Privacy of personal data and Re-use of Public Sector Information

News date: 05-08-2016

One of the main difficulties that typically arises in a project related to the re-use of public sector information is the impossibility of obtaining, or at least the difficulty of obtaining, data linked to identifiable or identified natural persons. In fact, regardless of the purpose of the re-use of information, the regulations on transparency and access to information clearly establish this limit, although admitting that the existence of a superior legal interest may justify access even to personal data. According to Article 15 of Law 19/2013, in those cases in which it is intended to access information containing personal data, the application may only be granted "subject to sufficiently reasoned deliberation of the public interest in the disclosure of the information and the rights of those affected whose data appeared in the information requested".

As regards the specific legislation on the re-use of public sector information, article 3 of Law 37/2007, after the reform that took place in 2015, explicitly refers to the above-mentioned general regulation on transparency and access to information. Consequently, either ex officio when publishing information or, where appropriate, as the result of the request that may be formulated, the fact is that the mere presence of personal data does not constitute in itself a definitive barrier to prevent re-use. Of course, one must take into account the extent to which the purpose of such re-use must prevail over the protection of the individuals affected.

This evaluation is of great importance, since the aim that initially justifies the treatment may not be incompatible with the subsequent use of the data by the re-user. In this regard, the openness of information under open data standards is an additional difficulty because - as has happened in a recent case concerning the publication of the remuneration of staff in the service of a Public Administration - it may facilitate the automated processing of the information and call into question whether the most basic requirements of the principle of proportionality are fulfilled.

In this regard, the reform of European legislation in this matter, officially published just two months ago, provides a set of measures to be taken into account, especially as regards advanced information management that allows the dissociation of data, in other words, the disassociation of the natural person referred to. Specifically, Article 3 of EU Regulation 2016/679 of 27 April requires that the data cannot be attributed to an interested individual without using additional information, and the latter should be shown separately and be subject to technical and organizational measures to avoid attribution to an identified or identifiable person. In addition, the principle of protection by design and by default (Article 25) and the need to carry out an assessment of the impact on the personal data (Article 35) are firmly established when this represents a high risk for the rights and freedoms of individuals, which can happen in cases of massive treatment of information affecting large groups of individuals.

Thus, in application of such measures, technology may provide an even greater assurance on the re-use of data from a legal perspective. In particular, it should be established by default that applications and Public Administration information systems should allow the separation from the persons referred to of the information they manage and, at the same time, allow correlation thereof only in those cases where it is necessary to identify the interested party in order to exercise the powers and administrative functions that initially justified the collection of information, usually without consent of those affected. Nevertheless, this approach should be present from the beginning of the design of such programs and systems, but also when considering the purchase or use of applications designed by third parties, whether public bodies or private companies, so that those that do not meet these standards on document management and legal protection cannot be used.

In conclusion, it is to be expected that the process of adaptation to the reform of 2015 in the field of eGovernment will become an opportunity not only to comply with the legal requirements of the new regulation but to bring about a real transformation of an obsolete management model which does not fully exploit the possibilities for innovation and strengthening of the legal security offered by technology.