SHiP Conference Data Protection Mini-Briefing Nick Billingham Head of Housing Management...

Post on 03-Jan-2016


SHiP Conference

Data Protection Mini-Briefing

Nick Billingham, Head of Housing Management

Devonshires

Data Protection – An overview and topical issues in the supported housing context

Reform of the European Data Protection Regime – the General Data Protection Regulation

• Key Definitions
– Data
– Personal Data
– Sensitive Personal Data
– Data Subject
– Data Controller
– Processing

DPA 1998 – An Overview

• There are Eight DPPs:

1. Processing to be fair and lawful

2. Only for specified and lawful purposes

3. Not excessive

4. Accurate and Up to date

5. Kept for no longer than necessary

6. Processed in accordance with rights of Data Subject

7. Technical and Organisational Measures

8. Data not to be transferred outside EEA

DPA 1998 – the DP Principles

• First DPP – Personal data shall be processed fairly and lawfully and shall not be processed unless:
– At least one Schedule 2 condition is met
– Where sensitive personal data, at least one Schedule 3 condition is met
• Data subject consent is a Sch 2 and Sch 3 condition.
• Other conditions, e.g. legal obligation, administration of justice.

The Non-Disclosure Principle

• Schedule 2, para 6:
– The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of the prejudice to the rights and freedoms or legitimate interests of the data subject.

Legitimate Interest

The DPA at work: Issues in the Supported Housing Context

Is it personal information?

• Can we disclose it / can the tenant demand it?
• First question is whether it is personal information
• Information about a living identifiable individual
• But the individual must be the focus of the information
• Information must affect or say something about the individual’s private life – personal, family, business or professional
• Mere passing reference to an individual in documents or correspondence is NOT sufficient – Durant v FSA [2003]

Disclosure to third parties (Sch 2 DPA 1998)

• Six exceptions permitting processing/disclosure
• Consent = first and most obvious (para 1, Sch 2)
• Use of consent forms when signing up tenants
• Tenancy terms relating to DPA consent
• BUT the majority of processing/disclosure is already covered by para 6, Schedule 2: “necessary for the legitimate interests of the business…”
• Belt & braces

Other commonly-used exceptions to non-disclosure

• S29 – crime and taxation: prevention or detection of crime / apprehension or prosecution of offenders
• Also covers other investigations, e.g. HB investigations
• S31 – regulatory activity, e.g. TSA inspections/inquiries
• S35 – disclosures required by law or made in connection with legal proceedings
• Para 3, Sch 2: compliance with a legal obligation, e.g. names and addresses of tenants requested by the Electoral Officer

Dealing with sensitive personal information

• S2 – racial/ethnic origins; political opinions; religious beliefs; membership of a Trade Union; physical or mental health or condition; sexual life; conviction or prosecution for an alleged offence
• Main one for social landlords will be health
• Cannot use the legitimate interests of the business exception to disclose
• Consent = most likely/safest course
• Must be explicit consent
• Other possible exception: protecting the vital interests of the subject or another person, where consent cannot be given or the data controller cannot reasonably be expected to obtain consent

Information sharing agreements

• In most cases unnecessary because disclosure is in your legitimate interests, but:
• Control – “mandating” how information is to be processed and disposed of, and controlling any onward use
• Imposing security requirements
• Evidential and presentational value in cases of breach
• ICO likes them
• But… keep them simple

Data subject access requests from tenants

• S7 DPA – 40 days and £10 fee for copies
• Remember it could be computer data or documents from a ‘relevant filing system’ – DPA covers both
• Tenancy files are NOT a relevant filing system – must be a structured system (more akin to a card index system)
• Maintenance files are NOT personal information
• Should refuse the request for manual records but offer your own policy on disclosure – should provide for the tenant to review their own tenancy file and request copies

Use of CCTV

• Personal information includes images

• Directed covert surveillance by HAs generally not permitted
– must be with police backing

• Signage – clearly visible; who undertaking it; and for what purpose

• Ensure no intrusion into private areas (Human Rights issues) – consult with neighbours if risk of overlooking

• Security of recordings; not retaining longer than necessary

• ICO CCTV guidance

Violent Persons Markers

• Violent Persons Registers

• Fair Processing Obligations:

– Information must be accurate. Is it the right tenant?

– Is circulation of the register proportionate? Clift v Slough BC [2009] EWHC 1550.

Reform of the European Data Protection Regime – the General Data Protection Regulation

Background to new Regulation

• Last Directive 1995 (led to DPA 1998) outdated
• Advances in technology
• Need for harmonised DP laws across 27 states of Europe
• Announced 25 January 2012
• Go to: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

When coming in?

• Currently being negotiated in the EU – due to conclude before end 2015 but could be earlier

• Regulation will be immediately binding once ratified (no need for legislation unlike last DP Directives)

• Understanding what is on the horizon and implications for organisations especially since proposals unlikely to change significantly

• Because it is a Regulation, the law will be much more prescriptive than before

Key points

• DP Principles and definitions of data subject, personal data etc broadly the same

• Notification to ICO no longer required
• Need for Data Protection Officers
• Changes to definition of consent
• Legitimate Interest
• Data subject rights enhanced
• More robust requirements for data security
• New penalties

Notification

• Current requirement to notify ICO of DP activities
• New law – no longer required, but…
• Organisations with more than 250 employees must have a document describing their processing activities
• Document must be available for inspection by the DP authority (i.e. ICO)

Data Protection Officers

• DPO required where processing is undertaken by:
– a public body
– a business of more than 250 people
– a business whose core activity involves regular and systematic monitoring of subjects
• DPO must be independent
• DPO tasks include monitoring policies and procedures, audits, training and maintenance of a risk and compliance register

Consent

• “Consent should be given explicitly by any appropriate method enabling a freely given, specific and informed indication of the data subject’s wishes either by…statement or…clear affirmative action…”
• Burden of proof on controller – no implied consent
• Consent will not suffice where there is a “significant imbalance between the position of the data subject and the controller”
• Right to withdraw consent at any time

Consent (cont)

• Parental consent required if child under 13
• 13–18: child can consent but the fair processing language must be appropriate
• Age verification must be reasonably made

Legitimate interest

• Heavily relied on currently
• Narrowed so as not to cover legitimate interests of third parties
• Must take particular care where a child is involved
• Express prohibition on public authorities relying on this condition (public authority not defined…)
• Data subject right to object

Data Subject Rights

• “Right to be forgotten” – i.e. have personal data erased, particularly if obtained when a child
• The Google case
• Data portability – gives individuals the right to obtain a copy of their data in an electronic and structured format
• Profiling – right to object to automatic profiling

Data security

• Enhanced requirements
• Mandatory breach notification procedure for all but the smallest organisations
• Data subjects must also be notified within 24 hours of a breach (“where feasible”)

New Penalties

• New three-tier system of administrative sanctions covering a wide range of infringements

• Highest sanction = either 1M euros or 2% of the organisation’s world-wide turnover

Steps to take

• Be prepared
• Get an understanding of the changes
• Who will be your DPO?
• Training for the DPO
• Check internal policies and procedures to ensure they can be readily updated

Any Questions?

nick.billingham@devonshires.co.uk