Data Protection
Corporate training 2012
Data Protection Act 1998
• Replaces DPA 1994
• EC directive 94/46/EC
• The Information Commissioner
• The courts
Data Protection Act 1998
• Regulates the processing of data
• Gives rights to individuals
How does it affect me?
• Fylde BC as a “data controller” has responsibilities for data under its control
• All employees handling data have responsibility
Concepts we will cover
• Data
• Personal Data
• Sensitive Personal Data
• The eight data protection principles
• Subject access rights
Data
• Any recorded information held by a public authority
• Narrower definition outside the public sector
Personal data
• Living individual
• Identified from data - or from other information
• Opinions
• Intentions
Sensitive personal data
• Race or ethnicity
• Political opinions
• Religion
• Union membership
• Health
• Sexual life
• Offences
Processing
• Obtaining
• Recording
• Holding
• Organising
• Adapting
• Altering
• Retrieving
• Consulting
• Using
• Disclosing
• Transmitting
• Disseminating
• Making available
• Aligning
• Combining
• Blocking
• Erasing
• Destroying
The data protection principles
• Personal data shall be:
– processed fairly and lawfully
– used only for specified and lawful purposes
– adequate, relevant and not excessive
– accurate
– not be kept for longer than necessary
– processed in line with rights of data subjects
– protected against tampering and loss
– not transferred to certain countries
The first principle: Fair processing
“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless [at least one of certain] conditions are met…”
The first principle: Fair processing
“Personal data shall be processed fairly AND
lawfully AND
in particular, shall not be processed unless [at least one of certain] conditions are met…”
The first principle: Fair processing
• “Fairly”
– Consequences to subject
– Fair processing information
• “Lawfully”
– Powers
– Legitimate expectation
– Human rights
The first principle: The conditions for fair processing
• Consent of subject
The first principle: Fair processing
• Consent
– Active communication
– Freely given
– Not by default
– Appropriate to the circumstances
The first principle: The conditions for fair processing
• Consent of subject
• Contracts
• Legal obligations
• Public interest conditions
• Legitimate interests: Balance
• Necessity test
Sensitive personal data: Extra conditions
• “Explicit” consent
• Employer’s obligations
• Vital interests
• Political or religious bodies
• Public domain
• Legal proceedings
• Administration of justice
• Health purposes…
Sensitive personal data: Extra restrictions
• Equalities
• Detection or prevention of crime
• Public protection
• Counselling services
• Insurance
• Police
The second principle: Specified purposes
“Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”
The second principle: Specified purposes
Purposes can be satisfied by:
• Notice to data subject
• Registration with the Information Commissioner
Whose responsibility?
The third principle: Proportionality
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”
The third principle: Proportionality
• Minimum of data for the purpose
• Cannot hold information “just in case”
• Should not be held longer than needed
The fourth principle: Accuracy
“Personal data shall be accurate and, where necessary, kept up to date”
The fourth principle: Accuracy
• Reasonable steps
• Right of data subject to mark inaccuracies
• Data must be updated “where necessary”
The fifth principle: Deleting old data
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”
The fifth principle: Deleting old data
• Need for system of review
• Depends on purpose data was held
• Exception for historical, statistical or research purposes
The sixth principle: Subjects’ rights
“Personal data shall be processed in accordance with the rights of data subjects under this Act”
The sixth principle: Subjects’ rights
• Subject access requests
• Processing likely to cause damage or distress
– notice procedure
• Processing for direct marketing
• Automatic decision-taking
Subject access request
• Made by data subject in writing (including e-mail)
• Fee of £10
• Data controller must:
– say if he holds personal data about that person
– provide a copy of that data
– say why they are being processed and
– to whom they may be disclosed
Subject access request
• Promptly, or within 40 days
• Exceptions:
– Disproportionate effort
– Effect on health
– Third party information
– Unstructured personal data UNLESS
• The data is identified; and
• Within cost limit
Third party information
“Information relating to an individual other than the data subject who can be identified by that information”
• Where the third party has consented
• Reasonable in all the circumstances
– duty of confidentiality
– whether consent sought
– Anonymising
The seventh principle: Tampering and loss
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
The seventh principle: Tampering and loss
• Risk management
• Security policy
• Access to PCs
• Passwords
• Authentication of callers
• Backups
• Virus protection
• Training
The eighth principle: Data Transfer
“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data”
Further information
• Your line manager
• Tracy Morrison or Ian Curtis
• www.ico.gov.uk