Data Protection – The Essentials Alison Johnston Lead Policy Officer - Scotland Information Commissioner’s Office.

Content
What is Personal Data?
Working with Personal Data
Rights and Obligations
Preparing for GDPR

What is Personal Data?

Personal Data is...

Under the Data Protection Act, personal data relates to a living individual who can be identified from those data and/or other information likely to be in the possession of the data controller.

Under the GDPR, personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person.

Under GDPR the definition of personal data has been expanded and made more specific.

Not all data is the same…

Race or ethnicity
Political opinions
Religious or philosophical beliefs
Trade union membership
Physical or mental health
Sexual life or orientation
Genetic or biometric

The Data Protection Act has two types of personal data: normal personal data and sensitive personal data. Sensitive personal data is separated out from ordinary personal data as worthy of more consideration and security, following conflicts in Europe. Under GDPR sensitive personal data is referred to as special categories of data. Genetic and biometric data is added as a new class of special category data. Data about criminal convictions and offences is dealt with separately but is still regarded as sensitive and to be used only in limited circumstances.

There is one piece of information missing which most people assume would be classed as sensitive personal data, and that is financial data. Although financial data is not classed as sensitive personal data by the DPA or the GDPR, the ICO treats a breach of this data as if it were sensitive data because of the impact a breach can have on an individual.

Personal Data isn’t Always Obvious!

We need to be aware of what other information is out there that people can piece together to identify an individual. GDPR makes reference to this by stating that personal data is data which allows someone to be identified either directly or indirectly.

If you are using anonymisation or pseudonyms to protect an individual’s identity, think carefully about how they are created. If they use initials or dates of birth then it is possible people could identify an individual from them. For example, your driving licence number is made up of your name and date of birth. Likewise pseudonyms or locations may make an individual identifiable.

It is about common sense: you have to consider what is reasonably likely regarding the risk of individuals being identified. Someone would have to want to identify a person and actively search out the additional information. The likelihood of this happening will depend on who you work with, with some people more likely to be at risk than others. Some examples of data which can be used to identify individuals include locations, medication, the car you drive, work you’ve undertaken (in particular research work), even the name of your pet.
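
The re-identification risk described above (pseudonyms built from initials and dates of birth), as an added Python example that is not part of the presentation: it recomputes a weak pseudonym for everyone in a constructed staff directory and links it straight back to a person, then shows a keyed (HMAC) pseudonym that cannot be recomputed without a secret key held separately. The directory, names and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed directory of fictional people: the kind of list an outsider
# could plausibly obtain, e.g. a published staff list.
DIRECTORY = [
    ("Jane Smith", date(1984, 7, 16)),
    ("John Stewart", date(1990, 1, 2)),
    ("Amira Khan", date(1978, 11, 30)),
]

def weak_pseudonym(name: str, dob: date) -> str:
    # Initials plus date of birth, the pattern the talk warns about: anyone who
    # knows the recipe and the attributes can rebuild it.
    initials = "".join(part[0].upper() for part in name.split())
    return f"{initials}{dob:%d%m%y}"

def keyed_pseudonym(name: str, dob: date, key: bytes) -> str:
    # HMAC-SHA256 over the identifying attributes. Without the secret key
    # (held separately from the pseudonymised data) the value cannot be
    # recomputed from the attributes, so a directory lookup fails.
    msg = f"{name}|{dob.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def relink(pseudonym: str, directory, make_pseudonym):
    # Re-identification check to run on your own scheme: recompute the
    # pseudonym for every directory entry and look for a match. Returns the
    # matching name, or None if the pseudonym cannot be linked back.
    for name, dob in directory:
        if hmac.compare_digest(make_pseudonym(name, dob), pseudonym):
            return name
    return None

def demo():
    # Weak scheme links back; keyed scheme links only for the key holder.
    key = secrets.token_bytes(32)        # controller's key, stored separately
    weak = weak_pseudonym("Jane Smith", date(1984, 7, 16))
    strong = keyed_pseudonym("Jane Smith", date(1984, 7, 16), key)
    leaked = relink(weak, DIRECTORY, weak_pseudonym)
    wrong_key = secrets.token_bytes(32)  # an outsider guessing without the key
    blocked = relink(strong, DIRECTORY, lambda n, d: keyed_pseudonym(n, d, wrong_key))
    holder = relink(strong, DIRECTORY, lambda n, d: keyed_pseudonym(n, d, key))
    return weak, leaked, blocked, holder
```

The same relink check can be pointed at any pseudonym scheme you already use: if it returns names using only attributes an outsider could know, the pseudonyms are still personal data.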

Working with Personal Data

The Accountability Principle

The controller shall be responsible for, and be able to demonstrate, compliance. It is currently good practice to keep a record of your data processing as evidence of compliance. GDPR makes this a requirement.

Schedule Conditions for Processing

Personal data (Schedule 2):
Consent
Contract
Legal obligation
Vital interests of individual
Public function under enactment/public interest
Legitimate interests of the data controller and third party but not prejudicial to individual

Sensitive personal data (Schedule 3):
Explicit consent
Employment law
Vital interests of anyone
Not-for-profit trade union/religious/political/philosophical groups
Already in public domain
Legal proceedings/advice
Public function under enactment
Anti-fraud activity
Medical purposes
Equal opportunities monitoring
Substantial public interest (SI 2000/417)

At present, in order to use personal data lawfully, you need to be able to rely on at least one Condition for processing from Schedule 2 (personal data). If it is sensitive personal data, you need to be able to rely on at least one Condition for processing from each of Schedules 2 and 3 (sensitive personal data). Under GDPR the conditions for processing personal data are under Article 6 and the conditions for processing sensitive personal data are under Article 9. If you process children’s data you must take into consideration Article 8. If you rely on consent you must take into consideration Article 7.

All Conditions have equal weighting: one does not carry any more status than any other. It is for the data controller to be satisfied that they are relying on the appropriate Condition.

Let’s talk about the elephant in the room…

Consent

The GDPR is raising the bar to a higher standard for consent. Consent under the current data protection law has always required a clear, affirmative action; the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it. Data cannot be processed based on consent if there is an imbalance of power, e.g. where the provision of a service is based on an individual consenting to data processing.

Privacy Notices

GDPR requires privacy notices to be provided at the time personal data is collected. Article 13 sets out what must be included in a privacy notice. Article 12 states that any communication regarding the processing of an individual’s data must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

Data Sharing

Know why and how data will be shared
Be transparent about data sharing
Use our data sharing checklist: https://ico.org.uk/media/for-organisations/documents/1067/data_sharing_checklists.pdf

Personal Data Security

Data Breaches

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals, for example resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. This has to be assessed on a case-by-case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.

Rights and Obligations under GDPR

Access
Accuracy/Rectification
To Be Forgotten (Erasure)
Restrict Processing
Object
Data Portability

Fundamentally, the DPA is about establishing rights for individuals and placing obligations on organisations using personal data. Individuals get all the rights: organisations have all the responsibility!!

Preparing for the GDPR

Keep in touch

ICO Scotland
45 Melville Street
Edinburgh EH3 7HL
T: 0131 244 9001
E: Scotland@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk or find us on @iconews