Data Protection STFC Presentation to PPD Senior Staff 26/11/2009 FoI/DP team

Background to the present FoI/DP function CCLRC used Data Protection co-ordinators and received few Freedom of Information requests PPARC received few requests, dealt with by the FoI officer in HR – Data Protection requests not formally recorded STFC moved the FoI/DP function to sit with Records Management under Information Management Group - CICT

STFC FoI/DP team responsibilities Information Management Freedom of Information Records Management Data Protection

Approach to Data Protection Enquiries The approach to Data Protection enquiries is low key compared with the high profile FoI enquiries FoI/DP team members have attended PDP conferences and workshops including one on Exemption 40 – the link between the two Acts No formal DP enquiry process has been mapped for STFC Legal advice is available - also advice on Information Security HR and Finance staff receive separate training

Present Situation FoI requests still dominate but DP issues cause most internal enquiries Internal requests dealt with by a single contact - ongoing training required to increase throughput No set process for requests Limited experience and resources within team to train all staff General but no specific DP awareness training for Co-ordinators No formal means of checking staff awareness. Induction training and assistance on request is provided There is recognition that this should be addressed

The Information Commissioner The Information Commissioner is Christopher Graham and his powers are increasing! STFC Registration is online: Z postcode SN2 1SZ Online viewing available and online updates to register Online advice and assistance as well as phone advice Rights and responsibilities

Basics of the Data Protection Act – ICO Individuals’ right to know what information is held about them. Framework to ensure that personal information is handled properly. Anyone who processes personal information must comply with 8 principles: 1. Fairly and lawfully processed 2. Processed for limited purposes 3. Adequate, relevant and not excessive 4. Accurate and up to date 5. Not kept for longer than is necessary 6. Processed in line with your rights 7. Secure 8. Not transferred to other countries without adequate protection

Data protection Act continued The Act (in force from 1 st March 2000) provides individuals with important rights, including: the right to find out what personal information is held on computer and most paper records. The right to complain to the ICO if they feel that their information has not been handled according to the principles It is what is held on databases that causes most concern!

New Powers to Punish – April 2010 Press Release Date: 09 May 2008 ICO welcomes new powers to fine organisations for data breaches The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. David Smith, Deputy Information Commissioner said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously. “This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.

Internal Requests to STFC Requests for advice and assistance internally have increased, possibly due to increased awareness that Data Protection poses serious questions for STFC database owners Examples: Storing data collected by surveys or from conference attendance Service Level Agreement requirements concerning 3 rd party providers of services Third party awareness where STFC is host for 3 rd party information

Cross Council Liaison To address common issues STFC liaises with other Research Councils and RCUK by means of the Information Compliance Group (ICG) ICG reports to OSG Councils share information and advice Councils consider alignment of approach to both DP and FoI However, each council makes it’s own decisions on FoI disclosure

Sensitive Personal Information In this Act “sensitive personal data” means personal data consisting of information as to— (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992), (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

How to answer your own questions Work through the 8 Data Protection Principles Check whether any Sensitive personal information is being requested Check whether we really need to hold the information – why? Ensure that the Individual is aware of their rights – survey wording etc. Gain the individual’s permission to hold the information Ensure there is a means to update/delete it If in doubt, ask.

The FoI/DP/Records team service to users STFC staff intranet STFC_internal_foi_dp_enquiries Telephone – Request training, checking of policies etc., We are here to help and advise you

End Any Questions?