Course Features

Short day session 10am - 3pm

Experienced instructor

Record of attendance

Public schedule

In-company options

What is the connection between FOI and data protection?

The right to access information about the activities of public authorities is established under the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 2004 (EIR). Under FOIA and EIR, public bodies are required to disclose requested information unless there is a good reason for it being withheld. At the same time, the legal framework governing how organisations can collect, store and use personal information is provided by the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18).

Understanding the relationship between information access and data protection laws is vital for public sector information management. Public authorities often receive requests for personal data belonging to individuals other than the requester, known as third-party data under Section 40 of the FOIA and Regulation 13 of the EIRs. To comply with UK data protection laws, information access professionals must follow the correct process to ensure that any personal data of third parties is either released or withheld appropriately. In many situations, the processing would likely not be lawful, fair, or transparent under Article 5(1)(a) of the GDPR without the consent of the other parties.

In reality, the risk of personal data breaches arising from FOI responses remains a significant concern. In 2023, a string of incidents involving spreadsheets with hidden personal data of third parties were unintentionally released through the FOI information-gathering process.

Course Overview

This detailed one-day course is intended for individuals with prior experience working with FOIA and EIR requests. The course explores the connections between third-party personal data requests under Section 40 of the Freedom of Information Act 2000 (FOIA) and Article 5(1)(a) of the UK General Data Protection Regulation (GDPR), along with considering how to identify the appropriate legislation to apply.

The course also provides clarity and guidance concerning what information can be released and looks at measures to prevent hidden data from inadvertently being released on request.

Course Costs

Book this 1-day course on FOI & third-party personal data:

£395 + VAT

Package includes:

Short, 1-day live online training course
1-day in-company training options
Experienced instructor
eBook course manual (see here for eBook features & print options)
Full course PowerPoint presentation

Book now

Intended Audience

This one-day course on FOI & third-party personal data is suitable for those individuals with the following roles or responsibilities:

Freedom of Information officers
Environmental Information Regulations officers
Information Governance professionals
Governance, Risk and Compliance (GRC) professionals
Records Managers, Archivists and Librarians
Data Protection Officers working within the public sector
Press and Communications officers working within the public sector
FOI officers within sectors carrying out public functions or services
FOI officers within relevant public-private partnerships

Course Contents:

Right of Access
The Freedom of Information Act 2000 (FOIA) principles and scope
Section 84 of the FOIA:
- Held information
- Not Held by a public authority
- Restricted disclosures
- Information and personal data
- Requests for third-party personal data vs. subject access requests (SARs) under UK General Data Protection Regulation (GDPR)
- Privacy responsibilities for datasets under FOI and EIR
Data Protection Act 2018 (DPA18) amendments to FOIA
Section 40 FOIA: Third-party data:
- Absolute exemptions
- The Prejudice (Harm) test
- The Public Interest Test
- Third party-data
- Legitimate Interest and Legitimate Interest Assessments (LIAs)
Datasets and hidden third-party personal data
ICO warning against using spreadsheets
CSV files, pivot tables, macros and equations

Book Now

PRIVACY CULTURE

FOI & Third-Party Personal Data