TRANSCRIPT
SHiP Conference
Data Protection Mini-Briefing
Nick Billingham, Head of Housing Management
Devonshires
Data Protection – An overview and topical issues in the supported housing context
Reform of the European Data Protection Regime – the General Data Protection Regulation
• Key Definitions
– Data
– Personal Data
– Sensitive Personal Data
– Data Subject
– Data Controller
– Processing
DPA 1998 – An Overview
• There are Eight DPPs:
1. Processing to be fair and lawful
2. Only for specified and lawful purposes
3. Not excessive
4. Accurate and Up to date
5. Kept for no longer than necessary
6. Processed in accordance with rights of Data Subject
7. Technical and Organisational Measures
8. Data not to be transferred outside EEA
DPA 1998 – the DP Principles
• First DPP – Processing shall be fair and lawful and shall not be processed unless:
– At least one Schedule 2 condition is met
– Where sensitive personal data, at least one Schedule 3 condition is met
• Data subject consent is a Sch 2 and 3 condition.
• Other conditions, e.g. legal obligation, administration of justice.
The Non-Disclosure Principle
• Schedule 2, para 6:
– The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of the prejudice to the rights and freedoms or legitimate interests of the data subject.
Legitimate Interest
The DPA at work: Issues in the Supported Housing Context
Is it personal information?
• Can we disclose it/can the tenant demand it?
• First question is whether it is personal information
• Information about a living identifiable individual
• But individual must be the focus of the information
• Information must affect or say something about the individual’s private life - personal, family, business or professional
• Mere passing reference to individual in documents or correspondence NOT sufficient - Durant –v- FSA [2003]
Disclosure to third parties (Sch 2 DPA 1998)
• Six exceptions permitting processing/disclosure
• Consent = first and most obvious (para 1, Sch 2)
• Use of consent forms when signing up tenants
• Tenancy terms relating to DPA consent
• BUT majority of processing/disclosure already covered by para 6, Schedule 2 “necessary for the legitimate interests of the business…”
• Belt & braces
Other commonly-used exceptions to non-disclosure
• S29 – crime and taxation: prevention or detection of crime/apprehension or prosecution of offenders
• Also covers other investigations eg HB investigations
• S31 – regulatory activity eg TSA inspections/inquiries
• S35 – disclosures required by law or made in connection with legal proceedings
• Para 3, Sch 2: compliance with legal obligation eg names and addresses of tenants requested by Electoral Officer
Dealing with sensitive personal information
• S2 – racial/ethnic origins; political opinions; religious beliefs; membership of Trade Union; physical or mental health or condition; sexual life; conviction or prosecution for alleged offence
• Main one for social landlords will be health
• Cannot use legitimate interests of business exception to disclose
• Consent = most likely/safest course
• Must be explicit consent
• Other possible exception: protecting vital interests of subject or another person and consent cannot be given or the data controller cannot reasonably be expected to obtain consent
Information sharing agreements
• In most cases unnecessary because disclosure is in your legitimate interests, but
• Control – “mandating” how information to be processed and disposed of and controlling any onward use
• Imposing security requirements
• Evidential and presentational value in cases of breach
• ICO likes them
• But… keep them simple
Data subject access requests from tenants
• S7 DPA – 40 days and £10 fee for copies
• Remember could be computer data or docs from ‘relevant filing system’ – DPA covers both
• Tenancy files NOT relevant filing system – must be structured system (more akin to card index system)
• Maintenance files NOT personal information
• Should refuse request for manual records but offer own policy on disclosure – should provide for tenant to review own tenancy file and request copies
Use of CCTV
• Personal information includes images
• Directed covert surveillance by HAs generally not permitted
– must be with police backing
• Signage – clearly visible; who undertaking it; and for what purpose
• Ensure no intrusion into private areas (Human Rights issues) – consult with neighbours if risk of overlooking
• Security of recordings; not retaining longer than necessary
• ICO CCTV guidance
Violent Persons Markers
• Violent Persons Registers
• Fair Processing Obligations:
– Information must be accurate. Is it the right tenant?
– Is circulation of register proportionate? Clift v Slough BC [2009] EWHC 1550.
Reform of the European Data Protection Regime – the General Data Protection Regulation
Background to new Regulation
• Last Directive 1995 (led to DPA 1998) outdated
• Advances in technology
• Need for harmonised DP laws across 27 states of Europe
• Announced 25 January 2012
• Go to: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
When coming in?
• Currently being negotiated in EU - due to conclude before end 2015 but could be earlier
• Regulation will be immediately binding once ratified (no need for legislation unlike last DP Directives)
• Understanding what is on the horizon and implications for organisations especially since proposals unlikely to change significantly
• Because Regulation => law will be much more prescriptive than before
Key points
• DP Principles and definitions of data subject, personal data etc broadly the same
• Notification to ICO no longer required
• Need for Data Protection Officers
• Changes to definition of consent
• Legitimate Interest
• Data subject rights enhanced
• More robust requirements of data security
• New penalties
Notification
• Current requirement to notify ICO of DP activities
• New law – no longer required, but…
• Organisations with more than 250 employees must have document describing their processing activities
• Document must be available for inspection by DP authority (ie ICO)
Data Protection Officers
• DPO required where processing undertaken by:
- public body
- business of more than 250 people
- business whose core activity involves regular and systematic monitoring of subjects
• DPO must be independent
• DPO tasks include monitoring policies and procedures, audits, training and maintenance of risk and compliance register
Consent
• Consent should be given explicitly by any appropriate method enabling a freely given, specific and informed indication of the data subject’s wishes either by…statement or…clear affirmative action…”
• Burden of proof on controller – no implied consent
• Consent will not suffice where “significant imbalance between position of data subject and the controller”
• Right to withdraw consent at any time
Consent (cont)
• Parental consent required if child under 13
• 13-18, child can consent but the fair processing language must be appropriate
• Age verification must be reasonably made
Legitimate interest
• Heavily relied on currently
• Narrowed so as not to cover legitimate interests of third parties
• Must take particular care where child involved
• Express prohibition on public authorities relying on this condition (public authority not defined…)
• Data subject right to object
Data Subject Rights
• “Right to be forgotten” – ie have personal data erased, particularly if obtained when a child
• The Google case
• Data portability – gives individuals right to obtain copy of their data in an electronic and structured format
• Profiling – right to object to automatic profiling
Data security
• Enhanced requirements
• Mandatory breach notification procedure for all but smallest organisations
• Data subjects must also be notified within 24 hours of breach (“where feasible”)
New Penalties
• New three tier system of administrative sanctions covering wide range of infringements
• Highest sanction = either 1M euros or 2% of organisation’s world-wide turnover
Steps to take
• Be prepared
• Getting an understanding of the changes
• Who will be your DPO?
• Training for DPO
• Check internal policies and procedures to ensure can be readily updated
Any Questions?