Data Protection webinar: Working with other

Data Protection webinar:
Collaborative working
Welcome. We’re just making the last few preparations
for the webinar to start at 11.00. Keep your speakers or
headphones turned on and you will shortly hear a voice!
2nd December 2014
This presentation is intended to help you
understand aspects of the Data Protection
Act 1998 and related legislation.
It is not intended to provide detailed advice
on specific points, and is not necessarily a full
statement of the law.
Programme
* Recap on key Data Protection points
* Who is responsible for what?
* Full joint working
* Close collaboration
* Loose collaboration
* Sharing data
* Using contractors
Data Protection: the absolute basics
We are trying to:
* Prevent harm through
  * Good security: Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  * Holding good quality data (accurate, up to date and adequate)
* Reassure people so that they trust us, through
  * Transparency: Making sure people know enough about what we are doing
  * Giving people a choice where possible & reasonable
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Data Controller
* “Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
* So, you can be:
  * Joint controllers
  * Controllers in common
  * Independent controllers
Full joint working: Example
* New joint client database for Refugee Council, Scottish Refugee Council, Welsh Refugee Council
* Shared responsibility (and some sharing of clients)
* Shared financial liability
= Joint Data Controllers
* Required:
  * Detailed negotiation
  * Full data sharing agreement
Close collaboration: Example
* Cathedral, with several associated charities
* Multiple databases, overlapping, used mainly for marketing (in its broadest sense), to be consolidated into one new system
* All ultimately under one authority
= Joint Data Controllers
* Required:
  * Simplified data sharing agreement
Loose collaboration: Example
* Advice agencies in a London borough, setting up an online referral system to pass clients to the most appropriate agency
* Each responsible for their own clients
= Independent Data Controllers
* Required:
  * Simplified data sharing agreement
Sharing data: Example 1
* Talent Match consortium, each agency treating clients as their own
* Data to be shared with lead agency for management purposes and with central evaluator
= Independent Data Controllers
* Required:
  * Data sharing incorporated into delivery contract
Sharing data: Example 2
* Funder requires personal data about the beneficiaries of a programme to be passed back to the funder
= Independent Data Controllers
* Required:
  * Data sharing incorporated into contract
  * Beneficiaries to be informed at the outset
Ad hoc data sharing
* One agency agrees that if necessary they will disclose information about one of their clients to another agency
= Independent Data Controllers
* Required:
  * Data sharing protocol
  * Client to be informed when the situation arises
Data sharing agreement
* Key headings:
  * Purpose(s) (Principle 2)
  * Roles and management of the agreement
  * Security obligations and procedures (Principle 7)
  * Transparency & choice (Principle 1)
  * Data quality (Principles 3 & 4)
  * Retention periods (Principle 5)
  * Subject Access (Principle 6)
* Information Commissioner’s Code of Practice
Conditions for Fair Processing
(must meet at least one)
1. With consent of the Data Subject (“specific, informed and freely given”)
2. For a contract involving the Data Subject
3. To meet a legal obligation
4. To protect the Subject’s ‘vital interests’
5. Government functions
6. In your ‘legitimate interests’ (or the interests of the organisation you disclose information to) provided the Data Subject’s rights, freedoms and interests are respected
Using contractors
* Whenever one organisation uses another to process data for the first organisation’s purposes the second organisation is likely to be a Data Processor
… determines the purposes for which and the manner in which …
* “Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Data Processor contract
* Must be in writing (Data Protection Act)
* Must set out the relationship
* Must cover security
* Others worth looking at (checklist)
Many thanks
Follow-up questions: paul@paulticher.com
To come by e-mail:
* Link to evaluation questionnaire
* Then option to download presentation and supporting documents