
20946812v1 DATA PROTECTION FREEDOM OF INFORMATION AND CONTRACTS training for GOLDSMITHS COLLEGE by Sue Cullen Amberhawk Training Limited July 2010 sue.cullen@amberhawk.com.


1 DATA PROTECTION, FREEDOM OF INFORMATION AND CONTRACTS
training for GOLDSMITHS COLLEGE
by Sue Cullen, Amberhawk Training Limited, July 2010
Note: Amberhawk claims copyright in the contents of this slideshow

2 THREE ACCESS REGIMES
Data Protection Act 1998 - Protection of personal information via the 8 DP Principles
Environmental Information Regulations 2004 - Access to environmental information
Freedom of Information Act 2000 - Access to all information held by a public authority
NB: Separate FOI Act for Scotland

Start with a public authority receiving a request for access and ask students to suggest what access regimes might be engaged. Use flip chart to write up details of the 3 main regimes, as supplied by class:

DPA                                    | FOIA                                        | EIRs 2004
Personal data                          | Anything                                    | Environmental information
EU Directive                           | Westminster Act (not Scotland)              | EU Directive & Aarhus Treaty
Not primarily an access to info regime | Access to any info held                     | Access to environmental info
Data controllers                       | Public authorities                          | FOIA authorities plus some others
8 Principles; Princ. 6: Rights –       | Anyone can request; everything is covered,  | Anyone can request; more limited exemptions
subject access by data subject only;   | but exemptions                              | accommodate other regimes
exemptions                             |                                             |

NB: Briefing Note: FOI and other information access regimes. Why a separate regime for EIRs? (Parliament could write its own script; EIRs dictated by Directive.) Explain why FOISA and mention some differences. Re-Use Regs are covered in course F7. Briefly explain difference between access to information and the right to make use of it; mention copyright. Information Commissioner formerly Data Protection Registrar.

3 DATA PROTECTION ACT 1998 THE BASICS

4 WHAT IS DATA PROTECTION?
Data protection is about aspects of personal privacy
It sets out rules for handling “people information”
Universal – all organisations, and many individuals, use “personal data” (and have liability under the Data Protection Act)
Current issues in data protection:
I/D Cards legislation – erosion of personal privacy by the state
Retention of DNA data by the police
Security breaches by banks, hospitals, HMRC

5 IMPACT OF DATA PROTECTION ON MY JOB
Information about: me or my fellow employees; students, consultants; other people we do business with, e.g. suppliers
Sending information by e-mail; information on the website; security camera recordings
Collection: filling in forms; taking it down over the phone; getting it from other departments/schools/universities
Sharing – with other departments, other organisations, under FOI, for official enquiries

6 DEFINITION OF PERSONAL DATA
“Personal data” means: data which relate to a living individual who can be identified from those data, or from them together with other information you already have or are likely to obtain
- includes expressions of opinion and intentions towards the individual

7 EXAMPLES OF PERSONAL DATA
Sue Cullen, Director, Amberhawk Training Limited
“Sue is a workaholic with no personality”
“Sue carried out Sally’s appraisal”
“Sue was present at the 3rd Annual Subject Access Convention”

8 WHO IS RESPONSIBLE?
“Data Controller” – the person or persons who determine the purposes of processing personal data, e.g. anything done by an organisation for its business; full liability under DPA
“Data Processor” – a person who processes personal data on behalf of the data controller, e.g. outsourcing – processors have no liability under DPA, but the controller is responsible for their mistakes

9 DATA PROTECTION PRINCIPLES
The data controller has a statutory duty to ensure that personal data are:
1. Processed fairly and lawfully, plus Schedules 2 & 3
2. Processed only for specified and lawful purpose(s)
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Not kept longer than necessary
6. Respectful of data subjects’ rights
7. Kept secure by technical/organisational means
8. Transferred outside EEA only if privacy is respected.

10 DATA SUBJECT RIGHTS
Individuals have the following rights under the DPA:
1. Subject access
2. Object to processing in certain circumstances
3. Object to direct marketing (promotion of aims & ideals is marketing)
4. Automated decisions
5. Ask court to order compensation for damage caused by controller’s breach of principles
6. Ask court to order correction of inaccurate data
Controller liable under 6th Principle for 1-4 above

11 DPA ISSUES AND RISKS
Records management: security & staff training (7th Principle); subject access (6th Principle); data quality (Principles 1, 3, 4)
HR information: most SARs are from current and former staff members, usually with a grievance – tests DPA compliance
Fair processing notices: what do we tell people about the information we hold on them?
Data sharing: who can we disclose to – police? parents? other universities? hospitals? social services?

12 CCTV AND RELATED DP ISSUES

13 COMPLYING WITH 1ST PRINCIPLE
Personal data must be processed fairly:
General obligation to be fair
Specific obligation to ensure that the individual knows who is processing, why, and anything else necessary for fairness
First principle also requires lawfulness, e.g. must not:
Breach confidence
Breach copyright
Be ultra vires (outside your powers)

14 FAIR COLLECTION - INFORMING THE DATA SUBJECT
Data protection notice must include:
Identity of the data controller
Purposes for which the data will be processed (especially any non-obvious purposes)
Anything else necessary to make it fair
Purposes should be as wide as possible: cover any projected new purpose, e.g. sharing for fraud initiatives, using CCTV for disciplinary matters
This is NOT a PR exercise – beware “Your information is regulated under the DPA”; “Your privacy is very important to us”; “We will never …”

15 WHAT TO INCLUDE IN YOUR NOTICE
Anything that the data subject ought to know about what will happen to his information in your hands, such as:
What you use it for (purposes for processing)
Any relevant rights, e.g. to opt out of marketing
Who do you share it with, and why?
How long you/they keep it
What responses on forms are obligatory, and what information is not essential
Will it be sent outside the UK?
Any special security issues?
Any sensitive data (e.g. health, religion, criminality)?

16 JUSTIFYING PROCESSING UNDER 1ST PRINCIPLE
Schedule 2 conditions are:
Data subject consent
Necessary for contract with data subject
Legal obligation of data controller
Vital interests of data subject
Necessary for public functions
Necessary in legitimate interests of data controller, or 3rd party recipient, except where unwarranted prejudice is caused to the data subject

17 WHAT IS CONSENT?
Consent is not defined but general requirements are:
Must be fully informed
Freely given
Capable of being withdrawn
Has the data subject given some positive indication of his wishes?
Is the data subject free to refuse?
NB: Consent does not work as a justification for processing HR data – deemed duress.

18 CCTV QUESTIONS
Can CCTV images be “personal data”?
What conditions legitimise the processing (Sch. 2 & 3)?
Must you identify the Data Controller and purposes of the processing (e.g. public safety, crime prevention)?
When don’t you need signage?
Could improper positioning of cameras be unfair to Data Subjects and result in the processing of excessive personal data?
Can the Section 36 exemption be used by parents who record infant school nativity plays?

Re no need to have signage DP-wise: mention that application of an exemption from informing the Data Subject about the processing also applies in the case of lawful covert surveillance (e.g. via RIPA). Need to consider Human Rights Act and RIPA implications.

19 CCTV QUESTIONS
Can you disclose the images (e.g. to the police)?
How long can you retain them?
Does the right of access apply – what are the obvious problems? (e.g. other individuals on the CCTV footage)
Can the Data Subject object to the processing?
Security of images (e.g. who has access, training; criminal offences could apply if CCTV data misused)
Can damage arise from a breach of a Principle?
ICO CCTV Code of Practice (essential reading).

20 FOIA EXEMPTIONS RELEVANT TO GOLDSMITHS

21 FOI EXEMPTIONS RELEVANT TO GOLDSMITHS
Exemption for personal data – s.40
Exemption for prejudice to commercial interest – s.43
Exemption for confidential information – s.41
No exemption for research (except for Scottish authorities) nor for copyright (except if it is environmental information)

22 WHEN DOES FOI INVOLVE PERSONAL DATA?
FOIA covers all information held by a public authority
Includes information about staff, students, contacts from other universities, service users, business contacts, enquirers, complainers (patients, suspects, taxpayers etc., depending on who is the authority)
Personal data may be included in publication schemes
Personal data may be requested under s.1

Try the “pot” diagram on the flipchart: FOIA applies to “all information held” (write this within a large circle under the “FOIA” heading); get class to shout examples of when this info is or includes personal data; get them to agree that prima facie this is available under FOIA – and what do we need if we don’t want that to happen? With any luck they will respond “an exemption!” Tutor can return to this diagram at slide 22 to put a couple of arrows out of the pot for personal data of the applicant escaping by one exemption, and PD of 3rd parties escaping via another. Personal information is not exempt from inclusion in publication schemes; it may be specified as a “class” of information in some categories or specifically flagged as exempt. NB: DCA recommended that where public authorities have data sharing arrangements for personal data, information about those arrangements should be included in the publication scheme.

23 INTERFACE WITH FOIA
FOIA s.40 gives an exemption for ‘personal data’
Personal data of the requester are exempt because access under FOI cannot displace subject access under DPA rules
Personal data of a third party are exempt to protect personal privacy – but this is governed by the DPA principles, which cannot be displaced by FOIA
If it would breach any DPA principle to disclose third party personal data to all the world under FOIA, then the information is absolutely exempt – no Public Interest Test

24 DISCLOSURE OF PERSONAL DATA UNDER FOIA
All 8 principles apply, but usually tested under Principle 1 – fairness, lawfulness, compliance with Schedules 2 & 3
Lawfulness usually means no breach of confidence
Fairness is about what data subjects (staff? officials?) ought to expect
Generally, information about staff in their official capacity can be in the public domain, e.g. payscales, expenses
Personal information about their private life (e.g. health, home life) is likely to be exempt
The more senior the individual, the more public exposure
Detailed ICO guidance

25 COMMERCIAL INTERESTS (s.43)
Qualified exemption for disclosures which are:
Trade secrets, or
Disclosures which could prejudice the commercial interests of any person, including the authority holding the information
Commercial interests: more than just financial – must involve trade or commerce
Exemption from duty to confirm or deny
National Maritime Museum Tribunal decision

Refer to s.43 – class to construe. Refer also to ICO Guidance 5: Commercial interests (version 1) and ICO Annexe to Guidance 5: Public Sector Contracts (updated March 2008) – also relevant to confidentiality clauses, in courseware. Apart from trade secrets (next but one slide), confidentiality and prejudice to commercial interests are the only other IPR protection; but NB: consider any statutory prohibitions on disclosure, such as under the Public Contracts Regulations 2006. Time-sensitive exemption (e.g. in relation to a tendering process); historical records over 30 years old cannot be subject to this exemption. National Maritime Museum case (Tribunal decision 25/01/06) explores the degree of prejudice required to engage the exemption – Tribunal overturns Commissioner’s decision to uphold the exemption. This is a hard exemption to maintain, as the many decisions overturning an authority’s application of it demonstrate: note how hard it is to set up commercial interests of a private body (or even the authority) as against the public interest in transparency, especially where public money is involved. Compare the result when the authority is defending legally privileged documents. NB: Consider the Re-use Regulations. F3 exercises here – from 5-7?

26 COMMERCIAL INTERESTS: ISSUES
Commercial interest of a public authority or a third party:
Is there a commercial activity? Financial interests insufficient
Is there prejudice?
Where does the balance of the public interest lie?
Tender and contractual processes:
Include information with bid documentation
Distinguish between current and new contracts
Classification at the start of the contract
Process agreed under the contract for classification during the life of the contract
Can be used to protect the authority’s own information.

ICO guidance refers to a commercial activity but points out that this is not necessarily the same as a financial activity or interest, e.g. the level of council tax relates to financial interests but not to commercial interests. There is a prejudice test applied to commercial information: Is the commercial activity conducted in a competitive environment? Would there be damage to reputation or business confidence? Whose commercial interests are affected? Is it commercially sensitive? What is the likelihood of prejudice? Then consider the general public interest considerations – these may be time dependent. Relevance to: procurement, regulation, policy development and implementation, PFI/PPP. Refer to it in bid documentation and definitely at the contract stage – in terms and conditions/standard contracts. May cut down on difficulties with discussing with third parties later in the day. Also consider existing contracts; if there is no contractual relationship in place, then a protocol, e.g. on data sharing? NB: Consider the Re-use Regulations. Exercises – any from 5-7.

27 CONFIDENTIALITY (s.41)
Absolute exemption for information provided in confidence, but information:
must have been obtained from another person, and
disclosure must give rise to an actionable breach of confidence
No public interest test if information qualifies
Internally generated information will not count
Exemption can apply to duty to confirm or deny

Refer to s.41 in Act – get class to construe. Important exemption for most authorities; only applies where information has been obtained from another person and there is an enforceable obligation of confidence. This means that the person who supplied the confidential information must have the legal standing to sue if it is disclosed – and one government department cannot sue another, although a local authority could sue a government department. Refer to ICO Guidance 2 in courseware (and by next slide to PM Briefing: Confidential Information), and ICO Annexe to Guidance 5: Public Sector Contracts (updated March 2008) – also relevant to commercial interest exemption, in courseware. Go through Guidance with class. Basic question to ask is “can someone sue us for breach of confidence if we disclose this information?” – not would they sue; this is not about risk. The nature of confidential information is discussed in the next 2 slides. Ask class why they think that the FOIA confidentiality exemption applies only to information obtained from outside the authority. (Otherwise everything would be exempt?) Contrast DPA 1st Principle lawfulness – no fetter on confidentiality there.

28 FREEDOM OF INFORMATION ACT 2000 THE BASICS

29 THREE ACCESS REGIMES (as slide 2)

30 WHAT DOES FOIA DO?
Presumption of right of access to any information held by a public authority
Anything not available is covered by an exemption
Information is free up to a costs limit
Codes of Practice: on handling requests; on records management
An enforcement mechanism and an independent regulator

There is a presumption of openness underlying FOIA. The right of access is qualified by a number of exemptions. These can be absolute or non-absolute (qualified) exemptions – the latter requiring a public interest test. FOIA goes beyond covering the right of access – it also covers records and proactive publication. Amounts to a “Public Sector Information Act” which addresses the whole spectrum of public sector information handling. The codes of practice are a “softer” part of the law. If an authority does not comply with the codes it may face a practice recommendation – a “name and shame” mechanism – but non-compliance may itself lead it to be in breach, for example if its records are not in an appropriate state to enable it to respond to requests in 20 working days.

31 HOW DOES FOIA WORK?
Two routes of access to information:
Pro-active duty to publish information generally (publication scheme)
Specific request for information – s.1 FOIA
Twofold duty under s.1:
Duty to confirm or deny whether information is held
Duty to communicate information

Consider “Briefing: How to read the FOIA” here or later at slide 11. Use of flip chart is recommended to illustrate 2 routes of access, e.g.: demonstrate how much of FOIA is about publication schemes (a page) and how much about s.1 requests (most of it). Refer to statute, read out s.1. Discuss twofold duty.

S.1 Request: procedures; duty to assist; Code of Practice; time limits; usually no charge; exemptions; refusals; complaints; enforcement.
Publication Scheme: scheme approved by ICO; no duty to assist; no Code, no time limit; authority decides what to publish & how; authority can charge; no exemptions; no refusals or complaints procedure; limited enforcement.

32 PROCEDURES AND OTHER OBLIGATIONS
Formal request-handling procedures and time limits, e.g. 20 working days for response
Communicate information in requester’s preferred form
S.45 Code of Practice on Handling Requests, e.g.:
Transferring requests
Consultation with third parties
Duty to help requesters and prospective requesters
Formalities for refusals
Obligation to deal with complaints
S.46 Code of Practice on Records Management

33 WHEN CAN WE REFUSE?
Exemptions in FOI include:
Requests that are too costly
Nuisance requests
Information already accessible, e.g. public registers
National security, investigations, law enforcement
Personal privacy (via the DPA rules)
Health & safety
Confidential information
Commercial interests
...and most are subject to a public interest test.

34 FOI ISSUES FOR CONTRACTS AND TENDERING

35 CONTRACTS AND FOI
Disclosing information about your contractors in response to an FOI request
What exemptions might be relevant?
What should you agree to in your contract?
ICO Guidance, and S.45 Code of Practice
Managing the expectations of your contractors

36 COMMERCIAL INTERESTS (s.43) (as slide 25)

37 COMMERCIAL INTERESTS: ISSUES (as slide 26)

38 CONFIDENTIALITY (s.41) (as slide 27)

39 PROVIDING ADVICE AND ASSISTANCE
Duty to provide advice and assistance to persons who propose to make requests, or who have made requests for information (s.16)
Does not apply to publication schemes
S.45 Code of Practice published by DCA/MOJ sets out what authorities must do to help
Compliance with Code discharges s.16 duty
EIRs have same requirement (Reg.9)

Go through s.16. Public authorities must engage with requestors and would-be requestors to promote openness in accordance with the Act. For example, if the s.8 stipulations for a valid request are not met, an authority cannot just sit on its hands and wait until the person trying to obtain information manages to get his request right (perhaps hoping that they fail!). Authorities have a pro-active duty to give people a helping hand, and this is made into a statutory obligation. There have been a number of decisions in which authorities were found to be in breach of that duty (look at shortly). The s.45 Code of Practice sets out what authorities have to do to be helpful. S.16(2) says that an authority has complied with its s.16(1) duty if it has done whatever the Code requires. See later (slide 25) for ICO decisions on s.16.

40 SECTION 45 CODE
Publish your procedures for dealing with requests for information
Draw the Act to the attention of potential applicants
Help potential applicants make requests in writing
Help potential applicants frame their requests
Consider what can be provided free of charge if applicant does not want to pay
Consider what can be provided within the upper limit if request exceeds limit

First look at s.45 of the Act, and then go through the Code with class. Refer also to ICO Guidance no.23 in courseware. Note that the Code advises (at Part II paras. 5 & 9) contact by phone in connection with advice & assistance – consider this in the light of the authority’s additional responsibilities under the EIRs in relation to oral requests. But at para. 9, note that while at times it would be really useful for you to know why they want the information (i.e. what they are really after) in order to help, you are not allowed to ask – access under FOIA is purpose blind. You might connect this to the fact that special status applicants will usually do worse under FOIA – since anyone can ask for anything, disclosure to one requestor is disclosure to all the world, so you can’t say “I will tell him, but not her”, or “I don’t mind giving this information to this disgruntled employee, but not to that media journalist”. This is particularly relevant to disclosures of third party personal data under the DPA – a requestor is likely to get more outside of an FOI request, because an exemption from the non-disclosure provisions might then apply to facilitate specific disclosures – considered further in course F4.

41 SECTION 45 CODE
Advises on procedures for the transfer of requests from one public authority to another (but NB EIRs)
Provides for consultation with persons affected by an FOI request
Considers what confidentiality contract clauses should be used by public bodies
Deals with complaints procedures

The management of requests is not confined to deciding how to assemble the material and then supply it to the applicant. It may be necessary to consider how the authority will handle those requests which are either more difficult to deal with or should not have been made to it in the first instance. Transfer procedures may become very messy – for example, the applicant may have written to the authority because he or she did not want to approach another organisation. It may therefore be inappropriate to transfer a request without the applicant’s consent; however, if consent is sought it may be more trouble than simply refusing the applicant and advising him or her to seek the material elsewhere. NB: In EIRs, transfer of request is an obligation under Reg.10. Relations with third parties should also be considered, and it is suggested that all authorities which deal with material received from third parties should have a project stream devoted to assessing what impact this may have and how such requests should be dealt with. Examples of third parties: those whose personal data has been requested; project partners in the private sector. Do not give the impression that consultation gives a third party a right to veto disclosure.

42 INFORMATION HELD BY CONTRACTOR
Requests made for information which is in the hands of your contractor
Complying with procedures & time limits
What about costs of contractor response, and the FOI costs exemption?
What you should try to negotiate in your contract
NB: Remember that rules are different for EIRs

43 COSTS UNDER FOIA
Three kinds of costs under FOIA:
Costs you can’t do anything about (e.g. costs of dealing with the applicant; considering an exemption)
Appropriate Limit costs (determining, locating etc.)
Communication costs (P&P)
In practice information is free and you hardly ever charge a fee or send a fees notice

44 EXCEEDING APPROPRIATE LIMIT
No obligation to comply if the authority estimates that cost would exceed the appropriate limit (s.12)
No exemption from duty to confirm or deny unless this alone would exceed the appropriate limit.
Reg.4: The only factors to be taken into account are:
Determining whether information is held
Locating it
Retrieving it
Extracting it
NB: Does extracting include redacting exempt materials?
Staff time is chargeable at £25 per hour

Refer to s.12 & Reg.4 and the Fees Briefing: The Fees Regs divide costs incurred by a public authority in relation to an FOI request into two categories: the costs which may be taken into account in calculating the appropriate limit, defined in Reg.4(3), and communication costs, defined in Reg.6. These two categories are mutually exclusive – activities covered in one category of costs are excluded from the other category. Furthermore, these categories do not cover all the costs which an authority may actually incur in dealing with a request – such as costs of checking the validity of a request, of advising and assisting the requestor, of considering the application of an exemption, or of dealing with a complaint. But remember – the s.45 Code says your s.16 duty covers suggesting that requestors whose requests trip the costs ceiling refine their requests, and ICO decisions show that an authority is in breach if it fails to do this. Refer to briefing on Decisions on s.16 Duty & Costs in courseware, and to points 3.4 & 3.6 of Fees Briefing. Note also point 3.10 of Fees Briefing – external contractors’ time still costed at £25 per hour, regardless of actual charge. NB: Does extracting include redaction of exempt materials? ICO & MOJ disagree – see points 3(8) and 3(9) of Fees Briefing.

45 COMMUNICATION COSTS
If the appropriate limit is not exceeded, communication costs may be charged
Reg.6: Limited to informing the requestor whether information is held and communicating the information. Specifically include the costs of:
Complying with any preferred means of communication (s.11)
Reproducing any document
Postage and other transmission costs
BUT staff time spent on any of the above may not be charged (NB: except in voluntary responses!)

S.9 FOIA and Reg.6; Fees Briefing point 4 – go through.

46 OUTSOURCING – SUPERVISING DATA PROCESSORS

47 WHO IS A DATA PROCESSOR?
A data processor is an individual/organisation who processes data on behalf of the controller, for example:
Outsourced payroll
Offshore call-centre (increasingly common in India)
Mailing house
CCTV security firm
Document destruction (e.g. a shredding company)

48 DATA PROCESSOR CONTRACTS
Data processors are not liable under the DPA
A data controller must:
Choose a processor with sufficient security guarantees
Take reasonable steps to ensure that processors comply with these guarantees
Impose a written contract under which the processor is obliged to act only on the instructions of the controller and covenants to observe and perform all the obligations of the Seventh Principle
NB – link with Principle 8 for overseas transfers, but separate requirements

49 INFORMATION SECURITY - 7TH PRINCIPLE
Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Determine what is appropriate having regard to:
the nature of the personal data to be protected
the resulting harm which might arise from a breach
state of the art & implementation cost
the effectiveness of existing measures
reliability of staff (e.g. appropriate training for all staff)

50 In the news…

51 RISK MANAGEMENT (1)
Is there proof that all reasonable steps have been taken to comply with the DPA’s security duties?
Are security standards for the industry or sector being met?
Is there a security policy?
Is there a business continuity plan to cover inability to process data in an emergency?
Does management take security seriously?
Are the service provider’s staff adequately trained in respect of data protection requirements? Have they been security vetted?

52 RISK MANAGEMENT (2)
What contractual security obligations have you imposed upon the service provider?
Is there a duty upon the service provider to report data security breaches?
What powers do you have to audit the service provider to ensure that they are complying with their data protection obligations?
What are the known risks for the kind of processing undertaken?
Are data transferred securely?
Is encryption used when data are processed on mobile devices?

53 OVERSEAS TRANSFERS – SOLUTIONS AND APPROACHES INCLUDING MODEL CLAUSES AND SAFE HARBOR

54 LEGAL ISSUES Data Protection Act 1998, Principle 8
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
Don’t forget the other data protection principles

55 EUROPEAN ECONOMIC AREA
Non-EU EEA members: Iceland, Norway, Liechtenstein
Countries and territories with EU findings of adequacy: Canada, Guernsey, Isle of Man, Argentina

56 OPTIONS FOR COMPLIANCE- THE 8TH PRINCIPLE
Findings of adequacy by the EU (or Safe Harbor for the USA)
Assessment of adequacy as set out in the 8th Principle
Seek an exemption from the adequacy obligation:
consent of the data subject
necessary for performance of a contract
substantial public interest, vital interests, legal proceedings
Model contracts
Binding corporate rules

57 THE END
DATA PROTECTION, FREEDOM OF INFORMATION AND CONTRACTS training for GOLDSMITHS COLLEGE
Copyright Amberhawk Training Limited July 2010 www.amberhawk.com

