The Scottish Government

« Previous | Contents | Next »

Listen

SCOTTISH EXECUTIVE FREEDOM OF INFORMATION (SCOTLAND) ACT 2002:OPEN LEARNING WORKBOOK

MODULE 16
INTERFACE WITH DATA PROTECTION - HOW DOES FREEDOM OF INFORMATION FIT WITH DATA PROTECTION? APPLICATIONS FOR INFORMATION BY DATA SUBJECTS

16.1 CONTENT AND LEARNING OBJECTIVES

This module and the following one deal with the rules that apply when requests are made for information about people rather than, for example, information about policies or financial information. This module explains how the authority should deal with those cases where people make requests for information about themselves; the previous module (15) provides some further material about the Data Protection Act 1998 ("DPA") and the following module (17) explains how the authority should handle cases where requests are received for information about others. These are referred to as "third party" requests.

This module explains how the rights of individuals to access information about themselves will be changed after FOISA comes into effect. Once you have worked your way through this module you should understand:

• What information individuals will be able to see which they were not able to see before
• The new subject access exemption for certain personnel information
• The requirements on applicants to describe some kinds of information

It will help if you have a basic understanding of data protection to start with. If you do not or are unsure whether your knowledge in this area is sufficiently up to date work through Module 15 before you start this module. Module 15 is a refresher module on the DPA.

NB. As at January 2004 the changes to the DPA have yet to be made for Scotland. The Freedom of Information Act 2000 that applies in England, Wales and Northern Ireland makes the changes in those countries and further legislation will be required to extend these changes to Scottish public authorities. For the purposes of this module we have treated the changes to the DPA as having been made in the same way for Scotland as for the rest of the UK.

SUGGESTED TIME ALLOCATION: 50 minutes

16.2 LEARNING MATERIALS

16.2.1 Introduction

Individuals already have a right of access to information about themselves under the DPA. This is known as the subject access right. It applies to personal data (as covered by the DPA) that are computerised and personal data held in some manual files. (This will be extended under further legislation - discussed below). A request by an individual for access to information about themselves, where this is personal data as covered by the DPA, will be exempt from the right of access under the Freedom of Information (Scotland) Act and will continue to be handled as a subject access request under the DPA.

Data protection is not a devolved matter although freedom of information in relation to information held by Scottish public authorities is. Public authorities operating in Scotland which are not subject to the FOISA will be subject to the (UK) Freedom of Information Act 2000.

The (UK) Freedom of Information Act 2000 makes a number of amendments to the Data Protection Act 1998 however these will only apply to public authorities which are subject to the UK Act. It is intended that these amendments to the DPA will be applied to Scottish public authorities by further legislation. The changes will extend the definition of "data" in the DPA to cover all information held by a Scottish public authority. The new category of data will be divided into structured and unstructured records. The rights of access, rectification and limited rights of compensation under the DPA will be applied to the new category of data.

16.2.2 Main points

• The definition of data will be applied to cover information held by Scottish public authorities by the addition of a new category of data which will cover all manual records not currently covered by the DPA;
• The DPA will have limited application to this new category of information;
• Subject access will be extended to cover this new category of information;
• There will be special rules to deal with subject access requests relating to the new category of information;
• A new subject access exemption for personnel data in the new category will be introduced.

16.2.3 New Category of Data

At present the DPA only covers personal data in computerised format and in some limited types of manual records. It will be extended for public authorities subject to the FOISA to cover a new category of data. The new category is "recorded information held by a public authority" which does not fall within any of the other categories. This recorded information is broken down into two types:

• Structured - this is information structured by reference to individuals or criteria relating to individuals but that does not fall within a relevant filing system (key word Module 15) (i.e. specific information on individuals is not readily accessible).
• Unstructured - this is all other data and may include notebooks, files not structured by reference to individuals, papers etc.

The right of access will be extended to cover both types of this new category of information. The result will be that ALL recorded information about individuals held by a public authority subject to the FOISA potentially will be covered by the DPA for the purposes of access by the data subject and correction.

16.2.4 Exemption under FOISA

Information will be exempt under the FOISA if it is personal data and the applicant is the data subject. Any such application should be dealt with under the subject access rules in the DPA . There is no mechanism under the legislation to transfer a request made under the FOISA and to treat it as a subject access request so the FOISA request should technically be refused and the applicant should be advised to make a subject access request instead. In practice, authorities are likely to have policies in place for dealing with this but they should not simply provide the information as if it were a subject access request unless they are confident that they have enough information to ensure the identity of the applicant, an important issue under the DPA.

16.2.5 Handling Requests

A subject access request can be made for both new types of data but under the extended rights of subject access a data subject who wants access to the "unstructured" data has to describe the information so that the public authority can find it. The public authority has no obligation to answer a request for access to unstructured data unless the request contains a description of the information which the data subject seeks. Where the authority needs further information in order to find the information which is requested then it does not have to deal with the request until that information is provided.

Even where the request contains a description sufficient to find the data then the authority does not have to comply if the cost of finding the data would exceed the costs stated in regulations. The authority must however respond to the request and let the applicant know whether the information is held (unless this in itself would exceed the costs limit).

16.2.6 Application

The DPA will be of limited application to the new category of data. Such information will not be covered by the DPA for most purposes, including the first principle, requiring fairness, lawfulness and imposing grounds for processing personal data. The provisions which do apply are:

• the right of subject access;
• the right to rectification, blocking, erasure or destruction of data where it is inaccurate;
• the right to compensation where the damage is as a result of a breach of the above;
• the powers of the UK Information Commissioner to enforce access rights and accuracy.

None of the other provisions of the DPA apply to this type of data.

16.2.7 Subject Access new exemption

The existing subject access exemptions under the DPA apply to all the data.

There will be a new subject access exemption which applies to the new category of data. The exemption relates to personnel matters concerning service in the armed forces, service in any public office or employment or service under a contract of a public nature. Such information is exempt from most of the DPA principles. However, remember that an applicant will still be able to get personnel information about themselves where it is computerised or forms part of a relevant filing system.

16.4 SUMMARY

When the Freedom of Information (Scotland) Act 2002 comes into force people will be able to make a request for all sorts of information from authorities, but a request by an individual for information about themselves will be exempt under freedom of information and will continue to be handled under data protection. However, certain amendments to the Data Protection Act will be made. At present the Data Protection Act only covers computerised information and some manual files. This will be changed so that all recorded information held by an authority concerning an individual will be covered by the right of access, including information in unstructured files. If individuals want access to unstructured data they must describe the information so that the authority can find it and they may be required to pay a higher fee.

16.5 KEYWORDS

None

16.6 REFERENCES

Section 38 FOISA Personal Information

16.7 RESOURCES

UK Information Commissioner:
www.informationcommissioner.gov.uk

16.8 SELF ASSESSMENT CHECKLIST

1. After January 2005 an individual requesting information about himself will be able to rely on either the FOISA or the Data Protection Act 1998 as the basis for the request. TRUE or FALSE ?

2. After January 2005 the right of access to personal data will be extended to cover records that are not part of a relevant filing system and are not accessible records. TRUE or FALSE ?

3. A public authority that receives a request under the FOISA for access to personal data should deal with the request as a subject access request under the Data Protection Act 1998. TRUE or FALSE ?

4. If a public authority holds a file entitled "Staff Suggestions" in which suggestions are filed on the basis of the function of the employee making the suggestion, after January 2005 an employee would be able to make a subject access request under the Data Protection Act 1998. TRUE or FALSE?

5. Once the new category of data to be covered by the Data Protection Act 1998 is in force, individuals will have greater rights in respect of access to information about themselves than a third party would have about that same individual. TRUE or FALSE ?

Click here for answers

16.9 WHAT THEY SAID

"A wide range of information must be provided to the individual. The definition of personal data is a broad one and the information which must be disclosed will include personal information contained in manual files. Information about the processing must also be provided, not just a copy of the information itself. Third party data must be provided in appropriate circustances and a set of rules deals with when that will apply". (Jay & Hamilton, Data Protection Law and Practice, Sweet and Maxwell, 2003)

16.10 CASE STUDY

Paul Hammond sees a job advertised which is based in another department of his authority. It would mean a promotion and so he decides to apply for it. He finds out from a colleague that the other people who have applied for the job have less experience and so he is pretty confident of his chances.

During the interview things seem to go really well, until he is asked why he took time off the previous year. Paul responds that his wife had to go into hospital and it took him a few days to sort out childcare arrangements and so he was late for work a couple of times. He had informed his manager and made sure that he made up the time. His wife came home after two weeks and things returned to normal. The interview panel don't look convinced.

Paul finds out a few days later that one of the less qualified applicants was successful. He decides it must have had something to do with the strange discussion about his absence during his wife's illness. He decides to make a request for a copy of his personnel records to see if they say anything damaging about him in connection with this incident.

Task

1. What type of request will Paul need to make to obtain his records?

2. You are the personnel manager at Paul's authority and have to respond to his request. If Paul makes a request after the Freedom of Information (Scotland) Act comes into effect what information will you provide him with?

3. It turns out that Paul's files incorrectly state that he took two months off when his wife was ill. What advice would you give him on his rights in connection with this error?

« Previous | Contents | Next »