Data Protection and Freedom of Information The Warwick Network 31 May 2016

Natalie Snodgrass – Administrative Officer, University Secretary’s Office
Overview
• The Data Protection Act 1998 and the
Freedom of Information Act 2000 – what
you need to know about the Acts and
how they affect Warwick (key concepts,
individuals’ rights, legal obligations etc.)
• Case Studies and Practice Questions
• Q & A and Discussion
The Data Protection Act 1998
• Came into force on 1 March 2000, replacing the 1984
Data Protection Act – main purpose to give effect in
the UK to the 1995 EC Data Protection Directive
• The DPA requires that anyone who processes personal information must:
  – register its processing with the Information Commissioner, the regulatory body for the DPA (notification)
  – process personal data in accordance with individuals’ rights
  – process personal data in accordance with the eight Data Protection Principles.
What makes data ‘personal’?
• ‘Personal’ information is information about living individuals
where those individuals can be identified either from the data or
with the aid of other information that the data processor holds or
is likely to obtain.
• Caselaw: Durant v FSA (Court of Appeal, London, Dec 2003)
• ‘Personal’ information as being biographical in a significant
sense, with the putative data subject as its focus; information
affecting the subject’s privacy
• ‘Sensitive’ personal data – personal data relating to racial or
ethnic origins, political opinions, religious or spiritual beliefs,
trade union memberships, physical or mental health or
condition, sexual life, the commission or alleged commission of
any offence, or criminal proceedings for any offence committed
or alleged to have been committed.
What sorts of information are covered under the DPA?
• Any electronic data (e.g. Microsoft Office documents,
emails, web pages etc.)
• Audio-visual data (e.g. CCTV) also covered where
individuals are identifiable
• Paper format (‘manual’) data covered by the DPA
only to a limited extent
• DPA 1998: manual data covered if in a relevant
filing system whereby data must be structured by
reference to individuals or by criteria relating to
individuals, so that specific information on an
individual is readily accessible
Durant on manual data
• Court of Appeal took the view that the Act
intended to cover manual files “only if they
are of sufficient sophistication to provide the
same or similar ready accessibility as a
computerised filing system”
• Following the Durant judgment it is likely that
very few manual files will be covered by
the provisions of the DPA
The Freedom of Information Act and paper data
• The Freedom of Information Act 2000 extended
certain limited aspects of the DPA to paper format
data held by public authorities which was not in a
relevant filing system (Category ‘e’ data)
• Excludes personnel data
• Right of access to ‘category e data’ only automatic if
paper files are structured so that information on an
individual can be located (e.g. files on named
individuals)
• Unstructured manual data (e.g. in general subject files) can only be requested if the requestor describes the data in a way which allows it to be located
Individuals’ rights under the DPA
• Right to prevent processing likely to cause
substantial damage or substantial distress
• Right to prevent processing for purposes of
direct marketing
• Rights in relation to automated decision-taking
• Right to request the rectification, blocking,
erasure or destruction of inaccurate data
• Right to compensation
• Right of access to personal data
Subject Access Requests
• Applicant must apply in writing
• Can request proof of identity and charge a
fee (usually £10; £50 for health records and a
sliding scale for education records)
• Organisation must respond promptly and in
any event no later than 40 calendar days
following receipt of request
Subject Access Requests – exemptions and limitations on the right of access
• Data does not have to be released if this would (e.g.):
  – endanger the physical or mental health of an individual
  – disclose information subject to legal professional privilege
  – disclose the personal data of other individuals
• Other exemptions: confidential references and examination scripts
• Other limitations on the right of access:
  – No requirement to create data for the purpose of answering a request
  – Don’t have to release data created after receipt of a request or data destroyed before receipt of a request
  – Data can be amended or destroyed after receipt of a request if this is in line with established records management practice within the organisation (i.e. a retention schedule), but: the intentional concealment, alteration or destruction of data in order to prevent its release is a criminal offence for which both the organisation and individual staff can be liable.
The Data Protection Principles
The eight principles of the DPA state that the data must be:
1. fairly and lawfully processed;
2. processed for limited purposes;
3. adequate, relevant and not excessive;
4. accurate and up to date;
5. not kept longer than necessary;
6. processed in accordance with the individual’s rights;
7. secure;
8. not transferred to countries outside the European Economic Area, unless there is adequate protection.
Data Protection at Warwick: some practical guidance
• Remember the Data Protection principles and the conditions on disclosure of personal data (Schedules 2 and 3)
• Be very careful when transferring or disclosing personal data:
  – Disclosure can be unlawful even if it is to the police or a government department
  – Parents, relatives and friends have no automatic right to receive data on students or staff
  – Never disclose data on another person over the phone (unless it is a life or death emergency – then offer to ring the enquirer back on a registered number)
• Disclosure that may not satisfy all the DP principles may be permitted if an exemption applies, e.g.:
  – If disclosure is necessary for national security (s.28(1)), the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty (s.29(3))
  – If it is information that we are legally obliged to disclose, either because this is required by statute, rule of law or court order, or if the information is necessary for legal proceedings, legal advice etc. (s.35)
More on confidential references
• Requests for references which appear to be legitimate (e.g. which come from an established and reputable organisation) can usually be taken at face value. Possible ways of ascertaining this:
  – Student/member of staff has asked you if you will be a referee before submitting the application
  – The request is accompanied by a disclaimer signed by the student/member of staff confirming that they authorise the third party to seek a reference
  – The third party provides you with a copy of the relevant section of the student’s/member of staff’s application form
• If in any doubt, contact the person who is the subject of the reference first.
• Avoid giving verbal references. If you’re writing a reference, assume it could be released, so avoid statements that cannot be defended by fact.
Data Protection and Research
• Data gathered for non-research purposes can be used for research, provided the data is not used:
  – for any other purpose, unless it is compatible with the purpose for which it was first collected
  – to make decisions or take measures regarding individuals
  – in a way which causes substantial damage or distress to data subjects.
• This exemption allows, e.g., personal data in historical records to be retained as archives. However, personal data in archives should be closed for the lifetime (or likely lifetime) of the individual.
Freedom of Information Act 2000
• Created general right for any member of the public to request any recorded information held by public authorities – therefore potential for overlap and conflict with Data Protection
• ICO is regulatory body
• Public’s rights of access:
  – Right to know if the authority holds the information requested
  – Right to have that information communicated
  – FoIA entitles access to information, not documents
• Request can be made by anyone, anywhere
  – Request must be in writing, supply name and address and adequately describe information requested – but does not need to mention the FOIA
• Publication Schemes
• Obliged to respond within 20 working days of receipt of request
• General duty to advise and assist
Exemptions from Access
• Qualified vs. Absolute Exemptions
• Public Interest Test applied for qualified exemptions
• FoIA s.40(1): absolute exemption for first-party personal data
(must make a Subject Access Request via the DPA)
• FoIA s.40(3): qualified exemption for third-party personal data –
exempt from release if disclosure would breach the Data
Protection Principles.
• Information Commissioner: limited situations where third-party personal data can be legitimately released under FoI:
  – basic information about staff (name, job title, responsibilities, work contact details)
  – salaries/expenses of very senior staff (only grades of junior staff)
  – decisions or actions made by individuals in an official or work capacity
Other restrictions on access
• ‘Vexatious’ requests
• Request repeats a recent request
submitted by same applicant
• Where cost of compliance would exceed
£600 (central government) or £450 (all
other public authorities)
Dealing with Requests
• Being prepared – physical post and electronic mail
• Receiving and assessing requests:
  – Subject Access/Environmental Information requests
  – Routine requests (log requests)
  – Requests for information included in Publication Scheme (log requests)
  – More complex and/or sensitive requests: refer to University Secretary’s Office without delay
Resources
• Warwick’s Freedom of Information pages (including Publication
Scheme):
http://www2.warwick.ac.uk/insite/info/freedomofinformation/
• Warwick’s Data Protection pages:
http://www2.warwick.ac.uk/academicoffice/staff/dataprotection/
• Information Commissioner’s website:
http://www.ico.gov.uk/
• Warwick’s Data Protection Notification:
http://www.esd.informationcommissioner.gov.uk/esd/DoSearch.asp?reg=2858484
• Department of Constitutional Affairs’ website:
http://www.dca.gov.uk/