Records management for the public sector
8 September 2016
Judith Jones - Group Manager
Sue Markey - Senior Policy Officer
Government and Society

Outline
- ICO and records management
- Key themes and common trends
- How the ICO can help
- What’s new – DP and FOI

The Information Commissioner
- Elizabeth Denham
- Promoted transparency in government, proactive approach to enforcement of access and privacy laws
- Reports to Parliament
- Independent of Government
ICO enforces and regulates:
- Freedom of Information Act
- Data Protection Act
- Environmental Information Regulations
- Privacy and Electronic Communications Regulations
- Re-use of Public Sector Information Regulations (TNA - policy, ICO – complaints)
TNA, Records of Scotland, Public Record Office of Northern Ireland:
- Public records legislation
Other legal requirements and professional guidelines

Records Management legislation: FOI Section 46 Code of Practice
“Freedom of information legislation is only as good as the quality of the records and other information to which it provides access.”
Failure to follow the Section 46 Code of Practice may mean that an authority also fails to comply with other legislation concerning the creation, management, disposal, use and re-use of records and information, for example:
- Public Records Act 1958
- Data Protection Act 1998 (DPA)
- Re-use of Public Sector Information Regulations 2015
Information Commissioner on FOI: highlighting records management concerns
- Timeliness in dealing with FOI requests
- Duty to document in British Columbia
- Private s
Know what you hold
Know what you hold: think about
- Collecting personal data
- Responding to FOI requests
- Legacy records
- Paper vs digital records
- Private accounts
- Risk assessment
Retention
- Personal data not to be kept for longer than is necessary.
- Consider the purpose you hold the information for when deciding how long to retain
- Retention and disposal schedules - useful when considering FOI complaints
- Retention requirements of TNA and regional bodies. And others including inquiries
- Keep retention periods under review
- Securely delete information that is no longer needed
- Update, archive or securely delete information if it goes out of date.
Timeliness
Time limits
- Subject access and FOIA requests have time limits for responses
- Senior commitment and effective liaison across the organisation is vital
- Identify barriers to good performance and draw up improvement plans
- Better reputation with the public
- ICO monitoring regime
Disposal
Disposing of data
- Requirement of the DPA to dispose of personal data securely
- Archiving or deletion?
- Only archive if still need to hold the information – otherwise delete
- ICO has issued monetary penalties eg abandoned filing cabinets, selling hard drives rather than destruction
Breaches
Self reported incidents – data protection Operational Statistics 2015/16
Self reported incidents - continued Operational Statistics 2015/16
Recent enforcement action
- August 2016 Hampshire County Council £100,000
- May 2016 Blackpool Teaching Hospitals £185,000
- November 2015 CPS £
ICO Audit Outcomes
Trends – common failings
- Not understanding data flows
- Not understanding responsibilities
- Lack of training
- Inadequate, outdated or poorly communicated policies
- Lack of senior support, funding or visibility of information governance
- Failure to implement effective remedial measures quickly
- Inadequate long term remedial measures, with a failure to identify risks

Data Protection self assessment toolkit
ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment-toolkit

What’s new?
- Where now on FOI
- Technology, digitisation
- Digital Economy Bill – better use of data, data sharing
- Data protection law in the UK: what next?

What the future holds on FOI
- Recommendations of the Independent Commission on Freedom of Information
- Divergence from FOISA
- Open data and the Open Government Partnership
- Trends, standards and expectations
Digital Economy Bill: digital government
ICO view
- Recognise benefits of justified data sharing
- Support permissive, enabling approach to legal gateways
- Need for robust safeguards to protect public from disproportionate data sharing – including use of PIAs
- Welcome guiding principle that the powers of DPA should not be weakened
The Data Protection Act remains UK law for now and it’s business as usual for most organisations
Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK
“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward”
Baroness Neville-Rolfe DBE CMG, Minister for Data Protection, 4th July 2016

The ICO will continue to provide practical advice and guidance
ico.org.uk/dpreform
ICO guidance
ICO guidance on records management matters
- Section 46 Code of Practice – records management
  practice-records-management-foia-and-eir.pdf
- Guide to the Re-use of Public Sector Information
- Retention and destruction of requested information
  requested-information.pdf

Further reading
- The National Archives
  management/
- National Records of Scotland
  management
- Public Record Office for Northern Ireland (PRONI)
  record-office-northern-ireland-proni/record-keeping-proni