Peter,
Thanks for the response. I think that 1(1)(e) is that broad considering what 1(5) says: "In paragraph (e) of the definition of "data" in subsection (1); the
reference to information 'held' by a public authority shall be construed in accordance with section 3(2) of the Freedom of Information Act 2000……."
When we turn to FOIA 3(2) information is held if (a) "it is held by the authority, otherwise than on behalf of another person, or (b) it is held by another
person on behalf of the authority."
The FOIA covers any recorded information held by the authority. Therefore, it is broader than unstructured data. Moreover, the officer may be bringing the
information to the organisation in a private capacity, but by uploading the information on to the organisation's system they are acting in a public, not a private, capacity.
In the McBride Tribunal decision the difficulty around s.3(2) was noted, as it is not defined by the FOIA in the way it is for other access regimes like EIR.
What is of interest, for my argument, is how far this reads into the DPA.
21. FOIA does not define what is meant by “held”. It does not use terms such as “power, possession or control” that are found
in other legal contexts, nor does it adopt the language in The Environmental Information Regulations 2004 which provide that “held” means information that “is in the authority’s possession and has been produced or received by the authority.” What it does do,
however, is to exclude from the disclosure requirements of FOIA, information that is held by a public authority on behalf of another person. By virtue of section 3(2), such information is not “held” by the public authority for the purposes of FOIA. Of course,
information that a public authority holds on behalf of another person may be subject to disclosure if that other person is a public authority, but that would have to be as a result of a request made to that public authority.
The key issue, for my argument, would be whether 3(2)(a) would apply. However, I would have to think through whether the reference DPA is stating this for
FOIA purposes or for DPA purposes. An organisation could hold information that would not be subject to FOIA but could be covered by DPA in that it may not be disclosable to the public but it would be disclosable to the data subject under s.7. (So if someone
stores a diary in the Council strong room which contains personal information of others would it be held by the Council for the purposes of the FOIA? If not, then would it still be held for the DPA?)
I am relying on this argument but would welcome any contrary views as I have not seen this tested (from my limited research.)
I have checked the ICO decision notices on s3(2) (a) and (b) and cannot find anything discussing the relationship of FOIA and DPA on this issue. What has
been discussed in the decision notices and the Tribunals suggests that if the organisation can control, or delete, or modify the information, for its own purposes, it may begin to be considered to hold the information. (See for example:
http://www.ico.gov.uk/~/media/documents/decisionnotices/2010/FS_50213395.ashx (the decision notice on the cash for honours scandal) as well as the McBride Tribunal Decision:
http://www.informationtribunal.gov.uk/DBFiles/Decision/i98/McBride.pdf, which looked at whether
the Privy Council Office (PCO) held information on behalf of the University Visitor.) In this decision, the Tribunal stated:
“This is not a situation where the information was simply on the PCO’s premises because, for example, the Visitor had left it there. The PCO managed and controlled the information, and in fact the PCO itself produced much of
the information contained in the Visitor files. The PCO could edit or delete the
information, and it could decide whom to send it to or whom to withhold it from. Indeed, in response to the Appellant’s requests, it could have provided the information to the Appellant, and in
fact, did provide some information.”
The need to clarify whether an authority held the information on behalf of someone else and therefore not for the purposes of FOIA was clear in the Digby-Cameron
Tribunal decision.
In this tribunal decision, it looked at whether the Council held information on behalf of another (the Coroner) and that the fact that it was not held by the
Council should have been made clear in the refusal notice. For me, it is important whether the organisation can control the information on its system:
As part of this deliberation, it asked itself whether the Council had the right to amend or delete the information.
Most importantly, for my argument (obviously :) ) is the Shields case as the SIC asked specific questions about the control and disposition of information.
http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2005/200500463.asp
“31. If an authority holds information on behalf of another person or organisation, it will not control that information in the same way as it would with information held in its own right. The authority would not have power
to delete or amend that information without the owner’s consent; it would not be able to apply its own policies or procedures to it. It may have restricted access to it”.
In my scenario, this is definitely the case as it is on the organisation's system and they have the final say over the disposition of their electronic systems.
The SIC clarified the issue with the following questions that illustrate the extent and type of control being exercised in paragraph 12.
a) Can Parliamentary authorities ever require access to MSPs’ mail (or their staff or offices’ mail), or have any control over its use or disposal following delivery to his
or her office?
b) Are MSPs’ e-mail and IT systems (and those of their offices) controlled by the Parliamentary authorities? Can Parliamentary system administrators access their accounts, modify them or view them without an MSP’s consent?
c) Do MSPs’ IT systems form part of the same network as that used by Parliamentary staff? Are they supported by the same staff, with the same access privileges as those supporting Parliamentary staff?
d) What (if any) systems are in place to ensure the privacy of MSPs’ communications and to avoid interference from Parliamentary authorities in their work.
I would argue that these points suggest that unlike the MSPs an officer in an organisation would fall under the control of the organisation and its systems
and procedures. Therefore, the information would be held by the Council and therefore would be subject to the DPA.
On the schools issue, I would point out that the schools will have a contractual relationship with the Council regarding the use and disposition of their networks.
In that sense, the Council has consented to the use of the systems and for the schools to do their business through Council systems. In that example, one could argue you are the data processor or data controller depending on what is done with the data. However,
I am moving away from the central point which is about when information is held for the purposes of the Data Protection Act.
In my example, the officer would be acting without consent of the organisation, which is the data controller for data held on its system. The officer in question
is uploading this into the system for storage and other processing. What is clear is that storage of information is processing under the DPA. The data controller for the organisation's system and the information held on that system is the organisation not
the officer. The officer is not acting in a private capacity when they use the organisation's systems because the systems are not theirs, they are the organisation's systems.
The key for me is that the organisation has not consented to receive the information on its system and once on its system it is held for the purposes of the
FOIA (albeit against its will) and for the purposes of the DPA. (With the caveat
mentioned above.)
Best,
Lawrence
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html