The Provincial Grand Lodge and Chapter of East Lancashire


The Provincial Grand Lodge and Chapter of East Lancashire Data Protection Act 1998 WBro Martin P Roche - ProvGSec/ScE April 2017

Why do I need to read this?
If you have access to the systems and records that the Province holds about our members, or
The purpose of this presentation is to simply remind you:
- Of the existence of the Data Protection Act
- How the Act applies to you when undertaking the work of the Province and your role within it
- That it affects all those who have legitimate business access (i.e. when carrying out the duties of your role) to the information we hold concerning our members
- That there are consequences in the case of non-compliance
- Of best practice to ensure we all comply with our obligations

The Data Protection ... Why is it important to me?
- Our members have disclosed to us, for the purpose of their membership, certain personal information relating to their identity and how they may be contacted
- That information is stored, primarily in an electronic format on our own system (Keystone), but as a consequence, on the Grand Lodge system we access for business use (Adelphi 2)
- Because of your role, you have been given access to those systems and that brings with it a personal and organisational responsibility to ensure we all protect the private information of our members
- We all therefore have a duty of care to our members to ensure their personal information is accurate, stored securely, used properly and disposed of appropriately if no longer required.

How does the law protect personal data?

The Data Protection Act (DPA) is designed to protect personal data concerning living individuals which is stored on computers or in an organised paper filing system. For us that includes:
- Keystone
- Adelphi 2
- And any associated paper records

How the DPA works
The Data Protection Act 1998 was brought in to control the way personal information is handled and to give legal rights to people who have information stored about them. Basically it works by:
- setting up rules that people have to follow
- having an Information Commissioner to enforce the rules
- ensuring that organisations such as ours follow those rules
It does not prevent us from storing and using information about our members. It just means that we have to follow a set of rules to:
- Protect our members and their personal information
- Protect ourselves

The 3 Main Roles
- Information Commissioner (IoC)
- Data Controller (The Province)
- Data subject (The Member)

Types of data
There are distinct types of data involved:
1. Personal data. For us, that only includes: name, address, date of birth, occupation, membership records, contact details
2. Sensitive personal data. The Province does not hold this type of data
If someone who is not entitled to see this data can obtain access without permission, it is deemed, and termed, unauthorised access and may constitute a breach of the Act

The Data Protection Act
A number of issues need considering:
- Who can access our information?
- How do they access it?
- How accurate is it?
- How do we ensure it is stored securely?
- Do we keep it up to date?
- Do we use it properly?

What does it actually mean?
Who can access our information?
- All staff/volunteers/Officers of the Province who have been authorised to do so because of their role must have signed a declaration in respect of the DPA and been provided with the Provincial Policy (which is also available on our website)
How do they access it and keep it secure?
- By a secure log on, either within the Provincial Office or remotely from home. Either way, users must ensure that they protect their log on details and password and do not leave open systems unattended so that unauthorised users such as visitors – and family – can see or access them.
- If a user feels their log on/ID has been compromised, they must contact the Secretariat as soon as possible
- Keeping secure also means controlling any paper records or printouts of personal information. If you are disposing of paper records which contain personal information, they must be shredded.
- This MUST be borne in mind when accessing systems from home.

What does it actually mean?
How do we make sure it is accurate and up to date?
- We ask our members and Secretaries/Scribes to update us of any changes in members' details
- We must then update our records in a timely manner
- If we identify any errors, we have an obligation to highlight them. If in doubt, raise the issue with staff in the Secretariat.
- We publish a policy (on the Provincial website) which sets out how we do this and our approach to the management and storage of personal information

What does it actually mean?
What does ‘using it properly’ mean?
- That we only ever access our systems for a legitimate business reason which is related to our specific role
- That we only ever use the information we obtain from our systems for the purpose it was provided by the member, i.e. for the administration of their memberships
- That we do not disclose any aspect of a member's details other than to a person who has a legitimate reason to know it because of their role/function within the Province.
- That we question any request for a member’s personal information
- That we do not disclose personal information to persons or organisations outside of the Province.
If in doubt ALWAYS ask a member of staff in the Secretariat.

The Eight Principles
The personal data that we store and process must be:
1. Collected and used fairly and within the law
2. Only held and used for the reasons we have given to the Information Commissioner (i.e. as a ‘not for profit’ membership organisation)
3. Only used for our registered purposes and then, only disclosed to those people who have a right to process it
4. Adequate, relevant and not excessive when compared with the purpose stated in the register
5. Accurate and kept up to date
6. Retained (kept) only for as long as is necessary for our registered purpose
7. Stored safely and securely
8. Not transferred outside of the European Economic Area unless the country that the data is being sent to has a suitable data protection law
This point might not seem relevant, but we actually have hundreds of East Lancashire members all over the world

Some of the Data Subject’s rights
- Amongst other things, the Data Subjects (our members) have a right to enquire about what information we hold concerning them. This is called Subject Access
- They have a right to ask that records are amended where found to be incorrect
- They have a right to expect that we will, by virtue of holding that information, not cause them any distress
- That they will not be subject to Direct Marketing
- They have recourse of complaint to the Information Commissioner
- They also have the right to claim compensation if we get it wrong

Exemptions
Complete exemptions
- Any personal data that is held for a national security reason is not covered – thankfully, not an issue for the Province!
- Personal data held for domestic purposes only at home, e.g. a list of your friends' names, birthdays and addresses, does not have to keep to the rules.
Partial exemptions
- e.g. HMRC, school pupils, company planning documents, health notes, statistics, employer references
The Provincial Grand Lodge and Chapter of East Lancashire may be registered with the Information Commissioner as a ‘not for profit’ membership organisation, but we are not exempt from the Act

What can go wrong?
Individuals as well as the Province can be prosecuted under the legislation if we:
- use or disclose information about other people without their consent or authorisation. This could happen if we used members' personal information for a purpose which was outside our legitimate business use or in a manner which the member did not agree to or reasonably expect
- give personal information to another person who does not have a right to have it, even if it was accidental
Unauthorised disclosure is a serious breach of the legislation

Social Networking
Social Media ‘posts’ are subject to Data Protection legislation!
- THINK: Are you sharing information in a social environment/setting, only known to you because of your business role?
- THINK: before updating or posting that status as you may be disclosing personal information inappropriately – and illegally
- REMEMBER: the internet does not forget!

REMEMBER
- Only ever access Provincial systems and records for a legitimate business reason/purpose. Being nosey or idly browsing is not legitimate access.
- Do not leave members' information out (i.e. on your desk/at home) unattended
- Store paper records which are subject to the provisions of the Act securely
- Do not throw away paper records without first establishing that they do not contain personal information. If they do, they must be disposed of appropriately, i.e. shredded
- Do not leave data displayed on a computer screen which can be seen by persons who should not have sight of it (especially if you access our systems from home)
- Do not leave your computer logged on and unattended
- Do not choose a password that is easy to guess - and change it regularly. The Provincial System will automatically require you to change it every 6 months.

REMEMBER
- Do not give your password to anyone - ever
- Before you share personal information with anybody, ask simple questions: What do they want it for? Do they have a legitimate business reason to have it/request it for the purpose of their role? What will they do with it? If in doubt, ALWAYS ASK.
- Therefore, do not disclose any personal information outside of the organisation or to a person who does not have a legitimate right to know it
- REMEMBER: Once personal information leaves the secure environment of the system it is stored on (i.e. by email, printed off) you no longer have control over what is done with it or who may end up in possession of it
Email:
- Think before forwarding any personal information by email. Is there a risk it might be forwarded on to a third party with no right to receive it?
- Review emails when forwarding them, particularly to establish the need to remove any email addresses of persons who received the original which might be in the body of the forwarded message
- Consider the use of ‘Bcc’ (blind copy) for emails so as not to disclose unnecessarily the email address of recipients

Additionally
Lodge Secretaries and Chapter Scribes maintain records for the purposes of their own Lodge/Chapter memberships. This should comprise the minimum information required to discharge that function, i.e. names, addresses and contact information.
In simple terms, they must also ensure that the personal information they hold is:
- Stored securely
- Accurate and up to date
- Processed fairly and lawfully
- Not shared inappropriately
- Not kept for longer than is necessary
- Disposed of properly when no longer required
They (and holders of that office) will have been identified as having responsibility for this by a resolution passed by their Lodge/Chapter. This was communicated to them in a Provincial Circular in April 2017

FINALLY
- Only ever use or access membership information for a legitimate business reason
- Question requests for personal information about our members from others
- Ask what the information is required for and what it will be used for
- Ensure it is for a legitimate business or organisational reason
- If unsure, ASK

The Provincial Grand Lodge and Chapter of East Lancashire
Data Protection Act 1998
Our full policy is available online and all enquiries should be directed to: secretariat@eastlancsmasons.org.uk