The Data Protection Act 1998, Freedom of Information Act 2000, Regulation of Investigatory Powers Act 2000
Tony Brett
Head of IT Support Staff Services
Computing Services
University of Oxford
England
tony.brett@oucs.ox.ac.uk
Disclaimer
I am not a lawyer!
Views I give do not constitute formal legal advice
Views expressed are my own and not necessarily those of the University of Oxford
The University of Oxford
Oldest University in the English-speaking world
9 centuries of history
39 self-governing Colleges
Student population over 18,000 with more than 130 nationalities represented
10,500 Staff (3,500 in colleges)
Part of the Russell Group (like the Ivy League)
Steeped in tradition and quirk!
Federal University!
Colleges are separate legal entities
Separate Governance and Finance
Serious implications for both DPA and FOI
Colleges and University have a symbiotic relationship
Colleges admit undergraduates
University admits graduates
But they need a college!
Colleges provide 1-1 or 1-2 tutorials
University provides lectures, practicals etc.
University awards degrees
Me!
In Oxford since 1989
Chemistry Degree and then IT!
Institute of Molecular Medicine
Corpus Christi College
Computing Services
Serve on Oxford City Council as licensing chair and local councillor
Particular interest in data privacy since time at Corpus Christi as Data Protection officer
Overview – 1
General overview of the DPA 1998
Definitions
Changes since 1984 Act
Sensitive Personal Data & Consent
The eight principles
Transitional Relief
Implications for Colleges and Departments
Things to keep in mind
Freedom of Information Act 2000 (FOI)
Who it affects
Public Rights: open records
Publication Schemes
Exemptions
Key Points
Overview – 2
Regulation of Investigatory Powers (RIPA)
Interception of Communications in the UK
Human Rights Act 1998
Definitions
Implications
My view
Resources
Questions
What is the Data Protection Act?
Intended to balance interests of data subjects with data controllers
Freedom to process data vs. privacy of individuals
1984 Act was repealed by the 1998 Act
24 October 1998
1 March 2000
Definitions
Personal Data
Expression of opinion, or fact, E-mail address, photos, video footage etc. etc.
Some types are sensitive (a special new category).
Processing
Reviewing, holding, sorting, deleting
Data Controller
all of us! Users of data
Relevant Filing System
Readily accessible information about living individuals
Information Commissioner
New name for Data Protection Registrar
Changes Since the 1984 Act
Much broader than the old Act
More rights for data subjects
Covers relevant manual filing systems
No more 'practical obscurity'
New category of data – sensitive data.
Transitional relief – 23 October 2001, for existing automated data and 23 October 2007 for manual records
Processing must have been in effect before 24 October 1998
Rules about export of data to non-EEA countries
Some effects on Colleges and Departments
Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc
Not people 'acting in a capacity'
Anyone can be a data controller
Dead people have no rights
Overseas transfers of data – notably to U.S.
Requirement to ensure data is secure, accurate, sufficient but not excessive
Can’t hold data longer than is reasonable
Principles of the Act – 1
Non-sensitive personal data must be processed fairly and lawfully and shall not be processed unless one of the below is met (schedule 2).
Consent – the most important
Contract
Legal obligation
Vital interests of subject (life or death!)
Public functions
Balance of interest
Sensitive personal data – 1
Racial or ethnic origin
Political opinions
Religious/similar beliefs (note food!)
Trade Union membership
Health
Sexual life
Offences, Cautions, Convictions
Sensitive personal data – 2
May only be held if one of the below is met:
Explicit and informed consent
Employment Law
Vital Interests of Subject
Legal Proceedings
Medical Purposes (by medical professionals)
Equal opportunities monitoring
Consent
'Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed.'
Can’t use implied consent – must get forms back
Can’t use blanket consent as condition of entry
Fair processing
Must not intentionally or otherwise deceive or mislead subject as to purpose of data use/collection
Must identify to subject data controller/nominated representative
Must identify to subject purpose of processing data
Exceptions are disproportionate effort (direct marketing not allowed) or legal obligation
Principles of the Act – 2
Data must be obtained only for one or more specified lawful purposes
Must not use data for a new incompatible purpose without subject’s consent
Have a data protection statement explaining what data will be held and why and get consent from new students/staff as they arrive
Old members data is a grey area for Colleges
Principles of the Act – 3 & 4
Personal data must be adequate, relevant and not excessive
Must not stock up on data without a reason that can be justified – consent!
Personal data shall be accurate and up-to-date
This is an ongoing requirement and means data needs to be kept under constant review.
Principles of the Act – 5
Personal data may not be kept for any longer than is necessary for its stated purpose(s)
This potentially creates a problem with old staff/members data. Development offices beware!
Get consent from all new staff/members to keep their data after they have left, as this is a different purpose to keeping it while they are here
Principles of the Act – 6
Personal data must be processed in accordance with the rights of data subjects
This means that you cannot do things that violate the rights given to data subjects under the new Act, especially denying access to data
Rights of data subjects
Must be informed if personal data is being processed and given a description of the personal data and for what purpose it is being held
May prevent processing for purposes of direct marketing
Right to see algorithms used in automated decision making (credit scoring etc.)
Compensation, rectification, blocking, destruction
Access rights – 1
Right to have communicated to him/her in an intelligible form the information constituting the data
No right to rifle through filing systems, computers etc
Right to be informed of logic involved in automated processing
Request must be in writing, fee up to £10 may be charged and identity may be thoroughly checked
Access rights – 2
Data may be withheld if disclosure would disclose data about a third party unless:
Third party has consented to disclosure
It is reasonable to comply without the third party’s consent
Duty of confidentiality, steps taken to seek consent, express refusal of third party
Witnesses, confidential reports, access to references
Access rights – 3
Don’t have to disclose references you have written but must disclose those you have received unless the writer explicitly asked them to be kept confidential
40 days to comply (or state reason for refusal to comply) with requests
Don’t need to comply with repeat requests until a reasonable amount of time has elapsed
Don’t need to comply if disproportionate effort would be involved
Subject must provide reasonable data you request to assist in finding the data
Enforced access
It is an offence to force subjects to exercise their access rights to data held by others
Includes data about cautions, criminal convictions and certain social security records
Right to prevent processing
Unwarranted substantial damage or distress to subject
21 days to comply with request
Exemption if processing is necessary for performance of contract with subject or there is a legal obligation, or the vital interests of the subject are at stake
Exemptions to access rights
Prevention and detection of crime
Apprehension or prosecution of offenders
Collection of tax or other duty
Research, history, statistics.
Exam marks – 40 days after date of announcement or 5 months of access request.
Confidential references.
Principles of the Act – 7
Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.
First is related to IT support staff (backups, password security etc.) but everyone can help
Second is about being careful with keys, having access controls, CCTV monitoring etc.
Beware social engineering!
Principles of the Act – 8
Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it
US does not by default
Putting things on a web site is tantamount to export of data
Transfer is OK if a contract is in place with the overseas party or the subject has consented
Data Protection Commissioner has standard contracts available
Safe Harbor certification enables US business to comply with the DPA
Safe Harbor approved by EU in July 2000
Notification
Colleges are legally separate entities to the University so have to notify their use to the Commissioner separately; Departments are not
This is like the old registration process under the old Act.
University counts as a third party in the case of Colleges.
Penalties for failure to comply/notify are huge
Commissioner has draconian powers (search & seize)
The Freedom of Information Act 2000
The FOI Act 2000 gives individuals the right to access information about certain public bodies (including HE institutions) by two routes:
Publication Scheme
General Right of Access
There are exemptions
Public bodies listed in the act
General group e.g. 'HEFCE funded HE Institution'
Specific body e.g. 'The BBC' or 'The National Portrait Gallery'
FOI basically extends subject access rights given in the DPA 1998
Colleges are separate legal entities so need their own Publication Scheme and procedures
FOI – Public Rights
To be told whether the information exists – known as the duty to confirm or deny
To receive the information (and, where possible, in the manner requested)
To receive reasons for a decision to withhold information
All requests must be in 'permanent form'
E-mail, Letter, Fax
Reply must be sent within 20 working days
Use vacation auto-reply for contact person if they are away
FOI – Publication Scheme
Guide to the information which you have decided to make public
Chance to be proactive so people don’t have to make requests
Guide to types of information available NOT a list of all of it!
Scheme has to be approved by Information Commissioner
Model schemes available on Information Commissioner’s web site
JISC has model schemes available too
Put it on your College website! Some already have
FOI – Exemptions
Many exemptions, some absolute, some qualified e.g.
Commercial Interest
Communicating with the Queen
Law enforcement
Legal Professional Privilege
Parliamentary Privilege
Need to Apply Tests before using Qualified Exemptions
Prejudice & Adverse Effect
Public Interest (not same as of Interest to the Public)
FOI does not override DPA but DPA is not an excuse not to comply with FOI requests
Interaction is complex!
FOI – Vexatious or Repeated
Vexatious means:
clearly does not have any serious purpose or value
is designed to cause disruption or annoyance
has the effect of harassing the public authority
can otherwise fairly be characterized as obsessive or manifestly unreasonable
Repeated means:
More often than a 'reasonable interval'
Needs defining
Requests asking if previously requested information has changed are OK
Reply can say when info is next to be updated and a request before then would be 'repeated'
FOI - Key points to note
Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act
Requests must be in writing (including e-mail, fax etc)
Requests must be dealt with within 20 working days
No obligation to provide information which is already in the public domain/accessible by other means (e.g. via the publication scheme or in a book the organisation may hold)
No obligation to create information that the Organisation does not already hold (e.g. statistical summaries)
Organisation may charge a fee for the provision of information.
Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs. Currently £50 maximum.
How to Deal with Enquiries
[Flowchart: the text of each box is listed below in extraction order; the YES/NO labels on the connecting arrows are not recoverable.]
Start Here
Send the applicant a data protection subject access request form, to be returned to the University’s Data Protection Officer
Is the enquirer requesting information about him/herself?
Is the request in writing (including e-mail, fax)?
Send request to the Data Protection Officer at the University Offices
Ask the applicant to put the request into writing, and send to the Data Protection Officer at the University Offices
Is the information requested available via the Publication Scheme (check at: http://www.admin.ox.ac.uk/foi/contents.shtml) or via any other means?
Does the request relate to a living individual(s)?
Tell the applicant where he/she will be able to find the information
Does the information requested relate solely to your department or unit?
Provide the information
Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? *
Is the request in writing (including e-mail, fax)?
Ask the applicant to use the FOI request form (at http://www.admin.ox.ac.uk/foi/
Contact data.protection@admin.ox.ac.uk for advice
* Check that the information does not contain any reference to individuals, other than that which is already publicly available
FOI & DPA - Key Points
Don’t panic!
Need to be seen to be aware of both FOI and DPA and working within them but the Information Commissioner will always try to help before getting heavy
Have a publication scheme and publish it!
Little case law – many grey areas, but we don’t want to be the test case!
Don’t write down anything you wouldn’t say to someone’s face
Avoid holding sensitive personal data if you can
Colleges need to act additionally to Central University
Regulation of Investigatory Powers
Exists to ensure that surveillance activities are in line with the Human Rights Act 1998
Includes:
monitoring, observing or listening to persons, their movements, conversations, activities or communications
recording anything monitored, observed or listened to in the course of surveillance
surveillance by or with the assistance of a surveillance device
RIPA
Updates UK law on the interception of communications in line with technological change including huge Internet growth
Puts other intrusive investigative techniques on a statutory footing
Provides new powers to help combat the threat posed by rising criminal use of strong encryption
Ensures that there is independent judicial oversight of the powers in the Act
RIPA - Definitions
Directed Surveillance
Covert but not intrusive
Intrusive Surveillance
Using a person or a device (bug) at a premises or in a private vehicle
Generally unlawful to use intrusive surveillance without a warrant
RIPA covers all forms of communication and their interception
RIPA - Implications
Interception warrants
Government can make your ISP snoop on you and can insist it does not tell you
Mass surveillance is possible if the Secretary of State deems it necessary
ISPs can be forced to install interception technology on their systems
Government has the power to demand encryption keys
This compromises all encrypted data you might hold or have sent/received
RIPA – My view
At face value the Act appears to improve personal privacy
BUT the large number of situations in which interception IS allowed actually make it a reduction of privacy
Much controversy in the UK
But good has been done – the Police used evidence gathered under RIPA powers to convict Ian Huntley (Soham murders)
Resources
http://www.ox.ac.uk/
http://www.ox.ac.uk/oucs/
http://users.ox.ac.uk/~tony/dpa-foi-ripa.ppt
http://www.admin.ox.ac.uk/foi/
http://www.russellgroup.ac.uk
http://www.opsi.gov.uk/acts/acts2000/20000023.htm
http://www.opsi.gov.uk/acts/acts2000/20000036.htm
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
http://www.ico.gov.uk/
http://www.export.gov/safeHarbor/
tony.brett@oucs.ox.ac.uk
Thanks to University of Oxford Central Administration for permission to use diagram about answering queries