Saturday, 7 November 15


Slide 1: CSCU9Q5 Data Protection and Freedom of Information Acts

Slide 2: The Data Protection Legislation
* As an individual you should know about your rights with respect to data held about you
* As an information professional you may have to deal with other people's information, and you may have to advise others on the law
* The current legislation is the Data Protection Act 1998, which is substantially different from the earlier legislation (1984)
* The Freedom of Information Act 2000 (UK) and the Freedom of Information Act 2002 (Scotland) may also have an impact if you work for a public authority
* http://www.informationcommissioner.gov.uk/

Slide 3: The Data Protection Legislation
First, some points about the words:
* data is not just computer data. Any systematic collection of records is covered, including paper records
* personal data means that the person can be identified and that there is some extra element in the data, e.g. an opinion or intention relating to the subject
* sensitive personal data includes race, politics, religion, trade unionism, health, sex, crime (alleged or actual)
* data subject is any living individual who is the subject of personal data
* data controller is any person making decisions with regard to personal data
* processing means held, obtained, organised, adapted, retrieved, consulted, disclosed, deleted

CSC9Q5/ITNP31 Database Principles and Applications 1

Slide 4: Eight principles (the snappy version)
Personal data must be:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual's rights
7. Secure
8. Not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual

Slide 5: The six conditions (aka Schedule 2)
Personal data only processed if (at least one of):
1. Subject has given consent
2. Necessary for the performance/agreement of a contract to which the data subject is a party
3. Necessary for compliance with any legal obligation of the data controller, other than an obligation imposed by contract
4. The processing is necessary in order to protect the vital interests of the data subject
more...

Slide 6: Schedule 2, continued
5. The processing is necessary for the administration of justice, the purposes of government, or any other functions of a public nature exercised in the public interest by any person
6. Necessary for the purposes of legitimate interests pursued by the data controller or by third parties to whom the data are disclosed, except where unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

Slide 7: Schedule 3 (Sensitive personal data)
At least one of:
* Subject has given explicit consent
* Legally necessary for employment
* When consent cannot reasonably be obtained, to protect vital interests of anyone
* When consent unreasonably withheld, to protect the vital interests of third parties
* As part of membership of non-profit groups for political, philosophical, religious or trade-union purposes
* Already made public by subject
* Necessary for legal or medical processes
* Monitoring of equal opportunity of racial/ethnic groups

Slide 8: The Seven Subject Rights
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include:
1. The right to subject access
2. The right to prevent processing
3. The right to prevent processing for direct marketing
4. Rights in relation to automated decision making
5. The right to compensation
6. The right to rectification, blocking, erasure and destruction
7. The right to ask the Commissioner to assess whether the Act has been contravened

Slide 9: Data Controllers
* Not everyone who holds data is a data controller
* Data controllers must notify the Information Commissioner of their practices (costs £35 each year)
* Comply with the 8 principles of data protection
* Offences include: failure to notify; processing in a non-compliant way; procuring or selling information
* The Commissioner issues enforcement notices
* Offences are punishable by a fine (up to £5000)
* Individuals may seek compensation for damage

Slide 10: Durant vs FSA
* Mr Durant lost a case against Barclays Bank in 1993, and wanted information to re-open the case
* The FSA had conducted an investigation into Barclays' handling of his case
* In response to a DPA subject access request by Mr Durant, the FSA supplied him with some extracts from its computer records, but nothing from its paper records. It said the information was not "personal" and also not part of a "relevant filing system"
* The case ended in front of the Court of Appeal and a decision was given in October 2003
* The case is very important, because it clarifies "personal" and "relevant filing system" (and changes the interpretation)

Slide 11: Durant: "personal"
The Court found that:
* Subject access exists to enable a subject to check whether his privacy has been infringed
* It is not "an automatic key to any information... in which he may be named"
* To be personal the information must be "biographical in a significant sense... going beyond the recording... of involvement that has no personal connotations" and the information should have the "data subject as its focus" (Durant's case failed this test)

Slide 12: Durant: "relevant filing system"
* The Court found that a manual filing system is relevant if it has structure so that it is clear from the outset whether it could hold personal data, and in which files information about the applicant would be found (i.e. the system can support computer-like searches)
* The Commissioner suggests the "Temp Test": would a temporary admin assistant be able to find specific information on an individual (e.g. John Smith's leave records) without leafing through file(s)?

Slide 13: Some questions
* Does the University need to get each student's explicit consent to every detail of their information handling?
* What happens if a student's parent rings up to enquire about the student's progress?
* May results be posted on noticeboards? On the WWW?
* May graded work be returned using a communal pigeonhole?
* Can a student, making a Subject Access Request:
  - see copies of exam board minutes relating to them?
  - see their own exam scripts?
  - ask about how their degree was classified?
  - ask to see every internal email that mentions them?
* Can a student in debt to the University use the Act to get a statement of his/her degree result?

Slide 14: Eight principles (verbatim)
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless - (a) at least one of the conditions in Schedule 2 [Slides 4-5] is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 [Slide 6] is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and... kept up to date.

Slide 15: Eight principles, continued
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Slide 16: Overview of Freedom of Information (Act)
* The public's right to know
* Applies to all information
* Proactive disclosure via a Publication Scheme
* Responding to individual enquiries
* Based on good records management
The Freedom of Information Act gives people access to information which is held by/on behalf of public authorities and those bodies carrying out a public function, and which does not fall under the access regime of personal information.

Slide 17: Your information rights
The Freedom of Information Act facilitates access to information held by public authorities in two ways:
* By requiring public authorities to adopt and maintain publication schemes, which should have the effect of improving the amount and quality of information routinely made available to the public.
* By creating a right to make a request for information (effective from 1 January 2005). Anyone, including people living abroad, non-UK citizens, journalists, political parties, lobby groups and commercial organisations, will have the right to ask public authorities for any information they hold.
More about the Act can be found at: http://www.itspublicknowledge.info/

Slide 18: Under the Freedom of Information (Scotland) Act you have the right to get information from any of the following Scottish public authorities or office-holders:
* Scottish Ministers in charge of all departments of the Scottish Executive and its agencies.
* The Scottish Parliament.
* Non-ministerial office holders in the Scottish Administration, including the chief medical and dental officers; the chief inspectors of constabulary, prisons, fire services and schools; rent officers; social work inspectors.
* Local government, including councils, assessors, fire services, licensing boards and the Strathclyde Passenger Transport Authority.
* The National Health Service, which includes NHS boards, community health partnerships, hospitals, GPs, dentists, pharmacists, opticians and other health professionals.
* Educational institutions such as universities and colleges.
* The police.
* Other public authorities, including more than 50 types of Scottish public authority not covered in the categories above. They range from the Scottish Arts Council to the Water Industry Commissioner for Scotland.
* Companies that are wholly owned by one or more public authorities.

Slide 19: What kind of information do I have a right to see?
You can ask to see any kind of recorded information from a Scottish public authority, however old the information is. That includes information recorded on:
* paper
* computer files, including e-mails
* video
* microfiche

Slide 20: Examples of information you can find out
* The number of complaints made about a particular service, for example street cleaning or refuse collection, and whether action was taken as a result.
* Information showing whether public authority policies are working well; for instance, is a Community Policing Initiative reducing crime in the local area?
* Information that would reveal whether a contract is providing value for money; for instance, what standards have been agreed with agencies contracted to supply hospital cleaning or catering services.
* Why decisions affecting local services were made, such as a decision to cut back some services at your local hospital, or to combine local primary schools.
* How public authorities decide who gets priority on waiting lists for services such as health or housing.

Slide 21: Information You Cannot Find Using FoI
* Whether or not somebody has a criminal conviction
* Who has borrowed that library book that you want
  Information like this about individuals is protected by the DPA
* How many plastic bottles are collected by the recycling team
  This information is not kept; you cannot ask for research to be done! There is also a limit on how difficult it needs to be to collate information, even if it is stored
* How much money my University spin-out company makes from selling electronic data acquisition boards each year
  Although the company is fully owned by the University, I can argue that the information is commercially sensitive and not have to disclose it
* What products Apple is currently developing
  You cannot use FoI to ask private (non-government) organisations anything
* Secret military or security related information