Presentation - DP and FOI overview

Data Protection and Freedom of
Information
Objectives
• Describe the main points of the Data
Protection Act 1998 and Freedom of
Information Act 2000
• Illustrate the “things you need to know”
about Data Protection (DP) and Freedom
of Information (FOI)
The Acts
• Data Protection Act 1998 came into force in
March 2000. The Act covers information about
living individuals
• Freedom of Information Act 2000 came into
force in January 2005 and provides a right of
access to information held by public bodies
• The Information Commissioner’s Office (ICO)
regulates the operation of the DPA & FOIA (as
well as related legislation like the Privacy and
Electronic Communications Regulations)
DPA or FOI?
To release or not to release?
• A student requests his examination results
• A student requests the College internal
guidelines for dealing with appeals
• A local authority wishes to verify a student’s
details for Council Tax
• A parent wants to know if their son or daughter is
attending classes
These areas will be reconsidered in terms of
whether or not to release the data or information
and which law applies
Data Protection Act
• All Data Controllers must be registered with the
Information Commissioner’s Office. The registration
specifies the purposes for which data is processed
• Data Subjects are the persons about whom the data is
held
• Data processing covers the collection, recording,
holding, maintenance and destruction of any data
• Personal data is information about any living person
who can be identified from that information
• Sensitive Personal Data relates to information about an
individual’s health, ethnicity, criminal convictions, sexual
life, religious belief, political opinions, TU membership
Data Protection Act (cont)
Eight Data Protection Principles, which should be
complied with. Data shall:
1. Be obtained and processed fairly and lawfully and shall not be
processed unless certain conditions are met.
2. Be obtained for a specified and lawful purpose and shall not be
processed in any manner incompatible with that purpose.
3. Be adequate, relevant and not excessive for those purposes.
4. Be accurate and kept up to date.
5. Not be kept for longer than is necessary for that purpose.
6. Be processed in accordance with the data subject’s rights.
7. Be kept secure from unauthorised access, accidental loss or
destruction.
8. Not be transferred to a country outside the European Economic
Area, unless that country has equivalent levels of protection for
personal data.
Data processing good practice
The following checklist is taken from the Information Commissioner’s Office
website: www.ico.gov.uk
• Do I really need this information about an individual? Do I know what I'm
going to use it for?
• Do the people whose information I hold know that I've got it, and are they
likely to understand what it will be used for?
• If I'm asked to pass on personal information, would the people about whom I
hold information expect me to do this?
• Am I satisfied the information is being held securely, whether it's on paper or
on computer? And what about my website? Is it secure?
• Is access to personal information limited to those with a strict need to know?
• Am I sure the personal information is accurate and up to date?
• Do I delete or destroy personal information as soon as I have no more need
for it?
• Have I trained my staff in their duties and responsibilities under the Data
Protection Act, and are they putting them into practice?
Freedom of Information Act
• Places a duty on public authorities (that includes
QMUL) to ensure access is available to official
information
• Regardless of age, format or origin of the information
• Each public organisation must publish a
Publication Scheme which is approved by the
Information Commissioner. QMUL’s scheme is
found on its website
http://www.qmul.ac.uk/about/collegeinfo/scheme/index.html
Dealing with Requests
• Request under DPA (known as Subject Access
Request) must be dealt with in 40 calendar days
(except for examination results); a maximum fee
of £10 may be charged
• An FOI request must be dealt with in 20 working
days. If the request is excessive and costly it can
be denied on these grounds
• Both types of request may come to any part of
the College and need to be logged with the
Records & Information Compliance Manager
• If you are unsure, check with the Records &
Information Compliance Manager
Some FOI Exemptions
• FOI exemptions are either absolute or qualified.
Qualified exemptions are subject to the public interest
test. Absolute exemptions do not require this
• Personal information, where the DPA applies and the
release of information would lead to the identification of
an individual is an absolute exemption
• Where information is commercial the information
might be covered by a qualified exemption as its
release could be damaging to the College or other party
• Vexatious and repeated requests or requests that
have been declined recently for good reason can be
exempt
Some DPA Exemptions
• Section 29 exemptions: data may be provided without the
consent of the Data Subject to authorities for the purposes of
the prevention and detection of crime and benefits/tax fraud
etc. All such requests must be specific, state for what the
data will be used and be checked with the QM Data
Protection Officer
• Research exemptions: personal data may be processed for
the purpose of research without the consent of the Data
Subject. However, the identity of the Data Subject must not
be made known without explicit consent and the data must
not be used to support decisions about that individual or
where there may be substantial damage or distress. The time
restrictions are different – data for research purposes only
may be kept indefinitely
• Examination results: there is a longer time frame so
students cannot access results earlier
Research
• Personal data may be used for purposes
beyond the originally stated purpose
• Can be retained indefinitely
• Exempt from SARs – as long as published
research does not identify individuals
• FOI – Commercial interests or subject to
future publication
Examinations
• Comments on scripts (and marks) but not scripts
themselves can be accessed under DPA
• Exam Board minutes can be accessed under DPA (about
that individual only) but not FOI
• Achievement/progression data can be accessed under
DPA
• It is okay to put lists of those who have passed on the
noticeboard but by number is preferable and only if you
have told students that this is how their results are
published
• You should not pass on an individual student’s results to
a third party
• External examiners reports – in most circumstances
these would be accessible under FOI despite the
argument they are confidential and it is important to
ensure that External Examiners are able to write frank
and helpful comments – in the public interest!
Dos and Don’ts
• DO respond quickly – the clock is ticking
• DO remember that we have a duty to
provide advice and assistance
• DON’T withhold information without a clear
justification under one of the exemptions
• DON’T wilfully destroy or alter any original
documents – criminal offence
To release or not release
• A student requests his examination results
• A student requests the College internal
guidelines for dealing with appeals
• A local authority wishes to verify a
student’s details for Council Tax
• A parent wants to know if their son or
daughter is attending classes
Other Sources of Guidance
• Updated Data Protection Policy
• Guidelines on dealing with SARs and other
scenarios e.g. photos, marketing, third
parties
• FOI pages on QM website
• ICO website has lots of specific guidelines
• See http://www.arcs.qmul.ac.uk/information_governance/index.html
Questions?
Contact
Records & Information Compliance Manager
• E-mail: foi-enquiries@qmul.ac.uk
data-protection@qmul.ac.uk
• Tel: (13) 7596