Data Protection & Freedom of Information- An Introduction 20th March 2018 Data Protection & Freedom of Information- An Introduction Caroline Llewellyn Information Compliance Officer

Environmental Information Regulations Act (2004) The Information Compliance Team manages all aspects of legal compliance with the Data Protection Act 1998, General Data Protection Regulation (GDPR)/ Data Protection Bill, Freedom of Information Act 2000 and related legislation.closely with key stakeholders across the whole university to establish best practice. City, University of London is obliged to comply with certain legislation, including: Data Protection Act (1998) General Data Protection Regulation (GDPR) Freedom of Information Act (2000) Environmental Information Regulations Act (2004) Member of the Senate Research Ethics Committee Provide data protection advice to all of City’s Research Ethics Committees

What is the Data Protection Act? Intended to balance interests of data subjects (living individuals) with data controllers (City, University of London). Freedom to process data vs. privacy of individuals. Consent has to be freely given by data subject There are certain exemptions to the above, e.g. Research purposes, Crime and taxation, National security etc. The results of the research or any resulting statistics should not be made available in a form which identifies any Data Subject. S.33(1) There are 8 principles of the DPA:

EIGHT PRINCIPLES of Personal Data: Must be processed fairly and lawfully. (Why, what and whom it will be passed to). Obtained only for specified purposes and not further processed in a manner incompatible with those purposes. (Be specific about data purpose - Consent). Adequate, relevant and not excessive. (Avoid the “wouldn’t it be nice to have” scenario). Accurate and kept up to date. (Periodic revalidation). Must not be kept longer than necessary. (Retention Schedules- Ten years). Processed in accordance with the rights afforded to individuals under the legislation, including the right of subject access. (Prevent processing likely to cause damage or distress). Kept secure and protected from accidental loss or destruction. (Encryption). Not transferred to countries outside the European Economic Area (EEA) without adequate protection. (Safe Harbor-Privacy Shield).

General Data Protection Regulation (GDPR) Principles – 25th May 2018 Personal data should be: Processed lawfully, fairly and in a transparent manner Collected for specified, explicit and legitimate purposes Adequate, relevant and limited to what is necessary Accurate and where necessary kept up to date Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed, and Processed in a manner that ensures appropriate security of the personal data Accountability is central to GDPR. Data Controllers are responsible for compliance with the principles (above) and must be able to demonstrate this to data subjects and the regulator (Information Commissioner’s Office www.ico.org.uk)

Personal data - DPA 1998 GDPR 25th May 2018 Personal data - any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. name, identification number, location data or online identifier, automated personal data and to manual filing systems where personal data are accessible according to specific criteria - e.g. chronologically ordered sets of manual records containing personal data. Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data Sensitive personal data (DPA 1998) (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c ) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. Special Category Data (GDPR) GDPR refers to sensitive personal data as “special categories of personal data” and has been extended to include genetic and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing under GDPR (see Article 10).

What is the Freedom of Information Act? The Act created a right of access to information held by the City. Gives general right of access to recorded information held by public authorities. It promotes openness, transparency and accountability City, University of London is obliged to respond to requests, assists requesters, operate a publication scheme and have complaints procedure.

There is a presumption of openness, unless an exemption applies. Exemptions There is a presumption of openness, unless an exemption applies. There are in total 24 exemptions. 8 Absolute - need not be disclosed. E.g. personal information. 16 Qualified – not to be disclosed unless the public interest test is met. E.g. commercial information.

Please visit the legal section on our website

Information Compliance Contact Details Compliance Email:foi@city.ac.uk Information Compliance Email: Dataprotection@city.ac.uk Tel:+44 (0)20 7040 4000 Location: City, University of London Northampton Square London, EC1V 0HB United Kingdom Thank you!