FOIMan examines the similarities and differences between FOIA and the Environmental Information Regulations.
A few months ago I started a series in PDP’s Freedom of Information Journal on the Environmental Information Regulations (EIRs), starting with an examination of the definition of environmental information. Here I bring you the second instalment in the series which looks at how FOIA and the EIRs differ.
I’ve just written the third and final part in the series which covers the exceptions in the EIRs. You’ll be able to read that in the next issue of the journal or right here on the FOIMan site later in the summer. Once they’re all available, I’ll put them all in one place in the Resources section so they will act as a comprehensive guide to the EIRs.
FOIMan examines a new right to access information about yourself that will become law next year, and considers what organisations will be obliged to do to comply with it.
We’re constantly submitting information about ourselves to companies and other organisations. Every time we sign up for a new energy deal, we have to input our details. The same if we want to move bank or credit card. Even if we want to be able to listen to music or watch films from a streaming service. And every time we have to re-input those details, even though they’re more or less the same. Imagine if you could just get Apple to transfer the details you gave them to Spotify. Or ask your credit card provider to give your transaction history to their rival so you can find out if you can get a better deal.
Well…from next year you will be able to. The General Data Protection Regulation (GDPR) introduces a new “right to portability” (not potability, as it’s often misspelled – it’s not a right to your own personal drinking water). What does it involve?
What does it do?
It gives data subjects (individuals) a right to be provided with information they have provided to data controllers (businesses and other organisations) in a machine-readable and re-usable format. If the data subject prefers, data controllers will have to transfer their data directly to another data controller.
What does it cover?
Data provided by the data subject that is being processed by automated means (i.e. this won’t apply to data held in paper files) where the data controller relies on consent or a contract with the data subject to justify collection and use of the data (from the list of conditions at Article 6).
According to the Article 29 Working Party (A29WP), data which the data subject has “provided” will include not only the information supplied directly by the data subject, but also raw data collected from observation such as smart meter data, activity logs, web usage or search history. It won’t cover any data that results from analysis of the observed data.
Some facts about portability
- you’re expected to remind people of this right whenever you collect data directly from them, and also tell them if you start collecting data by “observation” within a month
- requests for data to be “ported” will have to be processed “without undue delay”, and normally no later than a month after receipt of the request
- fees can only be charged where a request is “manifestly unfounded or excessive”; the A29WP comment that this is going to be rare with portability requests as the data should be relatively easy to extract, prepare and disclose given that the right only applies to automated data
- data must be disclosed “in a structured, commonly used and machine-readable format”; the A29WP interprets this as a format supporting re-use and suggests commonly used open formats should be used for release such as CSV, XML or JSON
- where there are reasonable doubts about the identity of a requester, proof of ID can be requested; this is perhaps less likely to be an issue with portability requests than with, say, subject access requests, as in most cases there will be existing methods to authenticate a person’s identity (e.g. username and password)
- when a data controller complies with a request to transfer data, they are responsible for its security during transfer – for example, by using end-to-end encryption. Once it gets to its destination however, the recipient is responsible for it – whether that be the data subject or another data controller to which the data has been transferred
- generally data being ported is still subject to the data protection principles and other GDPR rules; e.g. data subjects should be able to restrict what data is transferred and data controllers in receipt of data should not process more of it than they need
- contracts with other companies that process data on the data controller’s behalf (i.e. data processors) should specify requirements to facilitate portability requests
- Article 20 specifies that the right to portability shall not adversely affect the rights of others; third parties have rights too.
- This doesn’t mean that, for example, where someone crops up in the data subject’s bank account as a payee, a bank would have to redact their details before transferring the data.
- However, in certain cases (A29WP cite social networks as an example) it will be appropriate to seek third parties’ consent at any point where they transact with the data controller (e.g. Facebook’s privacy permissions might indicate that a “friend” could seek to export their account data including data about their friends; the privacy permissions portal might allow individuals to indicate that they don’t want their data to be included in such exports).
- Where data is transferred to another data controller, that organisation won’t be able to extract the details of third parties from the data and, for example, send them marketing using those details.
- it’s worth noting that many companies already provide facilities to “port” data; a government initiative in the UK called “MiData” has been working towards developing an industry standard here for some years. If you’ve ever downloaded your bank statement as a spreadsheet, you’ve effectively made a data portability request. GDPR, though, now makes this a right, and potentially there will be many businesses in particular who haven’t worried about this that will now have to prepare for the possibility of receiving such a request.
The above are just my notes and thoughts on how portability will work. For further (and more authoritative) information, consult the following:
Note: I’ll be delivering a webinar on the portability right for Act Now Training on 23 June 2017. Visit their website for further details.
FOIMan explains how GDPR puts keeping records well at its very centre.
Back in December, the Information Commissioner, Elizabeth Denham, indicated her wish for a new duty to document law. I’ve written previously about this here and here.
On 28 April, I explored this issue a bit further in a talk to the public sector group of the Information and Records Management Society (IRMS) at a venue in Westminster. I’d been asked to talk about the need to keep records for corporate requirements identified in the FOI s46 Code of Practice.
The s46 Code does spell out the need to keep records to meet legal requirements, to record precedent, to document legal and other rights, and to justify actions taken. It’s worth noting that s.48 of FOIA gives the Information Commissioner the power to issue “practice recommendations” requiring public authorities to bring their practice into line with the Codes of Practice. So the s46 Code establishes a duty to document and the Act gives the Commissioner (admittedly limited) powers to enforce it.
Leaving FOI behind though, I handed delegates postcards of the image above. It illustrates the data protection principles as set out in the General Data Protection Regulation (GDPR). Right at the centre of my image is the accountability principle. It means that organisations will not be able to comply with the other principles without being able to demonstrate their compliance. In other words, they need to keep records to show what they are doing with people’s personal data. What they told those people when it was collected. Whether they gave consent. What their data protection impact assessment concluded. And so on.
Keeping records – and keeping them well – is central to compliance with GDPR. Records management should form a central plank of your GDPR preparations over the next year. Not least because it is very clear that the Information Commissioner is very interested in records management indeed.
Let me know if you need a speaker for your event – I’m always happy to help if I can. If you’re looking for in-house training on GDPR, get in touch for a quote.
s.46 Code of Practice
FOIMan begins an exploration of the Environmental Information Regulations.
The rabbit hole in question is also known as section 39 of the UK FOI Act (and also of the Scotland Act, for that matter), which leads, of course, to the Environmental Information Regulations 2004 (EIRs). It always seems to me that the EIRs are somewhat neglected so I’ve chosen to devote a series of articles for PDP’s Freedom of Information Journal to an exploration of them.
In the first in the series – available here – I look at why there are separate regulations covering environmental information at all, and what exactly is environmental information. The next piece will look at the main differences between FOI and the EIRs, whilst the last piece will examine the exceptions. You can read the whole series by subscribing to the Freedom of Information Journal (external link) or just by keeping an eye out for the later articles here on the FOIMan website (and you can ensure you don’t miss them by subscribing to FOIMan posts via the box in the column on the right).
If you want training on the EIRs, I can provide this in-house – just get in touch for a quote. Or you can attend one of the courses I’m running for Act Now Training (external link) later this year.