• Home
  • Login
  • Welcome to the Staff Intranet

Page: 1  2  3  4

 

3. Interaction with Other Legislation                    

 

   

3.1 Freedom of Information (Scotland) Act 2002 (FOISA 2002)

The Freedom of Information Act gives a general right of public access to all types of 'recorded' information held by public authorities, set out exemptions from that general right, and places a number of obligations on public authorities. FOISA applies only to Scottish public authorities (which includes Universities) and not to private entities. Both Data Protection Legislation and FOISA relate to aspects of information policy and overlap where personal information is considered for disclosure. The Scottish Information Commissioner oversees FOI in Scotland but the UK Information Commissioner (ICO) oversees data protection in Scotland.
 
Public authorities have two main responsibilities under these Acts:

  • They must produce a  'publication scheme', in essence, a guide to the information they hold which is publicly available
  • They must deal with individual requests for information. Under Data Protection Legislation individuals have a subject access right as regards their personal data, held on computer, and in some paper files. FOISA additionally permits individuals to request all other types of information that public authorities hold, subject to specific exemptions in the Acts

 

FOISA & Data Protection Legislation 

FOISA also extends the data subject access rights that exist under Data Protection Legislation, to include all "recorded information held by a public authority" not otherwise covered by Data Protection Legislation (in other words, any personal data not held on computer or in a relevant structured manual filing system). FOISA states that information is "held" by a public authority if:

  • It is held by the authority, otherwise than on behalf of another person, or
  • It is held by another person on behalf of the authority

While the FOISA amendments to Data Protection Legislation, in principle, make all personal data held by the University available to data subjects, regardless of the form in which it is held, there are important limitations upon the rights granted:

  • Recorded information held in manual form outside of 'relevant structured manual filing systems' by the University is exempt from all of the data processing principles and obligations, apart from the requirement of accuracy; rectification, blocking, erasure or destruction of inaccurate records; the subject access provisions; and the right to compensation for damage or distress
  • There is a partial exemption from the subject access provisions for the new category of data. This exemption is provided by dividing the new category of information into 'structured' and 'unstructured information'; and restricting access to the "unstructured information" to that which is described by the data subject and falls within specific costs limits
  • A final exemption for the new category of data absolutely exempts personnel matters (i.e. information about "appointments or removals, pay, discipline, superannuation or other personnel matters"). However, the fact an exemption exists under Data Protection Legislation does not mean that the University will have to use it.

 

 





Handling requests

A request by an individual for information about him or herself is exempt under FOISA and should be dealt with as a 'subject access request' under Data Protection Legislation. In certain circumstances, such a request may involve the release of associated third party information. Any information about an individual that is exempt from disclosure to them under Data Protection Legislation is also exempt under FOSIA, subject to consideration of the public interest by the University (qualified exemption).
 
Where an applicant specifically requests information about a third party, or where responding to a request for information would involve the disclosure of personal information about a third party, the request falls within the remit of the FOISA. However, the University must apply the Data Protection Principles when considering the disclosure of information relating to living individuals and must not release third party information if to do so would mean breaching one of the Principles.
 

 

Page: 1  2  3  4