This page contains information that has appeared on Sandy Adirondack's legal update website for voluntary organisations at www.sandy-a.co.uk/legal.htm. For current updates, including potential changes that are in the pipeline, see the legal update website.

These websites for each chapter update the 3rd edition of The Russell-Cooke Voluntary Sector Legal Handbook by James Sinclair Taylor and the Charity Team at Russell-Cooke Solicitors, edited by Sandy Adirondack (Directory of Social Change, 2009). The websites are not intended as a comprehensive update and should not be treated as such.

To order a copy of The Russell-Cooke Voluntary Sector Legal Handbook, print out the order form at www.sandy-a.co.uk/bookserv.htm or send an email order by clicking . It costs £60 for voluntary organisations or £90 for others, plus 10% p&p.

Chapter 43
DATA PROTECTION AND USE OF INFORMATION

FREEDOM OF INFORMATION ACT: PUBLIC AUTHORITIES

Updated 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Ministry of Justice announced in January 2011 that it would extend the Freedom of Information Act (FOIA) to cover more bodies, including the Association of Chief Police Officers, the Financial Services Ombudsman and higher education admissions body UCAS, and would consult on bringing examination boards, some school inspectorates, the Local Government Association and some other bodies within the Act. The MoJ confirmed that although some specific named charities are covered under the FoIA, there is still no intention to extend FOIA to all charities, or to all contractors that provide services on behalf of public authorities.

In Scotland, the Scottish government consulted until November 2010 on proposals to extend the FOI (Scotland) Act 2002 (FOISA) to cover some contractors and other bodies that provide public services, such as trusts created by local authorities operating leisure and cultural facilities, or companies which run prisons and prison escort services, or which build and/or maintain schools. The consultation documents can be accessed via tinyurl.com/yzqx9en. The outcome of this consultation could mean that the FOIA and FOISA end up with different definitions of public authorities and "functions of a public nature".

Even if an organisation is not subject to FOIA or FOISA, information provided to a public body, for example as part of contract tender documents or monitoring of services, may need to be disclosed by the public body in response to a FOIA or FOISA request for information. And in some very specific cases, a court might find that a charity providing services on behalf of a public body is itself directly subject to the FOIA.

USING THE FREEDOM OF INFORMATION ACT FOR CAMPAIGNING

Added 19/12/11. This information updates s.43.2 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The National Council for Voluntary Organisations published in October 2010 a guide to using the Freedom of Information Act for campaigning at local and national levels. Voicing your right to know: A guide to using the FOIA in campaigning gives examples of how voluntary organisations have used to Act to obtain statistics and other information which can help in campaigning, and is at www.ncvo-vol.org.uk/yourrighttoknow. There's a summary of key points on the Guardian's Voluntary Sector Network at tinyurl.com/7bz8ock.

DISCLOSURE OF PERSONAL DATA IN FREEDOM OF INFORMATION & ENVIRONMENTAL INFORMATION REQUESTS

Added 19/12/11. This information adds a new s.43.2.3 ∧ 43.3.1 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Personal data as defined under the Data Protection Act is in most cases exempt from the Freedom of Information Act and the Environmental Information Regulations, and generally cannot be disclosed by public authorities in responding to a request under the FOIA or EIR. The intention of this exemption is to protect individuals’ privacy. However there are some exceptions, and organisations faced with a request which could involve disclosure of personal data should take specialist advice.

The Information Commissioner's Office issued updated guidance for these situations in March 2011. There is no direct link but it can be accessed from the ICO website via tinyurl.com/3f6fa57, then click on "Exemptions - freedom of information" then on "Section 40: personal information".

USING THE AUDIT COMMISSION ACT TO OBTAIN INFORMATION

Added 19/12/11. This information adds a new s.43.2.5 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Freedom of Information Act exemptions allow public authorities not to disclose, in some situations, information whose disclosure would prejudice the authority's commercial interests, and some confidential information. But under s.15 of the Audit Commission Act 1998 local authorities (but not other public bodies) are required to allow an individual or corporate local taxpayer to inspect and copy the "books, deeds, contracts, bills, vouchers and receipts" that relate to the local authority's audited accounts.

In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council, the court of appeal ruled in October 2010 that the Audit Commission Act requirement overrode the local authority's duty of confidentiality to Veolia, and contract details had to be disclosed to a local taxpayer who requested them. The decision is at www.bailii.org/ew/cases/EWCA/Civ/2010/1214.html.

While this allows organisations and individuals to access information about local authority contracts that would otherwise be unavailable, Unity Trust Bank has warned in a newsletter that "this case highlights one of the risks involved in contracting with local authorities and this should be borne in mind when considering whether to bid for these type of contracts".

Details of how to request information are in the Bates Wells & Braithwaite Charity and Social Enterprise Law Update, summer 2011, on p.14 at www.bwbllp.com/Files/Updates/CharityUpdateSummer2011.pdf.

DATA PROTECTION RESOURCES

Added 28/4/13. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office (ICO), which oversees data protection implementation and enforcement, provides one-day advisory visits for small and medium-sized charities and other voluntary organisations. The visits focus primarily on data security, records management and dealing with requests for personal data, but are tailored to each organisation and offer practical advice on improving data protection practices. Information about the visits and how to request one is at tinyurl.com/ct9694a.

Voluntary sector data protection expert Paul Ticher provides free or low-cost webinars (internet seminars) on data protection. Details and registration are at www.paulticher.com.

The ICO website at www.ico.gov.uk has detailed information about the Data Protection Act 1998 and related regulations. There are separate sections for organisations about their duties under the act, along with codes of practice and good practice guidance, and for individuals who may want to make a subject access request to see personal data held about them. New or recently revised ICO resources include:

• Bring your own device (BYOD), March 2013. This guidance covers the security vulnerabilities and other data protection concerns that can arise when employers permit employees to connect their personal computing devices (smart phones, tablets, laptops etc) to the organisation's IT systems. It is at tinyurl.com/br5xjhw.


• Draft subject access code of practice, November 2012. In 2011/12 the ICO handled nearly 6,000 complaints from individuals unhappy that organisations were denying them their statutory right to view information held about them. A new code of practice, to be published in spring 2013, aims to explain individuals' rights to subject access and organisations' legal responsibilities. Consultation on the draft code took place from 29 November 2012 to 21 February 2013. The draft code is at tinyurl.com/btmaefa, with the consultation questions at tinyurl.com/ckd2aqs.


• IT asset disposal for organisations, November 2012. This guidance is intended to help organisations securely dispose of their IT equipment. It includes what they need to consider when disposing of electronic equipment that may contain personal data, the use of asset disposal registers, and the arrangements that need to be in place when contracting IT disposal work to another company. It is at tinyurl.com/csqfqme.


• Anonymisation, November 2012. This code of practice and summary of the code cover the steps an organisation can take to ensure that anonymisation is conducted effectively, while retaining useful data. It is at tinyurl.com/con63ya.


• Cloud computing, September 2012. The guide includes questions and approaches an organisation should consider, in conjunction with a prospective cloud provider, in order to ensure that the processing of personal data done in the cloud complies with the Data Protection Act. It is at tinyurl.com/cnvgrmc.


• Practical guide to IT security, April 2012. A short guidance briefing, intended for small business but just as relevant to voluntary organisations. It covers using a layer approach to security; securing data on the move; keeping the organisation and its systems up to date; and keeping an eye out for problems. It is at tinyurl.com/bnlpnhn.

DATA PROTECTION BREACHES: COULD IT HAPPEN TO YOU?

Updated 23/2/14. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Since 6 April 2010 the Information Commissioner's Office has been able to impose monetary penalties (fines) of up to £500,000 if a breach of one or more of the eight data protection principles is likely to cause substantial damage or substantial distress, and either the breach was deliberate or the data controller knew or ought to have known there was a risk of serious breach and failed to take reasonable steps to prevent it.

Some of the monetary penalties imposed in the year from March 2013 to February 2014 are below.

Personal data sent to the wrong person

• Halton Borough Council Cheshire, £70,000, June 2013. A council employee sent a letter about an adopted child to its birth mother, and mistakenly included a covering letter giving details of the adoptive parents' home address. The ICO's investigation concluded that the breach was caused by the council's underlying failure to have a clear policy and process for checking such correspondence, and lack of relevant training for their staff.
  ICO news release tinyurl.com/ntsvuuy.


• North Staffordshire Combined Healthcare NHS Trust, £55,000, June 2013. Sensitive medical details of three patients were faxed to a member of the public instead of to the trust's Wellbeing Centre. The fax number was incorrectly dialled each time, and the trust only discovered this when the recipient told them. The ICO's investigation found that the trust's guidance required staff to phone ahead to be sure faxes were being sent to the right address and then to check they had been received, but this guidance had not been communicated to staff and they had received no specific training on the secure use of fax machines.
  ICO news release tinyurl.com/o3jf294.


• Bank of Scotland, £75,000, August 2013. Customers' account details, including payslips, bank statements, mortgage applications and contact details, that should have been faxed to a department within the bank were repeatedly faxed over a four-year period to a third party organisation and a member of the public. The organisation and individual had fax numbers that were one digit different from the correct one. Despite the bank being informed of the problem on numerous occasions the errors continued — and continued even after the receiving organisation had reported it to the Information Commissioner's Office and the ICO was in process of investigating the breaches.
  ICO news release tinyurl.com/prto5vv.


• Ministry of Justice, £140,000, October 2013. Along with an email about visiting a family member at HM Prison Cardiff, three inmates' families received an attachment with details of all 1,182 prisoners serving at the prison, including their names, ethnicity, addresses, sentence length, release dates and coded details of the offences. One family reported it; the other two didn't. The ICO's investigation found that there was a clear lack of management oversight at the prison, with the clerk who sent the emails working unsupervised despite only having worked at the prison for two months and having limited experience and training. A lack of audit trail also meant that the disclosures would have gone unnoticed if they had not been reported by one of the recipients. The investigation also found problems with the manner in which prisoners' records were handled, with unencrypted floppy disks regularly used to transfer large volumes of data between the prisons's two separate networks.
  ICO news release tinyurl.com/pqhmu9b.

For summaries and articles about cases, do a Google search on key words in the case name or content.

THE TOP FIVE DATA PROTECTION ISSUES FOR VOLUNTARY ORGANISATIONS

Added 28/4/13. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
The Information Commissioner's Office published in August 2012 its top five data protection areas for improvement for small and medium sized charities and other voluntary organisations, which may not have the resources to hire dedicated information specialists but often handle extremely sensitive information such as individuals' medical details. Failure to comply with data protection requirements in relation to such data could lead to a monetary penalty of up to £500,000.

The five areas identified by the ICO are:

1. Tell people what you are doing with their data. People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.


2. Make sure your staff are adequately trained. New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff. The ICO has a training checklist for small and medium sized organisations at www.tinyurl.com/d7xvzzo.


3. Use strong passwords. There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.


4. Encrypt all portable devices. Make sure all portable devices — such as memory sticks and laptops — used to store personal information are encrypted.


5. Only keep people's information for as long as necessary. Make sure your organisation has established retention periods in place, and set up a process for deleting personal information once it is no longer required.

DATA PROTECTION ROUND-UP

Added 17/3/10. This information updates s.43.3 in The Russell-Cooke Voluntary Sector Legal Handbook (VSLH3).
Lest anyone think that data protection is unimportant or does not apply to voluntary organisations: the Alzheimer's Society was in February 2010 found by the Information Commissioner to be in breach of the Data Protection Act 1998 duty to keep personal data secure, after several laptops were stolen during a burglary. The laptops were not locked away, and one contained unencrypted details of 1000 staff, including addresses and national insurance numbers. Ironically, the computers had been returned to the office for encryption.

The Society had to give an undertaking that "portable and mobile devices including laptops and other portable media used to store and transmit personal data, the loss of which could cause damage or distress to individuals, are encrypted using encryption software which meets the current standard or equivalent; physical security measures are adequate to prevent unauthorised access to personal data; staff are aware of the data controller’s policy for the storage and use of personal data and are appropriately trained how to follow that policy; and the data controller shall implement such other security measures as it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage". Further data protection breaches could lead to criminal prosecution.

In case you want to know what such a thing looks like, the Alzheimer's Society undertaking is at tinyurl.com/ylltcmp.

And to help ensure your organisation doesn't get into such trouble, here is some new and recent guidance.

Clearly ICT security is essential — not just in relation to data protection, but to protect all of your organisation's information. The 34-page Computanews guide to ICT security, published in October 2009, is essential reading for all organisations. It covers how to assess the risks and policies needed, how computer security is affected by people and by the environment in which it is used (including public access computers and homeworking), specific steps to secure assets (everything from passwords through to end point security and the end of the computer's life), and checklists for assessing and dealing with risks. All that — and cartoons too. Download from tinyurl.com/ykxxlm3.

The Information Commissioner's Office issued in December 2009 a plain English guide to data protection, with an explanation about each of the eight data protection principles and practical examples of how they apply in practice. The guide can be accessed via tinyurl.com/372h3z.

The Trades Union Congress has produced guidance on the law on access to medical reports that are requested by the employer. The guidance also looks at how unions and safety representatives can ensure that the rights of workers are protected. It is at www.tuc.org.uk/h_and_s/tuc-17272-f0.cfm.

The consultation on the Information Commissioner's Office's draft guidance on collecting information online closed on 5 March 2010. The guidelines include broad principles such as not being secretive or deceptive in how personal data is handled; not trying to gain an advantage by using personal data in a way that people wouldn't expect or might object to; not collecting personal data that is not needed; ensuring adequate data security; and not ignoring the laws of other countries from which personal data is collected. The consultation documents are at ico-consult.limehouse.co.uk/portal/cop/pio.

British Standard 10012 on personal information management systems, designed to ensure compliance with the Data Protection Act, was issued in May 2009 and covers issues such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties. It costs £50 for BSI members and £100 for others. Information is at tinyurl.com/y89wer8.

The annual fee for notification to (registration with) the Information Commissioner's Office increased to £500 on 1 October 2009, for organisations in the public, private, or non-charitable voluntary sector with annual turnover of £25.9 million or more and 250 or more staff. The fee remains £35 for all charities, regardless of size, and for public, private, or non-charitable voluntary organisations below the threshold. The Data Protection (Notification and Notification Fees)(Amendment) Regulations 2009 are at www.opsi.gov.uk/si/si2009/plain/uksi_20091677_en.

Organisations which transfer personal data outside the European Economic Area (EU + Iceland, Liechtenstein and Norway) need to be aware of a decision by the European Commission on 5 February 2010. This requires, for new contracts with outsourcing companies, written consent for processing of personal data to be sub-contracted. Useful information is available at www.out-law.com/page-8169.

SANDY ADIRONDACK
Governance and legal training and consultancy
for the voluntary sector
39 Gabriel House, 10 Odessa Street, London SE16 7HQ
Tel 020 7232 0726; fax 020 7237 8117
Email:
Web: www.sandy-a.co.uk