FOIA AND COMPUTER LAW

FOIA and computer law



FOIA and computer law

Question 1)

Introduction

The Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 ("the Acts") came into full force on 1 January 2005, giving individuals a statutory right for the first time to see a huge amount of information held by Government departments and public bodies. The Data Protection Act ("DPA") has traditionally provided individuals with a right of access to information held about themselves, the new Acts extend this right to cover information about third parties as well as any other information that may be held by the public authority.

Under the Acts, anyone of any nationality, and living anywhere in the world, can make a written request for information, and expect a response within 20 working days. The public authority will be obliged to meet that request subject to a number of specified exemptions and certain practical and financial constraints.

The Acts impose a substantial burden on those responsible for administering freedom of information (FOI) requests in public authorities, with over 4,000 requests in the first month of operation. However it is not only public authorities that have been affected by the Acts. Whilst the primary impact of the Acts will be on public authorities, the Acts will have a knock on effect on companies dealing with public authorities.

Impact Risk of FOIA

The public sector employer is to a large extent caught between a rock and a hard place. Whilst the aim of the Acts is to increase openness in the public sector and disclosing information about decisions and activities of employees may promote this, it is recognized that employees also have legitimate concerns over privacy and rights to have those concerns respected. With this delicate balancing act, how should the employer prepare for requests made by third parties about their employees? They could consider the following factors:

Implement policies

The employer should draw up a policy setting out how it intends to deal with requests for employee information to provide a clear view of how information will be dealt with under the Acts. This policy should be made available to all employees and ideally published on the publication scheme (required under the Acts for all public authorities) for all to see. Policies could cover what types of information and in what circumstances information will or will not generally be disclosed and also what issues will be considered in determining whether to disclose employee information. Issuing this policy will help the authority to meet its DPA obligations to employees.

Know your information

Records management is important. Try to know what personal data you have. This will also be useful in dealing with subject access requests under the DPA and consider separating or flagging information at the point of collection or creation to information which is not exempt from third party requests and other information.

Raise awareness

One potential factor to consider when determining whether information should be disclosed is what the employee was told when the information was ...