Freedom of Information (Scotland) Act 2002 and the Data Protection Act 1998
Guidance for external members of University of Edinburgh bodies

Freedom of Information (Scotland) Act 2002 and data protection guidance for external members of University of Edinburgh bodies

Audience

This guidance is intended for all external members of University committees, such as the Audit Committee, and other, less formal bodies, such as appointments panels, who may keep information relating to their service on such bodies at home or at another location away from the University. An 'external member' is a person who is serving on a University body in a capacity other than as a paid employee of the University of Edinburgh.

Purpose

This briefing pulls out the key elements of data protection and freedom of information legislation as they apply to external members of University bodies.

Key Requirements

The University does not anticipate that freedom of information and data protection will have a significant impact on your role as an external member of a University committee or other body. However, to ensure that this is the case, please adopt the following measures:

You will gain access to University information on a confidential basis. You must not disclose the information to third parties, and can only use the information in connection with the activity that prompted its disclosure. If you wish to disclose the information or use it for other purposes, please check with the person who provided it to you.

Freedom of information and data protection laws give people the right to access University information. Please create clear and professional emails and other records as your contribution to the work of the University may have to be disclosed in response to an information request.

If anyone asks about information you hold in your capacity as a member of a University body, record the date the enquiry was received, and quickly pass the enquiry to the secretary of the body concerned.
If it is not possible to contact the secretary of the body, please contact Information Compliance Services. Speed is essential as the legislation prescribes tight response deadlines, which are calculated from the date that you received the enquiry. The secretary or Information Compliance Services will determine whether the enquiry is a freedom of information or data protection request and respond to it accordingly.

Ensure that you do not keep the only copy of a particular piece of information, document or e-mail arising from the work of the body concerned. If necessary, provide copies of the information to the body’s secretary. Should we receive a request for information, it will then be unnecessary to ask you to search your records.

Only keep copies of information that you currently need to fulfil your role. For example, if you do not refer to them regularly, there may be no need to keep a complete set of minutes and papers - you can obtain copies as necessary from the committee secretary.

At the end of your period of service, return any paper University of Edinburgh information to the University for disposal and delete any electronic information you may have, including e-mails. For example, if you are an external member of an appointment panel, give your papers to the panel secretary or recruitment organiser once the recruitment is complete.

Take appropriate security measures to protect University of Edinburgh information from loss or unauthorised access. The University’s information security guidance gives information about the types of measures that are appropriate.

Information security division guidance

Use appropriate methods to destroy information relating to your work on the body. While it would be acceptable to destroy paper copies of public domain information via normal domestic or workplace refuse, other paper information should be destroyed using confidential waste services or shredded.
If you do not have access to these facilities, please pass papers for destruction to the body’s secretary and they will arrange for their destruction. Please be aware that deleted electronic information can still be retrieved. If you have stored sensitive University of Edinburgh information on a non-University of Edinburgh device, please contact the body’s secretary for advice on how to delete this information securely.

Background

Data protection law and the Freedom of Information (Scotland) Act 2002 apply to all paper and electronic information created and received on behalf of the University, regardless of who has that information. As an external member of a University body you are acting on behalf of the University insofar as the work of that body is concerned. This means that any information that you hold pertaining to the work of the body is covered by the University's obligations under these two pieces of legislation.

A failure to comply with either piece of legislation could lead to reputational damage, regulatory action and contempt of court. There are also criminal offences associated with the deletion of information after it has been requested in an information request. If the University breaches data protection laws, it can be fined or sued.

About this guidance

Version control   Author/editor   Date           Edits made
4                 Sara Cranston   January 2019   Added link to Information Security Division guidance
3                 Sara Cranston   April 2018     Minor updates due to new data protection laws.
2                 Susan Graham    May 2012

This article was published on 2024-05-06