Published by Jasper Osborne. Modified over 8 years ago.
Practical implications of the Data Protection Bill
By John Robinson, Data Protection Co-Ordinator, South Bucks NHS Trust

Introduction
New Act must be interpreted in the light of the EU Directive on data protection
Must come into force on or before 24 October 1998
What should the Trust be doing to prepare?

Some things for data controllers to consider...
Is processing legitimate?
Data Protection Audit
Data Protection Officer
Changes to systems

Some things for data controllers to consider...
Notification
Manual data files
Data processors
Fair collection and fair processing

Is processing legitimate?
Cannot process unless one of the conditions in Schedule 2 is met and, in the case of sensitive data, one of the conditions in Schedule 3 is met
In both cases processing has to be “necessary”
Data Protection Audit
What type of data are processed?
Does processing comply with data protection law, general law and best practice?
Distribute questionnaires to named individuals

Data Protection Audit
The Audit should ask about
–collection
–storage
–processing and disclosure
–subject information procedures
–data quality
–security
–destruction
–archiving

Data Protection Co-ordinator
The Data Protection Co-ordinator will
–ensure compliance with the Data Protection Act
–manage the Data Protection Audit
–train staff and raise awareness
–draft the data protection policy

Data Protection Supervisor
Subject to order being made
Will independently monitor the data controller’s processing activities to ensure compliance with the 1998 Act
Appointment = exempt from requirement to notify

Changes to systems
Wider subject access information means that information regarding sources and recipients (including own employees) will need to be disclosed
Archived data and back up data
This will have cost implications

Notification
Notification will involve:
–notifying the registrable particulars and
–providing a description of security measures taken to comply with the seventh principle
Currently waiting for notification regulations to be made
Notification
Some processing will be exempt from notification
Notification regulations may exempt processing for the purposes of:
–payroll
–personnel & work planning administration
–purchase and sales administration
–advertising, marketing and PR
–general administration

Notification
The Bill exempts innocuous manual processing (including processing of accessible records) from notification
But must have a statement of processing

Notification
Should a data controller voluntarily register manual processing?
Consider:
–do you process data both manually and automatically?
–if so, can you differentiate easily between the two?

Notification
Registration will be on a yearly basis
Data controllers will remain registered provided they pay the annual renewal fee
No longer have to re-submit all details of processing every three years - only have to notify changes when these occur.

Notification
What can an organisation do in the meantime?

Notification
Update your register entry NOW
Registrations will be converted to notifications by the Commissioner
Notification regulations are expected during the autumn
Data users registered under the 1984 Act are exempt from notification until registration has expired
Processing of manual data
Organisations must review their manual data - do they fall within the ambit of the new Act?
What is meant by “manual data”?

Processing of manual data
Manual data are data recorded as part of a “relevant filing system”
What is a “relevant filing system”?

Relevant filing system
Defined in the Bill as any set of information relating to individuals to the extent that the set is structured either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Relevant filing system
“Specific information” means:
–distinct information within the file
–which can be distinguished from other information in the file and
–can be separately accessed

Relevant filing system
Three views:
–Home Office
–Data Protection Registrar
–Government and personnel officers

Relevant filing system
Home Office:
–narrow interpretation
–card index
–file with dividers/pro formas
–file arranged in chronological order
–must allow easy access
–must be “specific information”

Relevant filing system
Registrar’s view:
–wider interpretation
–alphabetical arrangement - eg filing system organised alphabetically by doctors’ names and which contains patient information
–size of file is a factor to consider

Relevant filing system
Government and personnel officers
Personnel files likely to be the most common manual files
Manual data - although structured - should not be caught if they relate to personnel files

Relevant filing system
Data controller caught in the middle
Commissioner is to enforce the provisions of the new Act
Data processor
No registration requirement
Not an employee of the data controller
Anyone instructed to do any operation in relation to the personal data
New requirements under the seventh principle

Data processors
Contract in writing
Guarantees in respect of “technical and organisational” security measures
Only act in accordance with instructions
No disclosure except as instructed
May not use personal data for processor’s own purposes

Data processors
Record all information accurately and ensure that it is kept up to date
No defamatory statements
No other information to be kept in the records
Assistance with subject information requests

Fair collection notices
These enable data to be obtained fairly and lawfully, and specify the purposes for which the data are to be used.
Any non-obvious uses must be clearly specified.

Fair collection notices
Review fair collection notices and consider:
–how are they given?
–what information do they contain?
–is the data subject’s consent obtained?
Ensure they are as broad as possible

Fair collection notices
Where information is obtained about a data subject from a third party:
–must have procedures to allow Article 11 notices to be given
–must ensure that consent was obtained initially to enable you to process those data now

Fair processing
Must process fairly and lawfully
Compliance with Schedule 2 and (for sensitive data) Schedule 3
Breach of confidentiality makes processing unlawful
Comply with Schedule 1, Part II, which imposes additional obligations

Schedule 2
Consent
Performance of a contract
Compliance with a legal obligation
Vital interests
Administration of justice
Legitimate interests
Sensitive data
Sensitive data are:
–racial or ethnic origin
–political opinions
–religious beliefs
–trade union membership
–physical or mental health
–sexual life
–commission of offences
–criminal offences

Schedule 3
Explicit consent
Employment
Vital interests
Political, philosophical, religious or trade union purposes
Information is made public by the data subject

Schedule 3
Establishing, exercising or defending legal rights
Administration of justice
Medical purposes
Monitoring of equality of opportunity
Circumstances specified by order

Fair processing
Personal data will not be processed fairly unless:
–an Article 10 notice is given where the data are obtained from the data subject
–an Article 11 notice is given where the data are obtained from a third party

Article 10 notice
Must give the data subject the following information:
–the identity of the data controller
–the identity of its nominated representative
–the purposes for which the data are being processed
–any further information (eg identities or categories of recipient, right of access to personal data)

Article 11 notice
Must give the data subject the following information:
–the information for an Article 10 notice
–given at the “relevant time”, which means (i) the time when data are first processed by the data controller or (ii) where disclosed to a third party, the time when first disclosed to that party

Article 11 notice
unless provision of the information would be a “disproportionate effort”
or the data are recorded or disclosed in order for the data controller to meet a legal obligation

Other data subject rights
Data subject rights have been extended
For example:
–access to manual data
–access to the logic of any computerised decision making process
–right to prevent certain processing
–rights in relation to automated decision taking
Subject access rights
Request in writing and payment of fee
Right to be informed:
–whether personal data are being processed and if so
–to be given a description of the personal data and the purposes for the processing

Subject access rights
also, right to have communicated to him in an intelligible form
–the sources of those data
–the recipients of those data (which includes employees and data processors)
–the logic of a decision (if taken by solely automatic means)

Preventing processing
An individual can require the data controller to cease processing his personal data if
–the processing is causing substantial damage or distress and
–that damage or distress is unwarranted

Preventing processing
The right does not apply:
–if individual has given his consent
–for performance of a contract
–compliance with a legal obligation
–to protect the vital interests of the individual

Rectification, blocking, erasure and destruction
Application to the court for an order
The court may also order notification to third parties
Where inaccurate data have been obtained from the data subject, the court may order a statement of the true facts to be added to the data

Compensation
A data subject who suffers damage because of the data controller’s breach is entitled to compensation
He may claim compensation for distress if he has also suffered damage or the breach is in respect of the special purposes

Enforcement
Assessment
Information Notice
Warrant
Enforcement notice

Transitional provisions
New automatic processing of data and new processing of manual data must comply with the 1998 Act immediately
Transitional provisions - manual data -
Manual data which are subject to processing already under way before 24 October 1998 are exempt from:
–the data protection principles
–Part II (rights of data subjects)
–Part III (notification)
until 24 October 2001

Transitional provisions - manual data -
What is meant by “processing already under way”?
New file inserted into an existing database will form part of “processing already under way”

Transitional provisions - manual data -
Manual data which form part of an “accessible record” (ie a health record which consists of information relating to the physical or mental health of an individual and has been made by a health professional)

Transitional provisions - manual data -
are exempt from:
–the data protection principles
–Part II (rights of data subjects)
–Part III (notification)
except that accessible records are not exempt from s7 (rights of access to personal data)

Transitional provisions - manual data -
This exemption applies, irrespective of whether the data were subject to processing which was already under way before 24 October 1998, until 24 October 2001

Transitional provisions - manual data -
In other words... from 24 October 1998, data subjects must be given rights of access to manual data that form part of an accessible record, but not to any other type of manual data

Transitional provisions - automatically processed data -
Automatically processed data which are subject to processing already under way on 24 October 1998 are exempt from the new provisions of the Act until 24 October 2001
Such processing remains subject to the 1984 Act
Transitional provisions - from 24 October 2001 -
As from 24 October 2001, manual data, including accessible records, will be exempt from:
–the first data protection principle, except to the extent it requires compliance with paragraph 2 of Part II of Schedule 1
–the 2nd, 3rd, 4th and 5th principles
–section 14(1) to (3)

Transitional provisions - from 24 October 2001 -
In other words... from 24 October 2001, data subjects will have rights of access to manual data and accessible records
They will be able to request the rectification, erasure or blocking of the manual data (but not apply for a court order)

Transitional provisions - from 24 October 2001 -
Automatically processed data have no further exemption after 24 October 2001. They must conform with the new Act.

Final thoughts
Don’t be misled because a new provision looks familiar - it may have very different consequences under the new Act.
If in doubt, look to the Directive for guidance
Exemptions
Crime and taxation
Personal data processed for the purposes of the:
–prevention or detection of crime
–apprehension or prosecution of offenders
–or assessment or collection of tax or duty
are exempt from the first principle and s7 if the application of those provisions would be likely to prejudice any of those matters

Crime and taxation
What do you do if your organisation is approached by the police to disclose information?

Crime and taxation
Consider confidentiality obligations (may only be able to disclose under a court order)
Obtain a statement in writing signed by a senior police officer stating that in his opinion the situation described in the statement is one to which s28 applies

Crime and taxation
What about other disclosures of information not requested by the police?

Crime and taxation
Confidentiality obligations
Will have to rely on this exemption
Must consider each request on a case by case basis
Must have in place procedures or a policy stating what situations will fall within a s28 disclosure

Research, history and statistics
Processing for these purposes in compliance with the relevant conditions means that a data controller:
–can keep the data indefinitely (irrespective of the fifth principle)
–does not have to give individuals access to the data under s7

Research, history and statistics
The relevant conditions are:
–the data are not processed to support decisions in respect of particular individuals
–and the data are not processed in such a way that substantial damage or distress is caused to any individual

Confidential references
Personal data are exempt from s7 if they consist of a reference given in confidence by the data controller for the purposes of:
–education, training or employment of the data subject
–appointment of the data subject to office
–provision by the data subject of any service

Management forecasts and negotiations
Personal data processed for the purposes of management forecasting or management planning are exempt from the subject information provisions

Management forecasts and negotiations
Personal data consisting of records of the data controller’s intentions in relation to any negotiations with the data subject are exempt from the subject information provisions

Legal professional privilege
Personal data are exempt from the subject information provisions if the data consist of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings