Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Presentation transcript:

Data Protection
Paul Veysey & Bethan Walsh

Introduction
Data Protection is about protecting people by responsibly managing their data in ways they expect and understand.

Penalties
Data Protection in the UK is supervised and enforced by the Information Commissioner, who can serve notices on organisations to ensure compliance and can bring prosecutions.
Criminal offences include:
- Failing to notify data processing to the ICO
- Unlawful obtaining and disclosure of personal information
Civil claims for compensation can be brought by individuals where organisations have breached the provisions of the DPA, causing them damage.

Pro-active Approach
Organisations should:
- Appoint a senior member to take responsibility for Data Protection: the Data Protection Officer
- Ensure policies and procedures are in place so that data protection is always a consideration
- Ensure staff and volunteers have training and guidance available to them to ensure compliance
- Audit and review your data protection position

The Basics
The DPA is concerned with 'Personal Data' held by 'Data Controllers'.
Personal: identifiable, living individuals.

The Basics
Data?
- Information held on a computer
- Information in a relevant manual filing system
- Information intended to join one of the above

Data Controller
'A person who determines the purpose for which and the manner in which personal data is, or is to be, processed'

What is 'Processing'?
- Obtaining information
- Storing information
- Changing or copying
- Disclosing or passing on
- Destroying or erasing

Do I have to Notify?
Most organisations that process personal data must register (notify) with the ICO.
- Failure to notify is a criminal offence and a fine can be imposed
- Personal data cannot be processed until registration has taken place

Do I have to Notify?
Cost: £35 per year (if you have more than 249 employees and a turnover in excess of £25.9 million, the notification fee is £500, unless you are a charity)

Do I have to Notify?
Not-for-profit organisations have the benefit of an opt out where their functions are limited to:
- establishing or maintaining membership;
- supporting a not-for-profit body or association; or
- providing or administering activities for either the members or those who have regular contact with it.

Data Protection Principles
How to comply?

The Principles
1. Process fairly and lawfully
2. Obtain and process for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than is necessary
6. Processed in accordance with the rights of the individual
7. Appropriate security measures against unauthorised or unlawful use of data and against loss, destruction or damage
8. Transfer outside the EEA only where adequate protection is in place

1. Process Fairly and Lawfully
- You must collect data fairly and have legitimate grounds for collecting and using the data
- You must be transparent about how you intend to use the data
- You must not do anything unlawful with the data

1. Process Fairly and Lawfully
What can I do with personal data?
- The Act sets out 'conditions for processing', one of which must be complied with for processing to take place
- The key condition is CONSENT
- The safest route to compliance is to ensure the individual knows what will be done with their data at the point of collection

1. Process Fairly and Lawfully
Privacy Notices: see the Privacy Notices Code of Practice
- Sharing data with another organisation (Scenario 1)
- Using data for a new purpose (Scenario 2)
- The 'legitimate interest' exemption (Scenario 3)
- Lawful processing (Scenario 4)
- Other exemptions available

2. Obtain and process for specified purposes only
"The personal data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes"

2. Obtain and process for specified purposes only
1. Identify the purpose in your Privacy Notice (unless the purpose is obvious)
2. Register the purpose when notifying the Information Commissioner (unless you are exempt)

2. Obtain and process for specified purposes only
- Can the data be used for purposes other than those specified?
- When is one purpose compatible with the other?

3. Adequate, relevant and not excessive
"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed"

3. Adequate, relevant and not excessive
Only hold data which is sufficient for your purpose and no more (or less).

4. Accurate and up to date
To an extent the purpose of this principle is obvious.
- Take reasonable steps to ensure accuracy
- Ensure the source of personal data is clear
- Consider challenges to the accuracy of the information and their impact
- Should you update?

5. Not kept longer than is necessary
"Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes"

5. Not kept longer than is necessary
1. Adopt a policy to set out how long you will keep information and why
2. Regularly review the data
3. Ensure it is securely deleted or archived when it is no longer needed
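The three steps above (a written retention policy, a regular review, and disposal by deletion or archiving) can be carried out as one mechanical process. The following is an added example, not code from the presentation: the retention periods, categories, record identifiers and dates are all constructed for illustration and are not taken from the slides or from any statute. It shows why the review step should also flag data that no policy covers, since unclassified records are the ones most likely to be kept indefinitely.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (constructed for this example): data category ->
# (retention period in days after the data stops being needed, action once it expires).
RETENTION_POLICY = {
    "membership": (365 * 2, "delete"),    # e.g. two years after membership lapses
    "event_attendance": (365, "delete"),  # one year after the event
    "financial": (365 * 6, "archive"),    # kept for accounting, archived rather than deleted
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_needed: date  # last date on which the data was needed for its stated purpose


def retention_deadline(record):
    """Date after which the record has been kept longer than the policy allows,
    or None when the category has no policy entry."""
    policy = RETENTION_POLICY.get(record.category)
    if policy is None:
        return None
    days, _action = policy
    return record.last_needed + timedelta(days=days)


def review_retention(records, today):
    """Periodic review: return (record_id, action) for every record past its deadline.
    Records in a category the policy does not cover are flagged 'review' rather than
    silently kept, because an unclassified record is the one most likely to be held forever."""
    findings = []
    for record in records:
        deadline = retention_deadline(record)
        if deadline is None:
            findings.append((record.record_id, "review"))
        elif today > deadline:
            findings.append((record.record_id, RETENTION_POLICY[record.category][1]))
    return findings


def dispose(store, findings):
    """Apply the findings to an in-memory store (dict of record_id -> Record).
    'delete' removes the record, 'archive' moves it to a separate archive dict,
    'review' leaves it in place for a human decision. Returns the archive."""
    archive = {}
    for record_id, action in findings:
        if action == "delete":
            del store[record_id]
        elif action == "archive":
            archive[record_id] = store.pop(record_id)
    return archive


# Constructed sample data for a review run dated 1 June 2016.
SAMPLE_RECORDS = [
    Record("m-001", "membership", date(2013, 1, 31)),        # lapsed long ago -> delete
    Record("m-002", "membership", date(2015, 12, 31)),       # still within two years -> keep
    Record("e-001", "event_attendance", date(2015, 3, 1)),   # more than a year old -> delete
    Record("f-001", "financial", date(2009, 4, 5)),          # past six years -> archive
    Record("x-001", "unknown_export", date(2016, 1, 1)),     # no policy entry -> flag for review
]

if __name__ == "__main__":
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    findings = review_retention(SAMPLE_RECORDS, date(2016, 6, 1))
    archived = dispose(store, findings)
    print(findings)
    print("remaining:", sorted(store), "archived:", sorted(archived))
```

In a real system the `dispose` step would run against the live store and the archive would sit in separate, more tightly controlled storage; the point the example makes is that the policy is data (the table at the top), so the review can be repeated on a schedule and its output audited.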

6. The rights of individuals
- Rights of access to the data held
- Rights to object to processing likely to cause or causing harm
- A right to prevent direct marketing
- A right to object to decisions by automated means
- A right to have inaccurate data corrected or erased
- A RIGHT TO COMPENSATION for damage caused by a breach of the Act

7. Security
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data"

7. Security
Things to think about:
- Who should have access to data?
- Physical security
- Computer security
- Security Breach Management Plan

7. Security Breach
Security Breach Management Plan
- Containment and recovery
- Assessing risks
- Notification of breaches
- Evaluation and response

8. Transfer outside the EEA
"Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data"

Direct Marketing
Assuming the correct notices / consents have been given or can be safely assumed, direct marketing is usually permitted.

Direct Marketing
- Only covered if directed at individuals
- Covers communications by whatever means
- Includes marketing, advertising, campaigning, fundraising etc.

Direct Marketing
- Opt outs and stop notices: 28 days
- Delete or suppress?
- Can I ask them to opt back in?
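The "delete or suppress?" question has a practical answer: if an opted-out contact is simply deleted, the same person can reappear in the next import from another source and be marketed to again, whereas a suppression list keeps blocking them. The following is an added example, not part of the presentation. It keeps only a hash of the normalised address on the suppression list (enough to block future contact without holding a readable copy of the address), records the date the opt-out was received so the 28-day period from the slide can be tracked, and applies the list when a marketing list is rebuilt from several sources. The addresses, dates and the `OPT_OUT_WINDOW` constant name are constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# The slide's 28-day period for opt outs and stop notices (name is this example's own).
OPT_OUT_WINDOW = timedelta(days=28)


def normalise(email):
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' are treated as one address."""
    return email.strip().lower()


def suppression_token(email):
    """Hash of the normalised address. The list can then block an address without
    storing it in readable form, which is all the suppression purpose requires."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


class SuppressionList:
    """Opt-outs are recorded, not deleted: a deleted contact re-imported from another
    source would be mailed again; a suppressed one stays blocked."""

    def __init__(self):
        self._received = {}  # token -> date the opt-out / stop notice was received

    def add_opt_out(self, email, received):
        self._received[suppression_token(email)] = received

    def is_suppressed(self, email):
        return suppression_token(email) in self._received

    def deadline(self, email):
        """Latest date by which the opt-out must be in effect across every list."""
        return self._received[suppression_token(email)] + OPT_OUT_WINDOW


def build_marketing_list(sources, suppression):
    """Merge several contact sources, de-duplicate on the normalised address, and apply
    the suppression list last so a re-imported opted-out contact is still excluded."""
    merged = {normalise(email) for source in sources for email in source}
    return sorted(email for email in merged if not suppression.is_suppressed(email))


if __name__ == "__main__":
    # Constructed sample data: one opt-out received on 1 May 2016, two contact sources,
    # the second of which re-introduces the opted-out address with different casing.
    stop_list = SuppressionList()
    stop_list.add_opt_out("Alice@Example.com", date(2016, 5, 1))
    sources = [
        ["alice@example.com", "bob@example.org"],
        ["Carol@example.net", "ALICE@example.com"],
    ]
    print(build_marketing_list(sources, stop_list))
    print("opt-out must be effective by", stop_list.deadline("alice@example.com"))
```

The hash is a design choice, not a requirement: it limits what the suppression list itself reveals if it leaks, while still matching any future import of the same address once that import is normalised the same way.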

Electronic Marketing
What are the rules governing unsolicited:
1. Phone calls
2. Fax marketing
3. Emails, texts and voicemails
Privacy and Electronic Communications Regulations

Electronic Marketing
Websites: what are the data issues? Cookies?

Discussion / Q&A

Workshop locations