019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx

1. Your Data Protection Responsibilities Under the General Data Protection Regulation (GDPR) This course covers your fundamental data protection responsibilities and obligations. It will iden Music: https://www.bensound.com/royalty-free-music

2. What is Personal Data? • Any information relating to an identified or identifiable person • Not just identifiers, also images and information about a person 4 Hermitage Green 1234567T Liam Kelly BIC BOFIIE2D IBAN IE29BOFI90583812345678 192.168.1.255 Payment card details

3. What is Processing? • Any operation (or set of operations) performed on personal data (or sets of personal data), whether automated or not • Collection • Recording • Organisation • Structuring • Storage • Adaptation or alteration • Retrieval • Consultation • Use • Disclosure by • Transmission • Dissemination • Otherwise making available • Alignment or combination • Restriction • Erasure or destruction Destruction Storage

4. What is Privacy? • Right to be let alone • Right to be protected against intrusion into personal/family life or affairs by • Direct physical means • Publication of information • No privacy law • Implied right under article 40.3.1 • Privacy is a fundamental right …but is not an absolute right • Data Protection seeks to balance • Individual’s right to privacy • Legitimate information requirements of organisations for their continued business activities and functions • GDPR • Protects the fundamental rights and freedoms of people regarding the processing of personal data • Does not restrict or prohibit the free movement of personal data within the EU 5 Right to Privacy Right to run a business

5. Legislation ePrivacy Regulation ePrivacy Directive 2002 [2002/58/EC] General Data Protection Regulation (GDPR) 2016 [2016/679] Data Protection Act 2018 Data Sharing and Governance Act 2019

6. Characters Meet the DP Dramatis Personae • Natural person • Living human being • Legal person • Commissioners of Public I Works in Ireland • Data Subject • A natural person who can be identified directly or indirectly • Controller • Legal/natural person who determines the purposes and means of the processing of personal data • Processor • Legal/natural person who processes personal data on behalf of a Controller • NOT an employee of Controller who processes it in the course of their work • Recipient • Anybody to whom personal data is disclosed • Third Party

7. Data Protection Officer (DPO) • A public body must have a Data Protection Officer (DPO) • Data subjects may contact DPO on all data protection issues • To make Data Subject Access Requests (DSARs) • To make other requests to exercise their rights • DPO … • Must be fully involved in all data protection issues from the start • Must be given access to personal data • Informs/advises management/staff of their data protection obligations • Monitors compliance with data protection legislation • Liaises and cooperates with the Data Protection Commission (DPC) • Is independent • Is bound by secrecy/confidentiality

8. CCTV • CCTV images are personal data • Can give a person a copy of their own CCTV images but must pixelate those of others • Warning signs must state purposes for which images are recorded • CCTV cannot be used for any other purpose • Retain CCTV images for a max. of 28 days • Gardaí investigating a crime • Can freely view CCTV on site • Do not hand over CCTV without a formal written request, signed by Garda’s superior • Do not give CCTV images to third parties • Members of the public or staff • Damage to cars in car parks • Accidents (e.g. trips and falls)

9. European Union (without Croatia) EFTA (Iceland, Norway, and Liechtenstein) Provisional EU members EFTA signatories that have not ratified Former EU members European Economic Area (EEA) member states Extra-territorial nature

10. 1. Process personal data fairly, lawfully and transparently 2. Collect it for specified, explicit and legitimate purposes and not further process it in a way incompatible with purposes 3. Ensure it is adequate, relevant and limited to what is necessary 4. Ensure it is accurate and, where necessary, kept up to date 5. Do not keep it in an identifiable form for longer than necessary 6. Process it to ensure appropriate security, to protect it from: • Unauthorised or unlawful processing • Accidental • Loss • Disclosure • Destruction 7. We are responsible for and must demonstrate compliance with 1-6 Principles of Data Protection [Article 5]

11. Lawfulness of Processing [Article 6] • Lawful only if at least one of the following is true: a) Contract (where Data Subject is a party) • Before entering a contract (at Data Subject’s request) b) Legal obligation on Controller c) Protection of the vital interests of the Data Subject • Another natural person d) Performance of a task carried out in the public interest • Exercising of official authority vested in the controller • Need a legal basis for this e) Legitimate interests of Controller • Only where these are not related to the public tasks • Consent of the Data Subject not available for public authorities • Clear imbalance between Data Subject and Controller

12. Data Subject Rights [Articles 12-23] • We must allow our Data Subjects to exercise their rights 1. Right to information and communication 2. Right of access to their personal data (DSAR) 3. Right to rectification 4. Right to erasure • Right to be forgotten 5. Rights to restriction of processing and notification of lifting of such restrictions 6. Rights to be notified of any rectification, erasure or restriction of processing 7. Right to data portability 8. Right to object 9. Right not to be subject to a decision based solely on automated processing, including profiling

13. Data Sharing [Article 26] • Two (or more) Controllers jointly determine the purposes and means of processing • Must decide their who does what to comply with the GDPR for: • Data Subject rights • Providing information to Data Subject in a Data Sharing Agreement or Joint Controller Agreement made between them • Data sharing between public bodies governed by • Data Sharing and Governance Act 2019 01010 10101 01010 10101 01010 10101 00110 01100 11001 Joint Controllers

14. Processor Contracts [Article 28] • The OPW is jointly and severally liable for GDPR infringements/breaches by its Processors • The OPW can only use Processors who • Comply with the GDPR • Protect the rights of the Data Subject • The OPW must have a binding legal contract with each of its Processors • Article 28 details what must be in this contract • Processor must not process the data except on documented instructions from the OPW • Processor must implement appropriate security measures based on level of risk to Data Subject

15. Records of Processing Activities [Article 30] • The OPW must maintain a written record of its processing activities • Processing activity: One or more processing operations carried out for a specific purpose • Key information to record for each processing activity a) Purposes of the processing of the personal data b) Legitimate (lawful) reason for processing the personal data [Article 13] c) Categories of Data Subjects and of personal data d) Categories of recipients to whom personal data are be disclosed e) Transfers of personal data to a third country or international organisation f) Retention periods • Processing Activities identified via workshops with business areas • Collected via online questionnaires

19. Records of Processing Activities [Article 30] • The OPW must maintain a written record of its processing activities • Processing activity: One or more processing operations carried out for a specific purpose • Key information to record for each processing activity a) Purposes of the processing of the personal data b) Legitimate (lawful) reason for processing the personal data [Article 13] c) Categories of Data Subjects and of personal data d) Categories of recipients to whom personal data are be disclosed e) Transfers of personal data to a third country or international organisation f) Retention periods • Processing Activities identified via workshops with business areas • Collected via online questionnaires • Record is a large spreadsheet • DPC regards these records as vital for transparency and can ask to see them at any time

20. DPO Name DPO Address DPO Email DPO Phone DPO Fax Purpose of Processing Lawful Ground Legal Basis for Processing Legitimate Interests Data Subject - Personal Data Data Subjects - Volume Liam S. Kelly Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36. dpo@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Recording for purposes of H&S and security of staff and visitors [Article 6.1.f] Necessary for the purposes of the legitimate interests pursued by the OPW or a third party** Security of staff, visitors and building Employees, Visitors 10,000- 100,000 Name Managing Organization Description Controller Controller Address Controller Email Controller Phone Controller Fax CCTV: Rathfarnham Castle National Historic Properties External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff. The Commissioners of Public Works in Ireland The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36 info@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Security of staff visitors and building

25. DPO Name DPO Address DPO Email DPO Phone DPO Fax Purpose of Processing Lawful Ground Legal Basis for Processing Legitimate Interests Data Subject - Personal Data Data Subjects - Volume Liam S. Kelly Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36. dpo@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Recording for purposes of H&S and security of staff and visitors [Article 6.1.f] Necessary for the purposes of the legitimate interests pursued by the OPW or a third party** Security of staff, visitors and building Employees, Visitors 10,000- 100,000 Name Managing Organization Description Controller Controller Address Controller Email Controller Phone Controller Fax CCTV: Rathfarnham Castle National Historic Properties External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff. The Commissioners of Public Works in Ireland The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36 info@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793

26. DPO Name DPO Address DPO Email DPO Phone DPO Fax Purpose of Processing Lawful Ground Legal Basis for Processing Legitimate Interests Data Subject - Personal Data Data Subjects - Volume Liam S. Kelly Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36. dpo@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Recording for purposes of H&S and security of staff and visitors [Article 6.1.f] Necessary for the purposes of the legitimate interests pursued by the OPW or a third party** Security of staff, visitors and building Employees, Visitors 10,000- 100,000 Name Managing Organization Description Controller Controller Address Controller Email Controller Phone Controller Fax CCTV: Rathfarnham Castle National Historic Properties External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff. The Commissioners of Public Works in Ireland The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36 info@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793

27. DPO Name DPO Address DPO Email DPO Phone DPO Fax Purpose of Processing Lawful Ground Legal Basis for Processing Legitimate Interests Data Subject - Personal Data Data Subjects - Volume Liam S. Kelly Data Protection Officer, The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36. dpo@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Recording for purposes of H&S and security of staff and visitors [Article 6.1.e] Necessary for the exercise of official authority vested in the OPW Arterial Drainage Act 1945 and 1995 Security of staff, visitors and building Employees, Visitors 10,000- 100,000 Name Managing Organization Description Controller Controller Address Controller Email Controller Phone Controller Fax CCTV: Rathfarnham Castle National Historic Properties External cameras surrounding Rathfarnham Castle and one internal camera in the tearooms monitor activities for reasons of Health and Safety and Security of visitors and staff. The Commissioners of Public Works in Ireland The Office of Public Works Head Office, Jonathan Swift Street, Trim, Co. Meath, Ireland, C15 NX36 info@opw.ie (0761) 106000 / (046) 942 6000 / (01) 647 6000 / 1890 213 414 (LoCall) (046) 948 1793 Security of staff visitors and building

30. Data Subjects – Region Data Category - Personal Data Data Element - Personal Data Recipients Locations Reci- pient Country Inter- national Organ- isation Transfer Dero- gation Transfer Safe- guards Adequacy Decision Data Retention Security Measures Europe (EEA) Employees - Personal Identification, Visitors - Personal Identification Employees - CCTV Images, Visitors - CCTV Images Other Government Bodies/ Public Authorities EEA (except UK): Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; F rance; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Netherlands; Norway; Poland;P ortugal; Romania; Slovakia; Slovenia; Spain; Sweden 28 days Signage advising public of CCTV in place. Screens not visible to general public. Guiding staff have access to live feed only. Security staff aware of regulations regarding viewing of recorded material. Screens and recording equipment in secure security room located away from public. Access to security room via door with coded keypad.

36. Data Subjects – Region Data Category - Personal Data Data Element - Personal Data Recipients Locations Reci- pient Country Inter- national Organ- isation Transfer Dero- gation Transfer Safe- guards Adequacy Decision Data Retention Security Measures Europe (EEA) Employees - Personal Identification, Visitors - Personal Identification Employees - CCTV Images, Visitors - CCTV Images Other Government Bodies/ Public Authorities EEA (except UK): Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Nether- lands; Norway; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden 28 days Signage advising public of CCTV in place. Screens not visible to general public. Guiding staff have access to live feed only. Security staff aware of regulations regarding viewing of recorded material. Screens and recording equipment in secure security room located away from public. Access to security room via door with coded keypad.

37. Data Subjects – Region Data Category - Personal Data Data Element - Personal Data Recipients Locations Reci- pient Country Inter- national Organ- isation Transfer Dero- gation Transfer Safe- guards Adequacy Decision Data Retention Security Measures Europe (EEA) Employees - Personal Identification, Visitors - Personal Identification Employees - CCTV Images, Visitors - CCTV Images Other Government Bodies/ Public Authorities EEA (except UK): Austria; Belgium; Bulgaria; Croatia; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Nether- lands; Norway; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden 28 days Signage advising public of CCTV in place. Screens not visible to general public. Guiding staff have access to live feed only. Security staff aware of regulations regarding viewing of recorded material. Screens and recording equipment in secure security room located away from public. Access to security room via door with coded keypad.

38. Records of Processing Activities [Article 30] • The OPW must maintain a written record of its processing activities • Processing activity: One or more processing operations carried out for a specific purpose • Key information to record for each processing activity a) Purposes of the processing of the personal data b) Legitimate (lawful) reason for processing the personal data [Article 13] c) Categories of Data Subjects and of personal data d) Categories of recipients to whom personal data are be disclosed e) Transfers of personal data to a third country or international organisation f) Retention periods • Processing Activities identified via workshops with business areas • Collected via online questionnaires • Record is a large spreadsheet • All business areas must provide full details of their processing activities to the DPO • Processors must maintain a written record of all categories of processing activities carried out on behalf of the OPW • DPC regards these records as vital for transparency and can ask to see them at any time

39. Secure Your Space [Article 32] • Lock your computer with <Windows>-L whenever you leave your desk • Do not leave personal data lying about unattended • Lock it away, remove the key and secure it • Do not leave uncollected jobs on the printer tray or fax machine • Do not leave scanned documents in scanner folder • Choose strong passwords and protect them • Do not give them to anyone else • Do not stick them under your keyboard or write them in a desk diary

40. Mandatory Reporting of Data Breaches [Articles 33 and 34] • What is a Data Breach? • Accidental loss, disclosure or destruction of personal data • The OPW is legally obliged to notify a personal data breach to the DPC • Without undue delay and within 72 hours of becoming aware of it • The 72 hours takes no account of weekends, bank holidays or Christmas • If notification not made within 72 hours, YOU, not the DPO, must explain why • If you become aware of a data breach • REPORT IT TO DPO IMMEDIATELY • Do not wait until an investigation takes place • DPO will notify the DPC if there is a risk to the rights and freedoms of the Data Subjects involved • You must inform Data Subject(s) of a personal data breach • Without undue delay • Not required where personal data is encrypted • A Processor must notify the OPW of a data breach without undue delay Common Causes of Data Breaches • Accidentally published • Emailed or posted to wrong person • Hacking • Lost or stolen computer or media • Security Vulnerability

41. Transferring Personal Data Outside the EEA • You can transfer data outside the EEA by • Putting it on a website • Using cloud services • Always ask: “Where is my data?” • Countries outside EEA are third countries • UK left EU on 31 Jan 2020. Transition period ended 31 Dec 2020 • Consult the DPO before transferring personal data to a third country • Personal data may be transferred to a third country only • Where EU Commission has decided that it provides an adequate level of protection • Easy • By using Standard Contractual Clauses • Model contracts – harder • By using Binding Corporate Rules • Very complex and expensive • Only for Multinationals Andorra Argentina Canada* Faroe Islands Guernsey Israel Isle of Man Japan Jersey New Zealand Republic of Korea Switzerland Uruguay UK USA (Privacy Shield) 2021 USA (Safe Harbour) 2015

42. Transferring Personal Data Outside the EEA • You can transfer data outside the EEA by • Putting it on a website • Using cloud services • Always ask: “Where is my data?” • Countries outside EEA are third countries • UK left EU on 31 Jan 2020. Transition period ended 31 Dec 2020 • Consult the DPO before transferring personal data to a third country • Personal data may be transferred to a third country only • Where EU Commission has decided that it provides an adequate level of protection • Easy • By using Standard Contractual Clauses • Model contracts – harder • By using Binding Corporate Rules • Very complex and expensive • Only for Multinationals Andorra Argentina Canada* Faroe Islands Guernsey Israel Isle of Man Japan Jersey New Zealand Republic of Korea Switzerland Uruguay UK USA (Privacy Shield) 2021

43. Transferring Personal Data Outside the EEA • You can transfer data outside the EEA by • Putting it on a website • Using cloud services • Always ask: “Where is my data?” • Countries outside EEA are third countries • UK became a third country at 11pm on 31 December 2020 • Consult the DPO before transferring personal data to a third country • Personal data may be transferred to a third country only • Where EU Commission has decided that it provides an adequate level of protection • Easy • By using Standard Contractual Clauses • Model contracts – harder • By using Binding Corporate Rules • Very complex and expensive • Only for Multinationals Andorra Argentina Canada Faeroe Islands Guernsey Israel Isle of Man Japan Jersey New Zealand Switzerland Uruguay USA (Privacy Shield)

44. When it all Goes Horribly Wrong • Penalties: effective, proportionate and dissuasive • Fines of up to €1m apply to OPW • Person who has suffered material or non-material damage as a result of a GDPR infringement can sue OPW (and/or our Processors) for compensation • Where both OPW and our Processors are responsible for any damage caused by processing, each shall be held liable for the entire damage • Data Protection Commission may: • Carry out data protection audits • Notify OPW (or our Processors) of alleged GDPR infringements • Access all personal data, information and IT equipment it needs • Reprimand OPW where processing has infringed the GDPR • Order OPW to comply with the GDPR • Impose a temporary or permanent ban on processing in the OPW

45. Treat other peoples personal data as it if was your own Clodagh Murphy, Accounts, Kilkenny 23/02/2023 47 dpo@opw.ie And Finally …

019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx

Recommended

Recommended

More Related Content

Similar to 019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx

Similar to 019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx (20)

Recently uploaded

Recently uploaded (20)

019 2023-02-09 Induction Training - GDPR and Data Protection Rev May 2021 for AV.pptx

Editor's Notes