CHASE 2014 data protection presentation Paul Ticher

269 views
180 views

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
269
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
4
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

CHASE 2014 data protection presentation Paul Ticher

  1. 1. Data Protection - All Change or More of the Same? Paul Ticher
  2. 2. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law. Data Protection - All Change or More of the Same?
  3. 3. What Data Protection is about: 1  Protecting data Protecting people Prevent harm to the individuals whose data we hold, or other people • Keep information in the right hands • Hold good quality data Data Protection - All Change or More of the Same? 
  4. 4. What Data Protection is about: 2 Give us more money! Support our campaign! We sold your details to someone else Reassure people that we use their information responsibly, so that they trust us • Be transparent – open and honest, don‟t hide things or go behind people‟s back • Offer people a reasonable choice over how you use their data, and what for Data Protection - All Change or More of the Same?
  5. 5. What Data Protection is about: 3 Comply with specific legal requirements, such as: Right to opt out of direct marketing  Right of Subject Access Notification (And others) Data Protection - All Change or More of the Same?
  6. 6. The main topics for today Top priorities • Security And while we‟re about it • Transparency • Latest developments on • Choice • Enforcement • Accuracy & data quality • Guidance • New EU Regulation But first: • The Data Protection Principles • The definition of Personal data • Confidentiality Data Protection - All Change or More of the Same?
  7. 7. The Data Protection Principles 1. Data „processing‟ must be „fair‟ and legal 2. You must limit your use of data to the purpose(s) you obtained it for 3. Data must be adequate, relevant & not excessive 4. Data must be accurate & up to date 5. Data must not be held longer than necessary 6. Data Subjects‟ rights must be respected 7. You must have appropriate security 8. Special rules apply to transfers abroad Data Protection - All Change or More of the Same?
  8. 8. Personal data The Act applies to information that is „personal‟ and „data‟ The personal part means that it is about: identifiable, living individuals The data part means that it is recorded: • on a computer or automated system • in a „relevant filing system‟ • with the intention of going into one of these systems • (others apply to public bodies) Data Protection - All Change or More of the Same?
  9. 9. How DP and Confidentiality overlap Data Protection Confidentiality Clear boundaries Data Protection - All Change or More of the Same?
  10. 10. Taking confidentiality seriously Gossip Scams Circumventing security Data Protection - All Change or More of the Same?
  11. 11. Security (Principle 7) The Data Protection Act says you must prevent: • unauthorised access to personal data • accidental loss or damage of personal data The security measures must be appropriate. They must also be technical and organisational. The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security (or other Data Protection requirements) Data Protection - All Change or More of the Same?
  12. 12. Key security measures Protect „data in transit‟ • passwords, encryption on USB devices, tablets and laptops • extreme care when faxing, e-mailing & posting • think about encryption on e-mails if appropriate Network security – anti-virus, firewall, log-ons, etc. Website security – „OWASP top ten‟ or similar Bring Your Own Device policy External contractors („Data Processors‟) Secure destruction – shredding, etc. Access controls, clear desks, locked filing cabinets Staff DBS checks, supervision and monitoring Data Protection - All Change or More of the Same?
  13. 13. ‘Fair’ processing (Pr. 1): Transparency One part of being fair to people is to make sure they have no unpleasant surprises when you use data about them. This means you must always think whether you need to tell them anything about: • who is collecting their information • what purposes you hold their data for • who you might pass the data on to • how to contact you if they want to stop you from using their data or check what you are doing Data Protection - All Change or More of the Same?
  14. 14. ‘Fair’ processing (Pr. 1): Choice The other important part of being fair is to give people a reasonable choice over how their information is used. People must be given a choice over Direct marketing Choices can be: • Opt out (we‟ll do it unless you say „no‟) • Opt in (we‟ll only do it if you say „yes‟) Be clear about what choices are offered, record them carefully, and ensure that they are acted on. Pre-ticked boxes are not good practice Data Protection - All Change or More of the Same?
  15. 15. Conditions for fair processing You must meet at least one of these: • With consent of the Data Subject (“specific, informed and freely given”) • For a contract involving the Data Subject • To meet a legal obligation • To protect the Subject‟s „vital interests‟ • Government & judicial functions • In your „legitimate interests‟ (or those you disclose to) provided you don‟t infringe the Data Subject‟s rights, freedoms or legitimate interests Data Protection - All Change or More of the Same?
  16. 16. Data quality (Principles 3 & 4) The Data Protection Act says that data must be: • Adequate • Relevant • Not excessive • Accurate • Up to date (where necessary) Data Protection - All Change or More of the Same?
  17. 17. Data Controller The „person‟ legally responsible for complying with the Data Protection Act  Staff & volunteers are part of the Data Controller A trading company is a separate Data Controller Organisations can be joint Data Controllers Data Protection - All Change or More of the Same? 
  18. 18. Data Processor An organisation that has access to Personal Data on your behalf for your purposes The Data Controller remains responsible for what happens to the data There must be a written contract with the Data Processor, setting out the relationship and, in particular, their security responsibilities Data Processors could include: • Payroll service • Cloud computing provider • Tele-marketing company • Client database maintenance & development • Mailing house • Contractor, delivering services Data Protection - All Change or More of the Same?
  19. 19. Developments in enforcement Recent penalties include: • Fines for spam messaging • Fine for breach caused by employee working from home • Fines for charities Other options: enforcement notices, legally binding undertakings There have been a few successful challenges on technicalities Information Commissioner is consulting on a more targeted approach to handling complaints Data Protection - All Change or More of the Same?
  20. 20. Developments in ICO guidance Recent publications include: • a Code of Practice on handling Subject Access • guidance on Bring Your Own Device policies • a complete update of their guidance on Direct Marketing • guidance on Social Networking • consultation on a review of the Privacy Notices Code of Practice Data Protection - All Change or More of the Same?
  21. 21. New EU Regulation: Rationale 1995: Directive 95/46/EC 1998: UK Data Protection Act (in force from 2000) 2003 (and earlier): Privacy & Electronic Communications Regulations Subsequently: • World Wide Web • Cloud computing • Social media • Profiling • Cookies, GPS tracking ... • Privacy awareness Data Protection - All Change or More of the Same?
  22. 22. New EU Regulation: Timetable January 2012: first draft published by Commission 2012: various EU bodies contribute views 2013: attempts to reconcile differing views, with several conflicting drafts produced October 2013: compromise draft agreed by parliament 2015? Negotiations with Council Mid-2015? Ratification of final Regulation Data Protection - All Change or More of the Same?
  23. 23. New EU Regulation: Some key issues Consent tightened up – no more pre-ticked boxes Marketing is a „legitimate interest‟ Limited right of erasure Right to object to profiling More detailed privacy notices Mandatory breach notification Data Protection by default and by design Mandatory Data Protection Officer Privacy impact assessments replace Notification Much-increased penalties (especially for multinational companies) Data Protection - All Change or More of the Same?
  24. 24. Data Protection: the absolute basics We are trying to: • Prevent harm by • Keeping data only in the right hands (and being clear what „the right hands‟ are) • Holding good quality data (accurate, up to date and adequate) • Reassure people so that they trust us • Making sure people know enough about what we are doing • Giving people a choice where possible Data Protection - All Change or More of the Same?
  25. 25. Thank you for listening To go into more detail, join one of my webinars: www.paulticher.com/webinars Or contact me at: 0116 273 8191 paul@paulticher.com Your Logo www.paulticher.com 2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE

×