Upload
sydney-fleming
View
41
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Data Protection: An enabler?. David Freeland, Senior Policy Officer 23 October 2014. An international act…. “We've got a piece of legislation called the Data Protection Act. It's UK legislation but I feel certain that you must have something similar in Scotland.” - PowerPoint PPT Presentation
Citation preview
An international act…
“We've got a piece of legislation called the Data Protection Act. It's UK legislation but I feel certain that you must have something similar in Scotland.”
A high street financial institution
A balancing act…
“Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals”
Recital 2, European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
What is personal data?
Personal data relate to a living individual who can be identified from those data and/or other information and includes opinions and intentions of the data controller or any other person in respect of the individual.
What is sensitive personal data?
Sensitive personal data relate to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual life and criminal activity.
What records are covered?
ElectronicDataTextsImagesRecordings
Manual recordsIntention of being automatedStructured filing systemUnstructured records – public bodies
The 8 Data Protection Principles
1. Processed fairly and lawfully
2. Obtained only for one or more specified lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and, where necessary, kept up to date
5. Kept for no longer than is necessary
6. Processed in accordance with individuals’ rights
7. Subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing, or the accidental loss, destruction, or damage to, personal data
8. Only transferred to a country or territory outside the EEA where adequate levels of protection for the rights and freedoms of individuals in relation to the processing of personal data can be ensured
Personal information must be…
Lawful – conditions for processing
Personal dataConsentContractLegal obligationVital interestsAdministration of justicePublic function in the public interestLegitimate interests of the data controller and third party but not prejudicial to individual
Sensitive dataExplicit consentEmployment lawVital interestsNot-for-profit TU/religious/ political/philosophical groupsPut in public domain by the individualLegal proceedings/adviceFunctions under enactmentAnti-fraud activityMedical purposesEqual opps monitoringSubstantial public interest (SI 2000/417)
Lawful – conditions for processing
Personal dataConsentContractLegal obligationVital interestsAdministration of justicePublic function in the public interestLegitimate interests of the data controller and third party but not prejudicial to individual
Sensitive dataExplicit consentEmployment lawVital interestsNot-for-profit TU/religious/ political/philosophical groupsPut in public domain by the individualLegal proceedings/adviceFunctions under enactmentAnti-fraud activityMedical purposesEqual opps monitoringSubstantial public interest (SI 2000/417)
Additional conditions (SI 2000/417)
The processing is in the substantial public interest Must be carried out without explicit consent so as not to
prejudice the purpose or function
1. Necessary for the detection or prevention of any unlawful act (or failure to act)
2. Necessary for a function designed to protect the public against
a. dishonesty, malpractice, serious improper conduct, incompetence or unfitness of any person, or
b. Mismanagement in the administration of, or failures in services provided by, any body or association
Crime and investigations
Section 29: Crime and taxation exemption
Purpose: detecting or preventing a crime
Exempt from giving fair processing information and giving information in response to a SAR to the extent to which provision would be likely to prejudice the investigation
You can share intelligence that may help detect or prevent a crime on a need-to-know basis
ICO required by law to produce
Approved by Secretary of State and UK Parliament
Not following Code is not necessarily a DPA breach
Provides ‘good practice’ advice
Admissible in court proceedings
Poses questions you need to answer
Data Sharing Code of Practice
Putting it into practice
Clear policies, guidance and procedures Staff training – initial and refresher Clear lines of escalation and decision making Audit trails, and audit the audit trails Work with appropriate people in your organisation – data
protection specialists, lawyers, internal audit Take account of professional standards in handling personal
information Appropriate contacts in other organisations
Key points
Data protection is a framework, not a barrier
Lawful, proportionate and relevant information sharing only
Right information to the right people at the right time
Be prepared – know the legal basis, and have an audit trail
How would you want your information to be treated?
What harm is likely to result from not sharing?
Scotland Office:
45 Melville Street
Edinburgh EH3 7HL
T: 0131 244 9001 E: [email protected]
Subscribe to our e-newsletter at www.ico.org.uk or find us on…
@iconews
Keep in touch
/iconews