
DATA PROTECTION, FREEDOM OF INFORMATION AND CONTRACTS
Training for GOLDSMITHS COLLEGE
by Sue Cullen, Amberhawk Training Limited, July 2010


Slide 1: DATA PROTECTION, FREEDOM OF INFORMATION AND CONTRACTS (title slide)
Note: Amberhawk claims copyright in the contents of this slideshow

Slide 2: THREE ACCESS REGIMES
- Data Protection Act: protection of personal information via the 8 DP Principles
- Environmental Information Regulations: access to environmental information
- Freedom of Information Act: access to all information held by a public authority
NB: Separate FOI Act for Scotland

Slide 3: DATA PROTECTION ACT 1998 - THE BASICS (section heading)

Slide 4: WHAT IS DATA PROTECTION?
- Data protection is about aspects of personal privacy
- It sets out rules for handling people's information
- Universal: all organisations, and many individuals, use personal data (and have liability under the Data Protection Act)
- Current issues in data protection:
  - I/D Cards legislation: erosion of personal privacy by the state
  - Retention of DNA data by the police
  - Security breaches by banks, hospitals, HMRC

Slide 5: IMPACT OF DATA PROTECTION ON MY JOB
- Information about: me or my fellow employees; students, consultants; other people we do business with, e.g. suppliers
- Sending information by ; information on the website; security camera recordings
- Collection:
  - Filling in forms
  - Taking it down over the phone
  - Getting it from other departments/schools/universities
- Sharing: with other departments, other organisations, under FOI, for official enquiries

Slide 6: DEFINITION OF PERSONAL DATA
Personal data means: data which relate to a living individual who can be identified from those data, or from them together with other information you already have or are likely to obtain.
- Includes expressions of opinion and intentions towards the individual

Slide 7: EXAMPLES OF PERSONAL DATA
- Sue Cullen, Director, Amberhawk Training Limited
- Sue is a workaholic with no personality
- Sue carried out Sally's appraisal
- Sue was present at the 3rd Annual Subject Access Convention

Slide 8: WHO IS RESPONSIBLE?
- Data Controller: the person or persons who determine the purposes of processing personal data, e.g. anything done by an organisation for its business; full liability under DPA
- Data Processor: a person who processes personal data on behalf of the data controller, e.g. outsourcing; processors have no liability under DPA, but the controller is responsible for their mistakes

Slide 9: DATA PROTECTION PRINCIPLES
The data controller has a statutory duty to ensure that personal data are:
1. Processed fairly and lawfully, plus Schedules 2 & 3
2. Processed only for specified and lawful purpose(s)
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Not kept longer than necessary
6. Respectful of data subjects' rights
7. Kept secure by technical/organisational means
8. Transferred outside the EEA only if privacy is respected

Slide 10: DATA SUBJECT RIGHTS
Individuals have the following rights under the DPA:
1. Subject access
2. Object to processing in certain circumstances
3. Object to direct marketing (promotion of aims & ideals is marketing)
4. Automated decisions
5. Ask court to order compensation for damage caused by controller's breach of principles
6. Ask court to order correction of inaccurate data
Controller liable under 6th Principle for 1-4 above

Slide 11: DPA ISSUES AND RISKS
- Records management: security & staff training (7th Principle); subject access (6th Principle); data quality (Principles 1, 3, 4)
- HR information: most SARs are from current and former staff members, usually with a grievance; tests DPA compliance
- Fair processing notices: what do we tell people about the information we hold on them?
- Data sharing: who can we disclose to? Police? Parents? Other universities? Hospitals? Social services?

Slide 12: CCTV AND RELATED DP ISSUES (section heading)

Slide 13: COMPLYING WITH 1ST PRINCIPLE
Personal data must be processed fairly:
- General obligation to be fair
- Specific obligation to ensure that the individual knows who is processing, why, and anything else necessary for fairness
First Principle also requires lawfulness, e.g. must not:
- Breach confidence
- Breach copyright
- Be ultra vires (outside your powers)

Slide 14: FAIR COLLECTION - INFORMING THE DATA SUBJECT
Data protection notice must include:
- Identity of the data controller
- Purposes for which the data will be processed (especially any non-obvious purposes)
- Anything else necessary to make it fair
Purposes should be as wide as possible: cover any projected new purpose, e.g. sharing for fraud initiatives, using CCTV for disciplinary matters.
This is NOT a PR exercise. Beware: "Your information is regulated under the DPA"; "Your privacy is very important to us"; "We will never …"

Slide 15: WHAT TO INCLUDE IN YOUR NOTICE
Anything that the data subject ought to know about what will happen to his information in your hands, such as:
- What you use it for (purposes for processing)
- Any relevant rights, e.g. to opt out of marketing
- Who do you share it with, and why?
- How long you/they keep it
- What responses on forms are obligatory, and what information is not essential
- Will it be sent outside the UK?
- Any special security issues?
- Any sensitive data (e.g. health, religion, criminality)?

Slide 16: JUSTIFYING PROCESSING UNDER 1ST PRINCIPLE
Schedule 2 conditions are:
1. Data subject consent
2. Necessary for contract with data subject
3. Legal obligation of data controller
4. Vital interests of data subject
5. Necessary for public functions
6. Necessary in legitimate interests of data controller, or 3rd party recipient, except where unwarranted prejudice is caused to the data subject

Slide 17: WHAT IS CONSENT?
Consent is not defined, but general requirements are:
- Must be fully informed
- Freely given
- Capable of being withdrawn
- Has the data subject given some positive indication of his wishes?
- Is the data subject free to refuse?
NB: Consent does not work as a justification for processing HR data; deemed duress.

Slide 18: CCTV QUESTIONS
- Can CCTV images be personal data?
- What conditions legitimise the processing (Sch. 2 & 3)?
- Must you identify the Data Controller and purposes of the processing (e.g. public safety, crime prevention)?
- When don't you need signage?
- Could improper positioning of cameras be unfair to Data Subjects and result in the processing of excessive personal data?
- Can the Section 36 exemption be used by parents who record infant school nativity plays?

Slide 19: CCTV QUESTIONS
- Can you disclose the images (e.g. to the police)?
- How long can you retain them?
- Does the right of access apply? What are the obvious problems? (e.g. other individuals on the CCTV footage)
- Can the Data Subject object to the processing?
- Security of images (e.g. who has access, training; criminal offences could apply if CCTV data misused)
- Can damage arise from a breach of a Principle?
- ICO CCTV Code of Practice (essential reading)

Slide 20: FOIA EXEMPTIONS RELEVANT TO GOLDSMITHS (section heading)

Slide 21: FOI EXEMPTIONS RELEVANT TO GOLDSMITHS
- Exemption for personal data: s.40
- Exemption for prejudice to commercial interest: s.43
- Exemption for confidential information: s.41
- No exemption for research (except for Scottish authorities) nor for copyright (except if it is environmental information)

Slide 22: WHEN DOES FOI INVOLVE PERSONAL DATA?
- FOIA covers all information held by a public authority
- Includes information about staff, students, contacts from other universities, service users, business contacts, enquirers, complainers (patients, suspects, taxpayers etc., depending on who is the authority)
- Personal data may be included in publication schemes
- Personal data may be requested under s.1

Slide 23: INTERFACE WITH FOIA
- FOIA s.40 gives an exemption for personal data
- Personal data of the requester are exempt because access under FOI cannot displace subject access under DPA rules
- Personal data of a third party are exempt to protect personal privacy, but this is governed by the DPA principles, which cannot be displaced by FOIA
- If it would breach any DPA principle to disclose third party personal data to all the world under FOIA, then the information is absolutely exempt; no Public Interest Test

Slide 24: DISCLOSURE OF PERSONAL DATA UNDER FOIA
- All 8 principles apply, but usually tested under Principle 1: fairness, lawfulness, compliance with Schedules 2 & 3
- Lawfulness usually means no breach of confidence
- Fairness is about what data subjects (staff? officials?) ought to expect
- Generally, information about staff in their official capacity can be in the public domain, e.g. payscales, expenses
- Personal information about their private life (e.g. health, home life) is likely to be exempt
- The more senior the individual, the more public exposure
- Detailed ICO guidance

Slide 25: COMMERCIAL INTERESTS (s.43)
Qualified exemption for disclosures which are:
- Trade secrets, or
- Disclosures which could prejudice the commercial interests of any person, including the authority holding the information
Commercial interests: more than just financial; must involve trade or commerce
- Exemption from duty to confirm or deny
- National Maritime Museum Tribunal decision

Slide 26: COMMERCIAL INTERESTS: ISSUES
Commercial interest of a public authority or a third party:
- Is there a commercial activity? Financial interests insufficient
- Is there prejudice?
- Where does the balance of the public interest lie?
Tender and contractual processes:
- Include information with bid documentation
- Distinguish between current and new contracts
- Classification at the start of the contract
- Process agreed under the contract for classification during the life of the contract

Slide 27: CONFIDENTIALITY (s.41)
Absolute exemption for information provided in confidence, but information:
- must have been obtained from another person, and
- disclosure must give rise to an actionable breach of confidence
No public interest test if information qualifies
- Internally generated information will not count
- Exemption can apply to duty to confirm or deny

Slide 28: FREEDOM OF INFORMATION ACT 2000 - THE BASICS (section heading)

Slide 29: THREE ACCESS REGIMES (repeat of slide 2)

Slide 30: WHAT DOES FOIA DO?
- Presumption of right of access to any information held by a public authority
- Anything not available is covered by an exemption
- Information is free up to a costs limit
- Codes of Practice: on handling requests; on records management
- An enforcement mechanism and an independent regulator

Slide 31: HOW DOES FOIA WORK?
Two routes of access to information:
- Pro-active duty to publish information generally (publication scheme)
- Specific request for information: s.1 FOIA
Twofold duty under s.1:
- Duty to confirm or deny whether information is held
- Duty to communicate information

Slide 32: PROCEDURES AND OTHER OBLIGATIONS
- Formal request-handling procedures and time limits, e.g. 20 working days for response
- Communicate information in requester's preferred form
- S.45 Code of Practice on Handling Requests, e.g.:
  - Transferring requests
  - Consultation with third parties
  - Duty to help requesters and prospective requesters
  - Formalities for refusals
  - Obligation to deal with complaints
- S.46 Code of Practice on Records Management

Slide 33: WHEN CAN WE REFUSE?
Exemptions in FOI include:
- Requests that are too costly
- Nuisance requests
- Information already accessible, e.g. public registers
- National security, investigations, law enforcement
- Personal privacy (via the DPA rules)
- Health & safety
- Confidential information
- Commercial interests
...and most are subject to a public interest test.

Slide 34: FOI ISSUES FOR CONTRACTS AND TENDERING (section heading)

Slide 35: CONTRACTS AND FOI
- Disclosing information about your contractors in response to an FOI request
- What exemptions might be relevant?
- What should you agree to in your contract?
- ICO Guidance, and S.45 Code of Practice
- Managing the expectations of your contractors

Slide 36: COMMERCIAL INTERESTS (s.43) (repeat of slide 25)

Slide 37: COMMERCIAL INTERESTS: ISSUES (repeat of slide 26)

Slide 38: CONFIDENTIALITY (s.41) (repeat of slide 27)

Slide 39: PROVIDING ADVICE AND ASSISTANCE
- Duty to provide advice and assistance to persons who propose to make requests, or who have made requests for information (s.16)
- Does not apply to publication schemes
- S.45 Code of Practice published by DCA/MOJ sets out what authorities must do to help
- Compliance with Code discharges s.16 duty
- EIRs have same requirement (Reg. 9)

Slide 40: SECTION 45 CODE
- Publish your procedures for dealing with requests for information
- Draw the Act to the attention of potential applicants
- Help potential applicants make requests in writing
- Help potential applicants frame their requests
- Consider what can be provided free of charge if applicant does not want to pay
- Consider what can be provided within the upper limit if request exceeds limit

Slide 41: SECTION 45 CODE
- Advises on procedures for the transfer of requests from one public authority to another (but NB EIRs)
- Provides for consultation with persons affected by an FOI request
- Considers what confidentiality contract clauses should be used by public bodies
- Deals with complaints procedures

Slide 42: INFORMATION HELD BY CONTRACTOR
- Requests made for information which is in the hands of your contractor
- Complying with procedures & time limits
- What about costs of contractor response, and the FOI costs exemption?
- What you should try to negotiate in your contract
NB: Remember that rules are different for EIRs

Slide 43: COSTS UNDER FOIA
Three kinds of costs under FOIA:
1. Costs you can't do anything about (e.g. costs of dealing with the applicant; considering an exemption)
2. Appropriate Limit costs (determining, locating etc.)
3. Communication costs (P&P)
In practice information is free and you hardly ever charge a fee or send a fees notice

Slide 44: EXCEEDING APPROPRIATE LIMIT
- No obligation to comply if the authority estimates that cost would exceed the appropriate limit (s.12)
- No exemption from duty to confirm or deny unless this alone would exceed the appropriate limit
- Reg. 4: the only factors to be taken into account are:
  - Determining whether information is held
  - Locating it
  - Retrieving it
  - Extracting it
NB: Does extracting include redacting exempt materials?
- Staff time is chargeable at £25 per hour

Slide 45: COMMUNICATION COSTS
- If appropriate limit not exceeded, communication costs may be charged
- Reg. 6: limited to informing requester whether information is held and communicating the information. Specifically include costs of:
  - Complying with any preferred means of communication (s.11)
  - Reproducing any document
  - Postage and other transmission costs
BUT staff time spent on any of the above may not be charged (NB: except in voluntary responses!)

Slide 46: OUTSOURCING - SUPERVISING DATA PROCESSORS (section heading)

Slide 47: WHO IS A DATA PROCESSOR?
A data processor is an individual/organisation who processes data on behalf of the controller, for example:
- Outsourced payroll
- Offshore call-centre (increasingly common in India)
- Mailing house
- CCTV security firm
- Document destruction (e.g. a shredding company)

Slide 48: DATA PROCESSOR CONTRACTS
Data processors are not liable under the DPA. A data controller must:
- Choose a processor with sufficient security guarantees
- Take reasonable steps to ensure that processors comply with these guarantees
- Impose a written contract under which the processor is obliged to act only on the instructions of the controller and covenants to observe and perform all the obligations of the Seventh Principle
NB: link with Principle 8 for overseas transfers, but separate requirements

Slide 49: INFORMATION SECURITY - 7TH PRINCIPLE
Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Determine what is appropriate having regard to:
- the nature of the personal data to be protected
- the resulting harm which might arise from a breach
- state of the art & implementation cost
- the effectiveness of existing measures
- reliability of staff (e.g. appropriate training for all staff)

Slide 50: In the news…

Slide 51: RISK MANAGEMENT (1)
- Is there proof that all reasonable steps have been taken to comply with DPA's security duties?
- Are security standards for industry or sector being met?
- Is there a security policy?
- Is there a business continuity plan to cover inability to process data in an emergency?
- Does management take security seriously?
- Are the service provider's staff adequately trained in respect of data protection requirements? Have they been security vetted?

Slide 52: RISK MANAGEMENT (2)
- What contractual security obligations have you imposed upon the service provider?
- Is there a duty upon the service provider to report data security breaches?
- What powers do you have to audit the service provider to ensure that they are complying with their data protection obligations?
- What are the known risks for the kind of processing undertaken?
- Are data transferred securely?
- Is encryption used when data are processed on mobile devices?

Slide 53: OVERSEAS TRANSFERS - SOLUTIONS AND APPROACHES INCLUDING MODEL CLAUSES AND SAFE HARBOR (section heading)

Slide 54: LEGAL ISSUES
Data Protection Act 1998, Principle 8: "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
Don't forget the other data protection principles.

Slide 55: EUROPEAN ECONOMIC AREA
- Liechtenstein
- Canada
- Guernsey
- Argentina
- Isle of Man
- Norway
- Iceland

Slide 56: OPTIONS FOR COMPLIANCE - THE 8TH PRINCIPLE
1. Findings of adequacy by the EU (or Safe Harbor for USA)
2. Assessment of adequacy as set out in the 8th Principle
3. Seek an exemption from the adequacy obligation:
  - Consent of data subject
  - Necessary for performance of contract
  - Substantial public interest, vital interests, legal proceedings
  - Model contracts
  - Binding corporate rules

Slide 57: THE END
DATA PROTECTION, FREEDOM OF INFORMATION AND CONTRACTS: training for GOLDSMITHS COLLEGE
Copyright Amberhawk Training Limited, July

