1 / 39

Data Protection and FOI: An Introduction

Data Protection and FOI: An Introduction. Training session , 14 May 2019 James Knapton, Information Compliance Officer, Registrary’s Office. Programme. Part I: Data Protection W hat is personal data? W hat are the data protection principles and how do they affect me?

jkerns
Download Presentation

Data Protection and FOI: An Introduction

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Protection and FOI: An Introduction Training session, 14 May 2019 James Knapton, Information Compliance Officer, Registrary’s Office

  2. Programme • Part I: Data Protection • What is personal data? • What are the data protection principles and how do they affect me? • Part II: Freedom of Information • What is FOI? • Handling FOI requests • Part III: Records Management • What is a record? • What is records management and how can it help me?

  3. How do these topics interrelate? • ‘Information legislation’ regulated by Information Commissioner (ICO) • Data protection • Focus on privacy for living identifiable individuals • Framework for all organisations • Freedom of information • Focus on organisational openness • Framework for ‘public authorities’ only • Records management • Implicit in information legislation

  4. Part I PART I: DATA PROTECTION

  5. Data protection legislation • General Data Protection Regulation (GDPR) • Has applied EU-wide since 25 May 2018 • Data Protection Act 2018 (DPA 2018) • Has applied in UK since 25 May 2018 • Supplements GDPR in specific ways

  6. What is ‘personal data’? • Data protection legislation imposes obligations on ‘data controllers’ that ‘process’ ‘personal data’ about ‘data subjects’ • Data controller = the organisation that determines how the personal data are processed (the University as a whole but not the Colleges) • Processing = collecting, recording, holding, amending, disclosing, destroying… • Personal data = any information relating to a living identifiable individual that is • Processed on computers or other technology • Held in a structured hard copy filing system • Recorded in unstructured hard copy (for some purposes for public authorities only) • Data subjects = living identifiable individuals

  7. What is ‘special category’ personal data? • Specifically defined in GDPR – more sensitive personal data categories • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade Union membership • Genetic data • Biometric data • Health data • Sexual life and orientation • DPA 2018 effectively adds one more category • Criminal offences (alleged or proven) and court proceedings

  8. Practical exercise on identifying personal data

  9. The data protection principles • Key to compliance is adherence to the data protection principles • Rest of the legislation • Explains how these principles should be applied • Exempts certain types of data processing (e.g. journalism, research) from certain aspects of the principles • Outlines the ICO’s and the courts’ regulatory powers to ensure the principles are upheld

  10. Practical exercise on the principles • You go to visit your bank. During your visit you give them numerous details about your financial situation. • What do you expect from your bank when handling this information?

  11. The principles • Personal data shall be: • Processed fairly, lawfully and transparently • Processed only for specified, explicit and legitimate purposes • Adequate, relevant and limited • Accurate (and rectified if inaccurate) • Not kept for longer than necessary • Processed securely – to preserve the confidentiality, integrity and availability of the personal data • Data controller must be able to demonstrate compliance with principles

  12. Fair, lawful and transparent processing • Fairness • Use personal data in ways data subjects would reasonably expect • Consider any unjustified adverse impact on data subjects • Lawfulness • Not be unlawful (e.g. criminal act or breach of confidentiality) • Have a valid legal basis • Transparency • Be open with data subjects about how their personal data is used

  13. Legal bases for personal data processing • Six possible legal bases in GDPR for personal data processing • With consent – freely given, specific, informed, demonstrable, revocable • To operate a contract with the data subject • To meet a legal obligation • To protect the data subject’s vital interests • To perform a public interest task mandated by law • To further the legitimate interests of the data controller – but not for ‘public authorities in the performance of their tasks’

  14. Legal bases for personal data processing: direct marketing • Privacy and Electronic Communications Regulations 2003 (as amended) • Supplements data protection law on issue of electronic direct marketing (no additional rules for postal direct marketing) • For electronic direct marketing by email/text • Must have consent as legal basis • For electronic direct marketing by live phone call to landlines or mobiles • Must have consent as legal basis or • Must check the individual is not on TPS • Also should give an easy opt-out in every communication

  15. Legal bases for special category personal data processing • Various further legal bases/conditions in both GDPR and DPA 2018 for special category personal data processing • The data subject has explicitly consented • To progress legal proceedings • For medical purposes by a medical professional • To conduct research in the public interest under certain safeguards (data minimisation and pseudonymisation and no damage or distress and no individual decision-making) • To meet a substantial public interest from specified list (e.g. crime prevention or equalities monitoring or child safeguarding) • And more…

  16. Transparency: privacy notices • Need to tell data subjects, in a transparent and accessible way • Who you are • Purposes of personal data processing • The legal basis/bases relied upon • Any disclosures to third parties • Retention periods • The existence of data subject rights • The right to complain to the ICO • And more…

  17. Standards for data collection and use • Personal data must obtained and processed for specified, explicit and legitimate purposes • Exemption for research: personal data can be processed for purposes other than those for which they were originally obtained • Personal data must be adequate, relevant and limited • Personal data must be accurate (and rectified if inaccurate) • Personal data must not be kept for longer than is necessary • Exemption for research and archiving: personal data can be kept indefinitely

  18. Information security • Personal data must be processed securely to prevent unlawful use and accidental loss or destruction • Aim to preserve the confidentiality, integrity and availability of the personal data • Must ensure an ‘appropriate’ level of security depending on the context and risk • Encryption • Pseudonymisation • Resilience – back up and disaster recovery • Testing and evaluating security controls • Data controllers must report certain personal data breaches to ICO within 72 hours – key responsibility for all staff is recognising and reporting breaches internally

  19. Accountability measures • Data controller must be able to demonstrate compliance • Data protection by design when building new systems or designing new processes • Data Protection Impact Assessments for ‘high risk’ processing • Prescribed contents of contracts with ‘data processors’ • Rules for transfers of personal data outside the EEA to ensure ‘adequate’ protection (e.g. to an approved country or use of EU model clauses) • Maintenance of a personal data register • Role of independent Data Protection Officer

  20. Rights of data subjects (1) • Rights of: • Being informed about how personal data are being used – fulfilled by privacy notices • Access (i.e. getting copies) • Rectification (i.e. correcting) • Restriction (i.e. quarantining) pending verification or correction • Objection (i.e. complaining), including to profiling and direct marketing • Erasure (i.e. deleting) • Portability (i.e. getting electronic copies to ‘port’ elsewhere)

  21. Rights of data subjects (2) • Rights requests must be fulfilled for free within one month • Must be satisfied as to identity of requester • Requests must be submitted by the data subjects themselves, or others with proof of authority to act for them • Requests handled centrally unless ‘business as usual’ correspondence • Key responsibility for all staff is recognising requests – requesters do not need to mention GDPR or address requests to a specific office

  22. Rights of data subjects (3) • All rights are qualified • Can refuse ‘manifestly excessive’ rights requests • Some rights only apply under particular legal bases • Specific exemptions from some rights where personal data are processed for specific purposes (e.g. for journalism or research or crime prevention) – in some cases these exemptions only apply if fulfilling the right would prejudice the purpose or would impair the necessary processing • Must not infringe privacy of others in fulfilling access right requests • Specific exemptions from access right for specific types of personal data (e.g. confidential references or exam scripts or information covered by legal privilege)

  23. Practical exercise on recognising the rights • What rights, if any, are being exercised?

  24. Part II PART II: FREEDOM OF INFORMATION

  25. What is Freedom of Information? • Freedom of Information Act 2000 imposes three main obligations on specified ‘public authorities’ • Adoption and maintenance of a Publication Scheme in accordance with sector-specific model issued by ICO • Legal requirement to respond to individual requests for information • Legal requirement to provide advice and assistance to requesters • Requesters have legal rights of internal and then external complaint if they cannot access the information they want • Separate legislation, the Environmental Information Regulations 2004, imposes broadly similar access obligations with regard to information about environmental matters

  26. What is a valid FOI request? • Request for recorded information • Not for explanations, opinions, commentaries, estimates • No need to create new information but may be complex to extract it from multiple files or systems • FOI requests must be fulfilled for free within 20 working days • Requests handled centrally unless ‘business as usual’ correspondence • Key responsibility for all staff is recognising requests – requesters do not need to mention FOI or address requests to a specific office

  27. What is asked for under FOI? • Top topics • Admissions • Student issues and numbers • Financial information • HR and staff issues • Management and administration • IT provision and use • Teaching and assessment • Estates and buildings

  28. Who is making FOI requests? • Wide variety • Journalists • Commercial organisations • Campaigning organisations • Students and applicants • Staff • Complainants • Many round robins • FOIA is applicant and motive blind

  29. FOI exemptions • Procedural • Exceeds cost (£450) or time (18 hours) ‘appropriate limit’ • Repeated • ‘Vexatious’ • Otherwise divided into ‘absolute’ and ‘qualified’ depending on whether we need to consider the public interest test • ‘In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information’

  30. FOI absolute exemptions • Information accessible to requester by other means • Personal information – must not breach data protection principles • Information provided in confidence butnot internally marked as confidential • Prohibition on disclosure due to other legislation or court order but not due to a contract • Supplied by or relating to the security services • Court records • Parliamentary privilege

  31. FOI qualified exemptions • Information intended for future publication, including pre-publication research data • Prejudice to law enforcement • Prejudice to the ‘effective conduct of public affairs’ – needs VC approval • Endangerment of health and safety • Legally privileged information • Trade secrets or prejudice to ‘commercial interests’ • Police and regulatory body investigations • Prejudice to national security or defence functions or international relations or relations within the UK or the national economy or audit functions • Formulation of government policy or communications with the Queen

  32. Practical exercise on FOI request handling

  33. Part III PART III: RECORDS MANAGEMENT

  34. FOIA Code of Practice • Lord Chancellor’s Code of Practice on the Management of Records • Records management framework • Records management policy • Retention of records for regulatory purposes • Proper system of records keeping • Know what records you hold • Secure storage and controlled access • Timeframe for destruction of old records • Share records within certain protocols • Monitor own records management performance

  35. The basics of records management • University records = all materials that staff create, update, refer to or destroy in the course of carrying out their contractual duties at the University that provide evidence of something having occurred • Records exist in paper and electronic format • Records management = systems and processes in place for the creation, maintenance, handling and disposal of records

  36. Types of records • Three types of records • Master (whether paper or electronic) • Duplicate • Transitory • Duplicate and transitory records: appropriate use then secure destruction when no longer in current or reference use • Master records: appropriate use then, after a fixed period of time, • Secure destruction or • Transfer to central archive for permanent preservation

  37. Cambridge records management framework • Statement of Records Management Practice • Principles and responsibilities • Master Records Retention Schedule • Recommendations on how long to keep master records and what to do with them once this time period has elapsed • Incorporates legislation and sector best practice

  38. Practical exercise on records handling

  39. Further information • Website https://www.information-compliance.admin.cam.ac.uk/ • Email data.protection@admin.cam.ac.uk foi@admin.cam.ac.uk

More Related