The ICO exists to empower you through information.

The dataset provisions do not provide any additional right to obtain information that is not otherwise accessible under FOIA. They also do not add any exemptions. They concern the form in which you make the information available, both in response to requests and through a publication scheme, and the conditions for re-use.

Requests

When you receive a request for information that you hold as a dataset, you should first consider whether any of the information is exempt from disclosure, just as you would with any other FOIA request. If the information is exempt, then the FOIA duties relating to datasets do not arise. Guidance on all the FOIA exemptions is available in our guidance index.

If the information is not exempt from disclosure, then you should check whether it is part of, or forms part of a dataset as defined in section 11(5). If it does not meet that definition, then the FOIA duties relating to datasets do not arise. If it is a dataset, FOIA requires you to provide it in a form capable of re-use.

Licensing re-use

Your obligations to do with licensing re-use (and charging a re-use fee) depend on whether you and the dataset are covered by the RPSI. If you are a public sector body under RPSI 4 and the dataset is not excluded from the RPSI 5, then you must deal with the licensing and re-use fees under the RPSI. If you’re not a RPSI public sector body, or if you are covered but the dataset is excluded from the RPSI, then you must deal with the licensing and re-use fees under FOIA.

It is therefore important that you establish whether you are a public sector body under the RPSI, and if so what information you hold that is covered by the RPSI.

The easiest way for you to comply with the licensing requirements of both FOIA and the RPSI is to make information available for re-use under the Open Government Licence, where appropriate.

Personal information

Many datasets will contain personal information. Where you receive a request for such a dataset, you must consider whether any of that personal information is exempt under section 40(2) of FOIA. If it is, you must redact that personal information to make sure any disclosure does not contravene the data protection principles.

When considering the disclosure of a dataset held as a spreadsheet, you should take special care to check there are no hidden fields within the spreadsheet which contain personal information. Our checklist for public authorities to use for the safe & appropriate disclosure of information will help you. There have been high profile cases in which public authorities have inadvertently disclosed large volumes of personal information by failing to properly check the content of spreadsheets. There could be situations in which such mistakes endanger the safety of the people concerned.

Part of the rationale behind the open data agenda, of which the dataset provisions are a part, is to encourage the innovative use of multiple datasets to maximise their potential use. As more datasets are released for re-use, the possibilities of analysing the dataset, for example by a pivot table, and of combining datasets from different sources and publishing the results will increase. However, this also increases the possibility that someone could identify people from analysing and combining apparently anonymous datasets. We recognise that it is difficult to know what other information is available, but you should be aware that there may be an increased risk of ‘re-identification’. Our Anonymisation: managing data protection risk code of practice addresses this problem and provides advice to organisations, including public authorities.

Copyright and licences

The duty to make relevant copyright works available for re-use under the terms of a specified licence means that you need to establish whether your datasets meet the definition of a relevant copyright work. In particular, you need to know whether you own the intellectual property in the datasets you hold, since you cannot license re-use if you are not the only owner. This suggests that you should carry out an audit of copyright and database rights, focusing on the datasets you believe you’re most likely to receive requests for. In practice it may be difficult for you to know who owns the intellectual property rights in every case, but if you use an electronic document and records management system (EDRMS) you may be able to extract this information from the metadata.


4 Public sector bodies are specified in regulation 3 of the Re-use of Public Sector Information Regulations 2015 S.I. 2015 no. 1415

5 The types of information excluded from RPSI are listed in regulation 5 of the Re-use of Public Sector Information Regulations 2015 S.I. 2015 no. 1415