Public Sector Organisations - are you GDPR ready?
Data Protection Practitioners’ Conference 2018 #DPPC2018
Are we a public authority?
- Public authority is not defined in the GDPR. It will be defined in the Data Protection Act 2018 (when passed).
- It is likely that if you are a public authority as defined under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR.
What lawful bases should we use?
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
What lawful bases should we use?
- The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences
- You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies
- Once you have identified your lawful basis, you must document it and update your privacy notice to explain it
- Documenting your lawful basis will help you comply with the GDPR’s ‘accountability’ requirements
Public task?
- One of the differences between the old conditions for processing and the new lawful bases is that public authorities now need to consider the new ‘public task’ basis for most processing
- The ‘public task’ basis can apply where the processing is necessary for you to perform a task in the public interest or in the exercise of your official authority (for example a public body’s tasks, functions or powers)
- There must be a clear basis in law for the relevant task or function
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest
Consent or legitimate interest?
- In many circumstances consent may not be the most appropriate lawful basis. You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing
- If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives
- If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority
- However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate
- You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in the lawful basis section of our Guide to the GDPR
Consent or legitimate interest?
For example:
- Universities and museums are likely to be classified as public authorities, so the ‘public task’ basis is likely to apply to much of their processing
- But where they are processing personal data separate from their tasks as a public authority, they may instead wish to consider whether the lawful basis of consent or that of legitimate interests is appropriate
- These bases could apply, for example, where they are processing personal data for alumni relations or for fundraising purposes
- There are other lawful bases which could also be relevant. For more information see the lawful basis section of our Guide to the GDPR
Do we need to appoint a DPO?
- Public authorities must appoint a DPO (except for courts acting in their judicial capacity)
- You will need to provide the ICO with the contact details of your DPO when you pay your data protection fee
Can organisations share a DPO?
- Yes, you may appoint a single DPO to act for a group of public authorities, taking into account their size and structure
- However, you must ensure that the DPO is still able to perform their tasks effectively and is easily accessible
Special categories of personal data
- “Special category data” under the GDPR is broadly similar to the concept of “sensitive personal data” under the DPA 1998
- It is personal data which is more sensitive, and so needs more protection
- The special categories have been expanded to include genetic data, and biometric data where it is processed to uniquely identify an individual
Special categories of personal data
- Race or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Sex life or sexual orientation
- Genetic data, and biometric data processed to uniquely identify an individual
Special categories of personal data
Under the GDPR, if you are processing special category data you must have a lawful basis for processing under Article 6 (as you would for other personal data), but you must also satisfy a condition under Article 9(2):
- Explicit consent
- Employment, social security or social protection law
- Vital interests, where the individual is physically or legally incapable of giving consent
- Legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim, relating to its members or regular contacts
- Data manifestly made public by the individual
- Legal claims, or courts acting in their judicial capacity
- Substantial public interest, on the basis of law
- Health or social care, including occupational medicine
- Public health
- Archiving in the public interest, scientific or historical research purposes, or statistical purposes
Several of these conditions will also require you to meet a further condition set out in the Data Protection Act 2018 (when passed).
Criminal offence data
- The GDPR rules for special category data do not apply to information about criminal allegations, proceedings or convictions
- Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10
- To process such data you must have a lawful basis under Article 6 and, under Article 10, either be processing under the control of official authority or be authorised to do so by law
- Article 10 also specifies that a comprehensive register of criminal convictions may only be kept under the control of official authority
Data sharing agreements under GDPR
- If you have an existing data sharing agreement that complies with the Data Protection Act 1998, it is likely you can still share data under the GDPR. You should still review any existing agreements to ensure that the sharing is fair and transparent and complies with the requirements of the GDPR
- A data protection impact assessment (DPIA) may need to be carried out for any new or revised data sharing, especially if you are using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals
- The GDPR also contains explicit provisions about documenting processing activities, including maintaining records of data sharing. There is a limited exemption for organisations with fewer than 250 employees, but it does not apply where the processing is likely to result in a risk to individuals, is not occasional, or includes special category or criminal offence data
What rights will exist under GDPR?
- Be informed
- Access
- Rectification
- Erasure
- Restrict processing
- Data portability
- Object
- Rights in relation to automated decision-making (ADM) and profiling
Right to be informed
Individuals have the right to receive privacy information such as:
- How their data will be processed
- Who it will be shared with
- What their rights are with respect to it
The information you supply must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child, AND
- Provided free of charge
Right of access
Individuals have the right to:
- Have confirmation that their data is being processed
- Be aware of and verify the lawfulness of the processing
- Request access to their personal data
You must:
- Take reasonable steps to verify the identity of the requester
- Comply with such requests within one calendar month (this can be extended by up to two further months where requests are complex or numerous, provided you tell the individual within the first month)
- Provide the data free of charge
Right of access
- You may charge a reasonable fee, or refuse to respond, when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative costs of providing the information
- Where you refuse a request you must explain why to the individual, without undue delay and at the latest within one month, and inform them of their right to complain to the ICO and to seek a judicial remedy
- If a request is made electronically, you should provide the information in a commonly used electronic format
- It is considered best practice, where possible, to provide remote access to a secure self-service system that gives individuals direct access to their information. Such a system must authenticate the individual at least as rigorously as you would verify identity for a written request, since it discloses personal data to whoever can log in
- Where you process a large quantity of information about the individual, the GDPR permits you to ask them to specify the information the request relates to
Right to rectification
Individuals have the right to:
- Have their personal data be accurate
- Request that inaccurate data be corrected and incomplete data completed
You must:
- Correct inaccurate matters of fact and confirm the rectification
- Inform any recipients of the incorrect data of the rectification
- Inform the data subject if you are not amending the record, and why
Right to erasure
Individuals have the right to erasure if:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
- They withdraw consent and there is no other lawful basis for the processing
- They object to the processing and there are no overriding legitimate grounds to continue
- Their data has been unlawfully processed
- There is a legal obligation to erase
- The data was collected from a child in connection with the offer of online (information society) services
You must:
- Comply with the request unless an exemption applies, for example where continued processing is necessary to comply with a legal obligation, to perform your public task, for freedom of expression, or for the establishment, exercise or defence of legal claims
- Where the personal data has been made public, take reasonable steps to inform other controllers processing it of the data subject’s request for erasure
Right to restrict processing
Individuals can request restriction of processing where:
- They contest the accuracy of the data, until you have verified it
- The processing is unlawful but they want the data retained rather than erased
- You no longer need the data but they need it retained for the establishment, exercise or defence of legal claims
- They have objected to the processing, pending verification of whether your grounds override theirs
You must:
- Take steps to ensure the restriction as requested, so that the data is stored but not otherwise processed unless a limited exception applies (such as the individual’s consent or legal claims)
- Inform the data subject before the restriction is lifted and processing recommences, and why
Right to data portability
Individuals have the right to:
- Receive their personal data in a structured, commonly used and machine-readable format
- Transmit their data to another controller without hindrance
This right only applies if:
- The individual has provided you with their personal data
- The data is processed on the basis of consent or a contract, AND
- The processing is carried out by automated means
This right does not apply when the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of your official authority. However, it may be good practice to provide for portability regardless
Right to object
Individuals have the right to object to:
- Processing for direct marketing
- Processing carried out in the public interest or for your legitimate interests, including profiling based on those grounds
You must:
- Comply immediately if you are direct marketing! No exemptions!
- For public task and legitimate interests, comply unless you can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims
Rights in relation to automated decision-making (ADM) including profiling
Under Article 22, individuals have the right not to be subject to a decision when:
- It is based solely on automated processing, including profiling, AND
- It produces a legal or similarly significant effect on the individual
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
- Give individuals information about the processing
- Introduce simple ways to request human intervention or challenge a decision
- Carry out regular checks to make sure that your system works as intended
What rights will exist under GDPR?
- Your obligation to uphold these individual rights may vary depending on the lawful basis you are relying on
- For example, the rights to erasure and data portability do not apply where you are processing on the basis of ‘public task’, but individuals will have a right to object
- Please see the Individual Rights section of our Guide to the GDPR for further information
Accountability under GDPR
The GDPR’s accountability principle (Article 5(2)) requires you to be able to demonstrate how you comply with the data protection principles. This can be demonstrated by having effective policies and procedures in place, such as:
- Processing data in a transparent manner
- Maintaining records of processing
- Appointing a DPO
- Carrying out DPIAs
Transparency under GDPR
- The first principle of the GDPR requires you to process data in a transparent manner in relation to the data subject (Article 5(1)(a))
- The GDPR emphasises the need for transparency over how you use personal data. This can be achieved by providing individuals with privacy information (typically through a privacy notice) such as how their data will be processed, who it will be shared with and what their rights are with respect to it (Articles 13 and 14)
- If individuals know this information from the outset, they will be able to make informed decisions in relation to their personal data
- Any information you supply relating to the processing of personal data should be easily accessible, easy to understand and written in clear and plain language
Security under GDPR
Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures” (the integrity and confidentiality principle, Article 5(1)(f)).
You are required to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR (Articles 24 and 32). This may include:
- Staff training
- Internal audits
- Pseudonymisation and encryption of personal data
- The ability to restore availability of and access to personal data in a timely manner after an incident
- A process for regularly testing, assessing and evaluating the effectiveness of the measures
- Breach management
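Pseudonymisation is listed above as one of the measures, and the detail that matters in practice is how the identifier is replaced. The following is an added example written for this page, not ICO material or a tool the slides describe: it contrasts an unkeyed hash, which an attacker reverses by enumerating the identifier space, with an HMAC under a secret key held separately from the extract. The staff numbers, records and the "S0000" numbering scheme are constructed for the illustration.

```python
"""Pseudonymisation as an Article 32 security measure.

Added example, not ICO material: a direct identifier is replaced with a
token so the working extract can be analysed without revealing who each
record concerns.  The staff numbers and records are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample extract. "staff_no" is the direct identifier; the
# other fields are what the analyst actually needs.
RECORDS = [
    {"staff_no": "S0001", "dept": "Housing", "sick_days": 3},
    {"staff_no": "S0002", "dept": "Housing", "sick_days": 0},
    {"staff_no": "S0003", "dept": "Planning", "sick_days": 11},
]

# Every staff number an attacker might try: a space of only 10,000 values,
# so anything deterministic and unkeyed is trivially reversible.
CANDIDATE_IDS = [f"S{i:04d}" for i in range(10_000)]


def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic and unkeyed, so anyone
    who can enumerate the identifier space can rebuild the mapping."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Article 4(5): stored separately from the extract, it is what lets the
    controller, and only the controller, re-identify a record."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def new_pseudonymisation_key() -> bytes:
    """256-bit key; keep it in a key store, never alongside the extract."""
    return secrets.token_bytes(32)


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the extract with staff_no replaced by a keyed token.
    The input records are left untouched."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = keyed_token(copy.pop("staff_no"), key)
        out.append(copy)
    return out


def reverse_unkeyed(token: str, candidates: list[str]) -> str | None:
    """Dictionary attack on the unkeyed scheme: hash every candidate and
    compare. Succeeds with nothing but the extract and the ID format."""
    for candidate in candidates:
        if unkeyed_token(candidate) == token:
            return candidate
    return None


def reidentify(token: str, candidates: list[str], key: bytes) -> str | None:
    """Re-identification is the same enumeration, but only succeeds with the
    correct key. An attacker holding the extract but not the key gets None."""
    for candidate in candidates:
        if hmac.compare_digest(keyed_token(candidate, key), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in pseudonymise(RECORDS, key):
        print(row)
    # The unkeyed scheme falls to enumeration; the keyed one does not.
    print(reverse_unkeyed(unkeyed_token("S0042"), CANDIDATE_IDS))
    print(reidentify(keyed_token("S0042", key), CANDIDATE_IDS, b"wrong key"))
```

The token is truncated to 64 bits only to keep the output readable; the security of the scheme rests on the key, not on the truncation, and the extract remains personal data for as long as the key exists, so the key needs its own access control and retention decision.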
Breach reporting
Notify the ICO:
- Not later than 72 hours after becoming aware of the breach (you can add detail later in phases; if you do not make 72 hours you must give reasons for the delay)
- Where the breach is likely to result in a risk to the rights and freedoms of individuals
Notify the data subjects:
- Without undue delay
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals
Document every breach, including those you decide not to notify, recording the facts, its effects and the remedial action taken
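Two of the clocks on these slides, the one calendar month for a subject access request (right of access slides above) and the 72 hours for notifying the ICO of a breach, are easy to get wrong in a ticketing system. The following is an added example, not ICO material: it computes both deadlines, including the month-end case (a request received on 31 January cannot be answered by 31 February) and the two-month extension for complex or numerous requests. The counting convention it assumes, the same calendar date in the following month or the last day of that month if it is shorter, is an assumption of this example; check current ICO guidance before building on it. The dates are constructed.

```python
"""Statutory clocks from the slides: the one-calendar-month limit for
subject access requests (Article 12(3)) and the 72-hour limit for
notifying the ICO of a breach (Article 33(1)).

Added example, not ICO material. Counting convention assumed here: the
month runs from the day of receipt to the same calendar date in the
following month, and if that month is shorter the deadline is its last
day. All dates are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta


def add_calendar_months(day: date, months: int) -> date:
    """Corresponding calendar date `months` later, clamped to month end
    where the target month is shorter (31 January + 1 -> 28/29 February)."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day))


@dataclass(frozen=True)
class SarDeadline:
    received: date
    respond_by: date           # one calendar month, Article 12(3)
    extended_to: date | None   # up to two further months for complex or
                               # numerous requests, Article 12(3)


def sar_deadline(received: date, complex_or_numerous: bool = False,
                 extension_notified_on: date | None = None) -> SarDeadline:
    """Deadline for a subject access request. The extension only counts if
    the individual was told about it within the first month."""
    respond_by = add_calendar_months(received, 1)
    extended_to = None
    if complex_or_numerous:
        if extension_notified_on is None or extension_notified_on > respond_by:
            raise ValueError("extension must be notified within the first month")
        extended_to = add_calendar_months(received, 3)
    return SarDeadline(received, respond_by, extended_to)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the ICO: 72 hours after becoming aware of the
    breach. Requires a timezone-aware timestamp so a clock change or a
    differently configured server cannot shift the deadline."""
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("aware_at must be timezone-aware")
    return aware_at + timedelta(hours=72)


def breach_notification_is_late(aware_at: datetime, notified_at: datetime) -> bool:
    """True if the ICO was notified after the 72-hour limit; a late
    notification must be accompanied by the reasons for the delay."""
    return notified_at > breach_notification_deadline(aware_at)


if __name__ == "__main__":
    from datetime import timezone

    print(sar_deadline(date(2018, 1, 31)))
    print(sar_deadline(date(2018, 1, 31), True, date(2018, 2, 10)))
    aware = datetime(2018, 10, 27, 10, 0, tzinfo=timezone.utc)
    print(breach_notification_deadline(aware))
```

The breach clock deliberately refuses a naive datetime: "became aware" is usually taken from a SIEM alert or an incident ticket, and if those timestamps are recorded in local time by one system and UTC by another, a 72-hour deadline can silently move by an hour at the DST change.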
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk or find us on…
/iconews
http://ico.org.uk/livechat
@iconews