Data Protection Act ‘What you need to know’ Corporate Information Governance Team, Strategic Intelligence.



Data Protection Act: What does this presentation cover?
- What does the Act do?
- What is personal data?
- Data Protection Principles
- How do people exercise their rights?
- Information Security Incidents
- Unauthorised or unlawful disclosure
- Summary

Data Protection Act: What does the Act do?
The Data Protection Act 1998 protects information about living people who can be identified. This is known as personal data. The Act provides a framework which balances the legitimate needs of organisations to collect and use personal data against the right of individuals to respect for the privacy of their personal details.

Data Protection Act: What is personal data?
Personal data is information about a living person who can be identified from that information, for example by their name or address, a photograph, a unique reference number such as a CareFirst ID number, and so on. The Council holds personal data about many different groups of people, such as staff, customers, clients, family and friends of clients, carers, etc. It can be stored in any format, whether on computer or on paper.
The Council and its staff have a legal duty under the Data Protection Act to ensure that the personal data it holds or has access to is protected and handled in accordance with the Data Protection Act’s principles. Failure to comply with the data protection principles could amount to a criminal offence or a disciplinary offence.

Data Protection Act: Data Protection principles
1. Processing must be fair and lawful
The Data Protection Act is underpinned by a set of eight common-sense principles, which must be adhered to whenever we process personal data. Processing includes obtaining, recording, using, holding, disclosing and deleting personal data.
When you process personal data, the Act says you must do so fairly and lawfully. This means you must tell the person what you are doing with their information (there are some exceptions to this, listed below) and make sure that you have a legitimate and lawful power to process their personal data.
Exceptions: you do not have to tell the person if
a) they will have a reasonable expectation that their information will be used in that way;
b) it will put a person at risk of harm;
c) it will prejudice the prevention or detection of a crime.

Data Protection Act: What are legitimate and lawful powers?
Here are some examples of when it is considered lawful under the Data Protection Act to process someone’s personal data:
- if you have the person’s consent;
- if it is for the legitimate purposes of your job and does not cause the person unwarranted prejudice to their rights and freedoms;
- if it is necessary to comply with a court order or other legal obligation;
- if it is necessary to protect someone’s life or to protect them from serious harm;
- if it is necessary to assist in the prevention or detection of an unlawful act;
- if it is necessary for the Council or another organisation to undertake its official duties and is in the public interest.

Data Protection Act: Data Protection principles
2. Processing must be for limited purposes
Whenever we use or disclose personal data, we must ensure it is for the purpose we stated at the time the information was collected. In other words, we cannot collect personal data for one purpose and then use it for something completely different, unless the person has an expectation that this will happen. If you want to use or share their information for a different purpose, you should seek their consent to do so, unless you have another lawful power to do it.

Data Protection Act: Data Protection principles
3. Personal data must be adequate, relevant and not excessive
Whenever we collect, use or disclose personal data, we must ensure that it is adequate, relevant and not excessive for the purpose it is intended. This means that when you collect, use or disclose personal data, you need to decide what information is really needed about that person for you or someone else to do their job effectively. Irrelevant or unnecessary personal data should not be recorded or disclosed. For example, do not record or disclose personal data if depersonalised (anonymous) information would suffice.

Data Protection Act: Data Protection principles
4. Personal data must be accurate and up to date
It is everyone’s responsibility to ensure that they check the accuracy of the information they record, use or disclose. By doing this, we can be confident that the information we are using is correct and, where relevant, up to date. Take care when you are recording information and ask for confirmation that any previously obtained details are correct. If you identify any errors or misleading information, you should take steps to ensure the information is corrected. Do not assume that others have spotted the error and ignore it!

Data Protection Act: Data Protection principles
5. Personal data must not be kept longer than necessary
The Council must ensure that it does not hold personal data for longer than it needs to. The Council has developed a Record Retention Policy which states how long certain types of information should be held for. Here are some examples of retention periods which are derived either from statute or from a business need:
- financial records: 7 years;
- some children’s records: 75 years;
- some legal records: 6 years from settlement of the matter;
- employment records: 6 years from when the employee leaves.
More information about record retention can be found on the records management pages on the Source.

Data Protection Act: Data Protection principles
6. Personal data must be processed in accordance with people’s rights
People have several rights under the Data Protection Act, for example:
- the right to have a copy of their personal data (this is known as ‘Subject Access’);
- the right to stop their information being used in a way which causes them damage or distress;
- the right to compensation for damage or distress caused by the Council not complying with the Data Protection Act;
- the right to have inaccurate or misleading information held about them corrected or deleted.

Data Protection Act: How do people exercise their rights?
The Corporate Information Governance Team deals with these matters, and therefore people should be directed to this team if they want to exercise their rights under the Data Protection Act or make a complaint about the way their information has been used, recorded or shared.
Tel:
Address: Room L10, County Hall, Exeter, EX2 4QD
Further information about this is also available on the public website.

Data Protection Act: Data Protection principles
7. Personal data must be kept secure
It is everyone’s responsibility to ensure they protect the personal data they have access to from unauthorised or unlawful access or disclosure, theft or accidental destruction. This can be achieved by following a few simple rules:
- avoid leaving sensitive paperwork on your desk when you are not there;
- put personal data on paper, disks or CDs in lockable drawers or cupboards;
- choose passwords which are difficult for others to guess;
- do not write your password down or tell somebody else what it is;
- lock your computer screen when away from your desk (Ctrl+Alt+Delete);
- lock doors and windows when the office is unattended;
- only discuss or disclose personal data with those who are legally entitled to it;
- delete suspicious emails and do not open suspicious attachments, to prevent viruses;
- destroy personal data securely: shred it or put it in a confidential waste sack;
- lock away laptops, tablets and other mobile equipment when not in use.

Data Protection Act: Information Security Incidents
If you lose or find personal data or equipment, please email the Corporate Information Governance Team or complete the Security Incident reporting form on the Source. We need to identify, report and investigate every incident so we can learn from our mistakes and prevent incidents recurring.
The Council takes its security obligations very seriously. If a serious security incident occurs, the Council could be fined up to £500,000 and, more importantly, the individual whose personal data has been lost, stolen or inappropriately disclosed could suffer serious damage or distress as a result of the incident. It is therefore important that we all make every effort to keep personal data safe and also report instances where a security incident could have occurred, so that procedures can be improved.

Data Protection Act: Unauthorised or unlawful disclosure
It is a disciplinary offence and a criminal offence for any person to knowingly or recklessly disclose personal data, allow access to personal data, or sell or offer to sell personal data to other people who are not authorised to have it.
You are given access to information held by the Council for work purposes only. You are prohibited from sharing this information with your family, friends or any other person who is not legally entitled to the information. The Council’s systems are regularly audited and monitored to ensure there is no abuse of access. The Council treats unauthorised and unlawful access or disclosures as security incidents. If you suspect someone is inappropriately or recklessly disclosing personal data to people who should not have access, you must report this immediately to the Corporate Information Governance Manager.

Data Protection Act: Data Protection principles
8. Personal data must not be transferred to countries without adequate security
The Council is not permitted to disclose personal data to countries outside the European Economic Area (EEA), unless that country has adequate security in place to protect the data and offers the same rights and freedoms to data subjects as the United Kingdom.
This principle has particular relevance in cases where the Council collects personal data using an on-line form, questionnaire or survey. In some cases the Council may work with another organisation who will collect and hold that data for the Council. This could, for example, be an American-based company, in which case the Council must have a contract in place with that company stipulating what security they must have in place to protect our data. If you are involved in collecting personal data on-line, or think you may need to disclose personal data outside the EEA, contact the Information Governance Team for advice.

Data Protection Act: Summary, handling personal data properly
- Tell people if you want to use or share their data and get their consent where appropriate.
- Only use data for the purpose it was collected, or seek consent for further use.
- Only collect or share data that you really need to; keep it to a minimum.
- Routinely check that the data is accurate and up to date, and amend inaccuracies.
- Don’t keep data longer than you need to; check the Record Retention Policy.
- Remember that people have rights, e.g. the right to see their data (‘Subject Access’).
- Use a common-sense approach to keeping data secure.
- Only disclose personal data to people who are legally entitled to know; seek advice.
- Report security incidents or ‘near misses’ to the Corporate Information Governance Team.
- Seek advice if you want to share personal data with countries outside the EEA.
Contact the Information Governance Team for further advice or guidance.