1 / 27

Data Protection webinar: Data Protection & Volunteers

19 th June 2014. Data Protection webinar: Data Protection & Volunteers . Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice! .

edmund
Download Presentation

Data Protection webinar: Data Protection & Volunteers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 19th June 2014 Data Protection webinar:Data Protection & Volunteers Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

  2. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation.It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

  3. The main topics for this webinar: The roles volunteers play Quick overview of Data Protection The legal background Data Protection & Confidentiality Responsibilities The Data Protection Principles in practice 4

  4. The roles volunteers play Volunteers work in a range of settings, including: Running the whole organisation Working in the office alongside paid staff Delivering part or all of the organisation’s service Running local branches Acting as trustees on the Board or Management Committee

  5. What Data Protection is about: 1 Prevent harm to the individuals whose data we hold, or other people Keep information in the right hands Hold good quality data Protecting data Protecting people   6

  6. What Data Protection is about: 2 Reassure people that we use their information responsibly, so that they trust us Be transparent – open and honest, don’t hide things or go behind people’s back Offer people a reasonable choice over how you use their data, and what for Give us more money! Support our campaign! We sold your details to someone else 7

  7. Comply with specific legal requirements, such as: What Data Protection is about: 3  • Right to opt out of direct marketing • Right of Subject Access • (And others) 8

  8. The Data Protection Principles Data ‘processing’ must be ‘fair’ and legal You must limit your use of data to the purpose(s) you obtained it for Data must be adequate, relevant & not excessive Data must be accurate & up to date Data must not be held longer than necessary Data Subjects’ rights must be respected You must have appropriate security Special rules apply to transfers abroad 9

  9. The legal background: 1 An organisation is “vicariously liable” for most actions of an employee The situation with volunteers is not so clear cut, but measures can be put in place to emphasise their responsibilities in regard to Data Protection and Confidentiality without creating a contract of employment

  10. The legal background: 2 • Most information about people is “personal data” as soon as it is recorded somewhere • If the organisation fails to comply with the Data Protection Principles, it may face: • A penalty from the Information Commissioner • A claim for compensation from affected individuals • Reputational damage • The Principles on their own are not enough: policies and procedures must ensure compliance

  11. Data Protection and Confidentiality overlap a lot, but they are not the same Data Protection Confidentiality Clear boundaries 12

  12. Confidentiality Define the boundaries: who has access to what information for what purposes Employees have an implied duty of confidentiality Volunteers are subject to the common law duty of confidentiality (as long as they know what information is confidential) A signed confidentiality pledge should underpin all volunteers’ responsibilities

  13. Ways of breaking confidentiality Discussing confidential information with partner Talking about confidential information in public Working on confidential material in public Giving out information carelessly over the phone Sharing or disclosing computer access details Losing confidential documents/leaving them around Sharing information about people who have not given permission Disposing of information carelessly

  14. Responsibilities: Internal The organisation is responsible for Data Protection compliance Where volunteers work alongside paid staff they should be following exactly the same procedures Volunteers should also be subject to the same checks, supervision and monitoring as paid staff would be if they were in the same role(s)

  15. Responsibilities: Branches • Branches are part of the parent organisation or they are autonomous; there is no half-way house • In a unified structure, full responsibility lies with the parent organisation: • The volunteers running the branch must be given clear procedures and instructions, and held to account • In a federal structure, full responsibility lies with each branch: • The volunteers running the branch must know this; they may be given guidance

  16. Security (Principle 7) The Data Protection Act says you must prevent: unauthorised access to personal data accidental loss or damage of personal data The security measures must be appropriate. They must also be technical and organisational. £500,000 The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security. 17

  17. Key security areas • Security in the office • IT security (data at rest) • IT security (data in transit) • Website security • Non-electronic data in transit • Personnel

  18. Data quality (Principles 3 & 4) The Data Protection Act says that data must be: Adequate Relevant Not excessive Accurate Up to date (where necessary)

  19. Guidance volunteers might need • Use centrally-produced materials where possible • What information to collect, and in what format • How to design data collection forms • How to ensure that the information they record is as neutral and accurate as possible • How to keep information up to date – including how and when to offer people the chance to check that the information held about them is correct

  20. ‘Fair’ processing (Principles 1 & 2): Transparency & Choice People generally need to know: who is collecting their information what purposes you hold their data for who you might pass the data on to how to contact you if they want to stop you from using their data or check what you are doing They also must be given a reasonable choice over how their information is used, especially regarding Direct marketing 21

  21. Guidance volunteers might need Use centrally-produced materials wherever possible Use standard wording provided by the organisation Record people’s preferences carefully, and respect their preferences Use the Information Commissioner’s Privacy Notices Code of Practice if designing own materials

  22. Retention periods (Principle 5) • Data must not be held longer than ‘necessary’ • Volunteers who hold data do so on behalf of the organisation • They must follow the organisation’s retention schedule • When their role ends they must not retain any confidential information • Return it for archiving if required • Otherwise destroy it securely

  23. Data Subject Rights (Principle 6) Volunteers must be aware of any restrictions on marketing, resulting from choices the Data Subject has made Most volunteers (or other staff) should not normally handle Subject Access Requests; these should be referred to the organisation’s Data Protection Officer

  24. Transfers abroad (Principle 8) • Most UK voluntary organisations do not transfer information outside Europe. However, transfer may take place if: • cloud computing (online applications such as Dropbox or SurveyMonkey) is used and the location of the data storage is outside Europe • information is published on a website that is designed to be accessible throughout the world • Volunteers should be given guidance on the risks

  25. The Data Protection Principles Data ‘processing’ must be ‘fair’ and legal You must limit your use of data to the purpose(s) you obtained it for Data must be adequate, relevant & not excessive Data must be accurate & up to date Data must not be held longer than necessary Data Subjects’ rights must be respected You must have appropriate security Special rules apply to transfers abroad  ()   () ()  () 26

  26. Data Protection:the absolute basics We are trying to: Prevent harm by Keeping data only in the right hands (and being clear what ‘the right hands’ are) Holding good quality data (accurate, up to date and adequate) Reassure people so that they trust us Making sure people know enough about what we are doing Giving people a choice where possible 27

  27. Many thanks Follow-up questions: paul@paulticher.com To come by e-mail: • Link to evaluation questionnaire • Link to download the presentation, after you have completed the questionnaire

More Related