This document summarizes a presentation on data protection duties under the Data Protection Act 1998 and the upcoming General Data Protection Regulation. It discusses subject access requests, including the time limits for responding, what information must be provided, and exemptions. It also covers Freedom of Information Act requests, exemptions, public interest tests, and time limits for responding. The presentation encourages schools to understand the data they hold, review policies and procedures, and prepare for individuals' new rights under the GDPR.
2. Understanding & discharging your data protection duties
15th March, Manchester
Patrick O’Connell, Solicitor
3. Information Law – How is it relevant to my school?
• Every piece of recorded information may be disclosable on request
• The fact that disclosure may be inconvenient or embarrassing is no
defence – generally information will be disclosable unless an
exemption applies
• Information legislation imposes requirements as to the use and
storage of information
• GDPR
4. FOIA/DPA – Overview?
• Both FOIA and DPA provide a legal right to information subject only to
limited exemptions
• DPA – individuals have rights to information about themselves from any
organisation and there are legal requirements as to how personal data
must be processed
• FOIA – relates to non-personal information from public bodies. Motive,
identity and what requester will use the information for is irrelevant
• Personal data is exempt from disclosure under FOIA
• Both regimes are regulated by the Information Commissioner
• Breach of FOIA – no significant penalty
• Breach of DPA – in serious cases significant financial penalties and possible
claims for damages
6. Subject Access Requests (SARs)
“Dear Headteacher
Please supply me with all the information held by the School on my son and daughter
which I am entitled to under the Data Protection Act 1998. This should include
assessments carried out, notes, emails, records of conversations, telephone notes
and office notes.
If you need any more information from me, or a fee, please let me know as soon as
possible.
Yours sincerely
Mum”
7. SARs – What do you do now?
• Panic
• Nothing. It’s not a valid request
• Put it away with a promise to deal with it later
• Start gathering the information to respond in the time limit
• Call Browne Jacobson LLP
8. SARs – Time Limit?
• 20 calendar days
• 20 working days
• 40 calendar days
• 45 working days
9. SARs Time Limit
• DPA says “promptly” and in any event before the end of 40
calendar days
• 40 days does not begin to run until you have received the fee in
cleared funds
10. SARs – What information do I provide?
• (Where a child is not ‘Gillick competent’) parent or guardian (with
parental responsibility) is entitled to:
- The information constituting the personal data of her son and
daughter, so the notes, emails, records of conversations and
office notes
- Information as to the source of the data
- How the information has been processed e.g. manual or
electronic
11. SARs – What about third party data?
• Where you cannot comply with a request for personal data without
disclosing information of others who can be identified from that
information, you are not obliged to comply with the request
unless:
- The third party has consented to the disclosure to the person
making the request
- It is reasonable in all the circumstances to comply with the
request without the consent of the third party
• Consider redacting the third party data. However, if the
remaining information means the third party will be disclosed
then the information should be withheld.
12. SARs – Second Request
“Dear Headteacher
I am investigating a crime involving Ros Foster/Megan Larrinaga, a student at
your school. To assist my investigation I am requesting under the Data Protection
Act 1998 all of Ros’/Megan’s records including her attendance records and any
safeguarding notes you have. Section 29 of the DPA allows you to provide me with
the information for the prevention or detection of crime. If you need any more
information please contact me.
Yours sincerely
PC Howard”
13. SAR 2 – What do you do now?
• Panic and hide it in a drawer
• Nothing. DPA doesn’t allow us to share information
• Provide the information as it’s the police and they say
Section 29 allows it
• Call Browne Jacobson LLP
14. SAR 2 – Dealing with the request
• Section 29 does provide an exemption and allows processing of
personal data for the prevention or detection of crime or the
apprehension or prosecution of offenders BUT
• Personal data can only be processed if one of the Conditions in
Schedule 2 to the 1998 Act is met and for sensitive personal data
one of the conditions in Schedule 3.
15. SARs – Schedule 2 Conditions
• Data subject has ‘consented’ to processing
• The processing is [absolutely] necessary:
– for performing a contract with the data subject
– for taking steps at the request of the data subject with a view to
entering into a contract
– complying with any legal obligation to which the data controller is
subject
– in order to protect the ‘vital interests’ of the data subject (e.g. a life
and death situation)
– for certain public functions (in the public interest)
– the processing is necessary for the purposes of ‘legitimate interests’
pursued by the data controller or by a third party to whom the data is
disclosed, but only where these interests outweigh data subject interests.
16. SARs Schedule 3 Conditions
The most relevant are the following:
• the explicit consent of the data subject is obtained
• Necessary for rights or obligations of employment
• [absolutely] necessary to protect the vital interests of data
subject or someone else
• for medical purposes
• in connection with legal proceedings or for the purposes of
establishing / defending legal rights
• for ethnic monitoring purposes.
17. SARs – Other exemptions which may be relevant
• National Security (s28 DPA)
• Crime prevention and taxation (s29 DPA)
• Orders made for Health, Education, Social Work (s30 DPA)
• Required by law or in legal proceedings (s35 DPA)
• Legal proceedings/establishing and defending legal rights (s35(2) DPA)
• Schedule 7 exemptions include - confidential references – corporate
finance - Legal Professional Privilege.
18. SAR – Top Tips
• Is the child old enough to make their own request? Do you need the child’s
consent before responding?
• Is a fee payable? If so, and it is not enclosed, request it promptly
• Diarise date for compliance
• Consider if the response includes information about other people
• Consider if any exemptions apply
• Respond
19. Looking ahead to the GDPR
• 25 May 2018
• Fundamental data protection principles revised but broadly
similar
• Personal data must be processed fairly, lawfully, as little as
possible, only for limited purpose
• Obligations as to data quality, security, integrity and
confidentiality
• New accountability principle
• Enhanced rights for data subjects - particularly children
20. Looking ahead to the GDPR
• Understand the data you use and where and to whom it
flows
• Consider legal basis on which you process data
• Check policies, contracts and notices
• Develop an accountability framework
• Determine if you need a DPO
• Plan for complying with individual rights
• Plan for breaches
21. Looking ahead to the GDPR
• Check the guidance available on the ICO website
• Check Browne Jacobson website and events
23. Real Requests?
• How much money has the Trust spent on pornography in the last
twelve months?
• What are the names of the three fish at HMP Leeds?
• How many drawing pins are in the building and what percentage
are currently stuck in a pin board?
• What preparations has the MOD made for an alien invasion?
• How much money has been paid to exorcists over the last twelve
months?
25. FOIA Request
“Dear Headteacher
I am making a request under the Freedom of Information Act for the following
information
(a) What is the annual spend on cleaning supplies such as toilet rolls in the past 12
months?
(b) What cleaning products does the School purchase and how often?
(c) Where do you purchase your cleaning products?
Yours sincerely
Mr Requester
6 Temple Court”
26. FOIA – Responding to the request
• Panic
• Nothing. It is not a valid request
• Put it in a drawer. You have more important things to do
• Start investigations in order to respond to the request
• Call Browne Jacobson LLP
27. FOIA – Time Limit?
• 40 calendar days
• 20 calendar days
• 40 working days
• 20 working days
28. FOIA – Time Limit (2)
• Need to consider 2 deadlines
• S10 FOIA says “promptly” and in any event within 20 working days
• Working days = school days, but teacher training days/INSET days are not
school days
• Long stop date of 60 days
• Must respond within the earlier of the two deadlines
• Especially important during school holidays
29. FOIA – Practical Considerations
• FOIA relates to information held at the date of the request
• No obligation to create information to respond to a request
• The right is to ‘information’ not specific documents (although caution is
required in relation to some information such as receipts)
• FOIA applies to information held by third parties on behalf of the School
such as contractors
• Remember FOIA is tantamount to disclosure to the whole world – care is
therefore required when disclosing information
30. FOIA - Exemptions
• There are two types of exemptions. Absolute and Qualified
• Most of the exemptions provided by FOIA are “qualified”, meaning
that even if the exemption is engaged, the information requested
should be disclosed unless the public interest in withholding the
information outweighs the public interest in disclosing it
• Absolute exemptions are just that and the public interest test does
not apply
• Often more than one exemption is engaged. Where this is the case,
where practicable, set them all out.
31. FOIA – Relevant Absolute Exemptions
• Section 21 - Information accessible by other means
• Section 40 – Personal Data
• Section 41 - Information provided in confidence
32. FOIA – Relevant Qualified Exemptions
• Section 22 – Information intended for future publication
• Section 30 - Investigations and proceedings conducted by public
authorities
• Section 31 - Law enforcement
• Section 36 – Information prejudicial to the effective conduct of
public affairs
• Section 42 - Legal professional privilege
• Section 43 - Commercial interests
33. Public Interest
• There is no definition of ‘public interest’ in FOIA
• Guidance from the IC says that it is something which serves the
public interest. It is not something which the public is interested
in
• A qualified exemption can only apply where the public interest in
maintaining an exemption outweighs the public interest in
disclosing it or confirming or denying it is held.
34. FOIA – Can I Charge?
• It is generally not possible to charge for responding to FOIA requests
• An exemption is available if the cost of dealing with the request, in terms
of identifying, locating and providing the information, would exceed the
prescribed amount – currently £450, calculated as 18 hours at £25 per
hour
• Cannot charge for considering whether an exemption applies or redacting
the information
• If the School estimates that this limit is likely to be exceeded, it may
decline to deal with the request
• Alternatively it can offer to provide the information but charge the
requestor for the costs incurred in doing so. If the requestor agrees to
meet those charges you must proceed.
35. Vexatious/Repeat Requests
• S14 FOIA allows authorities to decline to deal with requests on
grounds that they are vexatious or repeated
• The repeat exemption will apply where the authority has received
a previous request that is the same or substantially similar
• The vexatious exemption applies in respect of requests that are
vexatious and will require you to consider the identity and
motivation of the requestor.
36. FOIA – Top Tips
• Respond – even if only to say “we do not hold the information requested”
• Apply the public interest test where necessary and if withholding
information on this basis explain how the test has been applied
• Think about the wider implications of disclosing or withholding
information. Do you need to consult on disclosure?
• Don’t try to withhold information without clear justification
• Don’t destroy/alter any documents that are the subject of a request. This
is a criminal offence for the individual responsible.