Data Protection and Freedom of Information The Warwick Network 12 August 2015 Natalie Snodgrass – Administrative Officer, University Secretary’s Office.


Overview
The Data Protection Act 1998 and the Freedom of Information Act 2000 – what you need to know about the Acts and how they affect Warwick (key concepts, individuals’ rights, legal obligations etc.)
Case Studies and Practice Questions
Q & A and Discussion

The Data Protection Act 1998
Came into force on 1 March 2000, replacing the 1984 Data Protection Act – main purpose to give effect in the UK to the 1995 EC Data Protection Directive
The DPA requires that anyone who processes personal information must:
- register its processing with the Information Commissioner, the regulatory body for the DPA (notification)
- process personal data in accordance with individuals’ rights
- process personal data in accordance with the eight Data Protection Principles.

What makes data ‘personal’?
‘Personal’ information is information about living individuals where those individuals can be identified either from the data or with the aid of other information that the data processor holds or is likely to obtain.
Caselaw: Durant v FSA (Court of Appeal, London, Dec 2003): ‘personal’ information as being biographical in a significant sense, with the putative data subject as its focus; information affecting the subject’s privacy
‘Sensitive’ personal data – personal data relating to racial or ethnic origins, political opinions, religious or spiritual beliefs, trade union memberships, physical or mental health or condition, sexual life, the commission or alleged commission of any offence, or criminal proceedings for any offence committed or alleged to have been committed.

What sorts of information are covered under the DPA?
Any electronic data (e.g. Microsoft Office documents, emails, web pages etc.)
Audio-visual data (e.g. CCTV) also covered where individuals are identifiable
Paper format (‘manual’) data covered by the DPA only to a limited extent
DPA 1998: manual data covered if in a relevant filing system whereby data must be structured by reference to individuals or by criteria relating to individuals, so that specific information on an individual is readily accessible

Durant on manual data
Court of Appeal took the view that the Act intended to cover manual files “only if they are of sufficient sophistication to provide the same or similar ready accessibility as a computerised filing system”
Following the Durant judgment it is likely that very few manual files will be covered by the provisions of the DPA

The Freedom of Information Act and paper data
The Freedom of Information Act 2000 extended certain limited aspects of the DPA to paper format data held by public authorities which was not in a relevant filing system (Category ‘e’ data)
Excludes personnel data
Right of access to ‘category e data’ only automatic if paper files are structured so that information on an individual can be located (e.g. files on named individuals)
Unstructured manual data (e.g. in general subject files) can only be requested if the requestor describes the data in a way which allows it to be located

Individuals’ rights under the DPA
Right to prevent processing likely to cause substantial damage or substantial distress
Right to prevent processing for purposes of direct marketing
Rights in relation to automated decision-taking
Right to request the rectification, blocking, erasure or destruction of inaccurate data
Right to compensation
Right of access to personal data

Subject Access Requests
Applicant must apply in writing
Can request proof of identity and charge a fee (usually £10; £50 for health records and a sliding scale for education records)
Organisation must respond promptly and in any event no later than 40 calendar days following receipt of request

Subject Access Requests – exemptions and limitations on the right of access
Data does not have to be released if this would (for example):
- endanger the physical or mental health of an individual
- disclose information subject to legal professional privilege
- disclose the personal data of other individuals
Other exemptions: confidential references and examination scripts
Other limitations on the right of access:
- No requirement to create data for the purpose of answering a request
- Don’t have to release data created after receipt of a request or data destroyed before receipt of a request
- Data can be amended or destroyed after receipt of a request if this is in line with established records management practice within the organisation (i.e. a retention schedule), but:
- the intentional concealment, alteration or destruction of data in order to prevent its release is a criminal offence for which both the organisation and individual staff can be liable.

The Data Protection Principles
The eight principles of the DPA state that the data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate and up to date;
- not kept longer than necessary;
- processed in accordance with the individual's rights;
- secure;
- not transferred to countries outside the European Economic Area, unless there is adequate protection.

Data Protection at Warwick: some practical guidance
Remember the Data Protection principles and the conditions on disclosure of personal data (Schedules 2 and 3)
Be very careful when transferring or disclosing personal data:
- Disclosure can be unlawful even if it is to the police or a government department
- Parents, relatives and friends have no automatic right to receive data on students or staff
- Never disclose data on another person over the phone (unless it is a life or death emergency – then offer to ring the enquirer back on a registered number)
Disclosure that may not satisfy all the DP principles may be permitted if an exemption applies, for example:
- If disclosure is necessary for national security (s.28(1)), the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty (s.29(3))
- If it is information that we are legally obliged to disclose, either because this is required by statute, rule of law or court order or if the information is necessary for legal proceedings, legal advice etc. (s.35)

More on confidential references
Requests for references which appear to be legitimate (e.g. which come from an established and reputable organisation) can usually be taken at face value. Possible ways of ascertaining this:
- Student/member of staff has asked you if you will be a referee before submitting the application
- The request is accompanied by a disclaimer signed by the student/member of staff confirming that they authorise the third party to seek a reference
- The third party provides you with a copy of the relevant section of the student’s/member of staff’s application form
- If in any doubt, contact the person who is the subject of the reference first.
Avoid giving verbal references.
If you’re writing a reference, assume it could be released. So avoid statements that cannot be defended by fact.

Data Protection and Research
Data gathered for non-research purposes can be used for research, provided the data is not used:
- for any other purpose, unless it is compatible with the purpose for which it was first collected
- to make decisions or take measures regarding individuals
- in a way which causes substantial damage or distress to data subjects.
This exemption allows, for example, personal data in historical records to be retained as archives. However, personal data in archives should be closed for the lifetime (or likely lifetime) of the individual.

Freedom of Information Act 2000
Created general right for any member of the public to request any recorded information held by public authorities – therefore potential for overlap and conflict with Data Protection
ICO is regulatory body
Public’s rights of access:
- Right to know if the authority holds the information requested
- Right to have that information communicated
- FoIA entitles access to information, not documents
- Request can be made by anyone, anywhere
- Request must be in writing, supply name and address and adequately describe information requested – but does not need to mention the FOIA
Publication Schemes
Obliged to respond within 20 working days of receipt of request
General duty to advise and assist

Exemptions from Access
Qualified vs. Absolute Exemptions
Public Interest Test applied for qualified exemptions
FoIA s.40(1): absolute exemption for first-party personal data (must make a Subject Access Request via the DPA)
FoIA s.40(3): qualified exemption for third-party personal data – exempt from release if disclosure would breach the Data Protection Principles.
Information Commissioner: limited situations where third-party personal data can be legitimately released under FoI.
- basic information about staff (name, job title, responsibilities, work contact details)
- salaries/expenses of very senior staff (only grades of junior staff)
- decisions or actions made by individuals in an official or work capacity

Other restrictions on access
‘Vexatious’ requests
Request repeats a recent request submitted by same applicant
Where cost of compliance would exceed £600 (central government) or £450 (all other public authorities)

Dealing with Requests
Being prepared: physical post and electronic mail
Receiving and assessing requests:
- Subject Access/Environmental Information requests
- Routine requests (log requests)
- Requests for information included in Publication Scheme (log requests)
- More complex and/or sensitive requests: refer to University Secretary’s Office without delay

Resources
Warwick’s Freedom of Information pages (including Publication Scheme):
Warwick’s Data Protection pages:
Information Commissioner’s website:
Warwick’s Data Protection Notification: asp?reg=
Department of Constitutional Affairs’ website: