Data Protection and Freedom of Information
The Carmichael Centre
13th March 2014

Introduction
• Data Protection principles
• Dealing with sensitive data
• Current legislation
• Purpose of the Freedom of Information Act
• Rights of access and exemptions

Lecturer
• Ronan Lupton, B.A. (Hons), M.Sc., DipLs, B.L. (King’s Inns) 2008.
• Practice – Areas – Experience – Goals

Privacy: A Reference Point
• Constitutional Right: Though not unlimited
• Necessary for any law of privacy to first define and identify what it aims to protect. It is also useful to develop a clear conception of the principles which justify and underpin the protection of the right, so that the courts are better equipped to accurately identify when a person’s right to privacy is engaged and when, on the other hand, that person is simply asserting a “vacuous” freedom to do as he or she pleases.

Privacy: A Reference Point
Craig has identified six reasons for the protection of privacy:
(i) Refuge: It allows the individual to retreat from the pressures of public scrutiny and social norms.
(ii) Freedom: Privacy prevents interference in a person’s acts.
(iii) Autonomy: It promotes autonomy by encouraging the individual to make his own choices.
(iv) Creativity: By protecting the individual against conformist pressures, it fosters creative experimentation, which leads to social diversity.
(v) Mental health: Privacy has been linked to individual mental health.
(vi) Intimacy: Privacy is a necessary condition for the creation of relationships of trust and confidence.
– J. Craig, “Invasion of Privacy and Charter Values” (1997) 42 McGill L.J. 355.

DP: Background & Genesis
• Motivated by a combined concern at the manner in which population statistics had been used by the Nazi regime in Germany and the emergence of technology that could store and process significant amounts of data, measures emerged from various European bodies from the late 1970s onwards to regulate the manner in which personal information about individuals was collected, stored and used.
• The EU Data Protection Directive (Directive 95/46/EC) incorporated the principles of data protection contained in two earlier international instruments:
  – The OECD Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data, 1980.
  – The Council of Europe’s Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981.
• The Data Protection Directive extended the principles of data protection to personal data kept on manual files, as well as automated filing systems. It also provided for more specific protections and exemptions concerning the use of personal data beyond those specified in the Strasbourg Convention.

Background
• The Data Protection Act, 1988 was enacted following Ireland’s ratification of the 1981 Strasbourg Convention and established the office of the Data Protection Commissioner (DPC).
• The enactment of the Data Protection (Amendment) Act, 2003 brought Irish data protection law into line with the requirements of the Data Protection Directive.
• The Electronic Privacy Directive (Directive 2002/58/EC) provided for the privacy and security of personal data for users of publicly available electronic communications services, such as telephone communications systems, email, text and Internet services.
• The Electronic Privacy Directive was incorporated into domestic law by the Electronic Privacy Regulations, 2003 (SI 535 of 2003, as amended by SI 526 of 2008) and amended further in 2011 by SI 336 of 2011. Note the position on Cookies!

What’s it about?
• Personal data is information about a living person from which that person is identified or can be identified by reference to that data or by reference to that data and other information held or which is likely to come into the possession of the person holding and controlling that information.
• In practice, any information that fully or partially identifies a person can comprise ‘personal data’.
• A data controller is a person or entity that holds and controls the use of personal data.
• A data controller is in a position to decide how personal data held by her / him / it will be used. Certain categories of data controller, such as banks and financial institutions, are obliged to register as data controllers with the Data Protection Commissioner (see www.dataprotection.ie).
• A data processor is a person or entity that processes data on behalf of a data controller (but the term does not include an employee of a data controller who processes personal data on behalf of their employer in the course of their employment).

What’s it all about?
• The term ‘data processing’ covers any use of data, including collecting, recording, storing, consulting, transmitting and making data available. The publication of personal data is therefore an act of ‘data processing’.
• In business, data controllers frequently outsource the processing of personal data to data processors in other jurisdictions. The 1988 Act (as amended - section 11) prohibits the transfer of personal data to processors outside the European Economic Area (EEA - being the EU member states plus Norway, Liechtenstein and Iceland) unless “an adequate level of protection” will apply to the data in the jurisdiction to which it is exported.
• This provision applies, for example, to the transfer of customer information by an Irish company to an overseas contractor supplying customer support services on behalf of the Irish company.

Data Protection Principles
– The DPC’s website identifies eight fundamental rules of data protection derived from the provisions of the combined Data Protection Acts, 1988 to 2003
• Personal data must be obtained and processed fairly. A data subject is entitled to be informed of the fact that data is being collected about them, by whom it is being collected, the purposes for which it is being collected and to whom it will be disclosed.
• Personal data may only be kept and used for specified, clearly stated and lawful purposes. This requirement precludes the use of personal data for uses other than or beyond those uses for which it was collected; the proposed uses must be clearly stated to the data subject and those uses must be lawful.

Data Protection Principles
• Personal data must only be processed (which term includes publishing the data) in a manner that is consistent with the stated purposes for which it was collected.
• Personal data must be kept safe and secure by the person or entity holding it, whether in electronic, manual or other form. This requirement affects email and computer access security measures along with the disposal of written paper records and information held in other formats.
• Personal data must be kept accurate, complete and up-to-date by the person or entity holding it. Decisions about data subjects (for example, the granting of loans or credit facilities by financial institutions) should not be made on the basis of information that is out-of-date.

Data Protection Principles
• The extent of personal data collected must be adequate for and relevant to the stated purpose for which it is collected. The data collected must not exceed what is necessary for those stated purposes.
• Personal data should not be retained for longer than is necessary for the stated purposes for which it is collected. The duration for which the data can lawfully be retained will vary from case to case depending on the purposes for which it was collected.
• A data subject is entitled to know what information is held about them by a data controller and has a right to be given a copy of that data on request. A data subject is also entitled to require the correction of any inaccurate information held about her / him by a data controller.

Dealing with Personal Data
• Any person or entity that collects and uses personal data about an individual (a ‘data subject’) is obliged to comply with data protection legislation. Personal data can include data such as names, addresses, telephone numbers, voice or image recordings and email addresses.
• Certain personal data can be ‘sensitive personal data’, which term refers to information about a data subject’s racial or ethnic origin, religious beliefs, political opinions, health and sexuality or criminal record (the list is not exhaustive) (section 1(1) of the 1988 Act, as amended).
• Additional protection applies to the collection and use of sensitive personal data.

Dealing with Personal Data
• Section 4 – Right of Access – Subject Access Request – Fee €6.35 – 40 days to comply
• Section 5 – Restriction on right of access
• Section 6 – Right of rectification and erasure
• Section 7 – Duty of Care – Collins v FBD
• Section 8 – Disclosure of personal data in certain cases

Exemptions – S.8
Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is—
(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,
(c) required in the interests of protecting the international relations of the State,
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,
(e) required by or under any enactment or by a rule of law or order of a court,
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness,
(g) made to the data subject concerned or to a person acting on his behalf, or
(h) made at the request or with the consent of the data subject or a person acting on his behalf.

Journalists
• Journalists investigating stories for news, current affairs or other journalistic purposes collect personal data about individuals. An important exemption from data protection requirements for processing personal data is set out in section 22A of the Data Protection Act, 1988 (as inserted by section 21 of the Data Protection (Amendment) Act, 2003).
• The exemption applies where the processing of personal data is carried out with a view to publishing that data for journalistic, artistic or literary purposes. Under the section, there needs to be a public interest justification for publishing personal data about an individual.

DPC Complaints
• Personal information about individuals, such as their name, address, telephone number or photographic image, can all comprise personal data.
• The collection, use and disclosure of that personal data must be carried out in accordance with data protection legislation.

Current Legislation – Incl. Privacy
• Article 40.3 of the Constitution
• Section 39(1)(e) of the Broadcasting Act, 2009
• Section 10 of the Non-Fatal Offences Against the Person Act, 1997
• Data Protection Act, 1988 – 2011
• Section 62 of the Garda Síochána Act, 2005
• European Convention on Human Rights Act, 2003

Freedom of Information
• The Freedom of Information Act, 1997 (FOI) as amended by the Freedom of Information (Amendment) Act, 2003 obliges government departments, the Health Service Executive (HSE), local authorities and a range of other statutory agencies to publish information on their activities and to make personal information available to citizens.
• In addition, the Freedom of Information Act establishes the following statutory rights:
  – A legal right for each person to access information held by public bodies and government departments
  – A legal right for each person to have official information relating to himself/herself amended where it is incomplete, incorrect or misleading
  – A legal right to obtain reasons for decisions affecting himself/herself.

Freedom of Information
Duties of Public Bodies
• Information about the activities of public bodies covered by the Freedom of Information Act (Section 15 and Section 16) is contained in the Freedom of Information Manual, which every public body is obliged to publish.
• The information that must be made available in the manual includes:
  – A general outline of the structure and functions, powers and duties of the organisation; the services it provides to the public and the procedures by which the public can avail of those services;
  – A description of the types of records held
  – The arrangements made to enable people to access information and records and to correct inaccurate or misleading personal information if this arises
  – Information that may assist people to exercise their rights under the Freedom of Information Act.
• In practice, most of the public bodies covered by the Freedom of Information Act have their Section 15 and 16 Manuals available on their websites. Paper copies of these documents are also available.

Freedom of Information
Requests for information
• You can ask for the following records held by Government departments or certain public bodies:
  – Any records relating to you personally, whenever they were created
  – All other records created after 21 April, 1998
A record can be a paper document, information held on computer, printouts, maps, plans, microfilm, microfiche, audio-visual material, etc.

Freedom of Information
Applications
• It is important to note that it may not be necessary to make a request for information under the Freedom of Information Act from a public body. A considerable amount of material is already made available to the public through information leaflets, publications and in response to oral and written enquiries. Most organisations have a dedicated Information Office, which is available to assist you with general queries, requests for information and publications.
• If the information you require is not readily available, you must make your request in writing to the FOI Unit of the public body and your application should refer to the Freedom of Information Act. If your application for information does not mention the Act, then your application will be dealt with as an ordinary request for information. If information is required in a particular form (e.g. photocopy, computer disk, etc.) this should be specified in the application.

Freedom of Information
• Try to be as specific as you can in order to enable the organisation to identify the information you require. Where possible try to indicate the time period for which you wish to access records (e.g., records created between May 1998 and December 1998).
• Further information on making a request under the FOI Act can be found on the website of the Office of the Information Commissioner.
• Under the Freedom of Information Act, a request for records must be acknowledged within 2 weeks and, in most cases, responded to within 4 weeks. If a third party is involved, there may be another three weeks before a response.

Freedom of Information
FOI Review Procedures
• If you are not satisfied with the response of the public body to any aspect of your request for information (i.e., refusal of information, form of access, charges) or you have not received a reply within 4 weeks of your initial application, this is deemed a refusal of your request and you can seek to have the decision re-examined by more senior members of staff within the public body. The internal review of an FOI decision must be made within 3 weeks. Applications for review of a decision should be addressed to the FOI Unit of the public body involved.
• If you are still unhappy with the decision, you have the right to appeal the decision to the Information Commissioner. The Information Commissioner investigates complaints of non-compliance with Irish FOI legislation and generally promotes a freedom of information culture in the Irish public service.

Rights of Access/Exemptions
• FOI - Specifically NAMA
• Meetings of the Government.
• Deliberations of public bodies.
• Functions and negotiations of public bodies.
• Parliamentary, court and certain other matters.
• Law enforcement and public safety.
• Security, defence and international relations.
• Conclusiveness of certain decisions pursuant to sections 23 and 24
• Information obtained in confidence.
• Commercially sensitive information.
• Personal information.
• Procedure in relation to certain requests under section 7 to which section 26, 27 or 28 applies.
• Research and natural resources.
• Financial and economic interests of the State and public bodies.
• Enactments relating to non-disclosure of records.

Questions

Thank you!