1 / 86

FREEDOM OF INFORMATION/ RECORDS MANAGEMENT & DATA PROTECTION Diana Watt

Join our essential training to learn about Freedom of Information (Scotland) Act 2002, Environmental Information (Scotland) Regulations 2004, Records Management, Data Protection Act 1998, and the interaction between DP and FOI. This session will empower you to comply with statutory obligations, improve working practices, and ensure legislative compliance. Enhance your professional skills and knowledge while promoting information sharing and personal data protection.

jeromez
Télécharger la présentation

FREEDOM OF INFORMATION/ RECORDS MANAGEMENT & DATA PROTECTION Diana Watt

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FREEDOM OF INFORMATION/ RECORDS MANAGEMENT & DATA PROTECTION Diana Watt Senior Governance Officer (Records Manager) Helen Mizen Senior Governance Officer (Data Protection & Legal) *part of the Edinburgh Napier Essentials training Delegate feedback…“Less boring than I expected”

  2. House-keeping Fire procedure Toilets Switch off phones/other devices (is anyone needing to use theirs for urgent business?) Refreshment break Confidential

  3. What we’ll cover • Freedom of Information (Scotland) Act 2002 • Environmental Information (Scotland) Regulations 2004 • Records Management • Data Protection Act 1998 • Interaction between DP and FOI …..there’ll also been quizzes and Q & A sessions

  4. Alignment with the University’s Values (for PDR) • Professional - Take personal responsibility - Use resources efficiently and effectively - Comply with the University’s statutory obligations, policies and regulations where applicable • Ambitious and Innovative - Using the information from today’s session to work proactively, using initiative, to improve working practices to ensure the University is legislatively compliant, including identifying potential risks and taking steps to mitigate these. • Inclusive -FOI is all about sharing information, Data Protection is about working together to protect personal information and Records Management relies on ensuring information is accessible as necessary. We encourage you to work with us in Governance Services to deliver consistent and compliant practices. • Confident and Supported - Equipped to perform role - Updated professional/specialist skills and knowledge - Sharing good practice across the University

  5. Freedom of Information and Records Management

  6. Objectives • to give an overview of the Freedom of Information (Scotland) Act 2002 and its context; • To give an overview of the Environmental Information (Scotland) Regulations 2004; • to provide details of how you should deal with a request for information; and • to give advice on how to manage your records.

  7. FOI and RM QuizHow compliance savvy are you?

  8. Who here deals with FOI requests? • How would you recognise an FOI request? • How does the University receive FOI requests? • What would you do with an FOI request? • Do you know what areas of business FOI impacts on? • What about information supplied to the University by external persons/parties? • What about information which is confidential? • What information should you give Governance Services if you have to provide information to respond to a request?

  9. Right of access “ A person who requests information from a Scottish public authority which holds it, is entitled to be given it by the authority” Section 1(1) The Scottish Information Commissioner is responsible for promoting and enforcing FOISA and EIRS. The University has an ‘Access to Information’ policy statement which applies to all staff members

  10. Three strands • The Publication Scheme for information we routinely make available - www.napier.ac.uk/foi • Individual requests can be made • Records management - good management of records ensures that the information is readily available for responding to FOI requests.

  11. Publication Scheme: www.napier.ac.uk/foi • The university must adopt and maintain a publication scheme and keep it under review • University has recently adopted the model publication scheme developed by Scottish HE Practitioners’ Group from OSIC model Has anyone here looked at ours? • It lists classes of information which are published (or intended to be published) • how and where the information will be made available and if there is a fee

  12. The Publication Scheme online

  13. Categories of Information • 8.1 General information • 8.2 Access to information • 8.3 Governance • 8.4 Financial resources • 8.5 Corporate planning • 8.6 Procurement • 8.7 Management of research and development • 8.8 Commercialisation and knowledge transfer • 8.9 Human resources • 8.10 Physical resources • 8.11 Health and safety • 8.12 Equality and diversity • 8.13 Support for disabled people • 8.14 Student administration and support • 8.15 Teaching quality • 8.16 Information services • 8.17 External and community relations • 8.18 Government and regulator relations Please check that the information for your area is up to date and let us know if it requires updating.

  14. Right of Access • Who? – anyone has the right to ask for information ‘held’ by the University • Where? – anywhere, they do not have to be resident in UK • What? – they can ask for any information of any age. The Act is fully retrospective • Why? – we cannot ask why they want the information The request does not need to mention freedom of information – it is ANY request for information. The request must be ‘recorded’ and provide a name and address, includes requests made by voicemail, Facebook and Twitter, etc.

  15. How do we handle a request? • If you receive a request forward it to us in Governance Services (foi@napier.ac.uk) to be centrally logged and dealt with. • We will request information from the relevant people/teams (which may include you). • If it’s in your remit to provide information, please do so as soon as possible to leave us enough time to review and collate the information and, if necessary, write exemption notices. ALL the information must be considered. Creative Commons image

  16. If you are providing information for an FOI request… Please advise us if: • You have any concerns about releasing the information • You can’t provide the information • You can’t provide the information by the date given • You require any clarification or if you require additional information to allow you to provide the information • Another area can provide some/all of the information • The time taken to provide the information will be excessive (we are not obliged to comply with the request if it will take more than 40 hours to locate, retrieve and provide the information – s.12 Excessive cost of compliance & Freedom of Information (Fees for Required Disclosure) (Scotland) Regulations 2004 s.5 – excessive cost prescribed amount = £600 or 40 hours @ £15/hr)

  17. Requirements under FOI(S)A • We must be as helpful as possible (s.15 – Duty to provide advice and assistance) • We must deal promptly with a request, for example, respond within 20 working days (s.10 – Time for compliance) • We must confirm or deny that we hold the information (s.16 & s.17) • We cannot recover the full costs of providing information – the fees schedule limits us to a percentage of the cost

  18. Exemptions Examples: • Personal data - breach of data protection principles (s.38) • Active research information, before publication (s.27(2)) • Commercial interests (s.33) • Confidentiality (s.36) BUT: exemptions are narrow and subject to the public interest test - if information is to be exempted this will be managed centrally by Governance Services

  19. FOI(S)A Clauses in Contracts & Procurement documents Where sections of procurement documents, contracts and committee papers are exempt from disclosure under the Act this must be recorded within the documents provided (so that if a request is received later the documents are ‘self contained’). External parties who are providing us with information must be advised that the University is subject to the Act and may be required to disclose information provided by them unless specifically advised that this is exempt. Blanket exemptions are not allowed, a schedule of exemptions by paragraph must be provided where there are multiple sections which are exempt along with an explanation. cont’d…

  20. FOI(S)A Clauses in Contracts & Procurement documents If you are dealing with external parties/ persons in this regard please: • ensure that they are aware that the University is subject to FOISA (in writing), and • that they provide a schedule detailing what they consider exempt, if anything, and why (by phrase or clause). Guidance and ‘forms of words’ are available on the intranet. The Scottish Ministers’ Code of Practice covers this in detail and this is available using the link above. www.keepcalm-o-matic.co.uk

  21. FOI(S)A Clauses in Committee papers If any FOI(S)A exemption/s apply this should be detailed under the ‘Communications Issues’ section of the committee paper and the item may be considered as ‘reserved business’. ENU Governance Services Committee Servicing training

  22. FOI Implications for staff (Compliance) • Response time • if the request is asking for information that is in your remit and you have no concerns about what is being requested then please answer it promptly. Please remember that we may need additional time to prepare the response. If you have concerns discuss this with us. • Culture change • total transparency (all information required - it is an offence to withhold/conceal information or destroy it after a request has been received). • retrospective • Information as a corporate resource (information and records management) • make sure someone can find your information in your absence • all documents and emails may be open to scrutiny

  23. Compliance cont’d • Email ‘Out of Office’ messages • Apart from advising when you will return and who to contact in your absence, your message for those outside the organisation should include the following: If your email contains a request for information that you feel may fall under the Freedom of Information (Scotland) Act, please forward your email to foi@napier.ac.uk where your request will be dealt with centrally or visit our FOI website at www.napier.ac.uk/foi. Alternatively, the website at www.napier.ac.uk may provide the information you require. • ‘Business as Usual’ Requests for Information • These requests carry the same rights as requests made under the Act. If the requestor is unhappy with the response their feedback/correspondence could qualify as a request for a review. • ‘Hidden’ FOI(S)A Requests • Be aware not to overlook FOI(S)A requests that may be ‘hidden’ in other correspondence, particularly complaints.

  24. Environmental Information (Scotland) Regulations 2004 (EIRS) • EIRS are less restrictive than FOISA requests, and can be made verbally – they do not need to be recorded. • They are requests for any environmental information, including: air, water, earth, habitats of flora and fauna; things that affect the environment, such as emissions, radiation, noise and other pollution; policies, plans and laws on the environment. EIRS that we have received include: • Work place travel plans • A biodiversity study • ‘Green’ initiatives undertaken by the University eg recycling Deal with these as you would a FOI(S)A request – forward to foi@napier.ac.uk

  25. Summary - FOISA • FOI assumes that information will be disclosed (unless exempt) • We must help people to submit requests where necessary • Information must only be retained for as long as necessary – and must be disposed of properly. Ensure that information is destroyed in accordance with University policy (incl. approved Records Retention Schedules) and procedures (an FOI request puts a ‘hold’ on destruction). • We must ensure that data is accessible to respond to access requests promptly • We must respond to requests promptly, within the statutory deadline.

  26. Scottish Information Commissioner Office of the Scottish Information Commissioner (OSIC) now collects stats as a method of monitoring compliance. Guidance issued by the OSIC following recent decisions included: • Staff need to be aware not to overlook FOI(S)A requests which are ‘hidden’ in other correspondence • Effective records management arrangements should be in place to ensure ALL the information can be retrieved • Ensure claims that information is not held can be supported if challenged • The basis for exemptions must be valid The key message was that FOI(S)A impacts on all levels of the organisation and any member of staff may at some time find themselves in receipt of a FOI request and must be able to identify it (extract from other correspondence) and be aware that ‘business as usual’ requests have the same rights as FOI requests and if applicants aren’t happy with response it may fall into the remit of an internal review request.

  27. You should now have all the answers… • How would you recognise an FOI request? • How does the University receive FOI requests? • What would you do with an FOI request? • Do you know what areas of business FOI impacts on? • What about information supplied to the University by external persons/parties? • What about information which is confidential? • What information should you give Governance Services if you have to provide information to respond to a request?

  28. Spot the FOIs • Could you please advise if you are able to confirm that Mr George Smith DOB 8/6/90, obtained a degree from your business department, graduating  in October 2012. • I would like to study at your university (course Tourism and Marketing Management), but  is it necessary to have grade from Maths for entry requirements? Because I'm studying economics and accounting so I will not graduate from Maths. • When a user logs into the student portal is there a log kept of there ip and matriculation number? If so how long is this kept? • Can you please advise me how your University sets the entry requirements for each course? And additionally, can you advise what percentage of your undergraduates come from state schools? • Further to the fine I received for damaging student accommodation I would like to complain that this was issued and request all documents relating to this, particularly those referring to me personally. I would also like to know the policies and procedures used to levy these fines. • The scale and pattern of recruitment difficulties and the skills gaps perceived by existing staff.

  29. RECORDS MANAGEMENT

  30. Is anyone here responsible for Records Management? • What is a record? • Why do we need records? • What is required when creating a record? • Where should University records be kept? • Who needs to see/use University records? • Do you know that the University has a Records Management Policy that applies to all employees? • When should you dispose of records? • How should you dispose of records?

  31. FOI Act requires good records management Underpins legislative compliance “Any freedom of information legislation is only as good as the quality of records to which it provides the rights of access” Code of Practice on Records Management, s.61 FOISA (2002) e.g. if you can’t find the information and therefore can’t provide it that is indicative of records management issues.

  32. Why is good records management necessary? • Compliance with legislative, regulatory, external stakeholder requirements. • Protects the rights and interests of the University and all stakeholders. • To support the business (processes)…enable business to be conducted. • Efficient and effective working practices. • Corporate memory and evidence of business transactions. Corporate memory NOT employee memory

  33. Record Lifecycle (what’s involved in ‘managing records’ or ‘processing’ information) Delete Organise Receive Destroy Maintain Re-use Maintain File Retain Migrate Re-use Use Share View CREATE STORE DISPOSE ACCESS CREATE ARCHIVE

  34. Record creation A record is: recorded evidence of a transaction, decision or business activity. • Ensure that the record is complete, for example: • Does it provide a full and accurate picture of the subject, event, decision, etc...? • If emails are used to make key decisions or convey important information, they too will become records • Are you scanning records or storing information digitally • proving the authenticity of electronic records • think about format of record • Will the record be useable in future by someone else? A document may become a record or make up part of a record e.g. case file, student record, employee record, etc.

  35. Creating and organising records Which comes first? Record creation OR it’s place in the filing structure? When a record is created, in the majority of cases, as it is ‘evidence of business activity’ (generated by a specific business process), its place in the filing system (classification, access, security) and retention period should already exist. This means that if the filing system is set up correctly the person who is creating the record does not necessarily have to think about these issues. If you are creating a new record it should be saved before you start working on it. Creative Commons image

  36. Organising and storing records • Arrange the filing system to mirror the business functions/activities • Keep electronic and hardcopy filing systems the same • Arrange the filing system to facilitate ‘bulk’ disposal • Keep all records together in an appropriately shared area • Think about who will need to access the records (now and in future) • Security – consider the sensitivity of the record and store appropriately • Apply naming conventions according to the business process • Your file plan should be logical for anyone to use e.g. new starter • Do not store records somewhere where only YOU have access e.g. H: Drive Guidance on managing emails which are records is available on the staff intranet

  37. Organising and storing records

  38. Retention/Disposal/Destruction • Ensure that records are disposed of in line with an approved records retention schedule. • Are you sure you are keeping records for the correct time? There are penalties for disposing of records ahead of their time and also penalties for keeping records longer than required • Retention periods are determined by legislation, regulation, external bodies and business needs • Records should be disposed of in an appropriate manner in line with University policy and procedures e.g. either by shredding or confidential console bin • Records destruction days - time dedicated to reviewing and throwing out records/information no longer required. Time must be scheduled in regularly for reviewing/ disposing of records. http://staff.napier.ac.uk/services/secretary/governance/records/Pages/RecordsRetentionSchedules.aspx

  39. Archiving • the University has an offsite storage facility for records which need to be kept longer than a year • cost for using this service • several departments storing records offsite including: HR, Finance, Governance, Communications, Development Office • to use the facility, departments must have in place an agreed retention schedule • there is a destruction service for records no longer required to be kept • storage facility meets the University’s business continuity requirements.

  40. Can you spot any RM issues?

  41. Summary – Records Management • good records management is necessary for statutory, regulatory and contractual reasons • when creating records, we need to think about: • whether the record is necessary • whether the language is appropriate • what format are we going to save the record in • whether people will need access to the record • think about storage options for records – electronic, paper and how you will store records you need to keep long-term

  42. Risks • Security – not kept securely enough (too ‘secure’, no availability). • Accessibility – not available to those who need the information (available to those who don’t need access). • Retention – kept for too long or destroyed too early. • Integrity – proving the record is what it purports to be, the master/‘golden’ record not a copy. • Information asset importance – records management is part of every job. • Disposal – not appropriately disposed of or copies not disposed of (multitude of electronic copies) Breaches DPA breaches are the most widely known about, but breaches occur under other legislation too e.g. FOI(S)A, P & L Act 1973, see the Records Management intranet pages.

  43. Further information • Edinburgh Napier University Records Management intranet pages • http://staff.napier.ac.uk/services/secretary/governance/records/Pages/default.aspx • Freedom of Information • Edinburgh Napier FOI website: • www.napier.ac.uk/foi • Scottish Information Commissioner: • www.itspublicknowledge.info • JISC • JISC Infokit– Records Management • www.jiscinfonet.ac.uk/infokits/records-management • JISC Managing records – guide for administrators • www.jiscinfonet.ac.uk/records-management/guide-for-administrators

  44. REFRESHMENTS

  45. Data Protection Briefing Helen Mizen Senior Governance Officer (Data Protection & Legal)

  46. Legal Compliance? 1 1

  47. Session outcomes • Understand what data protection is about • Recognise the practical data protection issues and risks in your area • Know where to find advice and guidance 3

  48. DPA Quiz

  49. We can share personal data within the University without consent • True • False

More Related