The Data Protection Act 1998, Freedom of Information Act 2000, Regulation of Investigatory Powers Act 2000 - PowerPoint PPT Presentation

Tony Brett, Head of IT Support Staff Services
Slides: 46

Transcript and Presenter's Notes


1
The Data Protection Act 1998
Freedom of Information Act 2000
Regulation of Investigatory Powers Act 2000
  • Tony Brett
  • Head of IT Support Staff Services
  • Computing Services
  • University of Oxford
  • England
  • tony.brett@oucs.ox.ac.uk

2
Disclaimer
  • I am not a lawyer!
  • Views I give do not constitute formal legal
    advice
  • Views expressed are my own and not necessarily
    those of the University of Oxford

3
The University of Oxford
  • Oldest University in the English-speaking world
  • 9 centuries of history
  • 39 self-governing Colleges
  • Student population over 18,000 with more than 130
    nationalities represented
  • 10,500 Staff (3,500 in colleges)
  • Part of the Russell Group (like the Ivy League)
  • Steeped in tradition and quirk!

4
The University of Oxford
5
Federal University!
  • Colleges are separate legal entities
  • Separate Governance and Finance
  • Serious implications for both DPA and FOI
  • Colleges and University have a symbiotic
    relationship
  • Colleges admit undergraduates
  • University admits graduates
  • But they need a college!
  • Colleges provide 1-1 or 1-2 tutorials
  • University provides lectures, practicals etc.
  • University awards degrees

6
Me!
  • In Oxford since 1989
  • Chemistry Degree and then IT!
  • Institute of Molecular Medicine
  • Corpus Christi College
  • Computing Services
  • Serve on Oxford City Council as licensing chair
    and local councillor
  • Particular interest in data privacy since time at
    Corpus Christi as Data Protection officer

7
Overview 1
  • General overview of the DPA 1998
  • Definitions
  • Changes since 1984 Act
  • Sensitive Personal Data & Consent
  • The eight principles
  • Transitional Relief
  • Implications for Colleges and Departments
  • Things to keep in mind
  • Freedom of Information Act 2000 (FOI)
  • Who it affects
  • Public Rights & open records
  • Publication Schemes
  • Exemptions
  • Key Points

8
Overview 2
  • Regulation of Investigatory Powers (RIPA)
  • Interception of Communications in the UK
  • Human Rights Act 1998
  • Definitions
  • Implications
  • My view
  • Resources
  • Questions

9
What is the Data Protection Act?
  • Intended to balance interests of data subjects
    with data controllers
  • Freedom to process data vs. privacy of
    individuals
  • 1984 Act was repealed by the 1998 Act
  • 24 October 1998
  • 1 March 2000

10
Definitions
  • Personal Data
  • Expression of opinion, or fact, E-mail address,
    photos, video footage etc. etc.
  • Some types are sensitive (a special new
    category).
  • Processing
  • Reviewing, holding, sorting, deleting
  • Data Controller
  • all of us! Users of data
  • Relevant Filing System
  • Readily accessible information about living
    individuals
  • Information Commissioner
  • New name for Data Protection Registrar

11
Changes Since the 1984 Act
  • Much broader than the old Act
  • More rights for data subjects
  • Covers relevant manual filing systems
  • No more practical obscurity
  • New category of data: sensitive data.
  • Transitional relief 23 October 2001, for
    existing automated data and 23 October 2007 for
    manual records
  • Processing must have been in effect before 24
    October 1998
  • Rules about export of data to non-EEA countries

12
Some effects on Colleges and Departments
  • Data subjects are students, staff, alumni,
    suppliers (sole traders or partnerships),
    tenants, legal advisers, fellows etc
  • Not people acting in a capacity
  • Anyone can be a data controller
  • Dead people have no rights
  • Overseas transfers of data notably to U.S.
  • Requirement to ensure data is secure, accurate,
    sufficient but not excessive
  • Can't hold data longer than is reasonable

13
Principles of the Act 1
  • Non-sensitive personal data must be processed
    fairly and lawfully and shall not be processed
    unless one of the below is met (schedule 2).
  • Consent (the most important)
  • Contract
  • Legal obligation
  • Vital interests of subject (life or death!)
  • Public functions
  • Balance of interest

14
Sensitive personal data 1
  • Racial or ethnic origin
  • Political opinions
  • Religious/similar beliefs (note food!)
  • Trade Union membership
  • Health
  • Sexual life
  • Offences, Cautions, Convictions

15
Sensitive personal data 2
  • May only be held if one of the below is met
  • Explicit and informed consent
  • Employment Law
  • Vital Interests of Subject
  • Legal Proceedings
  • Medical Purposes (by medical professionals)
  • Equal opportunities monitoring

16
Consent
  • Freely given specific and informed indication of
    wishes by which the data subject signifies
    agreement to personal data relating to him/her
    being processed.
  • Can't use implied consent: must get forms back
  • Can't use blanket consent as condition of entry

17
Fair processing
  • Must not intentionally or otherwise deceive or
    mislead subject as to purpose of data
    use/collection
  • Must identify to subject data controller/nominated
    representative
  • Must identify to subject purpose of processing
    data
  • Exceptions are disproportionate effort (direct
    marketing not allowed) or legal obligation

18
Principles of the Act 2
  • Data must be obtained only for one or more
    specified lawful purposes
  • Must not use data for a new incompatible purpose
    without the subject's consent
  • Have a data protection statement explaining what
    data will be held and why and get consent from
    new students/staff as they arrive
  • Old members' data is a grey area for Colleges

19
Principles of the Act 3 & 4
  • Personal data must be adequate, relevant and not
    excessive
  • Must not stock up on data without a reason that
    can be justified: consent!
  • Personal data shall be accurate and up-to-date
  • This is an ongoing requirement and means data
    needs to be kept under constant review.

20
Principles of the Act 5
  • Personal data may not be kept for any longer than
    is necessary for its stated purpose(s)
  • This potentially creates a problem with old
    staff/members data. Development offices beware!
  • Consent from all new staff/members to keep their
    data after they have left as this is a different
    purpose to keeping it while they are here

21
Principles of the Act 6
  • Personal data must be processed in accordance
    with the rights of data subjects
  • This means that you cannot do things that violate
    the rights given to data subjects under the new
    Act, especially denying access to data

22
Rights of data subjects
  • Must be informed if personal data is being
    processed and given a description of the personal
    data and for what purpose it is being held
  • May prevent processing for purposes of direct
    marketing
  • Right to see algorithms used in automated
    decision making (credit scoring etc.)
  • Compensation, rectification, blocking, destruction

23
Access rights 1
  • Right to have communicated to him/her in an
    intelligible form the information constituting
    the data
  • No right to rifle through filing systems,
    computers etc
  • Right to be informed of logic involved in
    automated processing
  • Request must be in writing, fee up to £10 may be
    charged and identity may be thoroughly checked

24
Access rights 2
  • Data may be withheld if disclosure would disclose
    data about a third party unless
  • Third party has consented to disclosure
  • It is reasonable to comply without the third
    party's consent
  • Duty of confidentiality, steps taken to seek
    consent, express refusal of third party
  • Witnesses, confidential reports, access to
    references

25
Access rights 3
  • Don't have to disclose references you have
    written but must disclose those you have received
    unless the writer explicitly asked for them to be
    kept confidential
  • 40 days to comply (or state reason for refusal to
    comply) with requests
  • Don't need to comply with repeat requests until a
    reasonable amount of time has elapsed
  • Don't need to comply if disproportionate effort
    would be involved
  • Subject must provide reasonable data you request
    to assist in finding the data

26
Enforced access
  • It is an offence to force subjects to exercise
    their access rights to data held by others
  • Includes data about cautions, criminal
    convictions and certain social security records

27
Right to prevent processing
  • Unwarranted substantial damage or distress to
    subject
  • 21 days to comply with request
  • Exemption if processing is necessary for
    performance of contract with subject or there is
    a legal obligation, or the vital interests of the
    subject are at stake

28
Exemptions to access rights
  • Prevention and detection of crime
  • Apprehension or prosecution of offenders
  • Collection of tax or other duty
  • Research, history, statistics.
  • Exam marks: 40 days after date of announcement
    or 5 months from access request.
  • Confidential references.

29
Principles of the Act 7
  • Technical or organisational measures must be
    taken to prevent unauthorised or unlawful
    processing of data and accidental loss, damage or
    destruction of data.
  • First is related to IT support staff (backups,
    password security etc.) but everyone can help
  • Second is about being careful with keys, having
    access controls, CCTV monitoring etc.
  • Beware social engineering!

30
Principles of the Act 8
  • Personal data may not be transferred overseas
    unless the receiving country has an adequate
    level of protection for it
  • US does not by default
  • Putting things on a web site is tantamount to
    export of data
  • Transfer is OK if contract is in place with the
    abroad party or the subject has consented
  • Data Protection Commissioner has standard
    contracts available
  • Safe Harbor certification enables US business to
    comply with the DPA
  • Safe Harbor approved by EU in July 2000

31
Notification
  • Colleges are legally separate entities to the
    University so have to notify use to Commissioner
    separately; Departments are not
  • This is like the old registration process under
    the old act.
  • University counts as a third party in the case of
    Colleges.
  • Penalties for failure to comply/notify are huge
  • Commissioner has draconian powers (search & seize)

32
The Freedom of Information Act 2000
  • The FOI Act 2000 gives individuals the right to
    access information about certain public bodies
    (including HE institutions) by two routes
  • Publication Scheme
  • General Right of Access
  • There are exemptions
  • Public bodies listed in the act
  • General group e.g. HEFCE funded HE Institution
  • Specific body e.g. The BBC or The National
    Portrait Gallery
  • FOI basically extends subject access rights given
    in the DPA 1998
  • Colleges are separate legal entities so need
    their own Publication Scheme and procedures

33
FOI Public Rights
  • To be told whether the information exists (known
    as the duty to confirm or deny)
  • To receive the information (and, where possible,
    in the manner requested)
  • To receive reasons for a decision to withhold
    information
  • All requests must be in permanent form
  • E-mail, Letter, Fax
  • Reply must be sent within 20 working days
  • Use vacation auto-reply for contact person if
    they are away

34
FOI Publication Scheme
  • Guide to the information which you have decided
    to make public
  • Chance to be proactive so people don't have to
    make requests
  • Guide to types of information available NOT a
    list of all of it!
  • Scheme has to be approved by Information
    Commissioner
  • Model schemes available on Information
    Commissioner's web site
  • JISC has model schemes available too
  • Put it on your College website! Some already have

35
FOI Exemptions
  • Many exemptions, some absolute, some qualified
    e.g.
  • Commercial Interest
  • Communicating with the Queen
  • Law enforcement
  • Legal Professional Privilege
  • Parliamentary Privilege
  • Need to Apply Tests before using Qualified
    Exemptions
  • Prejudice / Adverse Effect
  • Public Interest (not the same as "of interest to
    the public")
  • FOI does not override DPA but DPA is not an
    excuse not to comply with FOI requests
  • Interaction is complex!

36
FOI Vexatious or Repeated
  • Vexatious means
  • clearly does not have any serious purpose or
    value
  • is designed to cause disruption or annoyance
  • has the effect of harassing the public authority
  • can otherwise fairly be characterized as
    obsessive or manifestly unreasonable
  • Repeated means
  • More often than a reasonable interval
  • Needs defining
  • Requests asking if previously requested
    information has changed are OK
  • Reply can say when info is next to be updated and
    a request before then would be repeated

37
FOI - Key points to note
  • Requests can be received by anyone within the
    organisation and do not need to refer to the
    Freedom of Information Act
  • Requests must be in writing (including e-mail,
    fax etc)
  • Requests must be dealt with within 20 working days
  • No obligation to provide information which is
    already in the public domain/accessible by other
    means (e.g. via the publication scheme or in a
    book the organisation may hold)
  • No obligation to create information that the
    Organisation does not already hold (e.g.
    statistical summaries)
  • Organisation may charge a fee for the provision
    of information.
  • Charges must be calculated in accordance with the
    fees regulations prescribed by the Department for
    Constitutional Affairs. Currently £50 maximum.

38
How to Deal with Enquiries
(Flowchart; the diagram itself is not reproduced in the
transcript. The decision questions and outcomes it
contained are listed below.)
Start Here
Decision questions:
  • Does the request relate to a living individual(s)?
  • Is the enquirer requesting information about
    him/herself?
  • Is the information requested available via the
    Publication Scheme (check at
    http://www.admin.ox.ac.uk/foi/contents.shtml) or
    via any other means?
  • Is the information of a type or category for
    which you have been asked in the past and have
    given without hesitation (or would have given if
    you had been asked)?
  • Does the information requested relate solely to
    your department or unit?
  • Is the request in writing (including e-mail, fax)?
Outcomes:
  • Send the applicant a data protection subject
    access request form, to be returned to the
    University's Data Protection Officer
  • Tell the applicant where he/she will be able to
    find the information
  • Send request to the Data Protection Officer at
    the University Offices
  • Ask the applicant to put the request into
    writing, and send to the Data Protection Officer
    at the University Offices
  • Ask the applicant to use the FOI request form (at
    http://www.admin.ox.ac.uk/foi/)
  • Provide the information
  • Check that the information does not contain any
    reference to individuals, other than that which
    is already publicly available
  • Contact data.protection@admin.ox.ac.uk for advice
39
FOI & DPA - Key Points
  • Don't panic!
  • Need to be seen to be aware of both FOI and DPA
    and working within them, but the Information
    Commissioner will always try to help before
    getting heavy
  • Have a publication scheme and publish it!
  • Little case law, many grey areas, but we don't
    want to be the test case!
  • Don't write down anything you wouldn't say to
    someone's face
  • Avoid holding sensitive personal data if you can
  • Colleges need to act additionally to Central
    University

40
Regulation of Investigatory Powers
  • Exists to ensure that surveillance activities are
    in line with the Human Rights Act 1998
  • Includes
  • monitoring, observing or listening to persons,
    their movements, conversations, activities or
    communications
  • recording anything monitored, observed or
    listened to in the course of surveillance
  • surveillance by or with the assistance of a
    surveillance device

41
RIPA
  • Updates UK law on the interception of
    communications in line with technological change
    including huge Internet growth
  • Puts other intrusive investigative techniques on
    a statutory footing
  • Provides new powers to help combat the threat
    posed by rising criminal use of strong encryption
  • Ensures that there is independent judicial
    oversight of the powers in the Act

42
RIPA - Definitions
  • Directed Surveillance
  • Covert but not intrusive
  • Intrusive Surveillance
  • Using a person or a device (bug) at a premises or
    in a private vehicle
  • Generally unlawful to use intrusive surveillance
    without a warrant
  • RIPA covers all forms of communication and their
    interception

43
RIPA - Implications
  • Interception warrants
  • Government can make your ISP snoop on you and can
    insist it does not tell you
  • Mass surveillance is possible if the Secretary of
    State deems it necessary
  • ISPs can be forced to install interception
    technology on their systems
  • Government has the power to demand encryption
    keys
  • This compromises all encrypted data you might
    hold or have sent/received

44
RIPA - My view
  • At face value the Act appears to improve personal
    privacy
  • BUT the large number of situations in which
    interception IS allowed actually make it a
    reduction of privacy
  • Much controversy in the UK
  • But good has been done: the Police used evidence
    gathered under RIPA powers to convict Ian Huntley
    (Soham murders)

45
Resources
  • http://www.ox.ac.uk/
  • http://www.ox.ac.uk/oucs/
  • http://users.ox.ac.uk/tony/dpa-foi-ripa.ppt
  • http://www.admin.ox.ac.uk/foi/
  • http://www.russellgroup.ac.uk
  • http://www.opsi.gov.uk/acts/acts2000/20000023.htm
  • http://www.opsi.gov.uk/acts/acts2000/20000036.htm
  • http://www.opsi.gov.uk/acts/acts1998/19980029.htm
  • http://www.ico.gov.uk/
  • http://www.export.gov/safeHarbor/
  • tony.brett@oucs.ox.ac.uk

Thanks to University of Oxford Central
Administration for permission to use diagram
about answering queries