Records Management Section
The University of Edinburgh Records Management Section
 

The Implications of Data Protection And Freedom of Information For Creating Records

Contents:

Why is this an issue?

1. The Data Protection Act 1998 and the Freedom of Information (Scotland) Act 2002 both give people rights of access to information held by the University.

2. The Data Protection Act permits people to see information that the University holds about them (including information in e-mails, on personal drives of computers, or on home computers if you work from home) if they make a subject access request. The Freedom of Information (Scotland) Act will give people the right to access any other recorded information that the University holds (again, including e-mails, information on personal or home computer drives or meeting minutes). The rights of access under the Freedom of Information (Scotland) Act will not come into force until 1 January 2005, but those rights will be retrospective and will apply to documents that you create now if they are still in the University’s possession in 2005.

3. Although both pieces of legislation include exemptions that will apply in certain circumstances, it is advisable to work on the assumption that all information you create will be accessible to somebody.

4. The Freedom of Information (Scotland) Act also requires the University to develop a publication scheme by 31 May 2004. This is a list of the types of information that the University will make available to the public as a matter of routine without waiting to receive an individual request. The University’s publication scheme will probably include documents such as the minutes and papers of key committees. Inclusion of an item in a publication scheme is a legally binding commitment to publish that information in its entirety to the timetable set out in the scheme. However, if your information is included in a publication scheme you do not have to respond to individual requests for information, so if you expect that an area of your work will attract a large number of individual requests, it will save you time if you include that work in the University’s publication scheme.

What is the purpose of this guidance?

5. This guidance is intended to highlight the issues you should consider when creating any University record, and it provides specific guidance on common document types that raise particular issues.

6. The aim is to ensure that you and your colleagues have the information you need to carry out your job, that the University has the official records it needs, and that we can respond quickly and easily to requests made under the Data Protection Act and the Freedom of Information (Scotland) Act.

Whose responsibility is this?

7. Individuals employed by the University are responsible for ensuring that their written communications are professional in tone and follow the general principles set out in this document.

What is a record?

8. For the purposes of this guidance, a record is ‘recorded information in any format’. It includes official University documents, references, e-mails, video recordings, photographs and even Post-It notes.

How does this guidance affect academic freedom?

9. It is not intended that this guidance should limit academic freedom; the ability to debate and examine contentious, uncomfortable or other difficult issues is an essential part of the University's mission. However, debate should be conducted in a professional manner which meets the requirements of the Data Protection Act, other relevant legislation and the University’s own Code of Professional Practice.

What do I need to think about when creating a record?

10. Before creating the record, consider the purpose of the record. Ensure that you include all the information necessary to achieve that purpose, but do not include extraneous information.

What should I do when writing about an identifiable, living individual?

11. As well giving people the right to see the information we hold about them, the Data Protection Act also requires us to ensure that the information we hold about identifiable, living individuals is relevant, accurate but not excessive. The following points will help you to achieve this in documents you create (all the examples are based on real situations):

  • Do not include irrelevant information. For example, when giving an academic reference it is unlikely to be necessary to comment on a person’s health, financial position or personal circumstances unless they have a direct bearing on the person’s academic achievement.
  • Clearly differentiate between matters of fact and opinion. For example, say, ‘In my opinion, this person has difficulty mixing with others’, rather than, ‘This person cannot mix with others’.
  • Do not express opinions that you are not prepared to defend, or which you cannot substantiate. For example, do not say, ‘This person has no personality whatsoever’; this clearly cannot be substantiated.
  • Do not express opinions in areas where you are not qualified. For example, do not say, ‘This person has a personality disorder’, unless it is relevant and you are qualified medical practitioner in a position to make such a diagnosis, or you know that a qualified medical practitioner has diagnosed the condition. It might be acceptable in some circumstances to say, ‘I am concerned about the mental health of this person’ but only if it is relevant to the matter under discussion.
  • Always be sure of the facts. Do not say, ‘This person has no archival research experience’ if you do not know the full details of their career. Instead say, ‘While this person was studying with me they did no archival research’, or, ‘To my knowledge, this person has no archival research experience’.
  • Do not write in anger or in haste. This is particular danger with e-mails because of the immediacy of e-mail as a means of communication. Do not say, ‘This clod should be horse-whipped’. Wait and write once you have calmed down.
  • Always speak respectfully of the person, even when expressing negative information. For example, do not say, ‘This student is the weakest link. Goodbye’. Say, ‘This student’s performance falls significantly below the standards required for this course and we cannot allow them to continue their studies’.

What do I need to think about when providing a reference?

12. The University will develop a policy on references at a later date. In the meantime, please take the following into account whenever you are asked to give a reference.

13. The Data Protection Act states that if you are somebody’s referee then you are not required to provide a copy of the reference to its subject, even if they make a subject access request. However, the organisation to which you provided the reference may be obliged to provide a copy of the reference to the data subject if they make a subject access request. In effect this means that individuals will probably be able to see what you say about them in a reference. In some cases, for example, peer review, access may be provided by removing details of who gave the reference but releasing the text of the reference.

14. You should write your reference on the assumption that the data subject will be able to see what you have said about them. This does not mean that you cannot give an honest reference; the individual’s right to see what you have written about them simply enhances the robustness of the reference process.

15. Do not provide an oral reference; it is probable that the recipient of the reference will make some sort of a record of the conversation, either by recording it formally or by referring to it in notes, e-mails or correspondence. If the candidate later challenges the fairness of the process, the parties involved will need evidence that they followed best practice. An oral reference will seem suspicious regardless of whether or not it was a material factor in the decision.

16. Please see the section on writing about identifiable living individuals for the kind of thing to bear in mind when writing the reference.

What do I need to say if I ask someone to provide a reference?

17. The University will develop a policy on references at a later date. In the meantime, please take the following into account whenever you ask for a reference.

18. In many circumstances, a reference will qualify as personal data within the meaning of the Data Protection Act. Data subjects have a right to see the personal data that we hold about them, and this may include references we have received. Therefore, when you ask for a reference about somebody, you must not give undertakings that this reference will be kept confidential as we may sometimes be required to disclose a reference to its subject. Instead of asking for a ‘confidential reference’, simply ask for a reference, and go on to say,

‘The Data Protection Act gives individuals the right to receive copies of the information we hold about them unless particular exemptions apply. These exemptions include an exemption for information involving third parties where the third party’s interest in the data remaining confidential is greater than the data subject’s interest in receiving the data. Please indicate whether or not you object to the disclosure of your reference to the person concerned. If you do object, please also give an explanation of the reasons for your objection. We will take this into account if the person makes a subject access request. The person has the right to challenge any non-disclosure decisions that we make, so we cannot guarantee that the reference will not be disclosed. However, we will ensure that your views are put forward in any discussion about the matter.’

19. You should not rely on an oral reference alone; if the candidate later challenges the fairness of the process we will need evidence to demonstrate that it was conducted in line with best practice. An oral reference with no record of its contents will seem suspicious regardless of whether or not it was a material factor in the decision.

What issues should I think about when writing an e-mail?

20. E-mails are as much an official communication as is a letter, memo or a fax. Your e-mails may be disclosed in response to a data protection request, a freedom of information request, or in legal cases. Much litigation now stands or falls on the basis of e-mail evidence. Electronic messages can be legally binding; contracts can be set up via e-mail and the University may be held liable for defamatory statements in e-mails For these reasons, do not say things in e-mails that you would not say in other forms of written communication.

21. Try to restrict an e-mail to one topic, and do not mix personal and University matters in one e-mail. When involved in a discussion, try not to drift off the original topic. This will make your e-mail easier to manage, and will mean that you will not have to spend time blanking out information if we receive a request for that e-mail.

22. When replying to an e-mail, do not do so by annotating the text of the previous e-mail; send a completely new e-mail. The meaning and context of annotated e-mails might be clear at the time of writing but it becomes unclear over time, particularly for users who were not involved in the original discussion or if the e-mail is migrated into a different format to preserve it as a University record. For example, it can often be difficult to tell who said what as differences such as changes of font or colour might not survive migration between systems. If an e-mail written in this way were disclosed in response to a request for information, this could lead to the writer’s intentions being misinterpreted.

23. The University’s computing regulations allow small-scale personal use of University e-mail facilities (as a privilege and not a right). The regulations also state that in some circumstances the University may need to access data or computer files. This would include personal e-mails that you have sent or received. Clearly mark your personal e-mails as such (for example, by beginning the title with the word, ‘personal’, or storing them in a folder called ‘personal’), as this will minimise the risk of University staff inadvertently accessing them, or of personal e-mails having to be disclosed in response to a subject access request. Please ensure that you only deal with genuinely personal material in this way; if there is reason to believe that work-related information has been marked as ‘personal’ to evade data protection or freedom of information requirements, we may have to access all your personal e-mails to identify that those that are really work related.

What issues should I consider when preparing meeting agendas and receiving papers?

24. It is advisable to divide meeting agendas into at least two sections – open business, which you would have no hesitation about releasing in response to a freedom of information request or under a publication scheme, and closed business. You may need to sub-divide closed business further as some information will be sensitive for much longer than other information. For example, some policy decisions might be sensitive while they are being considered, but that sensitivity declines once the decision is announced. On the other hand, information about matters such as the University’s IT security measures might remain sensitive for many years.

25. Structuring the agenda in this way will enable you to deal more easily with individual freedom of information requests, as it will make clear what information the University is cautious about releasing. It will also assist the University in compiling our publication scheme, as it might adopt different publication dates for open and closed business. For example, open business might be published within one month of the minutes being confirmed, while closed business might be released within a year.

26. If you classify particular items as closed business, you must be prepared to explain for which exemption they would qualify under the Freedom of Information (Scotland) Act. This could be done by requiring anyone submitting a closed committee paper to indicate on the cover sheet which exemption applies, and for how long the sensitivity is likely to endure. An example of a cover sheet can be found at Appendix one.

What issues should I think about when writing minutes of meetings?

27. Minutes of meetings can be intended to serve a number of different purposes. The purpose of the minutes affects the level of detail required in the minutes. For example:

  • If the purpose is simply to identify who agreed to do what, an action list will be sufficient.
  • If the intention is to provide an audit trail for University decisions and the reasons for those decisions, you should record the decision and the reason for taking that decision.
  • If the minutes are intended to communicate detailed information to people who were not present at the meeting, then a fuller record of what was said will be required. However, you should consider whether there are more accurate ways of communicating information than using meeting minutes, as errors can occur when one person is recording what another person said.
  • On occasion a particular committee is used as the sounding board for a new policy or approach.In those circumstances it would be sufficient for the minutes to record that the committee discussed the issue; the person working on the area should make fuller notes of the discussion.

28. Sometimes different sections of the same set of minutes are intended to serve different purposes, so it may be appropriate for different styles to be adopted within the same document.

29. For any minutes, you should consider whether it is necessary to identify people by name, or if it would be more appropriate to identify people by the role they are performing in that meeting. Some people might prefer it their names were not included in documents published under the University’s publication scheme or released in response to requests for information; the University’s recommended approach is to accommodate these preferences by not including their names in the document in the first place. This is particularly important if the minutes are due to be published on the Internet. In those circumstances, you must ensure that all committee members are aware of this and you must provide them with a mechanism for asking for their names to be removed. If any object to the inclusion of their names in the published minutes, this objection must be respected. See the guidance on Internet publication for further information about this.

30. This is particularly the case with minutes of boards of examiners, where the University has made a commitment not to reveal the views of individual examiners. Under data protection legislation students will be entitled to ask for anything said in the minutes about them, while freedom of information legislation will entitle them to any generic comments made in the minutes, for example, comments about the overall standard in the examinations under discussion.

31. The simplest way of ensuring that we do not release which examiner said what, is not to include this information in the minutes. For example, instead of saying ‘Professor Smith said that the candidate did not show enough originality of thought to qualify for a first’, say, ‘It was suggested that the candidate did not…’, or ‘An examiner said…’. It may not even be necessary to record the discussions in such detail, in which case approaches such as, ‘The candidate received a 2.I because he did not show sufficient originality of thought to qualify for a first’, are recommended.

What should I consider when creating documents which are included in our publication scheme?

32. We have a legal obligation to publish any information included in our publication scheme. If a document is due to be published under the publication scheme, do not include in it any information that you do not think should be published. For example, rather than refer to people by name, it might be more appropriate to refer to them by their role.

33. In some cases the publication scheme will limit the types of information that will be made available. For example, the publication scheme might say that the minutes of open committee business for a particular committee will be published within one month of the approval of the minutes, but that the minutes of closed business will be published at a later date, or not published at all. Alternatively the scheme might say that all information in the minutes will be published except for information which qualifies for particular exemptions set out in the Freedom of Information Act. If the scheme is limited in this way, and you decide to withhold certain pieces of information from publication, you must record how those items qualify for the exemptions set out in the publication scheme.

How should I deal with drafts?

34. For most documents there is no need to retain drafts once the final document has been approved. The only exception to this relates to the development of major policy initiatives where the drafting shows substantial changes in approach over time. In these cases you may need to keep the drafts to show for the record how the University’s approach developed and the reason why a particular option was eventually chosen.

What should I do now?

35. Review the approach that you adopt when you create records, particularly e-mails and references.

36. Secretaries and convenors of committees should consider which approach is most suitable for your committee and advise the committee accordingly.

What help is available?

37.  The University Records Management Section provides advice, guidance and training on data protection, records management and freedom of information issues. We can be contacted by clicking on the link below.

Author: Susan Graham
June 2003

If you have any comments or suggestions regarding these pages please e-mail them to us at recordsmanagement@ed.ac.uk
Terms and conditions, legal disclaimer and copyright information

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336

Page last updated: Monday March 12 2007