Education law conference, March 2017 - Nottingham - Understanding & discharging your data protection...

Education law conference
March 2017, Nottingham
Understanding & discharging your data protection duties

Understanding & discharging your data protection duties

22nd March, Midlands
Patrick O’Connell, Solicitor

Join the conversation #BJ_EDC

Information Law – How is it relevant to my school?

• Every piece of recorded information may be disclosable on request

• The fact that disclosure may be inconvenient or embarrassing is no defence – generally information will be disclosable unless an exemption applies

• Information legislation imposes requirements as to the use and storage of information

• GDPR

FOIA/DPA – Overview?

• Both FOIA and DPA provide a legal right to information subject only to limited exemptions

• DPA – individuals have rights to information about themselves from any organisation and there are legal requirements as to how personal data must be processed

• FOIA – relates to non-personal information from public bodies. Motive, identity and what requester will use the information for is irrelevant

• Personal data is exempt from disclosure under FOIA

• Both regimes are regulated by the Information Commissioner

• Breach of FOIA – no significant penalty

• Breach of DPA – in serious cases significant financial penalties and possible claims for damages

Data Protection Act 1998 (DPA)

Subject Access Requests (SARs)

“Dear Headteacher

Please supply me with all the information held by the School on my son and daughter which I am entitled to under the Data Protection Act 1998. This should include assessments carried out, notes, emails, records of conversations, telephone notes and office notes.

If you need any more information from me, or a fee, please let me know as soon as possible.

Yours sincerely
Mum”

SARs – What do you do now?

• Panic

• Nothing. It’s not a valid request

• Put it away with a promise to deal with it later

• Start gathering the information to respond in the time limit

• Call Browne Jacobson LLP

SARs – Time Limit?

• 20 calendar days

• 20 working days

• 40 calendar days

• 45 working days

SARs Time Limit

• DPA says “promptly” and in any event before the end of 40 calendar days

• 40 days does not begin to run until you have received the fee in cleared funds

SARs – What information do I provide?

• (Where a child is not ‘Gillick competent’) parent or guardian (with parental responsibility) is entitled to:

- The information constituting the personal data of her son and daughter so the notes, emails, records of conversations and office notes

- Information as to the source of the data

- How the information has been processed e.g. manual or electronic

SARs – What about third party data?

• Where you cannot comply with a request for personal data without disclosing information of others who can be identified from that information, you are not obliged to comply with the request unless:

- The third party has consented to the disclosure to the person making the request

- It is reasonable in all the circumstances to comply with the request without the consent of the third party

- Consider redacting the third party data. However if the remaining information means the third party will be disclosed then the information should be withheld.

SARs – Second Request

“Dear Headteacher

I am investigating a crime involving Ros Foster/Megan Larrinaga a student at your school. To assist my investigation I am requesting under the Data Protection Act 1998 all of Ros’/Megan’s records including her attendance records and any safeguarding notes you have. Section 29 of the DPA allows you to provide me with the information for the prevention or detection of crime. If you need any more information please contact me.

Yours sincerely
PC Howard”

SAR 2 – What do you do now?

• Panic and hide it in a drawer

• Nothing. DPA doesn’t allow us to share information

• Provide the information as it’s the police and they say Section 29 allows it

• Call Browne Jacobson LLP

SAR 2 – Dealing with the request

• Section 29 does provide an exemption and allows processing of personal data for the prevention or detection of crime or the apprehension or prosecution of offenders BUT

• Personal data can only be processed if one of the Conditions in Schedule 2 to the 1998 Act is met and for sensitive personal data one of the conditions in Schedule 3.

SARs – Schedule 2 Conditions

• Data subject has ‘consented’ to processing

• The processing is [absolutely] necessary:

– for performing a contract with the data subject

– for taking steps at the request of the data subject with a view to entering into a contract

– complying with any legal obligation to which the data controller is subject

– in order to protect the ‘vital interests’ of the data subject (e.g. a life and death situation)

– for certain public functions (in the public interest)

– the processing is necessary for the purposes of ‘legitimate interests’ pursued by the data controller or by a third party to whom the data is disclosed

– but only where these interests outweigh data subject interests.

SARs Schedule 3 Conditions

The most relevant are the following:

• the explicit consent of the data subject is obtained

• Necessary for rights or obligations of employment

• [absolutely] necessary to protect the vital interests of data subject or someone else

• for medical purposes

• in connection with legal proceedings or for the purposes of establishing / defending legal rights

• for ethnic monitoring purposes.

SARs – Other exemptions which may be relevant

• National Security (s28 DPA)

• Crime prevention and taxation (s29 DPA)

• Orders made for Health, Education, Social Work (s30 DPA)

• Required by law or in legal proceedings (s35 DPA)

• Legal proceedings/establishing and defending legal rights (S35 (2))

• Schedule 7 exemptions include: confidential references, corporate finance, Legal Professional Privilege.

SAR – Top Tips

• Is the child old enough to make their own request? Do you need the child’s consent before responding?

• Is a fee payable? If so and not enclosed, request it promptly

• Diarise date for compliance

• Consider if the response includes information about other people

• Consider if any exemptions apply

• Respond

Looking ahead to the GDPR

• 25 May 2018

• Fundamental data protection principles revised but broadly similar

• Personal data must be processed fairly, lawfully, as little as possible, only for limited purpose

• Obligations as to data quality, security, integrity and confidentiality

• New accountability principle

• Enhanced rights for data subjects - particularly children

Looking ahead to the GDPR

• Understand the data you use and where and to whom it flows

• Consider legal basis on which you process data

• Check policies, contracts and notices

• Develop an accountability framework

• Determine if you need a DPO

• Plan for complying with individual rights

• Plan for breaches

Looking ahead to the GDPR

• Check the guidance available on the ICO website

• Check Browne Jacobson website and events

Freedom of Information (FOIA)

Real Requests?

• How much money has the Trust spent on pornography in the last twelve months?

• What are the names of the three fish at HMP Leeds?

• How many drawing pins are in the building and what percentage are currently stuck in a pin board?

• What preparations has the MOD made for an alien invasion?

• How much money has been paid to exorcists over the last twelve months?

Real Requests?

• All of them

• None of them

• 2 and 3 only

FOIA Request

“Dear Headteacher

I am making a request under the Freedom of Information Act for the following information

(a) What is the annual spend on cleaning supplies such as toilet rolls in the past 12 months?
(b) What cleaning products does the School purchase and how often?
(c) Where do you purchase your cleaning products?

Yours sincerely
Mr Requester
6 Temple Court”

FOIA – Responding to the request

• Panic

• Nothing. It is not a valid request

• Put it in a drawer. You have more important things to do

• Start investigations in order to respond to the request

• Call Browne Jacobson LLP

FOIA – Time Limit?

• 40 calendar days

• 20 calendar days

• 40 working days

• 20 working days

FOIA – Time Limit (2)

• Need to consider 2 deadlines

• S10 FOIA says “promptly” and in any event within 20 working days

• Working Days = School Days – but - Teacher Training Days/Inset Days not a School Day

• Long stop date of 60 days

• Must respond within the earlier of the two deadlines

• Especially important during school holidays

FOIA – Practical Considerations

• FOIA relates to information held at the date of the request

• No obligation to create information to respond to a request

• The right is to ‘information’ not specific documents (although caution is required in relation to some information such as receipts)

• FOIA applies to information held by third parties on behalf of the School such as contractors

• Remember FOIA is tantamount to disclosure to the whole world – care is therefore required when disclosing information

FOIA - Exemptions

• There are two types of exemptions. Absolute and Qualified

• Most of the exemptions provided by FOIA are “qualified”, meaning that even if the exemption is engaged, the information requested should be disclosed unless the public interest in withholding the information outweighs the public interest in disclosing it

• Absolute exemptions are just that and the public interest test does not apply

• Often more than one exemption is engaged. Where this is the case, where practicable, set them all out.

FOIA – Relevant Absolute Exemptions

• Section 21 - Information accessible by other means

• Section 40 – Personal Data

• Section 41 - Information provided in confidence

FOIA – Relevant Qualified Exemptions

• Section 22 – Information intended for future publication

• Section 30 - Investigations and proceedings conducted by public authorities

• Section 31 - Law enforcement

• Section 36 – Information prejudicial to the effective conduct of public affairs

• Section 42 - Legal professional privilege

• Section 43 - Commercial interests

Public Interest

• There is no definition of ‘public interest’ in FOIA

• Guidance from the IC says that it is something which serves the public interest. It is not something which the public is interested in

• A qualified exemption can only apply where the public interest in maintaining an exemption outweighs the public interest in disclosing it or confirming or denying it is held.

FOIA – Can I Charge?

• It is generally not possible to charge for responding to FOIA requests

• An exemption is available if the cost of dealing with the request, in terms of identifying, locating and providing the information, would exceed the prescribed amount – currently £450, calculated as 18 hours at £25 per hour

• Cannot charge for considering whether an exemption applies or redacting the information

• If the School estimates that this limit is likely to be exceeded, it may decline to deal with the request

• Alternatively it can offer to provide the information but charge the requestor for the costs incurred in doing so. If the requestor agrees to meet those charges you must proceed.

Vexatious/Repeat Requests

• S14 FOIA allows authorities to decline to deal with requests on grounds that they are vexatious or repeated

• The repeat exemption will apply where the authority has received a previous request that is the same or substantially similar

• The vexatious exemption applies in respect of requests that are vexatious and will require you to consider the identity and motivation of the requestor.

FOIA – Top Tips

• Respond – even if only to say “we do not hold the information requested”

• Apply the public interest test where necessary and if withholding information on this basis explain how the test has been applied

• Think about the wider implications of disclosing or withholding information? Do you need to consult on disclosure?

• Don’t try to withhold information without clear justification

• Don’t destroy/alter any documents that are the subject of a request. This is a criminal offence for the individual responsible.

Any questions?

Find out more

www.brownejacobson.com/education

Talk to us

Patrick O’Connell | 0330 045 2149

Please note

The information contained in these notes is based on the position at February 2017. It does, of course, only represent a summary of the subject matter covered and is not intended to be a substitute for detailed advice. If you would like to discuss any of the matters covered in further detail, our team would be happy to do so.

© Browne Jacobson LLP 2017. Browne Jacobson LLP is a limited liability partnership.