New School Year, New Requests

Selecting the right data to meet requestsAs staff and the students face the return to a new year, it’s worth taking a moment to ensure that you are prepared for the data protection challenges the year brings. As the year commences, the amount of personal data being collected rises rapidly.

If there were any issues with collection, collation, usage or storage last year, now is the time to consider improvements. You may have had new systems or upgrades a critical time for errors to be made.

The other area that can become very busy is requests for information. This may be about individuals in the form of SARs, or more general information in Freedom of Information and Environmental Information Regulations requests.

For SARs and most information requests, it’s now well established that these emerge as part of existing, usually difficult situations with parents or members of staff. Getting these requests right is essential in helping to close the issues behind them and avoiding further complications like the involvement of the Information Commissioner’s Office.

You need to have a clear, preferably documented, process for handling these requests. This includes interacting with the requester to get any clarifications required and setting clear parameters for extracting data. With data in hand, you need to have a well-defined set of rules to establish what data forms part of a response.

Finally, we come to what most organisations find to be the most difficult part of a request, Redaction. SARs and FOI requests have very different redaction rules but may often contain similar base data. The method you choose to undertake redaction is worth considering, but the crucial part is to have very clear guidance about what is included and what is redacted. Of particular concern is where information about one individual is interwoven with data about others.

Your Data Protection Officer should be able to provide the basis of guidance on these matters, but it well worth making sure that this information doesn’t just reside with that one person.

/0 Comments/by
Selecting the right data to meet requests

Improving your response to FOI requests

Last week, the ICO published a director’s update, focusing on the Freedom of Information Act. The number of complaints received from the public have increased significantly, with the ICO receiving 8,000 complaints this year, the highest number on record.  

For many organisations, the Freedom of Information Act sits side by side with the Data Protection Act. Just like Subject Access Requests, responding to an FOI request requires time and expertise.  

With the number of requests and complaints increasing, we thought it would be useful to provide a quick recap on Freedom of Information basics. 

What is the Freedom of Information Act? 

Passed in 2000, the Freedom of information Act makes it possible for individuals to request information from public bodies, such as the Houses of Parliament, Government Departments, the NHS and Local Authorities. When a public body receives a request, they must provide the information, unless there is a valid reason to withhold that data.  

Public bodies are also required to proactively make certain information available and easily accessible to the public.  

Does the Freedom of Information Act affect my organisation? 

The Freedom of Information Act applies to public bodies. This means that most private companies and organisations are not affected by the act. However, the definition of public body is wider than you might think. For instance, schools, colleges, and universities are considered public bodies. 

Additionally, if you work with a public body, such as a school, or a local authority, some of the information you hold for them may be in scope of the Freedom of Information Act. While it is up to the public body you work with to manage this, it’s useful to be aware of the legislation, so you can support your customers with answering requests. 

How does a Freedom of Information Request work? 

If your organisation is considered a public body, you may get a request under the Freedom of Information Act. You have 20 working days to answer this request. This usually works out at around 4 weeks.  

During those 4 weeks, you’ll first need to assess whether the request is in scope of the Freedom of Information Act. You’ll then need to locate the information and consider whether any information needs to be redacted or withheld, in line with the exemptions in the legislation. You’ll also need to consider whether the request exceeds the cost-limit outlined in the act.  

Once this is all complete, you’ll need to provide the information to the requester. With so many steps, it can be incredibly difficult to respond to a request in time, but missing deadlines or failing to provide information can lead to a complaint.  

What if we receive a complaint? 

With the number of complaints clearly rising, public bodies need to be prepared to receive a complaint, either directly from the individual, or via the ICO. This means being ready to complete an internal review. Should an internal review be requested, you’ll need to consider how the request was handled, and whether the initial response should be upheld. This should be completed in writing. You’ll need to complete this within 40 working days, and provide a response to the complainant in that time.  

It’s best to find someone uninvolved with the initial request to complete this review, to provide an objective view on your organisation’s actions, and avoid any concerns about conflict of interest.  

Struggling with the Freedom of Information Act? Our experts can offer support. From a one-off consultancy call, to helpdesk service contracts, we can be on hand to help with any requests you receive

Click here to get in touch. 

/0 Comments/by
A woman works on a laptop analysing data

What High Profile Data Breaches Can Teach Us

The two high profile data breaches that have made the news over the last days. These incidents raise some important issues that we should all take seriously.

The Electoral Commission say that their systems, alongside the details of more than forty million voters, have been compromised. According to the Guardian, the suspicion is that this attack originated in Russia. In addition, the first compromise may have been in 2021.

In contrast, the breach at the Police Service of Northern Ireland (PSNI) was self-inflicted. A spreadsheet containing the details of all serving officers was made public for about 3 hours. Ironically, this happened as part of responding properly to a freedom of information request. This is a clear warning to other public bodies about ensuring they don’t accidentally disclose data when responding to FOI requests.

The Electoral Commission incident certainly fits general image of a blockbuster data breach. A malicious actor, long term compromise of the systems and a huge amount of data available for download.

Assessing the Risks

What are the risks from the breach? Although millions of people have requested not be on the open register, name and address data for most individuals is low risk. There are however, people who register to vote anonymously, for example someone who has fled domestic violence.

The registered addresses of individuals may be found if this information becomes available. Although the probability of this occurring seems very low, the potential consequences to the located person could be catastrophic. Lets assume the chance of something happening being one in a hundred million. With 40 million records at risk, the odds of a person being affected are much too high for comfort.

The lesson here is that even with what appears to be relatively benign data, when there is enough at risk, the ‘it would never happen’ consequences must be taken seriously.

Breached for three hours

The PSNI incident, in contrast, had data at risk for three hours. It was a single spreadsheet albeit with a lot of information in it. As an aside after disclosing that the information included rank, grade and location as well as initial and surname, the Assistant Chief Constable was quoted as saying “It is limited to surname and initial only, so there’s no other personal identifiable information contained within the information that was published”, thereby showing a misunderstanding of the nature of personal data.

Many tensions remain in Northern Ireland despite the 25 years that have passed since the Good Friday Agreement. Dissident republican groups have said they have access to the data, it has been reported. According to the Belfast Telegraph, more than 600 members of the PSNI have come forward raising significant concerns based on the breach.

Learning the Lessons

Whether the information is in the hands of malicious actors or not, it is clear that simple confirmation of employment is enough for many to be concerned about their safety. Like the Electoral Commission incident, the potential consequences could be of the utmost seriousness. Additionally, large numbers of individuals may be affected.

If you are dealing with a breach, it’s essential that you think through all the possible impacts. There are few occasions where a group of names are on a list for no reason. In the PSNI case, it was because they were members of the service, but it might be a list of students who receive free school meals, staff who have had more than 5 days of sick leave or any number of other reasons. Without the context, a name is still just a name.

/0 Comments/by
The revived data protection bill is back before parliament. Data Protection and Digital Information Bill

The identification of living individuals

The times they are a-changin’ (back)!

We’re about a month in from the reintroduction of the Data Protection and Digital Information Bill. At the present time, we’re still waiting for the updated impact assessment based on the latest changes. While we wait there’s plenty of information to look at in the text of the Bill.

We will produce more detailed analysis of the changes over the coming months. However, in the first of a regular series, we’ll take a brief look at some of the changes that will affect all organisations. The Bill alters the basic definition of personal data. In other words the basic scope of data protection is being altered and, in essence, reduced.

A ‘new’ definition

The GDPR brought a key change in the definition of when an individual is identifiable. Ostensibly anonymous data can count as personal because it might become identifiable in the future.

Here’s what the new Bill says:

3A Information relating to an identifiable living individual

(1)    For the purposes of this Act, information being processed is information relating to an identifiable living individual only in cases described in subsections (2) and (3).

(2)    The first case is where the living individual is identifiable (as described in section 3(3)) by the controller or processor by reasonable means at the time of the processing.

(3)    The second case is where the controller or processor knows, or ought reasonably to know, that—

(a)    another person will, or is likely to, obtain the information as a result of the processing, and

(b)    the living individual will be, or is likely to be, identifiable (as described in section 3(3)) by that person by reasonable means at the time of the processing.

Part (2) is straightforward. If all the information is available to narrow down to a unique person at the time the data is processed, then they have been identified.

Part (3) is more complex and, consequentially, needs parts (4), (5) and (6) to try and clarify it.

In this second scenario, it’s someone other than the controller or processor who’s doing the identification. For example, an organisation with whom the data has been shared. Part (4) makes it clear that it could also be someone who obtained the data illegitimately.

So what does it mean?

It didn’t matter, with the old definition how much effort was required get the remaining data to complete the identification. In contrast, under the new rules there is a ‘reasonability’ clause, putting a limit on the actions that can be taken.

If data is shared or breached and it would take an unreasonable degree of effort to identify the individual data subject,  then what was disclosed is arguably not personal data.

For data controllers like schools and colleges, this brings the concept of pseudonymisation back into play. It doesn’t mean that going back to initialising pupil names is enough to stop records being personal data. However, it does open new opportunities. There’s no reason to think this will be particularly controversial in the committee stages, unlike some of the other changes.

Next time we’ll look at some of the changes that are planned around subject access requests.

Find out how we can help you keep up with the changes

/0 Comments/by