Avoiding Data Protection pitfalls when collecting Equality Information. Morgan Cole LLP, 11th October 2012.
Slide 1: Avoiding Data Protection pitfalls when collecting Equality Information
Mererid McDaid, Associate, Morgan Cole LLP. 11th October 2012.

Slide 2: Equality Act 2010
Section 149(1) provides that a public authority must, in exercising its functions, have due regard to the need to:
• eliminate conduct prohibited by the Act
• advance equality of opportunity
• foster good relations between persons
Welsh Ministers prepared Regulations for the purpose of better performance of the general duty.
Application to Housing Associations.

Slide 3: The Regulatory Framework
Published 2 December 2011.
Purpose: "Delivering high quality services – providing services that meets people's needs and expectations…"
Governance & Financial Management:
• "We place the people who want to use our service at the heart of our work…"
• "Our activities and services reflect the diversity of the communities where we operate, are free from discrimination and promote equality of opportunity"

Slide 4: What is equality monitoring data?
Likely to include the following details:
• name
• address
• details of any dependants
• details of any illnesses or other health issues
Could also include data relating to:
• age
• disability
• gender reassignment
• marriage and civil partnership
• race
• religion or beliefs
• sex
• sexual orientation
All of these are "protected characteristics".

Slide 5: Equality Data and Personal Data (1)
Data collected is likely to be "personal data". Personal data is defined as:
• information in electronic format, or in tightly structured manual files, that relates to identifiable living individuals
• it also includes cases where an individual can be identified from context, or where the information can be linked with other information that allows an individual to be identified

Slide 6: Equality Data and Personal Data (2)
Data may also be "sensitive personal data". Sensitive personal data is defined as information about:
• racial or ethnic origin
• political opinions
• religious (or similar) beliefs
• trade union membership
• physical or mental health
• sexual life
• commission or alleged commission of a criminal offence
• prosecution for alleged offences

Slide 7: What activities are covered by the DPA?
Any and all handling of personal data, e.g. recording, copying, sharing, disclosing (including verbally), emailing, faxing, updating, retrieving, storing, destroying, reading, organising or rearranging.

Slide 8: Data Collection and DPA
If collecting equality data, a Housing Association will:
• collect
• analyse, and
• possibly publish data
This is therefore "processing" for the purposes of the DPA.

Slide 9: Impact of DPA
Anyone that processes personal information must comply with the eight key principles. Failure to do so can result in enforcement action, including penalties being imposed. Other possible consequences include:
• losing the confidence of your tenants and other stakeholders
• reputational risk

Slide 10: Data Protection Principles
Personal data must be:
• handled fairly and lawfully
• used for specified purposes
• adequate, relevant and not excessive
• accurate and up to date
Personal data must:
• not be kept for longer than necessary
• be handled in accordance with individuals' rights
• be handled securely
• not be transferred to a country outside the European Economic Area unless there is adequate protection for privacy

Slide 11: Principle 1: Handling data fairly
All personal data must be processed "fairly and lawfully" and for specified purposes. What does this mean?

Slide 12: Handling data fairly
Individuals must be told about your use of their data:
• who is responsible for looking after their data
• why their data is being collected and used
• any other relevant information: anything that might surprise them about the use of their data, or that you feel they should know about, especially if they might wish to object, e.g. whether the data will be shared with others, used for marketing, or handled abroad
• whether you are planning to use their details (especially email addresses and mobile numbers) for promotional or marketing purposes

Slide 13: Handling data fairly
You don't always need consent to use personal data, but if you have made promises about the way you will use it, it will be unfair to then use it in a different way without going back to the individual.
E.g. "We will only use your mobile number so we can contact you in an emergency." It would then be unfair to use mobile numbers for routine calls or to send promotional text messages.

Slide 14: Handling data fairly
Personal data must be handled "lawfully". Personal data that has been supplied to you in confidence must be treated in confidence; otherwise there will be a breach of the DPA as well as a breach of confidence.

Slide 15: Confidentiality
Certain information is "confidential" if it is supplied and received with the understanding that it should be kept private. Individuals can bring legal action if their confidential information is disclosed without consent.
Confidential information can be disclosed in exceptional cases if necessary in the public interest, e.g. to save life and limb or to expose wrongdoing.

Slide 16: What may people expect you to treat as confidential?
• name, address and telephone number
• date of birth
• personal circumstances, including employment
• their involvement with other agencies
• financial circumstances
• medical circumstances
• information about other household members
• racial or ethnic origin
• religion
• history of criminal offences
• any other information that they specifically say is being provided in confidence

Slide 17: Fair handling
In addition to any duty of confidentiality, personal data should be "processed" only if one of the following six conditions applies. Remember that this applies every time you use personal data, for any purpose at all.

Slide 18: Personal Data: Schedule 2 condition
• consent
• processing necessary for the performance of a contract
• processing necessary to comply with a legal obligation
• processing necessary to protect vital interests
• processing necessary for the exercise of statutory/public functions
• processing necessary for legitimate interests, provided there is no unwarranted interference with the rights and freedoms of the individuals concerned

Slide 19: Sensitive Data: Schedule 3 condition
If handling sensitive personal data you must also satisfy a condition in Schedule 3, which include:
• explicit consent
• necessary for the purpose of any statutory functions
• necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to promoting or maintaining equality, and carried out with appropriate safeguards
Note that the equality-monitoring condition in Schedule 3 itself covers only racial or ethnic origin. For the other characteristics on a monitoring form (religion, disability, sexual orientation) you need a different condition, which in practice is usually explicit consent.

Slide 20: Fair handling
Information should:
• be used only for specified purposes
• not be used for any "incompatible purpose" (unless an exemption applies)
Exemptions:
• prevent/detect crime
• carry out serious internal investigations
• obtain legal advice, deal with legal proceedings

Slide 21: Fair Processing Information
If sensitive personal data is being collected and is to be processed on the basis of consent, the fair processing notice should be written in such a way that explicit consent to processing is obtained.

Slide 22: Torbay Care Trust (1)
Served a Civil Monetary Penalty (CMP) for the online publication of sensitive personal data collected in connection with the Trust's duties under the Equality Act 2010.
Information collected by a staff survey was stored on the Trust's electronic staff records system. The workforce development team was then asked to supply information from the system for the purpose of publishing equality data.

Slide 23: Torbay Care Trust (2)
An Excel spreadsheet was prepared containing details of 1,373 staff, including:
• names and dates of birth
• NI numbers, and
• sensitive personal data such as race, religious beliefs, disability and sexual orientation
It was published on the Trust's website and remained online for 19 weeks, until a member of the public made the ICO aware of the document.

Slide 24: Torbay Care Trust (3)
The ICO investigation found:
• no guidance for staff on what information should not be published online
• the Trust had failed to put in place adequate checks to identify potential problems
• the ICO considered the breach extremely serious because of the large number of employee records involved and the sensitive and confidential nature of the personal data
A CMP of £175,000 was served.

Slide 25: Good practice (1)
• Make data protection statements on monitoring forms easy to understand, and include what the information is going to be used for and whether it will be shared and, if so, with whom
• Be clear about the reasons for monitoring, particularly whether the individual is obliged to provide the information
• If publishing information, anonymise the results (and critically review them before release)
• Tell individuals of their rights under the DPA
• Make sure the information collected is accurate and kept up to date
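The Torbay failure was a raw staff extract going onto a website with no check between the HR system and publication. The following is an added example, not code from the original slides or from Morgan Cole, of what the "adequate checks" and "anonymise the results" points look like in practice: a release gate that refuses any file still carrying direct identifiers (by header name and by scanning cells for the shape of an NI number), plus an aggregation step that turns individual records into counts per protected characteristic, suppressing small cells. The sample extract, the identifier column names, the NI-number pattern and the suppression threshold are all assumptions chosen for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: a fictitious HR extract of the shape described in the
# Torbay Care Trust slides (names, dates of birth and NI numbers alongside
# protected characteristics). No real people; NI numbers are invented.
SAMPLE_EXPORT = """\
name,dob,ni_number,race,religion,disability,sexual_orientation
Alice Example,1980-01-02,QQ123456A,White,None,No,Heterosexual
Bob Example,1975-03-04,QQ123457B,Asian,Muslim,No,Heterosexual
Carol Example,1990-05-06,QQ123458C,White,Christian,Yes,Gay
Dan Example,1985-07-08,QQ123459D,White,None,No,Heterosexual
Eve Example,1970-09-10,QQ123460A,Black,Christian,No,Heterosexual
Frank Example,1988-11-12,QQ123461B,White,None,No,Bisexual
"""

# Column headers that directly identify a living individual. An assumed list;
# extend it to match the headers your own HR system actually exports.
DIRECT_IDENTIFIERS = {"name", "dob", "ni_number"}

# Protected characteristics the return may report, and only as counts.
MONITORED_FIELDS = ["race", "religion", "disability", "sexual_orientation"]

# Approximate shape of a UK National Insurance number (two letters, six
# digits, one letter). Used to catch identifiers hiding under an innocent
# header such as "reference".
NI_PATTERN = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")


def release_problems(csv_text):
    """Reasons why this file must not be published. An empty list means it passed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    problems = []
    bad_headers = sorted(h for h in (reader.fieldnames or [])
                         if h.strip().lower() in DIRECT_IDENTIFIERS)
    if bad_headers:
        problems.append("direct identifier columns present: " + ", ".join(bad_headers))
    if any(NI_PATTERN.search(str(v)) for row in rows
           for v in row.values() if v is not None):
        problems.append("cell values look like National Insurance numbers")
    return problems


def aggregate(rows, field, min_count):
    """Count one characteristic, replacing cells below min_count with '<N'.
    The threshold is an assumption: in a small workforce a cell of one or two
    can identify a person on its own, so set it from your own disclosure review."""
    counts = Counter(row[field] for row in rows)
    return {value: (n if n >= min_count else "<%d" % min_count)
            for value, n in counts.items()}


def equality_return(csv_text, min_count=5):
    """Aggregate the raw extract into the table that is safe to publish."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {field: aggregate(rows, field, min_count) for field in MONITORED_FIELDS}


def render_return(table):
    """Serialise the aggregate as the CSV that would actually go on the website."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["characteristic", "value", "count"])
    for field, counts in table.items():
        for value in sorted(counts):
            writer.writerow([field, value, counts[value]])
    return out.getvalue()


def publish(csv_text, min_count=5):
    """Release gate: aggregate, then re-run the identifier check on the output
    itself before anything is released. Raises rather than publishing."""
    rendered = render_return(equality_return(csv_text, min_count))
    problems = release_problems(rendered)
    if problems:
        raise ValueError("refusing to publish: " + "; ".join(problems))
    return rendered


if __name__ == "__main__":
    # The raw HR extract fails the gate on two counts; the aggregate passes.
    print("Raw extract:", release_problems(SAMPLE_EXPORT) or "no problems")
    print(publish(SAMPLE_EXPORT, min_count=3))
```

The two checks are deliberately independent: the header check catches the obvious case of exporting the whole record, and the cell scan catches an identifier that survives a column rename. Running `release_problems` on the rendered output, not just the input, is the step Torbay lacked: whatever is about to be uploaded is what gets checked.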

Slide 26: Good practice (2)
• Periodically review the information collected to ensure it is still needed for monitoring purposes
• Develop a policy on how long information will be kept
• Assess what security measures are required to keep the information secure
• Make sure that only staff who need to view the information collected are able to gain access, and ensure such staff are appropriately trained
• Make sure information is disposed of securely when it is no longer needed