Data protection & FOIA considerations


Prevent
Statutory duty: Exercise functions with due regard to the need to prevent people being drawn into terrorism.

Prevent
Terrorism is defined by Terrorism Act 2000 and includes action or threat of action which:
- Involves serious violence against a person.
- Involves serious damage to property.
- Endangers a person's life, other than that of the person committing the action.
- Creates a serious risk to the health or safety of the public or a section of the public or is designed seriously to interfere with or seriously to disrupt an electronic system.

& …
- Is designed to influence the government or an international governmental organisation or to intimidate the public or a section of the public, and the use or threat is made for the purpose of advancing a political, religious, racial or ideological cause.
- It includes action taken for the benefit of a proscribed organisation.
- Applies to action taken overseas and in relation to foreign governments.

Prevent guidance
Extremism is defined as:
- Vocal or active opposition to fundamental British values, including democracy, the rule of law, individual liberty and mutual respect and tolerance of different faiths and beliefs.
- It also includes calls for death for members of the armed forces.
- Extremism per se is not unlawful unless it amounts, for example, to incitement to violence or to religious/racial hatred.

Prevent guidance
- Challenging extremist ideas.
- Preventing transition from extremist groups (lawful) to terrorism?
- Effective co-operation with Prevent co-ordinators, police etc.
- Information sharing and provision of support, not covert surveillance.
- Comply with law on data protection and confidentiality.
- Where possible obtain consent to share information.

General Data Protection Regulation (GDPR)
- Balances the individual’s right to privacy with other legitimate interests.
- Privacy is not an absolute right.
- GDPR confers on the individual a degree of control over their data.
- Personal data is not HEIs’ sovereign property to use in ways incompatible with the purposes for which it has been obtained.
- “Personal data” is any information from which a living person can be identified directly or indirectly.
- GDPR applies from 25 May 2018.

GDPR
- Religious beliefs or political opinions amount to “special categories of personal data” (ie sensitive).
- Stricter conditions apply to processing sensitive personal data.
- Conditions for disclosing include (GDPR Article 9):
  - Individual’s explicit consent.
  - The information has been made public by steps deliberately taken by the individual.
  - To protect the individual’s vital interests where individual physically or legally incapable of giving consent.
  - Legal proceedings.
  - Substantial public interest subject to proportionality and safeguards for the individual.

GDPR
- Article 6 conditions for non-sensitive data include:
  - Consent.
  - To comply with a legal obligation (eg Terrorism Act 2000 – duty to report information of material assistance in preventing terrorism).
  - Vital interests (no qualification).
  - Necessary to perform a task in the public interest.
  - Legitimate interests provided no unwarranted intrusion in privacy? Does not apply to public authorities in the performance of their tasks.
- Non-sensitive personal data – must comply with one condition under Article 6.
- Special categories of personal data – must comply with two conditions – one from Article 9 and one from Article 6.

GDPR
Disclosure of personal data must be:
- Fair and transparent (reasonably anticipated).
- Relevant and not excessive (i.e. proportionate).
- Accurate.
- Data protection by design and default.
- Accountability (to the individual).

GDPR – possible crime exemption
- Exemption from most of Data Protection Act where:
  - Disclosure for purpose of:
    - Prevention/detection of crime.
    - Apprehension/prosecution of offenders.
  - Complying with the DPA would be likely to prejudice the above purposes.
- Exemption does not apply to justification, but usually justified in the public interest.
- GDPR – exemption not specifically included but member states may make separate provision of it.

Confidential information
- Must have the necessary quality of confidence.
- Must not be trivial (not tittle tattle).
- Must not be in the public domain.
- Simply labelling information “confidential” is not sufficient.

Confidentiality
- Not an absolute right.
- Defence to disclosure in breach of confidence where:
  - Consent of confider.
  - Compulsion of law – no general duty to report a crime. There are some exceptions eg Terrorism Act 2000.
  - Public interest – ie disclosures to the appropriate authorities e.g. preventing crime, correct misleading information.

Anxieties
- Extremism is not automatically unlawful.
- HEIs advance understanding and challenge received wisdom.
- Freedom of speech/expression – includes the right to express and receive shocking and disturbing ideas.
- Challenge – where is the threshold for reporting to police/Channel/Prevent co-ordinator?
- Fear of stereotyping and increased scrutiny of particular cohorts.

Information-sharing agreements
- Protocols.
- Types of information to be disclosed and when (eg anonymised data, trends and statistics).
- When specific personal data is disclosed.
- Cannot contract out of data protection obligations to third parties.
- Not intended to be a general mechanism for surveillance on behalf of the police.

Freedom of Information Act (FOIA)
- Right to a copy of information held unless exempt.
- Exemptions usually subject to public-interest test.
- Possible relevant exemptions:
  - Prejudice to effective conduct of public affairs.
  - Personal data (if cannot anonymise).
  - Prejudice to commercial interests.
  - Information intended for future publication (absolute).
  - Information reasonably accessible elsewhere.
  - Information supplied by/relating to bodies dealing with security matters (absolute).
  - Law enforcement.
  - Safeguarding national security.
  - Health and safety.
  - Confidential information received from a third party.

Case studies