Data Protection and Freedom of Information
The Carmichael Centre
13th March 2014

Introduction
• Data Protection principles
• Dealing with sensitive data
• Current legislation
• Purpose of the Freedom of Information Act
• Rights of access and exemptions

Lecturer
• Ronan Lupton, B.A. (Hons), M.Sc., DipLs, B.L. (King’s Inns) 2008.
• Practice – Areas – Experience – Goals

Privacy: A Reference Point
• Constitutional Right: Though not unlimited
• Necessary for any law of privacy to first define and identify what it aims to protect. It is also useful to develop a clear conception of the principles which justify and underpin the protection of the right, so that the courts are better equipped to accurately identify when a person’s right to privacy is engaged and when, on the other hand, that person is simply asserting a “vacuous” freedom to do as he or she pleases.

Privacy: A Reference Point
Craig has identified six reasons for the protection of privacy:
(i) Refuge: It allows the individual to retreat from the pressures of public scrutiny and social norms
(ii) Freedom: Privacy prevents interference in a person’s acts.
(iii) Autonomy: It promotes autonomy by encouraging the individual to make his own choices.
(iv) Creativity: By protecting the individual against conformist pressures, it fosters creative experimentation, which leads to social diversity.
(v) Mental health: Privacy has been linked to individual mental health.
(vi) Intimacy: Privacy is a necessary condition for the creation of relationships of trust and confidence
– J. Craig, “Invasion of Privacy and Charter Values” (1997) 42 McGill L.J. 355.
DP: Background & Genesis
• Motivated by a combined concern at the manner in which population statistics had been used by the Nazi regime in Germany and the emergence of technology that could store and process significant amounts of data, measures emerged from various European bodies from the late 1970s onwards to regulate the manner in which personal information about individuals was collected, stored and used.
• The EU Data Protection Directive (Directive 95/46/EC) incorporated the principles of data protection contained in two earlier international instruments:
– The OECD Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data, 1980.
– The Council of Europe’s Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981.
• The Data Protection Directive extended the principles of data protection to personal data kept on manual files, as well as automated filing systems. It also provided for more specific protections and exemptions concerning the use of personal data beyond those specified in the Strasbourg Convention.

Background
• The Data Protection Act, 1988 was enacted following Ireland’s ratification of the 1981 Strasbourg Convention and established the office of the Data Protection Commissioner (DPC).
• The enactment of the Data Protection (Amendment) Act, 2003 brought Irish data protection law into line with the requirements of the Data Protection Directive.
• The Electronic Privacy Directive (Directive 2002/58/EC) provided for the privacy and security of personal data for users of publicly available electronic communications services, such as telephone communications systems, email, text and Internet services.
• The Electronic Privacy Directive was incorporated into domestic law by the Electronic Privacy Regulations, 2003 (SI 535 of 2003, as amended by SI 526 of 2008) and amended further in 2011 by SI 336 of 2011. Note the position on Cookies!

What’s it about?
• Personal data is information about a living person from which that person is identified or can be identified by reference to that data or by reference to that data and other information held or which is likely to come into the possession of the person holding and controlling that information.
• In practice, any information that fully or partially identifies a person can comprise ‘personal data’.
• A data controller is a person or entity that holds and controls the use of personal data.
• A data controller is in a position to decide how personal data held by her / him / it will be used. Certain categories of data controller - such as banks and financial institutions - are obliged to register as data controllers with the Data Protection Commissioner (see www.dataprotection.ie).
• A data processor is a person or entity that processes data on behalf of a data controller (but the term does not include an employee of a data controller who processes personal data on behalf of their employer in the course of their employment).

What’s it all about?
• The term ‘data processing’ covers any use of data, including collecting, recording, storing, consulting, transmitting and making data available. The publication of personal data is therefore an act of ‘data processing’.
• In business, data controllers frequently outsource the processing of personal data to data processors in other jurisdictions. The 1988 Act (as amended - section 11) prohibits the transfer of personal data to processors outside the European Economic Area (EEA - being the EU member states plus Norway, Liechtenstein and Iceland) unless “an adequate level of protection” will apply to the data in the jurisdiction to which it is exported.
• This provision applies, for example, to the transfer of customer information by an Irish company to an overseas contractor supplying customer support services on behalf of the Irish company.

Data Protection Principles
– The DPC’s website identifies eight fundamental rules of data protection derived from the provisions of the combined Data Protection Acts, 1988 to 2003
• Personal data must be obtained and processed fairly. A data subject is entitled to be informed of the fact that data is being collected about them, by whom it is being collected, the purposes for which it is being collected and to whom it will be disclosed.
• Personal data may only be kept and used for specified, clearly stated and lawful purposes. This requirement precludes the use of personal data for uses other than or beyond those uses for which it was collected; the proposed uses must be clearly stated to the data subject and those uses must be lawful.

Data Protection Principles
• Personal data must only be processed (which term includes publishing the data) in a manner that is consistent with the stated purposes for which it was collected.
• Personal data must be kept safe and secure by the person or entity holding it, whether in electronic, manual or other form. This requirement affects email and computer access security measures along with the disposal of written paper records and information held in other formats.
• Personal data must be kept accurate, complete and up-to-date by the person or entity holding it. Decisions about data subjects (for example, the granting of loans or credit facilities by financial institutions) should not be made on the basis of information that is out-of-date.

Data Protection Principles
• The extent of personal data collected must be adequate for and relevant to the stated purpose for which it is collected. The data collected must not exceed what is necessary for those stated purposes.
• Personal data should not be retained for longer than is necessary for the stated purposes for which it is collected. The duration for which the data can lawfully be retained will vary from case to case depending on the purposes for which it was collected.
• A data subject is entitled to know what information is held about them by a data controller and has a right to be given a copy of that data on request. A data subject is also entitled to require the correction of any inaccurate information held about her / him by a data controller.

Dealing with Personal Data
• Any person or entity that collects and uses personal data about an individual (a ‘data subject’) is obliged to comply with data protection legislation. Personal data can include data such as names, addresses, telephone numbers, voice or image recordings and email addresses.
• Certain personal data can be ‘sensitive personal data’, which term refers to information about a data subject’s racial or ethnic origin, religious beliefs, political opinions, health and sexuality or criminal record (the list is not exhaustive) (section 1(1) of the 1988 Act, as amended).
• Additional protection applies to the collection and use of sensitive personal data.

Dealing with Personal Data
• Section 4 – Right of Access – Subject Access Request – Fee €6.35 – 40 days to comply
• Section 5 – Restriction on right of access
• Section 6 – Right of rectification and erasure
• Section 7 – Duty of Care – Collins v FBD
• Section 8 – Disclosure of personal data in certain cases

Exemptions – S.8
Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is—
(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,
(c) required in the interests of protecting the international relations of the State,
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,
(e) required by or under any enactment or by a rule of law or order of a court,
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness,
(g) made to the data subject concerned or to a person acting on his behalf, or
(h) made at the request or with the consent of the data subject or a person acting on his behalf.

Journalists
• Journalists investigating stories for news, current affairs or other journalistic purposes collect personal data about individuals. An important exemption from data protection requirements for processing personal data is set out in section 22A of the Data Protection Act, 1988 (as inserted by section 21 of the Data Protection (Amendment) Act, 2003).
• The exemption applies where the processing of personal data is carried out with a view to publishing that data for journalistic, artistic or literary purposes. Under the section, there needs to be a public interest justification for publishing personal data about an individual.

DPC Complaints
• Personal information about individuals - such as their name, address, telephone number or photographic image - all can comprise personal data.
• The collection, use and disclosure of that personal data must be carried out in accordance with data protection legislation.

Current Legislation – Incl. Privacy
• Article 40.3 of the Constitution
• Section 39(1)(e) of the Broadcasting Act, 2009
• Section 10 of the Non-Fatal Offences Against the Person Act, 1997
• Data Protection Act, 1988 – 2011
• Section 62 of the Garda Síochána Act, 2005
• European Convention on Human Rights Act, 2003

Freedom of Information
• The Freedom of Information Act, 1997 (FOI) as amended by the Freedom of Information (Amendment) Act, 2003 obliges government departments, the Health Service Executive (HSE), local authorities and a range of other statutory agencies to publish information on their activities and to make personal information available to citizens.
• In addition, the Freedom of Information Act establishes the following statutory rights:
– A legal right for each person to access information held by public bodies and government departments
– A legal right for each person to have official information relating to himself/herself amended where it is incomplete, incorrect or misleading information
– A legal right to obtain reasons for decisions affecting himself/herself.

Freedom of Information – Duties of Public Bodies
• Information about the activities of public bodies covered by the Freedom of Information Act (Section 15 and Section 16) is contained in the Freedom of Information Manual, which every public body is obliged to publish.
• The information that must be made available in the manual includes:
– A general outline of the structure and functions, powers and duties of the organisation; the services it provides to the public and the procedures by which the public can avail of those services;
– A description of the types of records held
– The arrangements made to enable people to access information and records and to correct inaccurate or misleading personal information if this arises
– Information that may assist people to exercise their rights under the Freedom of Information Act.
• In practice, most of the public bodies covered by the Freedom of Information Act have their Section 15 and 16 Manuals available on their websites. Paper copies of these documents are also available.

Freedom of Information – Requests for information
• You can ask for the following records held by Government departments or certain public bodies:
– Any records relating to you personally, whenever they were created
– All other records created after 21 April, 1998
A record can be a paper document, information held on computer, printouts, maps, plans, microfilm, microfiche, audio-visual material, etc.

Freedom of Information – Applications
• It is important to note that it may not be necessary to make a request for information under the Freedom of Information Act from a public body. A considerable amount of material is already made available to the public through information leaflets, publications and in response to oral and written enquiries. Most organisations have a dedicated Information Office, which is available to assist you with general queries, requests for information and publications.
• If the information you require is not readily available, you must make your request in writing to the FOI Unit of the public body and your application should refer to the Freedom of Information Act. If your application for information does not mention the Act, then your application will be dealt with as an ordinary request for information. If information is required in a particular form (e.g. photocopy, computer disk, etc.) this should be specified in the application.

Freedom of Information
• Try to be as specific as you can in order to enable the organisation to identify the information you require. Where possible try to indicate the time period for which you wish to access records (e.g., records created between May 1998 and December 1998).
• Further information on making a request under the FOI Act can be found on the website of the Office of the Information Commissioner.
• Under the Freedom of Information Act, a request for records must be acknowledged within 2 weeks and, in most cases, responded to within 4 weeks. If a third party is involved, there may be another three weeks before a response.

Freedom of Information – FOI Review Procedures
• If you are not satisfied with the response of the public body to any aspect of your request for information, (i.e., refusal of information, form of access, charges) or you have not received a reply within 4 weeks of your initial application, this is deemed a refusal of your request and you can seek to have the decision re-examined by more senior members of staff within the public body. The internal review of an FOI decision must be made within 3 weeks. Applications for review of a decision should be addressed to the FOI Unit of the public body involved.
• If you are still unhappy with the decision, you have the right to appeal the decision to the Information Commissioner. The Information Commissioner investigates complaints of non-compliance with Irish FOI legislation and generally promotes a freedom of information culture in the Irish public service.

Rights of Access/Exemptions
• FOI - Specifically NAMA
• Meetings of the Government.
• Deliberations of public bodies.
• Functions and negotiations of public bodies.
• Parliamentary, court and certain other matters.
• Law enforcement and public safety.
• Security, defence and international relations.
• Conclusiveness of certain decisions pursuant to sections 23 and 24
• Information obtained in confidence.
• Commercially sensitive information.
• Personal information.
• Procedure in relation to certain requests under section 7 to which section 26, 27 or 28 applies.
• Research and natural resources.
• Financial and economic interests of the State and public bodies.
• Enactments relating to non-disclosure of records.

Questions

Thank you!