Data protection concerns should not block investigations, Ombudsman insists


Data protection concerns should not be used as a pretext to hinder the Office of the Ombudsman’s investigations into possible maladministration or rights violations by authorities, the Ombudsman has maintained.

In the office’s latest annual report, published on Monday, Ombudsman Anthony Mifsud spoke at length about whether the EU’s General Data Protection Regulation, which became enforceable on May 2018, was a threat to investigations.

Citing the regulations, the Ombudsman argued that the GDPR did not prevent his office from seeking information relevant to its investigations, as the regulations allow public authorities to process data in exercise of their official authority.

However, Mifsud also noted that the adoption of the regulation had seen authorities become increasingly reluctant to share information, for fear of incurring hefty fines. The complaint against a particular agency – left unnamed in the report – brought the issue to the fore.

-The Ombudsman was dealing with a complaint concerning the conduct of the agency’s selection process, leading him to request information about the exercise itself, as well as on the performance of the complainant and other candidates.

Mifsud noted that if his office was subject to GDPR measures without exception, it was clear that the investigation would face serious obstacles. The office would have to provide detailed justifications for its request of personal data, which Mifsud deemed unacceptable, as it would put at risk the cardinal principle that the Ombudsman cannot be made subject to the direction or control of any other person or authority.

The Ombudsman also expressed concern about another GDPR-related matter that came up during the office’s investigations, concerning provisions on the obligation to inform persons whose personal data was being disclosed. Again, Mifsud argued that the regulations should be interpreted as exempting his office and all other authorities which investigate public administration.

However, he said that there was an urgent need for an in-depth study on the impact of the GDPR on his office’s investigative functions.

Respecting privacy remained paramount

Mifsud emphasised, however, that this did not mean that his office would be released from its duty to protect and correctly use personal information.

The Ombudsman Act imposes privacy in the interest of both parties involved in a complaint, with Mifsud highlighting that confidentiality helped foster trust in his office.

The law also sought to ensure that any information provided to the Ombudsman by public authorities would only be accessible to the office, and divulged to third parties only if and when this is essential.

“Had there not been this requisite of privacy, aggrieved persons would not feel secure to approach the Office to intervene on their behalf to vindicate their rights against the public administration.”