Data Protection for Church of Scotland Congregations.

Presentation transcript:

Data Protection for Church of Scotland Congregations

How many of the following have happened to you? You have received junk-mail which used your name and address. An unsolicited telesales call has been made to your home. Your bank has alerted you to ‘unusual’ activity in relation to your account. Your car has been ‘cloned’ and you have received speeding fines that you weren’t due.

Some questions that are worth asking: How did these people get access, or why do they want access, to your personal data? Who else holds personal information about you? How might that information be used or misused? What rights do you have in relation to personal data and privacy?

This evening's session:
– What is Data Protection
– Case studies
– Recommendations
– Data security
– Questions

Data Protection: It’s the new Health and Safety law…

Some reasons for having ‘Data Protection’ legislation: Information is… everywhere!

Ask yourselves the following Who has personal information about you, what do they hold and how is it used? Have you ever been contacted directly by a company and wondered how it came to have your details? Have you ever been a victim of identity fraud? Why do ‘criminals’ want access to your data?

Some reasons for having ‘Data Protection’ legislation To safeguard personal privacy. To prevent information about individuals from being used unfairly or fraudulently. To ensure that bodies which hold personal information respect confidentiality and observe good practice. To give individuals the right to know what information is held about them.

What does this mean for the Congregations? The Church is a body which holds personal information about individuals. As office bearers you are charity trustees and so you have an obligation to behave responsibly in relation to the information that is held. The Church must observe good practice and also abide by the provisions of the Data Protection Act 1998, where it applies to use of personal data.

The Data Protection Act 1998: Key Themes
– Transparency
– Choice
– Data Quality
– Security
– Individual rights

Data Information
What is ‘Personal Data’?
Information which relates to a living individual identified:
– from that data
– from that data and other information which is or is likely to be in the possession of the Data Controller
– held electronically or manually in a relevant filing system
E.g. Name, job title, telephone number, address, date of birth, postal address.

Sensitive Personal Data
Personal Data consisting of information on:
– racial or ethnic origin
– political opinions
– religious or similar beliefs
– trade union details
– health data
– sexual orientation data
– offences or alleged offences
– court proceedings

Sensitive Personal Data
Before a congregation uses any data of this nature, the following conditions must be satisfied:
EITHER
– the data must be used in the course of the congregation’s legitimate activities and be ‘not for profit’;
– the data must be used with appropriate safeguards for the rights and freedoms of the people concerned;
– the data must be restricted to those who are members or who have regular contact with the Church; and
– the data must not be disclosed to any third party.
OR
– the data subjects must have given explicit consent for this particular use.

Who are Data Subjects?
The individual to whom Personal Data relates, for example:
– An Employee
– A Job applicant
– A Former employee
– A Minister
– An Office Bearer
– A Committee Member
– A Church Member
– An adherent

Data Processing
Processing is handling data in any way:
– collecting personal data;
– storing in a database;
– ordering in a filing system;
– editing data records;
– transmission onwards to a third party.
Including public availability of data.
A “Data Processor” is any person or organisation who processes personal data on behalf of the data controller.

Data Controller Data Controller: is a person or organisation that determines the purposes for which and the manner in which personal data will be processed. For congregations this is the Presbytery Clerk. It is necessary to notify the Information Commissioner on an annual basis. Small exemption for ‘not for profit’ organisation. But remember CCTV!

The Basics: The Act does not prohibit the use or distribution of information, rather it governs the way information and people are treated.

The Basics: What are the 8 data protection principles?

Data Protection Principles
– Be processed fairly and lawfully;
– Be obtained for specific and lawful purposes;
– Be kept accurate and up to date;
– Be adequate, relevant and not excessive in relation to the purpose for which it is used;

Data Protection Principles
– Not be kept for longer than is necessary for the purpose for which it is used;
– Be processed in accordance with the rights of Data Subjects;
– Be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
– Not be transferred to any country outside the EEA.

Sanctions?

The Information Commissioner’s Office “The UK’s Independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” The ICO: Promotes good practice, Produces guidance on various topics, Makes rulings on complaints against organisations, and Takes action where there are breaches of the Act.

The Information Commissioner
– Enforcement Notices
– Criminal Sanctions
– Fines – up to £500,000
Brighton and Sussex NHS Trust: £375,000
Ealing Council: £80,000
Hounslow Council: £70,000
A4e Limited: £60,000
Norwood Ravenswood: £70,000

Don’t get caught out!

Recommendations for Congregations: The ICO Study
Areas of Good Practice:
– Access to IT
– Building Security
– Confidential Waste
– Implement a Data Protection Policy
Areas for Improvement:
– Password security
– Clear Desk Policy
– Home working?
– IT Security features
– Training

Recommendations for Congregations: DATA PROTECTION PACK FOR CONGREGATIONS subjects/law_circulars

Recommendations Adopt and implement a Data Protection Policy. Begin the process of obtaining consent for all people you have data for. Put in place consent forms for new members. Data Audit and Risk Assessment. Data security and encryption.

Recommendations for Congregations
Conduct an audit of your current data handling:
– Take time and care to draw up a list of all areas of Church life where personal data is held and used.
– For each of these, consider whether you can observe better practice in line with the eight principles, the areas of good practice and areas of improvement in the ICO Report.
– Always take special care over any data which would be classed as ‘sensitive’.
– Do not use data for any ‘broader’ purpose, without first consulting the Presbytery Clerk.

Recommendations for Congregations
Carry out a review of any historical records that your congregation holds, in either electronic or manual form.
– Archive any records that you are obliged to keep – e.g. minute books and baptismal registers.
– Consider deleting or destroying any records that are no longer required. Take care over how you dispose of these.
– Consider deleting any information that you would be embarrassed to disclose if you received a ‘data request’.

Data Security
– Storage of Data, paper and electronic
– Data Encryption
– More than password protection
– Password Strength
– Passphrases, special characters
– Whole machine or just a USB stick?
– Two types of encryption

BUT what happens if the worst happens and there is actually a data protection breach??

DON’T PANIC!

Any Questions?