Data Protection and FOI: An Introduction
Training session, 3 March 2015
Dr James Knapton, Information Compliance Officer, Registrary’s Office
http://www.admin.cam.ac.uk/univ/information/
Programme
• Part I: Data Protection Act 1998
 what is personal data?
 what are the data protection principles and how do they affect me?
 handling Subject Access Requests
• Part II: Freedom of Information Act 2000
 what is FOI?
 handling FOI requests
• Part III: Records management
 what is a record?
 what is records management and how can it help me?
How do these topics interrelate?
• DPA and FOIA: ‘information law’ overseen by Information Commissioner (ICO)
• DPA 1998: ‘An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information’
 focus on privacy for individuals
 framework for all organisations
• FOIA 2000: ‘An Act to make provision for the disclosure of information held by public authorities or by persons providing services for them’
 focus on openness
 framework for (broad) public sector only
• Records management: implicit in both Acts
Part I
PART I: DATA PROTECTION ACT 1998
What is ‘data’?
• DPA imposes obligations on all organisations that ‘process’ personal data
• Processing = obtaining, recording, holding, amending, destroying, disclosing…
• Data as defined in the DPA
 information processed on computer or other technology
 information waiting to be entered onto a computer
 information in a ‘relevant filing system’ structured by reference to individuals
 specific sorts of health / education (schools) / social services records
• But definition extended by FOIA for some purposes for public authorities
 any recorded information
What is ‘personal data’?
• Relates to a living individual
• Can be identified from the information itself or from the information plus any other information held by the ‘data controller’
• Data controller = the University as a whole but not the Colleges
• Includes any expression of opinion about the individual
• Includes any indication of the intentions of the data controller or any other person towards the individual
What is ‘sensitive personal data’?
• Specifically defined in the DPA
• Applies solely to
 racial or ethnic origin
 political opinions
 religious beliefs
 Trade Union membership
 physical or mental health
 sexual life
 criminal offences and court proceedings about these
Practical exercise on identifying personal data
The data protection principles
• Personal data must be
 1: processed fairly and lawfully
 2: obtained and processed for specified purposes
 3: adequate, relevant and not excessive
 4: accurate and, where necessary, kept up to date
 5: not kept for longer than is necessary
 6: processed in accordance with the rights of data subjects
 7: processed securely to prevent unlawful use and accidental loss or destruction
 8: not transferred outside the EEA without adequate protection
The first principle: fair processing
• Need to satisfy a condition for processing
 the data subject has consented
 to operate a contract with the data subject
 to meet a legal or judicial obligation
 to protect a data subject’s vital interests
 to meet the legitimate interests of data controller
• Must inform the data subject, by way of fair processing / privacy notices
 who you are
 how you’ll use their information
 who you’ll disclose it to
The first principle: lawful processing
• ‘Lawful’ not defined in the DPA
• ICO guidance on what is ‘unlawful’
 criminal offence
 breach of explicit or implicit duty of confidence
 organisation exceeds its legal powers
 copyright infringement
 breach of enforceable contractual obligation
 breach of Article 8 of the Human Rights Act 1998: right to respect for a private and family life
The first principle: fair and lawful disclosure
• No blanket ban on disclosure of information about individuals without their consent or even without having told them
• Some disclosures to outside parties are mandated as fair and lawful
 to the police or taxation authorities
 to medical professionals
 for statutory reporting (e.g. to HSE)
 in connection with actual or prospective legal proceedings
 if ordered by a court
The second and fifth principles: research exemptions
• Exemptions from the second and fifth principles for research
 personal data can be processed for research purposes other than those for which they were originally obtained
 personal data processed for research purposes can be held indefinitely
 sensitive personal data can be processed for research purposes in the substantial public interest where research subjects will not suffer damage or distress and the research will not lead to decisions about them
• But no blanket exemption from rest of DPA
 need to inform research subjects how you’ll use their data now and in future (participant information / consent forms)
 need adequate security measures and need to manage disclosures and transfers lawfully
The seventh principle: information security
• Must ensure an ‘appropriate’ level of security for the data in question
• Must take ‘reasonable’ steps to ensure the reliability of employees who process the data
• If a ‘data controller’ sub-contracts or outsources to a ‘data processor’
 must have a contract made or evidenced in writing
 data processor must only operate on instructions from data controller
 data processor must comply with obligations equivalent to seventh principle
 data controller liable for any loss or damage
The eighth principle: transfers outside the EEA
• Need an ‘adequate’ level of protection for rights and freedoms of data subjects
• Can be achieved by
 transfer to a country deemed by EU to offer adequate protection
 use of EU model clauses or binding corporate rules
 ‘safe harbor’ transfer to certain US companies or organisations
 data controller makes own assessment of adequacy
• Exemptions from the eighth principle
 with the consent of the data subject
 to operate a contract with the data subject
 to protect the vital / legal interests of the data subject
The sixth principle: rights of data subjects
• Right to prevent processing causing substantial and unwarranted damage or distress
• Right to block, rectify and correct inaccurate data
• Right to prevent direct marketing
• Right to object to automated decision-making
• Right to claim compensation for damages
• Right of subject access
What is a Subject Access Request?
• An individual’s right to receive copies of their own personal data from the data controller
• Many staff are answering informal Subject Access Requests as part of routine correspondence
• Formal procedures: in writing, proof of ID, £10 fee
• Cannot insist that a request is narrowed down but can ask questions to help locate the information
• Right is to copies of the personal data in a permanent form within 40 calendar days, plus a description of the purposes, sources and recipients of the data processing
• Criminal offence to destroy or amend data once request received
Procedure for handling Subject Access Requests
• Request sent or forwarded to Data Protection Officer
• Data Protection Officer contacts relevant staff to coordinate searches
• Data Protection Officer assesses material against Durant v. FSA (2003) definition of personal data
 mere mention of a person in a document does not necessarily amount to their personal data
 need to assess whether the information is biographical, focuses on and is obviously ‘about’ the individual, and if it affects their privacy
• Data Protection Officer applies exemptions and redactions before responding
• If requester unhappy, can complain to ICO or direct to the courts
Subject Access exemptions (1)
• No exemption simply because
 of a dispute or formal internal proceedings
 a document is marked ‘confidential’
 release would be embarrassing or problematic
• Main restriction
 information relating to another identifiable individual
 unless that individual consents or it is ‘reasonable in all the circumstances’ to disclose without their consent
Subject Access exemptions (2)
• Information subject to legal professional privilege
• Data processed solely for journalism, art, research, history or statistics
• Data processed for management forecasting and planning
• Data concerning negotiations with the data subject
• Health information, where it would cause serious harm to release it
• Exam scripts but not examiner comments
• Confidential references from the University but not those received
• Where disclosure would prejudice national security, the armed forces, the confidentiality of Crown appointments, or criminal / taxation matters
• Where disclosure would incriminate the data controller other than under the DPA
Practical exercise on Subject Access Request handling
Part II
PART II: FREEDOM OF INFORMATION ACT 2000
What is Freedom of Information?
• FOIA imposes two main obligations on ‘public authorities’
 adoption and maintenance of a Publication Scheme in accordance with sector-specific model issued by ICO
 legal requirement to respond to individual requests for information
• Like SARs, many staff are answering informal FOI requests as part of routine correspondence
What is a valid FOI request?
• In writing and need not mention FOI
• Free to make
• Request for recorded information
 not for explanations, opinions, commentaries, estimates
 no need to create new information but may be complex to extract it from multiple files or systems
• Entitlement is to information not necessarily documents but need to note requester’s preferences on format
• Duty to provide advice and assistance to requesters
• Need to respond ‘promptly’ and in any event within 20 working days
What is asked for under FOI?
• Request load growing dramatically
• In order of volume of requests, top topics asked about in 2014
 student issues and numbers
 admissions
 financial information
 management and administration
 HR and staff issues
 teaching and assessment
 IT provision and use
 procurement issues
Who is making FOI requests?
• Wide variety
 journalists
 commercial organisations
 campaigning organisations
 (ex-) staff
 (ex-) students
 complainants
• Many round robins
• FOIA is applicant and motive blind
Procedure for handling FOI requests
• Request sent or forwarded to FOI Officer
• FOI Team contacts relevant staff to coordinate information gathering
 core contacts in UAS Divisions and other administrative areas
 staff in Schools and Departments
 individual academics
• FOI Team applies exemptions and redactions before responding
• If requester unhappy, can complain
 first to the University
 then to ICO
 then to First-Tier Tribunal (Information Rights)
FOI exemptions
• Procedural
 exceeds cost (£450) or time (18 hours) ‘appropriate limit’
 repeated
 ‘vexatious’
• Otherwise divided into absolute and qualified depending on whether we need to consider the public interest test
 ‘in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information’
FOI absolute exemptions
• Information accessible to requester by other means
• Personal information – must not breach data protection principles
• Information provided in confidence but not internally marked as confidential
• Prohibition on disclosure due to other legislation or court order but not due to a contract
• Supplied by or relating to the security services
• Court records
• Parliamentary privilege
FOI qualified exemptions
• Information intended for future publication
• Prejudice to law enforcement
• Prejudice to the ‘effective conduct of public affairs’ – needs VC approval
• Endangerment of health and safety
• Legally privileged information
• Trade secrets or prejudice to ‘commercial interests’
• Police and regulatory body investigations
• Prejudice to national security or defence functions or international relations or relations within the UK or the national economy or audit functions
• Formulation of government policy or communications with the Queen
Environmental Information Regulations
• Environmental information is exempt from FOI
 state of the environment and factors affecting the environment
 policies, plans and activities that affect the environment
 state of human health and safety, the food chain, cultural sites
• Access rights are governed by the Environmental Information Regulations 2004
• Broadly similar procedures and exemptions (‘exceptions’)
• In practice treated the same as FOI requests
Practical exercise on FOI request handling
Part III
PART III: RECORDS MANAGEMENT
FOIA Code of Practice
• Lord Chancellor’s Code of Practice on the Management of Records
 records management framework
 records management policy
 retention of records for regulatory purposes
 proper system of records keeping
 know what records you hold
 secure storage and controlled access
 timeframe for destruction of old records
 share records within certain protocols
 monitor own records management performance
The basics of records management
• University records = all materials that staff create, update, refer to or destroy in the course of carrying out their contractual duties at the University
• Records exist in paper and electronic format
• Records management = systems and processes in place for the creation, maintenance, handling and disposal of records
• Good records management
 helps the University to meet legal obligations
 supports core activities
 promotes better working practices
Types of records
• Three types of records
 master (whether paper or electronic)
 duplicate
 transitory
• Duplicate and transitory records: appropriate use then secure destruction when no longer in current or reference use
• Master records: appropriate use then, after a fixed period of time,
 secure destruction
or
 transfer to central archive for permanent preservation
Records handling
• Appropriate use = straightforward principles of confidentiality and security depending on contents
• Good records management
 know what information you hold and for what purposes
 know what – and when – to update, keep and destroy
 apply appropriate access controls and security measures
 understand remote and mobile working provisions
• Every record that is created may potentially be disclosed
 under DPA to an individual
 under FOIA to the public
Cambridge records management framework
• Statement of Records Management Practice
 principles and responsibilities
• Master Records Retention Schedule
 recommendations on how long to keep master records and what to do with them once this time period has elapsed
 incorporates legislation and sector best practice
• Procedural guidance
Practical exercise on good and bad records management
Looking forward
• New draft EU legislation on data protection being debated
• New FOI exemption for pre-publication research data (Intellectual Property Act 2014)
• Possible further amendments to FOI following post-legislative scrutiny