Freedom of Information and Data Protection
Presentation by
Rishi Maharaj
Freedom of Information
“Information is the Oxygen of democracy. If people do not know what is happening in their society, if the actions of those who rule them are hidden, then they cannot take a meaningful part in the affairs of that society”
Freedom of Information
• The FOIA enshrines the concept that information collected and generated by government, is a resource of the people, for the people and is to be accessible as freely as possible by the people.
• The Act should not displace formal procedures for access to information but should be regarded as a legislative “last resort.”
Exempt Documents (Section 24)
There are eleven (11) exemptions
It is important to note that exceptions are not absolute.
Public authorities are required to give consideration to the public interest in determining whether access should be given to exempt documents.
Exempt Documents (Section 25)
• 25. (1) A document is an exempt document if it contains information, the disclosure of which would be likely to prejudice the defence of the Republic of Trinidad and Tobago.
• (2) A document is an exempt document if it contains information, the disclosure of which would be likely to prejudice the lawful activities of the security or intelligence services.
Exempt Documents (Section 28)
A document is an exempt document if its disclosure under this Act would, or would be reasonably likely to –
a) prejudice the investigation of a breach or possible breach of the law or prejudice the enforcement or proper administration of the law in a particular instance;
b) prejudice the fair trial of a person or the impartial adjudication of a particular case;
c) disclose, or enable a person to ascertain, the identity of a confidential source of information in relation to the enforcement or administration of the law;
d) disclose methods or procedures for preventing, detecting, investigating, or dealing with matters arising out of, breaches or evasions of the law the disclosure of which would, or would be reasonably likely to, prejudice the effectiveness of those methods or procedures; or
e) endanger the lives or physical safety of persons engaged in or in connection with law enforcement or persons who have provided confidential information in relation to the enforcement or administration of the law.
Public Interest Test (Section 35)
• Notwithstanding any law to the contrary a public authority shall give access to an exempt document where there is reasonable evidence that significant:
– Abuse of authority or neglect in the performance of official duty; or
– Injustice to an individual; or
– Danger to the health or safety of an individual or of the public; or
– Unauthorised use of public funds
has or is likely to occur.
Public Interest Test (Section 35)
• An important thing to note about this test is that it has a presumption in favour of disclosure.
• The burden is on the public authority to show that the public interest in withholding the information is greater than the public interest in disclosure.
Members of the Public Have Rights
• Response within 30 calendar days
• Remedies:
– Ombudsman (Section 38) (21 days)
– Judicial Review (Section 39) (3 months)
Data Protection
Whilst citizens have a right to information about their Government, as recognised & facilitated by FOIA, this right must be balanced with the rights of individuals to have their personal privacy maintained & respected.
Overall, what does the Data Protection Bill* set out to do?
This legislation provides for the protection of personal privacy, and the information of individuals which is in the custody or control of an organization, whether public or private.
* Note – the Bill is currently before a JSC of Parliament that will result in various amendments
Why is the Protection of Personal Information necessary?
• Privacy has long been understood to have a value in a civil society that respects inherent rights & values of mankind
• T&T Constitution enshrines the right to privacy
• Universal Declaration of Human Rights states that privacy is a fundamental human right
• Privacy is an important element in the control of electronic activities such as unsolicited marketing & spam
Why is the Protection of Personal Information necessary (cont’d)?
Privacy protection is also important in:
• Developing confidence & trust in electronic commerce
• Reducing electronic crime
• Enabling Trade
Why is Government’s role in this protection critical?
Because:
• Public Authorities are the primary holders of personal information in the country, using the power of the State to collect such info
• Gov’t has a leadership role in developing a new ethic & way of thinking about personal privacy, and alerting & educating citizens & consumers to the areas in which their privacy may be compromised
Aim of the DP Bill
The Bill aims to ensure that personal information shall not be disclosed, processed or used other than for the purpose for which it was collected, except with the consent of the individual and where exemptions are clearly defined.
Aim of the DP Bill cont’d
• Note that the Bill aims to balance personal information needs with broader public interest needs such as law enforcement, security and public health, as identified in the exemptions.
Who will be affected by this Legislation?
• Every citizen and resident of T&T;
• All Public Authorities; as well as
• Private Enterprises, through either voluntary or mandatory codes of conduct to be developed in conjunction with the Data Commissioner.
What is meant by ‘Personal Information’?
Personal Information means information about an identifiable individual that is recorded in any form. Such Info includes:
• Info re race, ethnicity, religion or marital status
• Info re education, medical, criminal or employment history; or info relating to financial transactions in which the individual has been involved;
• Any identifying number or symbol e.g. Identification Card No. or Driver’s Permit No.
• Fingerprint, DNA or blood type
What is meant by ‘Sensitive Personal Information’?
This refers to personal information on a person’s:
• Racial or ethnic origins
• Political opinions
• Religious beliefs or other beliefs of a similar nature
• Physical or mental health condition
• Sexual orientation or sexual life; or
• Criminal or financial record
The General Privacy Principles
These establish norms & requirements for the physical & electronic security of Personal Information. They mandate:
• Identification by the organisation of the purpose for which it was collected before or at time of collection
• Individual’s knowledge & consent required for collection, use or disclosure of the pi.
• Collection to be legal and limited to what is necessary in accordance with the identified purpose
The General Privacy Principles
• Organisations are to make available to individuals documents re their policies & practices related to the management of personal info (except where otherwise provided by law)
• To enable individuals to verify the accuracy & completeness of their info, organisations are to disclose on request all docs. re the existence, use & disclosure of their pi.
The General Privacy Principles
• Retained only for as long as is necessary for purpose collected & not disclosed for purposes other than purpose of collection w/o individual’s prior consent
• It shall be accurate, complete and up-to-date
• To be protected by such appropriate safeguards necessary in accordance with sensitivity of the info
The General Privacy Principles
• Individuals have the right to challenge organisation’s compliance with the GPP & receive timely & appropriate engagement from the organisation
• Re foreign requests – pi that is requested to be disclosed outside T&T is to be regulated. Comparable safeguards to those under the DP Bill are to exist in jurisdiction receiving the pi.
Clause 6
Collection of personal information
Personal info may not be collected by a PA unless:
• The collection of that info is expressly authorized by or under written law;
• Info is collected for the purposes of law enforcement; or
• That info relates directly to & is necessary for an operating programme or activity of the PA.
Clause 30
Collection of Personal Information cont’d
PA to ensure that individual from whom it collects personal info or causes pi to be collected is informed of:
a) Purpose for collecting it;
b) The legal authority for so doing;
c) The title, business address & telephone no. of official/employee/PA who can answer individuals’ questions about the collection
Clause 32
Collection of Personal Information cont’d
The prerequisite of informing of purpose for collection does NOT apply if compliance would:
a) Result in collection of inaccurate info;
b) Defeat the purpose or prejudice the use for which the info is to be collected;
c) Prejudice a law enforcement matter; or
d) Prejudice T&T defence, or that of a foreign state allied with us, or harm the detection of espionage, sabotage or terrorism.
Right of Access by Individual to PI
• Every T&T citizen and resident has a right to Personal Info about them in a personal information bank in PA’s custody & control;
• Request to be made on a prescribed form;
• PA Head may refuse disclosure of the PI if:
a) Disclosure constitutes an unjustified invasion of another’s personal privacy
b) It is a correctional record that could reveal info supplied in confidence;
Right of Access by Individual to PI
• It is evaluative or opinion material compiled for determining eligibility or qualifications for employment or for the award of government contracts where disclosure would reveal the identity of a source who furnished info to the institution;
• A disclosure would result in disclosure of info that is exempt from disclosure under Clause 42
Data Sharing & Data Matching
Government is subject to specific responsibilities re data sharing and data matching that recognize the importance of Government as a primary holder of info about individuals
Where a PA intends to share info with other PAs, it shall do so only pursuant to an agreement in a manner prescribed by the Commr. by Order
Clause 49
Data Matching
• The comparison, whether naturally or by means of any electronic or other device, of any data that contains personal information about individuals with other documents containing personal information about individuals for the purpose of producing new forms of information about individuals
Data Matching Cont’d
• Before a public authority matches personal information from a set of data with personal information from another set of data, whether or not pursuant to an information sharing agreement, the public authority shall obtain the written authorization of the Commissioner.
Clause 50(1)
Data Matching Cont’d
• The Data Commr. has 60 days to determine the data matching request.
• If he does not complete within 60 days, the public authority may apply to the Minister for a determination of the matter
Clauses 50(3) & (5)
Data Matching Cont’d
• And the DC can impose whatever terms and conditions considered appropriate
Clause 50(4)
• In giving his authorization, the DC may give covering authorization to allow the matching of data where such matching is part of a system of practice approved by him
Clause 50(6)
What will DC consider in determining whether to allow DM?
Whether:
1. Objective of matching programme relates to matter of significant public importance;
2. Matching programme would achieve significant & quantifiable monetary savings or other sig. societal benefits;
3. Public Interest in allowing the matching programme outweighs public interest in adhering to the GPP
When may Personal Info be disclosed?
12 Instances under Clause 42:
(a) For purposes for which info was collected/compiled by the PA
(b) For any purpose in accordance with any written law or any order made pursuant to such written law that authorizes such disclosure;
(c) For the purpose of complying with subpoena/warrant issued or order made by a court, person or body with jurisdiction to compel production of info. or for the purpose of complying with rules of court relating to the production of information;
(d) To the AG for use in legal proceedings involving the State;
(e) To an investigative body specified by the Minister by Order, on the written request of the investigative body, for the purpose of investigating compliance with any written law or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be provided;
When may Personal Info be disclosed? (cont’d)
(f) by 1 T&T law enforcement agency to another T&T law enforcement agency for the purpose of enforcement of a written law;
(g) to a law enforcement agency in a foreign country under an arrangement, a written agreement, treaty or under the authority of the GoRTT;
(h) if the head of the public authority agrees that a compelling circumstance exists that affects the health or safety of any person and if notice of the disclosure is mailed to the last known address of the individual to whom the information relates, unless the head of the public authority has a reasonable belief that providing notification could harm the health or safety of any person;
When may Personal Info be disclosed? (cont’d)
(i) so that the next of kin or friend of an injured, ill or deceased person may be contacted;
(j) for the purpose of collecting monies owing by an individual to the GoRTT or by a public authority to an individual;
(k) for statistical purposes where the disclosure meets the requirements of section 43; or
(l) for archival purposes where the disclosure meets the requirements of section 44.
PRIVACY IMPACT ASSESSMENTS
Ministries are required to prepare PIAs in the prescribed form for any:
• Proposed enactment
• System
• Project
• Programme or
• Activity
Clause 47(1)
PRIVACY IMPACT ASSESSMENTS Cont’d
• PIAs are to be submitted by every Ministry to the Data Commr for approval and evaluation in accordance with the GPP
• DC will make recommendations to the Minister for amendments
Clause 47(2)
PRIVACY IMPACT ASSESSMENTS Cont’d
Ministries are to take all reasonable steps in accordance with their PIAs to avoid unnecessary intrusions into personal privacy when designing, implementing or enforcing enactments, systems, projects, programmes or activities.
Clause 47(5)
Data Protection Act and the Financial Intelligence Unit
• Under the former S 55(3) of the Proceeds of Crime Act 2000, financial institutions made reports of suspicious activity or transactions to a designated authority i.e. lawyer, police officer, etc, usually a single entity.
• The Proceeds of Crime (Amendment Bill) 2009 repealed section 55(3) & introduced the Financial Intelligence Unit (FIU).
• The FIU as the new designated authority functions as a body, rather than a single entity, in receiving reports of suspicious activity from financial institutions or listed businesses.
Data Protection Act and the Financial Intelligence Unit
• The FIU, upon receiving a suspicious activity report, may enter into the premises of any financial institution….to inspect any business transaction record etc. S 55 (7).
• The FIU does not have the authority to enter the premises of public authorities, only financial institutions, hence the identifiable scope of the Data Commissioner.
• The Data Commissioner, under clauses 19, 20 and 21 of the DP Bill respectively, has powers to enter premises to conduct inspections in both public and private authorities.
• The Office of the Data Commissioner can therefore assist the FIU in combating criminal activity where the FIU is limited in function.
Data Commissioner and the Financial Intelligence Unit in Action
Consider the following practical example:
1. Person or business entity raises suspicion when it conducts a transaction with a financial institution or listed business.
2. Financial institution or listed business, having reasonable grounds, reports the suspicious transaction or activity to the FIU under the Proceeds of Crime Act.
3. FIU receives the suspicious activity report, which includes many forms of personal information, and deliberates on how to proceed. They may decide to conduct an inspection of the financial institution’s records by entering their premises; however, valuable information is at the suspect’s business but they do not have authority to enter such premises.
4. Data Commissioner, who has authority to enter both public and private authorities under the DP Bill, is contacted by FIU to assist where FIU has no authority.
The result is a combined effort between the FIU and the Data Commissioner in combating criminal activity.
This raises the issue of data sharing. Under 55 (8) of the Proceeds of Crime Act, all documents received by FIU in the course of their duties are considered confidential; however, the Minister has authority to amend this under 55 (10). Perhaps this can be amended to accommodate the Data Commissioner’s Office.
KEY TO REMEMBER
Important that the Ministry of National Security’s data banks & use of personal information be subject to a transparent & accountable regime with the objective of balancing personal information protection needs with the broader public interest requirements.
Useful Links
• FOI Act on Legal Affairs Website: http://rgd.legalaffairs.gov.tt/Laws/Alphabetical%20List/Alphabetical%20List.htm#F
• DP Policy of T&T on Fastforward website: http://www.fastforward.tt/files/cms/Data%20Protection%20-%20Final%20Document.pdf
• Data Protection Bill on Parliament’s Site: http://www.ttparliament.org/publications.php?mid=28&id=522
THANK YOU FOR YOUR ATTENTION