1. The Right of Access to Information The Right of Access to Information DATA PROTECTION ACT 1998 FREEDOM OF INFORMATION ACT 2000 ENVIRONMENTAL INFORMATION REGULATIONS 2004 Andy Gray (Information Management )

2. Data Protection Act 1998

3. “all staff must be aware of the Data Protection Act and of their obligations under it.” ADC Data Protection Policy “a person must not knowingly or recklessly, without the consent of the data controller - (a) obtain or disclose personal data or the information contained in personal data, or (b) procure the disclosure to another person of the information contained in personal data” Data Protection Act 1998 Section 55 (1) Why you are here

4. What is Data Protection? The purpose of the Data Protection Act is to ensure that data relating to living people is handled responsibly.

5. What does it do for people? The Act grants certain rights to individuals about whom data is held: we must tell them what we are doing with their data they can object to some of the uses we have for it identifies a body who will investigate complaints and provide advice – Information Commissioner they can see the data we hold about them on request

6. What does it do for the organisation? Provides rules that have to be followed when processing personal information Requires organisations to publicly show what personal information they are using - Notification Restricts the use of “sensitive” personal information

7. Data  Computerized records  Manual filing systems

8. Personal Data  Data which essentially relates to a living individual who can either be identified from that information on its own or from that and other information available to the Data Controller. i.e. name and address, date of birth, qualifications, income level, employment history.

9. Sensitive Personal Data  Information deemed personal and sensitive includes - racial and ethnic origin - political opinions or trade union membership - religious or similar beliefs - health or sexual life - criminal offences  If processing this type of data it is advisable to seek guidance

10. Is a name personal information? Mike Hall David King Mike David

11. Processing  Any activity whatsoever that involves Personal Data, held either electronically or manually, which is undertaken by the Data Controller or on their behalf by the Data Processor. i.e. consulting information, retrieving it, disclosing it,creating copies etc

12. Data Subject  Is the living individual that the information that is held by the Data Controller applies to.

13. The Act’s Principles  There are eight legally enforceable principles which lie at the heart of our data protection legislation  These can be referred to as good information handling practice

14. Over 20 Exemptions  Information for the detection or the prevention of Crime  Disclosure may result in serious harm to health  Statistical or historical information  Employment references  Information consisting of records of the intention of the data controller to carry out negotiations  Legal professional privilege

15. ADC’s Data Protection Policy Covers -  confidentiality of personal information  staff to comply with Data Protection Code of Practice  to be aware of the Data Protection Act  council will not hold more information than is necessary for the performance of its functions  subject access requests dealt with through specified procedure  responsibility for maintaining council’s compliance undertaken via corporate function  Heads of Service responsible for compliance in each section

16. Data Protection In Practice

17. Data Subject Access Upon making a request in writing and upon paying the fee to the data controller an individual is entitled  To be told by the data controller whether they or someone else on their behalf is processing the individuals data  if so, to be given a description of a. the personal data b. the purposes for which they are being processed, and c. those to whom they are or may be disclosed

18. Dealing with a Data Subject Access Request Request For Personal Information N.B. if non-personal info is requested follow Request Handling Procedure for Non-Personal Information Contact Designated Officer Issue the (Your Right To Know) leaflet Main Office Other Office’s Unobtainable

19. Police Requests  Must be in writing  Preferably on the recognised Police Form  Must indicate the section of the Act under which access is requested  Must be countersigned by a team leader or above who must be satisfied of validity  Must relate to an individual and not be a trawl for information

20. Councillors Access to the Authority’s Personal Data Disclosure of information to Councillors is essential if they are to carry out their (statutory) duties as a member of the council

21. Councillors Access to the Authority’s Personal Data cont. Any use of data for purposes other than those specified could result in the Councillor acting illegally. A Councillor requesting access to information about matters dealt with by a committee of which he/she in NOT a member must demonstrate a need to know.

22. Security - In Practice Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and against accidental loss, damage or destruction of personal data Data Protection Act 1998  IT Security Policy  Data Protection Code of Practice

23. leaving laptops on the bus sending documents with personal information to the wrong printer or fax, leaving them on the photocopier sensitive documents on shared networks sensitive papers left on desks taking sensitive documents home insecure filing Security - In Practice contd.

24. Disclosure - In Practice DO NOT disclose personal information without authority. Personal data should not be disclosed to any person except where - Unauthorised disclosure may lead to disciplinary action IF IN DOUBT CONSULT YOUR MANAGER  disclosure is permitted under the Act’s exemptions, or  consent has been given by the data subject

25. Data Protection Offences 1.It is a criminal offence to destroy or erase information after a request has been received. 2.It is an offence to knowingly or recklessly obtain, disclose or procure the disclosure of personal information without the consent of the data controller. 3.If a person has obtained personal information illegally it is an offence to offer or to sell personal information. And the penalty if you do? Currently – A fine of up to £5,000 per offence + £5,000 costs Recently proposed – A fine of up to £5,000 per offence + £5,000 costs AND up to 2 years imprisonment Gross Misconduct Lose your job?

26. Comfort Break

27. Freedom of Information Act 2000 Environmental Information Regulations 2004

28. Access to Information around the World 1966 1982 1985 1989 1998 2005

29. Freedom of Information Act 2000 “to engineer change in the culture of public life from one of a need to know to one of a right to know.” Richard Thomas Information Commissioner October 2004

30. The reality  Covers all information “held”, regardless of the format  Fully retrospective  Anyone can request information, with no reason provided and we have no right to ask.  Provide “reasonable” advice and assistance  Requests for information to be dealt with in 20 working days  There is NO exemption for embarrassment!

31. Who will make use of access?  The public  The media  Pressure groups  Commercial Organisations  Current or former employees  Anyone worldwide.

32. ADC Information Requests All emails between XXX officer and third party All files you hold on me What criteria does the Council use to determine the positioning of speed bumps how many premises have failed food inspections All information relation to XXX planning applications Avg number of staff sick days How many meeting have Councillors failed to attend The CEO job description and salary paid How many members of staff have been disciplined for accessing inappropriate websites How well are you prepared against mosquito borne diseases – West Nile Virus & Malaria Do you chip your wheelie bins and what do you use the information for 126 in 2007 risen to 234 in 2008 2009???

33. A Request now what?

34. Rights of the applicants  A right to be told whether the information requested is held &  To have that information communicated to them.

35. What is a request?  Wanting access to information that the authority holds  Could be: - committee agenda - report - minutes of meeting - analysis - costs - emails or notes Held in any format.

36. Beware!!!!! File notes Comments made on reports Draft copies Photocopies Duplicate files/filing systems Emails

37. What is being asked for? Is a red car with a horse a Ferrari?

38. Ensure you know what is being asked for Not always!

39. When is a request valid ?  The request can be in any format – written note, (email, fax) verbal (telephone, reception, on-site)  A name and contact details are reqd  Information requested must be described.

40. How much assistance to be given?  Section 16 mentions “reasonable” assistance  As much assistance that is required to ensure the request is understandable &  Meets the requestors need  DO NOT ask what purpose the information is required for.

41. Request Handling Procedure for Non- Personal Information Request For Information N.B. if personal info is requested follow DP Procedure Happy to release? Have done so in past? Service Area releases Scrutiny & Policy (Information Management) Via Employee Via Reception Via Switchboard Via Email/Mail/Fax YES NO Line Manager Fast track?

42. Fast-Track Card  Method of short-cutting request handling procedure  Provides the option for the Requestor to deal directly with Information Handling Section  Can only be suggested, must never be forced  If refused, request must still be taken.

43. Fast-Track Card

44. Summary  Be aware of requests  Don’t ignore them  Follow the procedure  Date stamp if possible  If in doubt ASK.