390 likes | 407 Views
Data Protection and FOI: An Introduction. Training session , 14 May 2019 James Knapton, Information Compliance Officer, Registrary’s Office. Programme. Part I: Data Protection W hat is personal data? W hat are the data protection principles and how do they affect me?
E N D
Data Protection and FOI: An Introduction Training session, 14 May 2019 James Knapton, Information Compliance Officer, Registrary’s Office
Programme • Part I: Data Protection • What is personal data? • What are the data protection principles and how do they affect me? • Part II: Freedom of Information • What is FOI? • Handling FOI requests • Part III: Records Management • What is a record? • What is records management and how can it help me?
How do these topics interrelate? • ‘Information legislation’ regulated by Information Commissioner (ICO) • Data protection • Focus on privacy for living identifiable individuals • Framework for all organisations • Freedom of information • Focus on organisational openness • Framework for ‘public authorities’ only • Records management • Implicit in information legislation
Part I PART I: DATA PROTECTION
Data protection legislation • General Data Protection Regulation (GDPR) • Has applied EU-wide since 25 May 2018 • Data Protection Act 2018 (DPA 2018) • Has applied in UK since 25 May 2018 • Supplements GDPR in specific ways
What is ‘personal data’? • Data protection legislation imposes obligations on ‘data controllers’ that ‘process’ ‘personal data’ about ‘data subjects’ • Data controller = the organisation that determines how the personal data are processed (the University as a whole but not the Colleges) • Processing = collecting, recording, holding, amending, disclosing, destroying… • Personal data = any information relating to a living identifiable individual that is • Processed on computers or other technology • Held in a structured hard copy filing system • Recorded in unstructured hard copy (for some purposes for public authorities only) • Data subjects = living identifiable individuals
What is ‘special category’ personal data? • Specifically defined in GDPR – more sensitive personal data categories • Racial or ethnic origin • Political opinions • Religious or philosophical beliefs • Trade Union membership • Genetic data • Biometric data • Health data • Sexual life and orientation • DPA 2018 effectively adds one more category • Criminal offences (alleged or proven) and court proceedings
The data protection principles • Key to compliance is adherence to the data protection principles • Rest of the legislation • Explains how these principles should be applied • Exempts certain types of data processing (e.g. journalism, research) from certain aspects of the principles • Outlines the ICO’s and the courts’ regulatory powers to ensure the principles are upheld
Practical exercise on the principles • You go to visit your bank. During your visit you give them numerous details about your financial situation. • What do you expect from your bank when handling this information?
The principles • Personal data shall be: • Processed fairly, lawfully and transparently • Processed only for specified, explicit and legitimate purposes • Adequate, relevant and limited • Accurate (and rectified if inaccurate) • Not kept for longer than necessary • Processed securely – to preserve the confidentiality, integrity and availability of the personal data • Data controller must be able to demonstrate compliance with principles
Fair, lawful and transparent processing • Fairness • Use personal data in ways data subjects would reasonably expect • Consider any unjustified adverse impact on data subjects • Lawfulness • Not be unlawful (e.g. criminal act or breach of confidentiality) • Have a valid legal basis • Transparency • Be open with data subjects about how their personal data is used
Legal bases for personal data processing • Six possible legal bases in GDPR for personal data processing • With consent – freely given, specific, informed, demonstrable, revocable • To operate a contract with the data subject • To meet a legal obligation • To protect the data subject’s vital interests • To perform a public interest task mandated by law • To further the legitimate interests of the data controller – but not for ‘public authorities in the performance of their tasks’
Legal bases for personal data processing: direct marketing • Privacy and Electronic Communications Regulations 2003 (as amended) • Supplements data protection law on issue of electronic direct marketing (no additional rules for postal direct marketing) • For electronic direct marketing by email/text • Must have consent as legal basis • For electronic direct marketing by live phone call to landlines or mobiles • Must have consent as legal basis or • Must check the individual is not on TPS • Also should give an easy opt-out in every communication
Legal bases for special category personal data processing • Various further legal bases/conditions in both GDPR and DPA 2018 for special category personal data processing • The data subject has explicitly consented • To progress legal proceedings • For medical purposes by a medical professional • To conduct research in the public interest under certain safeguards (data minimisation and pseudonymisation and no damage or distress and no individual decision-making) • To meet a substantial public interest from specified list (e.g. crime prevention or equalities monitoring or child safeguarding) • And more…
Transparency: privacy notices • Need to tell data subjects, in a transparent and accessible way • Who you are • Purposes of personal data processing • The legal basis/bases relied upon • Any disclosures to third parties • Retention periods • The existence of data subject rights • The right to complain to the ICO • And more…
Standards for data collection and use • Personal data must obtained and processed for specified, explicit and legitimate purposes • Exemption for research: personal data can be processed for purposes other than those for which they were originally obtained • Personal data must be adequate, relevant and limited • Personal data must be accurate (and rectified if inaccurate) • Personal data must not be kept for longer than is necessary • Exemption for research and archiving: personal data can be kept indefinitely
Information security • Personal data must be processed securely to prevent unlawful use and accidental loss or destruction • Aim to preserve the confidentiality, integrity and availability of the personal data • Must ensure an ‘appropriate’ level of security depending on the context and risk • Encryption • Pseudonymisation • Resilience – back up and disaster recovery • Testing and evaluating security controls • Data controllers must report certain personal data breaches to ICO within 72 hours – key responsibility for all staff is recognising and reporting breaches internally
Accountability measures • Data controller must be able to demonstrate compliance • Data protection by design when building new systems or designing new processes • Data Protection Impact Assessments for ‘high risk’ processing • Prescribed contents of contracts with ‘data processors’ • Rules for transfers of personal data outside the EEA to ensure ‘adequate’ protection (e.g. to an approved country or use of EU model clauses) • Maintenance of a personal data register • Role of independent Data Protection Officer
Rights of data subjects (1) • Rights of: • Being informed about how personal data are being used – fulfilled by privacy notices • Access (i.e. getting copies) • Rectification (i.e. correcting) • Restriction (i.e. quarantining) pending verification or correction • Objection (i.e. complaining), including to profiling and direct marketing • Erasure (i.e. deleting) • Portability (i.e. getting electronic copies to ‘port’ elsewhere)
Rights of data subjects (2) • Rights requests must be fulfilled for free within one month • Must be satisfied as to identity of requester • Requests must be submitted by the data subjects themselves, or others with proof of authority to act for them • Requests handled centrally unless ‘business as usual’ correspondence • Key responsibility for all staff is recognising requests – requesters do not need to mention GDPR or address requests to a specific office
Rights of data subjects (3) • All rights are qualified • Can refuse ‘manifestly excessive’ rights requests • Some rights only apply under particular legal bases • Specific exemptions from some rights where personal data are processed for specific purposes (e.g. for journalism or research or crime prevention) – in some cases these exemptions only apply if fulfilling the right would prejudice the purpose or would impair the necessary processing • Must not infringe privacy of others in fulfilling access right requests • Specific exemptions from access right for specific types of personal data (e.g. confidential references or exam scripts or information covered by legal privilege)
Practical exercise on recognising the rights • What rights, if any, are being exercised?
Part II PART II: FREEDOM OF INFORMATION
What is Freedom of Information? • Freedom of Information Act 2000 imposes three main obligations on specified ‘public authorities’ • Adoption and maintenance of a Publication Scheme in accordance with sector-specific model issued by ICO • Legal requirement to respond to individual requests for information • Legal requirement to provide advice and assistance to requesters • Requesters have legal rights of internal and then external complaint if they cannot access the information they want • Separate legislation, the Environmental Information Regulations 2004, imposes broadly similar access obligations with regard to information about environmental matters
What is a valid FOI request? • Request for recorded information • Not for explanations, opinions, commentaries, estimates • No need to create new information but may be complex to extract it from multiple files or systems • FOI requests must be fulfilled for free within 20 working days • Requests handled centrally unless ‘business as usual’ correspondence • Key responsibility for all staff is recognising requests – requesters do not need to mention FOI or address requests to a specific office
What is asked for under FOI? • Top topics • Admissions • Student issues and numbers • Financial information • HR and staff issues • Management and administration • IT provision and use • Teaching and assessment • Estates and buildings
Who is making FOI requests? • Wide variety • Journalists • Commercial organisations • Campaigning organisations • Students and applicants • Staff • Complainants • Many round robins • FOIA is applicant and motive blind
FOI exemptions • Procedural • Exceeds cost (£450) or time (18 hours) ‘appropriate limit’ • Repeated • ‘Vexatious’ • Otherwise divided into ‘absolute’ and ‘qualified’ depending on whether we need to consider the public interest test • ‘In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information’
FOI absolute exemptions • Information accessible to requester by other means • Personal information – must not breach data protection principles • Information provided in confidence butnot internally marked as confidential • Prohibition on disclosure due to other legislation or court order but not due to a contract • Supplied by or relating to the security services • Court records • Parliamentary privilege
FOI qualified exemptions • Information intended for future publication, including pre-publication research data • Prejudice to law enforcement • Prejudice to the ‘effective conduct of public affairs’ – needs VC approval • Endangerment of health and safety • Legally privileged information • Trade secrets or prejudice to ‘commercial interests’ • Police and regulatory body investigations • Prejudice to national security or defence functions or international relations or relations within the UK or the national economy or audit functions • Formulation of government policy or communications with the Queen
Part III PART III: RECORDS MANAGEMENT
FOIA Code of Practice • Lord Chancellor’s Code of Practice on the Management of Records • Records management framework • Records management policy • Retention of records for regulatory purposes • Proper system of records keeping • Know what records you hold • Secure storage and controlled access • Timeframe for destruction of old records • Share records within certain protocols • Monitor own records management performance
The basics of records management • University records = all materials that staff create, update, refer to or destroy in the course of carrying out their contractual duties at the University that provide evidence of something having occurred • Records exist in paper and electronic format • Records management = systems and processes in place for the creation, maintenance, handling and disposal of records
Types of records • Three types of records • Master (whether paper or electronic) • Duplicate • Transitory • Duplicate and transitory records: appropriate use then secure destruction when no longer in current or reference use • Master records: appropriate use then, after a fixed period of time, • Secure destruction or • Transfer to central archive for permanent preservation
Cambridge records management framework • Statement of Records Management Practice • Principles and responsibilities • Master Records Retention Schedule • Recommendations on how long to keep master records and what to do with them once this time period has elapsed • Incorporates legislation and sector best practice
Further information • Website https://www.information-compliance.admin.cam.ac.uk/ • Email data.protection@admin.cam.ac.uk foi@admin.cam.ac.uk