The Freedom of Information and Data Protection Legislation An Overview Ann McKeon November 2016

Why was the Freedom of Information Act introduced? Develop a culture of openness, transparency and accountability Implemented in Government Departments April 1998-Health Boards/Local Authorities Oct 1998 etc. Third Level Institutions - 1st October 2001

Entitlements: Students, Staff and the Public A legal right to: Access official (corporate) records Access and amend, delete or correct your own personal records Be given reasons for decisions which affect you from 1st October 2001 Note: subject to exemptions

Implications of the Act For public bodies: A legal obligation to publish information A legal obligation to establish mechanisms for handling requests A legal obligation to assist individuals to exercise their rights

Publications under the Act Description of functions, structure, services, powers, classes of records held etc. Web based Purpose: assist individuals in exercising their rights under the Act

Publications under the Act Internal rules, procedures, guidelines etc. used in the decision making process Mainly web based Purpose: assist individuals in exercising their rights under the Act

FOI Record Definition “The FOI Act states that a “record” includes “any memorandum, book, plan, drawing, diagram, pictorial or graphic work or other document, any photograph, computer record etc……..or thing in which information is held or stored and anything that is a part or a copy, in any form of any of the foregoing ….etc” (Includes emails – can be accessed under FOI) “Any record under the control of the university”

What records can be requested Records created after Act commenced- 21st April 1998 Student/public personal records regardless of when created Staff records created after 21st April, 1995 Earlier records if needed

Exempt/protected Records Personal information from third party access Information obtained in confidence Commercially sensitive information Functions and negotiations of public bodies Deliberations of public bodies Research and natural resources “public interest test” “injury or harm test” to justify withholding

FOI Process Decision maker: Initial decision within four weeks Internal reviewer: seek review within four weeks - decision within three weeks External review: seek review within six months by Information Commissioner binding decisions Appeal to High Court and Supreme Court (point of Law only)

Maynooth University requests Media requests Staff requests Public requests Student requests

Impact Records released routinely Records of meetings/decisions published on web Diminished culture of secrecy Improved security of Data

Impact Write objectively, support opinions with facts, ensure information is relevant to the matter Document reasons for decisions and refer to policies in decision making Records management (accurate recording, filing and retrieval) Advise people of FOI rights and assist them in exercising their rights

Impact Record content Avoid technical jargon (explain if necessary) Keep language simple and concise Sign and dates entries Legible handwriting Remove draft copies from files

FOI (Amendment) Act 2003 €15 “up front” fee for an application for access to non personal records (€75 for Internal Review, €150 for external review) Does not apply to applications for access to personal records Clarification/amendments to exemptions Increased protection for Government records

The Freedom of Information Act 2014 Removes the main restrictions on access to official information introduced by the FOI (Amendment)Act 2003 Extend FOI to all public bodies Extension of FOI to non-public bodies receiving significant public funding. Removes €15 application fee. Reduced fees for non personal records

Fees €15 initial application fee repealed Minimum threshold of €100 below which no search, retrieval and copying fees can be charged.  Once the charge exceeds €100, full fees apply There is a cap on the amount of search, retrieval and copying fees that can be charged of €500 Upper limit on estimated search, retrieval and copying fees at €700 above which an FOI body can refuse to process a request, unless the requester is prepared to refine the request to bring the search, retrieval and copying fees below the limit; Fee for internal review under Section 21 is now €30 (€10 for medical card holders and their dependants) The fee for appeals to the Information Commissioner under Section 22 is now €50 (€15 for medical card holders and their dependants).

Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 Why was Data Protection introduced: To regulate the collection, processing, keeping, use and disclosure of personal data To give individuals access to their data and allow them to amend it if incorrect To comply with EU Directives

Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 What is data protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection Acts 1988 and 2003 confer rights on individuals as well as responsibilities on those persons processing personal data.

Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 Protects privacy rights of individuals Legal right of access to personal records (only) held on computer or on manual relevant filing systems Applies to all organisations - private and public (FOI -public sector only)

Data Protection record definition Personal Data data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into the possession of the data controller

What is a “relevant filing system”? any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically…the set is structured, either by reference to individuals or … to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible

What is “sensitive personal data” Racial or ethnic origin, political opinions, religious or philosophical beliefs Trade union membership status Physical or mental health or condition or sexual life Commission or alleged commission of offence

Eight Rules of Data Protection for Data Controllers Obtain and process information fairly Keep it only for one or more specified, explicit and lawful purposes Use it and disclose it only in ways compatible with these purposes Keep it safe and secure Keep it accurate complete and up to date

Eight Rules of Data Protection Ensure that it is adequate, relevant and not excessive. Retain it for no longer than is necessary for the purpose or purposes Give a copy of his/her personal data to that individual on request www.dataprivacy.ie

Exempt/Protected records Information about other people Information received in confidence Prejudicial to investigations, prosecutions Legally privileged information Prejudicial to security of State, prisons, international relations Health and Social work records without agreement of Health/Social work Professional

FOI and Data Protection: differences Different definitions of “personal information” DP Act: no provisions for access to records of children, incapacitated or deceased DP Act: 40 days for reply (FOI: 28 days) Different exemptions in both Acts Different rights of review FOI Public sector only - Data Protection Public and Private

Risks/Challenges FOI and DP Security of Data Security Breaches Client/customer care versus legal obligations Up to date and accurate records Control of records

Risks/Challenges FOI and DP Ensuring compliance with the law Audits by FOI and DP Commissioners Limited resources

Responsibilities Laptops Mobile devices Safegaurding Personal data Physical security Technical security

FOI Management/Compliance Publications Information leaflets, booklets, website (Legal obligation to promote FOI) FOI access procedures and routine access procedures Student /Staff awareness and training Records management

Data Protection Management/Compliance Data Protection Policy Privacy statement Staff guidelines DP access structures and procedures Consent of data subjects Staff training

Contact Ann McKeon Freedom of Information Officer Humanity House Maynooth University Tel: 01 7086184 Email: ann.mckeon@nuim.ie Website https://www.maynoothuniversity.ie/freedom-information