www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report.

Presentation transcript:

National Smartcard Project Work Package 8 – Information Law Report

Information Law Report
Format of report:
- Executive summary
- Introduction
- Main body of report (15 sections)
- Appendix 1: Glossary
- Appendix 2: Overview of main areas of law
- Appendix 3: Sources
- Appendix 4: Data processor agreements
- Appendix 5: Data protection notice toolkit

Executive Summary
The Executive Summary sets out:
- What is considered in the Information Law Report: i.e. the information law issues connected with a Smartcard Scheme including data protection, human rights, administrative law and freedom of information.
- A summary of the conclusions reached in each section of the Information Law Report.

Introduction
The Introduction explains:
- the purpose of the report;
- the parameters of the report;
- the assumptions that have been made in order to draft the Information Law Report.
Please note that the report should be read in conjunction with the Introductory Report and appropriate sections of the Card Governance Report.

Lawfulness for processing data and vires
- Human Rights Act 1998
  - Requirement to comply with Article 8 ECHR – “Everyone has the right to respect for his private and family life, his home and correspondence”
- Principle 1 Data Protection Act
  - Requirement for lawfulness – a Card Issuer must act within its statutory powers
- What powers do Card Issuers have?
  - A question of administrative law
  - Powers may be express or implied
  - Examples of implied powers:
    - Local Government Act 1972
    - Local Government Act 2000

Status of the parties for data protection purposes
- Data Controllers
  - Control the purposes for and manner of the processing
- Data Processors
  - Process on behalf of a Data Controller

Status of the parties for data protection purposes
Consider:
- Card Issuers
- Secondary Service Providers
- Joint Card Issuers
- Card Suppliers
- Other Card Issuers and other Secondary Service Providers
- External Project Manager/Consultants
- Contractors and Sub-contractors
- Employees
- Data Subjects/Card Users
Ensure changes to status are taken into account

Data involved in the Smartcard Scheme
- Personal Data
  - Includes manual and computerised Data
- Sensitive Personal Data
  - E.g. health/disability
  - Requires a higher level of protection
  - Consider whether this is necessary
- Anonymous Data and non-Personal Data
  - Is this truly anonymous?
- Consider treating everything as Personal Data to ensure DPA and HRA compliance

Grounds for processing Personal Data
Data Controllers must have a Schedule 2 Data Protection Act ground. In particular:
- Necessary for the exercise of any function conferred on any person by or under enactment
- Necessary for the exercise of any other function of a public nature exercised in the public interest by any person

Grounds for processing Personal Data
What is “necessary”?
- “encompasses matters which are “reasonably required or legally ancillary to” the accomplishment of the specified purposes”.
- Does not have to be “absolutely essential” – DCA
- Is it proportionate to the aim pursued?

Grounds for processing Personal Data
Data Controllers must have a Schedule 3 Data Protection Act ground for Sensitive Personal Data. In particular:
- Necessary for the exercise of any function conferred on any person by or under an enactment
Is it necessary to process Sensitive Personal Data?

Information for Data Subjects
Data Subjects must be told or have readily available to them:
- Identity of the Data Controller
- Purposes for the processing (NB including non-obvious purposes)
- Any other information necessary in the circumstances to make the processing fair
How to make this information available?
- Data protection notice/privacy statement

Information for Data Subjects
DCA consultation suggests:
- Public services trust guarantee
- Service specific statement
- Code of practice
- Management guidance
- Complaints procedure
- Data sharing protocols

Use of Personal Data for Marketing
- Data Protection Act requirements
  - Fairness and compliance with the principles
  - Absolute right to object to direct marketing
- Privacy and Electronic Communications (EC Directive) Regulations 2003
  - Cover marketing by email, SMS, MMS, telephone, fax and automated calling systems
  - Regulate “cookies”
- Consider:
  - Joint notices
  - Where to provide notices
  - Accessibility issues
  - Whether consent should be obtained at the same time

Use of any Smartcard Number
- General Identifiers
  - Currently none prescribed but beware of this if any prescribed in the future
- Use of certain numbers restricted
  - E.g. NHS Number, Pupil Identification Number, NI Number – do not use these in a Smartcard Scheme unless purpose is authorised.
- Use of a unique Smartcard number
  - Will be Personal Data therefore comply with the DPA

Data Sharing
Involves consideration of:
- Administrative law
- Human Rights Act 1998
- Data Protection Act 1998
- Confidentiality

Data Sharing
Practical Issues for a Smartcard Scheme:
- What does the Card Issuer want to do and why?
- Does it have the power to do this?
- Who does it want to do this with?
- Does that organisation have the power to do this?
- How will it be done?
- Impact on the individual?
- Can impact be minimised?
- DPA, HRA and confidentiality considered?
- Data Sharing protocols
- Take into account the DCA toolkit on data sharing

Disclosures
Non-disclosure exemptions in the DPA:
- Section 29 Data Protection Act
  - Gives a discretion to disclose for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty
- Section 35 Data Protection Act
  - Allows for mandatory disclosures where required by or under enactment or court order.
  - Allows for disclosures in connection with legal proceedings, obtaining legal advice or where necessary for establishing, defending or exercising legal rights.
Card Issuer should have disclosure policies in place

Data Matching
- Requirement for lawfulness
- Requirement for fairness
- Ensure that there is a power to cross match and that the law is complied with

Security
Principle 7 Data Protection Act: Technical and organisational measures must be in place to protect Personal Data
Consider:
- Access and segregation
- Employees
- Data Processors
- Segregation for data sharing and Reader purposes
- Reader Security
- Data sharing
- Disclosures
- Identity of Card Users
- Loss or theft
- Biometrics

Subject Access and Individual Rights
- Subject access to Smartcard Data
  - Comply with the DPA in providing access (40 day timescale)
  - Consider how access can be provided within a shorter timescale (e-Envoy policy framework)
  - Consider how to provide access in a joint scheme
  - Consider policy for providing access to children directly and to others on behalf of a child
- Other individual rights
  - Right to object to direct marketing
  - Automated decision making
  - Processing likely to cause damage or distress
  - Inaccuracy

Compliance with other Data Protection Principles
- Principle 1: Fairness generally – e.g. how are the Data obtained?
- Principle 2: Specified, lawful and, when further processing, compatible purposes
- Principle 3: Adequate, relevant and not excessive
- Principle 4: Accurate and, where necessary, up to date
- Principle 5: Kept no longer than necessary
- Principle 8: Adequate protection for transfers outside the European Economic Area

Notification
- Requirement to notify Information Commissioner
- Criminal offence to fail to notify and to keep notification up to date
- Ensure that notification covers Smartcard purposes

Freedom of Information
Consider:
- Status for freedom of information purposes
- Freedom of information at the tender stage
- Freedom of information at the contract stage
- Freedom of information and Personal Data
- Policies

Appendices 1-3
- Appendix 1: Glossary of terms specific to the Information Law Report
- Appendix 2: Overview of main areas of law: a brief summary of the Data Protection Act 1998, Article 8 of the Human Rights Act, Freedom of Information Act 2000 and common law confidentiality
- Appendix 3: A list of primary and secondary source materials

Appendix 4: Processor Agreements
- Guidance for completion
- Data Processor Contract Letter A
- Data Processor Contract Letter B
- Data Processor Contract Clauses
- Full Data Processor Agreement

Appendix 5: Data Protection Notice Toolkit
- Guidance notes
- Sample notice