SROC Conference

Data Sharing – The New Culture?

Elaine Fletcher, Senior Associate, Eversheds LLPApril 2008

The Legal Climate

• Data Protection Act 1998 (“DPA”)• Freedom of Information Act 2000 (“FOIA”)• The Law of Confidence• Legitimate Expectation • The “Ultra Vires” rule• Human Rights Act 1998• General law on age and capacity

The Challenges

• Balancing statutory duties against commercial demands

• Exposure to scrutiny following FOIA• Protecting College reputation• Maintaining customer confidence• Remaining competitive in the marketplace

Typical data sharing contexts

• Partnering arrangements– Employers or Sponsors of students– College partners eg feeder schools, sector bodies, prospective

employers of students• Student Administrative arrangements

– Fees and grants– Relevant educational and government authorities

• Student Welfare– Pastoral care and wellbeing (eg student support networks)– Parental relationships

• Protecting the College, staff and students– Suspected criminal acts by students– Requests for co-operation from law enforcement agencies

• Staff records

Data requests from Law enforcement Agencies

• Are you required to provide it?– Freedom of Information Act (NB personal data

exemption)– other laws (eg social security, anti-terrorism,

anti-money laundering)• If not:

– crime prevention/detection/prosecution (beware of fishing expeditions)

– Necessary for legal proceedings

DPA – key considerations when data sharing

• Is it personal data?– Increased significance since FOIA.– ICO guidance.

• Is it fair, lawful and proportionate to the particular data sharing objective?– What “data processing” ground applies?– Is there any sensitive data?– Should consent be obtained?– Other relevant laws?

• Is it in line with data subject’s expectations?– Fair processing notice/data consents at point of data capture– Exemptions– Square pegs into round hols

DPA – key considerations when data sharing

• Data quality– What consequences if inaccurate or

inadequate data is shared?– Impose standards on those shared with– Compatible format?– Proper matches– Correcting inaccuracies

• Transferring the data– Is method of transit secure?

DPA – The ICO’s stance

• Approach to data sharing:– Shift in attitude– Less emphasis on narrow interpretation of

administrative law– Concentrate on unfairness/unwarranted detriment– Detriment is material loss, damage, distress,

embarrassment– Recognise where benefits eg to stop benefit fraud– Framework Code of Practice for sharing personal

information

DPA – The ICO’s stance

• ICO Privacy Impact Assessment Toolkit– Step 1 – criteria for full scale PIA– Step 2 – criteria for small scale PIA– Step 3 – criteria for privacy law compliance

checks– Step 4 – criteria for DPA compliance checks

Interaction between DPA & FOI

• Is it personal data?• Assess extent to which data accessible under

FOIA• College publication scheme• What other exemptions might apply if requested

under FOIA?

Questions?

© EVERSHEDS LLP 2008. Eversheds LLP is a limited liability partnership.