Data Protection and Freedom of Information

Objectives Describe the main points of the Data Protection Act 1998 and Freedom of Information Act 2000 Illustrate the “things you need to know” about DP and FOI

The Acts Data Protection Act 1998 came into force in March The Act covers information about living individuals Freedom of Information Act 2000 came into force in January 2005 and provides a right of access to information held by public bodies The Information Commissioner’s Office regulates the operation of the DPA & FOIA

DPA or FOI? To release or not to release? A student requests his examination results A student requests the College internal guidelines for dealing with appeals A local authority wishes to verify a student’s details for Council Tax A parent wants to know if their son or daughter is attending classes These areas will be reconsidered in terms of whether or not to release the data or information and which law applies

Data Protection Act All Data Controllers must be registered with the Information Commissioner’s Office. The registration specifies the purposes for which data is processed Data Subjects are the person about whom the data is held Data processing covers the collection, recording, holding, maintenance and destruction of any data Personal data is information about any living person who can be identified from that information Sensitive Personal Data relates to information about an individual’s health, ethnicity, criminal convictions, sexual life, religious belief, political opinions, trade union membership

Data Protection Act (cont.) Eight Data Protection Principles, which should be complied with. Data shall: 1.Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met 2.Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose 3.Be adequate, relevant and not excessive for those purposes 4.Be accurate and kept up to date 5.Not be kept for longer than is necessary for that purpose 6.Be processed in accordance with the data subject’s rights 7.Be kept secure from unauthorised access, accidental loss or destruction 8.Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data

Data processing good practice The following checklist is taken from the Information Commissioner’s Office Website: Do I really need this information about an individual? Do I know what I'm going to use it for? Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for? If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this? Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure? Is access to personal information limited to those with a strict need to know? Am I sure the personal information is accurate and up to date? Do I delete or destroy personal information as soon as I have no more need for it? Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?

Freedom of Information Act Places a duty on public authorities (that includes QMUL) to ensure access is available to official information Regardless of age, format or origin of the info. Each public organisation must publish a Publication Scheme which is approved by the Information Commissioner. QMUL’s scheme is found on its website /index.html /index.html

Dealing with Requests Request under DPA (known as Subject Access Request) must be dealt with in 40 calendar days (except for examination results); a maximum fee of £10 may be charged An FOI request must be dealt with in 20 working days. If the request is excessive and costly it can be refused on these grounds Both types of request may come to any part of the College and need to be logged with the Records & Information Compliance Manager Records & Information Compliance Manager If you are unsure, check with the Records & Information Compliance Manager

Some FOI Exemptions FOI exemptions are either absolute or qualified. Qualified exemptions are subject to the public interest test. Absolute exemptions do not require this Personal information, where the DPA applies and the release of information would lead to the identification of an individual - this is an absolute exemption Where information is commercial the information might be covered by a qualified exemption as its release could be damaging to the College or another party Vexatious and repeated requests or requests that have been declined recently for good reason can be exempt

Some DPA Exemptions Section 29 exemptions: data may be provided without the consent of the Data Subject to authorities for the purposes of the prevention and detection of crime and benefits/tax fraud etc. All such requests must be specific, state for what the data will be used and be checked with the QM Data Protection OfficerQM Data Protection Officer Research exemptions: personal data may be processed for the purpose of research without the consent of the Data Subject. However, the identity of the Data Subject must not be made known without explicit consent and the data must not be used to support decisions about that individual or where there may be substantial damage or distress. The time restrictions are different – data for research purposes only may be kept indefinitely Examination results: there is a longer time frame so students cannot access results earlier

Dos and Don’ts DO respond quickly – the clock is ticking DO remember that we have a duty to provide advice and assistance DON’T withhold information without a clear justification under one of the exemptions DON’T wilfully destroy or alter any original documents – that’s a criminal offence

Examinations Comments on scripts but not scripts themselves can be accessed under DPA Exam Board minutes can be accessed under DPA (about that individual only) but not FOI Achievement/progression data can be accessed under DPA It is okay to put lists of those who have passed on the noticeboard but by student number is preferable and only if you have told students that this is how their results are published You should not pass on an individual student’s results to a third party External examiners reports – in most circumstances these would be accessible under FOI despite the argument they are confidential and it is important to ensure that External Examiners are able to write frank and helpful comments – in the public interest!

Research Personal data may be used for purposes beyond the originally stated purpose Can be retained indefinitely Exempt from SARs – as long as published research does not identify individuals FOI – Commercial interests or subject to future publication

To release or not release A student requests his examination results A student requests the College internal guidelines for dealing with appeals A local authority wishes to verify a student’s details for Council Tax A parent wants to know if their son or daughter is attending classes

Other Sources of Guidance Updated Data Protection Policy Guidelines on dealing with SARs and other scenarios e.g. photos, marketing, third parties FOI pages on QM website ICO website has lots of specific guidelineswebsite See on the QMUL website

Questions?

Contact Records & Information Compliance Manager Tel: (13) 7596