Data Protection webinar: Overview of Data Protection & Confidentiality, 22nd April 2015

Presentation transcript:

Data Protection webinar: Overview of Data Protection & Confidentiality, 22nd April 2015. Welcome. We’re just making the last few preparations for the webinar to start at Keep your speakers or headphones turned on and you will shortly hear a voice!

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

What Data Protection is about: 1
- Prevent harm to the individuals whose data we hold, or other people
- Keep information in the right hands
- Hold good quality data
Protecting people
Protecting data
Clients, Service users, Employees, Volunteers, Donors, Members, Supporters, Professional contacts

Examples
- Giving out an address or phone number allows someone to be harassed or stalked
- Poor security over financial details gives opportunities for ID fraud
- Losing information means that you can’t deliver the service someone needs
- Wrong information leads to someone not getting a job they were eligible for

What Data Protection is about: 2
- Reassure people that we use their information responsibly, so that they trust us
- Be transparent: open and honest, don’t hide things or go behind people’s backs
- Offer people a reasonable choice over how you use their data, and what for
Give us more money! Support our campaign! We sold your details to someone else

What Data Protection is about: 3
Comply with specific legal requirements, such as:
- Right to opt out of direct marketing
- Right of Subject Access
- Notification
- (And others)

The main topics for this webinar:
- Security
- Transparency
- Choice
- Accuracy & data quality
But first:
- The Data Protection Principles
- The definition of Personal data
- Confidentiality

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Personal data (diagram: Data / Not data against Personal / Not personal)

The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about: identifiable, living individuals
The data part means that it is recorded:
- electronically or on an automated system
- in a ‘relevant filing system’
- with the intention of going into one of these systems

Data Protection and Confidentiality overlap a lot, but they are not the same (diagram labels: Data Protection, Confidentiality, Clear boundaries)

Confidentiality
- Define the boundaries: who needs access to what information for what purposes? How do we decide?
- Does everyone affected understand where the boundaries are?
- How do you make sure all your staff and volunteers take the boundaries seriously?

Taking confidentiality seriously
- Gossip
- Scams/mistakes
- ‘Too onerous’ security

Weak points on confidentiality
- Discussing confidential information with partner or friend
- Talking about confidential information in public
- Working on confidential material in public
- Losing confidential documents/leaving them around
- Giving out information over the phone without checking
- Sharing or disclosing computer access details
- Sharing information about people who have not given permission
- Disposing of information carelessly

You could be breaking the law if you don’t respect confidentiality
It is a criminal offence ‘knowingly or recklessly’ to:
- access data you are not authorised to access
- allow another person unauthorised access
Examples:
- Criminal record and fine for operator who looked to see if her friends were on the police database
- Criminal record and fine (and no job) for bank clerk who looked up finances of partner’s ex-wife

Security (Principle 7)
The Data Protection Act says you must prevent:
- unauthorised access to personal data
- accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £500,000 for gross breaches of security.

Key security measures
- Protect ‘data in transit’
  - passwords, encryption on emails, USB devices and laptops
  - extreme care when faxing, emailing & posting
- Network security: anti-virus, firewall, log-ons, etc.
- Website security: ‘OWASP top ten’
- ‘Bring Your Own Device’ policy
- External contractors (‘Data Processors’)
- Secure destruction: shredding, etc.
- Access controls, clear desks, locked filing cabinets
- Staff DBS checks, supervision and monitoring

‘Fair’ processing (Principle 1): Transparency
- One part of being fair to people is to make sure they have no unpleasant surprises when you use data about them.
- This means you must always think whether you need to tell them anything about:
  - who is collecting their information
  - what purposes you hold their data for
  - who you might pass the data on to
  - how to contact you if they want to stop you from using their data or check what you are doing

Transparency

‘Fair’ processing (Principle 1): Choice
- The other important part of being fair is to give people a reasonable choice over how their information is used.
- People must be given a choice over Direct marketing
- Choices can be:
  - Opt out (we’ll do it unless you say ‘no’)
  - Opt in (we’ll only do it if you say ‘yes’)
- Be clear about what choices are offered, record them carefully, and ensure that they are acted on.
- Pre-ticked boxes are not good practice

Conditions for fair processing
- With consent of the Data Subject (“specific, informed and freely given”)
- For a contract involving the Data Subject
- To meet a legal obligation
- To protect the Subject’s ‘vital interests’
- Government & judicial functions
- In your ‘legitimate interests’ provided the Data Subject’s interests are respected

Transparency & choice

Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
- Adequate
- Relevant
- Not excessive
- Accurate
- Up to date (where necessary)

Why does data quality matter?
- Insufficient information about a volunteer’s medical condition → they get placed in a risky situation
- Wrong address → cheque goes astray
- Failure to update all your records → further mailings after you have been told that they died
- Irrelevant/biased information → client gets treated poorly by other staff

Data Controller
The ‘person’ legally responsible for complying with the Data Protection Act
- (Staff & volunteers are part of the Data Controller)
- A trading company is a separate Data Controller
- Organisations can be joint Data Controllers

The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Data Protection: the absolute basics
We are trying to:
- Prevent harm by
  - Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  - Holding good quality data (accurate, up to date and adequate)
- Reassure people so that they trust us
  - Making sure people know enough about what we are doing
  - Giving people a choice where possible

Many thanks Follow-up questions: To come by *Link to evaluation questionnaire *Link to download the presentation, after you have completed the questionnaire