Using Information Sources
Sharing and Data Protection Issues
Suki Harrar
People and Information Governance Partner
Data Protection in the Workplace
Make it simple by knowing
What and why you are collecting customers' data
How to obtain the right consent
How to share lawfully
How not to get caught out
"I know the tenant information file is here somewhere!!"
Source of information and help:
Regulator
Christopher Graham:
Information Commissioner
Regulator of the DPA & FOIA:
Information Commissioner's Office
Aim – Data Protection Act
Privacy rights for living individuals (Data Subjects)
Controls the processing of individuals' personal information
(that is, your information)
8 Guiding Principles
Obligations on Housing Associations who collect and process your
personal data
Defines obligations for Housing Associations as Data Controllers
Data controller's responsibilities
Decides the purpose and manner in which your personal data will be
processed, and has to comply with all the provisions of the Act
Ensure the right data is collected, used, shared, secured and destroyed in
line with the Act
Notify the ICO what they are collecting, why, and who they will share this
data with
Ensure they comply with your rights as a Data Subject
Comply with the 8 Data Protection Principles
Ensure third parties they engage to deliver services are compliant
with the Act and the Housing Association's DP policies
Collect the right data and obtain the right consent
Personal Data (Schedule 2)
Data which relates to a living individual who can be identified from that data.
This includes any expression of opinion about a living individual:
• Name
• Address
• Bank account details
• E-mail address
• Telephone number
• CCTV footage
• Image
• Gender
"Mrs Window has detailed on her tenant profile form that she has complained about
her leaking tap for the 10th time. Can you arrange for a plumber to go out again?"
Personal Data - you need to obtain informed consent (Show and Tell)
When did you last go online, buy something and read the
privacy statement?
We buy, and may inadvertently have accepted that the supplier can use our information for marketing
We can obtain informed consent in different ways:
• Tenant profile or census form
• Survey form
• In a proposed or agreed contract
• Tenancy agreement, lease agreement or employment contract
• Statement on a website, on the back of receipts, or in a letter/email
• ASB witness statement or interview/report form
Sensitive Personal Data - you need explicit consent on top of informed consent (Show, Tell and Record)
• Ethnicity
• Religious or Other Beliefs
• Political Opinions
• Membership of a Trade Union
• Sexual Life
• Offences Committed or Alleged to have been Committed by that Individual
• Medical History
It can be obtained in different ways, but you need to ensure that the consent you obtain is "unambiguous", freely given and fully understood
• A signature, or a verbal agreement which is recorded and confirmed
Personal and Sensitive Personal Data: how to obtain the right consent and help the person understand the WHY…
Customer census or profile forms should have a separate tear-off sheet with
this information on it
You should tell people that they do not have to supply the information, but how it
will help them if they do
You should have a recorded consent from each individual – you cannot supply
the information for other people in your household, and it cannot be used if
consent is not recorded
You should have an information leaflet explaining why you want the information
and how you will use, share, retain, secure and destroy it
Have you got a customer profile procedure or leaflet?
We can use and share your personal and sensitive personal data without consent
Some examples:
• To comply with legal obligations
• To protect the vital interests of an individual
• For the administration of justice, or to exercise functions of a public nature in the public interest
• Legitimate interests, where the processing does not unwarrantedly prejudice the individual's rights
• The individual has made the information public
• For prospective or current legal proceedings and/or legal advice
• Exercising contractual obligations
8 Principles – Sharing has to be Fair and Lawful
Data sharing: as long as you are C.O.T (Clear, Open and Transparent) you can use and share without consent:
For the prevention or detection of crime and fraud
For the apprehension or prosecution of offenders
For the assessment or collection of tax or duty owed to Customs & Excise
In connection with legal proceedings
In relation to the physical or mental health of an individual, where disclosure is required to protect their or others' vital interests
For research and statistical purposes (anonymised)
To carry out contractual obligations
For the administration of justice, or to exercise functions of a public nature in the public interest
For legitimate interests, except where this unwarrantedly prejudices the individual's rights
To comply with the law
Data sharing has to always be fair and lawful. Before you share:
Consider when consent should be sought, and whether it is reasonable to disclose personal data without consent
What duty of confidentiality do we owe the third party? Can the data be anonymised?
Have steps been taken to seek consent and to note any refusal and/or objection?
Have steps been taken to record the legal and/or regulatory grounds for disclosure?
It is fine to positively challenge the request and ask for it in writing
Do not put someone at risk by withholding information
Your First Principle
Process personal data fairly and lawfully
Clear, Open and Transparent (C.O.T)
Collect, use, share and secure data correctly
Confirm when you need consent:
Personal Data – informed consent
Sensitive Personal Data – explicit consent
Your Second Principle
Personal data must be used only for the stated purpose you
informed the individual about
Do not use their data for any incompatible purpose –
use the C.O.T approach
Think about what the recipient of the data will use it for
Do you need to review your notification and inform
individuals of the new form of processing?
Your Next Set of Principles in Practice
3 Relevant and adequate – a data sharing agreement does
not mean a 'catch all' approach. Look at the objective of
the sharing and what is needed for that purpose. Why receive
another RP's or agency's data? Only hold what is relevant and
adequate for your purposes
4 Accurate and up-to-date records – you are sending
troubled family data to a public body at their request, thus
enabling them to obtain funding. They will have limited
responsibility. You need to ensure accuracy in your and their
systems on a regular basis
5 Keep data only for as long as it is needed – ensure both
parties retain the data for the pre-agreed timescale. Put
provisions for use, further sharing and retention in
your sharing agreements. Attach a retention and destruction schedule
Your Sixth Principle – Individuals' rights
• Access their personal data within 40 days of a valid request
• Object to the use of data that causes damage or distress
• Seek correction, and destruction, of personal data
• Object to the use of data for direct marketing
• Know about automated decision making
• Seek compensation
Your Seventh Principle – keep data secure
Ensure appropriate technical and organisational measures are in place
Ensure you prevent unauthorised access and processing
Ensure you prevent unlawful obtaining of personal data
Train your staff, Board and Customer Panels
Your Eighth Principle – limits on overseas transfers
Personal data should not be transferred
outside the EEA unless there is
adequate protection for the rights of
individuals
Check if your online buying means your
data is being shared with third-party
subcontractors (read your privacy statement)
Check that your data is secure at all times
Check what consent is needed to send data
outside the UK
Enforcement and Sanctions
Regulator – ICO
• Information Notices and Assessment Requests
• Power to serve Undertakings or Enforcement Notices
• Revoke the right to process data
• Monetary Penalty (up to £500,000)
• Invoke section 61 directors' liability
• Invoke section 55 personal legal accountability and liability
• Power to enter local authority / government bodies – audits
• Criminal and civil action
• Support people in court
Enforcement and Sanctions
Courts
Review the handling of subject access requests
Order the payment of compensation
Try individuals prosecuted under section 55 (unlawful obtaining of personal data)
Data Controller
Could suffer loss of confidence from customers, stakeholders and employees
Could consider disciplinary action
Data Sharing Agreements (Protocol)
They need to formally define the sharing purposes, the agents, the privacy rights of the
individuals and the obligations of the agencies. Clauses:
• Purpose and members of the project
• What data is to be shared: PD, SPD or anonymised
• What is the purpose of sharing (section 29)
• What legitimate interests and legal obligations the agencies have in place to share
data with or without consent
• Proportionality test
• Further use of the data (restrict the recipient's own processing activities)
• Roles, responsibilities and accountabilities
• Security requirements of all parties
• Integrity of the shared data and each controller's obligations
• Freedom of Information or Environmental Information Regulations
• Inspection and data protection audit reviews
• Steps on loss or unauthorised release (breach management procedure)
• Actions at the end of the project
Sharing In Practice – Your Second Principle
Personal data obtained for the housing service
Sample 1: Name and date of birth of all occupants at a given
address
Shared with the Police to detect and prevent crime
Sharing is permissible. But you need to share it in the right way: confirm it is the
police, why they want it, and collect the relevant paperwork for sharing
Sample 2: Personal data obtained for housing services
• Name, address, telephone number and email
Used by the communications team to send out marketing calls, texts and
emails regarding a new payable garden service
X Not compatible. This is a new purpose.
Sharing In Practice – Your Second Principle
Personal data obtained for the housing benefit service and rent
payments
Recorded, and used to confirm to the housing benefit department
what the rent of the property is and what the person is claiming as housing
benefit (the person completed a Housing Benefit form and makes rent payments to the Housing Association).
Sharing is permissible. The landlord/council has a duty to ensure tax payments
are made and to report any overpayments of benefit etc., and section 29 (crime and
taxation) permits the sharing.
Recorded, and the association wants to share the rent arrears balance and the current legal action
to recover the debt, and to submit the person's name and address to be considered for a
discretionary housing payment from the council, which may cover all or part of their
debt.
X Not compatible. They never informed the tenant they would
share data for this reason. They can put a statement on the next
arrears letter, in the newsletter and on the website to make it fair.
Sharing In Practice – Your Second Principle
Sensitive personal data obtained for anonymised statistical
purposes
Sample 1: Sexuality and ethnicity
Recorded, and used for reports to show we are meeting the Equality Act
and not discriminating.
Sharing is permissible, as you do not identify the people to whom the data relates
and it is going to the company board for governance reasons.
Sample 2: Identified sexuality and ethnicity
Collected for the above reason; the person was told it would only be used for this purpose.
But the organisation enters people's sexuality and ethnicity onto the computer
system, where contractors can see it.
X This is not compatible and is unfair and unlawful, as the
person does not know you intended to do this and
did not consent.
A Housing Association has a tenant profile form and wants to
collect the ethnicity and sexuality of everyone who lives in the household.
However, only the main tenant has a place to sign and
give consent. The form says "we collect your data to deliver you a
service and we comply with the Act."
Q Have they obtained the right consent for the sensitive personal
data on the form?
Q Have they told the people where to look to find out how their
information will be used, shared, stored, secured and destroyed?
Let's Discuss
Data Protection is not a BLOCKER:
it is there to help. Apply it and work
together
Fair and lawful use
Accurate and, where necessary, kept
up to date
In accordance with individual rights
Relevant, adequate, not excessive
Not kept longer than necessary
Expected purposes only
Security measures
Safe transfers overseas
Paula makes data protection simple and fun
Thank you
01926 884 697