Page 1

DATA PROTECTION FREEDOM OF INFORMATION AND CONTRACTS training
for GOLDSMITHS COLLEGE
by Sue Cullen, Amberhawk Training Limited
July 2010
sue.cullen@amberhawk.com

Note: Amberhawk claims copyright in the contents of this slideshow

(Transcript posted online Mar 28, 2015)

Page 2

THREE ACCESS REGIMES

• Data Protection Act 1998
- Protection of personal information via the 8 DP Principles

• Environmental Information Regulations 2004
- Access to environmental information

• Freedom of Information Act 2000
- Access to all information held by a public authority

NB: Separate FOI Act for Scotland

Page 3

DATA PROTECTION ACT 1998: THE BASICS

Page 4

WHAT IS DATA PROTECTION?

• Data protection is about aspects of personal privacy

• It sets out rules for handling “people information”

• Universal – all organisations, and many individuals, use “personal data” (and have liability under the Data Protection Act)

• Current issues in data protection:
- I/D Cards legislation – erosion of personal privacy by the state
- Retention of DNA data by the police
- Security breaches by banks, hospitals, HMRC

Page 5

IMPACT OF DATA PROTECTION ON MY JOB

• Information about:
- me or my fellow employees
- students, consultants
- other people we do business with, e.g. suppliers

• Sending information by email; information on the website; security camera recordings

• Collection:
- Filling in forms
- Taking it down over the phone
- Getting it from other departments/schools/universities

• Sharing – with other departments, other organisations, under FOI, for official enquiries

Page 6

DEFINITION OF PERSONAL DATA

“Personal data” means: data which relate to a living individual who can be identified from those data, or from them together with other information you already have or are likely to obtain

- includes expressions of opinion and intentions towards the individual

Page 7

EXAMPLES OF PERSONAL DATA

sue.cullen@amberhawk.com

Sue Cullen, Director, Amberhawk Training Limited

“Sue is a workaholic with no personality”

“Sue carried out Sally’s appraisal”

“Sue was present at the 3rd Annual Subject Access Convention”

Page 8

WHO IS RESPONSIBLE?

“Data Controller” – the person or persons who determine the purposes of processing personal data
- e.g. anything done by an organisation for its business; full liability under DPA

“Data Processor” – a person who processes personal data on behalf of the data controller
- e.g. outsourcing – processors have no liability under DPA, but the controller is responsible for their mistakes

Page 9

DATA PROTECTION PRINCIPLES

The data controller has a statutory duty to ensure that personal data are:

1. Processed fairly and lawfully, plus Schedules 2 & 3
2. Processed only for specified and lawful purpose(s)
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Not kept longer than necessary
6. Respectful of data subjects’ rights
7. Kept secure by technical/organisational means
8. Transferred outside the EEA only if privacy is respected.

Page 10

DATA SUBJECT RIGHTS

• Individuals have the following rights under the DPA:

1. Subject access
2. Object to processing in certain circumstances
3. Object to direct marketing (promotion of aims & ideals is marketing)
4. Automated decisions
5. Ask court to order compensation for damage caused by controller’s breach of principles
6. Ask court to order correction of inaccurate data

• Controller liable under 6th Principle for 1-4 above

Page 11

DPA ISSUES AND RISKS

• Records management: security & staff training (7th Principle); subject access (6th Principle); data quality (Principles 1, 3, 4)

• HR information: most SARs are from current and former staff members, usually with a grievance – tests DPA compliance

• Fair processing notices: what do we tell people about the information we hold on them?

• Data sharing: who can we disclose to – police? parents? other universities? hospitals? social services?

Page 12

CCTV AND RELATED DP ISSUES

Page 13

COMPLYING WITH 1ST PRINCIPLE

• Personal data must be processed fairly:
- General obligation to be fair
- Specific obligation to ensure that the individual knows who is processing, why, and anything else necessary for fairness

• First Principle also requires lawfulness, e.g. must not:
- Breach confidence
- Breach copyright
- Be ultra vires (outside your powers)

Page 14

FAIR COLLECTION - INFORMING THE DATA SUBJECT

• Data protection notice must include:
- Identity of the data controller
- Purposes for which the data will be processed (especially any non-obvious purposes)
- Anything else necessary to make it fair

• Purposes should be as wide as possible: cover any projected new purpose, e.g. sharing for fraud initiatives, using CCTV for disciplinary matters

• This is NOT a PR exercise – beware “Your information is regulated under the DPA”; “Your privacy is very important to us”; “We will never …”

Page 15

WHAT TO INCLUDE IN YOUR NOTICE

Anything that the data subject ought to know about what will happen to his information in your hands, such as:

• What you use it for (purposes for processing)
• Any relevant rights, e.g. to opt out of marketing
• Who do you share it with, and why?
• How long you/they keep it
• What responses on forms are obligatory, and what information is not essential
• Will it be sent outside the UK?
• Any special security issues?
• Any sensitive data (e.g. health, religion, criminality)?

Page 16

JUSTIFYING PROCESSING UNDER 1ST PRINCIPLE

Schedule 2 conditions are:

1. Data subject consent
2. Necessary for contract with data subject
3. Legal obligation of data controller
4. Vital interests of data subject
5. Necessary for public functions
6. Necessary in legitimate interests of data controller, or 3rd party recipient, except where unwarranted prejudice is caused to the data subject

Page 17

WHAT IS CONSENT?

Consent is not defined but general requirements are:

• Must be fully informed
• Freely given
• Capable of being withdrawn

Has the data subject given some positive indication of his wishes? Is the data subject free to refuse?

NB: Consent does not work as a justification for processing HR data – deemed duress.

Page 18

CCTV QUESTIONS

• Can CCTV images be “personal data”?

• What conditions legitimise the processing (Sch. 2 & 3)?

• Must you identify the Data Controller and purposes of the processing (e.g. public safety, crime prevention)?

• When don’t you need signage?

• Could improper positioning of cameras be unfair to Data Subjects and result in the processing of excessive personal data?

• Can the Section 36 exemption be used by parents who record infant school nativity plays?

Page 19

CCTV QUESTIONS

• Can you disclose the images (e.g. to the police)?

• How long can you retain them?

• Does the right of access apply - what are the obvious problems? (e.g. other individuals on the CCTV footage)

• Can the Data Subject object to the processing?

• Security of images (e.g. who has access, training; criminal offences could apply if CCTV data misused)

• Can damage arise from a breach of a Principle?

• ICO CCTV Code of Practice (essential reading).

Page 20

FOIA EXEMPTIONS RELEVANT TO GOLDSMITHS

Page 21

FOI EXEMPTIONS RELEVANT TO GOLDSMITHS

• Exemption for personal data s.40

• Exemption for prejudice to commercial interest s.43

• Exemption for confidential information s.41

• No exemption for research (except for Scottish authorities) nor for copyright (except if it is environmental information)

Page 22

WHEN DOES FOI INVOLVE PERSONAL DATA?

• FOIA covers all information held by a public authority

• Includes information about staff, students, contacts from other universities, service users, business contacts, enquirers, complainers (patients, suspects, taxpayers etc., depending on who is the authority)

• Personal data may be included in publication schemes

• Personal data may be requested under s.1

Page 23

INTERFACE WITH FOIA

• FOIA s.40 gives an exemption for ‘personal data’

• Personal data of the requester are exempt because access under FOI cannot displace subject access under DPA rules

• Personal data of a third party are exempt to protect personal privacy – but this is governed by the DPA principles, which cannot be displaced by FOIA

• If it would breach any DPA principle to disclose third party personal data to all the world under FOIA, then the information is absolutely exempt – no Public Interest Test

Page 24

DISCLOSURE OF PERSONAL DATA UNDER FOIA

• All 8 principles apply, but usually tested under Principle 1 - fairness, lawfulness, compliance with Schedules 2 & 3

• Lawfulness usually means no breach of confidence

• Fairness is about what data subjects (staff? officials?) ought to expect

• Generally, information about staff in their official capacity can be in the public domain, e.g. payscales; expenses

• Personal information about their private life (e.g. health, home life) is likely to be exempt

• The more senior the individual, the more public exposure

• Detailed ICO guidance

Page 25

COMMERCIAL INTERESTS (s.43)

• Qualified exemption for disclosures which are:
- Trade secrets, or
- Disclosures which could prejudice the commercial interests of any person, including the authority holding the information

• Commercial interests:
- more than just financial – must involve trade or commerce
- exemption from duty to confirm or deny

• National Maritime Museum Tribunal decision

Page 26

COMMERCIAL INTERESTS: ISSUES

• Commercial interest of a public authority or a third party:
- Is there a commercial activity? Financial interests insufficient
- Is there prejudice?
- Where does the balance of the public interest lie?

• Tender and contractual processes:
- Include information with bid documentation
- Distinguish between current and new contracts
- Classification at the start of the contract
- Process agreed under the contract for classification during the life of the contract

Page 27

CONFIDENTIALITY (s.41)

• Absolute exemption for information provided in confidence, but information:
- must have been obtained from another person, and
- disclosure must give rise to an actionable breach of confidence

• No public interest test if information qualifies

• Internally generated information will not count

• Exemption can apply to duty to confirm or deny

Page 28

FREEDOM OF INFORMATION ACT 2000: THE BASICS

Page 29

THREE ACCESS REGIMES

• Data Protection Act 1998
- Protection of personal information via the 8 DP Principles

• Environmental Information Regulations 2004
- Access to environmental information

• Freedom of Information Act 2000
- Access to all information held by a public authority

NB: Separate FOI Act for Scotland

Page 30

WHAT DOES FOIA DO?

• Presumption of right of access to any information held by a public authority

• Anything not available is covered by an exemption

• Information is free up to a costs limit

• Codes of Practice
- On handling requests
- On records management

• An enforcement mechanism and an independent regulator

Page 31

HOW DOES FOIA WORK?

Two routes of access to information:

• Pro-active duty to publish information generally (publication scheme)
• Specific request for information – s.1 FOIA

Twofold duty under s.1:

• Duty to confirm or deny whether information is held
• Duty to communicate information

Page 32

PROCEDURES AND OTHER OBLIGATIONS

• Formal request-handling procedures and time limits, e.g.
- 20 working days for response
- Communicate information in requester’s preferred form

• S.45 Code of Practice on Handling Requests, e.g.
- Transferring requests
- Consultation with third parties
- Duty to help requesters and prospective requesters
- Formalities for refusals
- Obligation to deal with complaints

• S.46 Code of Practice on Records Management

Page 33

WHEN CAN WE REFUSE?

Exemptions in FOI include:

• Requests that are too costly
• Nuisance requests
• Information already accessible, e.g. public registers
• National security, investigations, law enforcement
• Personal privacy (via the DPA rules)
• Health & safety
• Confidential information
• Commercial interests

...and most are subject to a public interest test.

Page 34

FOI ISSUES FOR CONTRACTS AND TENDERING

Page 35

CONTRACTS AND FOI

• Disclosing information about your contractors in response to an FOI request

• What exemptions might be relevant?

• What should you agree to in your contract?

• ICO Guidance, and S.45 Code of Practice

• Managing the expectations of your contractors

Page 36

COMMERCIAL INTERESTS (s.43)

• Qualified exemption for disclosures which are:
- Trade secrets, or
- Disclosures which could prejudice the commercial interests of any person, including the authority holding the information

• Commercial interests:
- more than just financial – must involve trade or commerce
- exemption from duty to confirm or deny

• National Maritime Museum Tribunal decision

Page 37

COMMERCIAL INTERESTS: ISSUES

• Commercial interest of a public authority or a third party:
- Is there a commercial activity? Financial interests insufficient
- Is there prejudice?
- Where does the balance of the public interest lie?

• Tender and contractual processes:
- Include information with bid documentation
- Distinguish between current and new contracts
- Classification at the start of the contract
- Process agreed under the contract for classification during the life of the contract

Page 38

CONFIDENTIALITY (s.41)

• Absolute exemption for information provided in confidence, but information:
- must have been obtained from another person, and
- disclosure must give rise to an actionable breach of confidence

• No public interest test if information qualifies

• Internally generated information will not count

• Exemption can apply to duty to confirm or deny

Page 39

PROVIDING ADVICE AND ASSISTANCE

• Duty to provide advice and assistance to persons who propose to make requests, or who have made requests for information (s.16)

• Does not apply to publication schemes

• S.45 Code of Practice published by DCA/MOJ sets out what authorities must do to help

• Compliance with Code discharges s.16 duty

• EIRs have same requirement (Reg.9)

Page 40

SECTION 45 CODE

• Publish your procedures for dealing with requests for information

• Draw the Act to the attention of potential applicants

• Help potential applicants make requests in writing

• Help potential applicants frame their requests

• Consider what can be provided free of charge if applicant does not want to pay

• Consider what can be provided within the upper limit if request exceeds limit

Page 41

SECTION 45 CODE

• Advises on procedures for the transfer of requests from one public authority to another (but NB EIRs)

• Provides for consultation with persons affected by an FOI request

• Considers what confidentiality contract clauses should be used by public bodies

• Deals with complaints procedures

Page 42

INFORMATION HELD BY CONTRACTOR

• Requests made for information which is in the hands of your contractor

• Complying with procedures & time limits

• What about costs of contractor response, and the FOI costs exemption?

• What you should try to negotiate in your contract

NB: Remember that rules are different for EIRs

Page 43

COSTS UNDER FOIA

Three kinds of costs under FOIA:

1. Costs you can’t do anything about (e.g. costs of dealing with the applicant; considering an exemption)
2. Appropriate Limit costs (determining, locating etc.)
3. Communication costs (P&P)

In practice information is free and you hardly ever charge a fee or send a fees notice

Page 44

EXCEEDING APPROPRIATE LIMIT

• No obligation to comply if the authority estimates that cost would exceed the appropriate limit (s.12)

• No exemption from duty to confirm or deny unless this alone would exceed the appropriate limit.

• Reg.4: The only factors to be taken into account are:
- Determining whether information is held
- Locating it
- Retrieving it
- Extracting it

• NB: Does extracting include redacting exempt materials?

• Staff time is chargeable at £25 per hour

Page 45

COMMUNICATION COSTS

• If appropriate limit not exceeded, communication costs may be charged

• Reg.6: Limited to informing requestor whether information is held and communicating the information.

• Specifically include costs of:
- Complying with any preferred means of communication (s.11)
- Reproducing any document
- Postage and other transmission costs

• BUT staff time spent on any of the above may not be charged (NB: except in voluntary responses!)

Page 46

OUTSOURCING – SUPERVISING DATA PROCESSORS

Page 47

WHO IS A DATA PROCESSOR?

A data processor is an individual/organisation who processes data on behalf of the controller, for example:

• Outsourced payroll
• Offshore call-centre (increasingly common in India)
• Mailing house
• CCTV security firm
• Document destruction (e.g. a shredding company)

Page 48

DATA PROCESSOR CONTRACTS

• Data processors are not liable under the DPA

• A data controller must:
- Choose a processor with sufficient security guarantees
- Take reasonable steps to ensure that processors comply with these guarantees
- Impose a written contract under which the processor is obliged to act only on the instructions of the controller and covenants to observe and perform all the obligations of the Seventh Principle

• NB – link with Principle 8 for overseas transfers but separate requirements

Page 49

INFORMATION SECURITY - 7TH PRINCIPLE

• Take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

• Determine what is appropriate having regard to:
- the nature of the personal data to be protected
- the resulting harm which might arise from a breach
- state of the art & implementation cost
- the effectiveness of existing measures
- reliability of staff (e.g. appropriate training for all staff)

Page 50

In the news…

Page 51

RISK MANAGEMENT (1)

• Is there proof that all reasonable steps have been taken to comply with DPA’s security duties?

• Are security standards for industry or sector being met?

• Is there a security policy?

• Is there a business continuity plan to cover inability to process data in an emergency?

• Does management take security seriously?

• Are the service provider’s staff adequately trained in respect of data protection requirements? Have they been security vetted?

Page 52

RISK MANAGEMENT (2)

• What contractual security obligations have you imposed upon the service provider?

• Is there a duty upon the service provider to report data security breaches?

• What powers do you have to audit the service provider to ensure that they are complying with their data protection obligations?

• What are the known risks for the kind of processing undertaken?

• Are data transferred securely?

• Is encryption used when data are processed on mobile devices?

Page 53

OVERSEAS TRANSFERS

SOLUTIONS AND APPROACHES INCLUDING MODEL CLAUSES AND SAFE HARBOR

Page 54

LEGAL ISSUES

• Data Protection Act 1998, Principle 8

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

• Don’t forget the other data protection principles

Page 55

EUROPEAN ECONOMIC AREA

[Map slide; labels shown: Liechtenstein, Canada, Guernsey, Argentina, Isle of Man, Norway, Iceland]

Page 56

OPTIONS FOR COMPLIANCE - THE 8TH PRINCIPLE

1. Findings of Adequacy by the EU (or Safe Harbor for USA)
2. Assessment of Adequacy as set out in the 8th Principle
3. Seek an exemption from the adequacy obligation
- Consent of data subject
- Necessary for performance of contract
- Substantial public interest, vital interests, legal proceedings
- Model contracts
- Binding corporate rules

Page 57

THE END

DATA PROTECTION FREEDOM OF INFORMATION AND CONTRACTS
training for GOLDSMITHS COLLEGE

Copyright Amberhawk Training Limited July 2010
www.amberhawk.com