Personal Information under FOIA
Andrew Charlesworth, Centre for IT & Law, University of Bristol
The DP/FOIA Interface
• Access by third parties to information about other identifiable living individuals under FOIA
  • information about individuals may still be disclosed to third parties other than under FOIA;
  • the exemptions in FOIA only apply to living and identifiable individuals; separate procedures must be established for the dead and for anonymised information.
• Access by the individual data subject to information about himself
  • this access is made under the Data Protection Act 1998.

3rd party access to personal info
• Access rules are largely the same for all personal info irrespective of how it is held - on a computer, in structured files or unstructured records;
• A broad (and technically complex) exemption is available for such information (s.40 FOIA);
• Apart from the exemption the usual FOIA rules apply to personal info:
  • the provision of advice and assistance;
  • charging provisions;
  • locating the information sought;
  • refusals;
  • inclusion of information in publication schemes.

Co-existence with existing arrangements
• s.78 FOIA - disclosures other than FOI ones can continue to be made, e.g. under statute or voluntary arrangements.
• In areas of overlap it will be necessary for the disclosing authority to “tag” the information to show which is disclosed under FOIA.
• Collection notices will have to be
  • extended to cover all personal information; and
  • amended to give notice of possible disclosures both of substantive information and of confirmation/denial that information is held.
3rd Party Exemption
• An absolute exemption applies where a 3rd party seeks access to personal data and either:
  • the disclosure of the information to a member of the public other than under FOIA would breach the standards for protection of personal data set by the DP Principles (irrespective of whether the information is data covered by the DPA 98 or not); or
  • the information would be exempt from disclosure to the individual who is the subject of the data if he/she made a subject access request under the DPA 98 (this applies to all the personal data, as the right of subject access is extended to all recorded information).

3rd Party Exemption (cont.)
• A non-absolute exemption applies where:
  • the information is personal data falling within the definition in s.1(1)(a) to (d) of the DPA 98 (that is, automated data, data intended to be automated, data in a relevant filing system and accessible records) but not the “new” category of “recorded information” added by FOIA; and
  • the disclosure of the information to a member of the public otherwise than under FOIA would contravene s.10 of the DPA (s.10 contains a right to object to processing which would cause damage or distress).
Duty to confirm or deny
• Duty to confirm or deny does not arise if:
  • confirmation or denial would in itself breach any of the standards set in the DP Principles;
  • confirmation or denial would in itself reveal information which would be exempt from subject access under the DPA 98;
  • (for data covered by s.1(1)(a) to (d) DPA 98 only) the confirmation or denial would breach s.10.

3rd Party Exemption
• This is a non-exhaustive exemption - the other exemptions under FOIA also apply;
• Most relevant exemptions are likely to be:
  • accessible by other means
  • investigation and prosecution
  • regulatory functions
  • information subject to an obligation of confidence
  • legal professional privilege
  • health and safety

Applying the s.40 Exemption
• When applying the DP Principles consider disclosure into the public domain;
• The principles require:
  • lawfulness and fairness of processing, in particular collection notices explaining uses and disclosures of personal data
  • use only for purposes compatible with those for which data obtained
  • respect for data subject rights
  • data quality and security
  • transfer to countries outside the EEA only where they provide adequate protection
Subject access exemptions
• investigation and prosecution of crime
• regulatory functions
• journalistic, literary or artistic works
• legal professional privilege
• national security
• health, education or social work
• effectiveness of armed forces
• confidential references
• management forecasts
• prejudice to negotiations
• research purposes
• examination marks and scripts
• corporate finance
• Crown appointments and honours
• personnel matters in relation to public sector employment (new s33A(2))
The s.10 DPA exemption
• This has been “re-imposed” for
  • automated, relevant filing system and accessible records
  • otherwise excluded by the basis of the processing
• s.10 applies where an individual has given notice that he objects to the processing of personal data about him on the grounds that the processing would cause substantial damage or distress to him or another and that damage or distress would be unwarranted
• Exemption applies where the disclosure would “contravene” s.10

Notice to the individual
• Collection notices, s.10 notifications and the draft Code of Practice on handling requests combine to reinforce the importance of giving notice, so that ideally every individual should have notice of possible FOIA disclosures and the authority’s approach to those disclosures, and have been enabled to express a view or register a s.10 notice if appropriate; BUT
• Much information will be historic;
• It may not be possible to give notice and take account of the responses.

Exemption from collection notices - disproportionate effort
• The collection/fair processing notice requirements do not apply where
  • the provision of the information would involve disproportionate effort; and
  • the conditions set out in Regulations made by the Secretary of State are met
  • the data controller has a prior request for the information by the individual in relation to the processing in question.
• A record must be kept by the person making the disclosure of the reason for claiming disproportionate effort.

Does data subject consent permit disclosures?
• Enforced subject access was the practice of making individuals carry out subject access requests, now outlawed under DPA 98;
• Will this be replaced by enforced FOIA access?
• Consent legitimises disclosure of information, thus a disclosure can be made in compliance with the DP principles;
• Consent would negate any earlier s.10 objection;
• BUT consent cannot overcome either a subject access exemption or an FOIA exemption.

Applying the exemptions
• Is the information reasonably accessible by other means?
• Do any of the absolute FOIA exemptions apply?
• Would the information be given in response to a subject access request by the individual?
• Do any of the remaining non-absolute FOIA exemptions apply?
• Have you got consent to disclose?
• For data falling in the DPA 98 s.1(a)-(d) classes, is there a s.10 notice in force?
• For all information, can it be disclosed without breaching the principles?

Suggested approach to personal data
• Try to know what personal data you have (this is also important for the individual access provisions);
• Try to separate information at the point of collection, where possible, into non-exempt from third party access and other;
• Introduce collection notices for all personal information;
• Give notice of proposed disclosures where it is possible, and certainly where there is any doubt;
• Remember the duty to confirm or deny will still apply.
New category of data
• Definition of personal data in s.1(1) DPA 98 is extended (by changes to the definition of “data” – s.68 FOIA) to cover “all recorded information”.
• New distinction between “structured” and “unstructured” information for the purpose of subject access – s.9A DPA (added by s.69 FOIA).
• Structured information will be accessible on a subject access request for the £10.00 fee.
• Unstructured information will fall within the equivalent of the FOIA charging regime and be subject to a requirement that the data subject describes the information sought.

Structured and unstructured information
• Unstructured personal data means any recorded information held by a public authority other than information which is recorded as part of, or with the intention that it should form part of, any set of information relating to individuals to the extent that the set is structured by reference to individuals or by reference to criteria relating to individuals.

Subject access
• The usual rules on subject access apply to an access request for such data:
  • request must be in writing supported by a fee of £10.00
  • the data controller must be satisfied of the identity of the applicant for the data
  • the request must be dealt with in 40 days
  • there is no duty to give reasons for a refusal to provide subject access where the controller relies on an exemption
  • the information must be provided as a copy and any unintelligible codes explained
  • the usual rules for third party data apply

Subject access exemptions
• The existing subject access exemptions under the DPA 98 apply to all the data.
• A new exemption applies only to information falling into the new categories of structured and unstructured records.
• This covers data which relates to appointments or removals, pay, discipline, superannuation or other personnel matters in relation to service in the armed forces, office or employment under the Crown, or where the power to take action, or determine or approve action, is vested in any public authority.

Access & limited associated rights
• In addition to access to the new categories of data the following will apply:
  • data subject rights to rectification, blocking, erasure or destruction of the data where it is inaccurate, together with the powers of the court to order enquiries and tracing of data
  • powers of the Information Commissioner to enforce for inaccuracy
  • rights to compensation for damage caused by inaccuracy of the data
• No other provisions of the DPA 98 apply to this data.

Practical considerations
• There is no mechanism in FOIA for FOI requests to be treated as subject access requests (SARs);
• If a request is made as a FOIA request the authority will have to refuse it under FOIA and offer to treat it as a SAR under the DPA;
• The obligation to give advice and assistance to those making access requests applies to requests under both Acts;
• The FOIA exemptions do not apply to SARs.

Other points
• A new offence is created - s.77 FOIA:
  • where a request for information has been made to a public authority; and
  • the applicant would have been entitled to access to the data under the DPA or FOIA;
  • any person who alters, defaces, blocks, erases, destroys or conceals the record with intent to prevent disclosure commits an offence;
  • applies to a public authority, employee, officer or person acting on their direction.