Presentation is loading. Please wait.

Presentation is loading. Please wait.

DP BILL: GROUNDS FOR PROCESSING

Published byMaria do Mar Aldeia de Oliveira Modified over 5 years ago

Similar presentations

Presentation on theme: "DP BILL: GROUNDS FOR PROCESSING"— Presentation transcript:

1 DP BILL: GROUNDS FOR PROCESSING
LGA GDPR/DP Regional Conferences: Manchester & London (January 2018) Go through the courseware; identify action plan for controllers – parking rights for the moment

2 DP BILL WORKS IN SAME WAY AS THE DPA
1. Does organisation process in a way that engages the Act? Is the information processed “personal data”? Is the organisation a “data controller”? 2. If the Act is engaged then: Is there a lawful basis to process personal data? 3. If there is a lawful basis for the processing then: How do we process? Apply the Data Protection Principles and other obligations (e.g. rights)

3 DEFINITIONS (A.4; RECITALS 26-30)
More personal data covered (e.g. IP address, URLs) as identification is not by the controller Manual filing systems are structured processing by any criteria (e.g. relating to individuals, number) Controller, Processor, Processing, Recipient and Third Party more or less the same RFS and semi structured filing systems covered; Accessible Records might go the other way; Biometric = processing to make an ID (e.g. facial recognition, speed of pen in signature) Recital 30: Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

4 SPECIAL PERSONAL DATA (A.9)
All “Sensitive Personal Data” of the DPA plus: Sexual orientation Biometric in the context of ID (e.g. facial recognition CCTV) Genetic information (DNA or RNA) Criminal convictions not “special” (more like “extra special”) Photos not systematically “special personal data” (R.51) Make sure you have the right regime; criminal records processed in the context of law enforcement is Part 3 of the DP Bill have different grounds (consent, necessary for a law enforcement purpose or in Schedule 8). This session relates to grounds for “GENERAL PROCESSING” (described in Part 1/Part 2 of the Bill). deoxyribonucleic acid or ribonucleic acid,

5 GROUNDS FOR MOST CONTROLLERS
Article 6 little different from Schedule 2; Article 6 legal basis needed for each processing operation “Consent” changes as a result of Article 7 and related Recitals “Public task” defined in Clause 7 includes Sched 2, para 5 “Legitimate interests” cannot be used for public tasks; Article 9 (Schedule 3) has flexibility for Member States for some items of “Special Personal Data” (e.g. Health) Criminal records etc (Article 10) are not Special Personal Data, but are subject to the similar kind of restrictions. Legal basis now specified in the “Fair Processing Notice”; expect more challenges on “necessary” More prominence for the legal basis of the processing

6 DATA SUBJECT CONSENT ‘consent’ of data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes (e.g. by a statement, by a clear affirmative action) signifies agreement the processing of personal data. WP29: Direction of travel is “opt-in” for consent Burden of proof is on the controller to demonstrate that consent was given by the data subject. Recital 42: Controller to demonstrate that the data subject has given consent to the processing operation). Consent, in the public sector, is only realistic for fringe processing (e.g. supporters of the Local Museum) ICO CONSULTATION (widely acclaimed!). Might need a consent for each purpose. Also consent Recitals very important. Directive has “unambiguously given his consent” as part of its equivalent of Schedule 2; now it is part of the definition of consent.

7 CONSENT (A.7; RECITALS 32, 42 & 43)
Consent clearly distinguishable from the other matters (e.g. other statutory notices) and explained in an intelligible and easily accessible form, using clear & plain language. Any part of the consent declaration which constitutes an infringement of the Regulation can negate consent Right to withdraw consent at any time (no retrospective effect). It shall be as easy to withdraw consent as to give it; right to withdraw consent is identified in FPNs (A.13; A.14). Recital 32: pre-ticked boxes do not constitute consent Recital 42: Consent not valid if there is no effective choice

8 “NECESSARY” & DATA SUBJECT CONSENT
Third Principle: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed Fifth Principle: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed A.6 grounds are “necessary” for something except consent. However, the 3rd and 5th Principle link necessary to consent

9 “PUBLIC TASK” (A.6(1)(e) & CLAUSE 7)
processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for— (a) the administration of justice, (b) the exercise of a function of either House of Parliament, (c) the exercise of a function conferred on a person by an enactment, or (d) the exercise of a function of the Crown, a Minister of the Crown or a government department. Right to object to the processing applies (consider it carefully) Functions of a public nature in the public interest

10 “LEGITIMATE INTERESTS” (A.6(1)(f))
Public authority cannot use this ground for public tasks (R.47) Controller’s “legitimate interest” explained in FPN (A.13; A.14) A.17 right: controller has to demonstrate compelling legitimate grounds for the processing which overrides the interests or fundamental rights and freedoms of data subject. Note that the S.10 threshold of substantial unwarranted damage or substantial unwarranted distress has gone. Right to restrict processing (A.18) until determination of whose legitimate interest prevails (and possible notify recipients; A.19) A.40 Code of conduct should be followed once it exists Identify Para 6 Schedule 2 processing as an action

11 GROUNDS FOR SPECIAL PERSONAL DATA
the data subject has given explicit consent to the processing of those personal data for one or more specified purposes necessary for the purposes of carrying out the obligations in the field of employment and social security and social protection law necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim;

12 GROUNDS FOR SPECIAL PERSONAL DATA
personal data manifestly made public by the data subject necessary for establishment, exercise or defence of legal claims necessary for reasons of substantial public interest (Member State law shall be proportionate to the aim pursued .. and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject) necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care

13 SCHEDULE 1: MORE RELEVANT GROUNDS TO LOCAL GOVERNMENT
Health and Social Care; Public health Research (linked to safeguards in Article 89 and Clause 18) Substantial Public interest (very broad but mirrors Clause 7) Equal Opportunities Preventing fraud, unlawful acts, dishonesty etc Elections, political parties and elected representatives Note: Criminal convictions need 3 conditions (a ground in A.6, one in A.9 or Schedule 1, Parts 1-3 & one in Schedule 1, Part 4) Can be a requirement for policies and other safeguards which can be assessed re Accountability Principle

14 SUMMARY CONCLUDING COMMENTS
Special Personal Data and Personal Data definitions are widened All Schedule 2 and 3 grounds in the DPA, can be found in Article 6 and Article 9/Schedule 1 (find them) Right to be informed: requires the grounds for the processing of personal data to be identified to the data subject other rights to be identified as part of the right to be informed (e.g. right to object; withdraw consent) Some grounds for processing Special Personal Data have mandatory recording requirements (e.g. policies) which will be assessed as part of the Accountability Principle

15 THE END Q U E S T I O N S More on the GDPR and LED in all Amberhawk DP courses …. and on HAWKTALK (wholly balanced blog) ©Chris Slane

Download ppt "DP BILL: GROUNDS FOR PROCESSING"

Similar presentations

DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Getting data sharing right for every child

Getting data sharing right for every child
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.

Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Sharing Information Legally Lindsay Ould London Borough of Lewisham.

Sharing Information Legally Lindsay Ould London Borough of Lewisham.
Www.clarkholt.com Clark Holt Limited (Co. No. 8774683), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.

Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Ethical, legal and social aspects of public health genomics Mark Taylor, School of Law, University of Sheffield 7 th November 2014.

Ethical, legal and social aspects of public health genomics Mark Taylor, School of Law, University of Sheffield 7 th November 2014.
Introduction to Data Protection Plan »Brief Introduction to Data Protection  Example  Principles  P3, 4, 7  Sensitive Data  Conditions for Processing.

Introduction to Data Protection Plan »Brief Introduction to Data Protection  Example  Principles  P3, 4, 7  Sensitive Data  Conditions for Processing.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.

Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.

Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.

Similar presentations

Ads by Google