Regulatory Activity (Section 31)


Data Protection Act

The Data Protection Act 1998 (DPA) is based around eight principles of good information handling. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

An overview of the main provisions of the DPA can be found in The Guide to Data Protection.

This is part of a series of guidance, which goes into more detail than the Guide to Data Protection, to help you as an organisation to fully understand your obligations, as well as promoting good practice.

This guidance explains the circumstances in which the regulatory activity exemption (in section 31 DPA) may be used by data controllers to withhold information requested or to be provided under the subject information provisions of the DPA.

Overview

Section 31 provides an exemption from the subject information provisions for the processing of personal data in connection with regulatory activities.

The exemption is not available to all organisations. It applies only to information processed for the core regulatory activities of appropriate organisations.

Even where the exemption is to be used by an appropriate organisation in relation to information processed for core regulatory functions, it may not be used in a blanket manner. The exemption applies only to the extent that the application of the subject information provisions to the information in question would be likely to prejudice the proper discharge of the regulatory functions.

What the DPA says

Subsection 31(1) outlines the general scope of the exemption:

Subsection 31(1)
"Personal data processed for the purposes of discharging functions to which this subsection applies are exempt from the subject information provisions in any case to the extent to which the application of those provisions to the data would be likely to prejudice the proper discharge of those functions."

Section 31 applies to the processing of personal data in order to carry out various regulatory functions. The exemption applies to the provision of information to data subjects to ensure fair processing of their personal data [1] and the individual's right of access to his personal data [2].

The functions that subsection 31(1) refers to are set out in subsections 31(2) to 31(5). The exemption for regulatory activity only applies to personal data processed for the purposes of discharging these functions.

Our general approach

When considering section 31 it is important not to become overly concerned with the detailed wording of the section without first considering the overall scope of the exemption. You should consider both the types of regulatory organisations that are able to use the exemption and the types of regulatory functions that are covered.

Organisations that may rely on section 31

The exemption is not available to all organisations and only applies to the core regulatory activities of bodies which perform appropriate public regulatory functions, primarily watchdogs.

[1] The first data protection principle to the extent to which it requires compliance with paragraph 2 of Part II of Schedule 1 DPA.
[2] Section 7 DPA.

Regulatory functions

Subsection 31(2) provides an overview of the types of functions the exemption applies to. It only applies to data processed to discharge regulatory functions concerning:

- the protection of members of the public (from dishonesty, malpractice, incompetence or seriously improper conduct or in connection with health and safety matters);
- the protection of charities; or
- fair competition in business.

Subsection 31(3) clarifies that the functions listed in subsection (2) are limited to:

(a) functions conferred on any person by or under any enactment;
(b) any function of the Crown, a Minister of the Crown or a government department; or
(c) any other function which is of a public nature and is exercised in the public interest.

The scope of paragraph (c) of subsection (3) has created difficulty. The paragraph is concerned with functions of a public nature exercised by a variety of watchdogs whose regulatory role is recognised by both the general public and the sector that they oversee. Such regulators may be established by statute or as a result of formal agreement of the participants in their sector of business.

Example

The primary function of many public, and some private, bodies is to investigate complaints about the services or treatment received by members of the public.

Ombudsmen are tasked with investigating complaints from the public in a variety of fields.

Regulators such as the Financial Services Authority, the Independent Police Complaints Commission, the Care Quality Commission, Advertising Standards Authority and the Legal Services Complaints Commissioner are all tasked with investigating complaints in their respective fields and maintaining standards for the benefit of the general public.

One of the primary functions of these organisations is to investigate complaints about a particular group of service providers.

It is inappropriate for an organisation to use section 31 to withhold information gathered in the course of investigating complaints about itself. Subsection 31(3)(c) does not apply to investigatory or complaint handling functions (or any other function which may be of benefit to the public) which organisations undertake when investigating their own activities.

Most organisations have an internal complaints procedure to investigate and report on how the organisation has carried out its primary functions. In addition, most organisations will have disciplinary procedures for dealing with inappropriate behaviour by staff. These procedures are not the primary activity or function of the organisation and are therefore not regulatory activities covered by section 31.

Named bodies that may rely on section 31 where appropriate

Subsection 31(4) lists certain named parties (mainly ombudsmen) who may rely on the exemption in respect of personal data processed for the purpose of discharging public functions relating to maladministration and failure in services provided by public bodies.

In addition, section 31 has been amended by a number of other statutes to extend the scope of the exemption to cover personal data processed in accordance with particular legislation. Subsections 31(4) (a) to (c) concern processing for certain functions under the Financial Services and Markets Act 2000, under the Legal Services Act 2007 and certain functions of the Legal Services Board. Subsection 31(5) concerns processing for certain functions of the Office of Fair Trading. These subsections are obviously only relevant to the named regulator under the relevant legislation.

Limitations on the application of the exemption

Where a body processes personal data for the purposes of carrying out a function falling within the scope of section 31 it is important to remember that the section does not operate as a blanket exemption with the result that no information processed by that body for that function need be disclosed. The exemption is expressed as being available only:

"to the extent to which the application of the [subject information provisions] would be likely to prejudice the proper discharge of [the] functions [to which the section applies]."

The prejudice test is not a weak test, and a data controller must be able to point to prejudice which is real, actual or of substance and to show some causal link between the potential disclosure and the prejudice.

"Likely to prejudice" means that the degree of risk must be such that there may very well be prejudice to those interests, even if the risk falls short of being more probable than not. There should be a very significant and weighty chance of prejudice to the identified public interests [3].

Where the disclosure of information in response to a subject access request would be unlikely to prejudice the proper discharge of a relevant function, such information should be disclosed even though it is being processed in connection with a regulatory function falling within the scope of section 31.

Example

The disclosure of information, which is known to the data subject and which the data subject knows is held by the data controller, in response to a subject access request is unlikely to prejudice the proper discharge of public regulatory functions.

Application to copies of information passed to a regulator

During an internal investigation into a complaint about itself or its staff, an organisation may gather information. If the complaint is then referred to a regulator, the organisation may need to pass this information on. Alternatively, an organisation may come across information that it holds in its normal course of business which raises concerns and which it decides should be passed on to the appropriate regulator.

[3] See R (on the application of Alan Lord) v Secretary of State for the Home Department [2003] EWHC 2073 regarding the meaning of "likely to prejudice" in section 29 DPA.

Example

A bank receives a complaint about the service it has provided to a customer. It carries out an internal investigation into the matter and advises the customer of its conclusions. The customer is not satisfied and refers his complaint to the Financial Services Ombudsman. The Ombudsman then asks the bank for details of its internal investigation to assist in his investigation of the complaint. The bank supplies the Ombudsman with copies of the information it has gathered.

Although an organisation would not normally consider this information to fall within the scope of section 31, this exemption may become relevant if the information is referred to the regulator, or copied to a regulator in order to assist in the performance of its formal regulatory functions. If the regulator can withhold personal data in response to a subject access request because it is likely to prejudice the discharge of its regulatory function, the originating organisation will also be able to do the same.

Failure by the originating organisation to withhold data might allow a data subject (who would be refused access to the data if he approached the regulator) to circumvent the provisions of the DPA by simply obtaining the data from the originating organisation instead. It is therefore important that organisations are cautious with information being used by regulatory bodies to carry out their functions.

However, an organisation cannot rely on section 31 to withhold information on the basis that it might, in the future, be used by the regulator.

Other considerations

In circumstances where the section 31 exemption does not apply, other exemptions (in the DPA or introduced by the subject access modification orders) or the rules on third party information may be relevant in deciding whether personal data should be disclosed in response to a subject access request.

See the ICO guidance on exemptions for further information about the exemptions from the subject information provisions.

The ICO guidance "Dealing with subject access requests involving other people's information" provides advice applicable where personal data relates to more than one person.

More information

This guidance will be reviewed and considered from time to time in line with new decisions of the Information Commissioner, Tribunals and courts.

It is a guide to our general recommended approach, although individual cases will always be decided on the basis of their particular circumstances.

If you need any more information about this or any other aspect of freedom of information or data protection, please contact us: see our website www.ico.org.uk.