The sun is shining*, I’ve finished work for the day** and for no specific reason***, I’ve decided to write a brief guide to the main Data Protection issues associated with publishing the names of members of the public on the internet.
You have to tell people that you are publishing their data. If they have a particularly bland and common name (e.g. John Smith), and if publication is not linked to a specific locality (like say, a local council area), the names may not be identifiable, so you’re OK. Otherwise, the first Data Protection principle states that in order to process personal data like names fairly, you are obliged to inform the subjects that their data will be published. If you are publishing under some kind of legal obligation, or if informing people would represent a disproportionate effort, you may be able to get out of this. The Information Commissioner may also accept an argument that in some contexts, there is a reasonable expectation that information will be published. This will not apply to a publication of data that nobody else in your sector participates in. It won’t be disproportionate if you have been involved in some kind of transaction with the person and the opportunity to tell them directly has presented itself (to pick an example at random, if they have made an FOI request to you, and you have responded to them).
The Data Protection Act also requires that – as well as informing the subject of the data that it will happen – you meet a condition before publication. Consent is one option, but there are others. However, they are specific – a legal power or obligation, a contractual obligation, or the need to protect that person’s vital interests. There is a tempting condition that allows you to publish data if it would be necessary for legitimate interests, as long as it causes no unwarranted harm to the subject’s rights. That sounds good, but remember, the harm test isn’t the clincher. You have to show that publication is NECESSARY: not convenient, or helpful or just something you really want to do because right now, it seems like a really good idea or something. If it isn’t necessary, even if it’s harmless, you’re still not able to do it.
Data Protection does have some exemptions, and some of them (the national security and journalism ones) are impressively broad. The journalism one (S32) in particular clearly covers a lot of publication of personal data on the internet. However, it’s important that you can justify the publication in terms of the public interest in freedom of expression, and not just publishing a bunch of people’s names for the sake of it.
PUBLICATION BY MISTAKE
A common misconception is that the accidental publication of personal data is automatically a breach of the Data Protection Act’s Seventh Principle (the one about appropriate security measures). It’s entirely possible for someone to make a mistake – I don’t know, let’s say publishing database extracts on your website and accidentally including people’s names – without the Act being breached. The data hasn’t been processed fairly, but that wasn’t the organisation’s intention, so the ICO will probably look kindly on a single human error. Repeating the publication – perhaps on a monthly basis – is evidence that appropriate measures are not in place. Publishing data by mistake because procedures aren’t robust, staff haven’t been trained or managers don’t carry out proper checks is evidence that the seventh principle has been breached. If the breach is compounded by serious damage to the individuals concerned, a fine is even possible. The best thing to do is to remove the offending information as soon as possible.
NEXT WEEK: A handy guide to the Streisand Effect, and other ways to draw attention to things you’d probably prefer people not to notice
* I live in Manchester, so it looks like it’s about to throw it down
** I am putting off doing something else
*** I am thinking of something very specific