Access to information legislation
Freedom of Information Act 2000 - A summary
The purpose of this summary is to assist you in exercising your
rights, by highlighting some of the areas of the Act which are of
particular relevance. Please note that although every effort is
made to ensure that the information provided is correct the City of
London does not take responsibility for any inaccuracies.
The Act
The Freedom of Information Act 2000 became
law on 30 November 2000, and comes into full effect on 1 January
2000. It is fully retrospective, which means that it applies to
all information held by the public authorities which are subject
to the Act, regardless of when the information was recorded.
The purposes of the Act are summarised in the
Act’s Explanatory Notes. These state that the
Act
- provides a right of access to recorded information held by
public authorities
- creates exemptions from the duty to disclose information
- establishes the arrangements for enforcement and
appeal
Information Commissioner
The Information Commissioner is responsible for
ensuring compliance by public authorities with the Data Protection
Act 1998 and the Freedom of Information Act 2000. This may involve
monitoring, issuing guidance or taking formal steps to enforce
compliance with the acts. The Information Commissioner is a Crown
appointment, reporting directly to Parliament.
Information Tribunal
Where the Information Commissioner makes a formal decision about
an alleged failure to comply with the Data Protection Act 1998 or
the Freedom of Information Act 2000, with which any of the parties
concerned is dissatisfied, appeal can be made to the Information
Tribunal. The functions and operation of the Information Tribunal
are described in the acts. The chairman is appointed by the Lord
Chancellor.
General right of access to information
The key feature of the Freedom of Information Act 2000 is that,
from 1 January 2005, it provides a general right of access to
information held by those public authorities which fall within the
scope of the Act.
Information held by a public authority is information
- which is held by the authority (except for information it holds
on behalf of another person)
- and information held by another person on behalf of the
authority
In principle, subject to exemptions to disclosure, the right of
access exists from the moment the information exists.
This right of access comes into effect in two stages. The first
stage required the production of a Publication Scheme by each
public authority by June 2004, describing the information which
they routinely make public.
In the second stage, the Freedom of Information Act provides a
general right of access to all information held by public
authorities which are subject to the Act, with effect from 1
January 2005.
New approach to disclosure
Subject to exemptions to disclosure, the right of access to
information exists from the moment the information is recorded.
This is a new approach to access to information held by public
authorities, creating a presumption of openness rather than of
closure.
Information or records?
It is important to note that the Freedom of Information Act 2000
refers to information, rather than to records, even though it is
also concerned with standards of record keeping for assisting
access to information. The emphasis on information means that it is
not a question of whether individual records (in any media) are
open or closed, but of the extent to which the information contained
within them is open or closed. In many cases, parts of the
information may be exempt from disclosure and parts may not. The
non-exempt information must be made available.
Publication schemes
Purpose of publication schemes
Under the Act, each public authority has had to produce a
Publication Scheme, setting out
- what classes of information the authority will make available
as a matter of course
- how and when it will do so
- and what costs will be charged for provision of the
information, if any
A Publication Scheme is in effect a catalogue of information,
rather than the information itself. ‘Publication’ does not just
mean ‘to publish’ in the traditional sense that a book is said to
be published. It also means information available by any means -
from copies made available on the Internet site of a public
authority or in photocopied form, to the possibility of viewing
original records in an archive office of a public authority.
Exempt information
Because the information listed in a Publication Scheme is
already published - ie made available to you by other means - the
information is exempt from the usual access requirements under the
Freedom of Information Act. This includes exemption from the
obligation to respond to a request for information under the Act,
and from the government’s Fees Regulations.
Format and amendments
Public authorities are allowed to publish the schemes in such
manner as they think fit. But the schemes have to be approved by
the Information Commissioner. It is the duty of public authorities
to review their publication schemes from time to time. No time
period is laid down for this review. Any alteration in the
categories of classes of information listed in a Scheme has to be
approved by the Information Commissioner.
Request for information
The term ‘request for information’ is a commonly used one in the
Freedom of Information Act 2000. It refers to the process of
requesting information under the Act. The right to request
information came into force on 1 January 2005.
A request for information is a request which is:
- made legibly in writing (this includes by electronic
means)
- states the name of the applicant and an address for
correspondence
- and describes the information requested.
The Act states that
Any person making a request for information to a public
authority is entitled - (a) to be informed in writing by the public
authority whether it holds information of the description specified
in the request, and (b) if that is the case, to have that
information communicated to him.
This means that from 1 January 2005 every written enquiry
directed to public authorities, by anyone, must be considered in
the first instance within the context of the Act to see whether it
falls within an exemption under the Act. For example, information
which is ‘Personal Data’ under the Data Protection Act 1998 is an
absolute exemption under the Freedom of Information Act when access
to the data is requested by the person to whom the data relates.
Therefore, in this situation, the request remains subject to the
Data Protection Act.
The Act sets out exemptions to disclosure from the right of
access, and also some other grounds which concern refusal of access
on administrative grounds. There may also be a claim that the duty
to confirm or deny the existence of information is not required.
When refusing access to information, a notice of refusal must be
given to the applicant.
Duty to confirm or deny the existence of information
The Freedom of Information Act 2000 states that
Any person making a request for information to a public
authority is entitled - (a) to be informed in writing by the public
authority whether it holds information of the description specified
in the request….
This is called by the Act the ‘duty to confirm or deny’.
A public authority which communicates to the applicant
information which has been requested is taken to have complied with
the duty to confirm or deny the existence of the information.
Exempt information is not just exempt from disclosure. It is
also exempt from the duty to confirm or deny the existence of
information. Some exemptions include an absolute exemption from
this duty. Under other exemptions the prejudice test and/or the
public interest test must be applied.
Means of communicating the information
When a request for information is made, public authorities are
expected, so far as is reasonable, to provide the information in
the way that the applicant has requested, if it is by “one or more”
of the following means: permanent form (eg paper); the opportunity
to inspect the records containing the information; or being
provided with a summary of the information.
In determining what is reasonable, the costs of providing the
information in the manner requested may be taken into account.
Where an authority decides a request for a particular way of
communicating is not reasonable, it must notify the applicant of
its reasons.
Response times
The following are the required response times to a request for
information.
Information to which an exemption does not apply
Where there are no exemptions to disclosure, a public authority
must provide the information no later than 20 working days after
the day a request for information is received. The exceptions to
this relate purely to certain administrative matters.
Information subject to absolute exemptions
Where the exemptions to disclosure that apply to the information
requested are absolute exemptions (ie the prejudice test and
the public interest test do not apply), a public authority must
notify the applicant of this not later than 20 working days after
the day a Request for Information is received (which day need not
be a working day).
Information subject to qualified exemptions
A qualified exemption is one of the exemptions to disclosure to
which a prejudice test and/or the public interest test applies. If
the public interest test is being considered in relation to an
exemption to the duty to confirm or deny the existence of
information, and to disclosure of the information, a public
authority should still attempt to make a decision and (if
appropriate) provide the information within 20 working days. But if
it cannot do so, it can comply within the time limit which is
reasonable in the circumstances. However, the applicant must still
be informed by a notice, within 20 working days, that an exemption
applies, that the public interest test is being applied, and of the
estimated date by which it is expected a decision will be made.
Fees
Fees in relation to requests for information
It is not obligatory to charge fees. If they are charged they
must not exceed those stated in the Government Fees
Regulations (issued under Statutory Instrument 2004, No 3244).
Fees in relation to information provided through a publication
scheme
It should be noted that charging for information made available
through publication schemes is exempt from the fees regulations,
and that authorities must determine for themselves the extent of
their power to charge for publications.
Notice of refusal
The Act sets out exemptions to disclosure (including exemptions
to the duty to confirm or deny the existence of information), and
also some other grounds for refusal of access on administrative
grounds.
Whatever the reason for refusing to confirm or deny the
existence of information, or for refusing to disclose the
information itself, the public authority must normally issue a
notice to the applicant within the statutory response time of 20
working days, unless certain conditions apply. The notice must
- state the fact of refusal
- specify the exemption in question
- and state (if that would not otherwise be apparent) why the
exemption applies.
Refusal of access on administrative grounds
Apart from the applicability of specific exemptions to
disclosure because of the information itself, the Freedom of
Information Act 2000 allows for a request for information to be
refused on other grounds which are administrative, as follows.
Request for information is insufficiently specific
More information is reasonably required in order to identify and
locate the information requested, and the applicant has been
informed of this.
Fees have not been paid
When a request for information has been received, a public
authority is permitted to issue a ‘Fees Notice’ stating a specified
amount to be charged for responding to the request. When the fees
notice has been issued, the 20 working day response time stops
until the fee is paid. When the fee is paid, the residue of the 20
days is the amount of time left within which to respond. If the fee
is not paid within 3 months, the request is considered to have
lapsed.
Appropriate limit of chargeable costs is exceeded
Public authorities are not obliged to comply with a request for
information if the authority estimates that the cost of complying
would exceed the amounts it is allowed to charge. The public
authority should, though, consider giving an indication of what
information could be provided within the costs ceiling.
Public authorities still have, subject to exemptions to
disclosure, a duty to confirm or deny the existence of information
which has been requested, unless the estimated cost of complying
with this alone would exceed the amount chargeable.
Requests for information are vexatious or repeated
Where a public authority has previously complied with a request
for information from someone, it is not obliged to comply with a
subsequent identical or substantially similar request from that
person unless a reasonable interval has elapsed.
Historical record
The Act states that a record becomes a ‘historical record’ at
the end of 30 years beginning with the calendar year following that
in which it was created. The Act also provides that certain
exemptions under the Act will not apply to historical records. So,
in these cases, if an exemption to disclosure of information were
to apply up to the end of the 30 years, it could no longer apply
after 30 years.
In addition, the Act provides that, with regard to certain other
exemptions to disclosure, if the exemptions are found to apply, the
information can be closed for even longer than 30 years (ie 60 or
100 years) before the information has to be disclosed.
Under some exemptions, the information can be closed for as long
as certain exemptions are found to apply.
Nevertheless, the important point is that, from 1 January 2005,
information is immediately open unless an exemption applies. The
general application of a closure period of 30 years (or more) to
information is no longer possible. Information can only be closed
if an exemption applies and it can only continue to be closed as
long as the Freedom of Information Act permits the application of
the exemption.
Prejudice test
Some of the exemptions to disclosure under the Freedom of
Information Act 2000 are subject to a ‘Prejudice Test’. This is an
examination of whether there is a substantial expectation that harm
would be likely to result from disclosure of information. The
‘harm’ is that which is likely to occur to the particular interest
that the exemption is aimed at protecting.
As a public authority cannot restrict the use that is made of
the information disclosed under the Act, the harm that is
calculated is that resulting from an unrestricted disclosure and
not just from disclosure to the applicant.
Public interest test
Of the 23 exemptions to disclosure under the Freedom of
Information Act 2000, 16 are subject to a Public Interest Test.
The ‘Public Interest Test’ is an examination of whether the
public interest in information being disclosed may outweigh the
public interest in an exemption to disclosure being maintained. The
‘public interest’ does not refer to something that is of interest
to the public, rather it signifies something that is in the
interest of the public, that is, for the common welfare.
The competing interests to be considered are the public interest
favouring disclosure against the public (rather than private)
interest favouring the withholding of information. There could be a
private interest in withholding information which may reveal
incompetence on the part of, or corruption within, a public
authority or which would simply cause embarrassment to the
authority. However, the public interest will favour accountability
and good administration. It is this interest that must be weighed
against the public interest in not disclosing the information.
Where the balance between disclosure and withholding the
information is seen as equal when applying the Public Interest
Test, the information must be released.
The ‘Public Interest’ is not defined in the Act, and so will
probably be more closely determined by the decisions of the
Information Commissioner, the Information Tribunal, and the courts.
The Information Commissioner’s
FOI Awareness Guidance No 3 - The Public
Interest Test should be consulted.
The Information Commissioner has indicated the following public
interest factors that would encourage the disclosure of
information
- Furthering the understanding of, and participation in, the
public debate of issues of the day
- Promoting accountability and transparency by public authorities
for decisions taken by them
- Promoting accountability and transparency in the spending of
public money.
- Allowing individuals to understand decisions made by public
authorities affecting their lives and, in some cases, assisting
individuals in challenging those decisions.
- Bringing to light information affecting public
safety.
A Public Interest Test was part of the operation of the Open
Government Code of Practice on Access to Government Information
(1994). The Open Government Code is superseded by the Freedom of
Information Act on 1 January 2005. Although the Code is not
statutory and applies to a much smaller number of public
authorities, the Public Interest Test which is applied under the
Code has been, according to the Information Commissioner, identical
to that required under the Freedom of Information Act. Therefore,
summaries of cases considered under the Code can provide guidance,
and these can be found on the website of the
Parliamentary and Health Service Ombudsman. The
‘Public Interest Test’ should not be confused with the ‘Prejudice
Test’.
Exemptions to disclosure
In addition to the possibility of refusal of access on
administrative grounds, there are exemptions to disclosure of
information because of the subject matter of the information which
is requested. These are sometimes referred to as the ‘information
exemptions’, and they form the main body of exemptions under the
Freedom of Information Act 2000.
It is useful to divide the 23 exemptions into the following four
categories:
(i) Absolute exemptions
(1) The information is accessible to an applicant by other means
(for example, it is listed in a Publication Scheme).
(2) Information supplied by, or relating to bodies dealing with
security matters.
(3) Court records.
(4) Information subject to parliamentary privilege.
(5) Information provided in confidence.
(6) Where there is a prohibition on disclosure by other
legislation.
These exemptions are absolutely exempt from the access
provisions of the Freedom of Information Act 2000. This includes
exemption from
- the duty to confirm or deny the existence of information
- the requirement to disclose the information requested
- the public interest test
- the prejudice test
(ii) Partly absolute exemptions
There are 2 ‘partly absolute’ exemptions
(1) Where disclosure would prejudice the effective conduct of
public affairs. The information is subject to the prejudice test
and the public interest test if the information is held by a public
authority other than central government.
(2)
(a) Information which constitutes ‘personal data’ under the Data
Protection Act 1998, and is requested by the ‘data subject’ (ie
subject of the data), or on their behalf, is absolutely exempt and
must instead be dealt with under the Data Protection Act
1998.
(b) Where requests are made for ‘personal data’ by someone other
than the subject of the data, the exemption is absolute if
disclosure would breach the Data Protection principles. If they
would not be breached, but a notice from the data subject has
indicated that disclosure to the other person would cause him/her
(the data subject) damage or distress, or an exemption applies
which would prevent access by the data subject under the Data
Protection Act, the public interest test then applies. If the
public interest test finds in favour of disclosure, the information
should be disclosed, unless another exemption under the Freedom of
Information Act applies.
(iii) Qualified exemptions - subject to the public interest
test
This relates to the following classes of information
(1) Information intended for future publication.
(2) Information relating to national security.
(3) Investigations and proceedings conducted by public authorities
in relation to possible civil actions and criminal prosecutions in
the courts.
(4) Information held by a government department concerned with the
formulation of government policy.
(5) Information relating to the conferring of honours by the Crown
or to any communications with the Royal Family or Household.
(6) Information the disclosure of which may endanger anyone’s
health, or mental health, or safety.
(7) Environmental information. (Environmental information will be
exempt if it falls under the proposed new Environmental Information
Regulations).
(8) Legal professional privilege.
(iv) Qualified exemptions - subject to the prejudice test and
public interest test
This relates to information the disclosure of which would
prejudice
(1) National defence.
(2) International relations.
(3) Relations between the central government executives of the
countries forming the United Kingdom.
(4) The economy.
(5) Law enforcement.
(6) Audit functions of other public authorities.
(7) Commercial interests.
Practice recommendations to public authorities
If it appears to the Information Commissioner that the practice
of a public authority in relation to the exercise of its functions
under the Freedom of Information Act 2000 does not conform with
that proposed in the codes of practice required under the Act, the
Commissioner may issue a ‘practice recommendation’ specifying steps
which ought to be taken to ensure conformity.
Complaint procedures
The following are the steps which can be taken by a person
complaining (the ‘complainant’) about the nature of a public
authority’s compliance with the Freedom of Information Act
2000.
Step 1: Complaints procedures of public authorities
Public authorities must have a fair and impartial in-house
procedure for dealing with complaints and reviewing decisions in
relation to the Act. In the first instance, the complainant must
make their complaint, in writing, using this procedure.
Step 2: Information Commissioner
If complainants consider that the in-house complaints procedures
of a public authority have not brought the appropriate decision,
and they wish to take their complaints further, they must complain
to the Information Commissioner. The Commissioner has
to make a decision on a complaint about a public authority
unless
- the public authority’s own complaints procedure has not been
exhausted, or
- there has been too long a delay in the complaint being
made
- or the complaint is vexatious or frivolous
Step 3: Information Tribunal
If complainants consider that the Information Commissioner has
not come to an appropriate decision about their complaints, and
they wish to take their complaints further, they must apply to the
Information Tribunal.
Step 4: High Court
If complainants consider that the Information Tribunal has not
come to an appropriate decision about their complaints, they can
apply to the High Court. However, they can only apply to the High
Court on a point of law rather than the facts of the case.
Enforcement procedures
Information notice
In order to make decisions about complaints against authorities,
the Information Commissioner has powers to obtain
information - including unrecorded information - from an authority
by issuing an ‘information notice’. An authority is not required to
supply the Commissioner with information that was passed between a
professional legal adviser and the authority on matters relating to
the Act.
Decision notice
The Information Commissioner, on weighing up the matter, may
inform the complainant that he does not wish to make a decision
against the public authority, and of his grounds for not doing so.
In this case, the complainant can appeal to the Information
Tribunal.
On the other hand the Commissioner, on weighing up the matter,
may find in favour of the complainant and issue a ‘decision notice’
specifying the steps which must be taken by the public authority to
comply.
Enforcement notice
The Information Commissioner may serve an ‘enforcement notice’
on a public authority if he is satisfied that the authority has
failed to comply with the requirements of the access to information
provisions (ie Part I) of the Act. It would require the authority
to comply within a specified time, and specify the steps to be
taken in order to comply.
Powers of entry and inspection
If a judge is satisfied by information supplied by the
Information Commissioner that there are reasonable grounds for
suspecting that a public authority has failed or is failing to
comply with
- any of the requirements of the Access to Information provisions
(ie Part I) of the Act, or
- so much of a Decision Notice as requires steps to be taken,
or
- an Information Notice or an Enforcement Notice
then the judge may grant the Commissioner a warrant giving
powers to
- enter and search premises
- inspect and seize documents
- inspect equipment in which information may be stored.
Contempt of Court
If a public authority fails to comply with an information
notice, a decision notice, or an enforcement notice, the
Information Commissioner may certify this in writing to the High
Court. After enquiring into the matter, hearing witnesses and any
statement offered in defence, the High Court may deal with the
authority as if it had committed a contempt of court.
Appeal procedures
Public authorities and complainants have a right of appeal to
the Information Tribunal against a decision notice served by the
Information Commissioner.
Public authorities may also appeal to the Information Tribunal
against an information notice or an enforcement notice served by
the Information Commissioner.
Appeal against a decision by the Information Tribunal can be
made to the High Court by any party, but only on a point of
law.
Civil proceedings
Unlike under the Data Protection Act 1998, the Freedom of
Information Act 2000 does not confer any right of civil action in
the courts by a complainant against a public authority in respect
of any failure to comply with the Act. Appeal against a decision by
the Information Tribunal can be made to the High Court by any
party, but only on a point of law, not on the facts of the
case.
Freedom of Information - useful external links
Information Commissioner’s Office (ICO)
ICO home page
Freedom of Information
Compliance with the Data Protection Act 1998, The Privacy and
Electronic Communications (EC Directive) Regulations 2003, and the
Freedom of Information Act 2000, is monitored by the Information
Commissioner, a Crown appointment, reporting directly to
Parliament.
On the Information Commissioner’s website can be found
The Freedom of Information Act 2000: An
Introduction, which provides the Information Commissioner’s
general guidance on the Act.
Topics are also covered in a more specific way, for example in
the Information Commissioner’s
FOI Awareness Guidance series.
Department for Constitutional Affairs (DCA)
DCA home page
DCA: Freedom of Information
The Department for Constitutional Affairs is the government
department which during 2003 superseded the Lord Chancellor’s
Department. The department is the government department responsible
for upholding justice, rights and democracy. This includes keeping
the operation of the Freedom of Information Act 2000 and the Data
Protection Act 1998 under review. The Department’s website contains
guidance on issues in relation to the acts.
Codes of practice
There are two codes of practice which were required by the
Freedom of Information Act to be produced by the Lord Chancellor’s
Department (which was superseded in 2003 by the Department for
Constitutional Affairs), and to be revised as appropriate from time
to time. These were produced in November 2002, and no revisions
have yet taken place. The codes are
1. Secretary of State for Constitutional Affairs' Code
of Practice on the Discharge of Public Authorities Functions under
Part 1 of the Freedom of Information Act 2000 issued under Section
45 of the Act
2. Lord Chancellor’s Code of Practice on the
Management of Records issued under section 46 of the Freedom of
Information Act 2000
Her Majesty’s Stationery Office (HMSO)
HMSO home page
Search page (this is useful for finding
copies of Acts and Statutory Instruments)
The HMSO provides online viewing of Acts, Statutory Instruments,
Explanatory Notes (to legislation), etc.
Campaign for Freedom of Information (CFI)
CFI home page
The Campaign for Freedom of Information campaigns against
unnecessary official secrecy and for freedom of information. It
monitors existing access rights and provides practical guides to
help people use them.
The Constitution Unit, University College London (UCL)
UCL home page
The Constitution Unit is a UK independent research body on
constitutional change. The Unit is based in the School of Policy at
University College London and conducts a programme of research,
training, consultancy and advice. It has developed a close interest
in Data Protection and Freedom of Information, and its website and
Newsletter are useful sources of
information on these subjects.
Data Protection Act 1998 - a summary
The purpose of this summary is to assist you in exercising your
rights, by highlighting some of the areas of the Act which are of
particular relevance. Please note that although every effort is
made to ensure that the information provided is correct the City of
London does not take responsibility for any inaccuracies.
The Act
The Data Protection Act 1998 came into
force on 1 March 2000 and replaced the Data Protection Act 1984. It
gives individuals (‘data subjects’) a general right of access to
‘personal data’ (ie personal information) about themselves held by
‘data controllers’ within the United Kingdom. It also lays down
principles for the way personal data must be managed.
A ‘data controller’ is a person who determines the purposes of
the processing of personal data, and the manner of the processing.
The City of London is a data controller.
Until 1 January 2005, the Act applies to such data where it is
held on computer and when it is held in very structured filing
systems which are not computerised.
After 1 January 2005, for public authorities it applies to such
data however it is held, although there are still some limitations
with regard to filing systems which are not computerised.
Information Commissioner
The Information Commissioner is
responsible for ensuring compliance by public authorities with the
Data Protection Act 1998 and the Freedom of Information Act 2000.
This may involve monitoring, issuing guidance or taking formal
steps to enforce compliance with the acts. The Information
Commissioner is a Crown appointment, reporting directly to
Parliament.
Information Tribunal
Where the Information Commissioner makes a formal decision about
an alleged failure to comply with the Data Protection Act 1998 or
the Freedom of Information Act 2000, with which any of the parties
concerned is dissatisfied, appeal can be made to the Information
Tribunal. The functions and operation of the Information Tribunal
are described in the acts. The chairman is appointed by the Lord
Chancellor.
Data Protection principles
The Data Protection Act 1998 establishes the following 8
principles in relation to the processing (ie management) of
personal data
- Personal data should be processed fairly and lawfully.
- Data should only be obtained for specified purposes and should
not be further processed in a manner incompatible with these
purposes.
- Personal data should be adequate, relevant and not excessive in
relation to the purposes for which they were collected.
- Personal data should be accurate and where necessary kept up to
date.
- Personal data should not be kept longer than is needed for its
intended purpose.
- Personal data should be processed in accordance with the rights
of the individual which the information concerns.
- Appropriate measures should be taken against unauthorised or
unlawful processing or destruction of personal data.
- Personal data should not be transferred outside the European
Economic Area (the EU states plus Liechtenstein, Iceland and
Norway).
Lawful processing
In accordance with principle 1, any processing of personal data
must be allowed by, or required by, statute or common law.
Fair processing code
Also in accordance with principle 1, any processing
must be fair; that is, must be carried out without deception. The
part of the Act which deals with this is now called the ‘Fair
Processing Code’. So far as practicable, and subject to exemptions,
data subjects should be provided with certain information at the
time of collection or as soon as practicable thereafter, so that
they understand why and how their data are being processed. This
information is provided in a Fair Processing Notice.
Fair processing notice
The fair processing notice (also known by other names such as
‘data protection notice’) should include the following
information
- the identity of the data controller
- the purposes for which the personal data are intended to be
processed
- to whom the personal data may be disclosed, eg a government
department or agency
- and any further information regarding the processing, to enable
processing in respect of the data subject to be fair
Further conditions for fair processing
In addition, personal data must not be processed unless one of
the conditions listed in Schedule 2 of the Act is met; and in
addition, in the case of sensitive personal data, one of the
conditions listed in Schedule 3 is also met.
Schedule 2 - Conditions for processing personal data
One of the following conditions must be met for processing
personal data
- consent has been given by the data subject
- it is for entering or performing a contract with the data
subject
- the data controller is under a legal obligation, other than
under contract
- it is to protect the vital interests of the data subject
- it is for the administration of justice, exercising functions
under an enactment, exercising of government functions, or the
exercise of any other functions of a public nature in the public
interest
- it is for the pursuit of the legitimate interests of the data
controller
The Secretary of State may also make an Order concerning other
particular circumstances.
Schedule 3 - Conditions for processing sensitive personal
data
For processing of sensitive personal data, one of the conditions
listed in Schedule 2 must be met, and also one of the following
conditions listed in Schedule 3 must be met
- explicit consent has been given by the data subject
- it is for the exercise of rights or obligations in connection
with employment
- it is to protect the vital interests of the data subject or
anyone else
- it is part of the legitimate activity of a not for profit
organisation
- the personal data have already been made public by the data
subject
- it forms part of legal proceedings, including obtaining legal
advice, and exercising or defending legal rights
- it is for the administration of justice, or exercising
functions under an enactment, or exercising of government
functions
- it is for medical purposes
- it is for the purpose of monitoring equality of
opportunity
The Secretary of State may also make an Order concerning other
particular circumstances.
‘Sensitive personal data’ consist of data relating to one or
more of the following
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Trade Union membership
- Physical or mental health
- Sexual life
- Offences committed or alleged to have been committed
- Proceedings in relation to these, including the sentence of any
court
Rights of data subjects and others
The Data Protection Act 1998 sets out a framework of general
individual rights in relation to personal data. These are described
in Part II of the Act, which concerns ‘Rights of Data Subjects and
Others’. This is the section to which the 6th data protection
principle largely relates.
The six general rights are
1. Right of access to personal data (section 7 of the Act).
There is a general right of access by a data subject to the
personal data held about the data subject by the data controller.
The process by which this right is exercised is called a ‘Subject
Access Request’ (often abbreviated to SAR). The Act describes how
the data controller must respond to such requests when an exemption
does not apply. A data controller has 40 calendar days in which to
provide the requested data, if no exemption applies.
Following a subject access request to a data controller by a
data subject, and the data controller having failed to comply, the
data subject can apply to court, which may support the Request and
order the data controller to comply.
2. Right to prevent processing which causes substantial damage
or distress (section 10 of the Act).
There is a right to require processing either to cease, or not
to start, if it would cause the data subject, or anyone else,
substantial unwarranted damage or distress. A data subject can
issue a ‘Data Subject Notice’ to a data controller to prevent
processing which he thinks is causing or likely to cause
unwarranted damage or distress to the data subject or to another
person, unless the data controller has met one of the first four
conditions for processing stated in Schedule 2 of the Act
(conditions for processing personal data). The data controller must
respond within 21 days of receiving the notice, either complying or
stating reasons why he is not complying. The data subject can apply
to court, which may support the notice and order the data
controller to comply.
3. Right to prevent direct marketing (section 11 of the
Act).
A data subject can give a notice in writing to a data controller
to cease or not begin processing for the purpose of direct
marketing (in any medium) to the data subject. If the data
controller does not comply, the data subject can apply to court,
which may support the notice and order the data controller to
comply.
The Act defines direct marketing as
the communication (by whatever means) of any advertising or
marketing material which is directed to particular individuals (s
11)
The Information Commissioner, in
Data Protection Act 1998: Legal Guidance,
has placed a broad interpretation on this definition. The
Information Commissioner regards the term as
covering a wide range of activities which will apply not just to
the offer for sale of goods or services, also the promotion of …
aims and ideals.
4. Right in relation to automated decision-taking (section 12 of
the Act).
A data subject can give a notice in writing to a data controller
to require the data controller to ensure that no decision taken by
or on behalf of the data controller which significantly affects
that data subject is based solely on processing by automatic
means.
If the notice has no effect but a decision using automatic means
is nevertheless taken, the data controller must, as soon as
reasonably practicable, inform the data subject of the processing.
The data subject then has 21 days in which to write to request
reconsideration of the decision (a ‘data subject notice’). The data
controller then has 21 days to respond specifying the steps he will
take to comply. If he does not comply, the data subject can apply
to court, which may support the notice and order the data
controller to comply.
5. Right to compensation for damage and distress (section 13 of
the Act).
A data subject who has suffered damage as a result of any
contravention of the act by a data controller has a right to
compensation. The right to compensation for distress exists if
damage has also occurred.
6. Right to have inaccurate personal data rectified, blocked,
erased or destroyed (section 14 of the Act).
If a court is satisfied that personal data being processed are
inaccurate, it can order the data controller to rectify, block,
erase or destroy the data. The court may also order third parties
in receipt of the inaccurate data to be notified.
Subject access request
There is a general right of access to personal data. This is the
right by a data subject to see the personal data held about the
data subject by the data controller. The process by which this
right is exercised is called a ‘subject access request’ (often
abbreviated to SAR).
A data controller has 40 calendar days in which to provide the
requested data, if no exemption applies. The data controller is
allowed to ask for proofs of identity, and to charge an
administration fee of £10. If proofs of identity are required
and/or the fee is requested, the 40 days begins when the proofs
and/or the fee are received.
If the data controller fails to comply with a subject access
request, the data subject can apply to court, which may support the
request and order the data controller to comply. There is no
obligation on the data subject to state why he/she is making a
subject access request.
The right of access to personal data is the key provision for
the exercise of other rights under the Act. Unless data subjects
can learn what data are held about them, their rights to correct or
challenge it may become valueless.
Notification
Data controllers have to ‘notify’ the Information Commissioner
of the purposes for which they process personal data by electronic
means.
The notifications are stored as a register entry. The register
is a
Public Register of Data Controllers.
The City of London’s entry can be accessed on the register by
typing in its Registration Number, which is Z5996206.
There are certain exemptions to notification (for example, the
processing of personal data for personal, family or household
affairs, including for recreational purposes, does not have to be
notified).
It is a criminal offence to process personal data without
notification, unless exempted from doing so.
Exemptions
Part III of the Data Protection Act 1998 concerns exemptions
from aspects of the Act, particularly from certain basic aspects of
the Act such as restrictions on providing personal data to third
parties, and the right of access by data subjects to their personal
data. There are very few exemptions from the entirety of the Act,
although there are some exemptions from much of the Act.
Exemptions under the Act can appear complex. There are some
exemptions to prohibitions on sharing personal data with third
parties; and also some exemptions to disclosure to data subjects of
the personal data held about them.
Exemptions to prohibitions on data sharing with third parties
are where
- the data subjects have given their consent
- the sharing is for the prevention or detection of crime
- the sharing is for the assessment of any tax or duty
- the sharing is necessary to exercise a right or obligation
conferred or imposed by law (other than an obligation imposed by
contract)
- the sharing is for the purpose of, or in connection with, legal
proceedings (including prospective legal proceedings)
- the sharing is for the purpose of obtaining legal advice
- the sharing is for research, historical and statistical
purposes (so long as this neither supports decisions in relation to
individuals, nor causes substantial damage or distress)
There may be an exemption to access to personal data by data
subjects where the personal data
- are part of a confidential reference given by the data
controller
- are subject to a duty of confidentiality, eg confidential
references provided to the data controller
- are subject to legal professional privilege
- are being used to investigate crime or detect fraud
- are being used for management forecasting or planning
- are part of negotiations which would be prejudiced if
disclosed
- are, in the opinion of the data controller or of independent
professional advice, likely to cause serious harm to the physical
or mental health of the data subject or another person
- relate to health, education and social work, and are processed
by a court and consist of information supplied in a report or
other evidence to the court by a local authority
- are processed for the purposes of assessing suitability for the
conferring by the Crown of an honour
Complaint procedures
General right of complaint to the Information Commissioner
With regard to any data protection matter, complaint can be made
by anyone to the
Information Commissioner.
Request to the information commissioner for an assessment
In addition, a data subject (or anyone acting on his or her
behalf) can request the Information Commissioner to assess if data
processing is being carried out by a data controller in compliance
with the Data Protection Act 1998. The time period for responding
to an assessment request is determined by the Information
Commissioner.
Enforcement procedures
Information notice
If a request under the Data Protection Act 1998 has been made of
the Information Commissioner for an assessment of a data
controller, or if anyone enquires as to whether a data controller
is complying with the principles, the Information Commissioner can
ask the data controller for further information, specifying the
time within which to respond to the request. This is called an
‘information notice’.
There are rights of appeal to the Information Tribunal against
an information notice. Thereafter, a person who fails to comply is
guilty of an offence.
Enforcement Notice
When satisfied that a contravention has taken place under the
Act, the Information Commissioner can issue an ‘enforcement
notice’, specifying a time within which compliance must take
place.
The Notice must state the data protection principles
contravened; state that damage and distress is a key criterion; and,
if principle 4 has been contravened, the Information Commissioner
may request the data controller to rectify, block, erase or destroy
the data. There may also be a request that, if practicable, third
parties to whom the information has been made available, are
informed of corrections.
There are rights of appeal to the Information Tribunal against
an enforcement notice. Thereafter, a person who fails to comply is
guilty of an offence.
Powers of entry and inspection
If a judge is satisfied by information supplied by the
Information Commissioner that there are reasonable grounds for
suspecting that
- a data controller has contravened any of the data protection
principles, or
- a criminal offence under the Act has been committed
then the judge may grant the Commissioner a warrant giving
powers to
- enter and search premises
- inspect and seize documents
- inspect equipment in which personal data may be
stored
Appeal procedures
Appeal to the Information Tribunal by data controllers
There are rights of appeal to the Information Tribunal against
an information notice or enforcement notice.
Appeal from a decision of the Information Tribunal
Appeal from the decision of the Information Tribunal can be made
only on a point of law. This appeal would be made to the High
Court.
Civil proceedings
The Data Protection Act 1998 permits civil proceedings by data
subjects against data controllers. This is in relation to the six
rights described in the section on ‘Rights of data subjects and
others’. The jurisdiction for civil proceedings is the High Court
or a County Court. Should damages be awarded, the amount that may
be awarded is unlimited.
Data Protection - useful
external links
Information Commissioner’s Office (ICO)
ICO home page
Data Protection
Electronic Communications Regulations 2003
Compliance with the Data Protection Act 1998, The Privacy and
Electronic Communications (EC Directive) Regulations 2003, and the
Freedom of Information Act 2000, is monitored by the Information
Commissioner, a Crown appointment, reporting directly to
Parliament.
On the Information Commissioner’s website can be found codes of
practice and extensive other guidance on compliance with the Data
Protection Act 1998. This includes
However, this is only a very small selection of the guidance
available.
Department for Constitutional Affairs (DCA)
DCA home page
Data Protection
The Department for Constitutional Affairs is the government
department which during 2003 superseded the Lord Chancellor’s
Department. The department is the government department responsible
for upholding justice, rights and democracy. This includes keeping
the operation of the Freedom of Information Act 2000 and the Data
Protection Act 1998 under review. The Department’s website contains
guidance on issues in relation to these acts.
British Standards Institution (BSI)
BSI home page
The BSI, in cooperation with the Information Commissioner, has
published a series of standards in relation to compliance with the
Data Protection Act 1998. The standards are prefixed with the code
BIP 0012, and thereafter are numbered 1, 2, 3, (etc). They
include
Data Protection, Part 7 - Guide to Subject Access
(BIP 0012-7, 3rd edition, August 2003, ISBN 0580 33329 9).
Her Majesty’s Stationery Office (HMSO)
HMSO home page
Search page
(this is useful for finding copies of Acts and Statutory
Instruments)
The HMSO provides online viewing of Acts, Statutory Instruments,
Explanatory Notes (to legislation), etc.
The Constitution Unit, University College London (UCL)
UCL home page
The Constitution Unit is a UK independent research body on
constitutional change. The Unit is based in the School of Policy at
University College London and conducts a programme of research,
training, consultancy and advice. It has developed a close interest
in Data Protection and Freedom of Information, and its website and
Newsletter are useful sources of
information on these subjects.
Environmental
Information Regulations 2004 - a summary
The purpose of this summary is to assist you in exercising your
rights, by highlighting some of the areas of the Act which are of
particular relevance. Please note that although every effort is
made to ensure that the information provided is correct the City of
London does not take responsibility for any inaccuracies.
The Regulations
The Environmental Information Regulations 2004 came into force on 1
January 2005; that is, on the same day that the Freedom of
Information Act 2000 also came into full force. The Regulations are
fully retrospective, which means that they apply to all information
held by the “public authorities” (which is the term applied in the
Regulations to those organisations which fall under the
Regulations) which are subject to the Regulations, regardless of
when the information was recorded.
The Regulations apply to organisations performing public
administrative functions (including all those public authorities
covered by the Freedom of Information Act), or who have
responsibility, directly or indirectly, for the development,
management, regulation or inspection of aspects of the environment
on behalf of the public.
Any environmental information which falls under the Regulations
is exempt from the Freedom of Information Act and falls instead
under the Regulations.
What is ‘environmental information’?
‘Environmental information’ is defined in the Regulations as
covering
(a) the state of elements of the environment, such as air,
water, soil, land, biological diversity, genetically modified
organisms, and the interaction among these elements
(b) factors, such as substances, energy, noise, radiation or
waste, emissions, discharges and other releases into the
environment referred to in (a)
(c) measures (including administrative measures), such as
policies, legislation, plans, programmes, environmental agreements,
and activities affecting or likely to affect the environment
referred to in (a) or measures or activities designed to protect
it
(d) reports on the implementation of environmental
legislation
(e) cost-benefit and other economic analyses and assumptions
used within the framework of the measures and activities referred
to in (c)
(f) the state of human health and safety, including the
contamination of the food chain, where relevant, conditions of
human life, cultural sites and built structures inasmuch as they
are or may be affected by the state of the elements of the
environment referred to in (a) or the factors or measures in (b)
and (c).
Information Commissioner / Department for Environment, Food and
Rural Affairs (Defra)
The Information Commissioner is responsible for
ensuring compliance by public authorities with the Environmental
Information Regulations 2004, the Data Protection Act 1998 and the
Freedom of Information Act 2000, and issues guidance on compliance.
Defra is responsible for issuing a Code of Practice in relation to
the Regulations, and also issues guidance. See
Environmental Information Regulations - Useful
External Links.
General right of access to information
The key feature of the Environmental Information Regulations
2004 is that they provide a general right of access to information
held by those public authorities covered by the Regulations. In
principle, subject to exemptions to disclosure, the right of access
exists from the moment the information exists. Information held
includes information which is held by a public authority on behalf
of others (in this it differs from the Freedom of Information Act),
and information held by another person on behalf of a public
authority.
Information or records?
The Environmental Information Regulations refer to information,
rather than to records, so there is no obligation on public
authorities to make original records available.
Request for information
There is no obligation upon applicants to state why they would
like the information they are requesting (except with regard to
that part of any information requested which is the personal
information of someone else). Unlike requests made under the
Freedom of Information Act, applicants do not have to make their
requests in writing. They do, though, have to provide a name and
address. If they are sending a written request, an email address is
sufficient to act as a name and address.
Means of communicating the information
As far as possible (subject to exemptions, and only with regard
to information held since 1 January 2005) public authorities are
supposed to have the ability to communicate the information
requested by an applicant in electronic form.
A response to a request has to be made within 20 working days
from the first working day after the day on which a request is
received. The clock stops when a fee has been requested, until it
is received. In addition, public authorities are allowed to extend
the time up to 40 working days if they believe that the complexity
and volume of the information requested means that it is not
practical either to comply with the request within 20 working days
or to make a decision to refuse to do so.
Fees
A public authority cannot charge for access to any public
registers containing environmental information, or in cases where
the information is being viewed at a place where a public authority
makes information available for examination. Otherwise, public
authorities can make a reasonable charge for making information
available, and can request payment in advance of making information
available.
Exemptions to disclosure
Under the Environmental Information Regulations the exemptions
to disclosure cover information which if disclosed would adversely
affect
(a) international relations, defence, national security or
public safety
(b) the course of justice, the ability of a person to receive a
fair trial or the ability of a public authority to conduct an
inquiry of a criminal or disciplinary nature
(c) intellectual property rights
(d) confidentiality of a public authority’s proceedings where
such confidentiality is provided by law, eg a statutory requirement
or a common law duty of confidence
(e) the confidentiality of commercial or industrial information
where such confidentiality is provided by law to protect a
legitimate economic interest
(f) the protection of the environment to which the information
relates
(g) the interests of the person who provided the information
where that person
- (i) was not under, and could not have been put under, any legal
obligation to supply it to that or any other public
authority
- (ii) did not supply it in circumstances where, except for the
EIRs 2004, that or any other public authority is entitled to
disclose it
- (iii) has not consented to its disclosure.
A public authority may also refuse to disclose information to
the extent that
(a) it does not hold the information when the applicant’s
request is received
(b) the request for information is manifestly unreasonable
(c) the request is formulated in too general a manner and the
public authority has, within 20 working days of receiving the
request, asked the applicant to provide more particulars and has
assisted the applicant in providing those particulars
(d) the request relates to material which is still in the course
of completion, to unfinished documents or to incomplete data
(e) the request involves the disclosure of internal
communications.
Where a request made for environmental information includes a
request by an applicant for his or her own personal information,
access to that personal information must be considered instead
under the Data Protection Act 1998.
Requests by an applicant about someone else’s personal
information must comply with the specific provisions under the
Regulations, particularly that any disclosure would not breach the
Data Protection Principles under the Data Protection Act. If it is
considered that disclosure may cause damage or distress, the public
interest test must nevertheless be applied.
Public interest test
All the exemptions are subject to the Public Interest Test. See
‘Public interest test’ under
Freedom of Information Act 2000 - A summary.
Duty to confirm or deny the existence of information
With one exception, applicants for information must always be
told whether or not the information they have requested is held,
even if the information itself is not disclosed. The exception
relates to the first of the exemptions, ie that which relates to
international relations, defence, national security or public
safety, and where the balance of the public interest weighs against
disclosing whether or not the information is held.
Notice of refusal
When public authorities refuse to disclose information, they
must issue a written refusal notice which must state
- the fact of refusal
- the exemption being relied upon
- the matters which were considered in reaching the decision with
respect to the public interest (unless this concerns the refusal to
confirm or deny whether the information is held where it relates to
international relations, defence, national security or public
safety).
Complaint procedures
The complaints procedures are the same as for the Freedom of
Information Act (see ‘Complaints procedures’ under
Freedom of Information Act 2000 - A
summary), except that public authorities are allowed a
specified period, namely 40 working days from the first working day
after the complaint is received, to consider a complaint.
Complaints have to be made in writing.
Enforcement procedures, appeal procedures, and civil
proceedings
These are the same as for the Freedom of Information Act. See
‘Enforcement procedures’, ‘Appeal procedures’ and ‘Civil
proceedings’ under Freedom of Information Act
2000 - A summary.
Environmental Information
Regulations - useful external links
Information Commissioner (ICO)
ICO home page
Environmental Information Regulations
Compliance with the Data Protection Act 1998, the Freedom of
Information Act 2000, and the Environmental Information Regulations
2004, is monitored by the Information Commissioner, a Crown
appointment, reporting directly to Parliament.
Department for Environment, Food & Rural Affairs
(Defra)
DEFRA home page
DEFRA Environmental Information Regulations
Defra is the Government Department responsible for “the
essentials of life - food, air, land, water, people, animals and
plants” in the UK. This includes overseeing the working of the
Environmental Information Regulations 2004.
The Environmental Information Regulations page includes links to
the
(1) Code of Practice on the discharge of the obligations of public
authorities under the Environmental Information Regulations 2004 -
Issued by the Secretary of State, Defra, under Regulation 16 of the
Environmental Information Regulations
(2) Guidance to the Environmental Information Regulations 2004.