Data Protection & FOI

Data Protection: Background

• Human Right to Privacy• Unenumerated right under Irish

Constitution• Explicit right under European

Convention on Human Rights ECHR Act 2003

• EU Data Protection Directives

EU & Irish Legislation• Data Protection

Directive 95/46/EC• Electronic Privacy

Directive 2002/58/EC

• EUROPOL etc

• Data Protection Acts 1988 & 2003

• EC Electronic Privacy Regulations 2003 (SI 535/2003)

• Corresponding Acts• Good Friday

Agreement• Disability Act 2005

Definitions: DP Personal Data “Data relating to a living individual who is or can

be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller “ (DP Act, Section 1)

Applies to any data that is processed (includes hosting) using any medium by a legal entity. Therefore paper, computer, network, web, phone etc.

FOI Personal Information (narrower)means information about an identifiable individual

that_

(a) would, in the ordinary course of events, be known only to the individual or members of the family, or friends, of the individual, or

(b) is held by a public body on the understanding that it would be treated by it as confidential, and, without prejudice to the generality of the foregoing, includes etc………….

DP FOI• Information relating to

the living individual only• Information held on a

relevant filling system• Some potential to claim

“disproportionate effort” in rare circumstances

• Also relates to the deceased

• Need to search for information

• No provision for not retrieving documents

DP/FOI Access to Personal Information • DP and FOI Acts reinforce one

another in relation to personal access in the public sector

• Defending access to personal information as human (DP) and citizen (FOI) right

Access to personal info: DP v FOI ?• New Circular no 23 from D/Finance • Where a request is made to a public

body by, or behalf of, a person seeking access to their own personal information under the Freedom of Information Act, this request should also be taken as a request under the Data Protection Acts

Legislative Basis• Section 1(5) of the Data Protection Act 1988

and 2003 requires co-operation between Data Protection and Information Commissioners

• Section 7(7) of the FOI Act imposes a duty on public bodies to assist people who request information or access to a record from a public body otherwise than under FOI.

Procedural Arrangements• Decision should be made in shortest time

possible under the Acts. Usually FOI at 20 Working days

• Suggest that public bodies review information on hand under each legislative framework and give the person the maximum amount of their personal data

Procedural Arrangements (2)• if the decision is to grant access in full, there is

no necessity to mention the other Act in the decision issued to the requester.

• If the decision is to refuse an individual access to some or all of her/his personal information, the decision letter should refer to the individual's tight to internal review under the FOI Acts and to the right to complain to the Data Protection Commissioner under the Data Protection Acts.

The Right of Access (1)• Data subject must apply in writing & provide

sufficient information to satisfy data controller of his/her identity … … and to locate any relevant data

• Data controller must give data subject a description of personal data held, its purpose and to whom it may be disclosed

• Data controller must supply a copy of the data in intelligible format

Right of Access(2): Restrictions

• Investigation of crime, or assessing tax Subject to case-by-case “prejudice” test

• International relations of the State• legal professional privilege• estimate of liability for damages or compo.• data kept by DP or Info Commissioners for their

functions• Health and Social Work data: special provisions

Disclosure of Personal info to Third PartiesDP• No provision for

release of personal information to third parties

• No obligation to release information in relation to third parties when responding to access request

FOI• Where a public

interest outweighs the individual’s right to privacy

• consent