Data Protection and Freedom of Information

Objectives

• Describe the main points of the Data Protection Act 1998 and Freedom of Information Act 2000

• Illustrate the “things you need to know” about Data Protection (DP) and Freedom of Information (FOI)

The Acts

• Data Protection Act 1998 came into force in March 2000. The Act covers information about living individuals

• Freedom of Information Act 2000 came into force in January 2005 and provides a right of access to information held by public bodies

• The Information Commissioner’s Office (ICO) regulates the operation of the DPA & FOIA (as well as related legislation like the Privacy and Electronic Communications Regulations

DPA or FOI?To release or not to release?

• A student requests his examination results• A student requests the College internal

guidelines for dealing with appeals• A local authority wishes to verify a student’s

details for Council Tax• A parent wants to know if their son or daughter

is attending classes

These areas will be reconsidered in terms of whether or not to release the data or information and which law applies

Data Protection Act• All Data Controllers must be registered with the

Information Commissioner’s Office. The registration specifies the purposes for which data is processed

• Data Subjects are the person about whom the data is held

• Data processing covers the collection, recording, holding, maintenance and destruction of any data

• Personal data is information about any living person who can be identified from that information

• Sensitive Personal Data relates to information about an individual’s health, ethnicity, criminal convictions, sexual life, religious belief, political opinions, TU membership

Data Protection Act (cont)

Eight Data Protection Principles, which should be complied with. Data shall:

1. Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.

2. Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.

3. Be adequate, relevant and not excessive for those purposes.4. Be accurate and kept up to date.5. Not be kept for longer than is necessary for that purpose.6. Be processed in accordance with the data subject’s rights.7. Be kept secure from unauthorised access, accidental loss or

destruction.8. Not be transferred to a country outside the European Economic

Area, unless that country has equivalent levels of protection for personal data.

Data processing good practice

The following checklist is taken from the Information Commissioner’s Office website: www.ico.gov.uk

• Do I really need this information about an individual? Do I know what I'm going to use it for?

• Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?

• If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?

• Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?

• Is access to personal information limited to those with a strict need to know? • Am I sure the personal information is accurate and up to date? • Do I delete or destroy personal information as soon as I have no more need

for it? • Have I trained my staff in their duties and responsibilities under the Data

Protection Act, and are they putting them into practice?

Freedom of Information Act

• Places a duty on public authorities (that includes QMUL) to ensure access is available to official information

• Regardless of age, format or origin of the info.• Each public organisation must publish a

Publication Scheme which is approved by the Information Commissioner. QMUL’s scheme is found on its website http://www.qmul.ac.uk/about/collegeinfo/scheme/index.html

Dealing with Requests• Request under DPA (known as Subject Access

Request) must be dealt with in 40 calendar days (except for examination results); a maximum fee of £10 may be charged

• An FOI request must be dealt with in 20 working days. If the request is excessive and costly it can be denied on these grounds

• Both types of request may come to any part of the College and need to be logged with the Records & Information Compliance Manager

• If you are unsure, check with the Records & Information Compliance Manager

Some FOI Exemptions• FOI exemptions are either absolute or qualified.

Qualified exemptions are subject to the public interest test. Absolute exemptions do not require this

• Personal information, where the DPA applies and the release of information would lead to the identification of an individual is an absolute exemption

• Where information is commercial the information might be covered by a qualified exemption as its release could be damaging to the College or other party

• Vexatious and repeated requests or requests that have been declined recently for good reason can be exempt

Some DPA Exemptions• Section 29 exemptions: data may be provided without the

consent of the Data Subject to authorities for the purposes of the prevention and detection of crime and benefits/tax fraud etc. All such requests must be specific, state for what the data will be used and be checked with the QM Data Protection Officer

• Research exemptions: personal data may be processed for the purpose of research without the consent of the Data Subject. However, the identity of the Data Subject must not be made known without explicit consent and the data must not be used to support decisions about that individual or where there may be substantial damage or distress. The time restrictions are different – data for research purposes only may be kept indefinitely

• Examination results: there is a longer time frame so students cannot access results earlier

Research

• Personal data may be used for purposes beyond the originally stated purpose

• Can be retained indefinitely

• Exempt from SARs – as long as published research does not identify individuals

• FOI – Commercial interests or subject to future publication

Examinations• Comments on scripts (and marks) but not scripts themselves

can be accessed under DPA• Exam Board minutes can be accessed under DPA (about that

individual only) but not FOI• Achievement/progression data can be accessed under DPA• It is okay to put lists of those who have passed on the

noticeboard but by number is preferable and only if you have told students that this is how their results are published

• You should not pass on an individual student’s results to a third party

• External examiners reports – in most circumstances these would be accessible under FOI despite the argument they are confidential and it is important to ensure that External Examiners are able to write frank and helpful comments – in the public interest!

Dos and Don’ts

• DO respond quickly – the clock is ticking

• DO remember that we have a duty to provide advice and assistance

• DON’T withhold information without a clear justification under one of the exemptions

• DON’T wilfully destroy or alter any original documents – criminal offence

To release or not release

• A student requests his examination results

• A student requests the College internal guidelines for dealing with appeals

• A local authority wishes to verify a student’s details for Council Tax

• A parent wants to know if their son or daughter is attending classes

Other Sources of Guidance

• Updated Data Protection Policy

• Guidelines on dealing with SARs and other scenarios e.g. photos, marketing, third parties

• FOI pages on QM website

• ICO website has lots of specific guidelines

• See http://www.arcs.qmul.ac.uk/information_governance/index.html

Questions?

Contact

Records & Information Compliance Manager

• E-mail: foi-enquiries@qmul.ac.uk

data-protection@qmul.ac.uk

• Tel: (13) 7596