An Overview of Data Protection Legislation
Consumer Affairs Department, Tel 061 483286 / 87
© Health Service Executive
Contents
• Introduction and background.
• Main definitions.
• Rules and responsibilities for all staff.
• Contact details.
What is Data Protection?
• Safeguards the privacy rights of individuals in relation to the processing of personal data by:
– regulating computer use
– giving individuals rights in relation to their personal information
– imposing responsibilities on organisations in terms of compliance with the Data Protection rules and rights of access
• Data Protection Acts 1988 & 2003 create rights for individuals and responsibilities for computer and other users.
• When you create a record which contains personal data not only should it remain confidential but you are also obliged to keep it safe and secure and use it only for the purpose for which it was collected.
• Disciplinary action may follow a DP breach as each staff member has an individual responsibility under DP legislation and the more recent HSE policy
History
• Council of Europe Convention of Data Protection, 1981
– The purpose of this convention was to secure respect for a person’s rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data relating to them ("data protection")
• Data Protection Act 1988 (gives effect to 1981 convention)
• Data Protection Directive, Directive 95/46/EC
– Manual Records
– Consent
– Transfer of Data
• Data Protection (Amendment) Act 2003
• Privacy Bill 2006
Corporate Responsibilities
• The HSE must comply with Data Protection legislation.
• The HSE must nominate Data Controllers – four in total being the Consumer Affairs Area Manager in each of the four regions.
• Each Data Controller must register all databases with the Data Protection Commissioner and ensure that this registration is kept up to date.
• The HSE must process all Data Protection Access requests.
• The HSE must ensure that all staff have received Data Protection training.
Definitions
• Personal information (even minimum information such as name, address or email address) about a living individual held either electronically or in paper files. It includes information in the form of photographs, fingerprints, audio recordings and text messages. Personal information can be stored in a number of ways such as in mobile phones, laptops, palm pilots, voicemail, fax machines and CCTV.
• Sensitive Personal Data: Relates to specific categories of data which are defined as data relating to a person’s racial origin, political opinions or religious or other beliefs; physical or mental health; sexual life; criminal history; trade union membership
Definitions
• Data: Information in a form which can be processed (manual & electronic)
• Data Subject: An individual who is the subject of personal data
• Data Controller: A person who, either alone or with others, controls content and use of personal data
• Data Processor: A person who processes personal information on behalf of the data controller
DEFINITIONS
• Processing of Data or Information – performing any operation on data including:
– Obtaining, recording, keeping
– Collecting, organising, storing, altering, adapting
– Retrieving, consulting, using
– Disclosing, transmitting, disseminating
– Aligning, combining, blocking, erasing or destroying
The 8 Principles of Data Protection
Principle Number 1
Obtain and process information fairly
• In order to obtain personal data fairly from people, we need to ensure that they are made aware of:
– Why the data is being collected.
– What it will be used for.
– Persons/third parties to whom data may be disclosed.
– Right to access their data.
• To fairly process personal data it must have been fairly obtained and the data subject must have given consent to the processing.
Principle No 2
Keep it for one or more specified, explicit and lawful purposes
• An individual should know the purpose for which we collect and hold his/her data.
• He/she must also be aware of the different sets of data which we hold and the specific purpose of each set.
Principle No 3
Use and disclose it only in ways compatible with these purposes
Key tests of compatibility are:
1. Do you use the data only in ways consistent with the purpose for which it was obtained?
2. Do you disclose the data only in ways consistent with that purpose?
What is Compatible Disclosure?
• Closely related to the specified purpose
• Consistent with the specified purpose
• Need to know basis
• The surprise test – would the subject be surprised to learn that the disclosure is taking place?
Principle No 3
Use and disclose it only in ways compatible with these purposes
We as staff of the HSE must ensure that personal data is used only in ways consistent with the purpose for which it was obtained.
• Except where it is:
– Required urgently to protect life and limb.
– Required by law or court order.
– With consent of/on behalf of data subject.
– Crime; tax; State security; international relations.
Principle No 4
Keep it safe and secure
• Appropriate security measures must be taken against unauthorised access to, alteration, disclosure or destruction of, the data and against their accidental loss or destruction.
Principle No 4
Keep it safe and secure
All staff should be aware of the Information Security Policies adopted by the HSE including:
– Information Security Policy
– Information Technology Acceptable Usage Policy
– Electronic Communications Policy
– Password Standards Policy
– Encryption Policy
– Mobile Phone Device Policy
Principle No 5
Keep it accurate, complete and up to date
• We need to ensure that clerical and computer procedures are adequate to ensure high levels of data accuracy.
• We also need to ensure that appropriate procedures are in place, including periodic review and audit, to ensure that all records are kept up to date.
Principle No 6
Ensure that it is adequate, relevant and not excessive
We must ensure that information being held is:
• Adequate and relevant in relation to the purpose for which it is being held.
• Not excessive in relation to the purpose for which it is kept.
e.g. asking a job applicant about criminal convictions could be relevant but it would be irrelevant and excessive to ask the same question in an online booking form for theatre tickets!
Principle No 7
Retain it for no longer than is necessary for the purpose
To comply with this you should have:
• Staff should be aware of:
– The length of time data/records are held.
– The reason why they are being retained.
– The process for destruction when no longer required.
• Responsibility should be assigned to a specific individual within a department to ensure that files are reviewed on at least an annual basis to ensure that personal information is not retained any longer than necessary.
• All staff should be aware of:
– NHO Code of Practice for Healthcare Records Management.
– The National Policy for Health Boards on Record Retention Periods.
Principle No 8
Give a copy of personal data on request
On making an access request, any individual about whom you keep personal data is entitled to:
• A copy of the data you are keeping about him/her
• Know the purpose/s for processing the data
• Know the identity of those to whom you disclose the data
• Know the source of the data, unless it is contrary to public interest
• Know the logic involved in automated decisions
• A copy of any data held in the form of opinions, except where such opinions were given in confidence
Right of correction or erasure
Section 6 of the Act
• The data subject must make a written request
• Personal data must be corrected if inaccurate or deleted.
• Data controller has 40 days to respond.
• No fee is required.
Manual Data
This information must be in a ‘relevant filing system’ which is structured by reference to individuals in such a way that specific information relating to a particular individual is readily accessible.
• The data must be part of a set
• The set must be structured
• The data must be accessible
• Such access cannot be simply random but must be according to specific criteria
Security Issues
Manual Files
• Who has access?
• At what level is it authorised?
• Are they kept under lock and key?
• Are there designated staff to make additions to the file?
• Who deals with requests for information from the file? - Set procedures for this?
Faxing Information
Confidential and personal information should not be transmitted by fax message except if all persons identified in the fax message have fully understood the risks and agreed, or there are no other means available, or in a medical emergency where a delay would cause harm to a patient.
• Checking and confirming correct fax numbers
• Authorised access to fax only
• A phone call before fax is sent to ensure machine is manned
Mailing Information
• Registered Post
• Check correct mailing address
• Sealed envelopes
What are Electronic Records?
The term electronic record is a generic description for a record held on, or produced by, a computerised system.
Records can be output as any media: text, images, sound or a combination of these and include electronic documents and electronic messages.
Information Security Policies: HSE
• The aim of these policies is to help protect patient, client and staff information.
• Each staff member who uses HSE ICT equipment or has HSE data stored on an electronic device needs to make themselves familiar with the policies.
Information Security Policy, Information Technology Acceptable Usage Policy, Electronic Communications Policy, Password Standards Policy, Encryption Policy, Mobile Phone Device Policy
• The full policies are available to download from the HSE intranet:
http://hsenet.hse.ie/HSE_Central/Commercial_and_Support_Services/ICT/Policies_and_Procedures/Policies/
• If you have any queries contact your local ICT Department Tel 061 483308
Keep it Safe and Secure
• Personal laptops or other equipment (e.g. cameras, phones) must NOT be used for HSE business.
• The storage of confidential or personal information on USB flash drives (i.e. memory stick/pen/keys) is strictly prohibited. Encrypted HSE approved USB memory sticks may only be used on an exceptional basis where it is essential to store or temporarily transfer confidential or personal data.
• Users must only use accounts and passwords that are assigned to them.
• All confidential and personal information transmitted to an email address outside the HSE Domain must be encrypted.
• All HSE laptop computer devices must be password protected, have up to date anti-virus software installed and have encryption software installed.
Keep it Safe and Secure
• Old and obsolete IT equipment must be securely recycled via the ICT Directorate.
• Confidential and personal information must be securely deleted from your PC when no longer required.
• All passwords must be a minimum of 8 characters and must contain a combination of letters, numbers and at least one special character.
• Mobile phone devices should have PIN or password protection and those with cameras must not be used inappropriately.
• Restrict access to records on a “need to know” basis & ensure premises secure when unoccupied.
• Ensure there are back up procedures for computers including off-site back up.
Keep it Safe and Secure
• PC should be locked when a person leaves their desk (Ctrl + Alt + Delete).
• Staff should log out of their PC at the end of each working day.
• Confidential waste papers must be securely disposed of (shredded).
• Use screen savers and passwords
• Revoke IDs and passwords as soon as users resign or leave
• Use audit trails to track when a record is accessed and by whom
• Information on computer screens and manual files should be kept hidden from callers and should be secured when office is unoccupied.
• Ensure there are contracts and confidentiality agreements in place with data processors
Laptops – some basic precautions!
Do not leave the portable unattended
Do not position portables near exterior windows where they are subject to ‘smash & grab’ theft
Keep only the most necessary information on the portable
Back up files and store them in some other place other than the carry case
Pay attention to where you use the portable, be aware that someone could see the screen behind you
Be cautious about installing any software from unknown sources – may contain a virus
Ensure that sensitive files are password protected when stored on laptop
Ensure that anti-virus software has been installed
Ensure that the data held on your laptop is encrypted
Data Breach
• HSE Data Protection Breach Management Policy
• An incident report must be completed immediately by HSE employees and their line manager whenever confidential or personal data belonging to the HSE is accidentally disclosed, lost or stolen, or whenever a HSE mobile computer device or a mobile storage device is lost or stolen.
• The completed report must be forwarded immediately via fax or email (a scanned copy) to the employee's local Consumer Affairs Office (for incidents involving the accidental disclosure, loss or theft of manual (paper based) data) or ICT call centre / helpdesk (for incidents involving the accidental disclosure, loss or theft of electronic data, or the loss or theft of a HSE mobile computer or storage device).
Data Breach
What to do in the event of a breach
• Contact Line Manager
• Fill out incident form with Line Manager
• Contact the Gardaí (if items stolen etc)
• Contact Consumer Affairs / ICT Helpdesk
• Recommendations: a key aspect of the report, which are followed up by Consumer Affairs and DP Commissioner
• Disciplinary action may follow as each staff member has an individual responsibility under DP legislation and the more recent HSE policy
Data Protection Commissioner
DP Commissioner
• Upholds rights of individuals
• Enforces obligations of data controllers
• Investigates complaints
• Maintains public register
• European functions
• Codes of Practice
• Investigation to ensure compliance and identify contravention
• Pre registration check
• Name & Publish
• Annual Report absolutely privileged
Commissioner’s Powers
• Information notice (section 12)
• Enforcement notice (section 10)
• Prohibition notice (section 11)
• Powers of entry and inspection (section 24)
– “authorised officers”
• Decision on complaints (section 10)
• Refusal to register (section 17)
• Auditing powers (section 10 (1) a)
Offences and Penalties
• Failure to comply with a Notice
• Failure to register
• Failure to comply with terms of register entry
• Fine of up to €100,000
• Court may order erasure of data
Guidelines & Contact Details
Consumer Affairs Dept, H.S.E., 31/33 Catherine St. Limerick Tel: 061 483286/87
ICT Dept, H.S.E., 31/33 Catherine St. Limerick Tel: 061 4833308
HSE Website: http://hsenet.hse.ie/Intranet/HSE_Central/Consumer_Affairs/
The Data Protection Commissioner’s Website: http://www.dataprotection.ie Tel: 057 8684800