580 likes | 715 Vues
Public rights of access to information. Grisilda Ponniah, Corporate Information Governance Manager Mary Elliott, FOI Officer Legal & Democratic Services. Overview of Legislation FOI/EIR Examples of Requests DPA Examples of Requests. Contents.
E N D
Public rights of access to information Grisilda Ponniah, Corporate Information Governance Manager Mary Elliott, FOI Officer Legal & Democratic Services
Overview of Legislation FOI/EIR Examples of Requests DPA Examples of Requests Contents
Environmental Information Regulations 2004 (‘EIR’) – environmental information eg asbestos in school buildings, drainage, waste Data Protection Act 1998 (‘DPA’) –information held about the person requesting the information Freedom of Information Act 2000 (‘FOI’) –information not covered by either EIR or DPA Pupil Information (England) Regulations 2005 – right of access to educational records for parents Legislation – rights of access to recorded information held by public bodies
FOI – 20 school days ie does not include school holidays (up to a maximum of 60 working days) EIR – 20 or 40 working days (if request is complex and voluminous) FOI/EIR – clock can be stopped for clarification – then re-calculated from date of clarification DP – 40 calendar days Pupil Info regs – 15 school days Legal Timescales
Do not have to refer to FOI or other legislation FOI Requests must be in writing ie letter email online form tweet facebook EIR requests can also be verbal Clear description of the information required Name and address of applicant (No name needed for EIRs) - do not have to give postal address or telephone number and an email address is sufficient Applicant and purpose blind – responses deemed to be in public domain Requests under FOI/EIR
Publication Scheme/FOI Policy/DP Policy Confirm/deny if information is held Respond and supply within legal timescales unless: Not held Vexatious/repeated/manifestly unreasonable Exceeds cost limit (18 hours work) (NB does not apply to environmental information) Exemption applies Give advice and assistance to requester When responding tell the requester how they ask for a review of the handling of the request and how they can complain to the ICO (Information Commissioner’s Office) if still unhappy Your duties under FOI/EIR
Pro-actively publish information/data Adopt Model Publication Scheme – see ICO website Various classes of information Guide to information available Publication Scheme
Make sure your records are properly managed and information can be located easily Keep a record of requests received and when they were responded to – the requester can complain to the ICO if the request is not handled properly Template responses Good Practice Points
If the requester is unhappy with the handling of the request he/she can ask the Chair of Governors to review how it was handled If not satisfied with the Chair’s review can refer it to the Governing Body The next stage is to complain to the ICO Followed by appeal to First Tier Tribunal What happens if the requester is not satisfied
Naming and shaming of authorities not complying or consistently issuing late responses and/or audit of those authorities Decision notice (may be accompanied by press release) re handling of request Information notice Undertaking Enforcement notice – failure to comply treated as if ‘contempt of court’ – fine/prison Powers of entry and inspection ICO enforcement powers
Please provide me with the following materials:+ An electronic copy of your staff handbook or equivalent document+ An electronic copy of the dress code or guidance to which yourteaching and support staff are expected to abide+ An electronic copy of the plans/procedures regarding thelunchtime break and activities organised, who is in control, rotasetc. Email address request-5***2-bd***f**@whatdotheyknow.com The request came in on 12 August during the summer break. Example 1
How long do I have to answer? Is it a valid request? Has the requester given a valid name and address? What do I need to include in any response? Is it already available on the school website? Should I make it available to limit further requests? Points to consider
The requester asks you for copies of all the tenders including the successful tender. He asks you to send it as an electronic document and gives you his email address Example 2 - Request for contract documentation for building project
Should all the information requested be released? Do you have to send it to the requester in the format requested? Has the project been completed? How much time has passed since the tender? Is any environmental information included? Points to consider
Section 41 – Information provided in confidence Section 43 – Trade secrets and disclosure prejudicial to commercial interests of authority/third party (public interest test) OR Regulation 12(5)(e) – the confidentiality of industrial information where such confidentiality is provided by law to protect a legitimate economic interest (public interest test) Possible exemptions
Generally pre-award of contract information unlikely to be disclosed because it might prejudice the procurement process Contract negotiation phase some unsuccessful bidder info might be disclosed such as names rankings and any non sensitive info Successful bidder – some info such as total price but not cvs/refs/financial models/price breakdowns What might be disclosable?
FOI – can express a preference including inspection or summary Authority should supply in format requested so far as reasonably practicable (can take cost into account) EIR – authority should make it available in format requested unless it is reasonable to make available in another form or format or it is already publicly available and easily accessible to the applicant in another form or format Format of response
I would like to request a complete list of suppliers/contractors and consultants that have been used over the past year when procuring IT Software and the total spend on IT Software during the past financial year. Request is from the Marketing Director of a software supplier Example 3
This looks like a marketing exercise – can I therefore treat it as spam and not respond? Should I be publishing where to find details of business opportunities for potential contractors? Points to consider
Please supply the following information: [Long list of data required, some of which is archived information or will require going through a large number of paper files] Example 4
Will it take longer than 18 hours to locate retrieve and collate the information? How to estimate the work involved? Choices eg refuse supply free of charge or charge Duty to advise and assist – narrowing scope Records Management/Retention Schedule Points to consider
Please supply me with copies of all the governing body minutes for the past year The request is from a local resident Example 5
Should I disclose Part 2 confidential minutes? If not, on what grounds? Section 36 exemption (prejudice to effective conduct of public affairs) can only be applied by a qualified person – chair of governors Is there any personal information that needs to be redacted? Points to consider
Please supply the following Head Teacher’s salary Mrs P’s (classroom assistant) salary The classroom assistant for Green Class’s salary The total expenditure on staff salaries Example 6
Is the information requested personal information? If it is, can I refuse it? Is the member of staff a senior or junior member of staff? Do I treat senior/junior staff differently? Balance between public accountability and privacy Points to consider
In accordance with my rights under the Freedom of Information Act I want see all the information that you hold about me. Example 7
Is this a request under FOI? How should it be handled? Points to consider
Access under DP Act (Subject Access Requests)
“Personal Data” - any information relating to an identified or identifiable living individual (data subject) An identifiable person – a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity What is Personal Data?
ICO is regulator – statutory requirement to notify Description of the processing activities is placed on a public register of notifications You must comply with data protection principles - framework for the proper handling of personal information Notification to Information Commissioner’s Office (ICO)
Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with your rights Secure Not transferred to countries outside of the EEA without adequate protection 8 Principles of ‘Good Information Handling’
CCTV Photographs of pupils/staff biometric data eg finger prints used for library/school meal payments etc Other forms of processing personal data
Loss/theft of unencrypted laptop/memory stick Wrong email/fax recipient Not checking photocopying before sending out and including page/s not intended for recipient Having an insufficiently secure IT system with weak password control (allowed hackers access to sensitive information) Personnel file left in car park Conversation about personal information in a public environment eg train bus café SEN file left in discarded filing cabinet Examples of DP breaches
For the Head Teacher – disciplinary proceedings leading to dismissal for gross misconduct For the School – the possibility of a compensation claim under DPA and/or enforcement action by the ICO plus bad publicity and/or follow up FOI requests from parents/local press What are the implications?
Prosecutions – Section 55 offences Monetary Penalty Notices (up to £500,000) Undertakings Enforcement Notices eg to introduce measures such as mandatory training for staff ICO enforcement powers
Parents or those with parental responsibility in own right as parents (Educational records) on behalf of child (Subject Access Request (DPA)) – consent needed from child if ‘Gillick’ competent ie mature enough to understand (c 12-13 years old) Child if competent as above Solicitors acting for parent/child – need consent from parent/child as appropriate Who can make requests for personal information under DPA (Subject Access Requests)?
Request proof of identity and/or fee 40 calendar days from proof of identity/payment of fee £10 fee for subject access requests Sliding fee up to £50 for copies of educational records Timescales/Charging
Hard copy – ensure redaction is secure Electronic – convert to pdf format or password protect Ensure recipient receives response direct if possible and not through 3rd party Format for response
The school receives a telephone call from an officer at the Borough Council. The officer is investigating benefit fraud and is asking for the addresses of 4 pupils who attend the school so he can check this against their records Example 1
Should the requester be asked to put request in writing confirm ID confirm authority from Council? Is consent necessary? Powers under Section 29 (3) (see later slides for more detail) Points to consider
A man contacts the school office to inform the school that he is the estranged father of two new pupils in Year 4 and 6. He is requesting copies of all documents relating to his children and wants to be added to the contact list so he receives copies of communications from the school Example 2
ID? Is the request in writing? Parental responsibility? Notified of issues relating to access? Court injunction? Points to consider
if disclosure would be likely to cause serious harm to the physical or mental health or condition of the child or someone else information re risk of child abuse, where the disclosure of that information would not be in the best interests of the child references supplied to potential employers of the child etc certain court reports information recorded by the pupil during an examination; third party personal information without consent unless reasonable in all circumstances any legal advice given to the School Educational records – what should not be disclosed
A dance teacher uses the school hall for an after school activity. The after school activities coordinator has given the dance teacher the mobile telephone numbers for parents Example 3
Is this a breach of the Act? Purposes personal information collected? If it is, what should the school have done to process the information in accordance with DP? Points to consider
(1) Personal data processed for any of the following purposes— (a) the prevention or detection of crime, (b) the apprehension or prosecution of offenders, or (c) the assessment or collection of any tax or duty or of any imposition of a similar nature, … (3) Personal data are exempt from the non-disclosure provisions in any case in which— (a) the disclosure is for any of the purposes mentioned in subsection (1), and (b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection. Section 29 Crime and taxation.