Stakeholder workshop Central government. Thursday 26 March 2015

Transcription

1 Stakeholder workshop Central government Thursday 26 March 2015

2 Welcome Sue Markey Government and Society Team Strategic Liaison

3 Introductions

4 This afternoon s programme Data Protection and Privacy: key ICO issues and update Break and networking Freedom of Information: key ICO issues and update ICO website a central government sector page?

5 The ICO: data protection update Judith Jones - Group Manager Government and Society Information Commissioner s Office

6 ICO corporate plan

7 Business plan priorities include: preparing for period of substantial change with the implementation of new EU data protection framework and outcome of Triennial Review developing and promoting an ICO privacy seal scheme as a means of demonstrating a commitment to good dp practices engaging with transparency and Open Data initiatives to ensure a balanced information rights perspective

8 Government changes Introduced powers of compulsory audit to public authority NHS bodies Reduced the burden of proof to fine nuisance callers Outlawing enforced subject access requests Extended the FOI Act to Network Rail

9 Data protection: current issues Data sharing service delivery reform, digitalisation of public services Open data, big data, definition of personal data Encouraging good practice PIAs, Privacy by Design General election electoral register, political parties Surveillance EU DP reform

10 EU data protection reform General Regulation not Directive Law enforcement Directive still on the table Council work ongoing partial general agreement Latvian Presidency until June 2015 political agreement? Trilogue Commission/Parliament/Council Possible completion in Brussels by first half 2016 UK implementation mid 2018?

11 EU data protection reform Key issues remain: scalability of the obligations, particularly for small businesses, provisions on profiling and risk, definition and use of pseudonymisation, one stop shop and associated consistency mechanism, the right to be forgotten and the Regulation s enforceability overseas, and duties of data protection authorities including the imposition of sanctions.

12 Privacy seals Third parties to deliver privacy seal schemes Operators must be accredited by the UK Accreditation Service (UKAS) Aim for first scheme to be up and running in 2016

13 PIAs Code of Practice One year on Application of PIA s in practice Process v Policy Good Practice examples Embed proactively Benefit to organisations

14 Enforcement, security breaches PECR easier to tackle spam texts etc from 6 April Intelligence sharing UK Cybersecurity threats and data protection law Increased international cooperation - Global Privacy Enforcement Network (GPEN)

15 DP cases Edem v ICO & FSA [2014] Court of Appeal - clarification of the definition of personal data Weller and others v Associated Newspapers Ltd [2014] High Court of England and Wales - photos of Paul Weller s children on a family outing in a public place. Ryneš v Úřad pro ochranu osobních údajů [2014] Court of Justice of the European Union CCTV footage does not fall within domestic purpose exemption Max Mosley v Google Inc. & Google UK Limited [2015] High Court of England and Wales Mr Mosley s DPA claim was a viable claim.

16 Freedom of Information and Environmental Information Regulations: news and update

17 Contents Outsourcing and FOI Recent cases Current issues ICO guidance

18 Outsourcing and FOI Transparency in outsourcing: a road map An ICO discussion document on how to achieve greater transparency about services and functions outsourced by public authorities Transparency in outsourcing: a roadmap

19 Four steps to greater transparency in outsourcing 1. Better contracts 2. Transparency by Design 3. Legislation 4. Standard contract terms

20 A Transparency by Design approach Key elements: Make as much information as possible available proactively as open data Agree with contractors what information is in scope of a FOIA request and in particular what information is held by the contractor on behalf of the public authority Set out the responsibilities of both parties in dealing with FOIA requests Consider in advance whether FOIA exemptions could apply to any of the information

21 Outsourcing and freedom of information guidance document Practical advice for public authorities Deciding whether information is held on behalf of the public authority How to adopt a transparency by design approach Outsourcing and freedom of information

22 Recent cases Department for Education v Information Commissioner & McInerney (EA/2013/0270) Concerned a request for information about applications to establish Free Schools and about decision letters sent by the Department for Education in response to such applications. The First Tier Tribunal (FTT) had decided that the Department could rely as of right on a late claim of section 12 or 14 and that, on the facts of this case section 14 was engaged. The above decision was appealed by Ms McInerney to the Upper Tribunal (UT). At the hearing on 22 January 2015 the UT dismissed the appeal.

23 Fish Legal v Information Commissioner and others [2015] UKUT 0052 (AAC) (16 February 2015) The Upper Tribunal (UT) ruled that private water companies are public authorities for the purposes of the Environmental Information Regulations (SI 2004/3391). Applying the previous ruling of the Court of Justice of the European Union (C-279/12), the Upper Tribunal based its decision on the fact that water companies have "special powers" over and above those in private law. At the same time, the UT rejected an argument that the water companies were public authorities by virtue of the fact that they are under the control of other public authorities such as OFWAT or the Environment Agency.

24 Current issues Vexatious and Manifestly Unreasonable requests Form of requested information Supreme Court ruling in Evans!

25 Recently published ICO guidance Consideration of the identity or motives of the requestor The requestor s identity may be taken into account when: The authority has reason to believe that the requestor hasn t provided their real name Determining whether the cost of two or more requests can be aggregated under s12 The requested information contains the requestor s own personal data Assessing whether the information is reasonably accessible to the requestor by other means Assessing whether the request is a repeated request When considering refusing a request as vexatious / manifestly unreasonable Where a request is unclear or ambiguous knowing the purpose behind it would help the authority identify and locate the requested information If applying a prejudice or adverse effect based exemption pa is concerned about how the requester will use the information

26 Recently published ICO guidance Section 39 exemption - Environmental Information Provides an overview of the exemption provided by s39 FOIA And includes: Determining whether a pa is subject to the EIR Determining whether the information is environmental Applying the exemption Procedural requirements Dealing with mixed requests The interaction between sections 39 and 21 FOIA

27 ICO guidance Guidance currently being updated Section 16 Advice and Assistance Section 22 - Information intended for future publication Section 29 The Economy Section 38 - Health and Safety Section 39 What is environmental information Section 41 Information provided in confidence Section 45 Code of Practice Section 46 Code of Practice on records management

28 ICO website A central government sector page? Would you find this useful? What should it contain? Links to external sources of relevant information?

29 Keep in touch Subscribe to our e-newsletter at or find us on