Information Law/ Data Protection Briefing 2007 Keith G Fraser University Records Manager

Page 1: Information Law/ Data Protection Briefing 2007

Keith G Fraser

University Records Manager

Page 2: Today’s topics

• Introduction
• DP across the globe
• Data protection: the legislative context
• The Data Protection Act: an overview
• FOISA 2002 and DP 1998
• Requests for information
• Subject Access Requests
• Requests for 3rd party data
• Points to consider and note
• Disclosure without consent
• Implications for Web publishers
• Subject access procedures
• The Commissioners
• DP and Researchers
• Further Information
• Key points to note
• Data Subject Rights
• Any Queries

Page 5: Legislative context

• Data Protection Act 1998
  – Sets out eight principles giving a general standard for the processing of personal data
• Freedom of Information (Scotland) Act 2002
  – Gives a general right of public access to all types of recorded information held by Public Authorities
• Overlap between the above Acts where personal data is concerned.
• Freedom of Information Act 2000
• Human Rights Act 1998
• Environmental Information (Scotland) Regulations 2004

Page 6: Data Protection Act: Overview

• Personal data is
  – Information about an identifiable living individual processed automatically or stored in a ‘relevant filing system’
• Sensitive personal data is
  – Information about racial or ethnic origins, political opinions, religious beliefs, physical or mental health, etc.
• Notification
  – The process by which a data controller's processing details are added to a register
• Eight Data protection principles
• Enforcement
  – The Information Commissioner has the power to serve an enforcement notice if he is satisfied that a data controller has contravened or is contravening the data protection principles.

Page 7: Data protection principles

• The Eight Principles of Good Practice
  – Anyone processing personal information must comply with eight enforceable principles of good information handling practice. These say that data must be:
  – fairly and lawfully processed
  – processed for limited purposes
  – adequate, relevant and not excessive
  – accurate and up to date
  – not kept longer than necessary
  – processed in accordance with the individual's rights
  – secure
  – not transferred to countries outside the European Economic Area unless the country has adequate protection for the individual

Page 8: Further Conditions

• In processing fairly and lawfully, data controllers (us) must also comply with one of the six Schedule 2 conditions. These are:
  1. Consent has been received, or
  2. Processing necessary for performance of contract by data subjects… or
  3. Processing necessary for legal compliance… or
  4. To protect vital interests of the data subject… or
  5. For administration of justice… or
  6. For legitimate interests of the data controller

Page 9: Data Subject Rights

• There are several rights under the Act including:
  – Right of access to personal data
  – Right to prevent processing if it would cause damage or distress
  – Right to prevent processing for direct marketing
  – Right to correction or deletion of inaccurate information
  – Rights regarding automated decision making

Page 11: BBC News Monday 18 December

Page 12: Data Protection Act 1998: enforcement

• Complain to Information Commissioner
• University can be sued
• Personal criminal offences
  1. Destruction of information required for a subject access request
  2. Unauthorised disclosure
  3. Failure to comply with enforcement or information notice
  4. Failure to notify

Page 13: Amendments to DP Act (by FOISA 2002)

• The definition of Data under the DP Act is widened to include all recorded information held by Public Authorities.
• Data subject has a right to access unstructured personal data held – that is, any information at all!
• Data subject needs to describe the unstructured data when requesting access to it.

Page 14: Request for Information – FOI or DP?

• Firstly, need to ascertain which law applies, DP or FOI:
  – Is the applicant for information also the subject of the information? ...or
  – Is the applicant applying for information about a third party?
• The answer to these questions determines which course of action follows

Page 15: FOISA and DP

• Request by an individual subject for information about him/herself is an absolute exemption under FOISA 2002
• This would be a Subject access request under the DP Act
• Response requires heeding DP rules and regulations.

Page 16: Dealing with Subject Access requests. 1

• Identify the type of request
• There is a duty to provide advice and assistance to the requestor.
• RGU has 40 working days to respond.

Page 17: Dealing with requests. 2

• The information must be provided in the form requested, where ‘reasonably practicable’
• RGU has agreed procedures for dealing with requests and who is responsible for these.
• It is a criminal offence to alter, deface, block, erase, destroy or conceal information to prevent access

Page 18: Request for 3rd party personal data

A request for third party personal data may be exempt under FOISA 2002:

– If any of the Data Protection principles would be breached if the data was disclosed – absolute exemption
– If the data subject himself would not get the information if he requested it under DP. The University must always consider the public interest
– If the data subject has notified the data controller in writing that releasing the information would cause him harm or distress (s10 notice) – but must consider the public interest

Page 19: Disclosure to Third Parties under DP 1998

Certain third parties may require disclosure of an individual's personal data. The University should, however, where possible, ensure that its students are properly warned of any known statutory disclosures that it is required to make.

The Act makes no explicit reference to the nature of data that may be demanded by statutory obligation, so the University should be able to disclose to any properly grounded statutory request without falling foul of the law.

Page 20: Third Party Authorisation for disclosure

• UK Funding Councils – Further and Higher Education Act 1992 s.79: duty to give information to the funding councils.
• Electoral registration officers (voter registration) – Representation of the People Act 2000.
• Officers of the Department for Work and Pensions, and Local Authorities (benefit fraud) – Social Security Administration Act 1992: s.110A, s.109B and s.109C.
• Health and Safety Executive (injuries and dangerous occurrences) – Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR) 1995 s.3: notification and reporting of injuries and dangerous occurrences.
• Audit Commission and related auditing bodies (various) – Audit Commission Act 1998 s.6: auditors' right to documents and information.
• Environmental Health Officers (notifiable diseases) – Public Health (Control of Disease) Act 1984 and the Public Health (Infectious Diseases) Regulations 1988.
• Child Support Agency – Child Support (Information, Evidence and Disclosure) Regulations 1992.
• Police Officers – Court Order. N.B. disclosures to the Police are not compulsory except in cases where the institution is served with a court order requiring information.
• Other third parties – Court of Session, e.g. third party disclosure order.

Page 21: Publication Scheme and DP

• Some information in the University’s publication scheme may be personal data
• Consideration has to be given to data protection implications before deciding whether to include the information
• The same tests have to be applied as for requests
  – Ultimate test – does its inclusion breach DP principles?

Page 22: Points to consider

• Care and awareness are required:
  – If personal data is included in the University’s publication scheme, DP implications must be considered at the outset
  – Requests for information
    • Evaluation process – is it a DP or an FOI request?
    • Single point of contact for information
    • Authenticity of requester under DP
    • Standard forms and templates might be a useful aid
    • Remember timescales for response
  – Staff awareness

Page 23: Points to note

• Third parties may have a right to access any of the information we record
• It is a criminal offence to tamper with existing records that have been requested for disclosure
• There is no exemption for embarrassment
• Always create records with an eye to other people seeing them

Page 24: Disclosing without Consent

The Freedom of Information (Scotland) Act 2002 sets out criteria which institutions must consider in deciding whether it would be reasonable to disclose information without consent (although other considerations may also be relevant). These criteria are:

– any duty of confidentiality owed to that person
– any steps that have been taken to seek their consent
– whether the person is capable of giving consent, and
– any express refusal of consent by them.

Page 25: Public Interest Test

The University will have to disclose the information if the public interest in disclosure outweighs the public interest in maintaining the exemption in question.

The public interest includes, but is not confined to:

i) Detecting or exposing crime or serious impropriety.
ii) Protecting public health and safety.
iii) Preventing the public from being misled by an action or statement of an individual or organisation.

Page 27: Implications for Web publishers

• The web is the University’s favoured method of publication for the publication scheme
• Beware of making personal details available on the internet:
  – Names and contact details of members of staff.
  – Listings for academic staff often give details of their research interests and publications.
  – Photographs of staff and students.
  – Minutes which contain the names of committee members.
• The Data Protection Act affects what you publish on the Internet
  – The eighth data protection principle states that personal data must not be transferred to countries outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. When personal data is published on the Internet it is accessible all over the world. Publishing personal data on the Internet without the necessary protections is, therefore, a breach of the Eighth Data Protection Principle.

Page 28: Subject Access Procedures

This procedure applies to all Schools and Departments

• The DP Act specifies that all requests for Subject Access must be made in writing.
• The University must comply within 40 days of receiving a validated request
• The information provided must be in an intelligible form. If it contains codes or abbreviations, these should be explained.

Page 29: Subject Access Procedures 2

• Must be in writing.
  – By letter
  – Personal Information Request Form
  – A form is available via the Web pages; this ensures that all necessary information is given at the outset.
• The request doesn’t have to mention the DP Act
• Must provide some form of verification
• Copy of Student access request goes to Executive Director of IT
• Copy of Employee record requests to Executive Director of HR
• Respective School/Department contacts decide what information is disclosed in liaison with the University’s Records Manager.

Page 30: What data is exempt from the Act?

There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act.

Complete exemptions:

– Any personal data that is held for a national security reason is not covered. MI5 or MI6 don't have to follow the rules. They must get a Government Minister to sign a certificate saying that they are exempt.
– Personal data held for domestic purposes only, e.g. Christmas card lists.

Page 31: Partial exemptions

• Some personal data has partial exemption under the terms of the Act. For example:
  – The Inland Revenue and the Police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
  – A data subject's right to see information stored about them is limited where it has to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
  – A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
  – Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
  – Employment references written by a previous employer are exempt.

Page 34: Fees

• The University does not have to levy a fee.
• However, it may charge £10, which is the standard fee set by the Information Commissioner for answering subject access requests.

Page 36: The Information Commissioner

Information Commissioner Richard Thomas

The Information Commissioner's Office is an independent official body. The Information Commissioner is appointed by the Queen and is responsible for administering the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000 (UK except Scotland).

Page 37: The Scottish Information Commissioner

• The Commissioner must
  – Promote good practice by Scottish public authorities in following the FoI(S)A and the codes of practice
  – Consider what information it is desirable to have made available to the public about the FoI(S)A, its operation and good practice in relation to it, and ensure that such information is made available.

Kevin Dunion
Scottish Information Commissioner

Page 39: Data Protection and Research

Page 40: Personal data

• The data gathered must be used exclusively for research purposes.
• A fair processing statement should be used to inform the individual of the purpose for which their data will be used.
• Data should not be used to support measures or decisions relating to any identifiable living individual (not just the data subject but anyone who may be affected by a piece of research).
• Data should not be used in a way that would cause substantial damage or distress to any data subject.
• Researchers should not make the results of research or any resulting statistics available in a form that identifies data subjects. For example, if using case studies in a research report, they may choose to disguise the names of individuals. However, if their circumstances are described in detail then it may be possible for someone to identify that individual, in which case the researcher would not meet this criterion.

Page 41: Exemptions Under the Data Protection Act

There are narrow exemptions that allow the use of personal data for research purposes under the Data Protection Act.

Page 42: Exemptions for Research Purposes

• If the processing is not used to support measures or decisions targeted at particular individuals and it does not cause substantial distress or damage to a data subject, it is exempt from:
  – The Second Principle, meaning that personal data can be processed for purposes other than those for which they were originally obtained;
  – The Fifth Principle, meaning that personal data can be held indefinitely;
  – The Data subject's right of access to his personal data, where the data is processed for research purposes and the results do not identify data subjects.

Page 43: Further Information

• RGU’s DP Homepage
  – www.rgu.ac.uk/dp
• JISC Legal Information Service provides
  – An email enquiry service for information on FOI and other areas of ICT law
• JISC Legal Information Service web site
  – www.jisc.ac.uk/legal
  – For regularly updated news, links, papers, and reports, as the law and practice develop

Page 44: Finally

Page 45: Points for Noting

• Personal data must be obtained fairly and lawfully.
  – The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration.
  – Personal data processing may only take place if specific conditions have been met. These include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that is, data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
• The Act covers personal data in both electronic form and manual form
• Personal data processing must be in accordance with the purposes notified by the University to the data protection commissioner
• If ‘new processing’ is to take place, the University’s Records Manager should be consulted
• Personal data must be kept accurate and up to date, and not for longer than is necessary
• Appropriate security measures must be taken against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training
• Personal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent); this includes the publication of personal data on the internet

Page 46: Data Subject Rights

• The Act gives significant rights to individuals in respect of personal data held about them by data controllers. These include the rights:
  – To make a Subject access request – an individual is entitled to be supplied with a copy of all personal data held.
  – To require the data controller to ensure that no significant decisions that affect them are based solely upon an automated decision-taking process
  – To prevent processing likely to cause damage or distress
  – To prevent processing for the purposes of direct marketing
  – To take action for compensation if they suffer damage by any contravention of the Act by the data controller
  – To take action to rectify, block, erase or destroy inaccurate data, and
  – To request the Data Protection Commissioner to make an assessment as to whether any provision of the Act has been contravened

Page 47: Any Queries?

[email protected]

Page 48: Thank you for listening today.