Information Compliance: FoI, Data Protection and libraries
Terry O’Brien, tpobrien@wit.ie
Information Compliance Officer
Waterford Institute of Technology
E/IIIUG June 2009
Institute of Technology Blanchardstown
  • Freedom of information
  • Data Protection
Context of information compliance
  • What is information compliance – primarily compliance with legal obligations and responsibilities under FoI and DP
  • Responsibilities in maintaining the confidentiality, integrity and availability of information (City University London)
  • Privacy, ethics, copyright, ownership, censorship, connectivity, intellectual property, re-use of public sector information, harvesting, data mining, blogging, IM, social networks, email policy, internet usage, surveillance, PII (Personally Identifiable Information), liability, obligations, legal requirements, plagiarism, information ethics
Freedom of information
  • Sweden 1766, Finland 1951
  • Irish background – Government reform, Ethics in Public Office Act 1995, Public Service Management Act 1997, Strategic Management Initiative – delivery of better government
  • Counterpoint to Official Secrets Act 1963 – government openness, accountability, public participation in government
  • Beef Tribunal – disconnect between government and public access to information
  • 1966 US FOI Act – context of failure of govt to account to Congress re: Vietnam War
Freedom of Information 101
  • Legislation – FoI Act 1997, FoI (Amendment) Act 2003
  • Regulations (Statutory Instruments) 1998-2006
  • Dept. of Finance CPU Guidelines
  • Establishment of OIC
  • Principles – openness, transparency, accountability
  • FoI Act imposes duty to assist requestor
  • Role of FoI officer – honest broker, facilitator, encouraged to answer requests outside of FoI
FoI – what is a record
  • A record is defined as including any memorandum, book, plan, map, drawing, diagram, pictorial or graphic work or other documents, any photograph, film or recording, or any form in which data are held
  • This includes paper or electronic diaries, e-mails (not stored on a back-up system), draft records, electronic records, x-rays, even post-it notes etc.
Freedom of Information
  • FoI gives power a face, i.e. about who makes the decisions and why – accountability
  • Power without a face as represented by Kafka in ‘The Trial’
Freedom of information - current
  • Current FOI requests in 2008 up to 12,672 (+18%), Depts. of Taoiseach, Finance, Enterprise
  • HSE receives most requests
  • Journalists represent 15% of all requests (+100%) e.g. FAS expense accounts
  • Increase a by-product of downturn, “holding institutions to account”
  • State bodies outside scope – VECs, CAO, State Examinations Commission, An Garda, FSRAI, NTMA, Pensions Reserve Commission
FoI - statistics
  • Requests to Public Bodies under FOI Act 1999-2008
Freedom of information
  • 140,000 requests since introduced 70% + granted
  • 85,000 personal information 304 appealed to OIC
  • 73% members of public or representative bodies, 15% journalists, 6% business, staff of public bodies 5%, others, members of Oireachtas 1%
  • Release patterns: civil service lagging behind – 36%, 54% local authorities, HSE 70%, 3rd level 48% but trend very much downward
Freedom of information
  • “Every person has a right to and must be offered access to any record held by a public body. The right has been broadly interpreted and the exceptions have been narrowly interpreted”
  • Reasons or motivation for seeking access are irrelevant
  • Not limited to ‘interested’ parties (except in cases of personal information, but there are exemptions)
FoI – key elements
  • S28.5(a) Public interest test (harm test): “on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld”
  • “Public interest” is a vague concept - does not mean interesting to the public!
  • S18 – right for reasons for decisions – if affected, material interest
FoI - types of requests
  • Sample requests – tenders, financial information, travel claims / requests for access to personal records (interview feedback), shortlisting criteria, model answers, and scripts, medical records, reasons for decisions made etc.
  • FoI exposed – 700m Bertie Bowl, Industrial schools, TD and Cllr expenses, Public funds – tendering, public procurement, interview notes and marks, references (potentially), inspection of nursing homes, crèches, schools inspection reports
FoI exemptions
  • Section 10 – Records do not exist
  • Section 11 – Deferral of access to records
  • Section 12 – Manner of access to records
  • Section 19 – Meetings of government
  • Section 20 – Deliberations of public bodies
  • Section 21 – Functions and negotiations of public bodies
  • Section 24 – Security, defence, IR
  • Section 26 – Information obtained in confidence
  • Section 27 – Commercially sensitive
  • Section 28 – Personal information
  • Section 29 – 3rd party consultation
  • Section 32 – Non-disclosure
FoI – ‘letting in the light?’
  • FOI – a brief review
  • FoI amendments seen as a retrograde step, 2003 – “put genie back in the bottle”, rushed through, OIC resigns, no consultation
  • Charging schedule seen in negative terms (up front fees etc.), Cabinet records – 10 years
  • Many bodies still remain outside FoI
  • Sign of a mature liberal democracy
FoI - summary
  • Rationale in 70 countries essentially the same – empowerment of the public
  • FoI role in “changing social contract between public service and the public”
  • Ongoing tensions between governments and FoI in Ireland and internationally
  • Reflects a rights-based approach – right to know what is being done by government in people’s name
  • “governmental hygiene measure” – keep government honest, discourage corruption (FoI, The First Decade, OIC 2008)
FoI - International
  • ALA annual event 16/3 James Madison
  • US FOI 1966 (74, 76, 78) – federal agencies access to all federal records 9 specific exemptions
  • “with a deep sense of pride that the United States is an open society in which the people’s right to know is cherished and guarded” (LBJ, 1966)
  • UK / Scotland – separate legislation. Scottish is seen as more progressive – more positive approach to access for children and those with disability - “a person who requests information .. is entitled to receive it”, “as much about culture as it is about legislation” (2004)
  • “we have clearly got the balance wrong when online business have higher standards of transparency than the public services” (Gordon Brown)
FoI - the future
  • “economic downturn will increase dependence of public on the state and government agencies” – state will be collecting, processing, maintaining more information about individuals (OIC Annual Report 2008)
  • Comply with legal obligations in face of fewer resources, yet increased demand
FoI – some references
  • Role of FoI office www.foi.gov.ie/
  • Office of Information Commissioner OIC www.oic.ie
  • Central Policy Unit Section 23 notice
  • Re-use of public sector information http://www.psi.gov.ie/
  • FoI Annual Report 2008
  • OIC decisions http://www.psi.gov.ie/
  • Bodies covered by FoI http://www.foi.gov.ie/bodies-covered-by-foi
  • DCU FAQs http://www.dcu.ie/foi/faq.shtml#6
Barack Obama on 1st day in office
  “A democracy requires accountability, and accountability requires transparency. As Justice Louis Brandeis wrote, "sunlight is said to be the best of disinfectants." In our democracy, the Freedom of Information Act (FOIA), which encourages accountability through transparency, is the most prominent expression of a profound national commitment to ensuring an open Government. At the heart of that commitment is the idea that accountability is in the interest of the Government and the citizenry alike. The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. All agencies should adopt a presumption in favor of disclosure”
Data Protection
  • Human right
  • Personal privacy, affects everyday life
  • Not absolute - tension with freedom of expression, rights of others
  • LRC (1998) “..basic human right .. Fundamental in a civilised legal system..”
  • Constitution implicit right to personal privacy
  • ECHR article 8 explicit right “right to respect for private and family life”
Data Protection and the law
  • Data Protection legislation – rights based 1988 Data Protection Act & 2003 Data Protection (amendment) Acts
  • DPC office est. 1989
  • Data Protection directive 95/46/EC
  • EC Electronic privacy regulations
  • Disability Act 2005
  • Good Friday Agreement
  • Bunreacht na hEireann
  • Convention on Human Rights
  • Council of Europe DP convention
  • EU Charter Fundamental rights fairness and consent
  • Lisbon Treaty also makes reference
Data Protection Commissioner
  • Role – codes of practice, guidance, advice, education and support, public register, reports, investigations, audits, work with other Regulators
  • Powers – notice, enforcement, compliance, entry and inspection. Prosecute, fines up to €250,000
  • Role of commissioner in EU consistent – ombudsman (resolution), enforcer (compliance), educational (promote and advocacy), registration
  • Article 29 Working Party – harmonise application of DP across EU
DPC role
  • Approach of DPC – education and promotion, supportive, part of current Dept. of Justice review group
  • Audit resource for organisations
  • ‘private I, public eye’ – DP competition on youtube
  • Voluntary breach code (public and private)
  • Awareness - Data Privacy Day
Data Protection - definitions
  • Data controller: “a person who controls the contents and use of personal data”
  • Data processor: “a person who processes personal data on behalf of a data controller”
  • Data subject: “an individual who is the subject of personal data”
Personal and sensitive data
  • Personal: Name, address, age, date of birth, phones, assets, liabilities, financial statements, salary details, bank info., next of kin, holiday records, appraisal, staff disciplinary procedures, sick and medical certs, work history, quals, pps, skills, cv
  • Sensitive: Physical or mental health, trade union membership, racial origin, criminal convictions, religious or other beliefs, sexual life, alleged commission of offences, political opinions
  • Extra conditions required when using it - explicit consent
  • Exemptions - medical purposes, legal advice, vital interests of state, public interest, electoral purposes
Data protection in short
Data Protection – basic principles 101
  Rights of individuals:
  • To fairness
  • To get a copy of personal information (computer and organised manual)
  • To rectification of wrong information
  • To opt out (phone and email)
  • To complain to DPC
Data Protection
  Rights of access:
  • Apply in writing, sufficient information
  • Satisfy identity
  • Data supplied in intelligible format
  • Controller must give subject description of personal data held, purpose and who it may be disclosed to
  Restrictions:
  • Investigation of crime, tax assessment
  • International relations of State
  • Legal privilege
  • Data kept by DP and OIC
  • Health and social work data – special provisions
Rules of Data Protection
  • Data processing is anything done with the life cycle of that data from collection to disposal
Data Protection Life-cycle
  Source: Data Protection Commissioner
Data protection and consent
  • Consent generally required for release, but disclosed without for security of state, international relations, investigating offences, order of court, prevent injury or damage
  • Presumption in favour of access to one's own data
  • FoI generally has precedence in law over DP
  • 3rd party access - Personal information is exempt from disclosure to third parties under the FoI Acts, subject to a number of exceptions
  • Under data protection, protection of the individual's privacy is paramount, but "public interest" test does not apply
Data Protection/FoI
Data protection and …
  • CCTV: Proportionate, specific use, inform, 28 days, protocol for Garda access
  • Direct marketing: 40 days, opt-outs, unsolicited calls – fines, National Directory Database, consent
  • Retention: EU directive, ISP access (2 years), no content
More CCTV units in the UK than the entire population of RoI (CIA Fact Book)
Covers courtesy of LibraryThing.com
Courtesy of flickr.com
Data Protection .. what to do
Data Protection .. what to do II
DP high profile breaches
  • jobs.ie, Bank of Ireland, HSE, M50 toll company, DPC active on enforcements, all complaints investigated
  • High profile cases vs. Irish Rail, Sunday World, Dell, Revenue (staff accessing information on need-to-know basis), Ulster bank (bank and insurance cross marketing)
  • UK high profile DP case - 40 major companies facing legal action in construction industry for buying secret personal data and engaging in blacklisting – Laing O’Rourke, Balfour Beatty – intelligence database
Data Protection case studies
  • Prosecutions in text marketing sector in 2008
  • Prosecutions taken against – NTL, An Post, Tesco, Dell, Total Fitness Ireland
  • Against Local Authority and Aer Rianta for excessive harvesting of PPS details
  • Against Dept of Ed. for misuse of Trade Union details – to withhold pay (not fair obtaining)
  • Code of practice around insurance and health sector problematic
  • Investigations listed publicly – name and shame, reputational and business damage
Data Protection – some statistics
  (*source – Lansdowne Market Research 2008 on behalf of DP Commissioner’s office)
Data Protection - summary
  • Duty of care
  • Personal information should be accurate
  • Retain no longer than necessary
  • Right of access to personal data on computer and since 2003 to manual data in a relevant filing system
  • Procedures in place before problems arise and protocols if problems arise – avoid negative publicity, potentially damaging liability, enforcement orders from DPC - Reputational damage could be worse!
  • Only available to those that need to have it and used only for specified purposes
Data Protection
  • Data subject – (identifiable, living individual)
  • Access rights complaints major increase in 2008
  • Under Disability Act genetic testing prohibited in relation to insurance, mortgages, pension
  • Outsourcing DP operations - obligations still apply (e.g. payroll, call-centres) – on data processors on their behalf
  • Security should be appropriate to potential harm and nature of data - Encryption – particularly important in case of financial and personal records and for vulnerable groups – e.g. Bord Gais, HSE, UK s/w
  • Have regard to cost and technology available
Data Protection – be aware
  • 3rd party opinions only exempt if given in confidence or understanding of
  • References not exempt
  • Interview notes may be accessible
  • Monitoring employees: YES, depending on policy, conditions of employment e.g. acceptable email policy, social media and internet usage
Data Protection - high privacy thresholds
  • Consent is required for police / other vetting
  • Automated decisions – e.g. creditworthiness must have human input
  • Internet usage – ongoing monitoring is allowed, should be proportionate, not unduly intrusive, on reasonable suspicion
  • Monitoring without CONSENT can be legitimate
  • Call-recording without permission not allowed
Data protection - some trends
  • Social networking, web 2.0 applications: Increasing conflict and tensions, privacy issues, phishing, hacking, disclosure, open model
  • GPS / GIS: Google street view, Microsoft VE - Issues of surveillance, private property, photographic data, image retention, trouble in Germany and Greece
  • Patriot Act & Libraries: strong opposition from librarians
  • Political awareness: Increasingly topical, weekly high profile breaches, Pirate Party in Sweden
Data protection – some trends
  • Ethical issues: Detailed trail of personal information across public and private systems – how to balance ‘needs’ of the state with our own ethical rights – TMI, WTMI
  • Data sharing: 2008 data sharing deal with US – each country access to others fingerprint and DNA profiles + further sensitive data if necessary
  • Electronic communications – principle of DP apply in relation to cookies, caller ID, spam, cold call opt-outs
  • Biometrics – increasingly mainstream, compliant according to industry, DPC, unions disagree – argue for justification required prior to implementation – national gallery, schools etc.
‘BarackBerry’
  • “They’re going to have to pry it out of my hands.”
  • First Blackberry president
  • Connected
  • Emails and electronic communication subject to Presidential Acts – stored and saved
  • Mobile phone data accessed by Verizon employees
Is this important to libraries
  • Libraries accumulate huge data banks from library systems and services – how this is potentially utilized is often outside of our control, particularly where library is used as an intermediary to access externally provided content
  • Advent of participatory web – huge amounts of PII willingly displayed but do people understand (or care) about implications. Do libraries?
  • Libraries traditionally have a culture of privacy, control, this is shifting … do we have a role in this???
Sources / references
  • DPC presentation to IoT network 11/03/2009
  • www.dataprotection.ie
  • http://www.ico.gov.uk/ Information Commissioners Office - UK
  • that personal privacy is a right, take steps to protect it – winner of DP YouTube competition 2009
  • Case studies 2008
  • DP channel
Terry O’Brien, Information Compliance Officer
Waterford Institute of Technology
Thank you
tpobrien@wit.ie
www.wit.ie