Regional Membership Team, CII

1 Regional Membership Team, CII
Working with data

2 Agenda
Data Protection Act
Information Commissioner’s Office
Subject Access Requests
Electronic marketing – eflyers and opt outs

3 What is Data Protection?
“Regulation of the processing of information relating to individuals, including the obtaining, recording, holding, use or disclosure of such information.” – Data Protection Act 1998. Relating to ‘a living and identifiable individual’.
The Data Protection Act 1998 covers the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information. The data must relate to a living and identifiable individual for the Act to apply.

4 8 Data Protection Principles
1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
The first principle relates to consent, which must be given by the individual; this is the most important part of the DPA. The CII is what is called a Data Controller, holding personal data, such as membership data, in an electronic database. LIs are Data Controllers if they collect data, such as people registering for an event.

5 8 Data Protection Principles
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
How long? It depends on the personal data: invoicing records, membership records, pension records.
People often question how long data can be kept for. There is no single answer to this question, as it depends on the personal data and what it is being used for. The original purpose of the data may have been exhausted, but there could be an additional purpose for which it is kept, e.g. invoicing.

6 8 Data Protection Principles
6. Personal data shall be processed in accordance with the rights of data subjects under this Act (e.g. Subject Access Requests).
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

7 Why must we follow the DPA?
Protects individuals – ensures that their personal data does not end up in the hands of those who may use it for an illegal or unwanted purpose.
Expectation of individuals – so members understand what the CII and the local institutes do with their data.
Penalties – the ICO can issue monetary penalties of up to £500,000 for serious breaches of the DPA occurring on or after 6 April 2010.

8 Penalties – the reality
Ministry of Justice, reported on 22nd October 2013. A member of the public reported to the data controller that he had received by email details of inmates at HMP Cardiff. He was the intended recipient of the email, which accidentally attached a file containing the details of 1,182 inmates including name, DOB, address, details of physical marks including tattoos, wing location, sentence lengths, release dates, offence types and ethnicity. The ICO fined them £140,000 as the data was personal and sensitive: a breach of the 7th principle, “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

9 Information Commissioner's Office (ICO) Registration
As not-for-profit associations, local institutes are exempt from needing to register with the ICO to process personal information. Local institutes may still be data controllers in respect of information they obtain directly from their members (e.g. a record of attendance at a local event). Local institutes are unincorporated associations and their representatives are personally liable for its breaches. It is therefore essential to comply with the DPA and its ancillary legislation.
LIs do NOT need to register with (and pay a fee to) the Information Commissioner’s Office as a data controller; the position is that there is an exemption whereby not-for-profit organisations do not have to do so: if your organisation was established for not-for-profit purposes and does not make a profit, or if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others.
You must:
only process information necessary to establish or maintain membership or support;
only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
only share the information with people and organisations necessary to carry out the organisation’s activities (if individuals give you permission to share their information, this is OK);
only keep the information while the individual is a member or supporter, or as long as necessary for member/supporter administration.
The LI is still a data controller for most of its work and must still comply with the Data Protection Act and its ancillary legislation, as it is still liable for any breaches by it or by a data processor acting on the LI’s instructions. All the exemption means is that LIs do not have to actively tell/register with the ICO that the LI is a data controller.
Even if local institutes are collating their own data list separate from CII membership data, and therefore are a Data Controller, they do not need to register and pay a fee with the ICO as they are still not-for-profit.

10 Subject Access Requests
Requests from an individual for Personal Data which an organisation holds about them. An individual who makes a written request (and, if applicable, pays a fee – currently £10) is entitled to be:
told whether any personal data is being processed;
given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
given a copy of the information comprising the data;
given details of the source of the data.

11 Subject Access Requests
What is an individual entitled to? Only their own personal data, not information relating to other people. This includes internal emails, e.g. those sent from one council member to another. Redaction of emails may be required to comply with an LI’s DPA obligations. Neither are they entitled to information simply because they may be interested in it. There are various exemptions that might restrict the ability to disclose the personal data. There is a 40 day time limit from the date of the written request to comply and supply the information. All Subject Access Requests need to be registered: the CII should be informed if you receive one.

12 Electronic marketing - eflyers
Privacy and Electronic Communications Regulations 2003 – Reg 22. The law requires: You cannot transmit, or instigate the transmission of, unsolicited marketing material by electronic mail to an individual subscriber unless they have previously notified you, the sender, that they consent, for the time being, to receiving such communications.
Email lists are automatically updated monthly for local institutes on the eflyer system to ensure that any opt-outs are managed.

13 Electronic marketing - eflyers
Privacy and Electronic Communications Regulations – Reg 23. The law requires: You cannot transmit any marketing by electronic mail where:
(i) your identity has been disguised or concealed, or you have not provided a valid address to which the recipient can send an opt-out request;
(ii) it contravenes regulations 7 or 8 (i.e. you must clearly identify the nature of the communication and that it is unsolicited; you cannot insinuate that an email is a reply to one sent by an individual);
(iii) it encourages recipients to visit websites which contravene the regulations.
Eflyers include the logo and name of your institute so that it is clear who is sending the email, plus an unsubscribe option.

14 Opt-outs
By law, we have to offer all customers/members the option to opt out of electronic communications. A member can contact us at any time to opt out of emails. There is no longer a declaration about sharing data with third parties, as the CII never sells data to third parties. Two declarations, CII emails and local institute emails, give members the option to opt out of either CII or local institute emails, or both. If a member opts out of local institute emails, when the monthly data is next supplied to the local institute, the member’s email address field will show as ‘no contact requested by email’.
Third parties – however, we do provide data to third parties to carry out services on behalf of the CII (i.e. data is provided to the company who run the biannual membership survey); a data protection agreement is signed and data files are password protected.

15 Membership declarations
Sharing information with your employer: The CII will, upon request, provide your employer with details of your examination assessment and accreditation, including all attempts and future entries, along with your CII Permanent Identity Number, unless you tick the following box:
Privacy and electronic communications regulations: The CII may from time to time wish to draw your attention to other CII products and services electronically which are likely to be of interest to you. The CII will assume you consent to us using your data in this way, unless you tick the following box:
The CII will share your data with your Local Institute (LI) so they may communicate to you, electronically, any local events, products and services that complement those offered by the CII. The CII will assume that you consent to us using your data in this way, unless you tick the following box:
The membership declarations now refer to:
1 – sharing information with your employer
2 – CII contacting you
3 – sharing information with local institutes so they can contact you

16 Scenarios Scenario 1: Prizes
The President of the Insurance Institute of Wessex has requested a list of all LI members in the area containing their qualification results for R06 Financial Planning Practice so that the LI can determine who should receive a prize. Can CII disclose the list?

17 Scenarios Scenario 1: Prizes
No, the full list should not be disclosed, as there is no reason for the local institute to have the details of all members’ results for R06. The CII should disclose the top 3 or 4 candidates, according to the criteria, for the local institute to choose from.

18 Scenarios Scenario 2: Networking Event
Barry works for ABC Financial Ltd and recently organised a networking event. As part of the registration process Barry collected personal email addresses and contact numbers in order to send delegates joining instructions. The event was a success with high attendance and excellent feedback. Two days later Barry receives a phone call from one of the delegates, Mrs Davis, who says that she made some excellent contacts but has lost the business card of Ms Jones, whom she had spoken to at length and promised to be in contact with. Mrs Davis asks Barry if he could send her Ms Jones’ contact details. What should Barry do?

19 Scenarios Scenario 2: Networking Event
Barry is unable to pass on Ms Jones’ details without her permission. Barry could contact Ms Jones and ask if she would agree to Barry passing on her details to Mrs Davis.

20 Scenarios Scenario 3: Data
The Insurance Institute of Northwich is organising a summer ball and would like to invite members of the Insurance Institute of Crewe. Northwich ask Crewe to send them a data list of their members, only containing names and email addresses, so that they can email them details of the summer ball. Can Crewe send Northwich the requested data?

21 Scenarios Scenario 3: Data
The Insurance Institute of Crewe is not allowed to send the Insurance Institute of Northwich any of their member data. Members who have given consent to receive emails from Crewe have not consented to have their data passed on to another third party (Northwich) to contact them.
