dpa foi


Published on June 16, 2007

Author: Goldye

Source: authorstream.com


The Data Protection Act 1998 and the Freedom of Information Act 2000
Tony Brett, IT Support Staff Services, OUCS

Overview
- General overview of the DPA 1998: definitions; changes since the 1984 Act; sensitive personal data and consent; the eight principles; transitional relief; implications for Colleges and Departments; things to keep in mind.
- Freedom of Information Act 2000: who it affects; public rights; publication schemes; exemptions; key points.
- Resources.

What is the Data Protection Act?
- Intended to balance the interests of data subjects with those of data controllers: freedom to process data vs. privacy of individuals.
- The 1984 Act was repealed by the 1998 Act.
- Key dates: 24 October 1998 (the cut-off for transitional relief, see below) and 1 March 2000 (the 1998 Act came into force).

Definitions
- Personal data: an expression of opinion or of fact about a living individual; e-mail addresses, photos, video footage etc. Some types are "sensitive" (a new special category).
- Processing: reviewing, holding, sorting, deleting.
- Data controller: all of us! (users of data)
- Relevant filing system: readily accessible information about living individuals.
- Information Commissioner: the new name for the Data Protection Registrar.

Changes since the 1984 Act
- Much broader than the old Act.
- More rights for data subjects.
- Covers relevant manual filing systems.
- New category of data: sensitive data.
- Transitional relief until 23 October 2001 for existing automated data and until 23 October 2007 for manual records; the processing must have been under way before 24 October 1998.
- Rules about export of data to non-EEA countries.

Some effects on Colleges and Departments
- Data subjects are students, staff, alumni, suppliers (sole traders or partnerships), tenants, legal advisers, fellows etc. Not people "acting in a capacity".
- Anyone can be a data controller.
- Dead people have no rights (the Act covers living individuals only).
- Overseas transfers of data, notably to the U.S.
- Requirement to ensure data is secure, accurate, sufficient but not excessive.
- Can't hold data for longer than is reasonable.

Principles of the Act: 1
Personal data must be processed fairly and lawfully, and shall not be processed unless at least one of the following conditions (Schedule 2) is met; sensitive personal data additionally needs one of the conditions on the "Sensitive personal data" slide below:
- Consent (the most important)
- Contract
- Legal obligation
- Vital interests of the subject (life or death!)
- Public functions
- Balance of interests

Sensitive personal data
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs (note food!)
- Trade union membership
- Health
- Sexual life
- Offences

Sensitive personal data may only be held if one of the following is met:
- Explicit and informed consent
- Employment law
- Vital interests of the subject
- Legal proceedings
- Medical purposes (by medical professionals)
- Equal opportunities monitoring

Consent
- "Freely given specific and informed indication of wishes by which the data subject signifies agreement to personal data relating to him/her being processed."
- Can't rely on implied consent: you must get the forms back.
- Can't use blanket consent as a condition of entry.

Fair processing
- Must not, intentionally or otherwise, deceive or mislead the subject as to the purpose of data use or collection.
- Must identify the data controller (or nominated representative) to the subject.
- Must identify the purpose of processing to the subject.
- Exceptions: disproportionate effort (not available for direct marketing) or legal obligation.

Principles of the Act: 2
- Data must be obtained only for one or more specified lawful purposes.
- Must not use data for a new, incompatible purpose without the subject's consent.
- Have a data protection statement explaining what data will be held and why, and get consent from new students and staff as they arrive.
- Old members' data is a grey area for Colleges.

Principles of the Act: 3 & 4
- Personal data must be adequate, relevant and not excessive. Must not stock up on data without a reason that can be justified (consent!).
- Personal data shall be accurate and up to date. This is an ongoing requirement: data needs to be kept under constant review.

Principles of the Act: 5
- Personal data may not be kept for longer than is necessary for its stated purpose(s).
- This potentially creates a problem with old staff and members' data. Development offices beware!
- Get consent from all new staff and members to keep their data after they have left, as this is a different purpose from keeping it while they are here.

Principles of the Act: 6
- Personal data must be processed in accordance with the rights of data subjects.
- You cannot do things that violate the rights given to data subjects under the new Act, especially denying access to data.

Rights of data subjects
- To be informed whether personal data are being processed, to be given a description of the personal data, and to be told for what purpose they are held.
- To prevent processing for the purposes of direct marketing.
- To be told the logic used in automated decision making (credit scoring etc.).
- Compensation, rectification, blocking, destruction.

Access rights
- Right to have communicated to him/her, in an intelligible form, the information constituting the data.
- No right to rifle through filing systems, computers etc.
- Right to be informed of the logic involved in automated processing.
- The request must be in writing; a fee of up to £10 may be charged and identity may be thoroughly checked.

Access rights: 2
Data may be withheld if disclosure would disclose data about a third party, unless:
- the third party has consented to disclosure, or
- it is reasonable to comply without the third party's consent (consider any duty of confidentiality, the steps taken to seek consent, and any express refusal by the third party).
Typical third-party cases: witnesses, confidential reports, access to references.

Access rights: 3
- You don't have to disclose references you have written, but must disclose those you have received unless the writer explicitly asked that they be kept confidential.
- 40 days to comply with a request (or to state the reason for refusing).
- No need to comply with repeat requests until a reasonable amount of time has elapsed.
- No need to comply if disproportionate effort would be involved.
- The subject must provide reasonable information you request to assist in finding the data.

Enforced access
- It is an offence to force subjects to exercise their access rights to data held by others.
- Includes data about cautions, criminal convictions and certain social security records.

Right to prevent processing
- Applies where processing causes unwarranted substantial damage or distress to the subject.
- 21 days to comply with the request.
- Exemption if processing is necessary for performance of a contract with the subject, there is a legal obligation, or the vital interests of the subject are at stake.

Exemptions to access rights
- Prevention and detection of crime
- Apprehension or prosecution of offenders
- Collection of tax or other duty
- Research, history, statistics
- Exam marks: 40 days after the date of announcement, or 5 months from the access request, whichever is earlier
- Confidential references

Principles of the Act: 7
- Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data and accidental loss, damage or destruction of data.
- The first is largely for IT support staff (backups, password security etc.) but everyone can help; the second is about being careful with keys, having access controls, CCTV monitoring etc.
- Beware social engineering!

Principles of the Act: 8
- Personal data may not be transferred overseas unless the receiving country has an adequate level of protection for it. The US does not.
- Putting things on a web site is tantamount to export of data.
- Transfer is OK if a contract is in place with the party abroad or the subject has consented.
- The Data Protection Commissioner is preparing standard contracts.

Notification
- Colleges are legally separate entities from the University, so each has to notify its use to the Commissioner separately. Departments are not separate, so they do not.
- This is like the registration process under the old Act.
- The University counts as a third party in the case of Colleges.
- Penalties for failure to comply or notify are huge. The Commissioner has draconian powers (search & seize).

The Freedom of Information Act 2000
- The FOI Act 2000 gives individuals the right to access information held by certain public bodies (including HE institutions) by two routes: the Publication Scheme and the General Right of Access.
- There are exemptions.
- FOI basically extends the subject access rights given in the DPA 1998.
- Colleges are separate legal entities, so need their own Publication Scheme and procedures.

FOI: Public rights
- To be told whether the information exists (the duty to confirm or deny).
- To receive the information (and, where possible, in the manner requested).
- To receive reasons for a decision to withhold information.
- All requests must be in "permanent form": e-mail, letter, fax.
- The reply must be sent within 20 working days. Use a vacation auto-reply for the contact person if they are away.

FOI: Publication Scheme
- A guide to the information which you have decided to make public: a guide to the types of information available, NOT a list of all of it!
- A chance to be proactive so people don't have to make requests.
- The scheme has to be approved by the Information Commissioner.
- Model schemes are available on the Information Commissioner's web site; JISC has model schemes too.
- Put it on your College website! Some already have.

FOI: Exemptions
- Many exemptions, some absolute, some qualified, e.g. commercial interest, communicating with the Queen, law enforcement, legal professional privilege, parliamentary privilege.
- Tests need to be applied before using qualified exemptions: prejudice and adverse effect; public interest (not the same as "of interest to the public").
- FOI does not override the DPA, but the DPA is not an excuse not to comply with FOI requests. The interaction is complex!

FOI: Vexatious or repeated requests
Vexatious means a request that:
- clearly does not have any serious purpose or value;
- is designed to cause disruption or annoyance;
- has the effect of harassing the public authority; or
- can otherwise fairly be characterised as obsessive or manifestly unreasonable.
Repeated means more often than a "reasonable interval" (which needs defining).
- Requests asking whether previously requested information has changed are OK.
- The reply can say when the information is next to be updated; a request before then would be "repeated".

FOI: Key points to note
- Requests can be received by anyone within the organisation and do not need to refer to the Freedom of Information Act.
- Requests must be in writing (including e-mail, fax etc.).
- Requests must be dealt with within 20 working days.
- No obligation to provide information which is already in the public domain or accessible by other means (e.g. via the publication scheme or in a book the organisation may hold).
- No obligation to create information that the organisation does not already hold (e.g. statistical summaries).
- The organisation may charge a fee for the provision of information. Charges must be calculated in accordance with the fees regulations prescribed by the Department for Constitutional Affairs; currently £50 maximum.

How to deal with enquiries (flowchart)
Requests for information about the enquirer him/herself, or about other living individuals, are routed to the Data Protection Officer; other requests are handled under FOI. The decision points are:
- Is the enquirer requesting information about him/herself?
- Is the request in writing (including e-mail, fax)?
- Does the request relate to a living individual(s)?
- Is the information requested available via the Publication Scheme (check at: http://www.admin.ox.ac.uk/foi/contents.shtml) or via any other means?
- Does the information requested relate solely to your department or unit?
- Is the information of a type or category for which you have been asked in the past and have given without hesitation (or would have given if you had been asked)? *
The outcomes are:
- Send the applicant a data protection subject access request form, to be returned to the University's Data Protection Officer.
- Send the request to the Data Protection Officer at the University Offices.
- Ask the applicant to put the request into writing, and send it to the Data Protection Officer at the University Offices.
- Tell the applicant where he/she will be able to find the information.
- Provide the information.
- Ask the applicant to use the FOI request form (at http://www.admin.ox.ac.uk/foi/).
- Contact [email protected] for advice.
* Check that the information does not contain any reference to individuals, other than that which is already publicly available.

FOI & DPA: Key points
- Don't panic!
- You need to be seen to be aware of both FOI and DPA and working within them, but the Information Commissioner will always try to help before getting heavy.
- Have a publication scheme and publish it!
- Little or no case law yet, so there are many grey areas, but we don't want to be the test case!
- Don't write down anything you wouldn't say to someone's face.
- Avoid holding sensitive personal data if you can.
- Colleges need to act in addition to the central University.

Resources
- http://www.informationcommissioner.gov.uk/
- http://www.admin.ox.ac.uk/councilsec/oxonly/dp/
- http://www.admin.ox.ac.uk/foi/
- http://users.ox.ac.uk/~tony/dpa-foi.ppt
- http://www.jisc.ac.uk/index.cfm?name=pub_ibsm_foi
- [email protected]
- [email protected]
- Conference of Colleges Legal Panel

Thanks to Sarah Cowburn at Admin for assistance and permission to use material.
