policy on dealing with requests for information - Security Industry ...

October 2005Security Industry Authority 50 Broadway London SW1H 0SAPhone 020 7227 3600 Fax 020 7227 3601 E-mail info@the-sia.org.ukwww.the-sia.org.uk

ContentsA. SummaryB. IntroductionC. What information is covered under the DPA?D. What rights are afforded to individuals under the DPA?E. What is the right of subject access?F. How do staff identify a Subject Access Request underthe DPA?G. How will SIA staff deal with an SAR?H. If you want to make an SAR, what should you do?I. What if the information requested contains personaldata about another person?J. Under what conditions may disclosure be exempt?K. Can the SIA disclose personal information to a thirdparty?L. What can the data subject do if the SIA does notprovide the information?Annex AAnnex BAnnex CAnnex DData Protection PrinciplesOther Relevant Legislation[NB: Under Review]Draft Letter – Refusal to Supply Personal Informationunder the DPAPage 2 of 13

A. SummaryThis guidance provides SIA staff with an understanding of their obligations under the DataProtection Act 1998 (the DPA) and their role in dealing with requests for personalinformation (or personal data as it is defined in the Act). It also explains how to make arequest for personal data under the DPA.The DPA gives individuals various rights with regard to their personal data, central to thesebeing the right of access to information. The Act also requires public authorities to abide byeight principles when processing personal data.The Data Protection Officer (DPO), who will normally manage all requests for personaldata, will contact appropriate staff in each area to undertake a search for information asrequested. Staff will need to adhere to strict time limits in completing the search andforwarding their results, in order to meet legislative timeframes for responding to requests.Information requests received by the SIA must meet the conditions specified in Section Hbefore processing can commence. The statutory timeframe for reply of 40 calendar daysdoes not start until these conditions are met.The DPO must be consulted if staff consider that the information being requested may beexempt from disclosure. Each instance where an exemption may apply will be consideredon a case by case basis.Additional factors must be considered when dealing with information requests which involvethird parties (where either the information requested by an individual makes reference to athird party, or the request itself is made by a third party about a specific individual).B. IntroductionThis guidance aims to set out SIA <strong>policy</strong> and procedures for dealing with requests forinformation under the DPA. The SIA is a data controller for the purposes of this Act. It alsoaims to provide assistance in how to identify a request under the DPA, and whenexemptions from disclosure may apply.SIA staff will be made fully aware of the information provided in this guidance as theresponsibility to ensure our activities comply with the DPA rests with each staffmember. Staff should follow this guidance when disclosing any information held by the SIA,so that a consistent approach is adopted.The DPA primarily seeks to protect personal data from unnecessary use and disclosure,and ensures individuals are made aware of and have control over the extent to which theirpersonal data are used or disclosed. The data protection principles, which must be appliedin order to process information lawfully, are provided at Annex A. The DPA took effect from1 March 2000.Processing and disclosure of personal information held by the SIA is also governed by theHuman Rights Act and the common law Duty of Confidence. Background to these statutesare provided at Annex B.The DPA requires that data controllers register all uses of personal data throughNotification to the Information Commissioner. The SIA’s Notification has been included on apublic register and can be searched on the Information Commissioner’s website(www.informationcommissioner.gov.uk). Any changes to the way SIA staff processpersonal data must be notified to the Information Commissioner within 28 days, by law.Staff are to discuss with the DPO any proposals for such changes as a matter of priority,but in any case prior to any changes being introduced.Page 3 of 13

For further guidance or advice on any of the matters addressed by this guidance, pleasecontact the SIA’s DPO (contact details provided at paragraph 50).C. What information is covered under the DPA?The DPA applies to all personal information or data held by the SIA.Personal data is information about a living individual who can be identified from that data orother available information. A reference to a person’s name on its own may not be sufficientto qualify the information as personal data. It must name and directly refer to the individualsuch that that individual is the focus of the information. Personal data does not coverinformation about companies.Some personal data are classified as ‘sensitive’, and additional conditions apply whenprocessing it. Sensitive personal data relate to a person’s:• race or ethnic origin• political opinions• religious beliefs• trade union membership• physical or mental health or condition• sexual life• alleged or committed offences, or proceedings about such offencesPersonal data falls within the scope of the DPA if it is automatically processed (ie.computerised, including email, CCTV and text messages), or is held manually (ie. paperfiles) as part of a relevant filing system, which is a system that:• relates to a set of information about an individual;• is structured by either reference to individuals or reference to criteria relating toindividuals; and• makes specific information about a particular individual readily accessible.It is important to remember that since 1 January 2005, unstructured manual records whichcontain personal data may be captured and disclosable under the Freedom of InformationAct 2000. However, it is useful to note that obligations under the DPA are slightly differentto those under the FOIA (for instance, the timeframes for response and exemptionsavailable).D. What rights are afforded to individuals under the DPA?The DPA gives individuals rights about how their personal data may be processed,including a right of access to that information. These rights can be summarised as follows:• the right of subject access• the right to prevent damage or distress caused by processing• the right to prevent direct marketing• the right to prevent fully automated decision taking• the right of redress - compensation, rectification, blocking or erasure• the right of recourse to the Information CommissionerE. What is the right of subject access?An individual’s right to access information held about them (the subject of the data isreferred to as the data subject in the DPA) is provided for under section 7 of the DPA. Thisright entitles individuals:Page 4 of 13

• To be told whether the SIA, or a representative on behalf of the SIA, is processingpersonal data about that individual (where processing includes collecting, holding,storing, recording, disclosing, destroying or otherwise using that information).• If personal data are being processed, then that individual is to be given adescription of:ooothe personal data;the purposes for which the data are or will be processed;the parties to whom the data are or may be disclosed.• If processing is occurring, to also be given an adequately explained form of:oothe information constituting any personal data (a copy of the informationmust be provided unless it would involve disproportionate effort or theindividual agrees otherwise);the source of the information, if known.The following sections describe how the SIA will fulfil its obligation to provide data subjectsaccess to information about them, and includes the circumstances under which access maybe refused or restricted (see section J).F. How do staff identify a Subject Access Request under the DPA?A request for information made under the DPA is known as a subject access request(SAR). However, a person need not make any specific reference to the DPA in order for theSIA to treat their request as an SAR. The information requested must simply fall within theremit of personal data, as defined by the DPA (see section C).The SIA is not obliged to provide any information unless:• the SAR is made in writing (including in electronic form);• it is accompanied by any required fee (a maximum fee of £10 has been prescribedby legislation and the individual will be informed if payment of the fee is required);• the SIA is satisfied with the identity of the person requesting the information;• sufficient information to locate the information has been provided.If further information is required to confirm a person’s identity or to locate the informationrequested, the SIA will inform the individual of the requirement for that further information.G. How will SIA staff deal with an SAR?All SARs are to be referred from the SIA’s managed service provider to the SIACorrespondence Handling Team (CHT) upon receipt. The DPO will also be kept advised ofall SARs and must be notified where an exemption is employed. Each SAR will be loggedto ensure they are effectively managed and checked for completeness before contactingrelevant staff members to undertake a search for the requested information. A checklist foridentifying a complete SAR and how to process it is shown at Annex C.Staff members contacted will prioritise any work related to SARs received by the SIA,subject to other work deadlines. In any case, all SIA staff will complete a search within fiveworking days, unless otherwise agreed with the DPO or CHT. Staff will be given a clearindication of the search they will be required to carry out, and it is likely that an SAR willaffect more than one SIA team. Search results are to be forwarded to the CHT, to enablethem to prepare a response to the data subject (with advice sought from the DPO asnecessary). Contributing staff will check and approve responses prior to despatch.Page 5 of 13

SARs should be addressed to:Data Protection OfficerThe Security Industry AuthorityPO Box 9Newcastle Upon TyneNE82 6YXFax: 08702 430 125Email: info@the-sia.org.ukA template for making a request for information is available on the SIA’s website. It can befound on the ‘Freedom of Information’ page.SIA staff are also entitled to submit an SAR. These should be made on the SAR formprovided in the Staff Handbook (see Appendix M of that handbook).I. What if the information requested contains personal data aboutanother person?Where an SAR covers information which relates to persons other than the data subject (athird party), the usual data protection rules will apply to the information about that thirdparty. In such circumstances, the SIA is not required to give access to the information,except where:• the third party has given consent to disclosure of their personal data to the personmaking the SAR; or• considering all of the circumstances, it is reasonable to make the disclosure withoutthe third party’s consent. The criteria specified in the DPA are:• any duty of confidentiality owed to the third party;• any steps the SIA has taken to seek consent;• whether the third party is capable of giving consent; and• any express refusal of consent by the third party.If the SIA considers it unreasonable to make the disclosure and consent is not given, theSIA must take steps to make as much information as possible available without revealingthe identity of the third party (eg. by removing all identifying particulars such as name).J. Under what conditions may disclosure be exempt?Where personal data are processed for certain purposes, exemptions under the DPA mayapply. However, many of these exemptions are conditional and are subject to a prejudicetest. They may only be applied on a case by case basis. Staff must therefore consult withthe DPO should they consider that an exemption may apply to any specific case.Exemptions under the DPA are available for several purposes, including the following:• the prevention or detection of crime or prosecution of offenders• the assessment of any tax or duty• the discharging of regulatory functions, where such functions are likely to beprejudiced (such as in licensing staff engaged in the private security industry)• unstructured manual personal data• information available by enactment• disclosures required by law or in connection with legal proceedings• parliamentary privilege• management forecasts and corporate financePage 7 of 13

Data Protection PrinciplesThe eight data protection principles (DPPs) underpin the DPA and must be followed whenprocessing personal data (except where an exemption applies).The DPPs listed in Schedule 1 of the Act are:1. Personal data shall be processed fairly and lawfullyThe requirement that processing is ‘lawful’ means that it must be in accordance with allrelevant rules of law whether derived from statute or common law.The requirement that processing must be ‘fair’ means that individuals must have, beprovided with, or have made readily available to them, certain information. This informationrelates to the purpose or purposes for which the data are being or may be processed, theidentity of the person or organisation (or its representative) who will be carrying out theprocessing, and any other necessary information.In addition to meeting the ‘fair and lawful’ tests, when processing personal data at least oneof the conditions in Schedule 2 of the Act must be met. A key condition is where the datasubject has given consent to the processing, but other conditions are where the processingis in the legitimate interests of the SIA or a third party to whom the data are disclosed,where processing is connected to legal or contractual obligations, the processing is in thevital interests (ie. life or death) of the data subject, and the processing occurs in connectionwith the administration of justice, the functions of the Crown, a Minister of the Crown, or agovernment department, or functions imposed through any enactment.Where data are sensitive (as per paragraph 15), then at least one of the additionalconditions in Schedule 3 of the Act must also be met. Conditions for processing sensitivepersonal data require an additional level of preciseness than for personal data. Keyconditions are where the data subject gives his/her explicit consent (eg. signed consent), orwhere the data subject has taken deliberate steps to make the information public. Otherconditions which may apply to the SIA cover processing information in connection with legalrights and proceedings, the administration of justice, the vital interests of the data subject oranother person, the functions of the Crown, a Minister of the Crown, or a governmentdepartment, and functions imposed through any enactment.In addition, processing of sensitive information may also occur under conditions outlined inthe Data Protection (Processing of Sensitive Personal Data) Order 2000. The primaryconditions which may apply to the SIA are where processing is in the substantial publicinterest and is necessary to prevent or detect crime, or is necessary for the discharge of apublic function designed to protect members of the public against a person’s seriouslyimproper conduct or incompetence.Note also, that even if all conditions under the first DPP are met, processing would not befair and lawful unless it meets all other DPPs and legislative obligations.2. Personal data shall be processed for specified purposesPersonal data should only be processed for the purpose or purposes for which it wascollected or obtained. When any member of the public is asked for personal data, theyshould be informed as to the purpose or purposes for which that data will be processed.No processing is permitted outside those purposes notified to the InformationCommissioner in the SIA’s notification (a copy of which can be found on the InformationCommissioner’s website under ‘Public Register of Data Controllers’). The SIA’s notificationPage 9 of 13

is reviewed regularly, and the SIA is able to amend it to take account of any changes thatmay occur. Any change to the purpose for which information is processed, including all newprocessing of personal data, should be cleared through the DPO.3. Personal data shall be adequate, relevant and not excessiveAll personal data should be sufficient to allow SIA staff members to undertake their work,but should not contain more information than is strictly necessary.4. Personal data shall be accurate and up to dateAs far as practical, personal data should be accurate and up to date to ensure that thepurpose for the processing can be effectively undertaken. The onus will be on licenceapplicants to contact the SIA to keep their personal information up to date.5. Personal data shall not be kept for longer than is necessaryPersonal data should only be kept for as long as there is a business or operational need todo so. The SIA has put in place data retention guidelines for all personal data, and theseguidelines will form part of the SIA’s Records Management Policy.6. Personal data should be processed in accordance with the rights of datasubjects under the ActSections D and E fully outline the rights of data subjects under the Act.7. Personal data shall be kept securePersonal data must be processed (including stored) with a degree of care appropriate tothe sensitivity of the data, so as to prevent accidental loss, theft or other unauthorisedaccess, destruction of, or damage to personal data. Representatives processing personaldata on behalf of the SIA such as BT, must also abide by this principle.8. Personal data shall not be transferred outside the EEAPersonal data must not be transferred outside the EEA (the 15 EU states plus Iceland,Norway and Liechtenstein), unless that country or territory ensures an adequate level ofprotection for the rights and freedoms of data subjects in relation to the processing ofpersonal data. Exemptions where this principle does not apply are outlined in Schedule 4 ofthe Act, and they cover similar areas to the conditions outlined under Schedules 2 and 3.Page 10 of 13

Under ReviewPage 12 of 13

Draft Letter Refusal to Supply Personal Information under the DPADear [insert name]You wrote to us on [insert date] with a request to supply information that the SIA holdsabout you, in relation to [insert subject].I regret to inform you that the Security Industry Authority is unable to comply with yourrequest for information under the Data Protection Act 1998.[insert free text / reasoning as appropriate]Yours sincerely,[insert DPO contact name]Data Protection OfficerPage 13 of 13