An Overview of Data Protection Legislation
Consumer Affairs Department
Tel 061 483286 / 87
© Health Service Executive

Contents
• Introduction and background.
• Main definitions.
• Rules and responsibilities for all staff.
• Contact details.

What is Data Protection?
• Safeguards the privacy rights of individuals in relation to the processing of personal data by:
  – regulating computer use
  – giving individuals rights in relation to their personal information
  – imposing responsibilities on organisations in terms of compliance with the Data Protection rules and rights of access
• Data Protection Acts 1988 & 2003 create rights for individuals and responsibilities for computer and other users.
• When you create a record which contains personal data not only should it remain confidential but you are also obliged to keep it safe and secure and use it only for the purpose for which it was collected.
• Disciplinary action may follow a DP breach as each staff member has an individual responsibility under DP legislation and the more recent HSE policy

History
Council of Europe Convention of Data Protection, 1981
The purpose of this convention was to secure respect for a person’s rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data relating to them ("data protection")
Data Protection Act 1988 (gives effect to 1981 convention)
Data Protection Directive, Directive 95/46/EC
Manual Records
Consent
Transfer of Data
Data Protection (Amendment) Act 2003
Privacy Bill 2006

Corporate Responsibilities
• The HSE must comply with Data Protection legislation.
• The HSE must nominate Data Controllers – four in total being the Consumer Affairs Area Manager in each of the four regions.
• Each Data Controller must register all databases with the Data Protection Commissioner and ensure that this registration is kept up to date.
• The HSE must process all Data Protection Access requests.
• The HSE must ensure that all staff have received Data Protection training.

Definitions
• Personal information (even minimum information such as name, address or email address) about a living individual held either electronically or in paper files. It includes information in the form of photographs, fingerprints, audio recordings and text messages. Personal information can be stored in a number of ways such as in mobile phones, laptops, palm pilots, voicemail, fax machines and CCTV.
• Sensitive Personal Data: Relates to specific categories of data which are defined as data relating to a person’s racial origin, political opinions or religious or other beliefs; physical or mental health; sexual life; criminal history; trade union membership

Definitions
Data: Information in a form which can be processed (manual & electronic)
Data Subject: An individual who is the subject of personal data
Data Controller: A person who, either alone or with others, controls content and use of personal data
Data Processor: A person who processes personal information on behalf of the data controller

Definitions
• Processing of Data or Information – performing any operation on data including:
  – Obtaining, recording, keeping
  – Collecting, organising, storing, altering, adapting
  – Retrieving, consulting, using
  – Disclosing, transmitting, disseminating
  – Aligning, combining, blocking, erasing or destroying

The 8 Principles of Data Protection

Principle Number 1
Obtain and process information fairly
• In order to obtain personal data fairly from people, we need to ensure that they are made aware of:
  – Why the data is being collected.
  – What it will be used for.
  – Persons/third parties to whom data may be disclosed.
  – Right to access their data.
• To fairly process personal data it must have been fairly obtained and the data subject must have given consent to the processing.

Principle No 2
Keep it for one or more specified, explicit and lawful purposes
• An individual should know the purpose for which we collect and hold his/her data.
• He/she must also be aware of the different sets of data which we hold and the specific purpose of each set.

Principle No 3
Use and disclose it only in ways compatible with these purposes
Key tests of compatibility are:
1. Do you use the data only in ways consistent with the purpose for which it was obtained?
2. Do you disclose the data only in ways consistent with that purpose?
What is Compatible Disclosure?
• Closely related to the specified purpose
• Consistent with the specified purpose
• Need to know basis
• The surprise test – would the subject be surprised to learn that the disclosure is taking place

Principle No 3
Use and disclose it only in ways compatible with these purposes
We as staff of the HSE must ensure that personal data is used only in ways consistent with the purpose for which it was obtained.
• Except where it is:
  – Required urgently to protect life and limb.
  – Required by law or court order.
  – With consent of/on behalf of data subject.
  – Crime; tax; State security; international relations.

Principle No 4
Keep it safe and secure
• Appropriate security measures must be taken against unauthorised access to, alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

Principle No 4
Keep it safe and secure
All staff should be aware of the Information Security Policies adopted by the HSE including:
  – Information Security Policy
  – Information Technology Acceptable Usage Policy
  – Electronic Communications Policy
  – Password Standards Policy
  – Encryption Policy
  – Mobile Phone Device Policy

Principle No 5
Keep it accurate, complete and up to date
• We need to ensure that clerical and computer procedures are adequate to ensure high levels of data accuracy.
• We also need to ensure that appropriate procedures are in place, including periodic review and audit, to ensure that all records are kept up to date.

Principle No 6
Ensure that it is adequate, relevant and not excessive
We must ensure that information being held is:
• Adequate and relevant in relation to the purpose for which it is being held.
• Not excessive in relation to the purpose for which it is kept.
e.g. asking a job applicant about criminal convictions could be relevant but it would be irrelevant and excessive to ask the same question in an online booking form for theatre tickets!

Principle No 7
Retain it for no longer than is necessary for the purpose.
To comply with this you should have:
• Staff should be aware of:
  – the length of time data/records are held.
  – the reason why they are being retained.
  – The process for destruction when no longer required.
• Responsibility should be assigned to a specific individual within a department to ensure that files are reviewed on at least an annual basis to ensure that personal information is not retained any longer than necessary.
• All staff should be aware of:
  – NHO Code of Practice for Healthcare Records Management.
  – The National Policy for Health Boards on Record Retention Periods.

Principle No 8
Give a copy of personal data on request
On making an access request, any individual about whom you keep personal data is entitled to:
• A copy of the data you are keeping about him/her
• Know the purpose/s for processing the data
• Know the identity of those to whom you disclose the data
• Know the source of the data, unless it is contrary to public interest
• Know the logic involved in automated decisions
• A copy of any data held in the form of opinions, except where such opinions were given in confidence

Right of correction or erasure
Section 6 of the Act
• The data subject must make a written request
• Personal data must be corrected if inaccurate or deleted.
• Data controller has 40 days to respond.
• No fee is required.

Manual Data
This information must be in a ‘relevant filing system’ which is structured by reference to individuals in such a way that specific information relating to a particular individual is readily accessible.
• The data must be part of a set
• The set must be structured
• The data must be accessible
• Such access cannot be simply random but must be according to specific criteria

Security Issues
Manual Files
• Who has access?
• At what level is it authorised?
• Are they kept under lock and key?
• Are there designated staff to make additions to the file?
• Who deals with requests for information from the file? Set procedures for this?

Faxing Information
Confidential and personal information should not be transmitted by fax message except if all persons identified in the fax message have fully understood the risks and agreed or there are no other means available or in a medical emergency where a delay would cause harm to a patient.
• Checking and confirming correct fax numbers
• Authorised access to fax only
• A phone call before fax is sent to ensure machine is manned

Mailing Information
• Registered Post
• Check correct mailing address
• Sealed envelopes

What are Electronic Records?
The term electronic record is a generic description for a record held on, or produced by, a computerised system. Records can be output as any media: text, images, sound or a combination of these and include electronic documents and electronic messages.

Information Security Policies: HSE
• The aim of these policies is to help protect patient, client and staff information.
• Each staff member who uses HSE ICT equipment or has HSE data stored on an electronic device needs to make themselves familiar with the policies: Information Security Policy, Information Technology Acceptable Usage Policy, Electronic Communications Policy, Password Standards Policy, Encryption Policy, Mobile Phone Device Policy
• The full policies are available to download from the HSE intranet: http://hsenet.hse.ie/HSE_Central/Commercial_and_Support_Services/ICT/Policies_and_Procedures/Policies/
• If you have any queries contact your local ICT Department Tel 061 483308

Keep it Safe and Secure
• Personal laptops or other equipment (e.g. cameras, phones) must NOT be used for HSE business.
• The storage of confidential or personal information on USB flash drives (i.e. memory stick/pen/keys) is strictly prohibited. Encrypted HSE approved USB memory sticks may only be used on an exceptional basis where it is essential to store or temporarily transfer confidential or personal data.
• Users must only use accounts and passwords that are assigned to them.
• All confidential and personal information transmitted to an email address outside the HSE Domain must be encrypted.
• All HSE laptop computer devices must be password protected, have up to date anti-virus software installed and have encryption software installed.

Keep it Safe and Secure
• Old and obsolete IT equipment must be securely recycled via the ICT Directorate.
• Confidential and personal information must be securely deleted from your PC when no longer required.
• All passwords must be a minimum of 8 characters and must contain a combination of letters, numbers and at least one special character.
• Mobile phone devices should have PIN or password protection and those with cameras must not be used inappropriately.
• Restrict access to records on a “need to know” basis & ensure premises secure when unoccupied.
• Ensure there are back up procedures for computers including off-site back up.

Keep it Safe and Secure
• PC should be locked when a person leaves their desk (Ctrl+Alt+Delete).
• Staff should log out of their PC at the end of each working day.
• Confidential waste papers must be securely disposed of (shredded).
• Use screen savers and passwords
• Revoke IDs and passwords as soon as users resign or leave
• Use audit trails to track when a record is accessed and by whom
• Information on computer screens and manual files should be kept hidden from callers and should be secured when office is unoccupied.
• Ensure there are contracts and confidentiality agreements in place with data processors

Laptops – some basic precautions!
• Do not leave the portable unattended
• Do not position portables near exterior windows where they are subject to ‘smash & grab’ theft
• Keep only the most necessary information on the portable
• Back up files and store them in some other place other than the carry case
• Pay attention to where you use the portable, be aware that someone could see the screen behind you
• Be cautious about installing any software from unknown sources – may contain a virus
• Ensure that sensitive files are password protected when stored on laptop
• Ensure that anti-virus software has been installed
• Ensure that the data held on your laptop is encrypted

Data Breach
• HSE Data Protection Breach Management Policy
• An incident report must be completed immediately by HSE employees and their line manager whenever confidential or personal data belonging to the HSE is accidentally disclosed, lost or stolen, or whenever a HSE mobile computer device or a mobile storage device is lost or stolen.
• The completed report must be forwarded immediately via fax or email (a scanned copy) to the employee's local Consumer Affairs Office (for incidents involving the accidental disclosure, loss or theft of manual (paper based) data) or ICT call centre / helpdesk (for incidents involving the accidental disclosure, loss or theft of electronic data or the loss or theft of a HSE mobile computer or storage device).

Data Breach
What to do in the event of a breach
• Contact Line Manager
• Fill out incident form with Line Manager
• Contact the Gardaí (if items stolen etc)
• Contact Consumer Affairs / ICT Helpdesk
• Recommendations: Key aspect of report which are followed up by Consumer Affairs and DP Commissioner
• Disciplinary action may follow as each staff member has an individual responsibility under DP legislation and the more recent HSE policy

Data Protection Commissioner

DP Commissioner
• Upholds rights of individuals
• Enforces obligations of data controllers
• Investigates complaints
• Maintains public register
• European functions
• Codes of Practice
• Investigation to ensure compliance and identify contravention
• Pre registration check
• Name & Publish
• Annual Report absolutely privileged

Commissioner’s Powers
• Information notice (section 12)
• Enforcement notice (section 10)
• Prohibition notice (section 11)
• Powers of entry and inspection (section 24) “authorised officers”
• Decision on complaints (section 10)
• Refusal to register (section 17)
• Auditing powers (section 10 (1) a)

Offences and Penalties
• Failure to comply with a Notice
• Failure to register
• Failure to comply with terms of register entry
• Fine of up to €100,000
• Court may order erasure of data

Guidelines & Contact Details
Consumer Affairs Dept, H.S.E., 31/33 Catherine St. Limerick
Tel: 061 483286/87
ICT Dept, H.S.E., 31/33 Catherine St. Limerick
Tel: 061 4833308
HSE Website: http://hsenet.hse.ie/Intranet/HSE_Central/Consumer_Affairs/
The Data Protection Commissioner’s Website: http://www.dataprotection.ie
Tel: 057 8684800