300 likes | 726 Views
Data Protection Overview. Data Protection & Information Security Officer. Outline. Reasons for/History of Data Protection Definitions Data Protection Principles Rights of Data Subjects Data Subject Access Request. Data Protection? Why?.
E N D
Data Protection Overview Data Protection & Information Security Officer
Outline • Reasons for/History of Data Protection • Definitions • Data Protection Principles • Rights of Data Subjects • Data Subject Access Request
Data Protection? Why? • Ensure data relating to individuals are managed properly. • Assure individuals that their data are managed properly.
Data Protection History Data Protection Act 1984 • only applied to data processed “by equipment operating automatically” Data Protection Act 1998 • applies to data processed both by computer and manually.
The Information Commissioner Initially the Data Protection Registrar Subsequently the Data Protection Commissioner Now the Information Commissioner • Registration Role • Enforcement Role
The Council • Data Controller - determines the purposes for which and the manner in which any personal data are, or are to be, processed. • Data Processor - processes data on behalf of other data controllers.
Data Subject • An individual who is the subject of Personal Data. • Only natural persons, not companies. • Must be a living individual.
Personal Data Data which relate to a living individual who can be identified: • from those data; OR • from those data and other information which is in the possession of, or is likely to come into the possession of, the Council • AND includes any expression of opinion about the individual and any indication of the intentions of the Council or any other person in respect of the individual.
Personal Data Information which • is being processed by means of equipment operating automatically in response to instructions given for that purpose OR • is recorded with the intention that it should be processed automatically OR
Personal Data Information which • is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system OR • does not fall within the above but forms part of an accessible record (Health, Education or “accessible public records”)
Personal Data “Inpractice, virtually any reference to an identifiable living individual may constitute personal data”.
8 categories of Sensitive Personal Data • The racial or ethnic origin of the data subject; • His political opinions; • His religious beliefs or other beliefs of a similar nature; • Whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992); • His physical or mental health or condition;
8 categories of Sensitive Personal Data • His sexual life; • The commission or alleged commission by him of any offence; or • Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Eight Data Protection Principles • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: • at least one of the conditions in Schedule 2 of the DPA is met, and • in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met.
Eight Data Protection Principles • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Eight Data Protection Principles • Personal data shall be accurate and, where necessary, kept up to date. • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • Personal data shall be processed in accordance with the rights of data subjects under the DPA.
Eight Data Protection Principles • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Eight Data Protection Principles • Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Rights of Data Subjects • To be informed whether any personal data are being processed by the Council and, if so, what they are, the purposes and to whom data may be disclosed; • To be informed of any potential decision based solely on automatic processing; • To be provided with the data (in an intelligible form) and details of where they were sourced from.
Data Subject Access Request Any request by a data subject for access to information must: • be in writing; • be accompanied, where applicable, by the required fee.
Data Subject Access Request Must be responded to within 40 days - BUT • No right to see third party data. • Exemptions from requirement to provide information.
Third Party Data • File on data subject could contain information on others. • Potential conflict between data subject’s right of access and third party’s right to privacy.
Third Party Data • Can third party information be removed? • Will third party consent to disclosure? • If no consent is it still reasonable to disclose? • Is there a duty of confidentiality to the third party? • Some statutory exemptions.
Exemptions from Disclosure • Prevention/detection of crime. • Apprehension/prosecution of offenders. • Assessment/collection of tax/duty. • Processing for the discharge of statutory functions. • Assessment of risk in relation to the tax/duty & crime exemptions above.
Exemptions from Disclosure • Data relating to Health, Education & Social Work where the Secretary of State has made orders. • Discharge of regulatory functions. • References given (but not those received). • Management forecasting/planning.
Exemptions from Disclosure • Records of the Council’s intentions in relation to negotiations with the data subject. • Information recorded by exam candidates. • Legal professional privilege.
Further Data Subject Rights • To have inaccurate data corrected or deleted; • To prevent processing likely to cause damage or distress; • To prevent processing for purposes of direct marketing; • To prevent automated decision taking.
Remedies & Compensation • Data subject may be able to claim compensation for damage or distress. • Data subject may apply to court for an order for rectification, blocking, erasure or destruction. • Data subject may apply to Information Commissioner for an enforcement notice.
Summary • Obtain data properly in the first place. • Ensure data subjects know what & why. • Record and process data properly. • Keep data only as long as necessary - and dispose of properly. • Ensure data are accessible to respond to access requests promptly.
Further Information Information Commissioner’s web site http://www.dataprotection.gov.uk or http://www.informationcommissioner.gov.uk The Council’s Data Protection & Information Security Manual