Data Protection Act 1998 DPA Freedom of Information Act FOI - PowerPoint PPT Presentation

Slides: 26
Provided by: balfourm

Transcript and Presenter's Notes



1
Data Protection Act 1998 (DPA) Freedom of
Information Act (FOI)
  • Robert Mackenzie

2
What is it all about
  • EU Data Protection Directive (95/46/EC)
  • 24 October 1998 new Data Protection Act
  • 1 March 2000 brought into force
  • Freedom of Information Act 2002
  • 1 January 2005 brought into force

3
Data Protection Acts
  • Within the European Community the protection of
    personal data is governed by Directive 95/46/EC
    of the European Parliament and of the Council of
    24th October 1995
  • The same eight basic data protection principles
    apply to all member countries

4
The Eight Principles
  • Data must be
  • fairly and lawfully processed
  • processed for limited purposes
  • adequate, relevant and not excessive
  • accurate
  • not kept longer than necessary
  • processed in accordance with the data subject's
    rights
  • secure
  • not transferred to countries without adequate
    protection.

5
Personal Data
  • "Personal data means data which relate to a
    living individual who can be identified-
  • from those data, or
  • from those data and other information which is in
    the possession of, or is likely to come into the
    possession of, the data controller,
  • and includes any expression of opinion about the
    individual and any indication of the intentions
    of the data controller or any other person in
    respect of the individual"

6
Data
  • "Data means information which-
  • (a) is being processed by means of equipment
    operating automatically in response to
    instructions given for that purpose,
  • (b) is recorded with the intention that it should
    be processed by means of such equipment,
  • (c) is recorded as part of a relevant filing
    system or with the intention that it should form
    part of a relevant filing system, or
  • (d) does not fall within paragraph (a), (b) or
    (c) but forms part of an accessible record as
    defined by section 68" (health record, education
    record, etc)

7
Processing
  • "Processing means obtaining, recording or holding
    the information or data or carrying out any
    operation or set of operations on the information
    or data, including-
  • (a) organisation, adaptation or alteration of the
    information or data,
  • (b) retrieval, consultation or use of the
    information or data,
  • (c) disclosure of the information or data by
    transmission, dissemination or otherwise making
    available, or
  • (d) alignment, combination, blocking, erasure or
    destruction of the information or data"

8
Sensitive Personal Data
  • "Personal data consisting of information as to-
  • the racial or ethnic origin of the data subject
  • his political opinions
  • his religious beliefs or other beliefs of a
    similar nature
  • whether he is a member of a trade union (within
    the meaning of the Trade Union and Labour
    Relations (Consolidation) Act 1992)

9
Sensitive Personal Data
  • his physical or mental health or condition
  • his sexual life
  • the commission or alleged commission by him of
    any offence or
  • any proceedings for any offence committed or
    alleged to have been committed by him, the
    disposal of such proceedings or the sentence of
    any court in such proceedings."

10
Area of concern ?
  • Do you know what data you actually have?
  • Where is it held?
  • How is it held?
  • Who does what with it?

11
Area of concern ?
  • Procedures and forms for obtaining consent.
  • Different issues for
  • Face to face
  • Correspondence forms
  • Electronic - e-mail and web

12
Area of concern ?
  • No consistent comprehensive procedures for the
    handling of potential information requests.
  • Staff in general are not aware of their rights
    and responsibilities under the act.

13
Area of concern ?
  • Lack of consistent and comprehensive central
    control or guidance to staff.
  • Personal information obtained in circumstances
    where there is an absence of fair processing
    information.
  • The following screenshots illustrate an example of
    a very effective tool for addressing this issue.

14
(No Transcript)
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
Area of concern ?
  • Allocation of responsibility for the definition
    of policies and guidance.
  • Responsibility for ensuring the consistent and
    comprehensive application of those policies and
    procedures across the organisation.

19
Manual records
  • relevant filing system
  • accessible record
  • Health record
  • Accessible public record
  • Manual only
  • no notification, but must comply
  • Manual and automated
  • must notify, but
  • no need to detail manual processing

20
Area of concern ?
  • Do you know what manual records you have?
  • Where they are?
  • What is in them?
  • Are they or should they be archived?

21
Security
  • Appropriate measures
  • Written contracts
  • BS7799

22
Area of concern ?
  • Information Commissioner has advised that
    sizeable organisations will be expected to seek
    certification against BS7799, the British
    Standard for information security management.
  • Most other organisations will need to comply with
    the standard even if they do not intend to seek
    certification.

23
Area of concern ?
  • As more data becomes stored electronically and
    the use of IT to both capture and distribute or
    process data grows, the need for a robust and
    reliable IT infrastructure will become critical.
  • You will require assurance that your systems are
    capable of ensuring the confidentiality,
    integrity and availability of your information.

24
Open Forum
  • For the implications of the DPA and FOIA to be
    dealt with successfully it is essential that
    relevant staff receive appropriate guidance and
    training.
  • Over to you...

25
Thank you for your attention
  • For further information on any of the issues
    raised in this workshop
  • please feel free to contact
  • Robert Mackenzie
  • Scott-Moncrieff Business Technology Group
  • 0131 473 3500
  • robert.mackenzie_at_scott-moncrieff.com