Data Protection Act 1998 NICVA 27 October 2011 Nigel Treanor

Page 1

Data Protection Act 1998

NICVA, 27 October 2011

Nigel Treanor

Page 2

Mission Statement

The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Page 3

ICO’s Role

Enforce and regulate:

– Freedom of Information Act

– Environmental Information Regulations

– Data Protection Act

– Privacy and Electronic Communications Regulations

Provide information to individuals and organisations

Adjudicate on complaints

Promote good practice

Page 4

Information Concerns

Recognition by the public that Data Protection is relevant to the following areas:

– Preventing crime

– Protecting people’s personal information

– Unemployment (2004: 50%; 2009: 93%)

– The National Health Service (2004: 78%; 2009: 90%)

– National security

– Environmental issues

– Equal rights for everyone

– Improving standards in education

– Protecting freedom of speech

– Access to information held by public authorities

Page 5

Background

– Royston House, DFP

– HMRC (November 2007)

– Health Data

– Street View

– North Lanarkshire Council

Page 6

Causes of Reported Data Loss

[Pie chart. The seven slices extracted are 24%, 24%, 7%, 3%, 31%, 8% and 3%; the extraction does not preserve which percentage belongs to which category. Categories shown:]

– Disclosed in Error

– Lost Data/Hardware

– Lost in Transit

– Non-secure Disposal

– Stolen Data/Hardware

– Technical/Procedural

– Other

Page 7

Charities and ICO Enforcement

Charities breached data rules over unencrypted computer thefts

– Sheffield-based charity Asperger’s Children and Carers Together (ACCT)

– Nottingham-based charity Wheelbase Motor Project

Both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people (80 children and 50 young people).

Both incidents occurred when the devices were stolen.

Page 8

Data Protection Act 1998

The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is held and handled properly.

Page 9

Charitable groups and the Data Protection Act – examples of areas that are covered

– Human resource information

– Holding service user/volunteer/staff information

– Sharing service user/volunteer/staff details

– Service users or staff requesting their personal data

– Direct marketing and promotional campaigns

– Redundancy and employment issues

– Information security

– Retention periods

– Database management and accuracy

– Photographs of service users, volunteers or staff

– CCTV images and video footage

Page 10

Data Protection Act 1998

– An Act to regulate the processing of information about individuals

– Drawn from European Directive 95/46/EC

– A “reserved” matter in Northern Ireland

– Provides rights for individuals and sets out responsibilities for data controllers

– 8 Data Protection Principles provide a framework for handling personal data

Page 11

Eight Principles of DPA

The Data Protection Act states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:

– Fairly and lawfully processed

– Processed for limited purposes

– Adequate, relevant and not excessive

– Accurate and up to date

– Not kept for longer than is necessary

– Processed in line with your rights

– Secure

– Not transferred to other countries without adequate protection

And all data controllers must comply with the principles.

Page 12

Definitions

Personal Data means data which relate to a living individual who can be identified:

– from those data, or

– from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of that individual.

Relevant Filing System/Accessible Record

Processing is a compendious definition covering obtaining, recording, holding, consultation, use, disclosure, destruction, or carrying out any other operation or set of operations on the information or data.

Page 13

Definitions – Sensitive Personal Data

Sensitive Personal Data means personal data where the content relates to:

– Racial or ethnic origin

– Political opinions

– Religious or other beliefs

– Trade union membership

– Physical or mental health

– Sexual life

– Criminal convictions/alleged offences

Sensitive Personal Data are subject to extra safeguards before they can be processed.

Page 14

Definitions

Data Subject - means an individual who is the subject of personal data

Data Controller - means any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Data Processor - in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller

Page 15

What this means for the individual

How to Access Information

This allows you to find out what information is held about you on a computer and within some manual records, such as medical records, files held by public bodies and financial information held by credit reference agencies.

Correcting Information

This allows you to apply to a court to order a data controller to correct, block, remove or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.

Preventing Processing of Information

This means you can ask a data controller not to process information about you that causes substantial unwarranted damage or distress. The data controller is not always bound to act on the request.

Preventing Unsolicited Marketing

This means a data controller is required not to process information about you for direct marketing purposes if you ask them not to. For example, you have the right to stop unsolicited mail.

Page 16

What this means for the individual

Preventing Automated Decision Making

This means you can object to decisions made only by automatic means, that is, where there is no human involvement.

Claiming Compensation

This allows you to claim compensation through the courts from a data controller for damage, and in some cases distress, caused by any breach of the Act.

Exempt Information

This allows you to ask the ICO to investigate and assess whether the data controller has breached the Act. The ICO’s “how to complain” guidance explains how to do this.

Page 17

Notification

Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence.

Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection

Notification Helpline: 0303 123 1113 (Mon-Fri 9am-5pm)

Changes to the notification fee structure came into effect on 1 October 2009. The fee structure is now tiered to reflect the costs to the ICO of regulating data controllers of different sizes

Page 18

Fair Processing Notice

An oral or written statement that individuals are given when information is being collected.

A Privacy Notice should tell people who you are, what you are going to do with the information and who it will be shared with.

It can go further and include access rights and security arrangements.

A Privacy Notice should be genuinely informative.

A Privacy Notice which is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective.

Page 19

Right of Access (Subject Access Request)

A request for access must be received in writing.

A request covers finding out whether personal data are processed and, if so (within 40 days):

– providing a description of the personal data processed, of the purpose of the processing and of any recipients or classes of recipients

– providing a copy of the information constituting the personal data in an intelligible form, and providing information about the source, if available

– providing information about any automated decision that significantly affects the Data Subject.

Page 20

Right of Access: the data controller has to consider…

Identification of the Data Subject, and seeking assistance from the Data Subject to locate the personal data

Any exemption which may apply (e.g. prevention of crime)

Deciding whether it is reasonable to disclose third-party information. If the consent of the other individual has been obtained, there should be no problem revealing the information.

In the absence of consent of the other individual, the test of “reasonableness” needs consideration (e.g. any duty of confidence to the other individual; whether consent has been refused; whether consent can in practice be obtained; the steps taken to obtain consent).

Removal of the minimum amount of information which identifies another individual; in some circumstances this could be just the name of the other individual.

Page 21

What it means for charities – heading in the right direction?

– Do I really need this information about an individual? Do I know what I’m going to use it for?

– Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?

– If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?

– Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?

– Is access to personal information limited to those with a strict need to know?

– Am I sure the personal information is accurate and up to date?

– Do I delete or destroy personal information as soon as I have no more need for it?

– Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?

– Do I need to notify the Information Commissioner and, if so, is my notification up to date?

Page 22

Section 55 & ‘The Blagging Offence’

“55 (1) A person must not knowingly or recklessly, without the consent of the data controller –

(a) obtain or disclose personal data or the information contained in personal data, or

(b) procure the disclosure to another person of the information contained in personal data”

Page 23

Reporting Data Breaches

At present, there is no law expressly requiring you to notify a breach, but sector-specific rules may lead you towards issuing a notification to the ICO.

The ICO has issued guidance on data security breach management and guidance on reporting a data breach to the ICO (available at www.ico.gov.uk).

But... revisions to Directive 2002/58/EC (the Directive on Privacy and Electronic Communications) introduce compulsory breach reporting for providers of public electronic communications services.

Page 24

Changes to the Law

Significant losses of personal data in 2007/8

Existing powers deemed inadequate

Public calls for a criminal offence

Criminal Justice and Immigration Act 2008, s 77: power for the Secretary of State to alter the penalty for unlawfully obtaining personal data

Preferred option was a power to impose a Monetary Penalty – a civil sanction

New power inserted into the Data Protection Act 1998 as sections 55A to 55E (following section 55) by section 144 of the Criminal Justice and Immigration Act 2008 (CJIA)

Page 25

Main features

– The ICO may serve a Monetary Penalty Notice on a data controller requiring payment of a Monetary Penalty, which must not exceed £500,000

– Applies to all data controllers in the private, public and voluntary sectors, except the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) DPA 1998 (the Royal Household)

Page 26

Specific requirements

Before the ICO can impose a Monetary Penalty it has to be satisfied under section 55A DPA 1998 that:

– There has been a serious contravention of data protection principles by the data controller,

– The contravention was of a kind likely to cause substantial damage or substantial distress and either…

Page 27

Specific requirements continued

-The contravention was deliberate or,

-The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention

Page 28

First Monetary Penalty Notices

(i) Hertfordshire County Council – £100,000 penalty (Nov 2010)
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/hertfordshire_cc_monetary_penalty_notice.ashx

(ii) A4e Ltd – £60,000 penalty (Nov 2010)
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/a4e_monetary_penalty_notice.ashx

Page 29

Second Monetary Penalty Notices, February 2011

Ealing Council – £80,000 and Hounslow Council – £70,000

Two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted, despite this being in breach of both councils’ policies. There is no evidence to suggest that the data held on the computers has been accessed, and no complaints from clients have been received by the data controllers to date, but there was nevertheless a significant risk to the clients’ privacy.

Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working had been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff.

Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely.

Page 30

Misdirected Emails – June 2011

The ICO served Surrey County Council with a monetary penalty for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.

The first incident, and the most significant of the three, took place on 17 May 2010. A member of staff working for one of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.

The group email address included a large number of transportation companies, including taxi firms, coach and minibus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.

Page 31

Misdirected Emails – £120,000

A second misdirected email, sent on 22 June 2010, led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.

In a third incident, the council’s Children Services department sent confidential sensitive information, which included data relating to an individual’s health, to the wrong internal group email address on 21 January 2011. While the data did not leave the council’s network, this breach led to sensitive data being circulated to individuals who should not have received it.

The penalty of £120,000 recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information.

Page 32

Information Sharing Code of Practice

Page 33

Sharing of Personal Data – issues to consider:

• Do you have the power or legal provisions to share the information?

• What is the sharing intended to achieve?

• Do you need to share personal data?

• What information needs to be shared?

• When should it be shared?

• Who does it need to be shared with?

• How should it be shared?

• What benefits are sought from the proposed sharing?

• What risks are there?

• What are the likely effects on individuals/society?

• Consider the consequences of not sharing.

• Consent? Choice? Transparency?

• Make the citizen/client/consumer the focus of the decision.

Page 35

Advice and Guidance

Information Commissioner’s Office

51 Adelaide Street

Belfast

BT2 8FE

Tel. 02890 269380

Fax. 02890 269388

Website: www.ico.gov.uk

Enquiries by email: [email protected]

Notification Team – 0303 123 1113

(Mon-Fri 9am to 5pm)

Page 36

Keep in touch

Subscribe to our e-newsletter at www.ico.gov.uk or find us on…

www.twitter.com/iconews