Checklist for Compliance with DPA for Freedom of Information (Scotland) Requests
The Freedom of Information (Scotland) Act 2002 has created a general right of access to all recorded information that is held by the University. Whilst the Act is intended to promote openness and accountability within Universities, some information may be exempt from disclosure. Section 38 provides exemption from disclosure with respect to personal data as defined in the Data Protection Act.
The University is committed to a policy of adhering to the eight basic Principles of the DPA and protecting the rights and freedoms of individuals with respect to the processing of their personal data. The handling of personal data by the University, in the context of Freedom of Information Requests, must conform to this Policy.
Please work your way through all the points unless you conclude, after point 1, that the DPA does not apply to the information. Further information on the issues below is covered in the A to Z topics. If you are unsure at any stage, you must consult the Data Protection and Freedom of Information Office to ensure compliance with the DPA.
- Check that you know what is meant by personal data and sensitive personal data. If the information does not contain such data then it is not subject to the DPA.
- If the request is focussed on information about the requester, then the request must be considered as a Subject Access Request and passed immediately to the Data Protection and Freedom of Information Office for processing.
- If the request is focussed on information about both the requester and other individuals, then the request might have to be treated as two separate requests: one as a Subject Access Request under the DPA and the other as a Freedom of Information Request. In these circumstances you must consult both the Data Protection and Freedom of Information Office and your Freedom of Information coordinator.
- The UK Information Commissioner, the regulator of the Data Protection Act and of the UK Freedom of Information Act, has ruled that if a Subject Access Request is made under the Data Protection Act then it is not possible to refuse the release of information by using any of the exemptions of the Freedom of Information [Scotland] Act. The exemptions may only be used in response to a Freedom of Information [Scotland] Act request.
- If the information contains sensitive personal data then it must NOT be released. If such information is already in the public domain, you must consult the University's Data Protection Officer.
- If the information relates to the non-University private life of any individual(s) then it should not be released unless the individual(s) have consented to the release. If any one individual is not the sole focus of the information, then the document may be released but must be subject to redaction. If redaction is not sufficient to protect the rights of the individual(s) whose personal data is contained in a document, then the document must NOT be released.
- If the information (a) does not contain sensitive personal data, (b) does not contain personal data related to non-University life, and (c) relates to the officially identified University role of any individual(s), such as a serving senior manager or Officer of the University, then the information may be released subject to redaction of any details that might involve his/her rights. An example would be an individual e-mail address or a mobile phone number.
- If the information has been supplied from outwith the University, for example within a procurement tender document or as an external examiner, you must consider (a) under what circumstances and/or expectations the data was supplied by the third party, and (b) whether consent has previously been requested, given or refused.
- In all cases you must consider the expectations of the individual(s) about disclosure of the personal data. If in doubt, seek the consent of the individual or consult both the University's Data Protection Officer and your Freedom of Information coordinator.
- In all cases you must consider whether the release of the personal data (a) still accords with the Data Protection Act requirement for fair and lawful processing of that information by the University, and (b) would cause unwarranted and substantial damage or distress to the individual.