The Data Protection Act 1998 Freedom of Information Act 2000 Regulation of Investigatory Powers Act 2000 Tony Brett Head of IT Support Staff Services Computing.

Slides:



Advertisements
Similar presentations
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Advertisements

Data Protection and Freedom of Information
The Data Protection (Jersey) Law 2005.
Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Tony Brett, Corpus Christi College Oxford University, 29 th June 2000 The Data Protection Act 1998 Tony Brett IT Systems Manager Corpus Christi College.
The Data Protection Act 1998 and the Freedom of Information Act 2000
Towards a Freedom of Information Law in Qatar Fahad bin Mohammed Al Attiya Executive Chairman, Qatar National Food Security Programme.
Data Protection Act Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.
Audiences NI Data Protection Workshop
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview
The Data Protection Act
CENTRAL SCOTLAND POLICE Data Protection & Information Security Stuart Macfarlane Information Governance Unit Police Service of Scotland.
Regulation of Personal Information Daniel Pettitt, Leon Sewell and Matthew Pallot.
Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
The Data Protection Act 1998 The Eight Principles.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act AS Module Heathcote Ch. 12.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Case Studies: ITSS 4201 Internet Insurance and Information Hiding University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb.
Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office.
The Data Protection Act - Confidentiality and Associated Problems.
DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual,
The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
BTEC ICT Legal Issues Data Protection Act (1998) Computer Misuse Act (1990) Freedom of Information Act (2000)
OPEN UP! Introduction to handling Freedom of Information requests.
Legal issues The Data Protection Act Legal issues What the Act covers The misuse of personal data By organizations and businesses.
IM NETWORK MEETING 20 TH JULY, 2010 CONSULTATION WITH 3 RD PARTIES.
The Data Protection Act What the Act covers The misuse of personal data by organisations and businesses.
12/12/2015 Data Protection Act /12/2015 The DP Act A law that protects personal privacy and upholds individual’s rights Anyone who handles personal.
Introduction Data protection is relevant to every individual, business or organisation today, not just Local Government. As well as protecting privacy,
Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.
Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.
Human Rights Act, Privacy in the context of auditing Phil Huggins Chief Technologist, IRM PLC
DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
GCSE ICT Data and you: The Data Protection Act. Loyalty cards Many companies use loyalty cards to encourage consumers to use their shops and services.
© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
Data protection—training materials [Name and details of speaker]
Sharing Information Legally Lindsay Ould London Borough of Lewisham.
Sharing Personal Data ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.
Practical implications of the Data Protection Bill By John Robinson Data Protection Co-Ordinator South Bucks NHS Trust.
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Freedom of Information Act ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.
Protection of Personal Information Act An Analysis on the impact.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Data Protection and Freedom of Information. Objectives Describe the main points of the Data Protection Act 1998 and Freedom of Information Act 2000 Illustrate.
Introduction to Data Protection Plan »Brief Introduction to Data Protection  Example  Principles  P3, 4, 7  Sensitive Data  Conditions for Processing.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
The Data Protection Act 1998
The Data Protection Act 1998
Data Protection GCSE ICT Mrs N Steventon-2005.
Trevor Ellis Trainee Programmer (1981 – 28 years ago)
Data Protection The Current Regime
The Data Protection Act 1998
Data Protection Legislation
Data Protection & Freedom of Information- An Introduction
GENERAL DATA PROTECTION REGULATION (GDPR)
New Data Protection Legislation
Data Protection principles
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
GDPR Workshop MEU Symposium Prague 2018
Data protection & FOIA considerations
Presentation transcript:

The Data Protection Act 1998 Freedom of Information Act 2000 Regulation of Investigatory Powers Act 2000 Tony Brett Head of IT Support Staff Services Computing Services University of Oxford England

Disclaimer I am not a lawyer! –Views I give do not constitute formal legal advice Views expressed are my own and not necessarily those of the University of Oxford

The University of Oxford Oldest University in the English-speaking world –9 centuries of history 39 self-governing Colleges Student population over 18,000 with more than 130 nationalities represented 10,500 Staff (3,500 in colleges) Part of the Russell Group (like the Ivy League) Steeped in tradition and quirk!

The University of Oxford

Federal University! Colleges are separate legal entities –Separate Governance and Finance Serious implications for both DPA and FOI Colleges and University have a symbiotic relationship –Colleges admit undergraduates –University admits graduates But they need a college! –Colleges provide 1-1 or 1-2 tutorials –University provides lectures, practicals etc. University awards degrees

Me! In Oxford since 1989 Chemistry Degree and then IT! –Institute of Molecular Medicine –Corpus Christi College –Computing Services Serve on Oxford City Council as licensing chair and local councillor Particular interest in data privacy since time at Corpus Christi as Data Protection officer

Overview – 1 General overview of the DPA 1998 –Definitions –Changes since 1984 Act –Sensitive Personal Data & Consent –The eight principles –Transitional Relief –Implications for Colleges and Departments –Things to keep in mind Freedom of Information Act 2000 (FOI) –Who it affects –Public Rights: open records –Publication Schemes –Exemptions –Key Points

Overview – 2 Regulation of Investigatory Powers (RIPA) –Interception of Communications in the UK –Human Rights Act 1998 –Definitions –Implications –My view Resources Questions

What is the Data Protection Act? Intended to balance interests of data subjects with data controllers Freedom to process data vs. privacy of individuals 1984 act was repealed by the 1998 Act 24 October March 2000

Definitions Personal Data –Expression of opinion, or fact, address, photos, video footage etc. etc. –Some types are sensitive (a special new category). Processing –Reviewing, holding, sorting, deleting Data Controller – all of us! Users of data Relevant Filing System –Readily accessible information about living individuals Information Commissioner –New name for Data Protection Registrar

Changes Since the 1984 Act Much broader than the old Act More rights for data subjects Covers relevant manual filing systems –No more “practical obscurity” New category of data – sensitive data. Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records –Processing must have been in effect before 24 October 1998 Rules about export of data to non-EEA countries

Some effects on Colleges and Departments Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc Not people “acting in a capacity” Anyone can be a data controller Dead people have no rights Overseas transfers of data – notably to U.S. Requirement to ensure data is secure, accurate, sufficient but not excessive Can’t hold data longer than is reasonable

Principles of the Act – 1 Non-sensitive personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met (schedule 2). –Consent – the most important –Contract –Legal obligation –Vital interests of subject (life or death!) –Public functions –Balance of interest

Sensitive personal data – 1 Racial or ethnic origin Political opinions Religious/similar beliefs (note food!) Trade Union membership Health Sexual life Offences, Cautions, Convictions

Sensitive personal data – 2 May only be held if one of the below is met: –Explicit and informed consent –Employment Law –Vital Interests of Subject –Legal Proceedings –Medical Purposes (by medical professionals) –Equal opportunities monitoring

Consent “Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed.” Can’t use implied consent – must get forms back Can’t use blanket consent as condition of entry

Fair processing Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection Must identify to subject data controller/nominated representative Must identify to subject purpose of processing data Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation

Principles of the Act – 2 Data must be obtained only for one or more specified lawful purposes –Must not use data for a new incompatible purpose without subject’s consent –Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive –Old members data is a grey area for Colleges

Principles of the Act – 3 & 4 Personal data must be adequate, relevant and not excessive –Must not stock up on data without a reason that can be justified – consent! Personal data shall be accurate and up-to- date –This is an ongoing requirement and means data needs to be kept under constant review.

Principles of the Act – 5 Personal data may not be kept for any longer than is necessary for its stated purpose(s) –This potentially creates a problem with old staff/members data. Development offices beware! –Consent from all new staff/members to keep their data after they have left as this is a different purpose to keeping it while they are here

Principles of the Act – 6 Personal data must be processed in accordance with the rights of data subjects –This means that you cannot do things that violate the rights given to data subjects under the new Act, especially denying access to data

Rights of data subjects Must be informed if personal data is being processed and given a description of the personal data and for what purpose it is being held May prevent processing for purposes of direct marketing Right to see algorithms used in automated decision making (credit scoring etc.) Compensation, rectification, blocking, destruction

Access rights – 1 Right to have communicated to him/her in an intelligible form the information constituting the data No right to rifle through filing systems, computers etc Right to be informed of logic involved in automated processing Request must be in writing, fee up to £10 may be charged and identity may be thoroughly checked

Access rights – 2 Data may be withheld if disclosure would disclose data about a third party unless: –Third party has consented to disclosure –It is reasonable to comply without the third party’s consent Duty of confidentiality, steps taken to seek consent, express refusal of third party Witnesses, confidential reports, access to references

Access rights – 3 Don’t have to disclose references you have written but must disclose those you have received unless the writer explicitly asked them to kept confidential 40 days to comply (or state reason for refusal to comply) with requests Don’t need to comply with repeat requests until a reasonable amount of time has elapsed Don’t need to comply if disproportionate effort would be involved Subject must provide reasonable data you request to assist in finding the data

Enforced access It is an offence to force subjects to exercise their access rights to data held by others –Includes data about cautions, criminal convictions and certain social security records

Right to prevent processing Unwarranted substantial damage or distress to subject 21 days to comply with request Exemption if processing is necessary for performance of contract with subject or there is a legal obligation, or the vital interests of the subject are at stake

Exemptions to access rights Prevention and detection of crime Apprehension or prosecution of offenders Collection of tax or other duty Research, history, statistics. Exam marks – 40 days after date of announcement or 5 months of access request. Confidential references.

Principles of the Act – 7 Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data. –First is related to IT support staff (backups, password security etc.) but everyone can help –Second is about being careful with keys, having access controls, CCTV monitoring etc. –Beware social engineering!

Principles of the Act – 8 Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it –US does not by default –Putting things on a web site is tantamount to export of data Transfer is OK if contract is in place with the abroad party or the subject has consented –Data Protection Commissioner has standard contracts available –Safe Harbor certification enables US business to comply with the DPA –Safe Harbor approved by EU in July 2000

Notification Colleges are legally separate entities to the University so have to notify use to Commissioner separately; Departments are not –This is like the old registration process under the old act. –University counts as a third party in the case of Colleges. Penalties for failure to comply/notify are huge Commissioner has draconian powers (search & seize)

The Freedom of Information Act 2000 The FOI Act 2000 gives individuals the right to access information about certain public bodies (including HE institutions) by two routes: –Publication Scheme –General Right of Access There are exemptions Public bodies listed in the act –General group e.g. “HEFCE funded HE Institution –Specific body e.g. “The BBC” or “The National Portrait Gallery” FOI basically extends subject access rights given in the DPA 1998 Colleges are separate legal entities so need their own Publication Scheme and procedures

FOI – Public Rights To be told whether the information exists – known as the duty to confirm or deny To receive the information (and, where possible, in the manner requested) To receive reasons for a decision to withhold information All requests must be in “permanent form” – , Letter, Fax Reply must be sent within 20 working days –Use vacation auto-reply for contact person if they are away

FOI – Publication Scheme Guide to the information which you have decided to make public –Chance to be proactive so people don’t have to make requests –Guide to types of information available NOT a list of all of it! Scheme has to be approved by Information Commissioner Model schemes available on Information Commissioner’s web site JISC has model schemes available too Put it on your College website! Some already have

FOI – Exemptions Many exemptions, some absolute, some qualified e.g. –Commercial Interest –Communicating with the Queen –Law enforcement –Legal Professional Privilege –Parliamentary Privilege Need to Apply Tests before using Qualified Exemptions –Prejudice & Adverse Affect –Public Interest (not same as of Interest to the Public) FOI does not override DPA but DPA is not an excuse not to comply with FOI requests –Interaction is complex!

FOI – Vexatious or Repeated Vexatious means: –clearly does not have any serious purpose or value –is designed to cause disruption or annoyance –has the effect of harassing the public authority –can otherwise fairly be characterized as obsessive or manifestly unreasonable Repeated means: –More often than a “reasonable interval” Needs defining –Requests asking if previously requested information has changed are OK Reply can say when info is next to be updated and a request before then would be “repeated”

FOI - Key points to note Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act Requests must be in writing (including , fax etc) Requests must be dealt within 20 working days No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold) No obligation to create information that the Organisation does not already hold (e.g. statistical summaries) Organisation may charge a fee for the provision of information. –Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £50 maximum.

NO YES NO Send the applicant a data protection subject access request form, to be returned to the University’s Data Protection Officer Is the enquirer requesting information about him/herself? Is the request in writing (including , fax)? Send request to the Data Protection Officer at the University Offices Ask the applicant to put the request into writing, and send to the Data Protection Officer at the University Offices Is the information requested available via the Publication Scheme (check at: or via any other means? Does the request relate to a living individual(s)? Tell the applicant where he/she will be able to find the information Does the information requested relate solely to your department or unit? Provide the information Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? * Is the request in writing (including , fax)? Ask the applicant to use the FOI request form (at Contact for advice NO YES NO Start Here How to Deal with Enquiries * Check that the information does not contain any reference to individuals, other than that which is already publicly available

FOI & DPA - Key Points Don’t panic! Need to be seen to be aware of both FOI and DPA and working within them but the Information Comissioner will always try to help before getting heavy Have a publication scheme and publish it! Little case law – many grey areas, but we don’t want to be the test case! Don’t write down anything you wouldn’t say to someone’s face Avoid holding sensitive personal data if you can Colleges need to act additionally to Central University

Regulation of Investigatory Powers Exists to ensure that surveillance activities are in line with the Human Rights act 1998 Includes: –monitoring, observing or listening to persons, their movements, conversations, activities or communications –recording anything monitored, observed or listened to in the course of surveillance –surveillance by or with the assistance of a surveillance device

RIPA Updates UK law on the interception of communications in line with technological change including huge Internet growth Puts other intrusive investigative techniques on a statutory footing Provides new powers to help combat the threat posed by rising criminal use of strong encryption Ensures that there is independent judicial oversight of the powers in the Act

RIPA - Definitions Directed Surveillance –Covert but not intrusive Intrusive Surveillance –Using a person or a device (bug) at a premises or in a private vehicle Generally unlawful to use intrusive surveillance without a warrant RIPA covers all forms of communication and their interception

RIPA - Implications Interception warrants –Government can make your ISP snoop on you and can insist it does not tell you Mass surveillance is possible if the Secretary of State deems it necessary ISPs can be forced to install interception technology on their systems Government has the power to demand encryption keys –This compromises all encrypted data you might hold or have sent/received

RIPA – My view At face value the Act appears to improve personal privacy BUT the large number of situations in which interception IS allowed actually make it a reduction of privacy Much controversy in the UK But good has been done – the Police used evidence gathered under RIPA powers to convict Ian Huntley (Soham murders)

Resources Thanks to University of Oxford Central Administration for permission to use diagram about answering queries