2 Objectives
- Describe the main points of the Data Protection Act 1998 and the Freedom of Information Act 2000
- Illustrate the "things you need to know" about Data Protection (DP) and Freedom of Information (FOI)
- Stop me at any point; there will be a chance at the end to ask questions
3 The Acts
- The Data Protection Act 1998 came into force in March 2000. The Act covers information about living individuals.
- The Freedom of Information Act 2000 came into force in January 2005 and provides a right of access to information held by public bodies.
- The Information Commissioner's Office (ICO) regulates the operation of the DPA and the FOIA, as well as related legislation such as the Privacy and Electronic Communications Regulations.
4 DPA or FOI? To release or not to release?
- A student requests his examination results
- A student requests the College's internal guidelines for dealing with appeals
- A local authority wishes to verify a student's details for Council Tax
- A parent wants to know if their son or daughter is attending classes
Notes: We will return to these scenarios at the end and consider, for each, which Act applies and whether or not to release the data or information.
5 Data Protection Act
- All Data Controllers must be registered with the Information Commissioner's Office. The registration specifies the purposes for which data is processed.
- Data Subjects are the people about whom the data is held.
- Data processing covers the collection, recording, holding, maintenance and destruction of any data.
- Personal data is information about any living person who can be identified from that information (alone or together with other information the controller holds).
- Sensitive Personal Data is information about an individual's health, racial or ethnic origin, criminal convictions or proceedings, sexual life, religious beliefs, political opinions or trade union membership.
Notes: The aim of the Act is to give people the right to see the information which organisations hold about them and to ensure that personal information is handled correctly. These are some of the terms used in the Act. QM and all its staff together are a single data controller; the data subjects are students, staff and others. Personal data is data about any living individual, e.g. date of birth or address. What about a photo? A photo of an identifiable person is personal data, so you should normally have consent. Processing sensitive data requires explicit consent (or one of the other conditions in Schedule 3 of the Act).
6 Data Protection Act (cont)
There are eight Data Protection Principles, which must be complied with. Personal data shall:
1. Be obtained and processed fairly and lawfully, and not be processed unless at least one of the conditions in Schedule 2 (and, for sensitive data, Schedule 3) is met.
2. Be obtained only for one or more specified and lawful purposes, and not be further processed in any manner incompatible with those purposes.
3. Be adequate, relevant and not excessive in relation to those purposes.
4. Be accurate and, where necessary, kept up to date.
5. Not be kept for longer than is necessary for those purposes.
6. Be processed in accordance with the rights of data subjects under the Act.
7. Be kept secure, with appropriate technical and organisational measures against unauthorised access or processing and against accidental loss, destruction or damage.
8. Not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for personal data.
Notes, principle by principle:
1. Get consent; there are other conditions which also allow compliance.
2. Only use it for the purpose stated.
3. Only collect what is necessary.
4. Check it is up to date.
5. You cannot hold it forever.
6. Data subjects have the right of access and the right to have any inaccuracies corrected.
7. Protect it: lock it up, use passwords, and limit access to those who need it.
8. Transfers outside the EEA are only allowed under certain conditions. This may be relevant to research data; you need either the explicit consent of the data subjects or a data protection contract with the recipient.
7 Data processing good practice
The following checklist is taken from the Information Commissioner's Office website:
- Do I really need this information about an individual? Do I know what I'm going to use it for?
- Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
8 Freedom of Information Act
- Places a duty on public authorities (which includes QMUL) to make official information available, regardless of its age, format or origin.
- Each public authority must publish a Publication Scheme approved by the Information Commissioner. QMUL's scheme is on its website.
Notes: The aim is to make public authorities more transparent and more accountable. The Act covers all recorded information held by, or on behalf of, a public authority, regardless of age, format or origin, e.g. letters, reports, videos and emails, whether in current use or historical. It may include information received from third parties; those parties should be consulted, but they do not have a veto on disclosure. The Publication Scheme, which conforms to a model created by the ICO, categorises the information the College must proactively publish on its website, such as policies, finances and statistics. If information is not available through the scheme, people can contact the College to make a request. Be aware that anything you do as an employee might be made available to the general public, and that all records belong to QM.
10 Dealing with Requests
- A request under the DPA (known as a Subject Access Request, or SAR) must be dealt with within 40 calendar days (examination results have a longer time limit, covered later); a maximum fee of £10 may be charged.
- An FOI request must be dealt with within 20 working days. A request whose cost would exceed the appropriate limit can be refused on those grounds.
- Both types of request may arrive at any part of the College and must be logged with the Records & Information Compliance Manager.
- If you are unsure, check with the Records & Information Compliance Manager.
- There are dedicated email addresses for each type of request.
Notes: Good practice is to deal with requests as soon as possible; they cannot be ignored under any circumstances. The deadline may move if more information is required, i.e. the request needs clarification or the fee is unpaid. Remember that the requested information may be spread across different parts of the College, but a Data Subject cannot simply ask for "everything you hold on me"; the request needs to be more specific. FOI requests must be dealt with as soon as possible and no later than 20 working days after first receipt. If an exemption applies or we do not hold the information, the requester must also be told within that time limit. We try to make information available free of charge, although it is permissible to charge for photocopying etc., and we can refuse a request if the cost of finding and extracting the information would exceed £450 (calculated at £25 per hour, i.e. 18 hours of staff time). Correspondence asking questions such as "please explain your policy on x" or "why did you do y" is not an FOI request, since the Act only covers recorded information. There are other exemptions too, some of which I will mention in a couple of slides' time. I maintain a central log of FOI requests: you should inform me if you receive a request, remembering that it might not mention the FOIA.
11 Some FOI Exemptions
- FOI exemptions are either absolute or qualified. Qualified exemptions are subject to the public interest test; absolute exemptions are not.
- Personal information is an absolute exemption where the DPA applies, i.e. where releasing the information would identify a living individual and disclosure would breach the data protection principles. (A person asking for their own personal data is handled as a Subject Access Request under the DPA instead.)
- Commercial information may be covered by a qualified exemption, as its release could prejudice the commercial interests of the College or another party.
- Vexatious requests, and repeated requests that are identical or substantially similar to one recently refused for good reason, need not be complied with.
Notes: The FOIA assumes that information should be disclosed. However, sometimes an exemption can be applied, either absolute or qualified. For qualified exemptions the public interest test is applied: for example, would disclosure harm our competitive position in a commercial matter? Other examples: disclosure would endanger public safety, or undermine governance by discouraging frankness. The balance of factors should be explained in any reply, and exemptions must be considered on a case-by-case basis.
12 Some DPA Exemptions
- Section 29 (crime and taxation): data may be disclosed without the consent of the Data Subject to authorities for the purposes of the prevention and detection of crime, the apprehension or prosecution of offenders, and the assessment or collection of tax, including benefit and tax fraud. All such requests must be specific, state what the data will be used for, and be checked with the QM Data Protection Officer.
- Research exemption: personal data may be processed for research purposes without the consent of the Data Subject, provided the data are not used to support measures or decisions about particular individuals and the processing is not likely to cause substantial damage or distress. The identity of the Data Subject must not be made known without explicit consent. The retention rule is also different: data processed only for research purposes may be kept indefinitely.
- Examination results: a longer time limit applies to subject access requests, so students cannot use a SAR to obtain results before they are released.
Notes: Section 29 requests will normally come from the police, but could also come from the DWP, the London Borough of Tower Hamlets or the Child Support Agency. This section allows us to release data without the consent of the Data Subject, but it permits disclosure rather than compelling it, so you still need to be wary: if someone phones or comes in and asks to see a record, you can and should refuse if they have not followed the procedure and produced the correct paperwork. The Act makes special provisions for the use of personal data in research and for exam results, which I will cover in a little more detail: a student can apply to see their exam marks but is not entitled to them until they have been released.
13 Research
- Personal data may be used for research purposes beyond the originally stated purpose
- Data may be retained indefinitely
- Exempt from SARs, as long as the results of the research are not published in a form that identifies individuals
- FOI: research data may be withheld under the commercial interests exemption or where it is intended for future publication
Notes: It is still good practice to ask the data subject before any further processing, and you must not give away the identity of a participant without consent. We generally recommend anonymisation or pseudonymisation of research data. Under FOI, research data may have to be released unless an exemption can be claimed, such as commercial interests or intended future publication.
14 Examinations
- Examiners' comments on scripts (and the marks) can be accessed under the DPA, but the scripts themselves are exempt
- Exam Board minutes can be accessed under the DPA (only the parts about that individual) but not under FOI
- Achievement/progression data can be accessed under the DPA
- It is acceptable to put lists of those who have passed on the noticeboard, but listing by candidate number is preferable, and only if students have been told that this is how their results are published
- You should not pass on an individual student's results to a third party
- External examiners' reports: in most circumstances these are accessible under FOI, despite the argument that they are confidential and that External Examiners must be able to write frank and helpful comments; disclosure is in the public interest
Notes: Keep comments at exam boards (and on scripts) factual, because the student may see them if a SAR is made. Publishing results: ideally tell students in advance that results will be put on a noticeboard, and do not use names. Do not disclose results to anyone who cannot prove their identity, e.g. over the phone. Putting up results is a time-honoured procedure. External examiners' reports are generally to be released, but with all personal data redacted.
15 Dos and Don'ts
- DO respond quickly: the clock is ticking
- DO remember that we have a duty to provide advice and assistance to requesters
- DON'T withhold information without a clear justification under one of the exemptions
- DON'T wilfully destroy or alter any original documents once a request has been received: it is a criminal offence
Notes: For SARs you have 40 calendar days. For FOI you have 20 working days, but in both cases we should try to respond as soon as we can. Destroying, altering or concealing records with the intention of preventing their disclosure after a request has been made is a criminal offence committed by the INDIVIDUAL; you may be held personally liable.
16 To release or not to release
- A student requests his examination results: Yes, this can be done as a SAR under the DPA, but not before the marks have been announced. Debtors use this route to get their exam marks.
- A student requests the College's internal guidelines for dealing with appeals: Yes, but under FOI.
- A local authority wishes to verify a student's details for Council Tax: Possibly, if necessary and the correct form is completed, as there are special procedures for these requests. What if a police officer walks in and says "we think Joe Bloggs has committed an offence, please give me his file"? It still has to be a written request with specific reasoning, not just a fishing exercise.
- A parent wants to know if their son or daughter is attending classes: No. Students are adults, unless the student has given written permission that we may disclose this, and even then there is the issue of proving that the caller is the parent if they phone or email.
17 Other Sources of Guidance
- The updated Data Protection Policy, with an appendix of guidelines
- Guidelines on dealing with SARs and other scenarios, e.g. photos, marketing, third parties
- The FOI pages on the QM website
- The ICO website, which has lots of specific guidance on DP and on FOI/EIR