"Information Compliance - Freedom of Information, Data Protection and Libraries".
-
Upload
terry-obrien -
Category
Education
-
view
1.381 -
download
2
description
Transcript of "Information Compliance - Freedom of Information, Data Protection and Libraries".
Information Compliance:FoI, Data Protection and libraries
Terry O’Brien, [email protected] Information Compliance Officer
Waterford Institute of Technology
E/IIIUG June 2009Institute of Technology Blanchardstown
• Freedom of information
•Data Protection
Context of information compliance
• What is information compliance – primarily compliance with legal obligations and responsibilities under FoI and DP
• Responsibilities in maintaining the confidentiality, integrity and availability of information (City University London)
• Privacy, ethics, copyright, ownership, censorship, connectivity, intellectual property, re-use of public sector information, harvesting, data mining, blogging, IM, social networks, email policy, internet usage, surveillance, PII (Personally Identifiable Information), liability, obligations, legal requirements, plagiarism, information ethics,
Freedom of information
• Sweden 1766, Finland 1951,• Irish background – Government reform, Ethics in
Public Office Act 1995, Public Service Management Act 1997, Strategic Management Initiative – delivery of better government
• Counterpoint to Official Secrets Act 1963 – government openness, accountability, public participation in government
• Beef Tribunal – disconnect between government and public access to information
• 1966 US FOI Act context of failure of govt to account to Congress re; Vietnam War
Freedom of Information 101• Legislation –FoI Act
1997, FoI (Amendment) Act 2003
• Regulations (Statutory Instruments) 1998-2006
• Dept. of Finance CPU Guidelines
• Establishment of OIC
• Principles – openness, transparency, accountability
• FoI Act imposes duty to assist requestor
• Role of FoI officer – honest broker, facilitator, encouraged to answer requests outside of FoI
•Statutory Rights
• A right to obtain reasons for decisions
affecting the person
• A right to access records held by
public bodies
• A right to have personal
information amended
• Personal requests – no
fee• OR
• Non-personal requests -
€15.00
• Decision-maker [20 working
days]
• Appeal to OIC – legally binding (only 3 or 4%)
• High Court [on point of law]
• Internal review [15 days]
• Supreme Court – section 42
FoI – what is a record• A record is defined as including any memorandum,
book, plan, map, drawing, diagram, pictorial or graphic work or other documents, any photograph, film or recording, or any form in which data are held
This includes paper or electronic diaries, e-mails (not stored on a back-up system), draft records, electronic records, x-rays even
post-it notes etc.
This includes paper or electronic diaries, e-mails (not stored on a back-up system), draft records, electronic records, x-rays even
post-it notes etc.
Freedom of Information
• FoI give power a face, i.e. about who makes the decisions and why – accountability
• Power without a face as represented by Kafka in ‘The Trial’
Freedom of information - current
• Current FOI requests in 2008 up to 12,672 (+18%), Depts. of Taoiseach, Finance, Enterprise
• HSE receives most requests• Journalists represent 15% of all requests (+100%) e.g.
FAS expense accounts• Increase a by-product of downturn, “holding
institutions to account”• State bodies outside scope,– VECs, CAO, State
Examinations Commission, An Garda, FSRAI, NTMA, Pensions Reserve Commission
FoI - statistics
1999 2000 2001 2002 2003 2004 2005 2006 2007 2008
11531 13705 15428 17196 18443 12597 14616 11804 10704 12672
Requests to Public Bodies under FOI Act 1999 -2008
Freedom of information
• 140,000 requests since introduced 70% + granted• 85,000 personal information • 304 appealed to OIC• 73% members of public or representative bodies,
15% journalists, 6% business, staff of public bodies 5%, others, members of Oireachtas 1%
• Release patterns: civil service lagging behind – 36%, 54% local authorities, HSE 70%, 3rd level 48% but trend very much downward
Freedom of information• “Every person has a right to and must be
offered access to any record held by a public body. The right has been broadly interpreted and the exceptions have been narrowly interpreted”
• Reasons or motivation for seeking access are irrelevant
• Not limited to ‘interested’ parties (except in cases of personal information, but there are exemptions
FoI – key elements
• S28.5(a) Public interest test (harm test)“on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld”
• “Public interest” is a vague concept- does not mean interesting to the public!
• S18 – right for reasons for decisions – if affected, material interest
FoI - types of requests• Sample requests – tenders, financial information,
travel claims / requests for access to personal records (interview feedback), shortlisting criteria, model answers, and scripts, medical records, reasons for decisions made etc.
• FoI exposed – 700m Bertie Bowl, Industrial schools, TD and Cllr expenses, Public funds – tendering, public procurement, interview notes and marks, references (potentially), inspection of nursing homes, crèches, schools inspection reports
FoI exemptions• Section 10 – Records do not exist• Section 11 – Deferral of access to records• Section 12 – Manner of access to records• Section 19 – Meetings of government• Section 20 – Deliberations of public bodies• Section 21 – Functions and negotiations of public bodies
• Section 24 – Security, defence, IR• Section 26 – Information obtained in confidence• Section 27 – Commercially sensitive• Section 28 – Personal information• Section 29 – 3rd party consultation• Section 32 – Non-disclosure
FoI – ‘letting in the light?’
FOI – a brief review• FoI amendments seen as a retrograde step,
2003 – “put genie back in the bottle”, rushed through, OIC resigns, no consultation
• Charging schedule seen in negative terms (up front fees etc.), Cabinet records – 10 years
• Many bodies still remain outside FoI• Sign of a mature liberal democracy
FoI - summary• Rationale in 70 countries essentially the same –
empowerment of the public• FoI role in “changing social contract between public
service and the public”• Ongoing tensions between governments and FoI in
Ireland and internationally • Reflects a rights-based approach – right to know
what is being done by government in people’s name• “governmental hygiene measure” – keep government
honest, discourage corruption(FoI, The First Decade, OIC 2008)
FoI - International• ALA annual event 16/3 James Madison • US FOI 1966 (74, 76, 78) – federal agencies access to all
federal records 9 specific exemptions• “with a deep sense of pride that the United States is an
open society in which the peoples right to know is cherished and guarded” (LBJ, 1966)
• UK / Scotland – separate legislation. Scottish is seen as more progressive – more positive approach to access for children and those with disability - “ a person who requests information .. Is entitled to receive it”, “as much about culture as it is about legislation” (2004)
• “we have clearly got the balance wrong when online business have higher standards of transparency than the public services” (Gordon Brown)
FoI - the future
• “economic downturn will increase dependence of public on the state and government agencies” – state will be collecting, processing, maintaining more information about individuals
(OIC Annual Report 2008)• Comply with legal obligations in face of
fewer resources, yet increased demand
FoI – some references• Role of FoI office www.foi.gov.ie/• Office of Information Commissioner OIC www.oic.ie • Central Policy Unit Section 23 notice• Re-use of public sector information
http://www.psi.gov.ie/• FoI Annual Report 2008• OIC decisions• http://www.psi.gov.ie/• Bodies covered by FoI
http://www.foi.gov.ie/bodies-covered-by-foi • DCU FAQs http://www.dcu.ie/foi/faq.shtml#6
Barack Obama on 1st day in office
“ A democracy requires accountability, and accountability requires transparency. As Justice Louis Brandeis wrote, "sunlight is said to be the best of disinfectants." In our democracy, the Freedom of Information Act (FOIA), which encourages accountability through transparency, is the most prominent expression of a profound national commitment to ensuring an open Government. At the heart of that commitment is the idea that accountability is in the interest of the Government and the citizenry alike. The Freedom of Information Act should be administered with a clear presumption: In the face of doubt, openness prevails. All agencies should adopt a presumption in favor of disclosure”
Data Protection• Human right• Personal privacy, affects every day life• Not absolute - tension with freedom of
expression, rights of others • LRC (1998) “..basic human right ..
Fundamental in a civilised legal system..”• Constitution implicit right to personal privacy• ECHR article 8 explicit right “right to respect
for private and family life”
Data Protection and the law• Data Protection legislation – rights based 1988
Data Protection Act & 2003 Data Protection (amendment) Acts,
• DPC office est. 1989• Data Protection directive 95/46/EC• EC Electronic privacy regulations• Disability Act 2005
• Good Friday Agreement
• Bunreacht na hEireann
• Convention on Human Rights
• Council of Europe DP convention
• EU Charter Fundamental rights fairness and consent
• Lisbon Treaty also makes reference
Data Protection Commissioner• Role – codes of practice, guidance, advice,
education and support, public register, reports, investigations, audits, work with other Regulators
• Powers – notice, enforcement, compliance, entry and inspection. Prosecute, fines up to €250,000
• Role of commissioner in EU consistent – ombudsman (resolution), enforcer (compliance) educational (promote and advocacy) registration
• Article 29 Working Party – harmonise application of DP across EU
DPC role
• Approach of DPC – education and promotion, supportive, part of current Dept. of Justice review group
• Audit resource for organisations• ‘private I, public eye’ –
DP competition on youtube • Voluntary breach code (public and private)• Awareness - Data Privacy Day
Data Protection - definitions
• Data controller “ a person who controls the contents and use
of personal data”• Data processor
“ a person who processes personal data on behalf of a data controller”
• Data subject “an individual who is the subject of personal data”
Personal and sensitive data• Personal Name, address, age, date of birth, phones,
assets, liabilities, financial statements, salary details, bank info., next of kin, holiday records, appraisal, staff disciplinary procedures, sick and medical certs, work history, quals, pps, skills, cv
• Sensitive Physical or mental health, trade union membership, racial origin, criminal convictions, religious or other beliefs, sexual life, alleged commission of offences, political opinions
- extra conditions required when using it - explicit consent - exemptions - medical purposes, legal advice, vital interests of
state, public interest, electoral purposes
Data protection in short
RIGHTSfo r
In d ivid u a ls
RESPONSIBILITIESfo r
u se rso f pe rso na l da ta
Data Protection Acts 1 98 8 & 2 00 3 create
Data Protection – basic principles 101
Rights of individuals• To fairness• To get a copy of personal information
(computer and organised manual) • To rectification of wrong information• To opt out (phone and email)• To complain to DPC
Data Protection
Rights of access- Apply in writing, sufficient information- Satisfy identity- Data supplied in intelligible format- Controller must give subject description of
personal data held, purpose and who it may be disclosed to
Restrictions- Investigation of crime, tax assessment- International relations of State- Legal privilege- Data kept by DP and OIC- Health and social work data – special
provisions
Rules of Data Protection
Data processing is anything done
with the life cycle of that data from
collection to disposal
Data Protection Life-cycle
Source: Data Protection Commissioner
Beginning
Getting the Data
Middle
While you have the data
End
Disposing of data
Inform and get consent
Justification to process
Respond to access requests
Specify purpose
Only gather what is required
Keep accurate
Keep secure and dispose securely
Disclose only if compatible or allowable exception
Have a retention policy
Data protection and consent• Consent generally required for release, but disclosed
without for security of state, international relations, investigating offences, order of court, prevent injury or damage
• Presumption in favour of access to one's own data• FoI generally has precedence in law over DP• 3rd party access - Personal information is exempt
from disclosure to third parties under the FoI Acts, subject to a number of exceptions
• Under data protection, protection of the individual's privacy is paramount, but "public interest“ test does not apply
Data Protection/FoIData protection FoI
Human right Citizens right
Co-operation Complimentary
All sectors Public sector
Info exempt from 3rd parties*
Not exempt – consent may be required
Living only Living and deceased
Focus on privacy Focus on openness
Right of access Right of access
40 days to respond 20 days to respond
Prejudice test Public interest
Data protection and …
• CCTVProportionate, specific use, inform, 28 days, protocol for Garda access
• Direct marketing40 days, opt-outs, unsolicited calls – fines, National Directory Database, consent
• RetentionEU directive, ISP access (2 years), no content
More CCTV units in the UK than the entire population of RoI (CIA Fact Book)
Covers Courtesy of LibraryThing.com
Courtesy of flickr.com
• Compliance is a legal requirement for all organisations public and private
• Strong records management, records retention, archiving
• Consent – best at point of capture, registration forms, applications, website etc.
• Awareness, training and DPC guidelines
• Remedy damage before enforcement and civil liability
Data Protection .. what to do
Data Protection .. what to do II • Common sense – DP policy, clear desk and
screen, lock & key, password protect, encrypt, dispose and destruct
• Security measures for data taken off-site
• Plan into action – notify DPC immediately if breach voluntarily and inform clients (stakeholders) without delay
• Clear disclosure awareness – no to parents, external colleges, companies, marketing purposes, police by protocol only, alumni, companies by explicit consent only
DP high profile breaches • jobs.ie, Bank of Ireland, HSE, M50 toll company, • DPC active on enforcements, all complaints
investigated• High profile cases vs. Irish Rail, Sunday World,
Dell, Revenue (staff accessing information on need-to-know basis), Ulster bank (bank and insurance cross marketing
• UK high profile DP case - 40 major companies facing legal action in construction industry for buying secret personal data and engaging in blacklisting – Laing O’Rourke, Balfour Beatty – intelligence database
Data Protection case studies • Prosecutions in text marketing sector in 2008• Prosecutions taken against – NTL, An Post, Tesco,
Dell, Total Fitness Ireland• Against Local Authority and Aer Rianta for excessive
harvesting of PPS details• Against Dept of Ed. for misuse of Trade Union details
– to withhold pay (not fair obtaining)• Code of practice around insurance and health sector
problematic • Investigations listed publically – name and shame,
reputational and business damage
Data Protection – some statistics
•1031 complaints v 658 in 2006
•Eurobarometer - 70% of Irish people concerned about individual data protection
•2008
•People feel public and private sectors keep personal information safe and secure, have controls in place to ensure employees cannot access inappropriately
•50%
•Medical records, financial history, credit card, PPS, Garda records, social welfare history, telephone, internet records, emails, CVs
•Concerns
(*source – Lansdowne Market Research 2008 on behalf of DP Commissioner’s office)
Data Protection - summary• Duty of care• Personal information should be accurate• Retain no longer than necessary• Right of access to personal data on computer and
since 2003 to manual data in a relevant filing system• Procedures in place before problems arise and
protocols if problems arise – avoid negative publicity, potentially damaging liability, enforcement orders from DPC - Reputational damage could be worse!
• Only available to those that need to have it and used only used for specified purposes
Data Protection• Data subject – (identifiable, living individual)• Access rights complaints major increase in 2008• Under Disability Act genetic testing prohibited in
relation to insurance, mortgages, pension • Outsourcing DP operations - obligations still apply
(e.g. payroll, call-centres) – on data processors on their behalf
• Security should be appropriate to potential harm and nature of data - Encryption – particularly important in case of financial and personal records and for vulnerable groups – e.g. Bord Gais, HSE, UK s/w
• Have regard to cost and technology available
Data Protection – be aware• 3rd party opinions only exempt if given in
confidence or understanding of • References not exempt• Interview notes may be accessible• Monitoring employees: YES, depending
on policy, conditions of employment e.g. acceptable email policy, social media and internet usage
Data Protection - high privacy thresholds
• Consent is required for police / other vetting• Automated decisions – e.g. creditworthiness
must have human input• Internet usage – ongoing monitoring is
allowed should be proportionate, not unduly intrusive, on reasonable suspicion
• Monitoring without CONSENT can be legitimate
• Call–recording without permission not allowed
Data protection - some trends• Social networking, web 2.0 applications
Increasing conflict and tensions, privacy issues, phising , hacking, disclosure, open model
• GPS / GIS Google street view, Microsoft VE - Issues of surveillance, private property, photographic data, image retention, trouble in Germany and Greece
• Patriot Act & Librariesstrong opposition from librarians
• Political awarenessIncreasingly topical, weekly high profile breachesPirate Party in Sweden
Data protection – some trends• Ethical issues
Detailed trail of personal information across public and private systems – how to balance ‘needs’ of the state with our own ethical rights – TMI, WTMI
• Data sharing 2008 data sharing deal with US – each country access to others fingerprint and DNA profiles + further sensitive data if necessary
• Electronic communications – principle of DP apply in relation to cookies, caller ID, spam, cold call opt-outs
• Biometrics – increasingly mainstream, compliant according to industry, DPC, unions disagree – argue for justification required prior to implementation – national gallery, schools etc.
‘BarackBerry’• “They’re going to have to pry it out of my hands.”• First Blackberry president• Connected• Emails and electronic communication subject to Presidential
Acts – stored and saved• Mobile phone data accessed by Verizon employees
Is this important to libraries• Librarians are information
professionals - public servants, funded by
taxpayer, spend public money, transparency!
• Libraries use, acquire, mine, harvest people’s
information on our own and other people’s behalf
- obligations and duties
• Libraries exist within wider organisational
structures that have legal information compliance
obligations
• Our customers are the public, we use their
personal data
• Libraries are accountable, trust is important
• “Tension between privacy issues and library’s need
to collect user data” (Coombs, 2004)
• Libraries recruit and employee people like any
other organisation
• Libraries are involved in tendering and public
procurement
• People who use libraries should have an
expectancy that we are doing things ‘right’ and
not just copyright
• Libraries are seen as a positive social force,
civic minded –• IFLA & FoI
• Information ethics part of our world –
plagiarism etc.
• Libraries have obligations like other
public bodies
• Librarians interview people be aware of
what this means
• Libraries are involved in web 2.0 and social media applications
• Libraries are required to give user options –
opt-in, opt-out, Reading History.
• Libraries keep and retain records
• Sensitive data, and consent - information
to 3rd (commercial) parties
• Libraries/librarians are traditionally
compliant, conscientious professionals
Is this important to libraries• Libraries accumulate huge data banks from library
systems and services – how this is potentially utilized is often outside of our control, particularly where library is used as an intermediary to access externally provided content
• Advent of participatory web – huge amounts of PII willingly displayed but do people understand (or care) about implications. Do libraries? Libraries traditionally have a culture of privacy, control, this is shifting … do we have a role in this???
Sources / references
• DPC presentation to IoT network 11/03/2009• www.dataprotection.ie • http://www.ico.gov.uk/ Information
Commissioners Office - UK• that personal privacy is a right, take steps to pr
otect it – winner of DP YouTube competition 2009
• Case studies 2008• DP channel
Terry O’Brien, Information Compliance officer
Waterford Institute of Technology
Thank [email protected]
www.wit.ie