Introduction • Data protection is relevant to every individual, business or organisation today, not just Local Government. • As well as protecting privacy, data protection is concerned with sharing information, in a secure managed way. • DP gives us rights as subjects, but this presentation is about DP and Rother; in particular the role of Elected Members.
Freedom of Information v DP • The Freedom of Information Act 2000 (FOI) gives people access to information which is held by/on behalf of public authorities subject to various exemptions and so generally excludes personal information about individuals. • The Data Protection Act 1998 gives individuals access to information of which they are the subject, e.g. someone’s own file, or electronic records, etc. and requires it to be kept secure from others.
Data Protection Principles Data must be: • fairly and lawfully processed; • processed for limited purposes; • adequate, relevant and not excessive; • accurate; • not kept for longer than is necessary; • processed in line with subject’s rights; • secure; and, • not transferred to countries without adequate protection.
What is data? • Under the Data Protection Act 1984 only electronic data was covered • Now any data is covered, whether electronic, paper or however stored.
Rights under the Act 1. The right to subject access 2. The right to prevent processing if substantial unwarranted damage or distress 3. The right to prevent direct marketing 4. Objection to automated decision-taking 5. The right to compensation for breach of the law 6. The right to rectification, blocking, erasure and destruction 7. The right to involve the Commissioner
Notification • The Information Commissioner maintains a public register of data controllers, e.g. Rother. • Each register entry includes the name and address of the data controller and a description of the processing of data. • Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller. • Notification is the process of adding a data controller’s details to the register.
Elected members must decide in which capacity they process personal data: • Working Councillor • Political Role • Personal Role
Working Councillor • Members may have access to and process personal data in the same way as employees. • The data controller is the Council rather than the elected member. • An example is of a member of the Licensing Committee who has access to financial information for the purpose of considering whether or not the Council should grant a rate relief. In this case the elected member is not required to notify. • Data given for one purpose cannot be used for another purpose.
Political Role When acting on behalf of a political party, for instance as an office holder or as an official candidate, Members are entitled to rely upon the data protection notification made by the party. This could include details of party supporters and workers. You can seek support from local residents whom you have assisted in the past as a Councillor. But you cannot disclose the details of those local residents to the party without consent.
Personal Role • When Councillors act on their own behalf, they are likely to have to notify in their own right. Examples include: • Processing personal data on a computer in order to timetable surgery appointments or progress complaints made by local residents. • Campaigning within your own political parties for adoption as a prospective candidate; you can only rely upon the notification of your parties if the parties control the processing of personal data for the purpose of individual campaigns.
Non-automated records • There is an important exemption from notification where the only personal data which are processed take the form of non-automated or manual records. • However, even if this is the case and there is no notification requirement, elected members must comply with the other requirements of the Data Protection Act, in particular the 8 data protection principles.
Registration Number: Z529954X Date Registered: 02-MAY-01 Registration expires: 01-MAY-06 Data Controller: ROTHER DISTRICT COUNCIL This register entry describes, in very general terms, the personal data being processed and held for 12 purposes: Staff Administration; Accounts & Records; Property Management; Leisure and Cultural Services; Council Tax; Benefits; Environmental Health, Planning, Licensing, Registration and Regulation; Crime Prevention and Prosecution of Offenders; Corporate Functions; Other non-commercial activities; Other Commercial Services; Advertising, Marketing, Public Relations, Advice etc.
Data Collection • “in determining… whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed” – DPA ’98 Schedule 1 • The padlock symbol alerts people that their information is being collected and explains where they can find out how it is to be used.
Subject Access • A request by someone for a copy of information held about them is known as a “Subject Access Request.” • Requests must be made to the person or organisation (the “data controller”) who holds and/or uses the information. • Requests must be in writing and accompanied by the fee of £10. • Proof of identity may be necessary. • Within 40 days they must be told if any personal data are held about them and given a copy.
Some Exemptions from access • Information for taxation purposes • Prevention and detection of crime • Regulatory activity, such as protecting the public • Journalism, literature or art or for research, etc. • Information available to the public under an enactment • Required by law or for legal proceedings • Confidential references • Prevent prejudice to negotiations • Legal professional privilege
Data Processing • The definition in the Act is wide. This definition incorporates, amongst other things, the concepts of “obtaining”, “holding” and “disclosing”. • The second Data Protection Principle states: “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in a manner incompatible with that purpose or those purposes.”
Requirements for Data Processing (at least one must apply) • Consent of data subject • Contract with data subject • Legal obligation (not by contract) • Protecting vital interests of data subject • Public functions, administration of justice • Specific statutory power • Legitimate interests of controller unless prejudicial to data subject
Statutory Powers to process data without consent • Prevention or detection of crime, • Apprehension or prosecution of offenders, • Assessment or collection of any tax or duty or of any imposition of a similar nature, • Authorised data sharing
Sensitive Personal Data - special care needed • Racial or ethnic origin • Political opinions • Trade union membership • Religion or beliefs • Health or sexual life • Criminal offences
Fair Processing by Members • Information, which is held by the local authority, may not be used for political or representational purposes unless all the individuals to whom it relates (the “data subjects”) have agreed. • You cannot use a list of users of a Council service for electioneering purposes without the consent of those individuals. • You cannot use personal data about someone to which you had access in an official capacity, say as a member of a Committee, to help someone else unless all the individuals concerned have consented.
Political Activity Officers should not normally disclose information to elected members for political purposes. Exceptions would be: • Consent of the data subject • Data which the Council is required to make public (for instance lists of some types of licence holder) • Information which does not identify any living individuals (for instance Council Tax band information or statistical information).
Officers’ duties to Members • Members should only be given access to as much information as is necessary to carry out their duties. • Officers should specify the purposes for which that information may be used or disclosed. This may be clear in the circumstances or through general procedures and guidelines. • Where the member takes a copy of the information away from Council premises, whether in paper or electronic form, steps must be taken to ensure the security of the information.
Offences • Where processing is being undertaken and the Information Commissioner has not been notified. • Obtaining or disclosing personal information without the consent of the data controller. This covers unauthorised access to and disclosure of personal information. • Bringing office into disrepute.
Points to Remember • The need to keep personal data secure. • How we deal with requests for information about people. • People who say they are the person concerned may not be telling the truth. • Beware family members of data subject. • Even within the Council, personal data should only be passed on to colleagues who have a legitimate need for it. • Disposal of paper which includes any personal information.