Thu, 26 Feb 2009

A simple guide to the Freedom of Information and Data Protection Acts

Recently I have been asked several times how to go about obtaining a copy of one's personal information held by an organisation and how to access information held by a public authority. These two interests are often confused, but they are distinct in their scopes and approaches. There's a wealth of information already spread across the web, possibly so much that it can be daunting to figure out where to start looking. In this short post I attempt to provide a basic primer to clear up the confusion and give you just enough information to start issuing your own data subject access and freedom of information requests whenever appropriate. As my experience has been mostly with police matters, this primer includes related tips and a list of FoI contact details for all police forces. For more information or more complex matters, such as complaining, see the links at the bottom.

How to obtain personal information which is held by an organisation?

This is covered by the Data Protection Act 1998. Under the DPA, individuals can request a copy of the information held about them by organisations, whether public or private, by sending what is called a data subject access request to the data controller of the organisation. There can be a cost of up to £10; in practice it's either free or £10. Organisations have 40 days to reply.

All organisations that hold personal information must register the details of their data controller and the types of information they record in a register of data controllers maintained by the Information Commissioner's Office. This register can be searched; however, the search engine functionality is limited and it can be difficult to find the details of the organisation you're looking for. It's often easier to check the website of the organisation you wish to contact for this information.

In your data subject access request you will need to give enough information for the organisation to be able to identify you and the information they may have about you. Organisations are only allowed to send back identifying information about you. There are some exceptions, for national security for instance, where the organisation does not have to send you the data it is holding about you. If you request CCTV footage, they have to blot out any other individual present, and it is now more difficult to obtain CCTV footage under the Data Protection Act unless the footage is specifically about you.

You need to be aware that, to comply with the DPA, organisations should not retain information for longer than needed for the purpose for which it was obtained, so do not delay any data subject access request; otherwise the information you seek may have been deleted.

An example of the use of the Data Protection Act is to obtain a copy of the personal information held about you in the Police National Computer (aka your PNC record). Most Police forces have forms for this purpose and they list the documents needed to prove your identity. They all charge £10.

How to access information which is held by a public authority?

This is covered by the Freedom of Information Act 2000. Under the FoIA, individuals have the right to request recorded information held by a public authority. The public authority has to provide the information requested unless it has good reasons not to! For the authority to keep the information confidential, it has to have valid legal reasons to do so. Requests are free; however, there's a limit on how long public authorities may spend trying to answer a request. A response must be provided within 20 working days. It is valid and not uncommon for authorities to write to say it will take them a little longer than the 20 working days.

Note that the FoIA gives you the right to access information only from public authorities. It may not always be obvious what is a public authority and what is not. For instance, Police forces are public authorities, but the Association of Police Officers (ACPO) is not.

Before issuing an FoIA request it is worth checking the publication scheme of the concerned authority to see if the information you seek has not already been published. It's also worth checking if someone else has not already asked the same question, for instance using What Do They Know.

To initiate a request, you need to find the contact details of the FoIA team of the public authority. It is usually easy to find this on their website. Some authorities require you to send your request in a web form, but most accept email (note that some refuse cryptographically signed email). You must write a clear description of the information you are after and provide contact details. It is worth ensuring the description is precise and clear, as this is the only information the public authority will have to figure out what it is you want. You have to provide your real name and either an email address or a physical address; some authorities insist on a physical address but this is not a requirement.

Two common reasons for refusal are that the data you seek is not held by this public authority and that it would take too long to find the answer (often because the source data would require manual searching). If you get a refusal but believe that the authority should really be able to provide the information, a good initial follow-up is to point out that under Section 16 of the Act, the authority has a duty "to provide advice and assistance". You can also offer to narrow your initial request to ensure that the search fits in the allotted time available.

In the case of police forces, the maximum time/cost they are allowed to spend on an FoIA request is 18 hours, sometimes expressed as £450 (i.e., a rate of £25 per hour). Some forces consider that just dealing with the admin of the response takes up to three hours of this total.

