Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection – The Essentials Alison Johnston Lead Policy Officer - Scotland Information Commissioner’s Office.

Published byDorcas McKenzie Modified over 6 years ago

Similar presentations

Presentation on theme: "Data Protection – The Essentials Alison Johnston Lead Policy Officer - Scotland Information Commissioner’s Office."— Presentation transcript:

1 Data Protection – The Essentials Alison Johnston Lead Policy Officer - Scotland Information Commissioner’s Office

2 Content What is Personal Data? Working with Personal Data
Rights and Obligations Preparing for GDPR

3 What is Personal Data?

4 Personal Data is... Personal data relates to a living individual who can be identified from those data and/or other information likely to be in the possession of the data controller. Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Personal data includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person. Under GDPR the definition of personal detail has been expanded and made more specific.

5

6 Not all data is the same…
Race or ethnicity Political opinions Religious or philosophical beliefs Trade union membership Physical or mental health Sexual life or orientation Genetic or biometric The Data Protection Act has two types of personal data, normal personal data and sensitive personal data. Sensitive personal data is separated out from ordinary personal data as worthy of more consideration and security following conflicts in Europe. Under GDPR sensitive personal data is referred to as special categories of data. Genetic and biometric data is added as a new class of special category data. Data about criminal convictions and offences is dealt with separately but still regarded as sensitive and to be used in limited circumstances. There is one piece of information missing which most people assume would be classed as sensitive personal data and that is financial data. Although Financial data is not classed as sensitive personal data by the DPA or the GDPR the ICO treats a breach of this data as if it were sensitive data because of the impact a breach can have on an individual.

7 Personal Data isn’t Always Obvious!
We need to be aware of what other information is out there that people can piece together to identify an individual. GDPR makes reference to this by stating that personal data is data which allows someone to be identified either directly or indirectly. If you are using anonymisation or pseudonyms to protect an individual’s identity think carefully about how they are created. If they use initials or dates of birth then it’s possible people could identify an individual from them. For example, your driving licence number is made up of your name and date of birth. Likewise pseudonyms or locations may make an individual identifiable. It is about common sense and you have to consider what is reasonably likely in regards to the risk of individuals being identified. Someone would have to want to identify a person and actively search out the additional information. The likelihood of this happening will depend on who you work with, with some people more likely to be at risk than others. Some examples of data which can be used to identify individuals include locations, medication, the car you drive, work you’ve undertaken, in particular research work, even the name of your pet. Personal Data isn’t Always Obvious!

8

9 Working with Personal Data

10 Lorem ipsum dolore sit amet
Subtitle can go here

11

12 The Accountability Principle
The controller shall be responsible for, and be able to demonstrate compliance It is currently good practice to keep a record of your data processing as evidence of compliance. GDPR makes this a requirement.

13 Schedule Conditions for Processing
Personal data: Consent Contract Legal obligation Vital interests of individual Public function under enactment/public interest Legitimate interests of the data controller and third party but not prejudicial to individual Sensitive personal data: Explicit consent Employment law Vital interests of anyone Not-for-profit TU/religious/ political/philosophical groups Already in public domain Legal proceedings/advice Public function under enactment Anti-fraud activity Medical purposes Equal Opps Monitoring Substantial public interest (SI2000/417) Consent Contract Legal Obligation Vital interests of individual Public function under enactment/public interest Legitimate interests of the data controller and third party but not prejudicial to individual At present in order to use personal data lawfully, you need to be able to rely on at least one Condition for processing from Schedule 2 (personal data). If it is sensitive personal data, you need to be able to rely on at least one Condition for processing from each of the Schedules 2 and 3 (sensitive personal data). Under GDPR the conditions for processing personal data are under Article 6 and the conditions for processing sensitive personal data are under Article 9. If you process children’s data you must take into consideration Article 8. If you rely on consent you must take into consideration Article 7. All Conditions have equal weighting: one does not carry any more status than any other. It is for the data controller to be satisfied that they are relying on the appropriate Condition. Schedule Conditions for Processing

14 Lets talk about the elephant in the room…

15 Consent The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent.  The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it. Data cannot be processed based on consent if there is an inbalance of power e.g. the provision of a service based on an individual consenting to data processing. Consent

16 GDPR requires privacy notices to be provided at the time personal data is collected.
Article 13 sets out what must be included in a privacy notice. Article 12 states that any communication regarding the processing of an individual’s data must be in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. Privacy Notices

17 Data Sharing Know why and how data will be shared
Be transparent about data sharing Use our data sharing checklist: Data Sharing

18 Personal Data Security

19

20 The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold. DATA BREACHES

21 Rights and Obligations under GDPR
Access Accuracy/ Rectification To Be Forgotten (Erasure) Restrict Processing Object Data Portability Fundamentally, the DPA is about establishing rights for individuals and placing obligations on organisations using personal data. Individuals get all the rights: organisations have all the responsibility!!

22 Preparing for the GDPR

23

24

25

26

27

28

29

30

31

32

33

34

35

36 Keep in touch ICO Scotland 45 Melville Street Edinburgh EH3 7HL
T: E: Subscribe to our e-newsletter at or find us on… @iconews

Download ppt "Data Protection – The Essentials Alison Johnston Lead Policy Officer - Scotland Information Commissioner’s Office."

Similar presentations

DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child

Getting data sharing right for every child
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection Overview

Data Protection Overview
The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010.

The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010.
Data Sharing and Good Practice Maureen H Falconer Sr Policy Officer Information Commissioner’s Office.

Data Sharing and Good Practice Maureen H Falconer Sr Policy Officer Information Commissioner’s Office.
Bernadette Malone – Chief Executive Perth and Kinross Council and Chair of GIRFEC National Implementation Working Group Alan Small -Information Sharing.

Bernadette Malone – Chief Executive Perth and Kinross Council and Chair of GIRFEC National Implementation Working Group Alan Small -Information Sharing.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.

Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)
The future of data protection: General Data Protection Regulation

The future of data protection: General Data Protection Regulation
Issues of personal data protection in scientific research

Issues of personal data protection in scientific research

Similar presentations

Ads by Google