Managing Data Darren Wright.


Objectives
- Legal requirements
- GDPR
- Looking at the types of data that you collect
- How to balance data types
- Open data

Issues with data
- Compliance
- Accuracy
- Feedback loop

Legal Requirements
- Personal data should be processed fairly and lawfully
- Data should be collected for a clear purpose
- Collection should be adequate for that purpose
- Data shouldn’t be kept for too long
- People supplying data should understand their rights

What is personal sensitive data?
- Data that relates to racial or ethnic origin
- Data that relates to religious beliefs
- Data that relates to a physical or mental health condition
- Data that relates to someone’s sexual life
- Data that relates to political views
- New – Biometric and genetic data

Conditions for processing
One of the following must be met:-
- Individual has explicitly consented
- Processing is necessary to enter into a contract
- Processing is required as part of a legal obligation
- Processing is necessary to protect vital interests

GDPR Regulations
- Update of the Data Protection Directive 1995
- Privacy and Electronic Communications (EC Directive) Regulations 2003 – Cookies & Direct Marketing
- Three objectives:-
  - One unified regulation for 27 member states
  - Managing corporate data transfer rules outside the European Union
  - Emphasising individual control over personal identifying data
- Compliance date of 25th May 2018

GDPR - Significant changes
- Removes the distinction between a data controller and data processor
- Pays attention to how data moves across EU boundaries
- Greater fines (20 million euros or 4% of global turnover)
- Much more of a focus on consent and transparency
- Right to be forgotten and data portability
- Right to object to processing and automation

GDPR Key Elements
- Data Protection policy and procedure
- Knowing what data you collect
- Informed consent & Privacy

Accountability
- How is data protection monitored at board level?
- Is your formal mechanism set out in the policy?
- Who is the accountable individual if there is a data breach?
- Do you meet the criteria for a Mandatory Data Protection Officer?
- How is policy communicated to staff (induction/training)?

Data collection
- Is your data schema incorporated into your policy?
- Do you record who has access to data?
- Do you have a process for removing access to data?
- Do you have a process for dealing with subject access requests?
- How and when do you remove data?

Consent
- Is your consent process incorporated into your policy?
- Do you carry out privacy impact assessments for projects? (data protection by design)
- Review dates (for both consent and policy itself)

Data Protection Policy - Other
- Infrastructure – patch policy for IT equipment
- Password policy
- Basic cyber security
- Cyber Security Guidance for Business
- How do you manage a change in IT provider?

All organisations collect four types of data
- Demographics – Data that identifies individuals
- Activity – What has happened to an individual
- Outcome – What benefits, or disbenefits, have been received
- Satisfaction – How happy the individual is

Demographic data
- Definition: The identifying factors for individuals
- Examples: Gender; Age; Ethnicity
- Strengths: Can help to measure how representative of a community a service is; Can be used as a comparator for outcome data
- Weaknesses: On its own it is not very useful data; Ease of collection can result in excess collection; Data protection issues

Activity data
- Definition: A measurement of the inputs provided by a service
- Examples: Number of people that have used a service; Number of referrals (in and out); Number of sessions carried out
- Strengths: Easy to measure; An important element in calculating your costs
- Weaknesses: More of a measure of how busy a service is rather than how effective; Not a measure of quality

Outcome data
- Definition: A measurement of the change in an individual
- Examples: Clients that have given up smoking; Clients that have lost weight; Clients accessing entitled range of benefits
- Strengths: Much more focus on the person receiving the service; A measure of the quality of the service you provide; Can be used to compare with other services
- Weaknesses: Can be hard to measure; Requires measurement at two points

Satisfaction data
- Definition: Perception of the intervention
- Examples: Client satisfaction surveys
- Strengths: Satisfaction is important in assessing if people will return to a service; Can be used as a basis for adding a personal element to reporting
- Weaknesses: Inherently subjective; Not comparable inside an organisation let alone with other organisations; People liking a service doesn’t mean it is a good service

Audit your data
- List every item of data you collect
- Identify which type of data it is
- List the function of collection
- Identify how long you keep it for
- If data has no purpose, stop collecting it

Privacy and Consent
- Privacy is a statement of values e.g. you could obtain data through wider means than consent
- Consent is an affirmative action and granular in what it tries to achieve

Managing Consent
- Be clear on why data is being collected
- What are you going to do with it?
- Consent cannot be hidden in terms and conditions
- Consent cannot be a condition for receiving a service
- Consent cannot be given by opt out (pre-ticked boxes)

Privacy
- Contact details of controller
- Reason for collecting and processing
- Third party relationships
- Method to remove consent
- Existence of automated decision making process

Emphasis on the individual
- Must comply with right of access (subject access requests)
- Information must be provided within a month
- Two months if compliance can be shown to be complex
- Cannot charge for access unless request is “manifestly unfounded”
- Right of access requests should be able to be made electronically

Right to erasure
- Right of erasure is not absolute
- Should erase when original purpose is no longer necessary
- When consent is withdrawn
- Information has been unlawfully processed
- To comply with legal obligation

Right to erasure - Exemptions
- Exercising right of freedom of expression
- To comply with legal obligation
- Public health purposes (public interest)
- Archiving purpose (public interest)
- Defence of legal claim

Right to object to processing
There are three rights to object to processing
- Direct marketing (absolute)
- Research processing (relating to personal situation)
- Legitimate/public interest (compelling legitimacy or defence of legal claim)

Legitimate Interest
- The most flexible reason for data processing
- Would people reasonably expect the way you use data?
- Three part test:-
  - Identify a legitimate interest;
  - Show that the processing is necessary to achieve it; and
  - Balance it against the individual’s interests, rights and freedoms

Legitimate Interest
- The legitimate interests can be your own interests & can include commercial interests
- If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s.
- You must include details of your legitimate interests in your privacy information.

Reconsent
- Do you need to seek fresh consent? Generally no
- Are you sure you originally got consent?
- Did the consent relate to the current condition for processing?
- Can you audit consent?
- PECR 2003 – soft opt in on existing data (opt out as part of a sale)

Consent – Things to remember
- You must inform 3rd parties you have shared data with when erasure takes place
- The heart of consent is transparency of why you collect data and what you do with it
- You must review your consent process to ensure it reflects the things you use data for
- Consent must be in plain language
- Consent must be easily revoked

Open data
- Anonymised data
- Machine readable format
- Consistent structure

Data for social good
- Local services know more about communities than anyone else
- Local data is more responsive than national data
- You can influence the way services develop
- Authority gives you more power in commissioning
- Linking with other data promotes integration

Data for business planning
- Outcomes assessed against demographics can give you insight into where you have greater access to communities
- Outcomes assessed against demographics can highlight training needs for staff
- Outcomes divided by the cost of the service can be used as a unit costing mechanism
- Business insight provides a basis for tender opportunities

Data collection tips:-
1. There should be a balance in data types you collect
2. All data collected should have a purpose
3. If data isn’t analysed then free text provides improved narrative
4. Audit your data; if you don’t know why you’re collecting it, stop
5. The more data you collect the more errors you collect
6. Old data can be harmful
7. You know a lot about the area you work in, share it