SCOTTISH EXECUTIVE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002: OPEN LEARNING WORKBOOK
MODULE 15
DATA PROTECTION - REFRESHER MODULE ON THE EFFECT OF THE DATA PROTECTION ACT 1998
15.1 CONTENT AND LEARNING OBJECTIVES
This module provides an overview of the main aspects of the Data Protection Act 1998 (the "DPA"). It can be used to refresh your memory before proceeding to Modules 16 and 17 which deal with the interface between freedom of information and data protection. If you have not looked at data protection before, then spend some time working through this module and understanding what the key concepts behind the DPA are and what the key terminology is. This will help you when looking at Modules 16 and 17.
Once you have worked your way through this module you should:
- Be reminded of or learn about the data protection regime
- Understand the key terms used in the DPA
- Be familiar with the main elements of the DPA
SUGGESTED TIME ALLOCATION: 1 hour
15.2 LEARNING MATERIALS
15.2.1 The importance of key terms
The Data Protection Act 1998 uses several key words which you may not be familiar with. These terms are highlighted in bold throughout this module. They are listed at the end of the module.
15.2.2 Introduction
The DPA came into force on 1 March 2000. Data protection is not a devolved function so the DPA applies throughout the UK. It comes from a European Directive that the UK was required to implement and so all other member states of the European Union have similar legislation. It also partially implements Article 8 of the Human Rights Act 1998 in relation to privacy. It sets out rules for processing personal data and applies to many paper records as well as those held on computer. The idea behind the DPA was to help to secure individuals a right to privacy by protecting the information that is held about them. Under the DPA, the person to whom personal data relate is known as the data subject.
The DPA requires data controllers, that is those who determine the purpose of and the manner of processing personal data, to comply with the rules of good information handling practice, called the Data Protection Principles. These principles require, amongst other things, that personal data are processed fairly and lawfully, are accurate and relevant and are subject to appropriate security. All Scottish public authorities will process personal data and therefore need to respect the data protection principles set out in the DPA.
15.2.3 Information covered by the DPA
In order for information to be fully covered by the DPA it must fall within the definition of data and also be personal data.
Data are information which is:
- processed by computer or other automatic equipment or recorded on paper with the intention of processing it later by computer;
- recorded as part of a 'relevant filing system', that is a system which is structured by reference to individuals or by reference to criteria relating to individuals (such as payroll numbers) and has sufficient structure to enable specific information relating to a particular individual to be found easily; or
- held on an accessible record.
Accessible records are manual files not otherwise covered by the DPA but to which access was previously available under other legislation. These are certain health records, educational records and housing and social services records.
15.2.4 Personal data
The DPA is concerned with personal data; that is information which falls within the definition of data and is also about a living person. The information may be stored under a particular individual's name but personal data which identifies a person in a different manner, for instance by reference to a payroll number, is also covered by the DPA. As long as the information relates to a living person who can be identified from the data or that and other information in the possession of or likely to come into the possession of the data controller it will be protected by the DPA.
However, the mere mention of an individual in a document does not mean that the document is their personal data; a data controller will have to consider whether the information relates to them. A number of English and European cases have looked at what is covered by the definition of personal data and authorities should seek advice if required.
15.2.5 Sensitive personal data
Some types of personal data are regarded as particularly sensitive - partly because they may be more liable to cause damage or distress to individuals if the data are misused or disclosed without proper authority. The categories of sensitive personal data are listed in the DPA and include racial or ethnic origin or information about an individual's health or sexual life.
15.2.6 Processing
The main effect of the DPA is to control the way in which data are 'processed' by data controllers. Processing is another keyword under the DPA and is given a broad definition. Processing includes obtaining or recording data, the retrieval, consultation or use of data, the disclosure or otherwise making available of data.
15.2.7 The Principles
Anyone processing personal data must comply with the eight enforceable data protection principles. These state, broadly, that personal data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive to the purpose of the processing;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- held securely;
- not transferred to countries without adequate protection.
15.2.8 Notification
The UK Information Commissioner is responsible for keeping a public register of data controllers. All data controllers have to notify the Commissioner of the data they process and the purposes for which they do so unless they fall into an exempt category. The exempt categories cover basic business processing which is unlikely to have a detrimental effect on individuals.
15.2.9 Grounds for processing data
In order to carry out any processing of personal data a data controller must have a lawful justification for carrying out the processing. These grounds on which processing can be justified are set out in the DPA. They are reasonably generous. A data controller should be able to find a ground for most processing. The grounds include that the data subject has consented to the data being processed or that the controller is justified in processing for the purpose of his business where there is no damage to the legitimate interests of the individual data subject.
Where the data controller wishes to process sensitive personal data he has to be able to show an additional ground. The grounds for processing sensitive personal data are more stringent and it can be more difficult for the controller to justify the processing of such data.
15.2.10 Individual rights
The DPA gives individuals considerable power to influence the actions of data controllers. They are entitled to:
- Access the data held about them (see 'subject access rights' below);
- prevent processing likely to cause damage or distress;
- prevent processing for the purposes of direct marketing;
- object to automated decisions being taken about them;
- claim compensation for damage or distress caused by a breach of the DPA;
- apply for rectification, blocking or erasure of inaccurate data.
However, there are some limitations and exceptions to these rights which are set out in the DPA.
15.2.11 The right of subject access
This is dealt with in more detail as it is the right which will be extended by the changes brought about by the UK Freedom of Information Act 2000 (and which will be brought in in Scotland by way of further legislation). The subject access right gives an individual the right to
- require a data controller to provide a description of the personal data held about them, the purposes for which that data are processed and the classes or types of persons to whom the data are disclosed;
- have the data communicated to them in an intelligible form together with information about the source of the data (where this information is held by the controller);
- be given information about the logic behind any automated decision making.
The data must be supplied in permanent form by way of a copy, except where the supply of a copy in permanent form is not possible or would involve disproportionate effort. The fee for subject access is set in Regulations. It is £10.00 although it may be more if medical or education records are accessed or less for credit reference files. When the right of access is extended by way of further legislation in Scotland there will be different fees for some manual information, these being likely to be those set out in the FOISA fees regulations (which are expected later in 2004).
The changes to the right of subject access are discussed in Modules 16 and 17 but, basically, individuals will be able to apply for all information held about them by a public authority, whereas previously they were restricted to computerised data and data falling within a relevant system.
15.2.12 Exemptions under the DPA
There are some exemptions to the obligations under the DPA. There are several different kinds of exemption, for example information may be exempt from the right of access or from the restrictions on disclosure. There are a considerable number of subject access exemptions, for example information may be exempt from access in the interests of national security or because the prevention or detection of crime would be prejudiced by providing access.
15.2.13 Enforcement
The DPA is enforced by the UK Information Commissioner. The UK Commissioner has obligations to give advice and assistance to data controllers and to deal with complaints of breach of the principles. He has powers to take formal action to require data controllers to obey the DPA or to prosecute for serious breaches. The UK Information Commissioner is different from the Scottish Information Commissioner. The UK Information Commissioner has responsibility throughout the UK for data protection and has responsibility for freedom of information in England, Wales and Northern Ireland. One of his Assistant Commissioners specifically deals with data protection as it relates to Scotland. The Scottish Information Commissioner only has responsibility for freedom of information in Scotland, not for data protection, although he will liaise closely with the UK Information Commissioner.
15.2.14 Conclusion
It is clear that there can be a conflict between the rights to privacy afforded by the Data Protection Act and the rights of access to information which the Freedom of Information (Scotland) Act provides. The interfaces between these two pieces of legislation are dealt with in the following two modules.
15.3 THE STRATEGIC VIEW
Authorities should consider staff awareness of data protection issues and whether refresher training or general awareness training would be appropriate. Staff should be aware how subject access requests are to be handled - whether by referring this to a dedicated member of staff or by staff members direct. Staff should be aware of the difference between a subject access request and a FOISA request and understand how the different requests should be treated.
15.4 SUMMARY
The Data Protection Act 1998 aims to secure individuals' right to privacy by protecting information that is held about them. Any authority that handles personal data must comply with the data protection principles which control how such data are processed. These principles require, amongst others, that personal data should be fairly and lawfully processed, accurate, not kept longer than necessary, held securely and processed in accordance with the data subject's rights. Individuals have the right to ask for a description of the personal data held about them, this is known as a subject access request, and to receive a copy of the information. The DPA only relates to information processed by a computer and to some manual files, such as files which relate to specific individuals.
15.5 KEYWORDS
Accessible Records | These are health, education and some records about local authority tenancies and social services. (Section 68 DPA). |
Data Controller | This is a person who, whether on his own or jointly or in common with others, decides the purposes for which personal data are processed and the manner in which they are processed. (Section 1 DPA). |
Data Protection Principles | These are the standards of good information handling practice set out in Schedule 1 of the Data Protection Act 1998. |
Data Subject | This means an individual who is the subject of personal data. (Section 1 DPA). |
Personal Data | This is defined in the Data Protection Act 1998 and means information which relates to a living individual who can be identified from that information or other information in the possession of or likely to come into the possession of the holder of the data. (Section 1 DPA). |
Relevant Filing System | This is the term which defines those sets of manual information which are covered by the Data Protection Act 1998. (Section 1 DPA). |
15.6 REFERENCES
Section 38 (1) FOISA Exemption for personal information
15.7 RESOURCES
UK Information Commissioner:
www.informationcommissioner.gov.uk
15.8 SELF-ASSESSMENT CHECKLIST
1. The Data Protection Act 1998 requires data controllers to comply with the following Data Protection Principles:
- personal data must be processed fairly and lawfully;
- personal data must be adequate, relevant and not excessive;
- personal data must be accurate and secure; and
- personal data must not be kept for longer than is necessary.
TRUE or FALSE ?
2. A data controller stores personal data about its employees under a series of employee code numbers so that the files can be accessed anonymously. However, human resources staff and the payroll manager can identify employees by their code numbers, so this data will still be covered by the Data Protection Act 1998. TRUE or FALSE ?
3. Where a data controller wishes to process sensitive personal data he has to be able to show that either the data subject has consented or that there will be no damage to the legitimate interests of the data subject as a result of the processing. TRUE or FALSE?
4. A student who wants to discover what information about himself is held by the Scottish Higher Education Funding Council may use the Data Protection Act 1998 as the basis for his enquiries. TRUE or FALSE ?
15.9 WHAT THEY SAID
"An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use, or disclosure of such information". (Data Protection Act 1998)
"This is an important area of law. Those advising on it need to understand its context and recognise that there remain areas where there are different interpretations, as yet untested by the courts. But they also need to take a step back every now and again and look at the big picture. The law is there to protect one aspect of a fundamental right and to balance that with others. If we forget that then all we see is regulatory burden". (Elizabeth France CBE, Telecommunications Ombudsman)
15.10 CASE STUDY
COMPARATIVE RIGHTS OF ACCESS UNDER THE DATA PROTECTION ACT 1998 AND FREEDOM OF INFORMATION (SCOTLAND) ACT 2002
The Table of comparative rights of access follows:
Note - In relation to the Data Protection Act these notes do not deal with the special rules which apply for access to accessible records. The DPA will change post 1 January 2005. The provisions that will only apply post January 2005 in the DPA are shown in bold.
No. | ISSUE | DATA PROTECTION | FREEDOM OF INFORMATION |
1. | Who can apply for information? | Only the data subject, that is the living individual to whom the particular data relate. | Anyone anywhere can apply for information. This can include limited companies or persons who are overseas. |
2. | Who can a request be made to? | Any data controller that is a person or organisation within the public or private sector who determines the manner and purpose of the processing as long as the controller is subject to UK law. | Any Scottish public authority listed in the FOISA. |
3. | Can the organisation ask for proof of the identity of the applicant? | Yes, it must do so as the data controller is under an obligation not to disclose information to an unauthorised third party. | No, the applicant must give a name and an address for correspondence but in most cases the identity of the applicant is irrelevant. However if special circumstances apply for example the applicant is suspected of making vexatious or repeat applications then the identity of the applicant may be relevant. Also, the identity of the applicant may be relevant when making a request for a review to a public authority. |
4. | How must an application be made? | In writing, this means in a form which gives rise to a permanent record although this may be by e-mail or other electronic mechanism. | In writing, this means in a form which gives rise to a permanent record although this may be by e-mail or other electronic mechanism. |
5. | What information can be requested? | All the information which relates to the data subject and which falls within the definition of data in the DPA, that is broadly information held on a computer or in a filing system in which specific information about the individual can be readily found. It also covers structured files in which specific information cannot be readily accessed and unstructured information. | Any recorded information held by or on behalf of the authority. |
6. | Can a fee be charged? | Yes. Generally a fee of up to £10 can be charged. | Yes. Authorities will be able to charge a fee in accordance with Fees Regulations. |
7. | When is the fee payable? | When the request is made or prior to the information being provided. | If it wishes to charge a fee once an authority has received a request, it must give the applicant a fees notice. The specified fee must be paid before the authority actions the request for information. |
8. | How specific does the request have to be? | The request must enable the authority to locate the information requested. If this is not possible the authority can ask the subject to provide further information and does not have to respond until it has received enough information to handle the request. | The request must enable the authority to locate the information requested. If this is not possible the authority can ask the subject to provide further information and does not have to respond until it has received enough information to handle the request. |
9. | Is there a limit to the amount of information that can be requested? | No. The individual is entitled to all the personal data held about him unless it is exempt. | Yes. There is a limit to the searching which an authority must carry out to provide the information. This is set as the appropriate limit. |
10. | Does the organisation always have to answer a request for information? | It should always send a reply but in some circumstances it does not have to acknowledge that it holds information. | It should always send a reply but in some circumstances it does not have to acknowledge that it holds information. |
11. | Must original documents be provided? | No. The individual is entitled to the information constituting the data not a copy of the actual data. | No. The obligation is to provide information not to provide copy documents. |
12. | Can the applicant insist on having the information in a particular form or format? | No. However, codes must be explained. If it is not possible to provide the information in permanent form without disproportionate effort the information can be provided by other means e.g. inspection. | No. The applicant cannot insist but can specify a preferred form when making the request. An authority must accommodate the request if practicable and if it is not practicable explain why. |
13. | How long does the organisation have to respond to a request? | The organisation must respond as soon as possible and in any event within 40 days of receiving a valid request and fee. | The authority must respond within 20 working days. |
14. | Are there any exemptions from the obligation to provide information? | Yes. There are a range of exemptions set out in the Act. These are usually applied on a case by case basis. | Yes. There are exemptions set out in the Act. |
15. | Can information be excluded or blacked out ("redacted") from documents supplied in response to a request? | Yes, if the information relates to another individual and it is not reasonable to give it or an exemption applies. Where information can be redacted that should be done rather than withholding information. | Yes. Information can be redacted if it is exempt. Information should be redacted rather than access being refused. |
16. | What recourse or remedy is there if the authority does not provide the information it should? | The individual can either complain to the Information Commissioner's Office (UK Commissioner) or can go to court. | The complainant must make a request for review to the authority which will reconsider the application. If not satisfied it can be referred to the Scottish Information Commissioner. The Scottish Information Commissioner's decision can then be appealed to the Court of Session. |
Task
Without looking back at the comparison table fill in the name of the relevant Act in the right hand box below. When you have finished go back and check your answers against the table.
Rule | DPA or FOISA or BOTH |
An aggrieved complainant can take a case to court | |
Only the individual to whom the information relates can apply for access to it | |
Exemptions may be applicable | |
An application must be made in writing | |
There is no limit to the amount of information that can be requested | |
A response must be provided in 20 working days | |