Open Data Governance & Legality — ChangeFusion Group

The development of open data in Thailand is an important step towards a transparent society where data are used for public interest. However, there are many legal considerations relating to open data which must conform with international standards and national laws, especially where the balance between public interest and the protection of personal rights are concerned. This intricate balance should be made clear and practicable.

To facilitate the discussion on this topic, ChangeFusion partnered with Thailand Institute of Justice (TIJ) to organise the Open Data Governance and Legality forum on 13th September 2019. This forum is a part of the Roundtable for Technology and Justice Series under Project j : jX Justice Experiment.

Important discussion points are as follow:

Overview of Open Data

By Sunit Shrestha, ChangeFusion

Open data is a practice of data collection and dissemination that allows everyone to access and make use for public interest. It is closely related with Open government which is a practice of government that opens its data to promote accountability and transparency, improve the quality of state activities, and promote innovative solutions to public issues by using data as a basis, together with data science and digital technology.
Open data allows many datasets to be cross-related with each other, therefore facilitate possible revelation or 'insight' that has never been surfaced by using traditional data analysis approach. For example, cross-relating different sets of data can allow public to detect corruption activities.
In Thailand, there are initiatives to create open data that focuses on public participation. For example, in July 2019 there was a 'datathon' to organise the corruption verdict of the National Anti-Corruption Commission (NACC) and the Supreme Court into a standardised form. The datathon also brought programmers and designers to create prototypes for interpretation and visualisation of the above sets of data. This activity created a community of citizen who share the interest to co-create open data in Thailand.
During the development of open data, there arisen many concerns about legality, especially where the practice can be assured not to encroach upon individual's rights, while maintaining the public interest.

Overview of related legal acts

By Dr Poom Poomrat, KQ Consulting

Thailand's legal acts that are directly related with open data are the Computer Act, Personal Data Protection Act, and Cyber Security Act.
There are also other related general laws, such as Defamation Act, Copyright Act, State Information Act, and Digital Government Act (which dictates that government agencies must publish their data. However there is no penalty for not doing so.)
Some acts are recently issued, are open to interpretations, or lacking the committee to define the practical guideline to conform.

General Concern on Legal Interpretation

The practice of law is based on facts and precedents which are severely lacking in the case of open data. This causes confusion and indecisiveness among practitioners. / Dr Piyabutr Boon-aramruang, Faculty of Law, Chulalongkorn University
Wordings in many legal acts are sometimes indefinite and confusing. For example, in the State Information Act, the definition of public information which is exempted from protection is not inclusive, therefore causing different interpretations which in turn causes practical problem when a state agency does not publish open data because it does not regard such publication as its legal duty. / Thitirat Thipsamritkul, Faculty of Law, Thammasat University
Court verdicts are known to be exempted from protection under the Personal Data Protection Act.

Open data for public interest: principles and limitations

Does the law regard public interest non-government organisations as having the same right to disseminate public information as government agencies do? -> No. If it were, then it can be possible for any other organisations or entities to make such claim that they were to distribute the data for public interest. The main principle for open data should be referred to the Legitimate Interest principle, which describes the balance between public interest and privacy protection. / Thitirat
The core concept of data privacy protection is the management of risks associated with the dissemination of data. Distributors must apply policies and tools to ensure that the privacy is not violated. For example, anonymisation (of names and private information), provision of sound reasons to publicise the data, and the management of possible risks. These are required considerations for using legitimate interest clause. / Dr Piyabutr
The definition of activities that fall under legitimate interest principle is open to interpretation. There should be an effort to develop a guideline for the data privacy protection committee to use as a reference. This committee will hold the first meeting session in the next 6-8 weeks. / Dr Poom
In addition to the legitimate interest principle, there is also another principle that requires that reasons for publication should be compatible with the original reasons for doing so by the data owner. / Thitirat
There is a real and current issue of NACC publishing their verdict summary for corruption cases but put the offline after 180 days of being available. -> There is actually a clause under the NACC Act that requires NACC to make available the data for 180 days. Also the act requires that the published data being the concise version that erased sensitive information due to security concern for witnesses. The reason for NACC putting down information was actually because the NACC committee wanted to wait for then newly issued Personal Data Protection Act to be put into effect, then the committee can decide how to comply with this law. Currently it has been decided that NACC can provide the data for public interest without unnecessary limitation, therefore it should be able to pose no time limitation for data publication for public interest, in accordance with other laws that supersede the NACC Act. / Thitirat
Open data practitioners should take care to give solid explanation on the rationale for making data available. / Dr Piyabutr
There is a question of how to proceed if a government agency denies the request for data access. The immediate step is to put the case on to the State Information Committee.

Key legal principles of personal data protection

Lawful basis: consent, academic use, prevention of harm to lives and health, contract, public duty (of state), and legitimate interest.
The legitimate interest principle has sub-principles of 1) (abiding by the) expectation 2) risk, and 3) safeguard. It should be used when other principles cannot be used.
The expectation sub-principle means that an activity that allows access to data should not be 'unexpected'; the access of such data is already expected because there already are rationale for data provision by related authorities and data owners are already informed of such rationale. / Dr Poom
Additionally, In Europe there is a 'right to be forgotten' principle which honors the request to remove personal information from search results, or make it relatively difficult to access. / Dr Poom

A Korean case study

By Wisoot Tantinan, UNDP Thailand

According to international principle, poor governance and corruption are risk factors that necessitate open data.
In South Korea, there is a project called 'Seoul Clean Construction System' which exemplifies open data practice by government agencies. The Seoul City wanted to make available all data related to construction projects in the city. The extent of available data was negotiated and adjusted until all parties agreed. The platform is called Allimi. It provides general information of projects, maps, contacts, photos of construction sites and activities, construction reports (daily / weekly / monthly), stakeholders information, problems and penalties received, real-time camera of construction sites (was put down later due to concern about privacy). Public can also ask questions regarding projects and making site visit requests. These are answered by responsible city staffs.
The project uses the principle of 'protection of information VS right to know', aiming to disclose as much information as possible within the limitation of the law.
The primary rationale for this project is the safety of the public.

Going forward

Open data practitioners should insist that data be made available, accessible, and reusable. This will being about accountability and innovation.
Practitioners will develop a guideline for open data, with detailed explanation of concerned principles, particularly the legitimate interest principle.
Practitioners should not neglect to advocate for open data that is made available by data owners themselves, i.e. government agencies, who should regard this as their own mission.