Data Protection Act presentation
  • Good morning. Following my 27 page report on data protection issues, which I gave to Mike and Beryl, I’ve pulled together a boiled-down overview of data protection in 28 slides. There’s a natural break after 23 if we run out of time or you’ve had enough. But I hope the subject will be interesting; indeed I’ve included a highlight picture or cartoon on every slide to lighten the mood, so I hope you will enjoy this presentation.

    1. Data Protection – an overview
       By Ian C. Oultram, Compliance Officer, Business Link Northwest
       Presented 16th March 2009

    2. What is the Act for?
       • Maintains balance between the individual and government/industry
       • Regulates demands for data by government and industry
       • Protects privacy of the individual
       • Privacy is a basic human right

    3. Data Protection history
       • Original Act passed in 1984
       • Replaced by 1998 Act
       • Brought UK into line with European Data Protection Directive
       • Information Commissioner’s Office established in Wilmslow

    4. Key definitions
       • Personal data – uniquely identifies an individual
       • Sensitive data – ethnic, health or criminal
       • Processing – obtaining, storing, sharing, using
       • Data subject – the individual concerned
       • Data controller – organisation using and owning data
       • Data processor – organisation sub-contracted by the controller to use data
       • Notification – informing Commissioner of processing purposes or a breach
       • Purpose – broad area of use

    5. The 8 Principles
       • Fairly and lawfully processed
       • Processed for limited purposes
       • Adequate, relevant and not excessive
       • Accurate and up to date
       • Not kept longer than necessary
       • Processed in accordance with subject rights
       • Kept secure
       • Not transferred to other countries without protection

    6. Fairly and lawfully processed (1st Principle)
       • Need consent OR contract OR legal obligation OR statutory power OR public interest
       • Fair processing statement (privacy policy) made available at time data is obtained
       • Statement should include details of purposes and data sharing
       • Comply with all relevant laws including confidentiality and Human Rights Convention
       • Act within limits of any statutory powers
       • Process within specific but broad purpose
       • Cannot obtain data and do nothing with it

    7. Sensitive personal data (1st Principle)
       • At least one Schedule 2 condition plus explicit consent OR
       • Necessary for statutory obligation regarding employment OR
       • Necessary to monitor equal opportunities
       • Does not involve sharing or a new purpose without consent
       • Sickness and injury records should be kept separate from other employment records
       • Medical reports should concentrate on fitness
       • Staff should know what BUPA data is shared

    8. Consent (1st Principle)
       • Individual must be aware of ways data will be processed
       • Cannot be inferred from non-response to an opt-out
       • ‘Opportunity to object’ with another condition such as public interest may provide a basis
       • Consent does not last forever
       • Can be transferred from/to third party where there is clear prior opt-in for sharing
       • Explicit consent needed for processing of sensitive data

    9. Opt-in and opt-out (1st Principle)
       • Opting in by ticking a box, clicking an icon, sending an email
       • Prominent opt-out box along with clear and bold message can establish consent
       • Opt-in is always for the time being
       • Remains valid until recipient objects
       • Recipient can opt out at any time and this must be complied with
       • Corporate subscriber has no right of opt-out unless recipient is a named individual

    10. Encore project (1st Principle)
       • Hewlett Packard and London School of Economics involved
       • Vision to make giving and revoking consent as easy as turning a tap
       • Tap as common on data gathering pages as padlock is on payment sites

    11. Telephone marketing (1st Principle)
       • Must identify ourselves and provide address or Freephone number if asked
       • Must regularly screen CRM against TPS and CTPS registers
       • Must not call numbers on TPS or CTPS registers unless subscriber gives specific opt-in consent
       • Provide opportunity to opt out and terminate call
       • Must comply with request to opt out by ticking CRM ‘do not call’
       • Responsible even if agency calls on our behalf

    12. Electronic marketing (1st Principle)
       • Includes email, text, sound, image, video, voicemail and answer-phone messages
       • Only send marketing to named individuals who opt in or who are clients (or implied opt-in)
       • Can send emails to organisations or non-personal email addresses
       • Must provide opportunity to opt out
       • Must comply with opt-outs by clicking ‘no email’
       • Should not use tracking devices unless recipients can turn them off
       • Should not use viral marketing techniques
       • Subject to Privacy and Electronic Communications Regulations Act

    13. Direct mail (1st Principle)
       • Must inform individuals that we may use details for marketing
       • Individuals can opt out of direct mail by writing or ticking a box
       • Should not mail-shot named individuals who have opted out or registered with MPS
       • MPS does not carry legal obligation
       • Non-personal letters are not subject to Data Protection or MPS

    14. Processed for limited purposes (2nd Principle)
       • Data obtained for one purpose cannot be used for another without consent
       • Data cannot be obtained without purposes being aligned
       • Change in purpose needs consent, which cannot be obtained retrospectively
       • Purpose should be stated in fair processing statement
       • Subjects must not be deceived or misled regarding purpose
       • Commissioner must be notified of new purposes within 28 days

    15. Adequate, relevant, not excessive (3rd Principle)
       • All processing must be necessary and proportionate
       • Data needs at least one valid purpose
       • Minimum amount of data necessary to fulfil purpose
       • Information necessary for one individual should not be kept for all subjects
       • Data cannot be kept on the basis that it might be useful in the future
       • Data should be kept up to date and relevance reviewed

    16. Accurate and up-to-date (4th Principle)
       • Take reasonable steps to ensure accuracy
       • Update individual or third party data regularly
       • Individuals can request that their data is updated or deleted
       • Record when information was recorded or updated
       • Be aware that data may not reflect current situation
       • Objections should be noted
       • Avoid false matches and unfounded inferences
       • Exceptions are historical records of ‘transactions’

    17. Not kept longer than necessary (5th Principle)
       • Data not kept for longer than the purpose for which it was originally obtained requires
       • Not gathered or held indefinitely without a purpose
       • Reviewed regularly and deleted when no longer required
       • Deleted when relationship ceases
       • Historical or statistical data can be kept indefinitely

    18. Processed in accordance with subject rights (6th Principle)
       • Must supply information relating to a subject access request
       • Must rectify or delete inaccurate or illegitimate data
       • Must stop processing, when requested, if it causes damage or distress
       • Must cease direct marketing when consent withdrawn or not given
       • Subject has right to seek compensation for damage or distress
       • Must know purpose

    19. Subject access rights (6th Principle)
       • Entitled to copy of data unless cost, time and effort is disproportionate
       • Respond to written request within 40 calendar days after identity of requester is established
       • Data supplied should include archived data but not management forecasts nor employment references
       • Not obliged to comply where a similar request has already been met
       • Routine amendments are allowed but must not cover up or tamper with data
       • Must not disclose to anyone else unless required by law, warrant, for legal advice or proceedings

    20. Employees’ subject access rights (6th Principle)
       • Emails and Word documents should be disclosed where individual is the subject
       • References received by us should be disclosed unless subject to strict confidentiality
       • References given by us are exempt from access
       • Personal references are not covered
       • Do not disclose when investigating criminal or harassment allegations
       • Taxation or management information need not be disclosed

    21. Kept secure (7th Principle)
       • Take appropriate technical, management and organisational measures during processing
       • Prevent accidental loss, damage, destruction or unlawful access and keep audit trails
       • Design security measures into new data projects
       • Adopt ISO 27001 standard and undertake security risk analysis
       • Prepare security incident response plan
       • Adopt privacy enhancing techniques and encryption
       • Ensure staff reliability and train staff in data protection
       • Ensure business continuity

    22. Not transferred to other countries without protection (8th Principle)
       • Not transferred outside European Economic Area without adequate level of data protection
       • Safe countries and ‘safe harbours’ allowed
       • Model contracts available

    23. Information Commissioner’s role
       • Registers data controller notifications
       • Makes register available for public inspection
       • Investigates requests for assessments
       • Issues information notices
       • Issues data subject notices
       • Issues enforcement notices
       • Has powers of entry and inspection under warrant
       • Can endorse a code of practice

    24. Offences
       • Processing without notification
       • Failure to notify changes in purpose within 28 days
       • Failure to comply with Commissioner’s ‘information notice’ request
       • Failure to comply with enforcement notice
       • Obstructing a warrant
       • Obtaining or disclosing data without permission of data controller
       • Selling or offering to sell data without permission of data controller

    25. Data sharing
       • Check notification includes all classes of organisation we wish to share with
       • Obtain consent unless processing and disclosure is in public interest
       • Explicit consent before sensitive data can be shared
       • Should not share personal data where anonymised data will do
       • Conduct privacy impact assessment and prepare code of practice
       • Commissioner recommends creating fast-track to dispense with existing barriers to sharing
       • Data sharing review encourages research and statistical analysis and a change in culture

    26. Code of practice
       • Define data sharing and business case
       • Describe negative effect on individuals
       • State whether consent is needed
       • Outline legal provisions which allow data sharing
       • Include less invasive alternatives such as anonymous data
       • Describe data to be shared and list organisations to share with
       • Evaluate security standards and training which need to be adopted
       • Can take form of privacy impact assessment
       • Review regularly and develop privacy strategy

    27. Paper-based files
       • Act covers computer input and output documents
       • Includes organised and structured document files (relevant filing systems)
       • Review paper-based filing systems to check whether they have become ‘organised’
       • Documents should be securely disposed of
       • Commissioner recommends shredders for home-workers
       • No requirement to notify Commissioner of paper-based files

    28. Monitoring at work
       • Should be open and not covert unless part of criminal or malpractice investigation
       • Subject to Regulation of Investigatory Powers Act and European Convention on Human Rights
       • Right to privacy even in the workplace
       • Personal emails should not be opened
       • Staff should be aware that business emails or voicemails may be checked while they are away
       • Manager can listen to/record calls for staff training and quality when caller receives a message

    29. CCTV
       • Cameras should not be angled towards staff
       • May need a new purpose to cover CCTV
       • Signs should be placed at entrance to surveilled zone
       • Recordings should be stored to safeguard images and rights of individuals
       • Restrict access and viewing and delete when no longer needed
       • Included in subject access rights and can be disclosed to Police
       • European Convention on Human Rights applies
       • Commissioner recommends new statutory code of practice

    30. The end
       • Any final questions?
       • Thank you for your kind attention