Public Sector Organisations - are you GDPR ready?


Public Sector Organisations - are you GDPR ready?
Data Protection Practitioners’ Conference 2018 #DPPC2018

Are we a public authority?
- Public authority is not defined in the GDPR. It will be defined in the Data Protection Act 2018 (when passed).
- It is likely that if you are a public authority as defined under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR.

What lawful bases should we use?
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests: the processing is necessary to protect someone’s life
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests

What lawful bases should we use?
- The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences
- You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies
- Once you have identified your lawful basis, you must document it and update your privacy notice to explain it
- Documenting your lawful basis will help you comply with the GDPR’s ‘accountability’ requirements

Public task?
- One of the differences between the old conditions for processing and the new lawful bases is that public authorities now need to consider the new ‘public task’ basis for most processing
- The ‘public task’ basis can apply where the processing is necessary for you to perform a task in the public interest or in the exercise of your official authority (for example a public body’s tasks, functions or powers)
- There must be a clear basis in law for the relevant task or function
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest

Consent or legitimate interest?
- In many circumstances consent may not be the most appropriate lawful basis. You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing.
- If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives
- If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority
- However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate
- You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies
- More information can be found in the lawful basis section of our Guide to GDPR

Consent or legitimate interest?
For example:
- Universities and museums are likely to be classified as public authorities, so the ‘public task’ basis is likely to apply to much of their processing
- But where they are processing personal data separate from their tasks as a public authority, they may instead wish to consider whether either the lawful basis of consent or that of legitimate interests is appropriate
- These bases could apply, for example, where they are processing personal data for alumni relations or for fundraising purposes
- There are other lawful bases which could also be relevant. For more information see the lawful basis section of our Guide to GDPR

Do we need to appoint a DPO?
- Public authorities must appoint a DPO (except for courts acting in their judicial capacity)
- You will need to provide the ICO with the contact details of your DPO when you pay your fee

Can organisations share a DPO?
- Yes, you may appoint a single DPO to act for a group of public authorities, taking into account their size and structure
- However, you must ensure that the DPO is still able to perform their tasks effectively and is easily accessible

Special categories of personal data
- “Special Category Data” under the GDPR is broadly similar to the concept of “Sensitive Personal Data” under the DPA 1998
- It is personal data which is more sensitive, and so needs more protection
- The special categories have been expanded to include genetic data and biometric data where it is processed to uniquely identify an individual

Special categories of personal data
- Race or ethnicity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Sexual life or orientation
- Genetic or biometric

Special categories of personal data
Under the GDPR, if you are processing special category data you must have a lawful basis for processing under Article 6 (as you would for other personal data), but you must also satisfy a condition under Article 9:
- Explicit consent
- Employment law
- Vital interests of anyone
- Not-for-profit TU/religious/political/philosophical groups
- Already in public domain
- Legal proceedings/advice
- Substantial public interest
- Medical purposes
- Public health
- Archiving in public interest, scientific/historical research purposes or statistical purposes

Criminal offence data
- The GDPR rules for special category data do not apply to information about criminal allegations, proceedings or convictions
- Instead, there are separate safeguards for personal data relating to criminal convictions and offences, or related security measures, set out in Article 10
- To process such data, you must have both a legal basis under Article 6 and either legal authority or official authority for the processing under Article 10
- Article 10 also specifies that you can only keep a comprehensive register of criminal convictions if you are doing so under the control of official authority

Data sharing agreements under GDPR
- If you have an existing data sharing agreement, and this agreement complies with the Data Protection Act 1998, it is likely you can still share data under the GDPR. You should still review any existing agreements to ensure that any data sharing is fair and transparent and complies with the requirements of the GDPR
- A data protection impact assessment (DPIA) may need to be carried out for any new or revised data sharing, especially if you are using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals
- You should also be aware that the GDPR contains explicit provisions about documenting processing activities, including maintaining records on data sharing. There is a limited exemption for small and medium-sized organisations

What rights will exist under GDPR?
- Be informed
- Access
- Rectification
- Erasure
- Restrict processing
- Data portability
- Object
- ADM/Profiling

Right to be informed
Individuals have the right to receive privacy information such as:
- How their data will be processed
- Who it will be shared with
- What their rights are with respect to it
The information you supply must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- AND provided free of charge

Right of access
Individuals have the right to:
- Have confirmation that their data is being processed
- Be aware of and verify the lawfulness of the processing
- Request access to their personal data
You must:
- Take reasonable steps to verify the identity of the requestor
- Comply with such requests within 1 calendar month
- Provide data free of charge

Right of access
- You may charge a reasonable fee or refuse to respond when a request is manifestly unfounded or excessive, particularly if it is repetitive
- Where you refuse a request, you must explain why to the individual, informing them of their right to complain to the ICO and to a judicial remedy, without undue delay and at the latest within one month
- The fee must be based on the administrative costs of providing the information
- If a request is made electronically, you should provide the information in a commonly used electronic format
- It would be considered best practice, where possible, to provide remote access to a secure self-service system which would give individuals direct access to their information
- Where you process a large quantity of information, the GDPR permits you to ask the individual to specify the information that the request relates to

Right to rectification
Individuals have the right to:
- Their personal data being accurate
- Request that inaccurate data be corrected and incomplete data completed
You must:
- Correct inaccurate matters of fact and confirm rectification
- Inform recipients of incorrect data of the rectification
- Inform the data subject if you are not amending the record, and why

Right to erasure
Individuals have the right to erasure if:
- Personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
- Individuals withdraw consent
- Their data has been unlawfully processed
- There is a legal obligation to erase
- The data was added to social media when the individual was a child
You must:
- Comply with the request unless you have a legal obligation to continue processing the data
- Take steps to inform any other processors of the data subject’s request for erasure if the personal data has been made public

Right to restrict processing
Individuals can request:
- Restriction of processing until an accuracy claim is verified
- Retention of unlawfully processed data
- Retention of data for the exercise or defence of legal claims
You must:
- Take steps to ensure the restriction as requested
- Inform the data subject if data processing will recommence, and why

Right to data portability
Individuals have the right to:
- Receive their personal data in a structured, commonly used and machine-readable format
- Transmit their data to another controller without hindrance
This right only applies if:
- The individual has provided you with their personal data
- The data is processed by consent or a contract
- AND processing is carried out by automated means
This right does not apply when the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of your official authority. However, it may be good practice to provide for portability regardless

Right to object
Individuals have the right to object to:
- Processing for direct marketing
- Processing if done in the public interest or for your legitimate interests, including profiling
You must:
- Comply immediately if you are direct marketing! No exemptions!
- For public and legitimate interests, comply unless you can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims

Rights in relation to ADM including profiling
Under Article 22, individuals have the right not to be subject to a decision when:
- It is based solely on automated processing, including profiling
- AND it produces a legal or similarly significant effect on the individual
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
- Give individuals information about the processing
- Introduce simple ways to request human intervention or challenge a decision
- Carry out regular checks to make sure that your system works as intended

What rights will exist under GDPR?
- Your obligation to uphold these individual rights may vary depending on the lawful basis you are relying on
- For example, individuals’ rights to erasure and data portability do not apply where you are processing on the basis of ‘public task’, but individuals will have a right to object
- Please see the Individual Rights section of our Guide to the GDPR for further information

Accountability under GDPR
- The GDPR’s accountability principle (Article 5(2)) requires you to be able to demonstrate how you comply with the data protection principles
- This can be demonstrated by having effective policies and procedures in place, such as:
  - Processing data in a transparent manner
  - Maintaining records of processing
  - Appointing a DPO
  - Carrying out DPIAs

Transparency under GDPR
- The first principle of the GDPR requires you to process data in a transparent manner in relation to the data subject (Article 5(1)(a))
- The GDPR emphasises the need for transparency over how you use personal data. This can be achieved by providing individuals with privacy information (typically through a privacy notice) such as how their data will be processed, who it will be shared with and what their rights are with respect to it (Articles 13 and 14)
- If individuals know this information from the outset, they will be able to make informed decisions in relation to their personal data
- Any information you supply relating to the processing of personal data should be easily accessible, easy to understand and written in clear and plain language

Security under GDPR
- Personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).”
- You are required to implement appropriate technical, organisational and security measures to ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR. This may include:
  - Staff training
  - Internal audits
  - Pseudonymisation and encryption
  - A process for regularly testing, assessing and evaluating measures
  - Breach management

Breach reporting
Notify the ICO:
- Not later than 72 hours (you can add detail later)
- Where the breach is likely to result in a risk to the rights and freedoms of individuals
Notify data subjects:
- Without undue delay
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals

Keep in touch
- Subscribe to our e-newsletter at www.ico.org.uk
- or find us on… /iconews, http://ico.org.uk/livechat, @iconews