Data Protection and Freedom of Information

Presentation on theme: "Data Protection and Freedom of Information"— Presentation transcript:

1 Data Protection and Freedom of Information

2 Objectives
- Describe the main points of the Data Protection Act 1998 and Freedom of Information Act 2000
- Illustrate the “things you need to know” about Data Protection (DP) and Freedom of Information (FOI)

Stop me at any point – chance at end to ask questions

3 The Acts
- Data Protection Act 1998 came into force in March
- The Act covers information about living individuals
- Freedom of Information Act 2000 came into force in January 2005 and provides a right of access to information held by public bodies
- The Information Commissioner’s Office (ICO) regulates the operation of the DPA & FOIA (as well as related legislation like the Privacy and Electronic Communications Regulations)

4 DPA or FOI? To release or not to release?
- A student requests his examination results
- A student requests the College internal guidelines for dealing with appeals
- A local authority wishes to verify a student’s details for Council Tax
- A parent wants to know if their son or daughter is attending classes

These areas will be reconsidered in terms of whether or not to release the data or information and which law applies.

At the end we’ll consider these – what act they come under and how to deal with each.

5 Data Protection Act
- All Data Controllers must be registered with the Information Commissioner’s Office. The registration specifies the purposes for which data is processed
- A Data Subject is the person about whom the data is held
- Data processing covers the collection, recording, holding, maintenance and destruction of any data
- Personal data is information about any living person who can be identified from that information
- Sensitive Personal Data relates to information about an individual’s health, ethnicity, criminal convictions, sexual life, religious belief, political opinions, TU membership

Aim: to give people the right to see information which organisations hold about them and ensure personal information is treated in the correct manner. Here are some of the terms used in the Act. QM and all its staff together are a data controller. Data subjects are students, staff and others. Personal data is data about any living individual e.g. DoB, address. What about a photo? Should normally have consent. Sensitive data requires explicit consent.

6 Data Protection Act (cont)
Eight Data Protection Principles, which should be complied with. Data shall:
1. Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.
2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
3. Be adequate, relevant and not excessive for those purposes.
4. Be accurate and kept up to date.
5. Not be kept for longer than is necessary for that purpose.
6. Be processed in accordance with the data subject’s rights.
7. Be kept secure from unauthorised access, accidental loss or destruction.
8. Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

In short:
1. Get consent – there are other conditions which allow compliance
2. Only use it for the purpose stated
3. Only collect what’s necessary
4. Check it’s up to date
5. Can’t hold it forever
6. Have rights to have any inaccuracies changed and to access
7. Protect it by locking it up/passwords
8. Cannot be transferred outside EEA unless under certain conditions. This might be relevant to research data. Need explicit consent or a DP contract

7 Data processing good practice
The following checklist is taken from the Information Commissioner’s Office website:
- Do I really need this information about an individual?
- Do I know what I'm going to use it for?
- Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?

8 Freedom of Information Act
- Places a duty on public authorities (that includes QMUL) to ensure access is available to official information
- Regardless of age, format or origin of the info.
- Each public organisation must publish a Publication Scheme which is approved by the Information Commissioner. QMUL’s scheme is found on its website

Aim to make public authorities more transparent, more accountable. All recorded information held by, or on behalf of, a public authority regardless of age, format, origin e.g. letters, reports, videos, s etc. in current use or historical. May include information received from others and these parties should be consulted, though they do not have a veto on disclosure.

Publication Scheme categorises information which the College should pro-actively make available such as policies, finances, stats etc. If it’s not available in the scheme then people can contact the College to make requests. Required to proactively publish on our website certain types of information in a Publication Scheme which conforms to a model created by the ICO.

Be aware that anything you do as an employee might be available to the general public and that all records belong to QM.

9 This is the Internet page

10 Dealing with Requests
- Request under DPA (known as Subject Access Request) must be dealt with in 40 calendar days (except for examination results); a maximum fee of £10 may be charged
- An FOI request must be dealt with in 20 working days. If the request is excessive and costly it can be denied on these grounds
- Both types of request may come to any part of the College and need to be logged with the Records & Information Compliance Manager
- If you are unsure, check with the Records & Information Compliance Manager
- There are dedicated addresses.

Good practice to deal with ASAP, cannot be ignored under any circumstances. Deadlines may vary if more information is required – request needs clarification or fee is unpaid. Also remember that information that is requested may be disseminated in different parts of the College, but a Data Subject cannot just ask for “everything you hold on me” – needs to be more specific.

FOI requests must be dealt with ASAP but no later than 20 working days after first receipt. If there is an exemption or we don’t hold the info., the requestor must also be told within these time limits. We try to make information available free of charge though it is permissible to charge fees for photocopying etc. and we can claim an exemption if the overall cost is over £450 (calculated at £25 per hour i.e. 18 hours). Also, correspondence with questions like “please explain your policy on x or why you did y” is not FOI. There are other exemptions too, some of which I’ll mention in a couple of slides’ time.

I maintain a central log of FOI requests – you should inform me if you get a request, remembering that it might not mention FOIA.

11 Some FOI Exemptions
- FOI exemptions are either absolute or qualified. Qualified exemptions are subject to the public interest test. Absolute exemptions do not require this
- Personal information, where the DPA applies and the release of information would lead to the identification of an individual is an absolute exemption
- Where information is commercial the information might be covered by a qualified exemption as its release could be damaging to the College or other party
- Vexatious and repeated requests or requests that have been declined recently for good reason can be exempt

FOIA assumes that information should be disclosed. However, sometimes there are exemptions which can be applied – either absolute or qualified. Public interest test applied to qualified exemptions = for example would disclosure harm our competitive position in a commercial matter? Others: endanger public safety, undermine governance by discouraging frankness. Balance of factors should be explained in any reply. But exemptions need to be considered on a case-by-case basis.

12 Some DPA Exemptions
- Section 29 exemptions: data may be provided without the consent of the Data Subject to authorities for the purposes of the prevention and detection of crime and benefits/tax fraud etc. All such requests must be specific, state for what the data will be used and be checked with the QM Data Protection Officer
- Research exemptions: personal data may be processed for the purpose of research without the consent of the Data Subject. However, the identity of the Data Subject must not be made known without explicit consent and the data must not be used to support decisions about that individual or where there may be substantial damage or distress. The time restrictions are different – data for research purposes only may be kept indefinitely
- Examination results: there is a longer time frame so students cannot access results earlier

Section 29: request under this part of the Act will normally come from the police but could also come from DWP, LB Tower Hamlets, Child Support Agency. This section allows us to release data without the consent of the Data Subject. Still need to be wary: if someone phones or comes in and asks to see a record, you can and should refuse if they haven’t followed the procedure and got the correct paperwork.

The Act makes special provisions for the use of personal data in research and for exam results which I’ll cover in a little more detail: a student can apply to see their exam marks but will not be entitled to them if they have not yet been released.

13 Research
- Personal data may be used for purposes beyond the originally stated purpose
- Can be retained indefinitely
- Exempt from SARs – as long as published research does not identify individuals
- FOI – Commercial interests or subject to future publication

Still good practice to ask the data subject before any further processing and mustn’t give away the identity of a participant without consent. Generally recommend use of anonymisation or pseudonymisation in research. Under FOI, research data might be available unless an exemption can be claimed such as commercial interests or will be published in the future.

14 Examinations
- Comments on scripts (and marks) but not scripts themselves can be accessed under DPA
- Exam Board minutes can be accessed under DPA (about that individual only) but not FOI
- Achievement/progression data can be accessed under DPA
- It is okay to put lists of those who have passed on the noticeboard but by number is preferable and only if you have told students that this is how their results are published
- You should not pass on an individual student’s results to a third party

External examiners’ reports – in most circumstances these would be accessible under FOI despite the argument they are confidential and it is important to ensure that External Examiners are able to write frank and helpful comments – in the public interest!

Need to keep comments on exam boards (and scripts) factual because they may be seen by the student if an SAR is made.

Publishing results: ideally inform students if they’re going to be put on a noticeboard and don’t use names. Don’t disclose results to anyone who cannot prove their identity e.g. over the phone. Putting up results is a time-honoured procedure.

EE reports – generally to be released but with all personal data redacted.

15 Dos and Don’ts
- DO respond quickly – the clock is ticking
- DO remember that we have a duty to provide advice and assistance
- DON’T withhold information without a clear justification under one of the exemptions
- DON’T wilfully destroy or alter any original documents – criminal offence

For SARs you have 40 calendar days. For FOI you have 20 working days, but in both cases we should try to respond as soon as we can. If you destroy or alter documents under the legislation this will be regarded as a criminal offence for the INDIVIDUAL. You may be held personally liable.

16 To release or not release
1. A student requests his examination results
2. A student requests the College internal guidelines for dealing with appeals
3. A local authority wishes to verify a student’s details for Council Tax
4. A parent wants to know if their son or daughter is attending classes

Answers:
1. Yes – this can be done as a SAR under DPA, but not before marks have been announced. Debtors use this route to get exam marks.
2. Yes, but under FOI.
3. Possibly if necessary and the correct form is filled out as there are special procedures for these requests. What about if a policeman walks in and says “we think Joe Bloggs has committed an offence, please give me his file.” Still got to be written request with specific reasoning – not just some ‘fishing exercise’
4. No – Students are adults (unless they have given their written permission that we can disclose this, but there is still the issue of proving they are the parent if they phone or )

17 Other Sources of Guidance
- Updated Data Protection Policy
- Guidelines on dealing with SARs and other scenarios e.g. photos, marketing, third parties
- FOI pages on QM website
- ICO website has lots of specific guidelines

See DP policy with appendix of guidelines. ICO website has lots of info. on DP and FOI/EIR

18 Questions?

19 Contact E-mail:
Records & Information Compliance Manager Tel: (13) 7596
