Blake Lapthorn's In-House Lawyer and Decision Maker's forum - 12 September 2013


Blake Lapthorn's Commercial Litigation team held a forum on Data Protection, on 12 September 2013 at Blake Lapthorn's Southampton office.


  1. In-house lawyer and decision makers’ forum – Data Protection Breakfast, Thursday 12 September 2013
  2. Introduction and Welcome – Susie Dryden, Partner, Blake Lapthorn
  3. Data Protection seminar
     – Recognising personal data and anonymisation
     – Overseas transfers of personal data and the cloud
     – Electronic marketing and cookies
     – Apps, social media and BYOD
     – The new Data Protection Regulation
     – Short case studies
  4. Recognising ‘Personal Data’ – Why is this relevant? The Data Protection Act 1998 (Act) will not be engaged if you are not processing personal data.
  5. Recognising Personal Data (2) – What is personal data? First, establish if the information is ‘data’. There are four categories of data:
     – Automatically processed data, or data recorded with the intention that it will be so processed
     – Data forming part of a ‘relevant filing system’
     – Data forming part of an ‘accessible record’
     – Data recorded by a public authority
  6. Recognising ‘Personal Data’ (3) – Secondly, establish if the data is ‘personal data’:
     – Defined in s1(1) of the Act as: “Data which relate to a living individual who can be identified: (a) from those data; or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.
     – “Living individual”
     – “Individual”
  7. Recognising ‘Personal Data’ (4) – Examples of personal data include:
     – Addresses, telephone numbers, job titles and dates of birth
     – Expressions of opinion about an individual
     – Indications of the intentions of the data controller or any other person in respect of the individual
     Sensitive personal data. Anonymised data is not personal data…
  8. Anonymisation – Why are we talking about anonymised data? Release of anonymised data can have:
     – Commercial benefit
     – Public benefit
     – Academic research benefits
     The DPA does not apply to the anonymised data but DOES apply to processing the source data to anonymise it.
  9. Anonymisation (2) – What is it? Anonymised data is data that does not relate to any individual and is unlikely to allow any individual to be identified through its combination with other data at the point of transfer to another party. Generally applied to large datasets rather than pseudonymising individual pieces of information.
  10. Anonymisation (3) – How do we go about creating it?
     – Wide number of anonymisation techniques
     – Consent generally not required
     – Document your process – aim for transparency
     – Must address risk of re-identification
     – Have an on-going governance structure
     Public authorities need to remember: application of FOIA; human rights.
     What happens if re-identification happens? You will become a data controller; the ICO is likely to take enforcement action against the person re-identifying.
  11. Overseas Transfers of Personal Data – Due to the continued globalisation of trade and an ever more connected world, record amounts of customer and employee data are now transferred overseas from the UK. Growth in cloud computing has also had a large impact (often unknown to those who utilise its benefits). As usual, the Act has something to say – 8th Principle: “Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
  12. Overseas Transfers of Personal Data (2) – Is there a transfer? Two questions to consider:
     1. Is the country of the transferee of personal data outside the EEA?
     2. Does the transmission in question actually amount to a transfer?
     What is a ‘transfer’? Transfer or transit? Examples from the ICO:
     – (1) A company in the UK uses a centralised human resources system in the US belonging to its parent company to store information about its employees – TRANSFER
     – (2) Personal data is transferred from the UK to Germany via a server in Switzerland, which does not access or manipulate the information while it is in Switzerland – TRANSIT
  13. Overseas Transfers of Personal Data (3) – A five-step “good practice” approach should be considered:
     1. Is there a transfer of personal data to a third country?
     2. Is the transfer necessary?
     3. Does the third country ensure an adequate level of protection to the data being transferred?
     4. Consider whether the parties have, or can put in place, adequate safeguards to protect the data
     5. Consider if any of the other derogations to the 8th Principle apply
  14. Overseas Transfers of Personal Data (4) – Adequacy. If there will be a transfer to a third country, you need to consider whether the third country ensures an adequate level of protection. A finding of adequacy is normally based on a Community finding or a positive outcome when applying the adequacy test:
     – “Community finding”: where the European Commission makes a finding that a country outside the EEA has an adequate level of protection. A list can be found on the ICO website.
     – “Adequacy test”: where there is no Commission finding, a data exporter can assess the general adequacy itself.
  15. Overseas Transfers of Personal Data (5) – Model clauses: you can use model contractual clauses, approved by the European Commission, to transfer data. Various sets are available – controller to controller and controller to processor. Binding Corporate Rules: only available to multinational corporations looking to transfer data around the world; one data protection authority takes the lead and coordinates input from others.
  16. The Cloud – What is the cloud? The provision of a range of IT technologies and service models on demand via a network, usually delivered via the internet:
     – Software as a service
     – Platform as a service
     – Infrastructure as a service
     Generally provided by a third party or parties hosting resources and data across a number of servers and/or for a number of customers. Causes a lot of concern from a data protection perspective as:
     – the servers are often based overseas, outside of the EEA
     – there can be difficulty working out who is responsible for which security controls
     – data can be stored across a number of servers on a continually changing basis
  17. The Cloud (2) – If you are the data controller using a cloud-provisioned service: you must check where any data is going to be stored and, if not in the EEA, ensure that you meet one or more of the conditions required before data can be transferred outside of the EEA. You will be responsible for assessing risks, informing data subjects, putting written controls in place, monitoring, protecting and retrieving data. Not easy when dealing with cloud providers, and commonly you will also be offered standard terms that are non-negotiable. A checklist for data protection compliance by cloud clients and cloud providers has been issued by the ICO (see Guidance on the use of cloud computing, 2012). Consider also a privacy impact assessment before moving to the cloud. See also the ICO Personal Information Online Code of Practice (July 2012).
  18. Electronic Marketing – To collect and use personal data for email and SMS marketing (“electronic marketing”) there are certain steps you should follow at the time you collect it and when you send out messages. Collect and process the personal data fairly. Comply with the Privacy and Electronic Communications Regulations 2003 (PECR) (as amended). In particular you must:
     – Obtain prior consent – you cannot send unsolicited electronic marketing messages unless you have the individual’s prior consent to do so. This strict ‘opt-in’ rule is only relaxed if three exemption criteria are satisfied.
     – Identify the sender, nature of communication etc. (see E-Commerce Regs 2002, Regs 7 & 8) and give details of how to revoke consent/opt out.
  19. Electronic Marketing (2) – Exemption criteria:
     – You have obtained the individual’s details as part of the sale, or negotiations for sale, of a product or service to that person;
     – The marketing material concerns only a similar product or service; and
     – The individual must have a simple means of refusing unsolicited marketing at the time their details are collected and, if they do not opt out, you must give a simple way of doing so in every future message, e.g. an unsubscribe option.
  20. Electronic Marketing (3) – Advice:
     – Recommend marketing campaigns are always permission-based.
     – Be very careful if using bought-in email lists.
     – Explain clearly what a person’s details will be used for when collecting data, through an appropriate privacy policy, and seek opt-in consent when data is collected.
     – Provide a simple way for them to opt out of marketing messages.
     – Have a system in place to deal with complaints.
  21. Cookies – What are they?
     – From 2011, under the amended PECR, you now need to (i) tell users about them and (ii) obtain “consent” before setting most types of cookies.
     – Only set strictly necessary cookies without consent.
     – But what is meant by consent? Opt-in? e.g. pop-up – “For this site to work correctly…we need to store a small file (called a cookie) on your computer….If you click on “OK” below we will store cookies and you can continue using this site with full functionality….For more information read our cookie policy” (FCA website). Implied? e.g. pop-up – “We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise we’ll assume you’re OK to continue.” (ICO website)
     – ICO Guidance (May 2012 and onwards)
  22. Apps, Social Media and BYOD – BYOD – “bring your own device”
     – Lots of legal issues (the case study explores some of these, not just data protection)
     – From a data protection perspective security is the biggest issue – 7th Principle (and other principles too). What happens if the device is lost, hacked or stolen? Steps taken must relate to the risks, e.g. is sensitive personal data available for access or storage on a “BYOD”?
     – Prevent unauthorised access (e.g. password on device, encryption on device, lock out/delete data if too many failed attempts, separate business from personal data)
     – Encrypt data in transit
     – Right to monitor and automatically delete data
     – Employees leave
  23. Apps, Social Media and BYOD (2) – ICO Guidance on BYOD (March 2013)
     – Carry out an internal assessment leading to implementing a BYOD policy (include an acceptable use policy and also a social media policy if the BYOD policy leads to increased use of social media by employees)
     – Need to cross-refer to the Employment Practices Code (e.g. re monitoring and acceptable use policy)
  24. Apps, Social Media and BYOD (3) – Social Media – social networking and online forums
     – Growth in organisations setting up their own blogs/social media web pages/online forums: customer reviews/feedback; school/university alumni/ae events; charity fund-raising and volunteer sites
     – If you are processing personal data for non-domestic purposes then you will be subject to the DPA and won’t benefit from the domestic purposes (s 36) exemption
  25. Apps, Social Media and BYOD (4)
     – Need to assess in particular: who is the data controller; ensure data is accurate (4th Principle) – “Solicitors from Hell” case
     – ICO Guidance (May 2013)
     – Have an accurate acceptable use policy
     – Be clear how complaints are dealt with
  26. Apps, Social Media and BYOD (5) – Apps
     – Collect personal data (location, stored data, sensor data…)
     – Process personal data
     – The EU’s Article 29 Working Party issued opinion WP 202 on apps on smart devices (27 February 2013). If you are developing or using Apps in your business you must address the privacy issues.
  27. Apps, Social Media and BYOD (6)
     – Key privacy issues highlighted by the EU: lack of transparency on types of processing; lack of meaningful (i.e. free and informed) consent; poor security measures; disregard of any purpose limitation and lack of data minimisation (e.g. “market research” that doesn’t relate to the App at all)
     – Take away: ensure privacy issues are addressed in App development – privacy policy; use of cookies; transborder issues; security. Apps for children raise specific issues.
  28. The New Data Protection Regulation – On 25 January 2012, the European Commission published a proposal for a new EU Regulation. This will repeal the existing 1995 EU Data Protection Directive. In the UK this will mean all or part of the DPA 1998 (tbd by Parliament) will be superseded by a directly effective Regulation. The European Commission has called for:
     – An effective new data protection framework
     – Clear, effective rights for individuals
     – Clear responsibility and accountability
     – Obligations to be focussed on processing that poses genuine risks to individuals or societies
     – Data protection authorities that are independent – with a clearer role.
  29. The New Data Protection Regulation (2) – Potential changes:
     – Higher fines
     – Stronger data subject rights, including the “right to be forgotten”
     – Consent (specific Article on this, e.g. placing the burden of proof on the data controller where consent is relied on)
     – More responsibility on data controllers (including those outside the EU), including requiring data protection officers in organisations and an obligation to notify the regulator of a data breach and then potentially tell data subjects too
  30. The New Data Protection Regulation (3) – The Regulation should essentially be a harmonised EU regime. The draft Regulation will need to be approved by EU member states and ratified by the European Parliament. Originally to be adopted in 2014 and in effect in 2016, but there is delay in the legislative process due to the contentious nature of the Regulation.
  31. The New Data Protection Regulation (4) – Note: other recent and proposed EU laws
     – Regulation 611/2013 on the notification of personal data breaches (not general – only applies to ISPs/telcos – in force from 29 August 2013; see also the amended PECRs)
     – Proposed Network and Information Security Directive (February 2013) (potentially applies to a wide range of companies and organisations in energy, transport, banking and finance, health care, plus e-commerce platforms, social networks, search engines, cloud services, application stores, payment gateways, plus “public administrations”) – obligations to guarantee security appropriate to the risk and to tell the regulator about cyber security incidents
  32. Case Study (1) (Recognising Personal Data) – A potential member of a gym meets with a sales manager of a local gym to discuss membership options. The sales manager asks the prospective member for certain information (name, address, age) and records these details manually on a ‘new membership application form’. These details will subsequently be added to the gym’s computer system. Is this data? Does it matter if the information is never added to the computer system?
  33. Case Study (2) (Overseas Transfer of Data/Cloud) – UK Gadgets is one of the leading suppliers of gadgets in the UK. It has recently been bought out by a US multinational, US Gadgets. As part of its new reporting obligations, UK Gadgets has been asked to send copies of all of its employee records to a third party cloud provider (CloudCo) based in the US, appointed by US Gadgets’ head office in New York to manage the multinational’s global HR database. The UK Co will have direct access to the cloud service through web browser and password access. In due course it will also upload updated data directly to CloudCo. The UK data will be available for access and processing by both the UK company and the US parent. The HR director is a little concerned that if he does this, he could be in breach of the DPA, but head office is adamant that the records must be sent. What are his options? NB: This case study assumes that the other Data Protection principles have been complied with and that the data does not consist of ‘sensitive’ personal data, where consent to transfer may need to be obtained.
  34. Case Study (3) (Electronic Marketing) – “Please tick here if you do not want us to contact you by electronic means (e-mail or SMS) with information about goods and services which we feel may be of interest to you.” Is this acceptable?
  35. Case Study (4) (Apps/BYOD/Social Media) – After considerable internal debate amongst the IT director, HR director and head of sales and marketing at Way Ahead law firm, the Board decides to allow legal staff to utilise their own smart phones and tablets for work purposes. What should Way Ahead do to minimise risks?
  36. Contact Details – Sheilah Mackie, Partner, Commercial/IT, 02380 857039; Simon Stokes, Partner, Commercial/IT, 0207 814 5482