CSCU9Q5 Data Protection and Freedom of Information Acts (slide 1)
The Data Protection Legislation (slide 2)
- As an individual you should know about your rights with respect to data held about you
- As an information professional you may have to deal with other people's information, and you may have to advise others on the law
- The current legislation is the Data Protection Act 1998, which is substantially different from the earlier legislation (1984)
- The Freedom of Information Act 2000 (UK) and the Freedom of Information (Scotland) Act 2002 may also have an impact if you work for a public authority
- http://www.informationcommissioner.gov.uk/
The Data Protection Legislation (slide 3)
First, some points about the words:
- data is not just computer data: any systematic collection of records is covered, including paper records
- personal data means that the person can be identified and that there is some extra element in the data, e.g. an opinion or intention relating to the subject
- sensitive personal data includes race, politics, religion, trade unionism, health, sex, crime (alleged or actual)
- data subject is any living individual who is the subject of personal data
- data controller is any person making decisions with regard to personal data
- processing means held, obtained, organised, adapted, retrieved, consulted, disclosed, deleted
Eight principles (the snappy version) (slide 4)
Personal data must be:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant (to the declared purpose) and not excessive
4. Accurate and kept up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual's rights
7. Secure
8. Not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual
The six conditions (aka Schedule 2) (slide 5)
Personal data may only be processed if at least one of the following holds:
1. Subject has given consent
2. Necessary for the performance/agreement of a contract to which the data subject is a party
3. Necessary for compliance with any legal obligation of the data controller, other than an obligation imposed by contract
4. The processing is necessary in order to protect the vital interests of the data subject
(continued on the next slide)
Schedule 2, continued (slide 6)
5. The processing is necessary for the administration of justice, the purposes of government, or any other functions of a public nature exercised in the public interest by any person
6. Necessary for the purposes of legitimate interests pursued by the data controller or by third parties to whom the data are disclosed, except where unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject
Schedule 3 (Sensitive personal data) (slide 7)
At least one of:
- Subject has given explicit consent
- Legally necessary for employment
- When consent cannot reasonably be obtained, to protect the vital interests of anyone
- When consent is unreasonably withheld, to protect the vital interests of third parties
- As part of membership of non-profit groups for political, philosophical, religious or trade-union purposes
- Already made public by the subject
- Necessary for legal or medical processes
- Monitoring of equal opportunity of racial/ethnic groups
The Seven Subject Rights (slide 8)
The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include:
1. The right to subject access
2. The right to prevent processing
3. The right to prevent processing for direct marketing
4. Rights in relation to automated decision making
5. The right to compensation
6. The right to rectification, blocking, erasure and destruction
7. The right to ask the Commissioner to assess whether the Act has been contravened
Data Controllers (slide 9)
- Not everyone who holds data is a data controller
- Data controllers must notify the Information Commissioner of their practices (costs £35 each year)
- Data controllers must comply with the 8 principles of data protection
- Offences include:
  - Failure to notify
  - Processing in a non-compliant way
  - Procuring or selling information
- The Commissioner issues enforcement notices
- Offences are punishable by a fine (up to £5,000)
- Individuals may seek compensation for damage
Durant vs FSA (slide 10)
- Mr Durant lost a case against Barclays Bank in 1993, and wanted information to reopen the case
- The FSA had conducted an investigation into Barclays' handling of his case
- In response to a DPA subject access request by Mr Durant, the FSA supplied him with some extracts from its computer records, but nothing from its paper records. It said the information was not "personal" and also not part of a "relevant filing system"
- The case ended in front of the Court of Appeal and a decision was given in October 2003
- The case is very important, because it clarifies "personal" and "relevant filing system" (and changes the interpretation)
Durant: "personal" (slide 11)
The Court found that:
- Subject access exists to enable a subject to check whether his privacy has been infringed; it is not an automatic key to any information... in which he may be named
- To be personal the information must be biographical in a significant sense... going beyond the recording... of involvement that has no personal connotations
- The information should have the... data subject as its focus
- (Durant's case failed this test)
Durant: "relevant filing system" (slide 12)
- The Court found that a manual filing system is relevant if it has structure so that it is clear from the outset whether it could hold personal data, and in which files information about the applicant would be found (i.e. the system can support computer-like searches)
- The Commissioner suggests the "Temp Test": would a temporary admin assistant be able to find specific information on an individual (e.g. John Smith's leave records) without leafing through file(s)?
Some questions (slide 13)
- Does the University need to get each student's explicit consent to every detail of their information handling?
- What happens if a student's parent rings up to enquire about the student's progress?
- May results be posted on noticeboards? On the WWW?
- May graded work be returned using a communal pigeonhole?
- Can a student, making a Subject Access Request:
  - see copies of exam board minutes relating to them?
  - see their own exam scripts?
  - ask about how their degree was classified?
  - ask to see every internal email that mentions them?
- Can a student in debt to the University use the Act to get a statement of his/her degree result?
Eight principles (verbatim) (slide 14)
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless - (a) at least one of the conditions in Schedule 2 [Slides 4-5] is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 [Slide 6] is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and... kept up to date.
Eight principles, continued (slide 15)
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The public's right to know (slide 16)
- Applies to all information
- Overview of the Freedom of Information (Act):
  - Proactive disclosure via a Publication Scheme (demonstration of openness: what you already publish, what you regularly get requests for, public interest)
  - Responding to individual enquiries
  - Based on good records management
- The Freedom of Information Act enables people to access information which is held by or on behalf of public authorities and those bodies carrying out a public function, and which does not fall under the access regime for personal information.
Your information rights (slide 17)
The Freedom of Information Act facilitates access to information held by public authorities in two ways:
* By requiring public authorities to adopt and maintain publication schemes, which should have the effect of improving the amount and quality of information routinely made available to the public.
* By creating a right to make a request for information (effective from 1 January 2005). Anyone, including people living abroad, non-UK citizens, journalists, political parties, lobby groups and commercial organisations, will have the right to ask public authorities for any information they hold.
More about the Act can be found at: http://www.itspublicknowledge.info/
Under the Freedom of Information (Scotland) Act you have the right to get information from any of the following Scottish public authorities or officeholders: (slide 18)
- Scottish Ministers in charge of all departments of the Scottish Executive and its agencies.
- The Scottish Parliament.
- Non-ministerial office holders in the Scottish Administration, including the chief medical and dental officers; the chief inspectors of constabulary, prisons, fire services and schools; rent officers; social work inspectors.
- Local government, including councils, assessors, fire services, licensing boards and the Strathclyde Passenger Transport Authority.
- The National Health Service, which includes NHS boards, community health partnerships, hospitals, GPs, dentists, pharmacists, opticians and other health professionals.
- Educational institutions such as universities and colleges.
- The police.
- Other public authorities, including more than 50 types of Scottish public authority not covered in the categories above. They range from the Scottish Arts Council to the Water Industry Commissioner for Scotland.
- Companies that are wholly owned by one or more public authorities.
What kind of information do I have a right to see? (slide 19)
You can ask to see any kind of recorded information from a Scottish public authority, however old the information is. That includes information recorded on:
- paper
- computer files, including e-mails
- video
- microfiche
Examples of information you can find out (slide 20)
- The number of complaints made about a particular service, for example street cleaning or refuse collection, and whether action was taken as a result.
- Information showing whether public authority policies are working well: for instance, is a Community Policing Initiative reducing crime in the local area?
- Information that would reveal whether a contract is providing value for money: for instance, what standards have been agreed with agencies contracted to supply hospital cleaning or catering services.
- Why decisions affecting local services were made, such as a decision to cut back some services at your local hospital, or to combine local primary schools.
- How public authorities decide who gets priority on waiting lists for services such as health or housing.
Information You Cannot Find Using FoI (slide 21)
- Whether or not somebody has a criminal conviction
- Who has borrowed that library book that you want
  - Information like this about individuals is protected by the DPA
- How many plastic bottles are collected by the recycling team
  - This information is not kept: you cannot ask for research to be done! There is also a limit on how difficult it needs to be to collate information, even if it is stored
- How much money my University spin-out company makes from selling electronic data acquisition boards each year
  - Although the company is fully owned by the University, I can argue that the information is commercially sensitive and not have to disclose it
- What products Apple is currently developing
  - You cannot use FoI to ask private (non-government) organisations anything
- Secret military or security related information