The Data Protection Act NOMS Order. The Freedom of Information Act Environmental Information Regulations 2004 ORDER NUMBER 9020

Transcription

1 NOMS Order The Data Protection Act 1998 The Freedom of Information Act 2000 Environmental Information Regulations 2004 ORDER NUMBER 9020 Date of Update: 29/05/09 Issue number: 313 Date of Initial Issue Click on Number for link to reference 09/08/2004 This supersedes issue no. 137 dated 11/10/2001 PSI Amendments should be read in conjunction with the Order Amendments can be tracked by clicking here Date of Further Amendments 29/05/09 Supersedes issue no. 210 dated 09/08/2004

2 PSO 9020 Executive Summary Page 1 EXECUTIVE SUMMARY STATEMENT OF PURPOSE This PSO is issued to replace Information Access sections of PSO It updates NOMS policy on how to respond to Requests for Information under the Freedom of Information Act 2000 (FOIA) and Environmental Information Regulations 2004 (EIRs) and to Subject Access Requests under the Data Protection Act 1998 (DPA). It informs staff of changes to changes to the handling of FOI and EIR Requests for Information following the introduction of Knowledge and Information Liaison Officers (KILOs) throughout NOMS and of the handling process for DPA Subject Access Requests from staff and ex-employees. Chapter 5 of PSO 9020 (Archiving, Retention and disposal Policy) has been replaced by PSO Chapter 11 of PSO 9020 (Data Security) has been replaced by PSO Local Probation Boards and Trusts established under section 4 of the Criminal Justice and Court Services Act 2000 are public bodies in their own right for Information Access issue. Because of this, PSO 9020 does not apply. DESIRED OUTCOME To embed FOI, EIR and DP in the organisation and to ensure compliance with our statutory obligations under the Data Protection Act 1998, the Freedom of Information Act 2000 and the Environmental Information Regulations MANDATORY ACTIONS All Heads of Group/Units must satisfy themselves they have a fully trained KILO within their area and the identity of the KILO is known to all staff. All Governors and Directors of Contracted prisons must satisfy themselves that they have an Information Access Representative and a Deputy within their business area and the identity of the IAR and Deputy IAR is known to all. The processes contained in this PSO must be followed in dealing with Subject Access Requests under the DPA and Requests for Information under the FOIA and EIRs. Mandatory instructions in the body of this PSO are indicated by the use of italics. RESOURCE IMPLICATIONS The amount of time spent on the new procedures required to comply with our statutory obligations under Data Protection and Freedom of Information legislation will vary from Group to Group and Unit to Unit. IMPLEMENTATION DATE: 1 June 2009 signed Ann Beasley Director of Finance and Performance

3 PSO 9020 Page 2 CONTENTS: CHAPTER 1 CHAPTER 2 ANNEX A INTRODUCTION AND BACKGROUND ROLES AND RESPONSIBILITIES CONTACT DETAILS Until publication of PSO 9025, the previous PSO 9020 Chapter 5 Retention and Destruction, remains extant. Click here to view Chapter 5.

4 PSO 9020 Page 3 CHAPTER 1 INTRODUCTION 1.1 Purpose This PSO outlines NOMS policy in responding to requests made under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 and the Data Protection Act 1998 (DPA) The PSO also provides an overview of the procedures staff must follow in order to ensure compliance with DPA, FOI and EIRs This PSO replaces PSO 9020: The Data Protection Act 1998 and the Freedom of Information Act Separate PSOs are being issued on data security (PSO 9015) and the retention and archiving of information (PSO 9025). 1.2 Explanation of Terms The following terms are used within this PSO: DACU Data Access and Compliance Unit DPA Data Protection Act 1998 EIR Environmental Information Regulations 2004 FOI/FOIA Freedom of Information Act 2000 IAR Information Access Representative ICO I Information Commissioner s Office KILO MC MOJ PCBU PQ RFI SAR TO Knowledge and Information Liaison Officer Ministerial Correspondence Ministry of Justice Parliamentary, Correspondence and Briefing Unit Parliamentary Question Request for information Subject Access Request Treat Official Correspondence 1.3. Background MOJ has responsibility, across government, for policy on Data Protection and Freedom of Information. As such, it is vital that MOJ has robust mechanisms for responding to requests for information under these regimes Building on experience in other areas of the organisation, we have made changes to the way we deal with requests for information. A KILO network has been established across the business. This places the primary responsibility for responding to requests on the area responsible for the subject matter of the request. DACU part of the Information Directorate actively supports KILOs in their duties by providing expert advice and guidance on the management of requests, and co-ordinating responses to those which cut across more than one area of work.

5 PSO 9020 Page Identifying Requests It is very important to draw a distinction between FOI/EIR/DPA requests and routine correspondence. It is also important that requests received by Establishments, Groups, or Units which should properly be treated as requests for information under DPA/FOI/EIR are identified and forwarded to DACU as quickly as possible. This is because timescales for reply are set by legislation and the countdown for reply starts the day that MOJ (at whatever point; i.e. an Establishment, Group or Unit) receives a request Parliamentary Questions/Ministerial and Director General/Treat Official Correspondence It is important that answers to Parliamentary Questions and replies to requests are consistent. Groups and Units must consider related PQs, MCs and DG Correspondence when responding to requests for information Introduction to Information Access The three regimes under which requests for information might be handled are: Freedom of Information Act 2000; Environmental Information Regulations 2004 and Data Protection Act A summary of the Acts and Regulations, including an explanation of the main similarities and differences follows at paras Freedom of Information Act The Freedom of Information Act came into force on 1 January The essential principle of the Act is that there should be a general right of access to information held by public authorities consistent with the public interest, the right to privacy and effective public administration. The Act is designed to allow greater public access to information Any recorded information held by MOJ is potentially disclosable under the FOI regime. Any person making a request is entitled, subject to certain exemptions set out in the Act to: be informed in writing by MOJ whether we hold the information described in the request; and if we hold the information to receive it, subject to the application of exemptions As a public authority, MOJ must have in place a system to ensure the efficient processing of requests for information submitted under FOI and to make sure that we are all aware of the requirements of the legislation and the role we have to play in meeting those requirements. The Act requires us to identify and locate records and respond within tight timescales.

6 PSO 9020 Page Routine Correspondence It is very important to draw a distinction between FOI requests and routine correspondence. FOI deals only with recorded information. So, for example, a request for an explanation of our policy on an issue or for an explanation as to why we made a particular decision or for an opinion on a particular issue should be treated as routine correspondence. Whereas, a request for copies of the papers we considered in making a particular decision or policy would be an FOI request because the individual is asking for the recorded documents. The KILO would then look at the documents that met the request and decide if they could be released or if an exemption applied. As an example, if a request asked why NOMS decided to introduce a training course at a particular prison that is not a request. If the request asked for the documents that were considered in making the decision to introduce the training course, that is a request. 1.9 Main Features of the Act The main features of the Act are: a request must be made in writing. A contact name and address (including an address) must be provided; anyone, anywhere in the world can make a request; we have a duty to provide advice and assistance to an individual making a request; we must reply within 20 working days from the date the request is received by the department; where it is necessary to withhold information we must consider the exemptions listed in the Act and provide an explanation for their use; and we must adopt and maintain a publication scheme in which we proactively make available a range of information about the Department The Act deals only with recorded information held by the department at the time a request is made. There is no requirement to produce new information to reply to a request, nor to consider the disclosure or otherwise of information which came into the department s possession after the request was made. The Act relates to information not documents but supplying a copy of a document, redacted if we have applied exemptions, is the easiest way of providing the information The Act requires that we are as helpful as possible in advising individuals on how to revise a request so that we can provide the information they require. In cases where, although we do not hold the information in the exact form requested, we hold very similar information, best practice is to provide the information we do hold, making it clear that we are doing so outside of the FOIA The Act recognises that there will be valid reasons for protecting certain information from disclosure, and as such includes 24 exemptions. Some of these exemptions are absolute, others, known as qualified exemptions require that before applying the exemption we consider whether or not it is in the public interest to release the information. If, on balance, it is thought that it is in the public interest to provide the information, then the information should be released.

7 PSO 9020 Page 6 The qualified exemptions include: section 22 information held with a view to its publication at a future date; section 31(1)(f) the maintenance of security and good order in prisons; and section 35 information relating to the formulation and development of government policy. The absolute exemptions include: section 21 information which is reasonably accessible to the applicant by other means; section 40 personal information (this exemption provides a gateway to the DPA); and section 41 information provided in confidence Where a request is refused, the requester has the right to ask for an Internal Review of the decision meaning we need to review all aspects of our handling of the original request with onward rights of appeal to the Information Commissioner and the Information Tribunal Cost of replying appropriate limit The FOIA does not oblige us to provide information if the cost of providing it would exceed an appropriate limit of 600. This equates to 24 hours (or 3.5 days) of work and applies only to finding out whether any information caught by the request is held, and to gathering the information together Requests for information on all prisons are likely to come into this category unless the information requested is held centrally The cost limits does not take into account considering the use of exemptions or the public interest test in releasing the information If a request falls into this category the exemption should be applied FOIA requires the Department to offer advice to a requester as to how they might amend their request to meet the cost limit. In cases where, it would exceed the limit to supply the information requested, for example because we would have to contact every prison, but we do hold similar information centrally although not in the exact form requested, best practice is to provide the information we do hold, making it clear that we are doing so outside of the FOIA Publication Scheme Under the Act, the Department must have a publication scheme that sets out categories of information that are routinely made available. When it can be anticipated that a project or issue is likely to be of public interest or the request is asked regularly it will be helpful to think about what, if any, information could be put into the public domain and to provide a brief, containing that information, for the publication scheme. An example of this is the policy on or number of games consoles available to prisoners.

8 PSO 9020 Page DACU will provide advice on how to use the publication scheme to best effect Disclosure Log Replies to requests for information may be published on the Disclosure Log. This allows further requests for information to be directed to and to reduce the number of information requests which need full consideration. This log is managed by DACU s between staff s between staff about individual cases or policy are potentially releasable under FOI. Please take into consideration, when drafting s, the FOI implications and the potential for criticism of the Department or embarrassment for individuals if the was released. s should meet the same departmental standards as other written correspondence Timescale for response The timetable for responding to request for information under FOIA is 20 working days from receipt in the MOJ to final reply Environmental Information Regulations The Environmental Information Regulations (EIR) came into force in January There are many similarities between the FOI and EIR regimes and as with FOI; EIR gives access rights to recorded information about the environment. Our experience is that NOMS receives substantially more EIRs than other areas of the department and it is important that we are aware of it and know how to identify requests which fall under it The main differences between FOI and EIR are: EIR requests do not have to be made in writing. It is helpful to ask for the request to be made in writing but it is not necessary for an individual to do so; there are a number of exceptions contained in EIR which must be considered before information is released in response to a request, but all EIR exceptions are subject to a public interest test; and a requestor does not have to mention EIR. Some requests may specifically mention, for example, FOI. This does not prevent you from treating them under the EIR where the subject matter makes it appropriate to do so Examples of requests for environmental information are: requests which relate to emissions, noise or waste likely to affect elements of the environment; policies, legislation, plans, programmes, environmental agreements and activities likely to affect or protect the elements of the environment;

9 PSO 9020 Page 8 cost-benefit and other economic analyses and assumptions used within the framework of environmental measures and activities; the state of human health and safety, including contamination of the food chain, conditions of human life and built structures in as much as they are or may be affected by the state of the elements of the environment; and information on new buildings (for example, establishments), including local planning considerations Timescale for response The timescale for responding to an EIR RFI is 20 working days from receipt in the MOJ to final reply. There is some scope to extend this timescale for complex or voluminous requests, but only by a maximum of a further 20 working days Data Protection Act The Data Protection Act 1998 regulates the processing of information in relation to individuals. This includes the obtaining, holding, using or disclosing of information. In particular, personal data is data which relates to a living individual who can be identified either from the data or other information which is in the possession of, or is likely to come into our possession. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual The DPA gives individuals the right to know what information MoJ holds about them and sets out rules to make sure this information is handled properly. The DPA requires anyone who handles personal information to comply with a number of important principles Summary of Principles The eight requirements of DPA are that personal data will: be processed fairly and lawfully and not be processed unless specific conditions are met; be held only for specified purposes and not be processed in any manner incompatible with that purpose; be adequate and relevant and not excessive in relation to the purpose for which it is processed; be accurate and kept up to date; be held for no longer than is necessary; be processed in accordance with the rights of data subjects including their right to access all personal data held on them; be subject to appropriate security measures to keep the information safe; and not be transferred to a country outside the European Economic Area unless that country or territory has equivalent levels of protection for personal data All MOJ personnel who process or use personal data should familiarise themselves with and ensure they follow these principles at all times Requests for information that involve the release of personal information, whether about the applicant or another person are subject to the data protection legislation. In practice, it is unlikely that either sensitive personal data, pertaining to health, ethnic status, sexual behaviour or private personal data, such as home address, telephone number or information about personal life would be disclosable to a third party.

10 PSO 9020 Page 9 Limited details about individuals which identifies their official role, for example, job title, responsibilities, work contact details, prison officer number, may be disclosable Routine disclosure of personal information to individual prisoners The processes set out in this PSO are not intended to replace existing arrangements for the local disclosure of information to prisoners, for example the reasons for categorisation decisions, disclosure of parole dossiers, etc. Where there are existing arrangements set out in other Instructions/Orders for disclosing information to individual prisoners, these must continue to be followed Care must be taken with requests for personal information from third parties to ensure they are acting on behalf of the individual. It is common to receive enquiries either directly or via Members of Parliament from relatives of prisoners. However, personal information in relation to living juveniles, young adults and adult prisoners must not be disclosed even to close relatives without the prisoner s consent Requests for information from third parties NOMS, in particular establishments, receive a significant number of requests for information on offenders and ex-offenders from third parties. These requests usually fall into three categories. These are: requests for information on offenders and ex-offenders from third parties, including police forces; requests for information on offenders and ex-offenders involving some form of litigation; and requests for information about ongoing litigation between an offender exoffender and NOMS DACU DP team will provide initial advice on how to respond to requests for personal information, including requests from police forces or those involved in litigation against offenders and ex-offenders NOMS Operational Litigation Unit will provide advice on requests for information from third parties involved in litigation against NOMS. Their contact details are at Annex A Timescale for response The timescale for complying to requests under DPA is 40 calendar days from the date the request is received with the appropriate fee departmental policy is to charge 10 to requesters. This charge is waived for current members of staff and for former members of staff who submit a request within two years of leaving Information which did not originate within MOJ Requests for information relate to information held by the department and not only to information originated by us. NOMS must therefore only hold documents originated by third parties, for example, police and probation service, where there is a business need to do so.

11 PSO 9020 Page 10 CHAPTER TWO ROLES AND RESPONSIBILITIES 2.1 Areas of Responsibility MOJ policy is that requests for information and subject access requests should be responded to by the business area with the lead for the information requested. This places responsibility for meeting the statutory deadline with the appropriate area of the business, and allows: for those with the best understanding of the subject matter of the request to collate and consider the application of exemptions to any information held; us to provide better quality advice to requesters on how broad or vague requests might be modified to allow us to answer them; and us to better monitor and improve our overall performance where necessary The only exception to this rule is requests from prisoners and former prisoners for their own personal data. Because of the volume of requests made, and the need to have access to archived records, there is no benefit to either the requester or to us to be gained by moving responsibility for handling to individual prisons. Responsibility for processing and administering these requests and requests by prisoners for their own records via their appointed solicitor or representative where there is no outstanding litigation remains with a specialist team in DACU Requests for the disclosure of routine current information such as parole dossiers and other reports must be dealt with as day to day business Requests which form part of a litigation claim will continue to be handled by NOMS Operational Litigation Unit 2.2 Heads of Group, Governors/Directors of Contracted Prisons Heads of Groups/Units must nominate a KILO or, for establishments, including contracted prisons, an IAR and a Deputy for their business area and ensure that procedures are in place to facilitate the prompt handling of requests, and that we comply with the appropriate time limit. 2.3 Data Access and Compliance Unit (DACU) DACU has overarching responsibility for the department s compliance with its obligations under the three regimes. Its primary function is to support officials across MOJ in their handling of requests, and to provide a degree of co-ordination where requests relate to the business of more than one area of the department. They also monitor the performance of the KILO network, and provide periodic reports to senior management on the performance of the various areas of the business As part of the day to day process of progressing requests, DACU will: acknowledging receipt of all DPA/FOI/EIR requests to the department; allocating FOI/EIR Requests to PCBU; allocating requests made under the DPA to the HR KILO or IAR;

12 PSO 9020 Page 11 making preliminary judgments on the sensitivity of requests, and informing the KILO if high level clearance is necessary. Business areas must always satisfy themselves that any sensitivities have been identified, and that appropriate steps are taken to ensure that time is allowed for clearance at the appropriate level; providing a high level of support and advice to individual KILOs; monitoring progress of responses to ensure that requests are progressed within the appropriate timeframe; producing management information on the handling of requests; clearing draft replies to FOI requests; providing responses to prisoner and ex-prisoner SARs; providing advice on the use of exemptions and otherwise on the application of the Act to a particular request; obtaining legal advice or clearance where required; carrying out Internal Reviews of our handling of a request; and liaising with the Information Commissioner s Office during the course of their investigations. 2.4 NOMS Parliamentary, Correspondence and Briefing Unit (PCBU) PCBU will allocate requests across NOMS. Its main areas of responsibility are: identifying the appropriate Group/Unit and allocating the request to the appropriate KILO; tracking progress to FOI/EIR 20 working day target; ensuring consistency of response across access regimes; and providing management information. 2.5 Knowledge and Information Liaison Officers KILOs provide the focal point in business areas for FOI, DPA and EIR issues. They are responsible for collating information, considering release, applying exemptions and drafting replies to departmental timescales The full range of KILO responsibilities are set out in detail in the KILO/IAR Manual [ and include: recording receipt of request; collating the information requested; replying to HR SARs;

13 PSO 9020 Page 12 liaising with IARs; considering and applying exemptions; considering related PQs, MCs and DG Correspondence; clearing draft reply with Head of Group/Establishment/Unit; ensuring response is provided on time; liaising with Lead KILO if timescale will not be met; providing DACU and PCBU with a copy of draft replies; issuing final reply; and provide DACU and PCBU with a copy of final reply KILOs responsibilities and performance against targets should be included in individual KILO s personal performance plans. A Job Description and draft objectives are provided in the KILO Manual. 2.6 Process for handling a FOI/EIR request Full details on handling a request are explained in details in the KILO/IAR Manual. In summary a KILO will: On receipt of a request: look at the request to make sure it is being treated under the correct legislation FOI/EIR/DPA. If they have any doubts they should contact the DACU caseworker; consider if the information is held and if so start to collate the information; identify any information already in the public domain that would meet the request; identify any PQs/MCs/TOs on the subject; contact DACU caseworker if they can identify any particular sensitivities related to the request Once the information is collated: read the documentation to confirm the information meets the request; consider if the information can be released or if exemptions apply; consider if anyone outside MOJ needs to be consulted, e.g.: contractors; make contact with other business areas or third parties, if necessary; redact any information which is exempt; prepare the draft reply modelled on the standard templates in the KILO/IAR Manual;

14 PSO 9020 Page 13 clear the draft at the appropriate level; forward the draft reply to DACU Caseworker for clearance and copy to PCBU; When the draft reply is cleared: issue the reply to the requester; copy the final reply to DACU and PCBU. DACU will assist the KILO at any stage of this process and arrange case conferences for particularly sensitive cases as required. 2.7 Information Access Representatives IARs provide the link between DACU and areas of the business with no KILO, predominantly establishments. All establishments, including contracted prisons must appoint an IAR and a Deputy to coordinate the information required to meet SARs from prisoners and ex-prisoners and to respond to third party requests (see paras and 2.1.3) If a business area does not have a KILO, as is the case for establishments, then they must appoint an IAR and a Deputy The full range of IAR responsibilities are set out in detail in the KILO/IAR Manual together with some suggested job objectives. In summary: On receipt of a SAR the IAR must: obtain the information requested in the SAR; check that all photocopies are legible and are not hole punched ; check only one copy of the information is forwarded (i.e. that all duplicates are removed); identify information already released to the prisoner and put in separate envelope; forward the information as quickly as possible to the DP team but not later than seven days from receipt of request; inform the DP team on of any difficulty in meeting the response target Because every document held by NOMS that relates to a prisoner has to be examined and where appropriate redacted, it can, in the most complex cases, take up to four weeks for DACU to process one SAR Establishments should not hold information on a prisoner for longer than is necessary or where there is no business need to do so. Files arriving at establishments from other agencies, for example, police or probations services, which are not required by the establishment, must be returned to the agency concerned.

15 PSO 9020 Page 14 ANNEX A CONTACT DETAILS: Data Access and Compliance Unit Freedom of Information Requests/Environmental Information Requests Information Line Ministry of Justice Data Access and Compliance Unit 6 th Floor 102 Petty France LONDON SW1H 9AJ Fax Website Data.access@justice.gsi.gov.uk Subject Access Requests from Employees and Exemployees Information Line Ministry of Justice Data Access and Compliance Unit 6 th Floor 102 Petty France LONDON SW1H 9AJ Fax Website Data.access@justice.gsi.gov.uk

16 PSO 9020 Page 15 Subject Access Requests from Prisoners and Ex-Prisoners Information Line Ministry of Justice Data Access and Compliance Unit Branston Registry, Building 16 Supply and Transport Store Burton Road Branston BURTON UPON TRENT Staffordshire DE14 3EG Fax Website NOMS Parliamentary, Correspondence and Briefing Unit NOMS Parliamentary, Correspondence and Briefing Unit Cleland House Page Street LONDON SW1P 4LN Information Line Switchboard Fax Website