 2009. “Ombudsman Calls forMore Resources.” November 2. http://www.abc.net.au/news/stories/2009/11/02/2730603.htm.

ACHPR (African Commission on Humanand Peoples’ Rights). 2002. “Declarationof Principles on Freedom of Expressionin Africa.” Banjul, The Gambia. http://www.achpr.org/english/declarations/declaration_freedom_exp_en.html.

Administrative Office of the U.S. Courts.2008. “Judicial Conference Policy onPrivacy and Public Access to ElectronicCase Files.” March. http://www.uscourts.gov/RulesAndPolicies/JudiciaryPrivacyPolicy/March2008RevisedPolicy.aspx.

Australian Law Reform Commission. 2008.For Your Information: Australian Privacy Lawand Practice. Report 108, 3 vols. Sydney,NSW. http://www.austlii.edu.au/au/other/alrc/publications/reports/108/.

Bangalore Mirror. 2010. “Taxmen Delugedwith “Ex” Files.” September 23.

Banisar, David. 2006. Freedom of InformationAround the World 2006: A Global Survey ofAccess to Government Information Laws. Lon-don, UK: Privacy International. http://www.privacyinternational.org/foi/foisurvey2006.pdf.

BBC News. 2001. “DTI Denies Smear Cam-paign Claims.” January 8. http://news.bb

c.co.uk/2/hi/uk_news/politics/1106142.stm.

———. 2010. “Thousands of Whitehall Sal -aries Published.” October 15. http://www.bbc.co.uk/news/uk-politics-11551683.

Calland, Richard, and Alison Tilley, eds. 2002.The Right to Know, the Right to Live: Accessto Information & Socio-economic Justice.CapeTown, South Africa: Open DemocracyAdvice Centre.

Cannon, Andrew. 2004. “Policies to ControlElectronic Access to Court Databases.”University of Technology, Sydney, Law Re-view 6: 37–46. http://www.austlii.edu.au/au/journals/UTSLRev/2004/3.html.

CNN/IBN. 2010. “PM to Disclose Assets ofCabinet Ministers.” November 14. http://ibnlive.in.com/news/pm-to-disclose-assets-of-cabinet-ministers/134964-37-64.html?from=tn.

Commonwealth Secretariat. 2002. “ModelData Protection Act.” London, UK. http://www.thecommonwealth.org/shared_asp_files/uploadedfiles/{82BDA409-2C88-4AB5-9E32-797FE623DFB8}_protection%20of%20privacy.pdf.

Coronel, Sheila, ed. 2001. The Right to Know:Access to Information in Southeast Asia.Que -zon City: Philippine Center for Inves-tigative Journalism.


Council of Europe. 1981. “Convention forthe Protection of Individuals with Re-gard to Automatic Processing of PersonalData.” European Treaty Series 108. Stras-bourg, France. http://conventions.coe.int/treaty/en/treaties/html/108.htm.

———. 1986. “Recommendation 1037: OnData Protection and Freedom of Infor-mation.” In Texts Adopted at the 2nd Partof the 38th Ordinary Session of the Parlia-mentary Assembly, September 1986. Stras-bourg, France.

CSA (Canadian Standards Association Inter-national). 1996. “Model Code for theProtection of Personal Information.”Toronto, Ontario.

Daily Mail. 2006. “Anger as Police ObtainJournalist’s Mobile Records to DiscoverSource.” December 1. http://www.dailymail.co.uk/news/article-419986/Anger-police-obtain-journalists-mobile-records-discover-source.html.

Djankov, Simeon, Rafael La Porta, FlorencioLopez-de-Silanes, and Andrei Shleifer.2009. “Disclosure by Politicians.” Work-ing Paper 2009-60. Tuck School of Busi-ness at Dartmouth, Hanover, NH. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1334126.

EC (European Commission). 1995. “Direc-tive 95/46/EC on the Protection of In-dividuals with Regard to the Processingof Personal Data and on the Free Move-ment of Such Data.” Official Journal of theEuropean Union L281: 31–50. http://ec.europa.eu/justice/policies/privacy/law/index_en.htm.

ECOWAS (Economic Community of WestAfrican States). 2008. “Telecommunica-tions Ministers Adopt Texts in CyberCrime, Personal Data Protection.” Pressrelease 100/2008.

EFF (Electronic Frontier Foundation), 2010.“EFF Posts Documents Detailing LawEn forcement Collection of Data fromSocial Media Sites.” Blog post, March 16.http://www.eff.org/deeplinks/2010/03/eff-posts-documents-detailing-law-enforcement.

EO (European Ombudsman). 2007. “DraftRecommendation to the European Par-liament in Complaint 3643/2005/(GK)WP.” September 24. Strasbourg, France.http://www.ombudsman.europa.eu/recommen/en/053643.htm.

EPIC/PI (Electronic Privacy InformationCenter/Privacy International). 2007. Pri-vacy and Human Rights 2006: An Interna-tional Survey of Privacy Laws and Develop-ments.Washington, DC. http://www.privacyinternational.org/survey/dpmap.jpg.

France, Elizabeth. 1999. Third Report of1998–99, Freedom of Information DraftBill, vol. II: HC 570-II of 1998–99,memorandum 2. London, UK.

Gentot, Michel. n.d. “Access for Informationand Protection of Personal Data.” Com-mission Nationale de l’Informatique etdes Libertés. http://www.pcpd.org.hk/english/infocentre/files/gentot-paper.doc.

Government of Canada. 2002. Access to Infor-mation: Making It Work for Canadians. Re-port of the Access to Information Review TaskForce.Ottawa, Ontario. http://www.atirtf-geai.gc.ca/accessReport-e.pdf.

———. 2009. “Info Source Bulletin Num-ber 32B; Statistical Reporting. StatisticalTables 2008–2009, Access to Informa-tion.” Ottawa, Ontario. http://www.infosource.gc.ca/bulletin/2009/b/bulletin32b/bulletin32b02-eng.asp#k.

Government of Canada, Office of the Priva-cy Commissioner. 2001. “Privacy Com-missioner George Radwanski Writes to

Information Commissioner John ReidRegarding Prime Minister’s AgendasCase.” News release, May 10. http://www.privcom.gc.ca/media/nr-c/02_05_b_010510_e.asp.

Government of Hungary, Parliamentary Com-missioner for Data Protection and Free-dom of Information. 1998a. “Annual Re-port 1998.” Budapest. http://abiweb.obh.hu/dpc/index.php?menu=reports/1998.

———. 1998b. “The First Three Years of theParliamentary Commissioner for DataProtection and Freedom of Informa-tion.” Annual reports 1991-96-97. Bu-dapest. http://abiweb.obh.hu/dpc/index.php?menu=reports/1995.

Government of India, Central InformationCommission. 2009. “Decision No. CIC/LS/A/2009/000647/SG/5887.” Decem -ber 14. http://rti.india.gov.in/cic_decisions/SG-14122009-32.pdf.

Government of Ireland, Department of Fi-nance. 2006. “Data Protection and Free-dom of Information in the Public Sec-tor.” Central Policy Unit, Notice No. 23.Dublin. http://www.dataprotection.ie/docs/%22Important_new_data_protection_guidance_for_all_public_/411.htm.

Government of Ireland, Information Commis-sioner. 1999. “Case 99168—Mr. RichardOakley, The Sunday Tribune newspaperand the Office of the Houses of the Oi -reachtas.” July 27. Dublin. http://www.oic.gov.ie/en/DecisionsoftheCommissioner/LongFormDecisions/Name,1629,en.htm.

Guadamuz, Andreas. 2001. “Habeas Data: AnUpdate on the Latin America Data Pro-tection Constitutional Right.” Paperprepared for the 16th British and IrishLaw, Education and Technology Associa-

tion Annual Conference, University ofEdinburgh, Scotland, April 9–16. http://www.bileta.ac.uk/Document%20Library/1/Habeas%20Data%20-%20An%20Update%20on%20the%20Latin%20America%20Data%20Protection%20Constitutional%20Right.pdf.

Hencke, David. 2001. “MP Challenges Se-crecy Culture.” The Guardian, June 27.http://www.guardian.co.uk/politics/2001/jun/27/freedomofinformation.uk.

Hencke, David, and Rob Evans. 2002.“Ashcroft Memos May Spur Data LawRepeal.” The Guardian, February 5. http://www.guardian.co.uk/politics/2002/feb/05/uk.freedomofinformation.

———. 2003. “Ashcroft Wins Apology overPolitical Vendetta.” The Guardian, June 6.http://www.guardian.co.uk/politics/2003/jun/06/uk.conservatives.

ICO (U.K. Information Commissioner’s Of-fice). 2009. “When Should Salaries BeDisclosed?” Version 1, February 23.http://www.ico.gov.uk/for_organisations/freedom_of_information/information_request/~/media/documents/library/Freedom_of_Information/Practical_application/SALARY_DISCLOSURE.ashx.

Irazábal, Alonso Lujambio, and Lina OrnelasNúñez. 2009. “Personal Data Protectionby the Government: The Action of theFederal Institute for Access to Public In-formation.” Mexico City, Mexico: Insti-tuto Federal de Acceso a la Información yProtección de Datos.

Knight Center for Journalism in the Ameri-cas. 2010. “How Much Does Argentina’sPresident Spend on Ads? An NGO Fightsto Find Out.” Journalism in the Americasnews blog, March 26. http://knightcenter.utexas.edu/archive/blog/?q=en/node/6772.

41References

Law et al. News. 2010. “Information on Re-ligion Cannot Be Obtained under RTI.”November 29. http://www.lawetalnews.com/NewsDetail.asp?newsid=2903.

Law Reform Commission, New South Wales.2010. “Access to Personal Information.”Report 126. Sydney, Australia. http://www.lawlink.nsw.gov.au/lawlink/lrc/ll_lrc.nsf/pages/LRC_r126toc.

Leith, Philip, and Maeve McDonagh. 2009.“New Technology and Researchers’ Ac-cess to Court and Tribunal Information:The Need for European Analysis” Script-ed 6 (1/April).

Luna Pla, Issa, and Gabriela Ríos Granados.2010. Transparencia, Acceso a la InformaciónTributaria y el Secreto Fiscal. Desafíos enMéxico. Mexico City: Universidad Na-cional Autónoma de México. http://www.bibliojuridica.org/libros/libro.htm?l=2861.

Majtényi , László. 2002. “Freedom of Infor-mation, The Hungarian Model.” http://www.lda.brandenburg.de/sixcms/media.php/2232/maitenyi.pdf.

McDonagh, Maeve. 2006. Freedom of Informa-tion Law in Ireland. 2nd ed. Dublin:Round Hall Sweet & Maxwell.

Mendel, Toby. 2008. Freedom of Information: AComparative Legal Survey. 2nd ed. Paris,France: United Nations Educational, Sci-entific, and Cultural Organization.

Neuman, Laura. 2009. “Enforcement Mod-els: Content and Context.” Access to In-formation Working Paper Series. Wash-ington, DC: World Bank. http://siteresources.worldbank.org/EXTGOVACC/Resources/LNEumanATI.pdf.

NJSBA (New Jersey State Bar Association).2002. “Privacy and Electronic Access toCourt Records in New Jersey.” Decem-ber 11. http://www.graysonbarber.com/

pdf/Public%20Access%20to%20Court%20Records%2012-11-02.pdf.

NZLC (New Zealand Law Commission).2008. Public Registers: Review of the Law ofPrivacy, Stage 2. Report 101, January.Wellington, New Zealand. http://www.lawcom.govt.nz/sites/default/files/publications/2008/02/Publication_129_391_Public_registers_web_72.pdf.

OAS (Organization of American States). 2003.“Access to Public Information: Strength-ening Democracy.” AG/RES. 1932 (XXX-III-O/03) June 10. Washington, DC.http://www.oas.org/juridico/english/ga03/agres_1932.htm.

OECD (Organisation for Economic Co-operation and Development). 1980.“OECD Guidelines on the Protection ofPrivacy and Transborder Flows of Per-sonal Data.” Paris, France. http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html.

Organization of Eastern Caribbean States.2004. “Privacy Bill.” Proposed draft. http://unpan1.un.org/intradoc/groups/public/documents/TASF/UNPAN024634.pdf.

Pirc Musar, Natasa. 2006. “New Principles ofthe Amended Act on Access to Public In -formation in Slovenia: Commissioner orOmbudsman.” Ljubljana, Slovenia. http://www.ip-rs.si/fileadmin/user_upload/Pdf/konference/Novosti_ZDIJZ_Manchester_ang.pdf.

———. 2010. “How to Strike the RightBalance between Freedom of Informa-tion and Personal Data Protection: Usinga Public Interest Test.” PhD diss., LeidenUniversity, The Netherlands.

Reid, Tyrone. 2010. “Crusade Against Secre-cy—Public Barred from Viewing Finan-cial Disclosures of Elected Officials.” Ja-


maica Gleaner. November 14. http://jamaica-gleaner.com/gleaner/20101114/lead/lead1.html.

Scottish Information Commissioner. 2009.“Decision Notice: Decision 115/2007,Mr. Joseph Millbank and Dundee CityCouncil.” St. Andrews. http://www.itspublicknowledge.info/UploadedFiles/Decision115-2007.pdf.

———. 2010. “Decision Notice: Decision21/2005, Mr. Michael Collie and theCommon Services Agency for the Scot-tish Health Service.” St. Andrews. http://www.itspublicknowledge.info/UploadedFiles/Decision021-2005.pdf.

Sheridan. Gavin. 2010. “Department of Arts,Sport and Tourism Expenses Database.”The Story, March 12. http://thestory.ie/2010/03/12/departments-expenses-database/.

Slane, Bruce. 2002. “Freedom of Informationand Privacy: Competing Interests withComplementary Aims.” Paper preparedfor the International Symposium on Free -dom of Information and Privacy, Auck-land, New Zealand, March 28.

Solove, Daniel J., and Paul Schwartz. 2008.Information Privacy Law. 3rd ed. NewYork: Aspen Publishers.

Stewart, Blair. 2002. “Public Register Provi-sions—Addressing Privacy Issues.” Paperprepared for the International Symposiumon Freedom of Information and Privacy,Auckland, New Zealand, March 28.

Sunday Times. 2008. “Couple Stung by£100,000 ‘Secret’ Loan.” December 7.http://www.timesonline.co.uk/tol/news/uk/article5299156.ece.

Sunshine Review. 2010. “Public EmployeeSalary.” http://sunshinereview.org/index.php/Public_employee_salary.

Tang, Raymond. 2002. “Data Protection,Freedom of Expression and Freedom of

Information: Conflicting Principles orComplementary Rights?” Paper present-ed at the 24th International Conferenceof Data Protection and Privacy Commis-sioners, Cardiff, Wales, September 9–11.http://www.pcpd.org.hk/english/infocentre/speech_200210911.html.

The Times of India. 2010. “RTI Helps PoorDiamond Polishers Get Back CancelledBPL Cards.” August 24. http://timesofindia.indiatimes.com/city/rajkot/RTI-helps-poor-diamond-polishers-get-back-cancelled-BPL-cards/articleshow/6428102.cms.

U.K. Home Office. 1999. “Freedom of In-formation: Preparation of Draft Legisla-tion: Background Material.” May. Lon-don. http://www.publications.parliament.uk/pa/cm199899/cmselect/cmpubadm/570/57007.htm.

U.K. Ministry of Justice. 2008. “Freedom ofInformation Guidance: Exemptions Guid -ance, Section 40-Personal Information.”May 14. London. http://www.justice.gov.uk/about/docs/foi-exemption-s40.pdf.

———. 2009. “Freedom of Information Act2000. Fourth Annual Report on the Op-eration of the FOI Act in Central Gov-ernment 2008.” June. London. http://www.justice.gov.uk/freedom-of-information-annual-report-2008.pdf.

———. 2010. “Freedom of Information Act2000. 2009 Annual Statistics on Imple-mentation in Central Government.”April 29. London. http://www.justice.gov.uk/foi-statistics-report-2009.pdf.

UN (United Nations). 1948. “Universal Dec-laration of Human Rights.” New York.http://www.un.org/en/documents/udhr/index.shtml.

UN General Assembly. 1990. “Guidelines forthe Regulation of Computerized Person-al Data Files” A/RES/45/95, December

43References


14. New York. http://www.un.org/documents/ga/res/45/a45r095.htm.

UN Human Rights Committee. 1988. Cov -enant on Civil and Political Rights Gen-eral Comment 16 (Article 17: The Rightto Respect of Privacy, Family, Home andCorrespondence, and Protection of Ho-nour and Reputation), April 8. http://www.bayefsky.com/general/ccpr_gencomm_16.php.

UN Human Rights Council. 2009. Reportof the Special Rapporteur on the Pro-motion and Protection of Human Rightsand Fundamental Freedoms While Coun-teringTerrorism. A/HRC/13/37. Decem -ber 28. http://www2.ohchr.org/english/bodies/hrcouncil/docs/13session/A-HRC-13-37.pdf.

U.S. Department of Health, Education, andWelfare. 1973. “Records, Computers andthe Rights of Citizens: Report of the Sec-retary’s Advisory Committee on Auto-mated Personal Data Systems July, 1973.”Washington, DC. http://aspe.hhs.gov/DATACNCL/1973privacy/tocprefacemembers.htm.

U.S. Department of Justice, Office of Infor-mation Policy. 2010. “Summary of Annu-al FOIA Reports for Fiscal Year 2009.”Washington, DC. http://www.justice.gov/oip/foiapost/2010foiapost18.htm.

Waters, Nigel. 2002. “Privacy Exemptions inFOI Laws—An Unnecessary Barrier toAccountability” Paper prepared for theInternational Symposium on Freedom ofInformation and Privacy, Auckland, NewZealand, March 28.

Working Party on the Protection of Individ-uals with Regard to the Processing ofPersonal Data. 1999. “Opinion No. 3/99on Public Sector Information and theProtection of Personal Data.” May 3.Brussels, Belgium. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1999/wp20en.pdf.

World Bank. 2006. “Income & Asset Disclo-sure Requirements for Heads of Stateand Governments, World Bank ClientCountries.” Washington, DC. http://siteresources.worldbank.org/INTLAWJUSTINST/Resources/IncomeAssetDisclosureinWBClientsasofJune62006.pdf.

About the World Bank Institute’s Governance PracticeGovernance is one of seven priority themes in the World Bank Institute’s recently launched renewal strate-gy—a strategy that responds to client demand for peer-to-peer learning by grounding WBI’s work in the dis-tillation and dissemination of practitioner experiences. The Institute is committed to building knowledge andcapacity on the “how to” of governance reforms, with emphasis on supporting and sustaining multistake-holder engagement in bringing about such reforms.

WBI’s Governance Practice works with partners, including networks of country and regional institutions, todevelop and replicate customized learning programs. Its programmatic approach aims at building multistake-holder coalitions and in creating collaborative platforms and peer networks for knowledge exchange.

For further information:WBIThe World Bank1818 H Street, NWWashington, DC 20433Fax: 202-522-1492

Visit us on the web at: http://wbi.worldbank.org/wbi/topics/governance

Photo Credit: (Front Cover) iphotostock.com.