The following “conversation” took place on several online networks over three days beginning June 10, 2015.
FreedomInfo.org has compiled the comments in chronological order, with only minor editorial adjustments for clarity. The comments are reprinted with the permission of the authors (except one who didn’t reply). The collected comments are long (about 10,000 words) but rich in content and rarely repetitive.
FreedomInfo.org has posted an article summarizing parts of the discussion.
The exchange was sparked on an article – “In The Information Debate, Openness and Privacy Are The Same Thing” — posted on TechCrunch June 10, 2015, by Martin Tisné (@martintisne). Tisné is a director of policy at Omidyar Network where he leads policy, advocacy strategy and related investments for its Governance & Citizen Engagement initiative.
TechCrunch did not reply to a request to reprint the article, but you can read it here.
Tisné began:
We’ve been framing the debate between openness and privacy the wrong way.
Rather than positioning privacy and openness as opposing forces, the fact is they’re different sides of the same coin – and equally important. This might seem simple, but it might also be the key to moving things forward around this crucial debate.
Tisné wrote, “Openness and privacy both share the same impulse: I want to be in control of my life, I want to know and choose whether a hospital or school is a good hospital or school and be in control of my choice of services.”
Bringing up a related topic, he said, “Another strong thread in conversations around open data is that transparency should be proportionate to power.”
Arguing that “we need to stop making a binary distinction between freedom of information laws and data protection; between open data policies and privacy policies,” Tisné wrote, “We need one single policy framework that controls as well as encourages the use ‘open’ data.”
COMMENTS
Marc Rotenberg – President and Executive Director of Electronic Privacy Information Center (EPIC)
Very good observation and entirely consistent with the development of “information rights” — the better construct – in modern democratic societies.
The aim is to protect the individual and to hold accountable large powerful organizations.
There is no inconsistency. The great champions of constitutional democracy have always favored both. Justice Brandeis, who established the modern right to privacy in the US also favored transparency (“sunlight is the best disinfectant”) and defended freedom of expression.
The problem with “open data” is that is elevates process over people, it places technology instead of democracy at the center, it transfers power and knowledge from individuals to corporations.
Javier Ruiz – leads on policy at the UK based Open Rights Group
Hi Martin
I completely agree with the main point of involving privacy people and making the debate more nuanced and breaking down the elements of privacy control and openness to find the best compromise.
What you are describing in the article is quite similar to the Latin American model of privacy protections, which is based on the concept of Habeas Data: the right to ask for a court to show the body (of data). This also forms the basis for Freedom of Information. So in some contexts it is even true from a legal perspective that privacy and openness are the same, as explained by David Banisar elsewhere.
It is also true that every privacy policy is a data release policy, if they actually worked as they should they would be telling you more about where your data goes than about what cannot be done with it.
I agree with looking ahead, but we also need to consider the existing practices and the impacts they have in different contexts. Sharing tax data leads to gender parity in wages in Scandinavia, but the US disclosure of all forms of public records is more problematic.
The report by the US FTC on Data Brokers – organisations like Acxiom hoovering up all sorts of available data to build unaccountable profiles of the whole population – shows exactly why open personal information can cause harms right now in many places (and why the US urgently needs more privacy protections). https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf <https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf>
A fundamental problem is that for all the theoretical benefits of opening data it is unclear that these end up reaching those whose data is shared. The UK sharing of pseudonymised health data with the insurance industry (society of actuaries) saw millions of people’s premiums go up. And it was not even about linking individuals, just class profiling.
Opening personal data of the powerful for accountability is a lot more developed; for example the UK ICO has guidance for the responses to FOI. But ultimately every release needs to be examined in its own terms.
My proposal in Ottawa was to first look at the objectives you want to achieve, then the privacy principles you want to maintain and what flexibility is there (you may not have that much room anyway), and then look at the open data principles and see if you can justify each of them individually or removing them can help to preserve privacy.
But ultimately some form of general opt out from big/open data where you don’t require individual level granularity may be unavoidable to give people assurance.
Best, Javier
Helen Darbishire – Executive Director, Access Info Europe
Dear All,
Thanks Martin for this thought-provoking piece, timely given a lot of current discussions.
I should probably write a blog post too, but here’s a quick reaction to some of the key issues:
I agree very much with Marc’s comments: information rights should set in place the framework for protecting personal privacy and holding power (political and – as democracy activists increasingly agree – other types of power, such as economic) to account.
In fact, RTI activists have long recognised that there is no need to frame this as a conflict. Open Data came in strong with the “everything open now” message, which might have caused a bit of a backlash, exacerbated by the Snowden revelations about just how much our privacy is being infringed and our rights trampled upon, but even then not entirely: in the joint report Beyond Access(7 January 2011), Jonathan Gray of Open Knowledge and I made clear that it’s perfectly possible to uphold both privacy rights and to make much government data public. (We looked at anonymization processes and we cited the 2009 European Court of Human Rights jurisprudence on the difference when it comes to public figures such as MPs.)
And there has been a lot of thinking and a lot of Information Commissioner decisions and a lot of court jurisprudence since then. Some of it good, some of it less so, but there is certainly a vibrant debate that is ongoing and seems to be increasing in intensity, which is much needed.
The challenge we have now, and Martin alludes to it, is to be much more precise. What is the private sphere? What is the public sphere? When 50% of participants in a conference say that personal data should never be open data, what do they really mean? I suspect they mean a range of different things. Do they agree with the European Commission in its remarkable 2014 refusal to release any detail on travel and hospitality expenditure of Commissioners on grounds of protecting their privacy (see here for more)? I doubt it. Or the blacking out of the name of a minister from a document released under an access request because personal names, even of ministers, are private data? I doubt that too!
Martin raises the question “who is ‘powerful’, how do you define ‘power’ and who is in charge of defining this?”. Well, we should all engage in defining it, through the democratic process, so that when legislators legislate and courts rule, they do so within a human rights-based framework the nuances of which have been subject to public debate. And, as often, it’s up to civil society organisations to take the lead.
This happened reasonably satisfactorily recently with the EU Farm Subsidies, when the European Parliament determined that the needs of public oversight of spending outweighed personal privacy concerns for any subsidies over about €1,250 and information on recipients will now be public. In doing so the legislator reacted to a much-criticised European Court of Justice ruling. The debate raised by civil society and investigative journalists (in particular our good friends at Farmsubsidy.org) resulted in the legislator bringing greater clarity and greater transparency.
What we don’t have, however, and urgently need, are better-developed criteria on how to make these privacy judgements. The current legal framework is inadequate and often vague. In part it needs to be because this is so culturally determined and national solutions vary significantly. (To wit, Amsterdammers with their curtains open of an evening, and Budapestians with their blinds crashing firmly down the second dusk sets in.) I would say it’s cultural more than ideological, although it can be a bit of both.
There are numerous areas crying out for policy proposals and specific arguments: The current debate about beneficial owners of companies. Access to the names of lobbyists attending meetings with public officials. Access to details of those responsible for decision-making processes. Access to data on spending of taxpayers funds. We can identify a series of challenges that we have on the table right now and that are important in democratic life.
Most of these are far from raising the Orwellian spectre of all our personal, intimate data being released because that’s obvious and nobody is calling for it: the transparency camp is right with the privacy camp on that one! But, while we let such fears frame the debate, we are not advancing on the really important issues. I would even go further: the post-Snowden privacy drive is being exploited to refuse access to information that was previously available.
Keen to hear more perspectives!
Best from a rainy Madrid,
Helen
Josh Tauberer – civic hacker” based in Washington, D.C.
This is the part that keeps surprising me about these debates. Somewhere along the way, what began as a very practical movement to solve immediate problems of access to information became…. an ideology. I am either confused or afraid when I read, to quote Martin in his article:
Open data advocates often suggest that openness should be the default for all human knowledge.
Is that statement factually true? Do open data advocates actually say that about all human knowledge? Has it always been that way? I don’t know. But it doesn’t describe the movement I thought I was in (and, I thought, helped start).
When I get up in the morning, I think about how I can help people with less power over government get more power. I don’t care about human knowledge per se. I care about what knowledge people need to have power over their world around them. The idea that I am in a movement that
could be described as “lead[ing] to an Orwellian world” is shocking.
Either I’m in the wrong movement or the movement has a massive public relations problem.
Martin’s point that open data and privacy are the same is maybe a bit exaggerated, but it’s insightful: They are very different techniques to addressing what can be very similar underlying problems (of, for example, inequitable distribution of power). Open data goes off the rails when it is (or is perceived to be) a solution to be applied regardless of the existence of problems.
I thought I was in a movement about underlying problems, but now I don’t know anymore.
Josh Tauberer
Javier Ruiz – leads on policy at the UK based Open Rights Group
Marc Rotenberg has put it quite clearly: privacy is abused by the powerful like any other right, including the right to property. But that’s how power works. Funny that these arguments have typically been made by communists criticising liberal democracies, and now that leftists finally embrace human rights we go back to square one! Lets set the record straight: privacy laws in most places allow for information to hold people accountable to be made public while setting some limits. Do we really want to be able to track the postman via a GPS anklet? Privacy is not a blunt instrument, e.g. as it been explained elsewhere it allows for the taxes of everyone in Norway to be accessible online. Public registers everywhere make public personal information in exchange for social recognition (educational achievement, property, good citizenship, etc.).
But I think the main issue here is not the privacy vs accountability debate, which can be solved with goodwill, but the drive to use data (big data, data science, machine learning, etc.) in everything: from running transport systems by tracking users, to curing cancer by analysing detailed medical histories. Today a massive UK summer festival (Download) announced they will be the first using RFID armbands that will track everyone at checkpoints throughout the venue, and process all payments in a cashless system. Couple this with the well known problems with the standard privacy solutions of anonymisation or consent.
It is the interaction of open data ideology with this new world that I find concerning; and it is a simple corollary that all the above examples would benefit from being open in terms of efficiency. Firstly because the lack of proper considerations of privacy in the first wave of open data (when it was mainly driven by genuine activists) has pushed the debate really far, and only now we are catching up. Many later arrivals have found the rhetoric of open data great to support other agendas.
Open data has played a truly trojan horse role, for example in the case of care.data in the UK (as Phil Booth from MedConfidential has also explained elsewhere), which has become a shorthand for the wider debate about the future of the National Health Service. In this context information about people is there to be exploited and eventually captured and added to the valuation for the IPO, an “asset class”. People rebel against what they perceive as an expropriation of their data, even when legally speaking they’ve probably lost all rights by then. Hundreds of thousands in the UK have engaged in campaigns against sharing health and tax data with private companies.
But is not just the abuse of open data. There are some intrinsic problems in the slightly black and white approach of open data discourse, the obsession with fixed sets of principles or rankings in a very data-centric manner that does not take into account the context and people affected, or even the reasons for opening, which is seen as a goal in itself.
We need a more nuanced approach. In Ottawa I proposed that each data release involving personal information should have to justify why each principle (completeness, timeliness, machine readability, etc.) will not cause privacy harms, even if legally you are allowed to do it. This is just about the fairness, and in addition to having a legitimate purpose and a case with demonstrable benefits to open the data in the first place. One example of this is the recent changes to Norway’s tax register, which since 2014 requires registration to deter frivolous access.
Finally, and to clarify Phil’s comments, sorry if it wasn’t clear, I did not propose to pick and choose privacy principles, just to check them to understand what exactly you want to achieve in terms of privacy, and what room for manoeuvre you have (e.g. sensitive data). Generally we have to balance the rights to privacy and freedom of expression and information, and this is the right frame for the cases that Helen and Chris have to deal with. But in the specific context of open data, I think this balance is operationalised in ensuring that data releases respect privacy at the cost of complying with the open data principles.
Best, Javier
Chris Taggart – Co-founder and CEO of OpenCorporates
Two comments that strongly resonated with me here.
From Javier
first look at the objectives you want to achieve, then the privacy principles you want to maintain and what flexibility is there (you may not have that much room anyway), and then look at the open data principles and see if you can justify each of them individually or removing them can help to preserve privacy.
From Helen
Martin raises the question “who is ‘powerful’, how do you define ‘power’ and who is in charge of defining this?”. Well, we should all engage in defining it, through the democratic process, so that when legislators legislate and courts rule, they do so within a human rights-based framework the nuances of which have been subject to public debate. And, as often, it’s up to civil society organisations to take the lead.
The problem is that the current data protection regime has led to increasing the asymmetries of privacy and power rather than decreasing them, and in the process are undermining the who concept of democracy. As Helen and I agreed after the dinner event on Beneficial Ownership and Privacy — we value privacy as a concept, but value democracy even more, and by taking a flat approach to privacy, ignoring the implications for democracy, we risk undermining it permanently.
Chris
Marc Rotenberg – President and Executive Director of Electronic Privacy Information Center (EPIC)
I may not have understood Chris’s point, but I do not see the conflict between privacy and democracy. It could easily by argued that one of the measures of a healthy democracy is the degree of privacy it allows it citizens. The other end of the spectrum — constant surveillance by the state — is easily recognized as authoritarian rule.
One of the critical insights about privacy and open government is the distinction between personal privacy and government secrecy. Privacy advocates do not typically favor government secrecy, and the effort to conflate such claims with the rights of citizens often needs to be disentangled to understand the interests at stake. That is where I think much of the confusion arises.
But we need not be apologetic about the defense of privacy. I read recently about the drafting of the UDHR and was interested to learn that privacy (Article 12) was placed ahead of other human right claims because it was seen by Rene Cassin as literally foundational to the exercise of other freedoms.
Best regards,
Marc
Helen Darbishire – Executive Director, Access Info Europe
Great to be discussing this (although I am getting bounces from various lists)!
Privacy is a fundamental right so yes everyone has it equally. It’s indeed “flat” in that sense.
Everyone should also have the right to access, to know, and possibly to correct the data that private companies, and even government bodies hold on them.
But that is different from society determining that if you want to do certain things then it will entail some of your personal data entering the public domain. Being a public official, being a lobbyist going into meetings with public officials, receiving certain kinds of business subsidies, owning a company … such conditionality doesn’t take away the overall privacy rights of those individuals.
But it does mean that the right to privacy is balanced with other fundamental rights, including the right of access to information, an inherent part of freedom of expression, similarly identified as a core right at the time of drafting the UDHR.
Sometimes we don’t have a choice: think public registers of public registers for births, marriages, and deaths. (Well, marriages are avoidable). In Nordic countries taxes clearly go along with deaths on the transparency side of things. Elsewhere owning land, being on the electoral roll, living in a certain town … there have historically been public registers.
The internet has complicated things. Should all these registers be on line? How can we guard against “illegitimate” use of the information? And we are seeing a trend towards charging for information that used to be free and open. So it’s still public but only for those with the ability to pay!
And the problem we are seeing is that it’s public officials who are deliberately conflating the concerns and saying, well you used to know my name, my salary, my assets declaration, my conflict of interest declaration, whether I have been charged with criminal offences for corruption, whether I have been pardoned for those offences by my mates in government … but now you can’t because, as you have kindly been reminding me, I have a right to privacy.
The result is shutting down of access I referred to earlier. It’s interfering with participation and accountability across Europe at least, maybe elsewhere too.
Helen
Chris Taggart – Co-founder and CEO of OpenCorporates
Not sure I agree this is a correct characterisation of the situation.
The point is not whether the data subject can see what data the companies’ holds on them, but whether they have equal agency and power in the relationship, particularly given that their ability to influence is much less than that of the companies and the people who run them.
This is particularly important in the data world in which we now live.
Zuckerberg, or Facebook the corporate entity, can not just find out information on any person in their database, they can also do complex and powerful queries, combining that person’s data with other people’s data (friends, similar profiles etc) to learn possibly more about you than you know (or remember) about yourself.
Focusing on whether data subjects have equal access to information about themselves is a key problem with this flatness. It’s like saying everyone can spend 10% of their income on influencing elections. Yes, it applies equally, but the effects are far from equal.
Marc Rotenberg – President and Executive Director of Electronic Privacy Information Center (EPIC)
Chris –
Your argument appears to be that powerful people use privacy to protect themselves from public scrutiny. That is clearly true.
But the law operates (or should operate) in a very different way. It is purposefully “flat” to give all citizens equal privacy rights (communications privacy, for example) and equal rights of access.
The example with Mark Z./ Facebook is very interesting and points to how closely privacy and open data interest are aligned once you see that the dividing line is not between the two categories, but between individuals and the powerful.
Max Schrems, an Austrian lawyer, pursued a case against Facebook in Europe for the right to access the personal information the company collects about him. (The EU Data Protection Directive, a privacy law, established a right to access to personal data held by companies, as do many privacy laws.) He was successful, and received far more information through his legal claim than FB provided to him through the service.
With a privacy law that created a right of access, Max made the company more accountable for its business practices.
I would think that is good for democracy.
Marc
Chris Taggart – Co-founder and CEO of OpenCorporates
Marc
Possibly I didn’t word it very clearly. I’m not arguing for zero privacy, but I do think the current un-nuanced approach, specifically not recognizing the asymmetries of privacy and power, are rapidly undermining democracy.
The critical parts are:
“the current data protection regime has led to increasing the asymmetries of privacy and power rather than decreasing them” — I think this is clear but can provide countless examples.
“by taking a flat approach to privacy, ignoring the implications for democracy, we risk undermining it permanently”. The flatness is important. By ignoring the fact that a very small number of people have disproportionate power and influence (and that probably includes most of us) — either by dint of their position in society (e.g. MPs), owning large datasets that can only be accessed by a few, or the money to influence elections, etc — we risk entrenching that power, and thus undermining democracy. Of course, that doesn’t mean they are fair game in every way — the sexuality of the CEO of a FTSE 100 company is none of my business, nor anyone else’s. However the fact that they are the CEO, that they are going to the cricket with senior civil servants, is.
I sometimes use the following shorthand: can you find out as much about Mark Zuckerberg as he can about you?
Chris
Staffan Dahllöf – “freelance journalist and kind of transparency activist”
Should Helen be in need of a supporting voice I’m happy to supply one. (Not sure she is though.)
My own experience with the EU and a couple of Scandinavian countries supports her views. Privacy rules have been sneaking in and overruled access regulations in many areas. The upcoming EU data protect regulation will most likely add to this.
The trick is seldom to find a correct balance between privacy and transparency but to decide which regime should rule in the concrete case, as in the infamous Bavarian Lager case and other examples mentioned by Helen.
Freedom of speech including the right to know is based on the assumption that everything is allowed/accessible unless otherwise stated in law. Right to privacy is based on the assumption that only one or few purposes of data processing is allowed and everything else is forbidden. This is the conflict which forces us to choose.
I would be happy to elaborate on this had time not been such a scarce commodity.
But this is a good and much needed discussion.
Staffan Dahllöf
Andrew Ecclestone – a New Zealand-based expert on freedom of information
Hi All,
Phil Booth, Coordinator of medConfidential in the UK, posted a response to Martin’s article to the UK OGP list which I thought would be of interest to those on the FOI Advocates list too. I’ve checked with Phil if he’s a member of FOIAnet and would like to post it to this list too, and he’s given me permission to repost his message here.
Cheers,
Andrew
Phil Booth – Coordinator, medConfidential, UK
Hi Martin,
I read your piece, it touches on some important issues, and I suspect we arrive at a similar place in terms of practical steps forward, but I fear your framing is a bit off.
I must fundamentally disagree with Javier and Chris (my apologies, guys, if I am not reading you correctly – but others might misunderstand you in this way too) if what they mean to suggest by “the privacy principles you want to maintain” is that open data could or should (attempt to) operate under different privacy principles than everyone else, or that open data should seek to change or undermine or route around existing principles. It really, really shouldn’t.
The principles are very clear: privacy is a fundamental human right. It’s not an absolute right, of course, but it is one of the fundamental rights from which others flow. (It is also a pillar of democracy – e.g. the “private citizen”, the ‘public servant” – so I confess I’m not sure what tension Chris is implying / alluding to by “taking a flat approach”.)
I speak as a privacy, transparency and wider human rights advocate (and a passionate believer in democracy) with a keen interest in open data. I sometimes give talks at ODI, join in open data discussions (e.g. I’m on this list and participated in the OGP strategy event last week) and I helped ODI with the privacy portion of its Open Data Certificate. I’m speaking at OpenTech this weekend: http://www.opentech.org.uk/2015/ (if anyone would like to continue the discussion…) and I also coordinate https://medconfidential.org – Gus from PI chairs our Board.
I agree with you, Martin, that there is no necessary conflict between open data and privacy. Indeed, my understanding is that the commonly-held definition of open data, “data that can be freely published for all to use”, makes this so.
You cannot publish someone’s personal data without their consent, except in certain specific and legally-defined ways – generally as a matter of public record. To do so would be both a breach of Data Protection laws (DPA in UK) and of their human rights (Article 8 HRA & ECHR) so, while organisations / companies / governments may aspire to – and do – collect and process ever-increasing amounts of personal data, there are – though not always properly enforced – some real constraints around this, especially around the publication of personal information. Even the media has a ‘public interest’ test (ish).
As a general comment, I find that some ‘open data people’ – a group of which I count myself a member – are a little too eager to redefine the world from their own perspective. Open data is a new and relatively immature term and endeavour and, unless properly defined and defended against active attempts to subvert it*, the term ‘open data’ may not only turn out not to be helpful but to be actively unhelpful (see first footnote below).
“Openness”(as opposed to open data) is one branch of a wider, more well-developed concept – transparency – which is a long-standing, well-understood principle, for which society already has such things such as legal frameworks, e.g. Freedom of Information, and established practices, e.g. oversight bodies.
And privacy is a fundamental human right.
I know your point was not to trivialise, Martin, but please be absolutely clear – the straw poll at Omidyar shows two things: (1) that 50% of open data “experts” either don’t understand the law and human rights framework or don’t care, and (2) that the open data community needs to educate itself much better in the wider context and consequences of what it is advocating. That there is such a fundamental schism within the community itself is not good ground from which to go out into the wider world, making claims and/or demands. It is probably much wiser for the community to make its own mind up about what it believes in and will stand for first, before trying to ‘sell’ others on what would then at least be a self-consistent proposition.
As it stands, at least some of the people who currently wrap themselves in open data’s “ideological flag” are actively harming the community – and could cause serious damage, should their (wilful) misunderstanding or deliberate abuse of the term “open data” be allowed to prevail.
We do, however, end up at the same destination: privacy is, indeed, a principle that “cuts across all forms of data release” – and a whole lot more besides.
I do believe it is vitally important for privacy people and open data people to be in the same conversations. That’s one of the reasons I join in when I can. In fact, I think it is actively dangerous, given some of the vested interests involved and the quite evident gap in understanding in the open data community, for open data groups to go talking / representing to others without privacy people (and experienced transparency people – don’t forget, privacy and transparency folks have been negotiating these “tensions” a lot longer than open data, or open government, have been around) by their side.
We – and I now speak as a privacy person, and as a campaigner – have been fighting very hard indeed these past years, “thrashing out data revolution principles”. I spent 7 years coordinating a campaign, NO2ID, that had to defend against numerous ‘database state’ assaults on our freedoms; most notably a monolithic government identity scheme, but many other things as well. We are in an information revolution, yes – and there are very powerful forces in play (economic, commercial, cultural, political, ideological…) which means we must work together to defend our freedoms and rights, not peel off into exclusive little huddles and ponder which of other people’s basic rights may or may not be dispensable.
I apologise if it sounds like I’m on my high horse. Maybe I am. But if the open data community doesn’t open itself up more to the privacy – and wider transparency and human rights** – community, I’m afraid it will be putting its energies into efforts that won’t deliver the benefits, including the actual openness and transparency, that it aspires to.
Cheers,
Phil
* We have had to intervene on a number of occasions in recent years when Government Ministers and others, including Tim Kelsey (Director of Patients and Information , NHS England), have attempted to misuse the term ‘open data’ to spin various Government data-sharing initiatives. The open data community should be much more alert to this, and spend at least as much time and effort examining, defining and defending its own ‘territory’ and boundaries as it does trying to get others to redefine theirs.
** The dynamic is not simply privacy/transparency. With an increasing number of decisions made about people algorithmically, in both the private and public sector, the effects and responsibilities of open data may not simply end with collecting and publishing the data. In terms of rights, principles and the broader social and individual effects, other factors could come into play, e.g. discrimination (Article 14 HRA / ECHR – another human right).
Silvana Fumega – “Access to Public Information/OpenGov Consultant” based in Australia
Thanks for sharing this post, Andrew!
And also thanks to Martin for kicking off these cross communities’ conversations.
Disclosure vs. privacy, I thought this was a discussion already settled by the FOI and Privacy advocates years ago. Despite the particularities of the OGD community, the ideas behind data disclosure are related to all the discussions already had in this topic by the FOI and privacy advocates. I’ve been working on the FOI and OGD linkages for quite some time now. briefly, and in a rush, included here: http://silvanafumega.blogspot.com.au/2015/05/right-to-data-rti-open-formats-reuse.html
Once again (at this point some of you heard me saying these things several times now) there is a need for closer work between several communities working with government’s informational resources (OGD, FOI, Privacy).
We had some initial conversations on the topic at the IODC15 (http://silvanafumega.blogspot.com.au/2015/06/iodc15-recount-recuento-de-la_3.html). We, with other colleagues, are thinking about working on these linkages (FOI and OGD, particularly) during the abrelatam/condatos meeting in Chile, later this year. More than ever these joint efforts are necessary (if somebody from this list is planning on attending and is willing to work on this collaboration, please let me know)
Sorry if I’ve been too repetitive. Hope it helps!
Carole Excell — Project Director, The Access Initiative, World Resources Institute, Washington D.C.
Hi everyone,
Just to note that the FOINet Steering Committee, has indicated a keen interest in facilitating dialogue with the open data community. We have indicated that there is a need to build and connect with the open data movement to re-establish the important interconnection between the two movements. We need issues to connect on though whether its things like the SDGs , working on FOIA implementation or shared approaches to work on access to specific datasets, or evaluating impact of access to information and data.
Funny that Martin’s article says
“We need to include privacy groups in those open data conversations. They need to be alongside us, thrashing out data revolution principles. Issues like the International Open Data Charter – which are central to the new Sustainable Development Goals – need us to build consensus.”
It would have been great for the blog to have indicated the importance of all three communities getting together and thrashing out principles, including the critical role that advocacy from the FOI community has played in actually achieve a Governance goal that references Access to information.
I just think we keep on perpetuating thoughts that keep the movements separate. Privacy and FOIA advocates have had a much closer relationship and understanding, I believe that the gap is with the open data community as Phil indicated.
Carole
Andrew Ecclestone – a New Zealand-based expert on freedom of informatio
Just as an aside to the broader discussion, this article illustrates how some actors may seek to play privacy interests off against open data and accountability interests, in this instance relating to beneficial company ownership information:
http://www.mondaq.com/x/401988/Corporate+Commercial+Law/Privacy+for+Beneficial+Owners+of+Companies
Cheers
Helen Darbishire – Executive Director, Access Info Europe
Very good observation and entirely consistent with the development of *information rights* — the better construct – in modern democratic societies.
Ivan Szekely – Open Society Archives, Central European University/ Budapest University of Technology and Economics, Hungary
Dear All,
May I add two aspects to the discussion:
- privacy itself is a public matter
- 2. both privacy and FOI serve the interests of the individual, too.
So the borderline is not between private and public values and interests.
Ivan
Martin Tisné
Hi Phil, Helen, Marc, All
Thank you so much for taking the time to read the piece and comment. I am excited about the conversation – it would be great if we could post these so others can also benefit, beyond the list serves.
My main aim has been to get different yet related communities to connect and break silos so delighted that the conversation is happening. (though as per Silvana’s point, there are also many other fora where this is taking place.)
A few quick thoughts:
3-way debate
I agree that it’s a 3-way debate between FOI/Privacy/Open data and should have mentioned that in the piece.
Open data and privacy
Phil mentioned:
“the straw poll at Omidyar shows two things: (1) that 50% of open data “experts” either don’t understand the law and human rights framework or don’t care, and (2) that the open data community needs to educate itself much better in the wider context and consequences of what it is advocating.”
Agreed, I should probably have written “Open data experts, including the 1,000 who attended a recent meeting in Ottawa, may not have sufficient expertise in privacy (me included) to provide a clear answer to this statement”. Instead of” “Open data experts, including the 1,000 who attended a recent meeting in Ottawa, ultimately disagree on this fundamental issue.”
Ultimately, I think we agree that the open data community needs to get a lot smarter about privacy and skill up fast. There were many more privacy experts at the Ottawa conference than at previous ones- a good trend which I hope will continue.
FOI and open data
Phil mentioned: “But if the open data community doesn’t open itself up more to the privacy – and wider transparency and human rights** – community, I’m afraid it will be putting its energies into efforts that won’t deliver the benefits, including the actual openness and transparency, that it aspires to.”
Carole mentioned:
“I just think we keep on perpetuating thoughts that keep the movements separate. Privacy and FOIA advocates have had a much closer relationship and understanding , I believe that the gap is with the open data community as Phil indicated.”
Point well taken.
It’s clear to me that the FOI and open data communities are much closer than it may at times appear. This goes back to conversations around the OKFN/Access Info paper from 2011 that Helen cited (Beyond Access) but I don’t think we’ve yet succeeded to really bridge that gap (e.g. this was a noticeable tension around the UK OGP global summit in 2013). People (outside the expert groups on these list serves) tend to assume that FOI = reactive disclosure, rather than reactive + pro-active disclosure. Technology and open data have now enabled pro-active disclosure to have much greater strength and potential than in the past (e.g. Chris and others’ work on open data on beneficial owners of companies), we should work together (FOI, privacy and open data activists) to realise this potential.
Again, great debate and thanks for your comments!
Best wishes
Martin
Marc Rotenberg – President and Executive Director of Electronic Privacy Information Center (EPIC)
Martin –
Thanks for the summary. Your framing of the discussion as a three-way debate is helpful.
It is true also that the FOI and privacy community have long be allied around common human rights objectives and complementary institutional relations.
It is worth mentioning also that there has been significant exchange around privacy and “open data’ for many years. This included such traditional matters, such as the proper use of census data and restrictions on the use of unique identifiers, and such current discussions as anonymization and the use of big data in ways that minimize harm and limit discrimination.
EPIC has recently launched a campaign in support of “Algorithm Transparency” to make clear that even if the data is open, the decision making may not be.
Establishing transparency and accountability in automated decision making should be considered a best practice in the open data community. Algorithmic Transparency could also provide a common framework for those in the privacy, RTI, and open data communities.
Best regards,
Marc Rotenberg
Phil Booth – Coordinator, medConfidential, UK
Agree++ on Algorithmic Transparency, Marc.
As I alluded to at the end of my first post, I think this is going to become increasingly significant. Quite frankly, as Subject Access Requests have shown time and time again, the data itself isn’t always that relevant – what you often really want/need to know is the process by which decisions are made about you, based on that data.
Over here in the UK, we (medConfidential) are working with folks at the Office for National Statistics and other official bodies around population-scale, rich, linked datasets and – for those who have got over the fact that they simply can’t keep sending out / selling copies of such data – it is discrimination that keeps coming up as an issue.
More power to EPIC!
Cheers,
Phil
Patrice McDermott, Executive Director of Open The Government, Washington, D.C.
I have not been able to engage actively on this, but in the US the FOIA/privacy communities have a lot of (good) interaction and overlap – going back to (at least) the passage of the Privacy Act of 1974. There is also, as I think someone noted, a lot of work on ‘big data’ here is focused on privacy (and discrimination). But, I think it is fair to say that there is a good bit of disconnect here among the FOIA and data communities.
Thanks for getting this going, Martin & all.
Patrice McDermott
Silvana Fumega – “Access to Public Information/OpenGov Consultant” based in Australia
Hi Martin and all,
This is a long needed conversation. I am really happy about receiving this messages and comments; specially as it partially is the topic of my PhD dissertation 😉
I think, at this point we all agree that there is disconnection/gaps/ lack of joint projects, etc between these communities (in particular FOI and Open Data communities).
My previous point was that differences in approaches, background, languages, skills seem to build barriers for the interaction between these groups. However, those differences are the key elements that make this collaboration necessary. To have provisions on formats for disclosure, to count with more politically sensitive information proactively disclosed, to solve accountability problems with new tools, they are all tasks which require a closer collaboration from these two groups (with privacy experts as well)
Now that the conversation is happening, we need to start thinking about “the bridges”. We need to think about initiatives/projects/activities to achieve a closer collaboration.
Have a nice weekend!
All the best,
Toby Mendel – Executive Director, Centre for Law and Democracy, Halifax, Canada
Thanks everyone for this very interesting debate and sorry to weigh in late.
Just a couple of quick comments:
1) I fully agree with Martin’s comments below but I think we need to understand there is a difference between the divide inside of the openness community (ie between FOI and open data types) and that between privacy and openness. I see the first as being more social/cultural than policy or issue based, where I see the two groups as essentially promoting very similar goals. As Martin points out, FOI advocates have always promoted proactive disclosure and this has always been understood as a major way of achieving openness. While the FOI and open data communities may have different priorities, I think they are largely aligned at a policy level (no doubt policy issues can come up, eg open data advocates have sometimes decried the importance of reactive transparency, but this doesn’t happen so often and, absent the social divide, would simply be a sign of a vibrant community debating issues). On the other hand, openness and privacy are two very different rights which, while they often align and are mutually supporting, can also come into clear conflict. Legal systems have ways of resolving such conflicts (basically hinging on an assessment of what is in the greater overall public interest), and reasonable people in both ‘camps’ accept this, but it remains the case that the core right each group promotes is very distinct. If this is correct, it is all the more a shame that the FOI and open data communities have not been able to exploit more synergies. At the London OGP Summit, where as Martin says there was tension, I hosted a panel which promoted dialogue about this very fact of the divide between the two communities. We need to do more of that. At our last Steering Committee meeting, FOIAnet resolved precisely to do that! Hopefully this can contribute to that goal.
2) I have not been able to read all of the interventions in this debate carefully but at one point I felt that the ideas of privacy and data protection were being elided, as they far too often are. These are very different ideas (albeit within the notion of privacy – perhaps like proactive and reactive disclosure are different ideas within the notion of openness) and there is a lot of confusion, even in law in many countries, about the way they relate. This is complex (obviously or there wouldn’t be confusion), but data protection rules arose to prevent the misuse of organised data (ie databases) with the growth of such databases in many countries in the 1960s and 70s (the first data protection law dates from 1970). Privacy, on the other hand, is about protecting some sort of personal sphere (no one has really ever defined it comprehensively). The scope and implications of both notions can be very different. One has privacy inside of a restaurant but data protection is not relevant to this (normally; I guess now with States being able to track our every movement through location devices on mobile phones this may be changing!) whereas my email is on my website (and hence not private) but it still benefits from data protection (albeit not enough, because I still get too much spam!). It is extremely problematical when the idea of data protection is put forward as a counterweight to openness since it is simply not designed to be balanced in that way (instead of only applying to private information, it covers any personally identifying information, which tends to be much broader in scope). Better practice is for privacy to be an exception in FOI laws, and then for a public interest balancing to take place when a conflict arises.
Best, Toby
Phil Booth – Coordinator, medConfidential, UK
I believe Silvana is absolutely right, and that there are all sorts of “bridges” already between the various communities – FOI/privacy, privacy/open data, FOI/open data. I know more about the first two from my own work, of course, and my sense is that it’s when there has been a coherent project or necessary battle of common interest that these bridges have formed. Action around legislation, for example, rarely collapses into a ‘purely’ privacy or transparency fight. Identity was a fun one, which dragged in just about everything along the way!
Your point about reactive vs pro-active disclosure is an important one we (medConfidential) are engaged in right now, around medical records in the UK NHS. Because reactive (FOI) disclosure generally allows for the disclosing authority to check for inappropriate disclosures – though it sometime fails, big time* or over-re(d)acts – there is actually an in-built ‘privacy check’ in the process for every disclosure. With ‘pro-active’ (open data) disclosure there is nothing of the sort and because open data is “freely published for all to use” you have to get privacy right first time, for all time, before the very first release. The professional statisticians understand this; I wonder how well the open data community gets on with them?
The risks involved if you get this wrong are quite extreme, and not just limited to those individuals whose data is released. As Tom Steinberg has pointed out over here in the UK, it could take just one single significant open data screw-up – “releasing data that is obviously seriously privacy-infringing” – to collapse the entire open data endeavour. So, if anything, the open data community needs to understand privacy far better than the FOI community ever had to. In my experience, FOI folk ‘get’ privacy better and more deeply than most open data folk. That’s a problem we (all) must solve.
A couple of final thoughts, about ‘incentives’ and focus:
In campaigning terms, it’s actually pretty easy to see how FOI and privacy interests align in terms of keeping power ‘at bay’. It seems to me, however, that the open data community is slipping into dangerous territory when, as it increasingly seems to be wanting to do, it thinks about pro-actively publishing stuff ‘about citizens’ (forgive my imprecision).
How about focussing exclusively on government (big ‘G’ and small) and corporations for a while maybe? This would have the merit of letting open data demonstrate that (a) it shows us something useful, and (b) it can be trusted – and we’d (FOI, privacy folk) have some time to work alongside, to show folks the ropes. If the open data community keeps buying into the agendas of people like Tim Kelsey or going for precisely the sort of stuff (linked identifiers, private citizens) that the privacy community is clearly bound to defend, then I’m afraid it will be members of the open data community itself that are precipitating conflict.
I actually wanted to end on a positive note, so I will just reiterate what I said a couple of paragraphs above: I truly believe the problem is fixable, and it is a problem we (all) must solve. Thanks again, Martin, for getting the ball rolling
Cheers,
Phil
*e.g. https://wilmslowfilmfanatics.wordpress.com/2015/06/07/the_list/
Maurice Frankel – Director, Campaign for Freedom of Information
I agree with what Toby says, particularly at point (1).
I’m less aligned with Toby on (2), the distinction between privacy and data protection, despite the theoretical validity his argument. In the UK at least, data protection is the basis for privacy protection under FOI and open data. (A small part is also played by breach of confidence.) The relevant FOI exemption permits disclosure only where it complies with the Data Protection Act (DPA), which is why we often talk about it here in terms of ‘data protection’ not ‘privacy’.
The basic data protection definition catches all personal information, but the actual test is whether its disclosure would be ‘fair’. As interpreted in the UK that does take some account of the public interest in disclosure, albeit by a circuitous route which starts with a strong presumption in favour of protecting personal information.
For example, the names of individual landlords convicted of offences under the Housing Act, for providing substandard or dangerous housing, has recently been released under FOI because of the public interest in allowing housing authorities and potential tenants to identify landlords who do not respect their safety obligations towards tenants. The Information Commissioner had found that this information to be exempt on DP grounds and liable to lead to ’naming and shaming’. The Tribunal ordered its release under a DPA provision which permits disclosure about wrongdoing for the purposes of journalism on grounds of ‘substantial’ public interest.
FOI decisions of that kind have implications for open data, though every decision is highly specific to the facts.
The last UK government presented openness as something invented by it, circa 2010, with no connection to FOI. But the development of the criteria which apply to potential open data disclosures of personal information is taking place under FOI, because that provides a legal right and forum for testing it. This is sometimes overlooked in discussions between open data and privacy people (I’m not talking about Phil), who appear to be attempting to construct answers from first principles without recognising the extent to which they already exist in case law.
Best wishes
Maurice
Toby Mendel – Executive Director, Centre for Law and Democracy, Halifax, Canada
Thanks for those comments Maurice.
I accept, of course, that many national laws do provide for data protection rules as the basis for the ‘privacy’ exception (by no means only the UK) and my point (perhaps not entirely clear) was that I don’t think that is a sound approach (ie in terms of promoting the appropriate balance between openness and privacy). And maybe I misunderstood you, but it seems to me the very example you give supports that. In a straight public interest competition between FOI and privacy, I have some difficulty imagining that your IC would not have found in favour of openness in the first place in the landlords case. And if we imagined that as a competition between freedom of expression and privacy (ie whether a newspaper could name and shame in case it happened to get its hands on the information), then I am even more sure of the outcome (and in my view, given that the right to information is derived from freedom of expression, the same public interest balancing considerations should apply, of course taking into account all of the circumstances).
I am not intimate with the jurisprudence, but it seems to me that in general the fairness test you note is more weighted towards confidentiality than a public interest balancing (especially if combined with a strong presumption in favour of protecting privacy, as you noted).
Best, Toby
Savita Bailur – Open Data Research Lead, World Wide Web Foundation, London
Dear all
Following this thread with interest. We recently held a session on Right to Data (the similarities and differences between open data & RTI) at the International Open Data Conference in Ottawa
Posting the summary here with some trepidation amongst this group of experts 🙂 http://webfoundation.org/2015/06/open-data-right-to-information-right-to-data/
Best
Savita
Victoria L. Lemieux – Senior Public Sector Specialist, The World Bank
Dear Martin,
Many thanks for forwarding this statement. I agree with the broad sentiment, but wonder at what appears to be a reinvention of the wheel. Many jurisdictions have Freedom of Information/Access to Information/Right to Information laws that set forth provisions that guide determination of what can be opened and what must be closed to protect certain rights and interests, such as the right to privacy and national security interests. One can argue that in some contexts, these provisions are not open enough, but they have at least been openly debated in legislatures and exist in laws established according to due process (in most countries). They also have, in most cases, procedures determining the decision-making process and some degree of transparency in their operation. Moreover, there are mechanisms in most states to call for reform of the laws.
My concern with the way that Open Data is moving forward is that it is not working with the Access to Information community to understand how existing laws can be used as guides to frame the issues and guide decision-making on the important issues you raise in your statement. Not only should the Open Data community be working with privacy advocates, it should be working with FOI/ATI/RTI advocates who have dealt with the issues you lay out here for many years. Instead, one has the impression sometimes that ATI is considered “so analog” by some within the Open Data community. This plays out in much better funding for Open Data and very little for ATI initiatives, forgetting that the ATI community has much knowledge and experience in dealing with the very issues you raise in your statement. These disparate and only somewhat overlapping communities of interest need to work together on what are complex and inter-twining information policy issues. We cannot afford, nor do we need, to reinvent wheels.
I therefore call upon the Open Data Working group to work more closely with the Access to Information Working group within the OGP as a first-step to better collaboration between these two groups in order to address the issues you raise.
Best wishes,
Victoria L. Lemieux, PhD
Martin Tisne
Dear Victoria
I agree very much. There has been a lot of FOI/open data/privacy discussion around the article on other list serves (FOInet for example) which I will forward to you in case of interest.
Best wishes,
Martin
Victoria L. Lemieux – Senior Public Sector Specialist, The World Bank
Dear Martin, Many thanks, I am delighted to know that and, moreover, to have a sense that these groups are now engaged in dialogue and beginning to work together.
May I take this opportunity to suggest another community that it would be beneficial for the Open Data community to engaged with more; that is, the records and archives community. Data quality and preservation continue to be challenges to realizing the full potential of Open Data. Though many in the Open Data community believe that by establishing user feedback on data quality, the quality of the data will be improved, I have been conducting research that suggests otherwise (I hope to have this research in good enough shape to disseminate over the summer). In any case, it’s logical that if users are to provide feedback on data quality, data providers need some capacity to respond to that feedback. This is often not the case because of weaknesses in the manner in which information is created, managed and maintained.
The records and archives community has developed many international standards and methods that can help improve data quality and long-term availability of trustworthy data, so I believe that this is another community that the Open Data community would benefit from engaging with more.
Best wishes,
Vicki
Filed under: Articles Exchange