A controversial assumption, which causes great uncertainty in public administrations, is the conflict between privacy and transparency.
In recent years, we have seen how public organizations have faced harsh criticism for different fraud and corruption scandals. That is why a Transparency Law emerged whose objective is for organizations, especially those in the public sector, to be more “transparent” and make available to citizens information that is relevant to them, such as, for example, participation. or the result of selective processes or public procurement procedures. However, there are certain limits to the obligation to provide information and this is exactly what this article aims to address.
In fact, if we go to the Law 19/2013, of December 9, on transparency, access to public information and good governance, Specifically, article 15, on the protection of personal data and the right of access, establishes that if the requested information contains data of a special nature, access may be authorized if 1) there is a rule with the force of law that allows it, 2) if there is the express written consent of the affected person, or 3) at least if said affected person has manifestly make the data public before access is requested.
By general rule It is understood that, except in those specific cases where the protection of personal data or other constitutionally protected rights prevails over the public interest in the disclosure that prevents it, Access will be granted to information that contains merely identifying data..
Now, the same rule adds in its third section that “When the information requested does not contain specially protected data, the body to which the request is addressed will grant access.” after sufficiently reasoned consideration of the public interest in the disclosure of information and the rights of those affected whose data appear in the requested information, in particular their fundamental right to the protection of personal data.”
To understand this last case where a true weighing judgment is requested, the resolution of the Spanish Data Protection Agency, Proc., is an example. : PS/00024/2019 which deals with the complaint that a citizen makes against a public school for having placed a list of the students admitted to said center (which included personal data such as names, surnames and scores of students, including names, surnames and complete IDs of the parents and legal guardians of minors) in a glass window located on the main façade of the center, accessible to any passer-by, and on the center's website, accessible to any person.
The school's arguments were logical, since, as it is a process of admission of students to public centers, this is a competitive process, so the principle of transparency and publicity must govern and, therefore, they must be published. Now, as we have already seen, there are limits, so the Agency responds that the display of the list on the window of the main façade of the Center, instead of on the bulletin board inside the school premises, as well as the open dissemination, and without restrictions, on the website of the school center of said list, constitutes a violation of the principle of confidentiality provided for in art. 5.1 f) of the GDPR.
By way of conclusion, from this resolution and other similar ones, it can be deduced that rights must be weighed; That is, it is understood that since it is a selective process, information must be provided to all interested parties; However, such personal data cannot be published in public or on the Internet because then anyone could see it and the duty of transparency would be exceeded and, therefore, violating the principle of confidentiality.
