sroc conference data sharing – the new culture? elaine fletcher, senior associate, eversheds llp...
TRANSCRIPT
SROC Conference
Data Sharing – The New Culture?
Elaine Fletcher, Senior Associate, Eversheds LLPApril 2008
The Legal Climate
• Data Protection Act 1998 (“DPA”)• Freedom of Information Act 2000 (“FOIA”)• The Law of Confidence• Legitimate Expectation • The “Ultra Vires” rule• Human Rights Act 1998• General law on age and capacity
The Challenges
• Balancing statutory duties against commercial demands
• Exposure to scrutiny following FOIA• Protecting College reputation• Maintaining customer confidence• Remaining competitive in the marketplace
Typical data sharing contexts
• Partnering arrangements– Employers or Sponsors of students– College partners eg feeder schools, sector bodies, prospective
employers of students• Student Administrative arrangements
– Fees and grants– Relevant educational and government authorities
• Student Welfare– Pastoral care and wellbeing (eg student support networks)– Parental relationships
• Protecting the College, staff and students– Suspected criminal acts by students– Requests for co-operation from law enforcement agencies
• Staff records
Data requests from Law enforcement Agencies
• Are you required to provide it?– Freedom of Information Act (NB personal data
exemption)– other laws (eg social security, anti-terrorism,
anti-money laundering)• If not:
– crime prevention/detection/prosecution (beware of fishing expeditions)
– Necessary for legal proceedings
DPA – key considerations when data sharing
• Is it personal data?– Increased significance since FOIA.– ICO guidance.
• Is it fair, lawful and proportionate to the particular data sharing objective?– What “data processing” ground applies?– Is there any sensitive data?– Should consent be obtained?– Other relevant laws?
• Is it in line with data subject’s expectations?– Fair processing notice/data consents at point of data capture– Exemptions– Square pegs into round hols
DPA – key considerations when data sharing
• Data quality– What consequences if inaccurate or
inadequate data is shared?– Impose standards on those shared with– Compatible format?– Proper matches– Correcting inaccuracies
• Transferring the data– Is method of transit secure?
DPA – The ICO’s stance
• Approach to data sharing:– Shift in attitude– Less emphasis on narrow interpretation of
administrative law– Concentrate on unfairness/unwarranted detriment– Detriment is material loss, damage, distress,
embarrassment– Recognise where benefits eg to stop benefit fraud– Framework Code of Practice for sharing personal
information
DPA – The ICO’s stance
• ICO Privacy Impact Assessment Toolkit– Step 1 – criteria for full scale PIA– Step 2 – criteria for small scale PIA– Step 3 – criteria for privacy law compliance
checks– Step 4 – criteria for DPA compliance checks
Interaction between DPA & FOI
• Is it personal data?• Assess extent to which data accessible under
FOIA• College publication scheme• What other exemptions might apply if requested
under FOIA?
Questions?
© EVERSHEDS LLP 2008. Eversheds LLP is a limited liability partnership.