Print

Print

Peter,

Thanks for the response.  I think that 1(1)(e) is that broad considering what 1(5) says" In paragraph (e) of the definition fo "data" in subsection (1); the reference  to information 'held' by a public authority shall be construed in accordance with section 3(2) of the Freedom of Information Act 2000…….

 

When we turn to FOIA 3(2) information is held if (a) "it is held by the authority, otherwise than on behalf of another person, or (b) it is held by another person on behalf of the authority.

 

The FOIA covers any recorded information held by the authority. Therefore, it is broader than unstructured data.  Moreover, the officer may be bringing the information to the organisation in a private capacity, but by uploading the information on to the organisation's system they are acting in a public, not a private, capacity. 

In the McBride Tribunal decision it was noted the difficulty around s.3(2) as it is not defined by the FOIA in the way it is for other access regimes like EIR.  What is of interest, for my argument, is how far this reads into the DPA.

21. FOIA does not define what is meant by “held”. It does not use terms such as “power, possession or control” that are found in other legal contexts, nor does it adopt the language in The Environmental Information Regulations 2004 which provide that “held” means information that “is in the authority’s possession and has been produced or received by the authority.” What it does do, however, is to exclude from the disclosure requirements of FOIA, information that is held by a public authority on behalf of another person. By virtue of section 3(2), such information is not “held” by the public authority for the purposes of FOIA. Of course, information that a public authority holds on behalf of another person may be subject to disclosure if that other person is a public authority, but that would have to be as a result of a request made to that public authority.

 

The key issue, for my argument, would be whether 3(2)(a) would apply.  However, I would have to think through whether the reference DPA is stating this for FOIA purposes or for DPA purposes. An organisation could hold information that would not be subject to FOIA but could be covered by DPA in that it may not be disclosable to the public but it would be disclosable to the data subject under s.7.   (So if someone stores a diary in the Council strong room which contains personal information of others would it be held by the Council for the purposes of the FOIA?  If not, then would it still be held for the DPA?)  I am relying on this argument but would welcome any contrary views as I have not seen this tested (from my limited research.)

 

I have checked the ICO decision notices on s3(2) (a) and (b) and cannot find anything discussions the relationship of FOIA and DPA on this issue.  What has been discussed on the decision notices and the Tribunals, suggest that if the organisation can control, or delete, or modify the information, for its own purposes, it may begin to be considered to hold the information. (See for example: http://www.ico.gov.uk/~/media/documents/decisionnotices/2010/FS_50213395.ashx (The decision notice on the cash for honours scandal)  as well as the McBride Tribunal Decision : http://www.informationtribunal.gov.uk/DBFiles/Decision/i98/McBride.pdf (Which looked at whether the Privy Council Office (PCO) held information on behalf of the University Visitor.  In this decision, the Tribunal stated:

“This is not a situation where the information was simply on the PCO’s premises because, for example, the Visitor had left it there. The PCO managed and controlled the information, and in fact the PCO itself produced much of the information contained in the Visitor files. The PCO could edit or delete the  information, and it could decide whom to send it to or whom to withhold it from. Indeed, in response to the Appellant’s requests, it could have provided the information to the Appellant, and in fact, did provide some information.”.

The need to clarify whether an authority held the information on behalf of someone else and therefore not for the purposes of FOIA was clear in the Digby-Cameron Tribunal decision.

http://www.informationtribunal.gov.uk/DBFiles/Decision/i261/A.J.%20Digby-Cameron%20v%20ICO%20(EA-2008-0010)%20Decision%2016-10-08.pdf

In this tribunal decision, it looked at whether the Council held information on behalf of another (the Coroner) and that the fact that it was not held by the Council should have been made clear in the refusal notice.  For me, it is important whether the organisation can control the information on its system:

As part of this deliberation, it asked itself whether the Council had the right to amend or delete the information.

Most importantly, for my argument (obviously :) ) is the Shields case as the SIC asked specific questions about the control and disposition of information. http://www.itspublicknowledge.info/ApplicationsandDecisions/Decisions/2005/200500463.asp

 

“31. If an authority holds information on behalf of another person or organisation, it will not control that information in the same way as it would with information held in its own right. The authority would not have power to delete or amend that information without the owner’s consent; it would not be able to apply its own policies or procedures to it. It may have restricted access to it”.

In my scenario, this is definitely the case as it is on the organisation's system and they have the final say over the disposition of their electronic systems.

The SIC clarified the issue with the following questions that illustrate the extent and type of control being exercised in paragraph 12.

a) Can Parliamentary authorities ever require access to MSPs’ mail (or their staff or offices’ mail), or have any control over its use or disposal following delivery to his or her office?

b) Are MSPs’ e-mail and IT systems (and those of their offices) controlled by the Parliamentary authorities? Can Parliamentary system administrators access their accounts, modify them or view them without an MSP’s consent?

c) Do MSPs’ IT systems form part of the same network as that used by Parliamentary staff? Are they supported by the same staff, with the same access privileges as those supporting Parliamentary staff?

d) What (if any) systems are in place to ensure the privacy of MSPs’ communications and to avoid interference from Parliamentary authorities in their work.

I would argue that these points suggest that unlike the MSPs an officer in an organisation would fall under the control of the organisation and its systems and procedures. Therefore, the information would be held by the Council and therefore would be subject to the DPA.

 

On the schools issue, I would point out that the schools will have a contractual relationship with the Council regarding the use and disposition of their networks.  In that sense, the Council has consented to the use of the systems and for the schools to do their business through Council systems.  In that example, one could argue you are the data processor or data controller depending on what is done with the data.  However,  I am moving away from the central point which is about when is information held for the purposes of the data protection act.

 

In my example, the officer would be acting without consent of the organisation, which is the data controller for data held on its system.   The officer in question is uploading this into the system for storage and other processing.  What is clear is that storage of information is processing under the DPA.  The data controller for the organisation's system and the information held on that system is the organisation not the officer.  The officer is not acting in a private capacity when they use the organisation's systems because the systems are not theirs, they are the organisation's systems.

 

The key for me is that the organisation has not consented to receive the information on its system and once on its system it is held for the purposes of the FOIA (albeit against its will) and for the purposes of the DPA. (With the caveat mentioned above.)

 

Best,

Lawrence

 



Help protect our environment by only printing this email if absolutely necessary. The information it contains and any files transmitted with it are confidential and are only intended for the person or organisation to whom it is addressed. It may be unlawful for you to use, share or copy the information, if you are not authorised to do so. If you receive this email by mistake, please inform the person who sent it at the above address and then delete the email from your system. Durham County Council takes reasonable precautions to ensure that its emails are virus free. However, we do not accept responsibility for any losses incurred as a result of viruses we might transmit and recommend that you should use your own virus checking procedures.

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)