Commissioning Services: with the DPA in mind South Yorkshire Information and Data Sharing Group Sheffield 14th August 2014 Lynne Shackley Lead Policy.

Presentation transcript:

Commissioning Services: with the DPA in mind
South Yorkshire Information and Data Sharing Group
Sheffield, 14th August 2014
Lynne Shackley, Lead Policy Officer, Information Commissioner’s Office

Purpose
- To talk about commissioning services with new partners
- To discuss the data protection implications of working in this way
- To explain the importance of data flow monitoring
- To promote questions and discussion

The ICO’s role
- Enforce and regulate
  – Data Protection Act
  – Freedom of Information Act
  – Environmental Information Regulations
  – Privacy and Electronic Communications Regulations
- Provide information to individuals and organisations
- Adjudicate on complaints
- Promote good practice

The Principles
1. Fair and lawful
2. Obtained for one or more lawful purpose
3. Must be adequate, relevant and not excessive
4. Accurate and kept up to date
5. Not kept for longer than is necessary
6. Processed in accordance with the rights of data subjects
7. Must be kept secure
8. Not transferred outside the European Economic Area, unless an adequate level of data protection exists

The Major Drivers
- Austerity and the need to do more with less across the whole of the public sector
- Greater public demand for services and a perception that this can be met
- An aging population, which will live longer and have more complex needs
- The role of public sector organisations as advisors, signposting services and as service guarantors

What Information?
- This might depend on what you are doing
- Are you helping colleagues form a mutual to provide a service?
- Are you splitting off and commissioning part of your usual in house services?
- Are you commissioning back room or front line services?
- Will there be much interaction with the public?

Scoping the project
- Start your Privacy Impact Assessment
- Agree your purpose: clarity aids progress
- Decide what information is required
- Will you provide it all, or will some be created by your commissioning partner?
- Do a risk assessment: how will information be moved, where will it be stored, who will have a claim on it?
- How will disaster recovery be handled, and by whom?
- Have a contingency plan for organisational failures
- What are the timescales: limited one-off or yearly renewal?
- Does your commissioning partner understand the public sector environment?
- Who is going to tell the clients, and how will this be done?

Checking out your Commissioning partner
- Does your commissioning partner understand that red tape is not just red tape?
- Have you seen their premises, are they secure?
- Do they have good quality policies and procedures for information governance and handling?
- Where do they recruit their staff, are they vetted, how are they trained?
- How will you monitor what they do with your information?
- Should you even try?
- Is this starting to sound familiar?

Putting it in writing
- Service level agreement, partnership papers, commercial contract
- Time to articulate the rules
- What your commissioning partner can and cannot do with your information
- Time to decide who is the data controller, to decide whether your commissioning partner is a data processor, or a data controller in their own right
- Joint, or in common, or just too darn complicated?
- The thorny question of “What’s in it for the commissioning partner?”
- Data protection contract clauses
- Solicitor, or IG staff?

Or not putting it in writing
- No-one goes into business without some form of written agreement
- If the service you are commissioning has a statutory basis, you may still be responsible for the DP aspects of it
- The potential reputational damage of a breach could be enormous
- Public perception may be that you are at fault
- The ICO might think so too

Scary possibilities
- Your commissioning partner subcontracts a task to organisation B with the personal information they need to do it. Organisation B is short of cash and sells the information to a sales company.
- Your commissioning partner goes bankrupt and in closing down its office dumps all the personal information it holds (including yours) into a skip
- Your commissioning partner performs badly, loses its contract, and holds your information hostage while you argue about money owed
- Meanwhile, what about the clients?

Safety nets
- Think things through, due diligence is vital
- Take as much care over the DP aspects of the commissioning as you do over commercial and service provision aspects
- If it starts looking like a data controller / data processor contract that might not be a bad thing
- Talk to your IG people
- Use flow charts to show where your information is and who is the data controller at each point of its lifecycle
- If information is regularly moving back and forth it might also help to have an ISA

And in the end
- Spend as much time working out what will happen at the end of any commissioning contract as you spend on what happens at the beginning
- Ensure that contracts contain prohibitions on some uses of information e.g. marketing
- Ensure that there is a means of recovering all the necessary information when the contract ends
- Align retention schedules where possible, or ensure commissioning partners have a reasonable schedule which they follow
- Ensure that information which cannot be recovered can be securely destroyed

Some useful links
- The ICO website: Free publications and training aids
- Privacy Impact Assessments: _guides/privacy_impact_assessment.aspx
- Data Sharing Code of Practice es/data_sharing
- Data Controller / Data Processor new guidance ocuments/library/Data_Protection/Detailed_specialist_guides/data-controllers-and-data-processors-dp-guidance.pdf

Keep in touch Subscribe to our e-newsletter at or find us on…