Information Law/ Data Protection Briefing 2007 Keith G Fraser University Records Manager
Today's topics:
– Introduction
– DP across the globe
– Data protection: the legislative context
– The Data Protection Act: an overview
– FOISA 2002 and DP 1998
– Requests for information
– Subject access requests
– Requests for 3rd party data
– Points to consider and note
– Disclosure without consent
– Implications for web publishers
– Subject access procedures
– The Commissioners
– DP and researchers
– Further information
– Key points to note
– Data subject rights
– Any queries
Legislative context
– Data Protection Act 1998: sets out eight principles giving a general standard for the processing of personal data
– Freedom of Information (Scotland) Act 2002: gives a general right of public access to all types of recorded information held by public authorities
– The two Acts overlap where personal data is concerned.
– Also relevant: Freedom of Information Act 2000; Human Rights Act 1998; Environmental Information (Scotland) Regulations 2004
Data Protection Act: overview
– Personal data is information about an identifiable living individual, processed automatically or stored in a relevant filing system
– Sensitive personal data is information about racial or ethnic origins, political opinions, religious beliefs, physical or mental health, etc.
– Notification is the process by which a data controller's processing details are added to a register
– Eight data protection principles
– Enforcement: the Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles.
Data protection principles
The eight principles of good practice: anyone processing personal information must comply with eight enforceable principles of good information handling practice. These say that data must be:
– fairly and lawfully processed
– processed for limited purposes
– adequate, relevant and not excessive
– accurate and up to date
– not kept longer than necessary
– processed in accordance with the individual's rights
– secure
– not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual
Further conditions
In processing fairly and lawfully, data controllers (us) must also comply with one of the six Schedule 2 conditions. These are:
1. Consent has been received, or
2. Processing is necessary for the performance of a contract with the data subject, or
3. Processing is necessary for legal compliance, or
4. Processing is necessary to protect the vital interests of the data subject, or
5. Processing is necessary for the administration of justice, or
6. Processing is necessary for the legitimate interests of the data controller
Data subject rights
There are several rights under the Act, including:
– Right of access to personal data
– Right to prevent processing if it would cause damage or distress
– Right to prevent processing for direct marketing
– Right to correction or deletion of inaccurate information
– Rights regarding automated decision making
BBC News Monday 18 December
Data Protection Act 1998: enforcement
– Complaint to the Information Commissioner
– The University can be sued
– Personal criminal offences:
1. Destruction of information required for a subject access request
2. Unauthorised disclosure
3. Failure to comply with an enforcement or information notice
4. Failure to notify
Amendments to the DP Act (by FOISA 2002)
– The definition of data under the DP Act is widened to include all recorded information held by public authorities.
– A data subject has a right of access to unstructured personal data held, that is, any information at all.
– The data subject needs to describe the unstructured data when requesting access to it.
Request for information: FOI or DP?
First, ascertain which law applies, DP or FOI:
– Is the applicant for the information also the subject of the information? or
– Is the applicant applying for information about a third party?
The answer to these questions determines which course of action follows.
FOISA and DP
– A request by an individual for information about him/herself is an absolute exemption under FOISA 2002.
– This would instead be a subject access request under the DP Act.
– The response must heed DP rules and regulations.
Dealing with subject access requests (1)
– Identify the type of request.
– There is a duty to provide advice and assistance to the requester.
– RGU has 40 working days to respond.
Dealing with requests (2)
– The information must be provided in the form requested, where reasonably practicable.
– RGU has agreed procedures for dealing with requests and for who is responsible for these.
– It is a criminal offence to alter, deface, block, erase, destroy or conceal information to prevent access.
Request for 3rd party personal data
A request for third party personal data may be exempt under FOISA 2002:
– If any of the data protection principles would be breached if the data were disclosed: absolute exemption.
– If the data subject himself would not get the information if he requested it under DP. The University must always consider the public interest.
– If the data subject has notified the data controller in writing that releasing the information would cause him harm or distress (s10 notice), but the University must still consider the public interest.
Disclosure to third parties under DP 1998
Certain third parties may require disclosure of an individual's personal data. The University should, however, where possible, ensure that its students are properly warned of any known statutory disclosures that it is required to make. The Act makes no explicit reference to the nature of data that may be demanded by statutory obligation, so the University should be able to disclose to any properly grounded statutory request without falling foul of the law.
Third party: Authorisation for disclosure
– UK Funding Councils: Further and Higher Education Act 1992 s.79, duty to give information to the funding councils.
– Electoral registration officers (voter registration): Representation of the People Act 2000.
– Officers of the Department for Work and Pensions, and local authorities (benefit fraud): Social Security Administration Act 1992 s.110A, s.109B and s.109C.
– Health and Safety Executive (injuries and dangerous occurrences): Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995 s.3, notification and reporting of injuries and dangerous occurrences.
– Audit Commission and related auditing bodies (various): Audit Commission Act 1998 s.6, auditors' right to documents and information.
– Environmental Health Officers (notifiable diseases): Public Health (Control of Disease) Act 1984 and the Public Health (Infectious Diseases) Regulations 1988.
– Child Support Agency: Child Support (Information, Evidence and Disclosure) Regulations.
– Police officers: court order. N.B. disclosures to the police are not compulsory except in cases where the institution is served with a court order requiring information.
– Other third parties: Court of Session, e.g. third party disclosure order.
Publication scheme and DP
– Some information in the University's publication scheme may be personal data.
– Consideration has to be given to the data protection implications before deciding whether to include the information.
– The same tests have to be applied as for requests.
– Ultimate test: does its inclusion breach the DP principles?
Points to consider
Care and awareness are required:
– If personal data is included in the University's publication scheme, DP implications must be considered at the outset.
– Requests for information: evaluation process (is it a DP or an FOI request?); single point of contact for information; authenticity of the requester under DP; standard forms and templates may be a useful aid; remember the timescales for response.
– Staff awareness.
Points to note
– Third parties may have a right to access any of the information we record.
– It is a criminal offence to tamper with existing records that have been requested for disclosure.
– There is no exemption for embarrassment.
– Always create records with an eye to other people seeing them.
Disclosing without consent
The Freedom of Information (Scotland) Act 2002 sets out criteria that institutions must consider in deciding whether it would be reasonable to disclose information without consent (although other considerations may also be relevant). These criteria are:
– any duty of confidentiality owed to that person
– any steps that have been taken to seek their consent
– whether the person is capable of giving consent, and
– any express refusal of consent by them.
Public interest test
The University will have to disclose the information if the public interest in disclosure outweighs the public interest in maintaining the exemption in question. The public interest includes, but is not confined to:
i) Detecting or exposing crime or serious impropriety.
ii) Protecting public health and safety.
iii) Preventing the public from being misled by an action or statement of an individual or organisation.
Implications for web publishers
The web is the University's favoured method of publication for the publication scheme. Beware of making personal details available on the internet:
– Names and contact details of members of staff.
– Listings for academic staff often give details of their research interests and publications.
– Photographs of staff and students.
– Minutes which contain the names of committee members.
The Data Protection Act affects what you publish on the internet:
– The eighth data protection principle states that personal data must not be transferred to countries outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. When personal data is published on the internet it is accessible all over the world. Publishing personal data on the internet without the necessary protections is, therefore, a breach of the eighth data protection principle.
Subject access procedures
– This procedure applies to all Schools and Departments.
– The DP Act specifies that all requests for subject access must be made in writing.
– The University must comply within 40 days of receiving a validated request.
– The information provided must be in an intelligible form. If it contains codes or abbreviations, these should be explained.
Subject access procedures (2)
– Must be in writing: by letter, or by Personal Information Request Form. A form is available via the web pages; this ensures that all necessary information is given at the outset.
– The request doesn't have to mention the DP Act.
– The requester must provide some form of verification.
– A copy of a student access request goes to the Executive Director of IT.
– A copy of an employee record request goes to the Executive Director of HR.
– The respective School/Department contacts decide what information is disclosed, in liaison with the University's Records Manager.
What data is exempt from the Act?
There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act.
Complete exemptions:
– Any personal data that is held for a national security reason is not covered. MI5 or MI6 don't have to follow the rules; they must get a Government Minister to sign a certificate saying that they are exempt.
– Personal data held for domestic purposes only, e.g. Christmas card lists.
Partial exemptions:
Some personal data has partial exemption under the terms of the Act. For example:
– The Inland Revenue and the Police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
– A data subject's right to see information stored about them can be withheld where it has to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
– A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
– Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
– Employment references written by a previous employer are exempt.
Fees
The University does not have to levy a fee. However, it may charge £10, which is the standard fee set by the Information Commissioner for answering subject access requests.
The Information Commissioner
Information Commissioner: Richard Thomas
The Information Commissioner's Office is an independent official body. The Information Commissioner is appointed by the Queen and is responsible for administering the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000 (UK except Scotland).
The Scottish Information Commissioner
Scottish Information Commissioner: Kevin Dunion
The Commissioner must:
– Promote good practice by Scottish public authorities in following the FoI(S)A and the codes of practice.
– Consider what information it is desirable to have made available to the public about the FoI(S)A, its operation and good practice in relation to it, and ensure that such information is made available.
Data Protection and Research
Personal data
– The data gathered must be used exclusively for research purposes.
– A fair processing statement should be used to inform the individual of the purpose for which their data will be used.
– Data should not be used to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by a piece of research).
– Data should not be used in a way that would cause substantial damage or distress to any data subject.
– Researchers should not make the results of research or any resulting statistics available in a form that identifies data subjects. For example, if using case studies in a research report, they may choose to disguise the names of individuals. However, if their circumstances are described in detail it may still be possible for someone to identify that individual, in which case the researcher would not meet this criterion.
Exemptions under the Data Protection Act
There are narrow exemptions that allow the use of personal data for research purposes under the Data Protection Act.
Exemptions for research purposes
If the processing is not used to support measures or decisions targeted at particular individuals, and it does not cause substantial distress or damage to a data subject, it is exempt from:
– The second principle, meaning that personal data can be processed for purposes other than those for which they were originally obtained;
– The fifth principle, meaning that personal data can be held indefinitely;
– The data subject's right of access to his personal data, where the data is processed for research purposes and the results do not identify data subjects.
Further information
– RGU's DP homepage
– JISC Legal Information Service: provides an enquiry service for information on FOI and other areas of ICT law
– JISC Legal Information Service web site: regularly updated news, links, papers and reports as the law and practice develop
Points for noting
– Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller's representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration.
– Personal data processing may only take place if specific conditions have been met; these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that is, data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
– The Act covers personal data in both electronic form and manual form.
– Personal data processing must be in accordance with the purposes notified by the University to the Data Protection Commissioner. If new processing is to take place, the University's Records Manager should be consulted.
– Personal data must be kept accurate and up to date, and not for longer than is necessary.
– Appropriate security measures must be taken against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training.
– Personal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent). This includes the publication of personal data on the internet.
Data subject rights
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:
– To make a subject access request: an individual is entitled to be supplied with a copy of all personal data held.
– To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process.
– To prevent processing likely to cause damage or distress.
– To prevent processing for the purposes of direct marketing.
– To take action for compensation if they suffer damage by any contravention of the Act by the data controller.
– To take action to rectify, block, erase or destroy inaccurate data, and
– To request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened.