1. Records management for the public sector 8 September 2016 Judith Jones - Group Manager Sue Markey - Senior Policy Officer Government and Society

2. Outline ICO and records management Key themes and common trends How the ICO can help What’s new – DP and FOI

3. The Information Commissioner Elizabeth Denham Promoted transparency in government, proactive approach to enforcement of access and privacy laws Reports to Parliament Independent of Government

4. ICO enforces and regulates: –Freedom of Information Act –Data Protection Act –Environmental Information Regulations –Privacy and Electronic Communications Regulations –Re-use of Public Sector Information Regulations (TNA - policy, ICO – complaints) TNA, Records of Scotland, Public Record Office of Northern Ireland: - Public records legislation Other legal requirements and professional guidelines

5. Records Management legislation: FOI Section 46 Code of Practice “Freedom of information legislation is only as good as the quality of the records and other information to which it provides access.” Failure to follow the Section 46 Code of Practice may mean that an authority also fails to comply with other legislation concerning the creation, management, disposal, use and re-use of records and information, for example: Public Records Act 1958 Data Protection Act 1998 (DPA) Re-use of Public Sector Information Regulations 2015

6. Information Commissioner on FOI: highlighting records management concerns Timeliness in dealing with foi requests Duty to document in British Columbia Private emails

8. Know what you hold

9. Know what you hold: think about Collecting personal data Responding to FOI requests Legacy records Paper vs digital records Private email accounts Risk assessment

10. Retention

11. Personal data not to be kept for longer than is necessary. Consider the purpose you hold the information for when deciding how long to retain Retention and disposal schedules - useful when considering FOI complaints Retention requirements of TNA and regional bodies. And others including inquiries Keep retention periods under review Securely delete information that is no longer needed Update, archive or securely delete information if it goes out of date.

12. Timeliness

13. Time limits Subject access and FOIA requests have time limits for responses Senior commitment and effective liaison across the organisation is vital Identify barriers to good performance and draw up improvement plans Better reputation with the public ICO monitoring regime

14. Disposal

15. Disposing of data Requirement of the DPA to dispose of personal data securely Archiving or deletion? Only archive if still need to hold the information – otherwise delete ICO has issued monetary penalties eg abandoned filing cabinets, selling hard drives rather than destruction

16. Breaches

17. Self reported incidents – data protection Operational Statistics 2015/16

18. Self reported incidents - continued Operational Statistics 2015/16

19. Recent enforcement action August 2016 Hampshire County Council £100,000 May 2016 Blackpool Teaching Hospitals £185,000 November 2015 CPS £200 000

20. ICO Audit Outcomes

21. Not understanding data flows Not understanding responsibilities Lack of training Inadequate, outdated or poorly communicated policies Lack of senior support, funding or visibility of information governance Failure to implement effective remedial measures quickly Inadequate long term remedial measures, with a failure to identify risks Trends – common failings

22. Data Protection self assessment toolkit ico.org.uk/for-organisations/improve-your practices/data-protection-self-assessment toolkit

25. Where now on FOI Technology, digitisation Digital Economy Bill – better use of data, data sharing Data protection law in the UK: what next? What’s new?

26. What the future holds on FOI Recommendations of the Independent Commission on Freedom of Information Divergence from FOISA Open data and the Open Government Partnership Trends, standards and expectations

27. Digital Economy Bill: digital government

28. ICO view Recognise benefits of justified data sharing Support permissive, enabling approach to legal gateways Need for robust safeguards to protect public from disproportionate data sharing – including use of PIAs Welcome guiding principle that the powers of DPA should not be weakened

29. The Data Protection Act remains UK law for now and it’s business as usual for most organisations

30. Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK

31. “One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward” Baroness Neville-Rolfe DBE CMG Minister for Data Protection 4th July 2016,

32. The ICO will continue to provide practical advice and guidance ico.org.uk/dpreform Twitter: @iconews

33. ICO guidance

34. ICO guidance on records management matters Section 46 Code of Practice – records management https://ico.org.uk/media/1624142/section-46-code-of- practice-records-management-foia-and-eir.pdf Guide to the Re-use of Public Sector Information https://ico.org.uk/for-organisations/guide-to-rpsi/ Retention and destruction of requested information https://ico.org.uk/media/1160/retention-and-destruction-of- requested-information.pdf

35. Further reading The National Archives http://www.nationalarchives.gov.uk/information- management/ National Records of Scotland http://www.nrscotland.gov.uk/record-keeping/records- management Public Record Office for Northern Ireland (PRONI) https://www.nidirect.gov.uk/information-and-services/public- record-office-northern-ireland-proni/record-keeping-proni

36. www.twitter.com/icone ws Keep in touch Subscribe to our e-newsletter at www.ico.gov.uk or find us on…