Presentation on theme: "Information Law/ Data Protection Briefing 2007"— Presentation transcript:
1 Information Law / Data Protection Briefing 2007
Keith G Fraser, University Records Manager

Welcome to what I hope will be an informative and entertaining hour. Thank you for taking the time at this busy time of the year.

By April 2007, the Data Protection Act 1998 (DPA 1998) will have been in force for six years. During this time the Act has had a significant effect upon the ways in which FE and HE institutions handle their personal data processing. Today, across FE and HE institutions, all computerised processing of personal data, many structured manual records, and even some unstructured manual records are subject to provisions of the DPA 1998, including the right of the individual to access the data which is held about them. Together with the Freedom of Information Act 2000 (FOIA 2000) and the Freedom of Information (Scotland) Act 2002 (FOISA 2002), the DPA 1998 has forced a re-think of institutional good practice in personal data handling, required new approaches to records management and made institutions consider more carefully their obligations to those whose data they hold.

Data protection law has not been static during this time: various aspects of the DPA 1998 have been subject to judicial interpretation, and the FOIA 2000 has made amendments to the DPA 1998 with particular reference to 'public authorities', the definition of which includes both FE and HE institutions.

The Data Protection legislation has far-reaching implications for RGU and its staff. When combined with other legislation, this Act has significant implications for all RGU employees who are responsible for creating and storing information about individuals. Since the implementation of the DPA 1998 and FOISA 2002, RGU has moved towards a culture of giving out information by default. Provided that everyone follows the University's agreed guidance and procedures, the Information Acts should cause you little difficulty.

What I would like to do today is give you a brief overview of the legislation and how to approach it.
2 Today's topics
• Introduction
• DP across the globe
• Data protection: the legislative context
• The Data Protection Act: an overview
• FOISA 2002 and DP 1998
• Requests for information
• Subject access requests
• Requests for 3rd party data
• Points to consider and note
• Disclosure without consent
• Implications for web publishers
• Subject access procedures
• The Commissioners
• DP and researchers
• Further information
• Key points to note
• Data subject rights
• Any queries
4 Each year, Privacy International and the Electronic Privacy Information Center review the state of privacy in over fifty countries around the world. The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

The report finds that there is a worldwide recognition of privacy as a fundamental human right, and many countries around the world are enacting comprehensive data protection law to safeguard individual privacy. At the same time, however, privacy is increasingly being undermined by technical advances and by the demands of intelligence and law enforcement agencies for increased surveillance powers. This has increased since 11 September.
5 Legislative context
• Data Protection Act 1998: sets out eight principles giving a general standard for the processing of personal data
• Freedom of Information (Scotland) Act 2002: gives a general right of public access to all types of recorded information held by public authorities
• Overlap between the above Acts where personal data is concerned
• Freedom of Information Act 2000
• Human Rights Act 1998
• Environmental Information (Scotland) Regulations 2004

The Data Protection Act isn't an isolated administrative measure. It should be seen as an integral part of a much wider-ranging programme of constitutional reform that included issues such as devolution and House of Lords reform. While he was in opposition, Tony Blair said, 'It is a change that is absolutely fundamental to how we see politics developing in this country over the next few years… its introduction will signal a new relationship between government and people.' On this slide I have listed some of the other measures in this area that affect the way you handle information at work.

The Data Protection Act 1998 was passed as a result of increasing concern about the effects of technology on our society. It implements Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Act came into force in March. It repealed the previous UK legislation in this area, the Data Protection Act 1984.

The Act is amplified, in respect of personal data used in telecommunications, by a further directive specific to this area, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, which has been implemented in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003 No. …). It intersects with the Regulation of Investigatory Powers Act 2000, the Freedom of Information Act 2000 and FOISA 2002.
6 Data Protection Act: overview
• Personal data is information about an identifiable living individual, processed automatically or stored in a 'relevant filing system'
• Sensitive personal data is information about racial or ethnic origins, political opinions, religious beliefs, physical or mental health, etc.
• Notification: the process by which a data controller's processing details are added to a register
• Eight data protection principles
• Enforcement: the Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles

Data Protection Act 1998:
• Was passed in 1998 and came fully into force in 2001
• Was amended by the FOIA 2000 to cover additional issues in relation to public authorities, including colleges and universities
• Covers all personal data processed by FE and HE institutions, including computerised data, structured manual files and unstructured data, except where specifically exempted

The DPA gives individuals certain rights regarding information held about them. It places obligations on those who process information (data controllers) while giving rights to those who are the subject of that data (data subjects). Personal information covers both facts and opinions about the individual. Anyone processing personal information must notify the Information Commissioner's Office (ICO) that they are doing so, unless their processing is exempt. Notification costs £35 a year.

The Data Protection Act (DPA) provides a legal basis for the privacy and protection of the data of individuals in the UK. The Act places restrictions on organisations which collect or hold data which can identify a living person. The Act does not apply to domestic use, for example keeping a personal address book. Data collected by any person or organisation may only be used for the specific purposes for which they were collected. Personal data may only be kept for an appropriate length of time and must not be disclosed to other parties without the consent of the data owner. Schools, for example, may decide to keep information on former pupils for no longer than ten years.

The Act is overseen by an independent government authority, the Office of the Information Commissioner. Persons and organisations which store personal data must register with the Data Protection Commissioner. The UK Data Protection Act is a large Act and has a reputation for complexity: whilst the basic principles are honoured for protecting privacy, interpreting the Act is not always simple.
7 Data protection principles
The eight principles of good practice. Anyone processing personal information must comply with eight enforceable principles of good information handling practice. These say that data must be:
• fairly and lawfully processed
• processed for limited purposes
• adequate, relevant and not excessive
• accurate and up to date
• not kept longer than necessary
• processed in accordance with the individual's rights
• secure
• not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual
8 Further conditions
In processing fairly and lawfully, data controllers (us) must also comply with one of the six Schedule 2 conditions. These are:
• consent has been received, or
• processing is necessary for the performance of a contract with the data subject… or
• processing is necessary for legal compliance… or
• processing is necessary to protect the vital interests of the data subject… or
• processing is necessary for the administration of justice… or
• processing is necessary for the legitimate interests of the data controller
9 Data subject rights
There are several rights under the Act, including:
• right of access to personal data
• right to prevent processing if it would cause damage or distress
• right to prevent processing for direct marketing
• right to correction or deletion of inaccurate information
• rights regarding automated decision making
12 Data Protection Act 1998: enforcement
• Complaint to the Information Commissioner
• The University can be sued
• Personal criminal offences:
• destruction of information required for a subject access request
• unauthorised disclosure
• failure to comply with an enforcement or information notice
• failure to notify
13 Amendments to the DP Act (by FOISA 2002)
• The definition of data under the DP Act is widened to include all recorded information held by public authorities.
• The data subject has a right of access to unstructured personal data held, that is, any information at all!
• The data subject needs to describe the unstructured data when requesting access to it.
14 Request for information: FOI or DP?
First we need to ascertain which law applies, DP or FOI:
• Is the applicant for information also the subject of the information? or
• Is the applicant applying for information about a third party?
The answer to these questions determines which course of action follows.
15 FOISA and DP
• A request by an individual for information about him/herself is an absolute exemption under FOISA 2002.
• This would be a subject access request under the DP Act.
• The response requires heeding DP rules and regulations.
16 Dealing with subject access requests. 1
• Identify the type of request.
• There is a duty to provide advice and assistance to the requester.
• RGU has 40 working days to respond.
17 Dealing with requests. 2
• The information must be provided in the form requested, where 'reasonably practicable'.
• RGU has agreed procedures for dealing with requests and who is responsible for these.
• It is a criminal offence to alter, deface, block, erase, destroy or conceal information to prevent access.
18 Request for 3rd party personal data
A request for third party personal data may be exempt under FOISA 2002:
• if any of the data protection principles would be breached if the data were disclosed (absolute exemption);
• if the data subject himself would not get the information if he requested it under DP; the University must always consider the public interest;
• if the data subject has notified the data controller in writing that releasing the information would cause him harm or distress (s10 notice), but the public interest must still be considered.
19 Disclosure to third parties under DP 1998
Certain third parties may require disclosure of an individual's personal data. The University should, however, where possible, ensure that its students are properly warned of any known statutory disclosures that it is required to make. The Act makes no explicit reference to the nature of data that may be demanded by statutory obligation, so the University should be able to disclose to any properly grounded statutory request without falling foul of the law.
20 Third party authorisation for disclosure
• UK Funding Councils: Further and Higher Education Act 1992 s.79, duty to give information to the funding councils.
• Electoral registration officers (voter registration): Representation of the People Act 2000.
• Officers of the Department for Work and Pensions, and local authorities (benefit fraud): Social Security Administration Act 1992 s.110A, s.109B and s.109C.
• Health and Safety Executive (injuries and dangerous occurrences): Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995 s.3, notification and reporting of injuries and dangerous occurrences.
• Audit Commission and related auditing bodies (various): Audit Commission Act 1998 s.6, auditors' right to documents and information.
• Environmental Health Officers (notifiable diseases): Public Health (Control of Disease) Act 1984 and the Public Health (Infectious Diseases) Regulations 1988.
• Child Support Agency: Child Support (Information, Evidence and Disclosure) Regulations 1992.
• Police officers: court order. N.B. disclosures to the Police are not compulsory except in cases where the institution is served with a court order requiring the information.
• Other third parties: Court of Session, e.g. third party disclosure order.
21 Publication scheme and DP
• Some information in the University's publication scheme may be personal data.
• Consideration has to be given to data protection implications before deciding whether to include the information.
• The same tests have to be applied as for requests.
• Ultimate test: does its inclusion breach DP principles?
22 Points to consider
Care and awareness are required:
• If personal data is included in the University's publication scheme, DP implications must be considered at the outset.
• Requests for information: evaluation process (is it a DP or an FOI request?)
• Single point of contact for information
• Authenticity of the requester under DP
• Standard forms and templates might be a useful aid
• Remember timescales for response
• Staff awareness
23 Points to note
• Third parties may have a right to access any of the information we record.
• It is a criminal offence to tamper with existing records that have been requested for disclosure.
• There is no exemption for embarrassment.
• Always create records with an eye to other people seeing them.
24 Disclosing without consent
The Freedom of Information (Scotland) Act 2002 sets out criteria which institutions must consider in deciding whether it would be reasonable to disclose information without consent (although other considerations may also be relevant). These criteria are:
• any duty of confidentiality owed to that person;
• any steps that have been taken to seek their consent;
• whether the person is capable of giving consent; and
• any express refusal of consent by them.
25 Public interest test
The University will have to disclose the information if the public interest in disclosure outweighs the public interest in maintaining the exemption in question. The public interest includes, but is not confined to:
i) detecting or exposing crime or serious impropriety;
ii) protecting public health and safety;
iii) preventing the public from being misled by an action or statement of an individual or organisation.
27 Implications for web publishers
• The web is the University's favoured method of publication for the publication scheme.
• Beware of making personal details available on the internet:
• names and contact details of members of staff;
• listings for academic staff, which often give details of their research interests and publications;
• photographs of staff and students;
• minutes which contain the names of committee members.

How does the Data Protection Act affect what you publish on the Internet? The eighth data protection principle states that personal data must not be transferred to countries outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. When personal data is published on the Internet it is accessible all over the world. Publishing personal data on the Internet without the necessary protections is, therefore, a breach of the eighth data protection principle.
28 Subject access procedures
• This procedure applies to all Schools and Departments.
• The DP Act specifies that all requests for subject access must be made in writing.
• The University must comply within 40 days of receiving a validated request.
• The information provided must be in an intelligible form. If it contains codes or abbreviations, these should be explained.
29 Subject access procedures 2
• Must be in writing: by letter, or using the Personal Information Request Form. A form is available via the web pages; this ensures that all necessary information is given at the outset.
• The request doesn't have to mention the DP Act.
• The requester must provide some form of verification.
• A copy of a student access request goes to the Executive Director of IT.
• A copy of an employee record request goes to the Executive Director of HR.
• Respective School/Department contacts decide what information is disclosed, in liaison with the University's Records Manager.
30 What data is exempt from the Act?
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act.
Complete exemptions:
• Any personal data that is held for a national security reason is not covered. MI5 or MI6 don't have to follow the rules. They must get a Government Minister to sign a certificate saying that they are exempt.
• Personal data held for domestic purposes only, e.g. Christmas card lists.
31 Partial exemptions:
Some personal data has partial exemption under the terms of the Act. For example:
• The Inland Revenue and the Police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
• A data subject has no right to see information stored about them where it has to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
• A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
• Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
• Employment references written by a previous employer are exempt.
36 The Information Commissioner
The Information Commissioner's Office is an independent official body. The Information Commissioner is appointed by the Queen and is responsible for administering the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000 (UK except Scotland).
Information Commissioner: Richard Thomas
37 The Scottish Information Commissioner
The Commissioner must:
• promote good practice by Scottish public authorities in following the FoI(S)A and the codes of practice;
• consider what information it is desirable to have made available to the public about the FoI(S)A, its operation and good practice in relation to it, and ensure that such information is made available.
Scottish Information Commissioner: Kevin Dunion
40 Personal data
• The data gathered must be used exclusively for research purposes.
• A fair processing statement should be used to inform the individual of the purpose for which their data will be used.
• Data should not be used to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by a piece of research).
• Data should not be used in a way that would cause substantial damage or distress to any data subject.
• Researchers should not make the results of research, or any resulting statistics, available in a form that identifies data subjects. For example, if using case studies in a research report, they may choose to disguise the names of individuals. However, if their circumstances are described in detail, it may still be possible for someone to identify that individual, in which case the researcher would not meet this criterion.
41 Exemptions under the Data Protection Act
There are narrow exemptions that allow the use of personal data for research purposes under the Data Protection Act.
42 Exemptions for research purposes
If the processing is not used to support measures or decisions targeted at particular individuals, and it does not cause substantial distress or damage to a data subject, it is exempt from:
• the Second Principle, meaning that personal data can be processed for purposes other than those for which they were originally obtained;
• the Fifth Principle, meaning that personal data can be held indefinitely;
• the data subject's right of access to his personal data, where the data is processed for research purposes and the results do not identify data subjects.
43 Further information
• RGU's DP homepage: www.rgu.ac.uk/dp
• JISC Legal Information Service provides an enquiry service for information on FOI and other areas of ICT law.
• JISC Legal Information Service web site: for regularly updated news, links, papers and reports as the law and practice develop.
45 Points for noting
• Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller's representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration.
• Personal data processing may only take place if specific conditions have been met; these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that is, data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
• The Act covers personal data in both electronic and manual form.
• Personal data processing must be in accordance with the purposes notified by the University to the Data Protection Commissioner. If 'new processing' is to take place, the University's Records Manager should be consulted.
• Personal data must be kept accurate and up to date, and not for longer than is necessary.
• Appropriate security measures must be taken against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training.
• Personal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent); this includes the publication of personal data on the internet.
46 Data subject rights
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:
• to make a subject access request: an individual is entitled to be supplied with a copy of all personal data held;
• to require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process;
• to prevent processing likely to cause damage or distress;
• to prevent processing for the purposes of direct marketing;
• to take action for compensation if they suffer damage by any contravention of the Act by the data controller;
• to take action to rectify, block, erase or destroy inaccurate data; and
• to request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened.