Data Protection The Current Regime

Presentation on theme: "Data Protection The Current Regime"— Presentation transcript:

1 Data Protection The Current Regime
Crispin Dick – September 2017

2 Data Protection Act 1998 – Terminology
DATA CONTROLLER: determines the purposes and manner of processing (there may be more than one). Example: WIDGETS LTD.
DATA: computerised, or held in a relevant filing system.
PERSONAL DATA: relates to an individual. Example: Name: Joe Bloggs; Employee No:; Age:; Telephone No:
DATA SUBJECT: the individual the personal data relates to. Example: Joe Bloggs.
DATA PROCESSOR: processes on behalf of a data controller. Example: PAYROLLS R US.
SENSITIVE PERSONAL DATA: data on ethnicity, religion, union membership, health, sex life, criminal record. Example: Ethnic Origin: Aboriginal; Union Membership: Yes; Health Notes: Diabetic.
PROCESSING: anything you can do with data!

3 DPA 1998 – the 8 principles (in summary)
Personal data must be:
1. Processed fairly and lawfully, and only if one or more specified conditions are met.
2. Processed for limited purposes and not in any manner incompatible with those purposes.
3. Adequate, relevant and not excessive.
4. Accurate.
5. Not kept for longer than is necessary.
6. Processed in line with data subjects’ rights under the Act.
7. Secure.
8. Not transferred to countries that do not protect personal data adequately.

4 DPA – 1st principle
Personal data shall be processed fairly and lawfully. This means the data controller must:
- Provide fair processing information to the data subject:
  - the identity of the data controller (and any representative);
  - the purposes for which the data is to be processed;
  - any other information required to make the processing fair.
- Meet one of the conditions in Schedule 2 of the Act.
- Meet one of the conditions in Schedule 3 of the Act, if the data is sensitive personal data.

5 DPA 1998 – Schedule 2 conditions (in summary)
Processing of all personal data must satisfy at least one of the Schedule 2 conditions, namely:
- The consent of the data subject has been obtained.
- The processing is necessary:
  - for the performance of a contract to which the data subject is a party;
  - for compliance with any legal obligation (non-contractual) on the data controller;
  - in order to protect the vital interests of the data subject;
  - for the administration of justice or public functions;
  - to pursue a legitimate interest of the data controller, as long as data subjects are not unduly prejudiced.

6 DPA 1998 – Schedule 3 conditions (in summary)
Processing of sensitive personal data must also satisfy at least one of the Schedule 3 conditions, namely:
- The explicit consent of the data subject has been obtained.
- Necessary to perform a legal obligation in connection with employment.
- Necessary to protect the vital interests of the data subject or another person.
- For the legitimate activities of a political, religious or trade union body relating to a member.
- Personal data made deliberately public by the data subject.
- Necessary for legal proceedings.
- Necessary for the administration of justice or public functions.
- Necessary for medical purposes and carried out by a health professional.
- Necessary to review equality of opportunity.
- Circumstances specified by the Secretary of State.

7 Data Exports – 8th principle
Data must not be transferred outside the EEA unless there is an adequate level of protection. Consider:
- Cloud based services – where will the processing take place?
- Do any of the exemptions in the Act apply?
- Has the country been confirmed as adequate by the European Commission?
- EU / US Privacy Shield
- Model contract clauses
- Binding Corporate Rules

8 Privacy and Electronic Communications Regulations (“PECR”)
Applies to direct marketing by automated phone call, text, fax and other forms of electronic mail. Requires consent (knowingly, freely given, clear and specific).
Does not apply to:
- Soft opt-in for similar goods and services.
- Messages sent to business addresses.
- Postal mail or live voice calls (but note the regulator’s view on voice calls and the need to check the TPS).
PECR is likely to be replaced with a new EU regulation, but the timetable is not yet confirmed.

9 When does processing take place?
Examples of initial processing at the point of collection:
- a one-off donation or an ongoing donation;
- participation in an event or campaign;
- signing up to receive a newsletter; or
- volunteering / employment.
Examples of subsequent processing:
- storing personal data in a database;
- requests to increase regular donations;
- campaign requests;
- details of fundraising events;
- invitation to subscribe to a newsletter;
- sharing with a third-party fundraiser; or
- sharing with other charities.

10 How to ensure compliance?
Point of collection:
- Provide fair processing information: terms and conditions, privacy policies, telephone scripts.
- Obtain consent, or satisfy yourself that one of the other conditions necessary for processing applies.
Subsequent processing:
- Ensure data is only processed for the purposes for which it was collected. Check against what fair processing information was provided.
- Comply with the other data protection principles, and refresh consents periodically.

11 How to ensure compliance (2)
- Appoint data processors in writing and impose security constraints.
- Ensure adequate protections exist before exporting data outside the EEA.
- Keep data up to date and accurate, and for no longer than necessary.
- Keep data secure.
- Maintain suppression lists for any supporters who have said they no longer wish to be contacted.
- Comply with subject access requests.
- Notification.

12 Enforcement
- Enforcement notices
- Information notices
- Data subject rights
- Monetary Penalty Notices
- Publicity

13 Crispin Dick, Partner
T:
E:
