Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team

Upload: dinah-isabella-porter

Post on 13-Jan-2016


TRANSCRIPT

Data Protection Act & Freedom of Information

Simon Mansell

Corporate Governance and Information Team


Outline of Session

• The Data Protection Act
• Personal Data and Processing
• Sensitive Data and Processing
• Dealing with Data
• Access to Information Legislation
• Requests for Information
• Information Commissioner's Office
• Questions


Data Protection Act 1998

• An Act to make provision for the regulation of the processing of information relating to individuals (personal data), including the obtaining, holding, use or disclosure of such information

• Can be used both to access your own data and to prevent access to personal information.


What is Personal Data?

• Data relating to a living individual who can be identified from the data or from the data and other information held by the Data Controller

• Data Protection Act applies to manual records as well as electronic records

• The person to whom the personal data relates is known as a Data Subject – regardless of age


How should I deal with data? The 8 Data Protection Principles

1. Data must be obtained fairly and lawfully
2. Data is held for a specific and lawful purpose
3. Data should be relevant, adequate and not excessive for the purpose
4. Data should be accurate and up to date
5. Data should not be kept for longer than necessary
6. Data should be processed in accordance with rights of the Data Subject
7. Adequate security measures must be in place
8. Data must not be transferred outside of the European Economic Area


Conditions for processing data

• One of the following must be met:
• Data subject has given consent
• Necessary for the performance of a contract with the Data Subject
• Necessary for complying with legal obligations
• Necessary to protect the vital interests of the data subject
• Necessary for the administration of justice or exercise of public duty
• Necessary for purpose of the legitimate interests of the data controller


Sensitive Personal Data

• Race, ethnicity
• Political opinions
• Religious beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Commission or alleged commission of offences
• Proceedings for any offence


Sensitive Personal Data cont…

• Necessary for the legitimate activities of membership organisation

• Information has been made public deliberately by the Data Subject

• Necessary for legal proceedings
• Administration of justice
• Medical purposes and is done by a Health Professional
• Ethnic & other monitoring
• By order of the Secretary of State


Conditions for Processing Sensitive Personal Data

• At least one of the previous processing conditions must be met, plus:

• Data subject has given explicit consent
• Necessary for the performance of obligations imposed by law
• Necessary to protect the vital interests of the data subject or another person where consent cannot be given or be reasonably expected to be given

• Cont…

Dealing with the public's data

• Don’t include documents containing personal data within your agenda;

• If you receive data from another public body and you are in doubt about what you can place in the public domain, ask the person who supplied the data;

• Don’t share data sent to you without the correct authorisation


When can a council provide personal information to Councillors?

• A council can provide access to personal information if needed to comply with official duties (i.e. investigating a complaint, as part of a committee)

• The information provided should only be used for the purpose it is provided

• The Councillor should make it clear that they are representing the data subject when requesting the information

• Written consent should be obtained from the Data Subject if the information is sensitive data

Access to Information Legislation

Freedom of Information Act 2000

• The Freedom of Information Act gives the public a general right of access to recorded information held by the Council including current and historical records.

• The legislation covers a wide range of public bodies, e.g. councils, magistrates, police, schools, health, fire, probation.

• FOI helps to promote openness and transparency within public bodies.   

Access to Information cont….

• Environmental Information Regulations (EIR) 2004

• Similar to FOI, but covers information that is 'Environmental'

• Environmental information is information that:
• Has an impact on environment (soil, land, air, water, flora and fauna).
• Has an impact on state of human health and safety.
• Relates to cost-benefit/programmes and legislation that affects the environment.


Requests regularly come from

• Members of the public
• Businesses
• Other authorities
• Journalists
• Pressure groups
• MPs
• Complainants
• Solicitors
• But anyone can make a request!

What is a valid request?

In writing - include a name, an address for correspondence and describe the information required.

It doesn't have to mention the legislation.

The requestor doesn't have to say why they want the information.

Requests may be made by letter, fax, email, electronic form (on the council's website) or via social media including Twitter and Facebook. A request may also be contained within wider correspondence such as a complaint letter or service request.

What is a valid request – cont…

• Any requests made for information that would be normally given out as standard such as library opening times, should be dealt with in the usual way as a service request.

• If the request asks for personal information about the requestor themselves, then this should be dealt with under Data Protection provisions as a Subject Access Request (SAR) rather than through the FOI process.

What information is covered?

Any recorded information we hold

Dealing with a request?

• If you receive a request you should forward it immediately to your clerk to log the request as the 20 working day time frame applies from the date of receipt into the Council.

• You may be asked if you hold data which comes under the scope of the request – if so it must be supplied.

Dealing with a request

• Some of the data may be exempt from disclosure, e.g. it may contain personal information - consider if exemptions should be applied

• If the data is not supplied, the requestor can ask for your decision to be reviewed

• Should the requestor still be dissatisfied they may complain to the ICO and ultimately the First Tier and the Upper Tier Tribunals.


When to disclose

• Some things are exempt for a certain period of time

• Can the information be legitimately exempted?

• Is disclosure in the public interest?
• Should the matter be discussed in closed session?
• If in doubt – seek advice


Information Commissioner’s Office

• The ICO has powers to serve enforcement notices and fines on the Council for failing to comply with FOI, EIR and DPA

• The ICO monitors for:
• Breaches of the DPA
• Repeated breaches of the FOI 20 working day time frame. The ICO expects that at least 85% of requests should be responded to on time.
• Evidence of long overdue responses
• Large number of complaints from requestors relating to their request or response

ANY QUESTIONS?


Further information

• ‘Advice for the Elected Member & Prospective Members of Local Authorities’ from ICO website

• ‘Advice to Local Authorities on Disclosing Personal Information to Elected Members’ from ICO website

• www.ico.org.uk
• Corporate Governance & Information Team – Cornwall Council – [email protected]