
Information Law/ Data Protection Briefing 2007


1 Information Law/ Data Protection Briefing 2007
Keith G Fraser University Records Manager Welcome to what I hope will be an informative and entertaining hour. Thank you for taking the time at this busy time of the year. By April 2007, the Data Protection Act 1998 (DPA 1998) will have been in force for six years. During this time the Act has had a significant effect upon the ways in which FE and HE institutions handle their personal data processing. Today, across FE and HE institutions, all computerised processing of personal data, many structured manual records, and even some unstructured manual records are subject to provisions of the DPA 1998, including the right of the individual to access the data which is held about them. Together with the Freedom of Information Act 2000 (FOIA 2000), and FOISA 2002 the DPA 1998 has forced a re-think of institutional good practice in personal data handling, required new approaches to records management and made institutions consider more carefully their obligations to those whose data they hold. Data protection law has not been static during this time - various aspects of the DPA 1998 have been subject to judicial interpretation, and the FOIA 2000 has made amendments to the DPA 1998 with particular reference to 'public authorities', the definition of which includes both FE and HE institutions. The Data Protection legislation has far-reaching implications for RGU and its staff. When combined with other legislation, this Act has significant implications for all RGU employees who are responsible for creating and storing information about individuals. Since the implementation of DP 1998 and FOISA 2002 RGU has moved towards a culture of giving out information as a matter of default. Provided that everyone follows the University’s agreed guidance and procedures the Information Acts should cause you little difficulty. What I would like to do today is give you a brief overview of the legislation and how to approach it.

2 Today’s topics
• Introduction
• DP across the globe
• Data protection: the legislative context
• The Data Protection Act: an overview
• FOISA 2002 and DP 1998
• Requests for information
• Subject access requests
• Requests for 3rd party data
• Points to consider and note
• Disclosure without consent
• Implications for web publishers
• Subject access procedures
• The Commissioners
• DP and researchers
• Further information
• Key points to note
• Data subject rights
• Any queries

4 Each year, Privacy International and the Electronic Privacy Information Center review the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws. The report finds that there is worldwide recognition of privacy as a fundamental human right, and many countries are enacting comprehensive data protection laws to safeguard individual privacy. At the same time, however, privacy is increasingly being undermined by technical advances and by the demands of intelligence and law enforcement agencies for increased surveillance powers. This trend has intensified since 11 September 2001.

5 Legislative context
• Data Protection Act 1998: sets out eight principles giving a general standard for the processing of personal data
• Freedom of Information (Scotland) Act 2002: gives a general right of public access to all types of recorded information held by public authorities
• The two Acts overlap where personal data is concerned
• Freedom of Information Act 2000
• Human Rights Act 1998
• Environmental Information (Scotland) Regulations 2004

The Data Protection Act isn’t an isolated administrative measure. It should be seen as an integral part of a much wider-ranging programme of constitutional reform that included issues such as devolution and House of Lords reform. While he was in opposition, Tony Blair said, ‘It is a change that is absolutely fundamental to how we see politics developing in this country over the next few years…its introduction will signal a new relationship between government and people.’ On this slide I have listed some of the other measures in this area that affect the way you handle information at work.

The Data Protection Act 1998 was passed as a result of increasing concern about the effects of technology on our society. It implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Act came into force in March 2000 and repealed the previous UK legislation in this area, the Data Protection Act 1984. In respect of personal data used in telecommunications the Act is amplified by a further directive specific to that area, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, which has been implemented in the UK by the Privacy and Electronic Communications (EC Directive) Regulations 2003. The Act also intersects with the Regulation of Investigatory Powers Act 2000, the Freedom of Information Act 2000 and FOISA 2002.

6 Data Protection Act: Overview
• Personal data is information about an identifiable living individual, processed automatically or stored in a ‘relevant filing system’
• Sensitive personal data is information about racial or ethnic origin, political opinions, religious beliefs, physical or mental health, etc.
• Notification is the process by which a data controller's processing details are added to the public register kept by the Information Commissioner
• Eight data protection principles
• Enforcement: the Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles

The Data Protection Act 1998:
• Was passed in 1998 and came fully into force in 2001 (the Act commenced in March 2000; the first transitional period for pre-existing processing ended in October 2001)
• Was amended by the FOIA 2000 to cover additional issues in relation to public authorities, including colleges and universities
• Covers all personal data processed by FE and HE institutions, including computerised data, structured manual files and unstructured data, except where specifically exempted

The DPA gives individuals certain rights regarding information held about them. It places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual. Anyone processing personal information must notify the Information Commissioner's Office (ICO) that they are doing so, unless their processing is exempt. Notification costs £35 a year.

The Data Protection Act provides the legal basis for the privacy and protection of data about individuals in the UK. The Act places restrictions on organisations which collect or hold data which can identify a living person. It does not apply to purely domestic use, for example keeping a personal address book. Data collected by any person or organisation may only be used for the specific purposes for which they were collected.

Personal data may only be kept for an appropriate length of time and must not be disclosed to other parties without the consent of the data subject, unless another Schedule 2 condition or a specific exemption applies. Schools, for example, may decide to keep information on former pupils for no longer than ten years. The Act is overseen by an independent authority, the Office of the Information Commissioner, and persons and organisations which process personal data must notify the Information Commissioner unless they are exempt. The UK Data Protection Act is a large Act and has a reputation for complexity: whilst the basic principles for protecting privacy are straightforward, interpreting the Act is not always simple.

7 Data protection principles
The Eight Principles of Good Practice. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. These say that personal data must be:
• fairly and lawfully processed
• processed for limited purposes
• adequate, relevant and not excessive
• accurate and up to date
• not kept longer than necessary
• processed in accordance with the individual's rights
• secure
• not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual

8 Further Conditions
In processing fairly and lawfully, data controllers (us) must also meet at least one of the six Schedule 2 conditions. These are:
• the data subject has given consent; or
• the processing is necessary for the performance of a contract to which the data subject is a party (or for taking steps at the data subject's request with a view to entering into a contract); or
• the processing is necessary for compliance with a legal obligation; or
• the processing is necessary to protect the vital interests of the data subject; or
• the processing is necessary for the administration of justice or other public functions; or
• the processing is necessary for the legitimate interests of the data controller, provided these are not outweighed by prejudice to the rights and freedoms of the data subject
Sensitive personal data additionally requires one of the more demanding Schedule 3 conditions to be met.

9 Data Subject Rights
There are several rights under the Act, including:
• Right of access to personal data
• Right to prevent processing that would cause damage or distress
• Right to prevent processing for direct marketing
• Right to correction or deletion of inaccurate information
• Rights regarding automated decision making

11 BBC News Monday 18 December

12 Data Protection Act 1998: enforcement
• Complaint to the Information Commissioner, who can serve information notices and enforcement notices
• The University can be sued for compensation by an individual who suffers damage through a contravention of the Act
• Personal criminal offences, including:
• destruction or concealment of information required for a subject access request
• unauthorised obtaining or disclosure of personal data
• failure to comply with an enforcement or information notice
• failure to notify

13 Amendments to DP Act (made by FOIA 2000; they apply equally to Scottish public authorities such as RGU)
• The definition of ‘data’ under the DP Act is widened to include all recorded information held by public authorities.
• A data subject therefore has a right of access to unstructured personal data held about them, which is potentially any information at all.
• The data subject needs to describe the unstructured data when requesting access to it.

14 Request for Information – FOI or DP?
First ascertain which law applies, DP or FOI:
• Is the applicant for information also the subject of the information? or
• Is the applicant applying for information about a third party?
The answer to these questions determines which course of action follows.

15 FOISA and DP
A request by an individual for information about him/herself is an absolute exemption under FOISA 2002 (s.38(1)(a)). Such a request is handled as a subject access request under the DP Act, and the response must follow DP rules and regulations.

16 Dealing with Subject Access requests. 1
• Identify the type of request. There is a duty to provide advice and assistance to the requester.
• RGU has 40 days from receipt of a valid request to respond (the DP Act period is 40 calendar days, not the 20 working days that apply to FOISA requests).

17 Dealing with requests. 2
• The information must be provided in the form requested, where ‘reasonably practicable’
• RGU has agreed procedures for dealing with requests and for who is responsible for them
• It is a criminal offence to alter, deface, block, erase, destroy or conceal information in order to prevent access

18 Request for 3rd party personal data
A request for third party personal data may be exempt under FOISA 2002:
• If any of the data protection principles would be breached by disclosure: absolute exemption
• If the data subject himself would not get the information by requesting it under the DP Act: the University must always consider the public interest
• If the data subject has notified the data controller in writing that releasing the information would cause him damage or distress (a s.10 notice): again the University must consider the public interest

19 Disclosure to Third Parties under DP 1998
Certain third parties may require disclosure of an individual's personal data. The University should, where possible, ensure that its students are properly warned of any known statutory disclosures that it is required to make about them. The Act makes no explicit reference to the nature of data that may be demanded under a statutory obligation, so the University can disclose in response to any properly grounded statutory request without falling foul of the law. The request should be verified and the disclosure limited to what the statute requires.

20 Third Party Authorisation for disclosure
• UK Funding Councils: Further and Higher Education Act 1992 s.79, duty to give information to the funding councils
• Electoral registration officers (voter registration): Representation of the People Act 2000
• Officers of the Department for Work and Pensions, and local authorities (benefit fraud): Social Security Administration Act 1992 s.109B, s.109C and s.110A
• Health and Safety Executive (injuries and dangerous occurrences): Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995, reg. 3, notification and reporting of injuries and dangerous occurrences
• Audit Commission and related auditing bodies (various): Audit Commission Act 1998 s.6, auditors' right to documents and information
• Environmental Health Officers (notifiable diseases): Public Health (Control of Disease) Act 1984 and the Public Health (Infectious Diseases) Regulations 1988
• Child Support Agency: Child Support (Information, Evidence and Disclosure) Regulations 1992
• Police officers: court order. N.B. disclosures to the police are not compulsory except where the institution is served with a court order requiring the information (though the Act permits, without requiring, disclosure for the prevention or detection of crime)
• Other third parties: Court of Session, e.g. a third party disclosure order

21 Publication Scheme and DP
• Some information in the University’s publication scheme may be personal data
• Consideration has to be given to the data protection implications before deciding whether to include the information
• The same tests have to be applied as for requests
• Ultimate test: does its inclusion breach the DP principles?

22 Points to consider
Care and awareness are required:
• If personal data is included in the University’s publication scheme, the DP implications must be considered at the outset
• Requests for information: an evaluation process to decide whether it is a DP or an FOI request
• Single point of contact for information requests
• Verify the authenticity of the requester under DP
• Standard forms and templates may be a useful aid
• Remember the timescales for response
• Staff awareness

23 Points to note
• Third parties may have a right to access any of the information we record
• It is a criminal offence to tamper with existing records that have been requested for disclosure
• There is no exemption for embarrassment
• Always create records with an eye to other people seeing them

24 Disclosing without Consent
Where a request would reveal information about a third party, the Data Protection Act 1998 (s.7(6)) sets out criteria to which institutions must have regard in deciding whether it would be reasonable to disclose that information without the third party's consent (although other considerations may also be relevant). These criteria are:
• any duty of confidentiality owed to that person
• any steps that have been taken to seek their consent
• whether the person is capable of giving consent, and
• any express refusal of consent by them

25 Public Interest Test
The University will have to disclose the information if the public interest in disclosure outweighs the public interest in maintaining the exemption in question. The public interest includes, but is not confined to:
i) Detecting or exposing crime or serious impropriety.
ii) Protecting public health and safety.
iii) Preventing the public from being misled by an action or statement of an individual or organisation.

27 Implications for Web publishers
The web is the University’s favoured method of publication for the publication scheme. Beware of making personal details available on the internet, for example:
• Names and contact details of members of staff
• Listings for academic staff which give details of their research interests and publications
• Photographs of staff and students
• Minutes which contain the names of committee members

Does the Data Protection Act affect what you publish on the Internet? Yes. The eighth data protection principle states that personal data must not be transferred to countries outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. When personal data is published on the Internet it is accessible all over the world, so publishing personal data on the Internet without the necessary protections risks breaching the Eighth Principle. (The European Court of Justice held in the Lindqvist case, C-101/01, that merely loading personal data onto a web page is not in itself a ‘transfer’ to a third country, but the first, second and seventh principles still apply: the individuals concerned must know their details will be published, and the data must be limited to what the purpose requires.)

28 Subject Access Procedures
• This procedure applies to all Schools and Departments
• The DP Act specifies that all requests for subject access must be made in writing
• The University must comply within 40 days of receiving a validated request
• The information provided must be in an intelligible form: if it contains codes or abbreviations these should be explained

29 Subject Access Procedures 2
• Must be in writing, by letter or on the Personal Information Request Form
• A form is available via the web pages; this ensures that all necessary information is given at the outset
• The request doesn’t have to mention the DP Act
• The requester must provide some form of identity verification
• A copy of each student access request goes to the Executive Director of IT
• A copy of each employee record request goes to the Executive Director of HR
• The respective School/Department contacts decide what information is disclosed, in liaison with the University’s Records Manager

30 What data is exempt from the Act?
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act. Complete exemptions:
• Any personal data that is held for national security reasons is not covered. MI5 and MI6 do not have to follow the rules, but a Government Minister must sign a certificate confirming that the exemption applies.
• Personal data held for domestic purposes only, e.g. Christmas card lists.

31 Partial exemptions
Some personal data has partial exemption under the terms of the Act. For example:
• The Inland Revenue and the police do not have to disclose information held or processed for the prevention or detection of crime or for the assessment or collection of tax, where disclosure would prejudice those purposes. Suspects cannot demand to see police intelligence files on that basis, and tax or VAT investigators do not have to show people their investigation files.
• Access to health data can be restricted: a data subject can be refused access to information about his/her health where disclosure would be likely to cause serious harm to the physical or mental health of the data subject or of another person. This allows doctors to withhold information from patients where disclosure would cause such harm.
• A data controller can keep data indefinitely if it is being used for statistical, historical or research purposes.
• Some processing by journalists and academics is exempt if it is in the public interest or does not identify individuals.
• Confidential references given by the data controller (e.g. a reference RGU writes about a current or former employee or student) are exempt from subject access; references received from a previous employer are not automatically exempt in the recipient's hands.

34 Fees
The University does not have to levy a fee. However, it may charge £10, which is the standard maximum fee set by the Information Commissioner for answering subject access requests.

36 The Information Commissioner
The Information Commissioner's Office is an independent official body. The Information Commissioner is appointed by the Queen and is responsible for administering the Data Protection Act 1998 (across the whole UK, including Scotland) and the Freedom of Information Act 2000 (which applies to UK public authorities other than Scottish ones; Scottish public authorities fall under FOISA 2002 and the Scottish Information Commissioner). Information Commissioner: Richard Thomas.

37 The Scottish Information Commissioner
The Commissioner must:
• Promote good practice by Scottish public authorities in following the FoI(S)A and the codes of practice
• Consider what information it is desirable to make available to the public about the FoI(S)A, its operation and good practice in relation to it, and ensure that such information is made available
Scottish Information Commissioner: Kevin Dunion.

39 Data Protection and Research

40 Personal data
The data gathered must be used exclusively for research purposes. A fair processing statement should be used to inform the individual of the purpose for which their data will be used. Data should not be used to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by a piece of research). Data should not be used in a way that would cause substantial damage or distress to any data subject.

Researchers should not make the results of research, or any resulting statistics, available in a form that identifies data subjects. For example, when using case studies in a research report they may choose to disguise the names of individuals. However, if the individuals' circumstances are described in detail it may still be possible for someone to identify them, in which case the researcher would not meet this criterion.

41 Exemptions Under the Data Protection Act
There are narrow exemptions that allow the use of personal data for research purposes under the Data Protection Act

42 Exemptions for Research Purposes
If the processing is not used to support measures or decisions targeted at particular individuals, and it does not cause substantial damage or distress to a data subject, it is exempt from:
• The Second Principle, meaning that personal data can be processed for purposes other than those for which they were originally obtained
• The Fifth Principle, meaning that personal data can be held indefinitely
• The data subject's right of access to his personal data, where the data is processed only for research purposes and the results do not identify data subjects

43 Further Information
• RGU’s DP homepage: www.rgu.ac.uk/dp
• JISC Legal Information Service: provides an enquiry service for information on FOI and other areas of ICT law
• JISC Legal Information Service web site: regularly updated news, links, papers and reports as the law and practice develop

44 Finally

45 Points for Noting
• Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration.
• Personal data processing may only take place if specific conditions have been met; these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller.
• Additional conditions must be satisfied for the processing of sensitive personal data, that is data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
• The Act covers personal data in both electronic and manual form.
• Personal data processing must be in accordance with the purposes notified by the University to the Information Commissioner. If ‘new processing’ is to take place, the University’s Records Manager should be consulted.
• Personal data must be kept accurate and up to date, and not for longer than is necessary.
• Appropriate security measures must be taken against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training.
• Personal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent); this includes the publication of personal data on the internet.

46 Data Subject Rights
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:
• To make a subject access request: an individual is entitled to be supplied with a copy of all personal data held about them
• To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process
• To prevent processing likely to cause damage or distress
• To prevent processing for the purposes of direct marketing
• To take action for compensation if they suffer damage through any contravention of the Act by the data controller
• To take action to rectify, block, erase or destroy inaccurate data, and
• To request the Information Commissioner to make an assessment as to whether any provision of the Act has been contravened

47 Any Queries ?

48 Thank you for listening today.

