Data Protection webinar: Collaborative working

Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

2nd December 2014

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Programme

* Recap on key Data Protection points
* Who is responsible for what?
* Full joint working
* Close collaboration
* Loose collaboration
* Sharing data
* Using contractors

Data Protection: the absolute basics

We are trying to:

* Prevent harm through
  * Good security: Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  * Holding good quality data (accurate, up to date and adequate)
* Reassure people so that they trust us, through
  * Transparency: Making sure people know enough about what we are doing
  * Giving people a choice where possible & reasonable

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Data Controller

“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.

So, you can be:

* Joint controllers
* Controllers in common
* Independent controllers

Full joint working: Example

New joint client database for Refugee Council, Scottish Refugee Council, Welsh Refugee Council

* Shared responsibility (and some sharing of clients)
* Shared financial liability

= Joint Data Controllers

Required:

* Detailed negotiation
* Full data sharing agreement

Close collaboration: Example

Cathedral, with several associated charities

* Multiple databases, overlapping, used mainly for marketing (in its broadest sense), to be consolidated into one new system
* All ultimately under one authority

= Joint Data Controllers

Required:

* Simplified data sharing agreement

Loose collaboration: Example

Advice agencies in a London borough, setting up an online referral system to pass clients to the most appropriate agency

* Each responsible for their own clients

= Independent Data Controllers

Required:

* Simplified data sharing agreement

Sharing data: Example 1

Talent Match consortium, each agency treating clients as their own

* Data to be shared with lead agency for management purposes and with central evaluator

= Independent Data Controllers

Required:

* Data sharing incorporated into delivery contract

Sharing data: Example 2

Funder requires personal data about the beneficiaries of a programme to be passed back to the funder

= Independent Data Controllers

Required:

* Data sharing incorporated into contract
* Beneficiaries to be informed at the outset

Ad hoc data sharing

One agency agrees that if necessary they will disclose information about one of their clients to another agency

= Independent Data Controllers

Required:

* Data sharing protocol
* Client to be informed when the situation arises

Data sharing agreement

Key headings:

* Purpose(s) (Principle 2)
* Roles and management of the agreement
* Security obligations and procedures (Principle 7)
* Transparency & choice (Principle 1)
* Data quality (Principles 3 & 4)
* Retention periods (Principle 5)
* Subject Access (Principle 6)

Information Commissioner’s Code of Practice

Conditions for Fair Processing (must meet at least one)

1. With consent of the Data Subject (“specific, informed and freely given”)
2. For a contract involving the Data Subject
3. To meet a legal obligation
4. To protect the Subject’s ‘vital interests’
5. Government functions
6. In your ‘legitimate interests’ (or the interests of the organisation you disclose information to) provided the Data Subject’s rights, freedoms and interests are respected

Using contractors

Whenever one organisation uses another to process data for the first organisation’s purposes the second organisation is likely to be a Data Processor

… determines the purposes for which and the manner in which …

“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

Data Processor contract

* Must be in writing (Data Protection Act)
* Must set out the relationship
* Must cover security
* Others worth looking at (checklist)

Many thanks

Follow-up questions: paul@paulticher.com

To come by e-mail:

* Link to evaluation questionnaire
* Then option to download presentation and supporting documents