Tuesday, 27 March 2012

What is the Freedom of Information Act 2000?

Many articles in the press or on TV mention using the Freedom of Information Act 2000 to obtain information... but what is this piece of legislation?
The Freedom of Information Act 2000 came into force in England and Wales on 1st January 2005. It applies to all non-personal information held by “Public Authorities” – e.g. NHS bodies; state educational bodies; central government; local government etc. This legislation replaces Codes of Practice for access to official information that existed previously.
If this law is about the information held by Public Authorities, just how powerful is it? Just ask an MP! One example of a journalist using this law to its fullest extent resulted in the MPs' Expenses Scandal. All the information about the MPs' “misuse” of public money came into the public domain as a direct result of a journalist requesting relevant information from the House of Commons (a “public authority”) and the MPs not being able to claim it was not in the public interest to publish!
What use is this for the ordinary person in the street? Anyone can make a request for information from a Public Authority, and the authority has to consider disclosing it and also whether or not to make it publicly available. There are rules, of course, but the general “rule of thumb” is to disclose unless there are very specific and justifiable reasons not to. This information may include policy information or contract information – the latter can help you grow your business. How much are they currently paying for a product/service? If one client had known in advance that a certain NHS Trust would not entertain working in their particular field of complementary therapy, a lot of ensuing problems on both sides would have been avoided! Another client wanted more detail about why a Bid failed with a school – it turned out that the school was only interested in working with a local company, but did not put this into the Specification – information we obtained using this law!

Monday, 5 March 2012

Data Protection and the construction industry "blacklist"

Did you see the big article on the front page of the Observer newspaper yesterday (4 March 2012) about the blacklisting that had been going on in the construction industry over three decades? They believe that lots of the data had come from the police and security services, which of course is topical at the moment because of the Leveson inquiry into phone hacking.
This story about the construction industry first broke into the public domain about three years ago.  Why is it relevant to aDaVista and the Data Protection Act 1998?  Well, it demonstrates the work of the Information Commissioner’s Office (ICO).  Bear with me while I explain the “case” and its relevance...
(Information taken from the Observer article and my memory of the case!).  Workers in the construction industry had heard rumours for years that a “blacklist” existed. This blacklist could prevent people getting work based on membership of trade unions and being perceived as “troublesome”.  Following a case taken to an Employment Tribunal four years ago, the ICO investigated and discovered the existence of a blacklist on a database held by the “Consulting Association” together with invoices from some of the UK’s biggest construction companies for employment checks. 
More civil cases through the tribunal system have followed and the latest has spurred the Observer article... especially as a representative from the ICO gave evidence that some of the data had come from the police and/or security services.  People often ask me how you can tell if there is other information that has not been provided by a company – if you work with personal data long enough then you can tell whether relevant information has been omitted or indeed where that data may have come from! 
PENALTIES
The ICO closed down the offices and fined Ian Kerr (the keeper of the data) £5,000.   What the Observer do not say is that this is the maximum civil penalty that the ICO can impose and they do not do this without significant evidence of damage to the individuals concerned. The Article states “...only 14 of Kerr’s clients were given enforcement notices, demanding they comply with the law.  In the three years since the blacklist was first revealed, only three people are understood to have successfully won a claim at a full employment tribunal.
The vast majority of those who have attempted to gain redress through the courts have failed” – Personally, this does not surprise me in the slightest!  Damages of this sort are particularly difficult to prove in legal terms as companies can easily state that there were other reasons for not employing someone!  Interestingly, no one seems to have been advised by lawyers to pursue damages under the terms of the Data Protection Act 1998.  Given that the ICO had enough solid evidence to close down the company and hand down the maximum penalty it could at the time, surely the evidence must exist to prove distress and damages to the personal data of the 3,200 individuals affected?  Still this is only my personal opinion...
We should now watch these cases with interest - precedents could easily be set that may help you in the future...

Sunday, 4 March 2012

THE DATA PROTECTION ACT 1998

THE DATA PROTECTION ACT 1998... is seen by many as more “useless red tape”...
BUT – is this really true? I am bound to argue “no” given my profession now, but I respect your right to make up your own mind!
The best place to start is to look at the Act as a whole – what’s it about?
The Data Protection Act 1998 replaces the Act of 1984. The previous legislation was about electronic processing of information, but this later one is about so much more! It applies across the United Kingdom and came into force gradually until, by 27th October 2007, it was all in place.
The Data Protection Act 1998 (“the DPA”) is primarily concerned with the individual’s information – retaining control over its use: is it being “processed” appropriately? Are there appropriate security measures in place to protect it?
“Processing”? – anything that you may do with personal information in a business environment! Holding it on a Post-it note; a collection of business cards; a database; a card index; invoices; emails... just a few examples of how businesses process personal data on clients/suppliers/staff...
How can the individual know if their data is being respected?  The Act sets out a framework for businesses to comply with so that an individual can tell!
- Working with the 8 Data Protection Principles
- Demonstrating compliance with policies, procedures and a “notification” (registration with the Information Commissioner’s Office (ICO)) - these all reflect the work of the individual business involved.

PLEASE REMEMBER that the information provided in these blog posts is designed to be general and apply equally to all types of business and all sectors. If you would like more details specific to your business then I am happy to arrange a free consultation to discuss further.