Just adding to Paul's explanation - my understanding is that any personal information falling into the additional 5th category (all other recorded info held by a public body) is covered by the new Fee Regulations for FOI & DPA (see attached). This means that public bodies receiving a subject access request from now on, will have to estimate whether the personal data held in unstructured manual systems/storage would cost more or less than £450 to provide and then proceed as follows:
a) if it would cost less than £450 the public body has the right to charge additional costs to cover disbursements such as photocopying and postage in order to provide this information.
b) if the volume of relevant personal data in unstructured filing systems would cost more than £450, (take more than 2 1/2 days) we could refuse to process this part of the request but it would be better if we either i) provided a limited amount within the £450 threshold or ii)charged full costs for dealing with the request for personal data held in unstructured manual systems.
Kind regards
Lynne Skipsey
Information Manager
Registry - Corporate Services
NHSU
Tel 07775 508113
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Paul Ticher
Sent: 13 December 2004 13:04
To: [log in to unmask]
Subject: Re: [data-protection] Unstructured personal data
No doubt others will correct me if I'm wrong, but I read it that s.68 of the Freedom of Information Act amends s.1(1)of the Data Protection Act to add a new fifth category of data: "recorded information held by a public authority [which] does not fall within any of paragraphs (a) to (d)". In effect, therefore, *all* recorded information held by a public authority is "data". If such data is also personal, it is therefore personal data and access would be available under the Data Protection Act, for a fee of up to £10, within 40 days and with the Data Protection Act restrictions - access would only be granted to the Data Subject and third party confidentiality would be protected, for example.
If it is not personal - i.e, post-Durant, not *about* an identifiable living individual - it would not be personal data and therefore access would not be available under the Data Protection Act, but under the Freedom of Information Act, for free and with shorter time limits provided the cost was within the limits.
Just thinking about how you would handle a collection which contains a mixture of personal and non-personal data makes me glad not to be a public authority DPO.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data for direct marketing purposes.
----- Original Message -----
From: "Kirsty Gray" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, December 13, 2004 12:19 PM
Subject: Unstructured personal data
Now that the FOIA fees regs have been laid before Parliament - anyone any idea what we do about 'unstructured' personal data post 01/01/05?
Reg 3 (the appropriate limit) "(1) This regulation has effect to prescribe the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act ..." then goes on to confirm FOIA fees of £600 for central government and £450 for other public authorities.
Reg 4 (estimating the cost of complying with a request - general) "...a relevant request is any request to the extent that it is a request (a) for unstructured personal data within the meaning of section 9A(1) of the 1998 Act and to which section 7(1) of that Act would, apart from the appropriate limit, to any extent apply..."
Does this mean that Durant is definately no longer applicable to the public sector? Must we estimate total cost of complying with a request for unstructured personal data? And either respond (under the limit) or choose to refuse unless full cost paid (over the limit)? Can we charge disbursements for responding (under the limit)? Is that as well as or instead of £10 SAR fee?
Has anyone seen any guidance from either DCA or ICO on this one? My search attempts this AM brought up nothing. Am I the only one totally confused?
Kirsty E Gray
Access to Information Advisor
Commission for Social Care Inspection
Note: comments for discussion and debate only and do not necessarily reflect the corporate position of CSCI nor constitute legal advice.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
*** This e-mail and any attachments are confidential and are intended only for the addressee(s). If you are not an intended recipient of this e-mail and have received it in error, please notify the sender immediately by reply e-mail and then delete it from your system.
This e-mail has been scanned for viruses by the NHSU WebShield Virus Scanner, but is not guaranteed free from viruses ***
|