There was an excellent session hosted by Ibrahim Hasan, a Solicitor from Act Now Training, at this year’s annual IRRV conference providing some key updates on changes in legislation which will impact how Councils handle data and information going forward. Draft EU regulations are currently being worked on to replace the existing data protection regulation act which came into force in 2000.
Right to be forgotten
This new legislation is expected to be finalised by the end of this year, and in force by June 2018. Maximum fines for failing to comply will be in the region of £500,000. Some of the main highlights of the regulation include a new ‘right to be forgotten’, where an individual can ask to have their data deleted if it is no longer relevant or causes distress.
Explicit consent and data breaches
Another element of the regulation is ‘explicit consent’ which will require Councils telling people at the point of data collection how that data will be used. It will also be compulsory to report data breaches to both the individual and the regulator, for example if a customer’s data is lost or emails end up in the wrong inbox or place.
Statutory roles of DPO’s
Councils will be required to appoint Data Protection Officers (DPO) who will hold a statutory role and Ibrahim provided some tips for putting together an action plan to deal with this new legislation. This included conducting a data protection audit to identify what information your Council holds on people, where it comes from, what you do with it and what you tell them you will do with it at the point of collection.
Ibrahim suggests when designing any new systems in future to look at consent and control and how you manage security breaches and how you allocate staffing roles to deal with these.
Re-use of Public Sector Information Regulations 2015
There was also a new piece of regulation which came into force in July 2015 called the ‘Re-use of Public Sector Information Regulations’. This requires Public Sector organisations to deal with requests for re-use of their information. For example people may request to use images and text from brochures and your Council are obliged to license it. Any data requested should be provided in an electronic and re-usable format.
Using Council information to boost economy
The general thinking behind this regulation is that businesses could take that information and create an application for it. An example of this is the ‘asborometer’, which is a mobile application measuring the levels of antisocial behaviour in a given area. It is believed that the development of these types of applications will help boost the economy with businesses able to generate income from effective and innovative use of Council information.
The process for requesting Council information
Individuals or businesses wishing to do this must first submit in writing what data they want and how they will use it, typical examples of information that may be requested include; social, economic, geographic, tourist, business and patent data. A council then has twenty working days to deal with a request. A council can refuse the request under the following circumstances; if somebody else owns the copyright of the information or if it is outside their core or statutory functions.
Conditions can be imposed on the re-use of the information relating to profits made and whilst the information can be given away under an open government license it must be attributable to the government. The enforcer of this legislation is the Information Commissioner who can issue information, decision or enforcement notices as well as fines.
Ibrahim suggests that Councils create an information asset list and publish it as well as making any statements of areas which might be outside the scope of the regulation. He also suggests you consider publishing charging polices as well as complaints procedures.
Freedom of Information Act
If the data is a dataset it falls under the existing provisions of the Freedom of Information (FOI) Act and as such an Authority can call upon any one of the 23 reasons not to allow access to the requested data for example it may be commercially sensitive.
Ibrahim also provided some guidance on post-legislative scrutiny of the FOI act, stating that there are new exemptions on unpublished research which means that data formed as part of the research does not have to be published. Also if the time taken to retrieve the data is likely to be more than 18 hours, the request can be denied. Some steps have also been taken to deal with vexatious requests such as introducing fees for tribunal appeals, so individuals who want to test the law, may be required to pay £200 for the privilege.
In conclusion, it was a very useful session for Councils to get a better understanding of the latest legislation coming into force, so that Councils can start preparing and get a head start on meeting their future obligations.