
Data Protection and Freedom of Information Legislation
Explore the key points of the Freedom of Information Act 2000 and data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Learn about the rights and responsibilities regarding data protection and freedom of information, as well as the regulatory framework overseen by the Information Commissioner's Office (ICO). Discover the considerations for releasing data under DP and FOI laws, and the importance of complying with data protection principles when handling personal data.
Objectives
- Describe the main points of the Freedom of Information Act 2000 and data protection legislation
- Illustrate some of the key things you need to know about Data Protection (DP) and Freedom of Information (FOI)

The Legislation and the Regulator
- General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) concern information about living individuals
- Freedom of Information Act 2000 came into force in January 2005 and provides a right of access to information held by public bodies
- The Information Commissioner's Office (ICO) regulates the operation of GDPR/DPA & FOIA/EIR (as well as related legislation like the Privacy and Electronic Communications Regulations)

DP or FOI? To release or not to release?
- A student requests his examination results
- A student requests Queen Mary's internal guidelines for dealing with appeals
- A local authority wishes to verify a student's details for Council Tax assessment
- A parent wants to know if their son or daughter is attending classes
These areas will be reconsidered in terms of whether or not to release the data or information and which law applies

Data Protection
- All Data Controllers must pay an annual fee to ICO, maintain a Record of Processing Activities and comply with the data protection principles
- Data Subjects are the individuals about whom the data is held
- Data processing covers all operations on personal data: collection, recording, holding, maintenance, disclosure, altering, destruction, etc.
- Personal data is information about any living individual who can be identified from that information
- Special Category personal data relates to information about an individual's health, ethnicity, sexual life, religious beliefs, political opinions, TU membership, genetics/biometrics

Six Data Protection Principles which should be complied with
Personal data shall be:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. adequate, relevant and limited to what is necessary in relation to the purpose(s) for which they are processed
4. accurate and, where necessary, kept up to date
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

DP rights and transfers
- Data subjects' rights
  - To access
  - To rectification
  - To erasure ("be forgotten")
  - To data portability
  - To restriction of processing
  - To object to marketing, profiling, research, automated decision-making
  - To lodge a complaint with ICO
- International transfers
  - To third countries or international organisations only under certain conditions

Data processing - good practice
The following checklist is taken from the Information Commissioner's Office website: www.ico.org.uk
- Do I really need this information about an individual?
- Do I know what I'm going to use it for?
- Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
- If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?

Data processing - good practice (continuation)
- Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?

Freedom of Information Act
- Places a duty on public authorities (that includes QMUL) to ensure access is available to official information
- Regardless of age, format or origin of the info.
- Each public authority must publish a Publication Scheme which is approved by the ICO
- QMUL's scheme is found on its website at https://www.qmul.ac.uk/about/foi/

Dealing with Requests
- Requests under data protection legislation must be dealt with in one calendar month (except for examination results)
- An FOI request must be dealt with in 20 working days. If the request is excessive and costly it can be denied on these grounds
- Both types of request may come to any part of Queen Mary and need to be logged with the Information Governance Team
- If you are unsure, check with the IG Team

Some FOI Exemptions
- FOI exemptions are either absolute or qualified. Qualified exemptions are subject to the public interest test. Absolute exemptions do not require this
- Personal information, where the release of information would lead to the identification of an individual and that would breach one of the data protection principles, is an absolute exemption
- Where information is commercial the information might be covered by a qualified exemption as its release could be damaging to QMUL or other party
- Vexatious and repeated requests or requests that have been declined recently for good reason can be exempt

Some DPA Exemptions
- Schedule 2 of DPA exemptions: data may be provided without the consent of the Data Subject to authorities for the purposes of the prevention and detection of crime and benefits/tax fraud etc.
- All such requests must be specific, state for what the data will be used and be checked with the QMUL Data Protection Officer
- Research exemptions: there are exemptions in both GDPR and DPA relating to research/academic expression (see Research specific presentation)
- Examination results: there is a longer time frame so students cannot access results earlier

Research
- Personal data may be used for purposes beyond the originally stated purpose
- Can be retained indefinitely
- Exempt from SARs as long as published research does not identify individuals
- FOI: Commercial interests, personal data, research exemption or subject to future publication

Examinations
- Comments on scripts (and marks) but not scripts themselves can be accessed under GDPR
- Exam Board minutes (about that individual only) can be accessed under GDPR and generic parts of the minutes under FOIA
- Achievement/progression data can be accessed under GDPR
- OK to put lists of those who have passed on the noticeboard by ID number and only if you have told students that this is how their results are published
- You should not pass on an individual student's results to a third party
- External examiners' reports: in most circumstances these would be accessible under FOI despite the argument they are confidential and it is important to ensure that External Examiners are able to write frank and helpful comments in the public interest!

Dos and Don'ts
- DO respond quickly - the clock is ticking
- DO remember that we have a duty to provide advice and assistance
- DON'T withhold information without a clear justification under one of the exemptions
- DON'T wilfully destroy or alter any original documents - criminal offence

To release or not release
- A student requests his examination results
- A student requests QMUL's internal guidelines for dealing with appeals
- A local authority wishes to verify a student's details for Council Tax
- A parent wants to know if their son or daughter is attending classes

Other Sources of Guidance
- Data Protection Policy
- Guidelines on dealing with SARs and other scenarios e.g. photos, marketing, third parties
- FOI pages on QM website
- ICO website has lots of specific guidelines
- See https://www.qmul.ac.uk/governance-and-legal-services/governance/information-governance/

Contact
Information Governance Team
E-mail: data-protection@qmul.ac.uk and foi-enquiries@qmul.ac.uk