Audiences NI Data Protection Workshop

Presentation transcript:

Audiences NI Data Protection Workshop
Rachael Gallagher, Senior Policy Officer, Information Commissioner's Office
2 December 2014
40 minutes, 12:15 -> 12:55

Welcome
- Information session 1 – Introduction to Data Protection
- Comfort break
- Information session 2 – Data sharing
- Case study
- Questions
- Close

An Introduction to Data Protection
40 minutes, 12:15 -> 12:55

Information Session 1
- About the ICO
- Key definitions of the Data Protection Act
- Data Protection Principles
- What must I do to comply?
- What happens if we don't comply?
- Learn from others what not to do

About the ICO
- Advice and guidance
- Audit and advisory visits
- Assess concerns
- Enforcement powers

Personal Data
Personal data is not just a person's name. It is any information that relates to or identifies a person and:
- is held on a computer
- is intended to be held on a computer
- forms part of a 'relevant filing system'
- forms part of an 'accessible record' (information relating to health or education)

Sensitive Personal Data
- Racial/ethnic origin
- Political opinion
- Religious belief
- Trade union membership
- Physical/mental health
- Sexual life
- Commission of a criminal offence
- Proceedings for any offence/alleged offences

Key Definitions
- Data subject: the person who the information is about, e.g. a customer
- Data controller: the person who makes decisions about the information
- Data processor: handles the information under the instruction of the controller, e.g. staff members

Data Protection Principles
The DPA is underpinned by a set of eight straightforward, common sense principles that organisations should follow. They state that personal data should be:
1) Processed fairly and lawfully
2) Processed for limited purposes
3) Adequate, relevant and not excessive
4) Accurate and up to date
5) Kept for no longer than necessary
6) Processed in accordance with the rights of individuals
7) Kept secure
8) Transferred outside the EEA only with adequate protection

Principle 1 – Fairly and Lawfully Processed
Be fair to individuals by using a 'Privacy Notice' which explains:
- who you are
- what you are going to do with their information
- any other information which would make it fair
Make sure you do not do anything unlawful with personal information.
Meet one or more 'Conditions' to use personal information:
- consent (explicit consent for sensitive personal data)
- legal obligation
- performance of a contract

Principle 2 – Processing for Limited Purposes
- Be clear why you need the information and what you intend to do with it
- Communicate to individuals what you intend to do with their information
- Ensure any new uses for the information are fair

Principle 3 – Adequate, Relevant and not Excessive
- Only collect and hold the personal information you need
- Be clear about why you need the information
- Do not hold information 'just in case'
- Hold the right amount of information

Principle 4 – Accurate and Up to Date
- Take steps to ensure personal information is accurate and up to date
- Ask individuals to advise you if their details change
- Consider whether it is necessary to update the information

Principle 5 – Not Held for Longer than is Necessary
- Regularly review the personal information to determine if you still need it
- Establish retention periods for different types of information
- No minimum or maximum time frame: the retention period depends on business/legal need

Principle 6 – Data Subject's Rights
- The right to access personal information
- The right to object to processing likely to cause damage or distress
- The right to prevent direct marketing
- The right to apply to a court to have information rectified, blocked, erased or destroyed
- The right to compensation

Rights as an Individual to Access Personal Data
The right of subject access:
- Ask for a copy of personal information
- Be provided with the information within 40 calendar days
- Request in writing, either by letter or email
- A fee of up to £10 can be charged for dealing with a request

Individual Right to Object to Direct Marketing
- You must stop any promotional activity directed at an individual if they write and ask you to stop
- You must stop within a 'reasonable period'
- Marketing electronically? You will also have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR)

Principle 7 – Security
You should have security that is appropriate to the nature of the information. You should consider:
- IT
- Cost
- Assessing the risk
- Information stored electronically/manually
- Homeworkers and staff who work outside the office

Think about Security
- Staff training
- Policies on data protection, homeworking, IT
- Physical security
- Sending information by post/fax/email?
- Quality of doors, locks, alarm systems, CCTV
- Supervising visitors
- Disposal of confidential waste
- Computer security (including mobile and removable devices)
- Anti-virus and anti-malware
- Encryption and password protection

Principle 8 – Transfer outside of the EEA
- Personal information should only be transferred outside the EEA where there is 'adequate protection'
- Particularly relevant to cloud computing

Privacy and Electronic Communications Regulations 2003
- Electronic marketing and cookies
- Explicit consent or soft opt-in
Soft opt-in: the contact details of the recipient were obtained in the course of a sale or negotiations for the sale of a product or service to that recipient; the marketing material relates to your similar products and services only; and the recipient is given the chance of opting out with each communication.

Think W3 Limited
Think W3 Limited, the online travel company, was served with a £150,000 monetary penalty after a hacker extracted a total of 1,163,996 credit and debit card records. Cardholders' details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

Department of Justice (NI)
A monetary penalty notice of £185,000 was served on the Department of Justice (NI) after a cabinet containing details of a terrorist incident was sold at auction.

Comfort Break
40 minutes, 12:15 -> 12:55

Data Sharing

Data Sharing
- An organisation providing information to a third party
- Systematic or 'one-off' data sharing
- Establish the data controller
- Comply with the Data Protection Principles
- Data Sharing Code of Practice

Considerations
- Principle 1: Fair and lawful – privacy notice; condition for processing
- Principle 6: Data subject's rights – right to object to direct marketing; subject access rights
- Principle 7: Kept secure – appropriate technical and organisational measures
- Compliance with PECR if marketing electronically

Case Study

Useful Guidance
- The Guide to Data Protection
- Privacy Notices Code of Practice
- The Guide to the Privacy and Electronic Communications Regulations 2003
- The Subject Access Code of Practice

Questions

Keep in Touch
Information Commissioner's Office, 3rd Floor, 14 Cromac Place, Gasworks, Belfast BT7 2JB.
Tel: 028 90278757 / 0303 123 1114
Email: ni@ico.org.uk
Subscribe to our e-newsletter at www.ico.org.uk or find us on www.twitter.com/iconews