Data Protection
Paul Veysey & Bethan Walsh
Introduction
Data Protection is about protecting people by responsibly managing their data in ways they expect and understand
Penalties
Data Protection in the UK is supervised and enforced by the Information Commissioner, who can serve notices on organisations to ensure compliance and can bring prosecutions.
Criminal offences include:
• Failing to notify data processing to the ICO
• Unlawful obtaining and disclosure of personal information
Civil claims for compensation can be brought by individuals where organisations have breached the provisions of the DPA, causing them damage.
Pro-active Approach
Organisations should:
• Appoint a senior member to take responsibility for Data Protection – the Data Protection Officer
• Ensure policies and procedures are in place such that data protection is always a consideration
• Ensure staff and volunteers have training and guidance available to them to ensure compliance
• Audit and review your data protection position
The Basics
The DPA is concerned with ‘Personal Data’ held by ‘Data Controllers’
Personal
Identifiable, living individuals
Data?
Information held on a computer
Information in a relevant manual filing system
Information intended to join one of the above
Data Controller
‘A person who determines the purpose for which and the manner in which personal data is, or is to be, processed’
What is ‘Processing’?
• Storing information
• Obtaining information
• Changing or copying
• Disclosing or passing on
• Destroying or erasing
Do I have to Notify?
Most organisations that process personal data must register (notify) with the ICO. Failure to notify is a criminal offence and a fine can be imposed.
Personal data cannot be processed until registration has taken place.
Cost: £35 per year
(If you have more than 249 employees and a turnover in excess of £25.9 million – the fee is £500 for notification unless a charity)
Not-for-profit organisations have the benefit of an opt-out where their functions are limited to:
• establishing or maintaining membership;
• supporting a not-for-profit body or association; or
• providing or administering activities for either the members or those who have regular contact with it.
How to comply?
Data Protection Principles
The Principles
1. Process fairly and lawfully
2. Obtain and process for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than is necessary
6. Processed in accordance with the rights of the individual
7. Appropriate security measures against unauthorised or unlawful use of data and against loss, destruction or damage
8. Transfer outside the EEA only where adequate protection is in place
1. Process Fairly and Lawfully
• You must collect data fairly and have legitimate grounds for collecting and using the data
• You must be transparent about how you intend to use the data
• You must not do anything unlawful with the data
What can I do with personal data?
The Act sets out ‘conditions for processing’, one of which must be complied with for processing to take place.
The key condition is CONSENT.
The safest route to compliance is to ensure the individual knows what will be done with their data at the point of collection.
• Privacy Notices
• See Privacy Notices Code of Practice (www.ico.gov.uk)
• Sharing data with another organisation (Scenario 1)
• Using data for a new purpose (Scenario 2)
• The ‘legitimate interest’ exemption (Scenario 3)
• Lawful processing (Scenario 4)
• Other exemptions available
2. Obtain and process for specified purposes only
“The personal data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”
1. Identify the purpose in your Privacy Notice (unless the purpose is obvious)
2. Register the purpose when notifying the Information Commissioner (unless you are exempt).
• Can the data be used for purposes other than those specified?
• When is one purpose compatible with the other?
3. Adequate, relevant and not excessive
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”
Only hold data which is sufficient for your purpose and no more (or less)
4. Accurate and up to date
To an extent the purpose of the principle is obvious?
• Take reasonable steps to ensure accuracy
• Ensure the source of personal data is clear
• Consider challenges to the accuracy of the information and its impact
• Should you update?
5. Not kept longer than is necessary
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes”
1. Adopt a policy to set out how long you will keep information and why
2. Regularly review the data
3. Ensure it is securely deleted or archived when it is no longer needed
6. The rights of individuals
• Rights of access to the data held
• Rights to object to processing likely to cause or causing harm
• A right to prevent direct marketing
• A right to object to decisions by automated means
• A right to have inaccurate data corrected or erased
• A RIGHT TO COMPENSATION for damage caused by a breach of the Act
7. Security
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
Things to think about:
• Who should have access to data?
• Physical security
• Computer security
• Security Breach Management Plan
Security Breach Management Plan
• Containment and Recovery
• Assessing risks
• Notification of breaches
• Evaluation and response
8. Transfer outside the EEA
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
Direct Marketing
Assuming the correct notices / consents have been given or can be safely assumed, direct marketing is usually permitted
• Only covered if directed at individuals
• Covers communications by whatever means
• Includes marketing, advertising, campaigning, fundraising etc.
• Opt outs and stop notices – 28 days
• Delete or suppress?
• Can I ask them to opt back in?
Electronic Marketing
Privacy and Electronic Communications Regulations
What are the rules governing unsolicited:
1. Phone calls
2. Fax marketing
3. E-mails, texts and voicemails
Websites:
What are the data issues?
Cookies?
Discussion
Q&A