JISCMail - DATA-PROTECTION Archives

Email discussion lists for the UK Education and Research communities
Subscriber's Corner
Email Lists
DATA-PROTECTION Archives

data-protection@JISCMAIL.AC.UK

View:

Message:
[
First
Last
]
By Topic:
[
First
Last
]
By Author:
[
First
Last
]
Font:
Proportional Font
		LISTSERV Archives
		DATA-PROTECTION Home
		DATA-PROTECTION 1999
Options

Subscribe or Unsubscribe
Get Password
Subject:
RE: [Fwd: Re: Exam scripts - Personal Data Exempt - Marks Not]
From:
"Street, Terry" <[log in to unmask]>
Reply-To:
[log in to unmask]
Date:
Tue, 5 Oct 1999 18:11:31 +0100
Content-Type:
text/plain
Parts/Attachments:
text/plain (307 lines)
As requested here is more info re FOI & DPA 
firstly a snip from recent article about FOI based on Freedom of Information
Consultation Document (Cm 4355).
--------------------------------------------
Relationship to Data Protection
I highlighted in issue 68 the links drawn between these two areas of
legislation, it is established that the FOI Act will link to the Data
Protection Act in that if disclosure of personal information is permitted
under the DP Act then there will be a right to it under the FOI Act, and the
converse is true.

The paper confirms the view that the roles of Information and Data
Protection Commissioner will be combined. This is a change from the original
White Paper and is based on the fact that many requests for information may
involve elements of personal information and authorities will need to
co-ordinate the data protection issues and balance access and privacy
rights.  The Bill contains revisions to the Data Protection Act 1998 in
relation to public authorities and extends the coverage in respect of
accuracy and of subject access to all manual or non-automated files even if
they are not part of a "relevant filing system". Subject access is also
changed in that  relatively structured information will be treated as now
but the residual information will not be disclosed if it is not expressly
described in the request or if the cost to provide it would exceed the
prescribed cost ceiling.- 

secondly extracts from FOI bill showing amendments to DPA 1998.
----------------------------------------------------------------------------
--------------------

Public Bodies & Data Protection Act 1998
Amendments proposed in the FOI Bill 1999
Several amendments are proposed in the Freedom of Information Bill, that
only apply to public bodies. They are detailed below, 

Section 7(1) 
substitute for "sections 8 and 9" the words "sections 8, 9 and 9A"
Insert section 9A
(1) This section "unstructured personal data" means any personal data
falling within paragraph (e) of the definition of "data" in section 1(1),
other than information which is recorded as part of, or with the intention
that it should form part of, any set of information relating to individuals
to the extent that the set is structured by reference to individuals or by
reference to criteria relating to individuals.
(2) A public Authority is not obliged to comply with subsection (1) of
section 7 in relation to any unstructured personal data unless the request
under that section contains a description of the data.

(3) Even if the data are described by the data subject in his request, a
public authority is not obliged to comply with section (1) of section 7 in
relation to unstructured data if the authority estimates that the cost of
complying with that request so far as relating to those data would exceed
the appropriate limit.
(4) Subsection (3) does not exempt the public authority from its obligation
to comply with paragraph (a) of section 7(1) in relation to the unstructured
personal data unless the cost of complying with that paragraph alone in
relation to those data would exceed the appropriate limit.

(5) in Subsection (3) and (4) "the appropriate limit" means such amount as
may be prescribed by the secretary of State by regulations, and different
amounts may be prescribed in relation to different cases.

(6) Any Estimate for the purposes of this section must be made in accordance
with regulations under section 12(5) of the Freedom of Information Act
1999."

There are also revision to Data Protection Act regarding Manual data held by
public authorities this involves these changes 

Section 33 
	 insertion of a new clause 33A
 
33A.-(1) 
Personal Data falling within paragraph (e) of the definition of "data" in
section 1(1) are exempt from:-
(a) First, second, third, fifth seventh and eighth data protection
principles.
(b) The sixth principle in so far as it relates to rights conferred on data
subjects by sections 7 and 14.
(c) sections 10 to 12.
(d) Section 13, except so far as it relates to damage caused by a
contravention of section 7 or of the fourth data protection principle and to
any distress which is also  suffered by reason of that contravention.
(e) Part III.
(f) Section 55.
(2) Personal Data which falls under paragraph (e) of the definition of
"data" in section 1(1) and relate to appointments or removals, pay,
discipline, superannuation or other personal matters, in relation to:-
(a)Service in any armed forces of the crown
(b)service in any office or employment under the crown or under any public
authority, or
(c)service in any office or employment, or under any contract for services,
in respect of which power to take action, or to determine or approve the
action taken, in such matters is vested in Her Majesty, any minister of the
crown, or any public authority,

Is also exempt from the remaining data protection principles and the
remaining provisions of part II.
In section 55
In subsection (8) after "section 28" insert "or 33A"
In Section 16(1)
		Before the word "and" inserted 
"(ff) where the data controller is a public authority, a statement of that
fact,".
In section 34
		After the word "enactment" insert
 "other than an enactment contained in the Freedom of Information Act 1999"

> -----Original Message-----
> From:	[log in to unmask]
> [SMTP:[log in to unmask]]
> Sent:	Tuesday, October 05, 1999 2:53 PM
> To:	Street, Terry
> Cc:	DATA PROTECTION DISCUSSION GROUP
> Subject:	[Fwd: Re: Exam scripts - Personal Data Exempt - Marks Not]
> 
>   
> Correction to previous message (full text below). The following statement
> should have included the words 'some of' as follows: 
> 
> "Let us put the proposition that 'personal data' is the entire set of data
> held by the data controller which 'relates' to the individual concerned,
> even though some of it does not aid identification of the individual." 
> 
> -------- Original Message -------- 
> Subject: 	 Re: Exam scripts - Personal Data Exempt - Marks Not	 
> Date: 	 Tue, 05 Oct 1999 13:48:44 +0100	 
> From: 	 [log in to unmask]	 
> To: 	 "Street, Terry" <[log in to unmask]>	 
> CC: 	 [log in to unmask]	 
> BCC: 	 [log in to unmask]	 
> References: 	 <86FBC86D0511D21189B500805FD74AFA53D73E@CVTE203E>	 
> 
> Please do highlight the FOI amendments concerned.  If unstructured data is
> covered there is a related issue.  Also, what 'personal data' includes
> will remain relevant to others. 
> 
> The flaw in the argument regarding comments on scripts must lie in trying
> to separate the data that 'relates' to an individual into;- 
> 
> *	data which can be used to identify the individual; and,
> *	data which might be considered to 'relate' but does not contribute
> to identification of the individual
> 
> The issue of separating discrete items of data from the data set arose
> because the DPA 98 expressly exempts 'information recorded by candidates
> during .... an examination' from the subject access provisions of section
> 7.  This gave rise to a distinction between comments made by an examiner
> and other data, whether exempt or not falling within the 'personal data'
> definition. 
> 
> Instead of breaking up the data into discrete elements of 'personal' and
> other 'data', let us do the opposite. 
> 
> Let us put the proposition that 'personal data' is the entire set of data
> held by the data controller which 'relates' to the individual concerned,
> even though it does not aid identification of the individual. 
> 
> This begs another question.  What criteria should be used to decide what
> limit is to be put on the set of data which 'relates' to the individual
> under the DPA 98.  Is there no limit? 
> 
> A judge may well take a pragmatic view on a case by case basis, but a data
> controller has to plan for all potential cases. 
> 
> For example, the following may be items on a database: '51 No Through
> Road, Oldham is a magnificent road' and 'Fred Jones, 51 No Through Road,
> Oldham'.  Is the first statement to be considered part of the data set
> which relates to 'Fred Jones'? 
>   
> 
> "Street, Terry" wrote: 
> 
> I note that in the current FOI bill all public bodies have the coverage of
> 
> Data Protection extended to "unstructured" data too. 
> (unstructured = not forming part of a set of structured information) 
> I'm not sure if universities are treated as public bodies for this piece
> of 
> legislation but if so it might make some of this debate academic. 
> 
> I can highlight FOI amendments if you need details. 
> 
> Terry Street 
> Terry Street  Acting ALM Coventry 
> Strategic Support Manager, Siemens Business Services Coventry, 2nd Floor 
> Waters Court, Salt Lane, Coventry, CV1 2GX 
> note these new codes (024) and numbers 76xx xxxx become fully effective
> from 
> April 2000 in the interim you need to dial the full code even if making a 
> local call. 
> Tel.     024  76 831160   Mobile 0385 916060   fax.     024 76 831050 
> home 024 76 417574                Email [log in to unmask] 
> This message contains information which is confidential and may also be 
> privileged.  It is for the exclusive use of the addressee/s.  If you are
> not 
> the addressee, please note that any distribution, copying or use of this 
> message and the information is prohibited. If you receive this
> communication 
> in error, please advise the sender and delete it immediately. 
> The information on costs and charges is provided for indicative purposes 
> only and does not constitute an offer capable of acceptance. The views 
> expressed are those of the Author and do not represent the Company. 
> 
> > -----Original Message----- 
> > From: [log in to unmask] 
> > [SMTP:[log in to unmask]] 
> > Sent: Monday, October 04, 1999 4:59 PM 
> > To:   Charles Oppenheim 
> > Cc:   [log in to unmask] 
> > Subject:      Re: Exam scripts - Personal Data Exempt - Marks Not 
> > 
> > 
> > 
> > Charles Oppenheim wrote: 
> > 
> > I don't understand this argument.  The student is identifiable because
> on 
> > the front of the exam paper is his/her name or some other method of 
> > identifying him/her such as a registration number.  A set of exam
> scripts 
> > form a database that is searchable by student name.   So, the student is
> 
> > certainly identifiable from other data in the data controller's
> posession. 
> > 
> > Ergo, the  examination comments are personal data.  To argue that
> "because 
> > 
> > the comments *on their own* do not allow the student to be identified 
> > means 
> > the comments are not personal data" seems nonsensical to me.  Or am I 
> > missing something here? 
> > 
> > Professor Charles Oppenheim 
> > Dept of Information Science 
> > Loughborough University 
> > Loughborough 
> > Leics LE11 3TU 
> > 
> > Tel 01509-223065 
> > Fax 01509-223053 
> > 
> > 
> > If the definition of 'personal data' is interpreted strictly, for the 
> > comment to qualify as 'personal data' the student must be identifiable 
> > from the comment and other data in the data controller's possession. 
> > 
> > The definition is conjunctive.  It uses 'and', not 'or'. 
> > 
> > Your argument is that the student is identifiable because on the front
> of 
> > the exam paper is his/her name or some other method of identifying
> him/her 
> > such as a registration number. 
> > 
> > If you use that information you are not using the comment at all to 
> > identify the individual. 
> > 
> > If the definition said the individual had to be identifiable 'from that 
> > data or other data', the position would be different. 
> > 
> > Assume the comment is 'Good analysis'.  Assuming that comment can be 
> > considered to 'relate' to the individual, it still does not help
> identify 
> > an individual. 
> > 
> > It also does not aid identification even when combined with other 
> > information which does, such as the information on the front of the exam
> 
> > paper. 
> > 
> > I agree the argument does seem strange.  Part of the answer must be to 
> > read the 'and' as not exclusively conjunctive, but as meaning 'and/or'. 
> > 
> > Additionally, perhaps it is not valid to attempt to break up the data
> into 
> > discrete blocks and attempt to decide which data qualify under the DPA
> 98 
> > as 'personal' and which do not. 
> > 
> > Both these latter approaches have the disadvantage for the data
> controller 
> > (and advantage for the data subject) of making a wider data set fall 
> > within the definition of 'personal data'.  They are also a matter of 
> > construction and interpretation as the DPA 98 does not contain a
> complete 
> > answer.
> 
> -- 
> 
> From: 
> 
> Clifford G. Miller 
> CLIFFORD MILLER 
> Coborn House 
> Coborn Road 
> London E3 2DA 
> England 
> 
> <http://www.millercompany.demon.co.uk> 
> Tel: + 44 181 983 6688 
> Fax: + 44 181 983 6699 
>  


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Top of Message | Previous Page | Permalink
JiscMail Tools

Files Area | help
RSS Feeds and Sharing

Search Archives

Advanced Options