Data Protection
Paul Veysey & Bethan Walsh
Introduction
Data Protection is about protecting people by responsibly managing their data in ways they expect and understand.
Slide 3
Penalties
Data Protection in the UK is supervised and enforced by the Information Commissioner, who can serve notices on organisations to ensure compliance and can bring prosecutions.
Criminal offences include:
- Failing to notify data processing to the ICO
- Unlawful obtaining and disclosure of personal information
Civil claims for compensation can be brought by individuals where organisations have breached the provisions of the DPA, causing them damage.
Slide 4
Pro-active Approach
Organisations should:
- Appoint a senior member to take responsibility for Data Protection (the Data Protection Officer)
- Ensure policies and procedures are in place such that data protection is always a consideration
- Ensure staff and volunteers have training and guidance available to them to ensure compliance
- Audit and review your data protection position
Slide 5
The Basics
The DPA is concerned with Personal Data held by Data Controllers.
Personal: identifiable, living individuals
Slide 6
The Basics
Data?
- Information held on a computer
- Information in a relevant manual filing system
- Information intended to join one of the above
Slide 7
Data Controller
A person who determines the purpose for which, and the manner in which, personal data is, or is to be, processed.
Slide 8
What is Processing?
- Obtaining information
- Storing information
- Changing or copying
- Disclosing or passing on
- Destroying or erasing
Slide 9
Do I have to Notify?
Most organisations that process personal data must register (notify) with the ICO.
Failure to notify is a criminal offence and a fine can be imposed.
Personal data cannot be processed until registration has taken place.
Slide 10
Do I have to Notify?
Cost: £35 per year (if you have more than 249 employees and a turnover in excess of £25.9 million, the fee for notification is £500, unless you are a charity).
Slide 11
Do I have to Notify?
Not-for-profit organisations have the benefit of an opt-out where their functions are limited to:
- establishing or maintaining membership;
- supporting a not-for-profit body or association; or
- providing or administering activities for either the members or those who have regular contact with it.
Slide 12
Data Protection Principles
How to comply?
Slide 13
The Principles
1. Process fairly and lawfully
2. Obtain and process for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
Slide 14
5. Not kept longer than is necessary
6. Processed in accordance with the rights of the individual
7. Appropriate security measures against unauthorised or unlawful use of data and against loss, destruction or damage
8. Transfer outside the EEA only where adequate protection is in place
Slide 15
1. Process Fairly and Lawfully
- You must collect data fairly and have legitimate grounds for collecting and using the data
- You must be transparent about how you intend to use the data
- You must not do anything unlawful with the data
Slide 16
1. Process Fairly and Lawfully
What can I do with personal data?
- The Act sets out conditions for processing, one of which must be complied with for processing to take place
- The key condition is CONSENT
- The safest route to compliance is to ensure the individual knows what will be done with their data at the point of collection
Slide 17
1. Process Fairly and Lawfully
Privacy Notices: see the Privacy Notices Code of Practice (www.ico.gov.uk)
- Sharing data with another organisation (Scenario 1)
- Using data for a new purpose (Scenario 2)
- The legitimate interest exemption (Scenario 3)
- Lawful processing (Scenario 4)
- Other exemptions available
Slide 18
2. Obtain and process for specified purposes only
The personal data shall be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Slide 19
2. Obtain and process for specified purposes only
1. Identify the purpose in your Privacy Notice (unless the purpose is obvious)
2. Register the purpose when notifying the Information Commissioner (unless you are exempt)
Slide 20
2. Obtain and process for specified purposes only
Can the data be used for purposes other than those specified?
When is one purpose compatible with the other?
Slide 21
3. Adequate, relevant and not excessive
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Slide 22
3. Adequate, relevant and not excessive
Only hold data which is sufficient for your purpose and no more (or less).
Slide 23
4. Accurate and up to date
To an extent the purpose of this principle is obvious.
- Take reasonable steps to ensure accuracy
- Ensure the source of personal data is clear
- Consider challenges to the accuracy of the information and their impact
- Should you update?
Slide 24
5. Not kept longer than is necessary
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Slide 25
5. Not kept longer than is necessary
1. Adopt a policy to set out how long you will keep information and why
2. Regularly review the data
3. Ensure it is securely deleted or archived when it is no longer needed
Slide 26
6. The rights of individuals
Slide 27
- Rights of access to the data held
- Rights to object to processing likely to cause, or causing, harm
- A right to prevent direct marketing
- A right to object to decisions taken by automated means
- A right to have inaccurate data corrected or erased
- A RIGHT TO COMPENSATION for damage caused by a breach of the Act
Slide 28
7. Security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Slide 29
7. Security
Things to think about:
- Who should have access to data?
- Physical security
- Computer security
- Security Breach Management Plan
Slide 30
7. Security Breach
Security Breach Management Plan:
- Containment and recovery
- Assessing risks
- Notification of breaches
- Evaluation and response
Slide 31
8. Transfer outside the EEA
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Slide 32
Direct Marketing
Assuming the correct notices / consents have been given or can be safely assumed, direct marketing is usually permitted.
Slide 33
Direct Marketing
- Only covered if directed at individuals
- Covers communications by whatever means
- Includes marketing, advertising, campaigning, fundraising etc.
Slide 34
Direct Marketing
Opt-outs and stop notices: 28 days
- Delete or suppress?
- Can I ask them to opt back in?
Slide 35
Electronic Marketing
What are the rules governing unsolicited:
1. Phone calls
2. Fax marketing
3. E-mails, texts and voicemails
Privacy and Electronic Communications Regulations
Slide 36
Electronic Marketing
Websites: What are the data issues? Cookies?