Transcript PPT File
Data Protection and Freedom of
Information
The Carmichael Centre
13th March 2014
Introduction
•
•
•
•
•
Data Protection principles
Dealing with sensitive data
Current legislation
Purpose of the Freedom of Information Act
Rights of access and exemptions
Lecturer
• Ronan Lupton, B.A. (Hons), M.Sc., DipLs, B.L.
(King’s Inns) 2008.
• Practice
– Areas
– Experience
– Goals
Privacy: A Reference Point
• Constitutional Right: Though not unlimited
• Necessary for any law of privacy to first define
and identify what it aims to protect. It is also
useful to develop a clear conception of the
principles which justify and underpin the
protection of the right, so that the courts are
better equipped to accurately identify when a
person’s right to privacy is engaged and when,
on the other hand, that person is simply asserting
a “vacuous” freedom to do as he or she pleases.
Privacy: A Reference Point
Craig has identified six reasons for the protection of privacy:
(i)
Refuge: It allows the individual to retreat from the pressures of public
scrutiny and social norms
(ii) Freedom: Privacy prevents interference in a person’s acts.
(iii) Autonomy: It promotes autonomy by encouraging the individual to
make his own choices.
(iv) Creativity: By protecting the individual against conformist pressures, it
fosters creative experimentation, which leads to social diversity.
(v) Mental health: Privacy has been linked to individual mental health.
(vi) Intimacy: Privacy is a necessary condition for the creation of
relationships of trust and confidence
– J. Craig, “Invasion of Privacy and Charter Values” (1997) 42 McGill L.J. 355.
DP: Background & Genesis
• Motivated by a combined concern at the manner in which population
statistics had been used by the Nazi regime in Germany and the
emergence of technology that could store and process significant amounts
of data, measures emerged from various European bodies from the late
1970s onwards to regulate the manner in which personal information
about individuals was collected, stored and used.
• The EU Data Protection Directive (Directive 95/46/EC) incorporated the
principles of data protection contained in two earlier international
instruments:
– The OECD Guidelines Governing the Protection of Privacy and Trans-Border
Flows of Personal Data, 1980.
– The Council of Europe’s Strasbourg Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data, 1981.
• The Data Protection Directive extended the principles of data protection
to personal data kept on manual files, as well as automated filing systems.
It also provided for more specific protections and exemptions concerning
the use of personal data beyond those specified in the Strasbourg
Convention.
Background
• The Data Protection Act, 1988 was enacted following Ireland’s
ratification of the 1981 Strasbourg Convention and established the
office of the Data Protection Commissioner (DPC).
• The enactment of the Data Protection (Amendment) Act,
2003 brought Irish data protection law into line with the
requirements of the Data Protection Directive.
• The Electronic Privacy Directive (Directive 2002/58/EC) provided for
the privacy and security of personal data for users of publiclyavailable electronic communications services, such as telephone
communications systems, email, text and Internet services.
• The Electronic Privacy Directive was incorporated into domestic law
by the Electronic Privacy Regulations, 2003 (SI 535 of 2003, as
amended by SI 526 of 2008) and amended further in 2011 by SI 336
of 2011. Note the position on Cookies!
What’s it about?
• Personal data is information about a living person from which that person
is identified or can be identified by reference to that data or by reference
to that data and other information held or which is likely to come into the
possession of the person holding and controlling that information.
• In practice, any information that fully or partially identifies a person can
comprise ‘personal data’.
• A data controller is a person or entity that holds and controls the use of
personal data.
• A data controller is in a position to decide how personal data held by her /
him / it will be used. Certain categories of data controller - such as banks
and financial institutions - are obliged to register as data controllers with
the Data Protection Commissioner (see www.dataprotection.ie).
• A data processor is a person or entity that processes data on behalf of a
data controller (but the term does not include an employee of a data
controller who processes personal data on behalf of their employer in the
course of their employment).
What’s it all about?
• The term ‘data processing’ covers any use of data, including
collecting, recording, storing, consulting, transmitting and making
data available. The publication of personal data is therefore an act
of ‘data processing’.
• In business, data controllers frequently outsource the processing of
personal data to data processors in other jurisdictions. The 1988 Act
(as amended - section 11) prohibits the transfer of personal data to
processors outside the European Economic Area (EEA - being the
EU member states plus Norway, Liechtenstein and Iceland) unless
“an adequate level of protection” will apply to the data in the
jurisdiction to which it is exported.
• This provision applies, for example, to the transfer of customer
information by an Irish company to an overseas contractor
supplying customer support services on behalf of the Irish company.
Data Protection Principles
– The DPC’s website identifies eight fundamental rules
of data protection derived from the provisions of the
combined Data Protection Acts, 1988 to 2003
• Personal data must be obtained and processed fairly. A data
subject is entitled to be informed of the fact that data is
being collected about them, by whom it is being collected,
the purposes for which it is being collected and to whom it
will be disclosed.
• Personal data may only be kept and used for specified,
clearly stated and lawful purposes. This requirement
precludes the use of personal data for uses other than or
beyond those uses for which it was collected; the proposed
uses must be clearly stated to the data subject and those
uses must be lawful.
Data Protection Principles
• Personal data must only be processed (which term includes
publishing the data) in a manner that is consistent with the
stated purposes for which it was collected.
• Personal data must be kept safe and secure by the person
or entity holding it, whether in electronic, manual or other
form. This requirement affects email and computer access
security measures along with the disposal of written paper
records and information held in other formats.
• Personal data must be kept accurate, complete and up-todate by the person or entity holding it. Decisions about
data subjects (for example, the granting of loans or credit
facilities by financial institutions) should not be made on
the basis of information that is out-of-date.
Data Protection Principles
• The extent of personal data collected must be adequate for and
relevant to the stated purpose for which it is collected. The data
collected must not exceed what is necessary for those stated
purposes.
• Personal data should not be retained for longer than is necessary
for the stated purposes for which it is collected. The duration for
which the data can lawfully be retained will vary from case to case
depending on the purposes for which it was collected.
• A data subject is entitled to know what information is held about
them by a data controller and has a right to be given a copy of
that data on request. A data subject is also entitled to require the
correction of any inaccurate information held about her / him by a
data controller.
Dealing with Personal Data
• Any person or entity that collects and uses personal data
about an individual (a ‘data subject’) is obliged to comply
with data protection legislation. Personal data can include
data such as names, addresses, telephone numbers, voice
or image recordings and email addresses.
• Certain personal data can be ‘sensitive personal data’,
which term refers to information about a data subject’s
racial or ethnic origin, religious beliefs, political opinions,
health and sexuality or criminal record (the list is not
exhaustive) (section 1(1) of the 1988 Act, as amended).
• Additional protection applies to the collection and use of
sensitive personal data.
Dealing with Personal Data
• Section 4 – Right of Access – Subject Access
Request – Fee €6.35 – 40 days to comply
• Section 5 – Restriction on right of access
• Section 6 – Right of rectification and erasure
• Section 7 – Duty of Care – Collins v FBD
• Section 8 – Disclosure of personal data in
certain cases
Exemptions – S.8
Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is—
(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an
officer of the Permanent Defence Force who holds an army rank not below that of colonel and is
designated by the Minister for Defence under this paragraph, required for the purpose of
safeguarding the security of the State,
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or
prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to
the State, a local authority or a health board, in any case in which the application of those
restrictions would be likely to prejudice any of the matters aforesaid,
(c) required in the interests of protecting the international relations of the State,
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or
damage to property,
(e) required by or under any enactment or by a rule of law or order of a court,
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal
proceedings in which the person making the disclosure is a party or a witness,
(g) made to the data subject concerned or to a person acting on his behalf, or
(h) made at the request or with the consent of the data subject or a person acting on his behalf.
Journalists
• Journalists investigating stories for news, current affairs
or other journalistic purposes collect personal data
about individuals. An important exemption from data
protection requirements for processing personal data is
set out in section 22A of the Data Protection Act,
1988 (as inserted by section 21 of the Data Protection
(Amendment) Act, 2003).
• The exemption applies where the processing of
personal data is carried out with a view to publishing
that data for journalistic, artistic or literary purposes.
Under the section, there needs to be a public interest
justification for publishing personal data about an
individual.
DPC Complaints
• Personal information about individuals - such
as their name, address, telephone number or
photographic image - all can comprise
personal data.
• The collection, use and disclosure of that
personal data must be carried out in
accordance with data protection legislation.
Current Legislation – Incl. Privacy
• Article 40.3 of the Constitution
• Section 39(1)(e) of the Broadcasting Act, 2009
• Section 10 of the Non-Fatal Offences Against
the Person Act, 1997
• Data Protection Act, 1988 – 2011
• Section 62 of the Garda Siochana Act, 2005
• European Convention on Human Rights Act,
2003
Freedom of Information
• The Freedom of Information Act, 1997 (FOI) as amended by the Freedom
of Information (Amendment) Act, 2003 obliges government departments,
the Health Service Executive (HSE), local authorities and a range of other
statutory agencies to publish information on their activities and to make
personal information available to citizens.
• In addition, the Freedom of Information Act establishes the following
statutory rights:
– A legal right for each person to access information held by public bodies and
government departments
– A legal right for each person to have official information relating to
himself/herself amended where it is incomplete, incorrect or misleading
information
– A legal right to obtain reasons for decisions affecting himself/herself.
Freedom of Information
Duties of Public Bodies
• Information about the activities of public bodies covered by the Freedom
of Information Act (Section 15 and Section 16) is contained in the Freedom
of Information Manual, which every public body is obliged to publish.
• The information that must be made available in the manual includes:
– A general outline of the structure and functions, powers and duties of the
organisation; the services it provides to the public and the procedures by
which the public can avail of those services;
– A description of the types of records held
– The arrangements made to enable people to access information and records
and to correct inaccurate or misleading personal information if this arises
– Information that may assist people to exercise their rights under the Freedom
of Information Act.
• In practice, most of the public bodies covered by the Freedom of
Information Act have their Section 15 and 16 Manuals available on their
websites. Paper copies of these documents are also available
Freedom of Information
Requests for information
• You can ask for the following records held by
Government departments or certain public
bodies:
– Any records relating to you personally, whenever they
were created
– All other records created after 21 April, 1998
A record can be a paper document, information held on
computer, printouts, maps, plans, microfilm,
microfiche, audio-visual material, etc.
Freedom of Information
Applications
• It is important to note that it may not be necessary to make a request for
information under the Freedom of Information Act from a public body. A
considerable amount of material is already made available to the public
through information leaflets, publications and in response to oral and
written enquiries. Most organisations have a dedicated Information Office,
which is available to assist you with general queries, requests for
information and publications.
• If the information you require is not readily available, you must make your
request in writing to the FOI Unit of the public body and your application
should refer to the Freedom of Information Act. If your application for
information does not mention the Act, then your application will be dealt
with as an ordinary request for information. If information is required in a
particular form (e.g. photocopy, computer disk, etc.,) this should be
specified in the application.
Freedom of Information
• Try to be as specific as you can in order to enable the organisation
to identify the information you require. Where possible try to
indicate the time period for which you wish to access records (e.g.,
records created between May 1998 and December 1998).
• Further information on making a request under the FOI Act can be
found on the website of the Office of the Information
Commissioner.
• Under the Freedom of Information Act, a request for records must
be acknowledged within 2 weeks and, in most cases, responded to
within 4 weeks. If a third party is involved, there may be another
three weeks before a response.
Freedom of Information
FOI Review Procedures
• If you are not satisfied with the response of the public body to any aspect
of your request for information, (i.e., refusal of information, form of
access, charges) or you have not received a reply within 4 weeks of your
initial application, this is deemed a refusal of your request and you can
seek to have the decision re-examined by more senior members of staff
within the public body. The internal review of an FOI decision must be
made within 3 weeks. Applications for review of a decision should be
addressed to the FOI Unit of the public body involved.
• If you are still unhappy with the decision, you have the right to appeal the
decision to the Information Commissioner. The Information Commissioner
investigates complaints of non-compliance with Irish FOI legislation and
generally promotes a freedom of information culture in the Irish public
service.
Rights of Access/Exemptions
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
FOI - Specifically
NAMA
Meetings of the Government.
Deliberations of public bodies.
Functions and negotiations of public bodies.
Parliamentary, court and certain other matters.
Law enforcement and public safety.
Security, defence and international relations.
Conclusiveness of certain decisions pursuant to sections 23 and 24
Information obtained in confidence.
Commercially sensitive information.
Personal information.
Procedure in relation to certain requests under section 7 to which section 26, 27 or 28 applies.
Research and natural resources.
Financial and economic interests of the State and public bodies.
Enactments relating to non-disclosure of records.
Questions
Thank you!