Data Protection & FOI
Data Protection: Background. Human Right to Privacy; Unenumerated right under Irish Constitution; Explicit right under European Convention on Human Rights; ECHR Act 2003; EU Data Protection Directives
EU & Irish Legislation: Data Protection Directive 95/46/EC; Electronic Privacy Directive 2002/58/EC; EUROPOL etc.; Data Protection Acts 1988 & 2003; EC Electronic Privacy Regulations 2003 (SI 535/2003); Corresponding Acts; Good Friday Agreement; Disability Act 2005
Definitions: DP. Personal Data: “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1). Applies to any data that is processed (includes hosting) using any medium by a legal entity. Therefore paper, computer, network, web, phone etc.
FOI: Personal Information (narrower) means information about an identifiable individual that: (a) would, in the ordinary course of events, be known only to the individual or members of the family, or friends, of the individual, or (b) is held by a public body on the understanding that it would be treated by it as confidential, and, without prejudice to the generality of the foregoing, includes etc…
DP: Information relating to the living individual only; Information held on a relevant filing system; Some potential to claim “disproportionate effort” in rare circumstances. FOI: Also relates to the deceased; Need to search for information; No provision for not retrieving documents.
DP/FOI Access to Personal Information: DP and FOI Acts reinforce one another in relation to personal access in the public sector. Defending access to personal information as human (DP) and citizen (FOI) right.
Access to personal info: DP v FOI? New Circular no 23 from D/Finance: Where a request is made to a public body by, or on behalf of, a person seeking access to their own personal information under the Freedom of Information Act, this request should also be taken as a request under the Data Protection Acts.
Legislative Basis: Section 1(5) of the Data Protection Act 1988 and 2003 requires co-operation between Data Protection and Information Commissioners. Section 7(7) of the FOI Act imposes a duty on public bodies to assist people who request information or access to a record from a public body otherwise than under FOI.
Procedural Arrangements: Decision should be made in shortest time possible under the Acts. Usually FOI at 20 working days. Suggest that public bodies review information on hand under each legislative framework and give the person the maximum amount of their personal data.
Procedural Arrangements (2): If the decision is to grant access in full, there is no necessity to mention the other Act in the decision issued to the requester. If the decision is to refuse an individual access to some or all of her/his personal information, the decision letter should refer to the individual's right to internal review under the FOI Acts and to the right to complain to the Data Protection Commissioner under the Data Protection Acts.
The Right of Access (1): Data subject must apply in writing & provide sufficient information to satisfy data controller of his/her identity … and to locate any relevant data. Data controller must give data subject a description of personal data held, its purpose and to whom it may be disclosed. Data controller must supply a copy of the data in intelligible format.
Right of Access (2): Restrictions. Investigation of crime, or assessing tax; Subject to case-by-case “prejudice” test; International relations of the State; legal professional privilege; estimate of liability for damages or compo.; data kept by DP or Info Commissioners for their functions; Health and Social Work data: special provisions.
Disclosure of Personal info to Third Parties. DP: No provision for release of personal information to third parties; No obligation to release information in relation to third parties when responding to access request. FOI: Where a public interest outweighs the individual’s right to privacy; consent.