Merit Event - Understanding and Managing Data Protection - Presentation Transcript
Data Protection Act 1998
Introduction to Data Protection
Alan Shipman
Group 5 Training Limited
BSI Training
Objective for Session
To help you understand the Data Protection Act 1998, and be able to assess your organisation's level of compliance
BSI Training Workshop
Agenda
Definitions
Data Protection Principles
Responsibilities
Policies and Notification
Dealing with Data Processors
Subject Access Procedures
Manual Records
Human Resource
Agenda
Do you need to audit
How to audit
Data audit
Responsibilities
Procedures and processes
How an audit is carried out
Corrective Procedures
Demonstrating compliance
Introductions
Definitions
The Act
Data Protection Act 1998
‘An Act to make provision for the regulation of the processing of information relating to individuals …’
The Act
EU Data Protection Directive 95/46/EC
Objectives …
No restriction on personal data flow in EU
Right to privacy
Deadline for implementation
24 October 1998
Definitions
Personal Data
Data which relates to a living individual who can be identified from those data, or from those data and other information which is in, or likely to come into, the possession of the data controller
Definitions
Processing
Includes obtaining, holding and carrying out any operation on data
No requirement that processing is by reference to data subject
The Eight Principles
Principles
The 8 Data Protection Principles
(Schedule 1)
First Principle
Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless:-
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
Schedule 2
What is fair?
Consent
Contract
Legal obligation
Vital interests
Public functions
Legitimate interests
Sensitive Data
Personal data relating to:
Racial or ethnic origin
Political opinions
Religious beliefs or other beliefs of a similar nature
Trade union membership
Physical or mental health or condition
Sexual life
Commission or alleged commission of any offence
Proceedings for any offence committed or alleged to have been committed, their disposal or the sentence of any court
Schedule 3
What is fair?
Explicit consent
Employment law
Vital interests
Legitimate activities of not-for-profit bodies with political, philosophical, religious or trade-union purposes
Information made public
Legal / regulatory proceedings
Administration of justice
Medical purposes
Second Principle
Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or purposes
Third Principle
Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
Fourth Principle
Personal data shall be accurate and where necessary, kept up to date
Fifth Principle
Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
Sixth Principle
Personal data shall be processed in accordance with the rights of data subjects under this Act
Seventh Principle
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Eighth Principle
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of Data Protection
Note: Does not apply if at least one of the conditions in Schedule 4 is met
Schedule 4
When can you do it?
Consent
Performance of contract with data subject
Performance of contract with other
Substantial public interest
Legal proceedings
Vital interests
Public register
Authorised by the Commissioner
Responsibilities
Responsibilities
The ‘Data Controller’ is the organization, but…
Someone must have overall responsibility
co-ordination role
ensure that notification is up to date
ensure that appropriate strategy is implemented
focal point for queries
reporting of issues
Responsibilities
Policy
Who writes it
Who approves it
Approval by top management (e.g. the Board) demonstrates support and buy-in
Responsibilities
Compliance audit
Is the policy being implemented
Are individuals following the procedures
Audit report
Resolve non-compliances
Annual report (maybe)
Responsibilities
Who!
Who is actually responsible
Who will be the first to get it wrong?
Any member of staff who handles personal data
Responsibilities
Training
Do individuals know what they must do
when talking to data subjects
when handling personal data
during system design
when deciding security issues
Ensure no-one acts recklessly
Responsibilities
Training
Give everyone guidelines
Do they understand their responsibilities
And what happens if they get it wrong
Responsibilities
Subject access
Who deals with subject access requests
How are they dealt with
procedures
time scales
fees
Notification
Notification
What you have to do
Review current registration(s)
Determine timescales
Categorise your data
Use the Notification Handbook
Check security arrangements
Notification
Notification
Check for exemptions
from notification
from the Act
Decide method
phone
web
Notification
Current registration(s)
Get details of all registrations
Find out when each one expires
As current registrations run out - combine them
When the last registration runs out - notify
Or just notify ASAP
Notification
Categorise Personal Data
Get relevant OIC notification template
Compare with information audit results
Categorise data
why have you got it (purpose) - Handbook 3.1.8
who is it about (data subject) - Handbook 3.1.9
what have you got (data class) - Handbook 3.1.10
who might it be disclosed to (recipients) - Handbook 3.1.11
Notification
Check security arrangements
Comply with BS 7799?
Security policy / procedures
Disaster recovery plans
Security during transfer
physical
encryption
Notification
Notification
What information do you need
identity
purposes
for each purpose
data subject
data class
recipients
what countries are involved
security measures
Notification
How?
Method
phone
web
What happens next
check form
pay fees
check register
Keep it up to date (notify changes within 28 days)
Notification
Phone Notification
Be ready
Contact by phone
Answer questions
Notification
Web Notification
Where to go
What do you see
How does it work
Data Processors
Data Processors
Definition
Processes personal data on behalf of a Data Controller, and does not determine its own purposes for the processing
Data Processors
Responsibilities
Who is responsible for data processed by a Data Processor?
The Data Controller - i.e. you!
Subject Access Procedures
Subject Access
Whole purpose of Data Protection law is to protect information about living individuals and guard their privacy
Subject Access
Procedures
Who will deal with requests
How will request be verified
identity
in writing
fees
What has been requested (reasonable?)
Keep an audit trail of requests
Subject Access
Procedures
How to respond
is processing occurring
don’t correct the data once the request is received (routine amendments excepted)!
copy of the data
source (if known)
not disclosed due to exemption
disproportionate effort
what if a third party is identified
When to respond by (40 days)
Subject Access
Procedures
How to handle blocking requests
made by data subject
validity
ensure action
audit trails
Compensation
Subject Access
Procedures
Automatic processing
manual decision override
Manual Records
Manual Records
Types
Now included:
paper
microfilm
CCTV
voice recording
Be prepared!
Human Resources
Human Resources
Issues
Personnel files
Managers own copies
e-mails
References
Do you need to audit?
Need to audit?
Do you know:
Where you store personal data?
Who has access to it?
How do they use it?
Are the security measures adequate?
If NO to any, you need to audit!
What an audit should achieve
Audit objectives
What should be achieved?
Demonstration of compliance
Improved confidence
Better procedures
Audit objectives
Who is being audited?
Your own organization
whole
part
A third party
data processor
Audit objectives
Who undertakes DP audits?
Internal auditor
External auditor
Information Commissioner
Customers
Data audit
Data audit
Who knows what is processed?
Department managers
Records managers
IT staff
Users
Data audit
How to audit
Don’t ask open questions (e.g. ‘What data have you got?’)
Create a survey form
Use the ‘headers’ from the Notification Handbook
Review responsibilities
Responsibilities
Are these responsibilities defined?
Who has specific responsibility
Who approves policy
Who audits compliance
Who trains staff
Who deals with subject access requests
Who deals with security issues
Procedures and processes
Processes & procedures
Data Protection Policy
Is there one?
Has it been approved?
Is it available to all?
Are responsibilities included?
Is the policy policed?
Processes & procedures
Data Protection Co-ordinator
Is there one?
Conversant with the Act?
Known to all staff?
Able to liaise with other departments?
Data Use
Fair processing
When collecting data, is it performed fairly?
Do users know what they can do (and cannot do)
Data Use
Disclosure of data
Do staff know when to disclose?
Does the policy include guidelines and training requirements?
People
Management of people
Are there appropriate management strategies for all staff?
Does this include:
recruitment?
training / direction?
supervision / discipline?
People
Management of people
Is there an effective communications system?
Is DP compliance in contract of employment?
Is there a disciplinary procedure?
Documentation
Management of documentation
Are there adequate audit trails?
Are there documented procedures:
collection, access, use?
disclosure?
transfer?
disposal?
Documentation
Management of documentation
Are there procedures for:
data subject explanations?
recording of subject access requests?
how to use data correctly?
staff obligations / authority?
Data quality
Data audit
Are there procedures for ensuring that data is:
adequate, relevant and not excessive?
accurate?
Are there procedures for:
retention and destruction?
security?
Data quality
Data audit
Do you review data quality?
effective training and communications?
authority?
procedures?
review new systems?
Data quality
Data audit
Have you reviewed your processing?
information needs?
storage formats?
purposes?
fair collection?
fair use?
Data quality
Data audit
Have you reviewed your processing?
deleted unwanted data?
information need policy?
review procedures?
review responsibilities?
results documented?
Data quality
Data audit
Have you reviewed your processing?
results reviewed?
identify ‘sensitive’ data?
actions implemented?
review complete?
established need?
Data quality
Data acquisition
Is data collection:
restricted to a minimum?
justified?
Data quality
Data acquisition
Do data collection procedures:
identify data need?
identify minimum requirement?
justify each item?
check for alternative source?
act in the best interests of the subject?
authorise collection?
Data quality
Data acquisition
Are data collection forms appropriate?
paper?
web?
verbal?
Do they include consent requirements?
Data quality
Data accuracy
Do you avoid recording of opinions?
Where inaccurate data is held:
is it retained where it is a true record?
are reasonable steps taken?
is the data subject notified if necessary?
Data quality
Data retention
Are retention periods justifiable?
Are retention periods sufficient?
Has legal advice been taken?
Have you checked for relevant Codes of Practice?
Data quality
Data retention
Are records up to date?
Is accuracy checked?
Is frequency of checking adequate?
Is inaccurate data deleted where necessary?
Data quality
Data destruction
Is there a retention and destruction policy?
Are these supported by procedures?
Is compliance monitoring included?
Is the retention schedule appropriate?
Data quality
Data destruction
Are there destruction procedures?
Is inadvertent destruction prevented?
Are destruction procedures audited?
Security
Security procedures
Is security on the DP agenda?
technical?
procedural?
Supervision and training included?
Security
Security measures
Is there an information security policy, including DP?
Monitored and reviewed?
Responsibilities?
Staff procedures?
Security
Security measures
Suitable technology used?
Security levels appropriate?
Security in Data Processor contracts?
BS ISO/IEC 17799?
Security
Security threats
Have these been identified?
Contingency plans appropriate?
Recovery times acceptable?
Security
Security procedures
Security of data transfers?
Security of destruction?
Subject Access Request
Procedures
Is there a documented procedure?
Does it check for request validity?
Do you:
confirm you are processing?
provide copy of the data?
Subject Access Request
Procedures
Is there a manual override for automated processing?
Are amendments stopped when a request is being processed?
Is there a fee charging policy?
Subject Access Request
Procedures
Is the request processed in time?
Is there an identification procedure?
Is the person who deals with requests known?
Do searches include data processors?
Subject Access Request
Procedures
Is data supplied in permanent form?
Is there a procedure where disproportionate effort is claimed?
Is the data source disclosed?
Is there a telephone request procedure?
Subject Access Request
Procedures
Is there a request form?
Is there a procedure for requests by minors?
Is there a procedure for requests on behalf of minors?
Subject Access Request
Procedures
Is there a procedure for requests for references?
are the rights of third parties considered?
Is there a procedure where objections to processing are received?
How to carry out an audit
Audit process
How to audit?
Project plan
Identify:
who should be interviewed
which processes to review
how to audit security measures
Creating awareness
Use the Workbook!
Audit process
BSI-DISC Pre-Audit Workbook
PD 0012-5
Assists and documents audit
Provides statement of compliance
Links to procedural documentation
Audit process
Document results
Necessary to demonstrate process and results
Provides an audit trail of compliance
Workbook is a great help!
Corrective Actions
Corrective Actions
What to do
Are there any gaps?
Each gap should be reviewed and corrective action taken
Look at subject access procedures first
Use common sense!
Pretend that it is your data!
Demonstrating Compliance
Data Protection
Demonstrating Compliance
Completed Workbook
Training records
Policies
Records of breaches and actions
Records of subject access requests
Thank you. Any questions? Alan Shipman, 07702-125265, [email_address]
From 24 October 2002, the Data Protection Act 1998, which applies to local government, NHS Trusts, schools, universities and all UK organisations that process personal information, comes into full force. The Data Protection Act 1998 gives people more rights to have their personal information handled fairly, to object to certain types of processing and to have access to any information held about them.
Who should attend:
These briefings have been designed for those who are responsible for the implementation of the Data Protection Act 1998. Practical as well as theoretical aspects will be covered, and attendees will have the opportunity to discuss Data Protection business issues with experts and other delegates.
Briefing Content:
Morning session - Introduction
a) The Data Protection Act and its Principles
b) Responsibilities
c) Policies and Notification
d) Dealing with sub-contractors
e) Subject Access
f) Manual Records
g) Human Resource
Afternoon Session - Auditing
a) Do you need to Audit?
b) How to Audit
c) Do you know what data you process?
d) Reviewing Responsibilities
e) Procedures and Processes
f) Putting Things Right
g) Demonstrating Compliance
About the eBusiness Club
This training day is being organised as part of the eBusiness Club activities managed on behalf of the Chamber on Merseyside by MERIT (NW) Ltd and supported by leading public and private sector partners. The Merseyside eBusiness Club will assist members to achieve the best possible results from their ICT and eBusiness systems. At the same time they will learn about innovations in the market place and hear directly from the leading voices in the industry.
Full details about the eBusiness Club can be found online at www.merit.org.uk/ebusinessclub or alternatively by contacting Ian Bulmer, eBusiness Club Co-ordinator, MERIT (NW) Ltd, One Old Hall Street, Liverpool. L3 9HG. Tel: 0151 285 1400 email: ebusinessclub@merit.org.uk