Data in colleges: a timely reminder

As the new term approaches, many colleges will be more focused on enrolment, learner retention and the general melee of starting new term life. However, this article serves as a timely reminder to colleges of the issues they face when dealing with requests for information under both the Freedom of Information Act 2000 (“FOIA”) and Data Protection Act 1998 (DPA”).

Freedom of Information Act 2000

FOIA gives individuals and companies the right to ask colleges whether they hold information and, if they do, they have the right to be given that information. There is a wide variety of information accessible under FOIA including contracts for the supply or purchase of goods or services, responses to regulatory enquiries and health and safety information. The information must be disclosed unless an exemption applies.

There are two categories of exemptions:

1. Absolute exemptions; and

2. Qualified exemptions – this is a public interest test. Here the question is whether the public interest in maintaining the exemption outweighs the public interest in disclosing it.

An exemption can sometimes have the effect that a college neither confirms nor denies that it holds the information, for example if a request is made for information about the number of complaints made about an individual, even a denial to disclose the information would confirm that such information is held and, consequently, that complaints have indeed been made against that individual. Exemptions that are considered most often under FOIA are:

• Information accessible by other means

• Information relating to the formulation of a government policy

• Information that would inhibit the free and frank provision of advice or exchange of views within public authorities if it was disclosed

• Personal information that is subject to data protection laws

• Information supplied and held under a legal duty of confidence (where disclosure would constitute an actionable breach of confidence)

• Trade secrets and other commercially sensitive information (where disclosure is likely to prejudice the commercial interests of any person)

Colleges must comply with a request within 20 working days of receiving it. If the cost of replying to a request would exceed the “appropriate limit” (£450/18 hours), the college does not need to comply with the request. In addition, requests that are either vexatious (e.g. aimed at causing disruption), or requests that are the same or similar to previous requests that have repeatedly been made by the applicant, do not need to be complied with.

Data Protection Act 1998

The rights to data under the DPA refer to “personal data”. Personal data is defined in the DPA and includes:

• A living individual can be identified either from the information itself or with other information that is in the possession of, or likely to come into the possession of, the data controller

• The information relates to the person in his personal or family life, business or profession

• The information is used to inform or influence actions or decisions affecting that person

• The information focusses on the individual as its central theme

• The information impacts (or has potential to impact) on an individual

Under the DPA the individual has the following rights in relation to this personal data:

• The right to know if the data is being processed

• The right to a description of that personal data, the purpose for which it is being processed and the recipients to whom it may be disclosed

• The right to have the information constituting the personal data, and any information available to the employer on the source of the data, communicated to the applicant in an “intelligible” form; and

• Where the personal data is processed by automatic means, the right to be informed of the logic of the automated process.

Colleges must comply with a subject access request promptly and within 40 days of receipt of the request. However, an employer is not obliged to respond unless it has received the following:

• A £10 fee

• Evidence confirming the identity of the individual

• Any information required to locate the information

An employer should at least give a basic explanation of its approach to searching as it is under a general duty to act fairly in processing the data. On receiving a request the employer must locate the personal data, which involves locating sources of data, and then making an assessment whether such data is personal data within the meaning of the DPA.

Although a data controller cannot refuse to deal with a subject access request simply because locating the information would involve considerable effort and time, on the other hand the data controller is not obliged to leave no stone unturned. A reasonable and proportionate search should be carried out. An employer is not obliged to comply with a subject access request if the request is an overly general one and the employer would require further information to clarify the request and has informed the enquirer of this.

There is no obligation to comply with a data subject access request in relation to the following:

• Personal data held for personal, family or household affairs

• Confidential references given by the data controller for employment or educations purposes

• Health records

• Personal data processed in relation to management forecasting if it would prejudice the conduct of the business

• Personal data subject to legal professional privilege

• Personal data consisting of intentions relating to negotiations between the data controller and data subject

Whilst colleges will already be fully conversant of FOIA and DPA, it will not stop employees, learners and the general public alike in bringing such claims, which can be time consuming and costly to colleges in terms of management time and legal costs alike.

Matthew Kelly is a partner at Thomas Eggar, the law firm