
Data Protection and Information Security Webinar

Presentation transcript:

1 Data Protection and Information Security Webinar
Presented by Emma Hawksworth, Slater and Gordon

2 3 ways to participate
- Ask questions – link below this presentation
- Answer the polls – link below this presentation
- Comment and chat – click on ‘Say something nice’ (bottom-right)

Good afternoon and welcome – introduction. Please join in and participate in this webinar. If you look below this video stream you’ll see links for questions and polls. If you have any questions you’d like me to answer, please submit them and I’ll do my best to answer as many as possible at the end. You also have a chat area to the right – do say hello and chat to the other participants, although don’t include questions for me there as I won’t see them; remember to include these via the links below the video.

3 What’s it all about?
- Workplace reps may handle personal information about members, for example:
  - Member contact details
  - Personal case correspondence and documents
  - Membership lists
- As a union rep it’s important that you take steps to protect that information and keep it secure
- GDPR is bringing in important changes to the rules from 25 May 2018

So what’s today all about? As workplace reps you handle personal information about members all the time, for example: member contact details, personal case correspondence and documents, membership lists. It’s important that you protect that information, and keep it secure. There is some new law in this area, the General Data Protection Regulation or GDPR, which is coming into force in around 8 weeks, on 25 May. This has significant implications for organisations and individuals who handle personal data, including unions and union representatives.

4 What’s changing?
- Overall, GDPR rules about protecting privacy are stricter
- There are some enhanced protections for individuals such as stronger subject access rights…
- …and some new rights, such as the right to be forgotten
- Your union will be making changes to comply with the GDPR; you may see more detailed membership application forms or more information in privacy notices on the website

So what’s changing? Our current data protection laws date back to 1998 and these haven’t kept pace with advances in technology and the way we use data now. In 2016 the EU parliament approved new data protection rules contained in the GDPR. Overall, they are intended to provide people with better protection. There are some enhanced protections for individuals such as stronger subject access rights, and some new rights for the digital age, such as the right to be forgotten. You may have read about a legal case brought by individuals who wanted Google to delete some very old results which came up when they searched their name, and which they argued didn’t comply with their right to privacy. The right to be forgotten looks like forming an important part of individual privacy rights in our increasingly digital world. So with these new rules which the GDPR is bringing in, your union head office will be making changes, and you may see more detailed membership application forms or more detailed privacy notices on the website. Your union may have appointed a Data Protection Officer or DPO to oversee this.

5 Today’s webinar
- Introduction: what do the data protection rules apply to?
- Preparing for the GDPR
- Keeping member information secure
- Respecting members’ rights

In today’s session, I’m going to start with a brief introduction to explain when data protection rules apply. Then I’ll highlight three topics: some initial steps you can take to prepare for the GDPR; how you keep member information secure; and finally respecting members’ rights. It’s important to say this is an introduction only; this is a vast subject, and the intention today is to highlight some aspects for you to think about, take away and do some further work on. So let’s get started. First, when do data protection rules apply? What information is covered?

6 What information is covered?
- Any information about a living individual, such as:
  - Name
  - Job title
  - Work department
  - Email address
  - Union membership number*
- ‘personal data’
- *Special categories of data have stricter rules and require extra care. Special categories include information about an individual’s:
  - trade union membership or non-membership
  - health
  - politics

Well, the data protection rules apply to any information about a living individual from which the individual can be identified. That includes obvious things like name, date of birth, address, as well as less obvious things like IP address or email address. The GDPR refers to all of this as ‘personal data’. In some cases the individual will be easily identifiable, for example if their name is included. But the rules still apply even if the individual is not identified by name, provided they are identifiable by some other feature, such as their union membership number. Some categories of data have stricter rules and are referred to as ‘special categories of data’. This is also known as sensitive personal data. The special categories of data include information about an individual’s TU membership, their health, their politics, their race or religion. You need to be particularly careful when handling special categories of data.

7 What activities are covered?
- Collecting and using data
- Disclosing it to others
- Storing and deleting data
- ‘Processing’
- Where? On a computer, or on paper in a filing system, or on paper intended to be put in a filing system

So that explains what information is covered by data protection rules. Next, we need to look at what activities are covered. The GDPR refers to ‘processing’ of data, which sounds as if it might be describing some technical computing function, but in fact refers to pretty much any use of data, including copying documents, reading them, sending by email and also storing information, or deleting it; all these count as processing and so the rules apply to those activities as well. And this covers work on a computer or other electronic device, like creating documents or sending emails, but also covers paper records in a filing system, like personal case files, and any paper documents waiting to go into a hard copy or electronic filing system.

8 Processing personal data: examples
- Membership database on computer
- Personal case files in a cabinet
- Grievance outcome emailed to you by a member
- Handwritten notes from a meeting with a member, if they are intended to go in the member’s file
- Contact details on your mobile phone or laptop
- But probably not handwritten notes in your diary

So here are some examples of when your handling of member information will count as processing personal data, which means the rules will apply: accessing or working on a membership database on computer, or personal case files in a cabinet; reading a grievance outcome emailed to you by a member; taking handwritten notes from a meeting with a member, provided they are intended to go in the member’s file; looking through contact details on your mobile phone or laptop. One type of information to which the rules may not apply is handwritten notes in your diary where you’re not going to copy them to a hard copy or electronic file. You’ll see from this that the data protection rules are likely to apply to almost all information you handle as a workplace representative, especially member information. In fact almost all personal information you handle as a workplace rep is likely to be special category data because it relates to trade union membership, and so the stricter rules will apply. This means you should take extra care when handling it.

9 Preparing for the GDPR
- Find out from your regional or full time officer what your union’s data protection and information security policies are
- Be familiar with your union’s policies, and make sure you follow them when you handle member information
- Be aware of the GDPR’s data protection principles, which set out the golden rules for handling personal information

I’m going to move on now to the three topics I want to cover today in a bit more detail. The first of these is what you can do to prepare for the GDPR. The first step is to find out from your regional or full time officer what your union’s data protection and information security policies are, read and get familiar with them, and make sure you follow them when you handle member information. Also you should be aware of what the GDPR calls the ‘data protection principles’. These are really the golden rules for handling personal information and I’m going to go through a short summary of those key principles now.

10 Data protection principles: handle data fairly
- Follow the rules: you must only use data fairly and in line with the rules
- Only use member data in line with your union’s policies, and in particular don’t share it with any third parties
- Take particular care with membership lists: if you have access to membership lists, remember this is special category data, and take steps to protect this information

First, the GDPR requires that you handle data fairly. This means you should only use member information in line with your union’s policies. In particular, don’t share it with any third parties. Remember that membership lists are special category data, so take extra care with this information.

11 Data protection principles: collect only what you need
- Explain why you need it: collect data for a specific purpose. For example: if you ask a member for copies of their GP letters to use for their personal case, tell them why you need the letters, what you are going to do with them, who you will send them to, what you will do with them afterwards
- And don’t take too much: collect only the data you need for that purpose. For example: do you need to keep and share all the letters from the member’s GP? Are they all relevant?

The GDPR’s golden rules also require you to be open and transparent when you collect information from a member. When a member gives you any information about themselves, whether that’s an address or a bundle of documents, make sure they know why you need it and what you will do with it. So that might mean which address you will use to communicate with them. Or take the example where you’re assisting a member with a personal case about sickness absence. If you need copies of their GP letters, you need to tell them why you need the letters, what you are going to do with them, who you will send them to, what you’ll do with them afterwards. If you intend to give copies to the employer, check that the member understands this and is happy for you to do it. Also, don’t take more personal information than is needed for the purpose. The GDPR calls this ‘data minimisation’; it really means, only take what you need. So if in the example of the sickness absence case your member has a full copy of their GP record, but the latest letter has all the up to date information their employer has asked for, consider carefully whether you need the full file or whether just the latest letter is enough.

12 Data protection principles: update and retain data appropriately
- Keep it up to date: data must be accurate and up to date. For example: correct contact details when asked.
- But don’t keep it forever: data must be kept for no longer than necessary. For example: what is your union’s guidance about how long you should keep personal case files for, and where should they be held? Do you need to keep everything?

Finally on the data protection principles, the GDPR requires that you keep data up to date and that you don’t keep it for longer than you need it. So, make sure you update your records when your members provide you with new information like new workplace or home addresses, so you’re not sending personal information to the wrong place. And make sure that you know your union’s policy on how long you should keep information for. Some issues you might want to consider include how long you keep information about old members, and personal case files.

13 Information security
- Hacking: Carphone Warehouse was fined £400,000 when 3m customer records were put at risk by a cyberattack; the company’s outdated software made it vulnerable
- Human error: a barrister was fined £1,000 when her files were uploaded to the internet by her husband while he updated software on their home computer
- Passwords/encryption: the ICO criticised a lawyer whose laptop was stolen; it contained confidential information about 8 individuals which, contrary to ICO guidance, was not password protected.

So we’ve covered the first of the topics I’m going to deal with today, handling data fairly. I’m going to look now at the second topic, which is information security. This is a fundamental part of handling member information properly. Unions and their reps will handle all sorts of very sensitive information about their members, and it’s really important to keep it secure. The Information Commissioner, known as the ICO, is the regulatory body who considers complaints about breaches of data protection and information security. Here are some examples of the ICO’s decisions on complaints of data breaches. Back in December… Last year, another lawyer was criticised when she had failed to password protect a laptop and it was stolen when she was having work done in her home. The ICO’s guidance recommends that all mobile devices which contain confidential information should have a password. In cases of loss or misuse of data that you become aware of, you should immediately contact your regional or FT officer or your union’s DPO so that they can advise you as to whether you need to take any other steps.

14 Keeping member information secure
Some issues to consider about paperwork, for home, in the workplace and on the move:
- Clear desk policy
- Files kept under lock and key
- Take care when travelling; laptops are more secure than paper files as they can be password protected
- On public transport don’t leave papers or a laptop unattended, and don’t discuss anyone’s personal information with a colleague or on the phone
- Don’t leave papers or a laptop in your car
- Your union’s policies: it is important to read and apply the guidance your union provides about information security, and report any breaches

Next I’m going to highlight some areas you might want to consider about how you keep your members’ information secure. The starting point for all these security issues is to read your union’s policies about keeping member information secure, and check that the way you work is in line with those policies. With paper files, for example, do you have a clear desk policy when working on members’ cases at home or in the workplace, to prevent other people in your workplace or home from seeing personal information? Do you need to keep files in a locked cabinet? You need to take particular care when travelling. Don’t leave papers or a laptop unattended, and don’t discuss personal details on public transport when others can hear. You shouldn’t leave papers or a laptop in your car. Soft copies rather than paper copies are likely to be safer, because of the ability to password protect sensitive documents in digital form.

15 Keeping member information secure
Some issues to consider about computer use, for home and in the workplace:
- Use remote access to the union system or a case management system if available
- Shared computers: use password protected individual user accounts
- Back-up issues
- Consider password protection of laptops/mobiles, and individual documents on devices
- Your union’s policies: it is important to read and apply the guidance your union provides about computer and mobile devices, and report any breaches

Another important aspect to think about is your use of computers. Use remote access to the union system or a case management system if available. If that’s not available and you are using a shared computer, make sure you set up a password protected individual user account which other users can’t access. Loss of electronic documents can also cause members problems, so think about the arrangements you have for backing up your computers and other devices, and make sure these are safe too. Some 25% of complaints to the ICO relate to loss of data on mobile devices, so make sure your devices are password protected, and if you have particularly sensitive documents on a mobile device, consider adding a password to the individual document as well.

16 Keeping member information secure
Some issues to consider about email use, for home and in the workplace:
- Work email systems
- Home emails – who has access?
- Double check addresses and attachments before sending
- Consider password protection of sensitive documents
- Your union’s policies: it is important to read and apply the guidance your union provides about email use

Finally on this, some issues to consider about use of emails. Again, check your union’s policies as a starting point. With work emails, practice may vary. In some workplaces reps won’t use the work email system for communications with members; others may have facilities agreements permitting use of work emails. If you’re unsure about the practice in your workplace, check with your union whether it’s OK to use your work email, and if you are using it, be sure to include the words Private and Confidential in the subject line. If you are not able to use your work email to correspond with members you could use your union email address rather than a home address, especially if this is a shared family email. If you don’t have a union email address, you may need to sign up for an email address which is only accessible by you. Again, if you are concerned, think about password protection, particularly of sensitive documents. In summary: read and understand your union’s policies, and check with your regional or full time officer if there is anything you are not sure about. Think about how you protect member data, both in the workplace and at home, on the move and when using mobile devices, computer and email. Report any loss or unauthorised use of member data.
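The email advice on this slide (double-check addresses and attachments, mark member correspondence ‘Private and Confidential’, keep it out of shared family mailboxes) can be turned into a mechanical pre-send check. The Python script below is an added example written for this page; it is not code from TUC Education or from the webinar. It assumes a hypothetical union policy: an allow-list of domains that may receive member correspondence (ALLOWED_DOMAINS, made up here), a fixed subject-line marker, and filename patterns that suggest special-category material (SENSITIVE_NAME_PATTERNS, also made up). The two sample drafts are constructed, not real correspondence.

```python
"""Pre-send check for emails that carry member information.

Added example for this page (not TUC Education's code). Everything in
ALLOWED_DOMAINS, SENSITIVE_NAME_PATTERNS and the sample drafts is made up.
"""
import re
from dataclasses import dataclass, field

# Hypothetical union policy: only these domains may receive member correspondence.
ALLOWED_DOMAINS = {"union.example", "employer-hr.example"}

# Filename fragments that suggest special-category data (health, grievances,
# membership lists). Matched against the lower-cased attachment name.
SENSITIVE_NAME_PATTERNS = (
    r"\bgp\b", r"medical", r"sick", r"grievance", r"disciplinary",
    r"member(ship)?[ _-]?list",
)

CONFIDENTIAL_MARK = "private and confidential"


@dataclass
class Draft:
    to: list
    subject: str
    attachments: list = field(default_factory=list)
    cc: list = field(default_factory=list)
    body: str = ""


def domain_of(addr):
    """Return the lower-cased domain of a well-formed single address, or None.

    A stray space, a missing '@' or a domain with no dot is the kind of typo
    that sends a GP letter to the wrong place, so these are rejected outright.
    """
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", addr.strip())
    return m.group(1).lower() if m else None


def looks_sensitive(filename):
    name = filename.lower()
    return any(re.search(p, name) for p in SENSITIVE_NAME_PATTERNS)


def check_draft(draft):
    """Return a list of problems to confirm before sending; empty means OK."""
    problems = []
    recipients = draft.to + draft.cc
    if not recipients:
        problems.append("no recipients")
    for addr in recipients:
        dom = domain_of(addr)
        if dom is None:
            problems.append(f"malformed address: {addr!r}")
        elif dom not in ALLOWED_DOMAINS:
            problems.append(f"{addr} is outside the allowed domains")

    sensitive = [a for a in draft.attachments if looks_sensitive(a)]
    if sensitive and CONFIDENTIAL_MARK not in draft.subject.lower():
        problems.append("subject lacks 'Private and Confidential' but attachments "
                        "look sensitive: " + ", ".join(sensitive))

    # Saying 'attached' with nothing attached (or the reverse) is a common slip.
    mentions = re.search(r"\battach(ed|ment)\b", draft.body, re.I) is not None
    if mentions and not draft.attachments:
        problems.append("body mentions an attachment but none is attached")
    if draft.attachments and not mentions:
        problems.append("attachments present but the body does not mention them")
    return problems


# Constructed sample drafts (not real correspondence).
OK_DRAFT = Draft(
    to=["hr@employer-hr.example"],
    subject="Private and Confidential: sickness absence meeting",
    attachments=["gp-letter-2018-03.pdf"],
    body="Please find the latest GP letter attached.",
)
BAD_DRAFT = Draft(
    to=["hr@employer-hr.exmaple"],          # transposed letters in the domain
    cc=["family@home-mail.example"],        # shared family mailbox
    subject="absence meeting",              # no confidentiality marker
    attachments=["gp-letter-2018-03.pdf"],
    body="Please find the latest GP letter attached.",
)

if __name__ == "__main__":
    for label, draft in (("ok", OK_DRAFT), ("bad", BAD_DRAFT)):
        print(label, "->", check_draft(draft) or "send")
```

Run as a script it reports the verdict on both constructed drafts: the first passes, the second is flagged three times (typo in the employer domain, a family mailbox on copy, and a sensitive attachment without the subject-line marker). In practice a check like this would sit in a mail client hook or a small wrapper the rep runs before sending; the problems it returns are prompts for a person to confirm, not an automatic block, since the allow-list will never cover every legitimate recipient.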

17 Respecting members’ rights
- Do not try to respond to subject access requests yourself: immediately pass the request to your regional or full time officer, as they have a limited time to respond to the request
- Assist: promptly provide any information requested by your union to assist it with responding to a request, for example copies of your correspondence with a member
- Read your union’s policies: it is important to follow the guidance your union provides about members’ rights in relation to their data

The focus so far has been on the data protection responsibilities of those who handle personal information. The third topic I want to highlight today is the data protection rights of individuals. The best known of these is the right to make a subject access request. As I said earlier, the GDPR provides for stronger subject access rights. Individuals have the right to be given access to their personal information, generally without paying a fee, and in standard cases information must be provided within a month. This applies to all organisations which handle data, including unions. Members have the right to request access to the personal data their union holds about them. There are two points to bear in mind about this. First of all, remember when making notes and corresponding about members that they have the right to ask for copies of what you have written about them. Secondly, if you receive a subject access request from a member, do not try to respond to it yourself: pass the request to your regional or full time officer. Do this immediately, as they have a limited time to respond to the request. Also, if you are asked by the union to provide any information to assist with a response to a request, for example copies of your correspondence with a member, do so promptly. Finally, read your union’s policies so you understand the rights members have to access the information you hold about them.

18 Key points to sum up
- Check: read and apply the guidance your union provides about data protection and information security
- Think: about your use of member data – almost everything you deal with for members will be subject to the data protection rules
- Secure: keep all member information secure, at home, at work and on the move
- Report: if you receive a subject access request, or in cases of loss or unauthorised use of member data, report immediately to your regional or full time officer or the union’s Data Protection Officer

That brings us to the end of this part of the webinar, which I’ll sum up in these four points:
1. Check your union’s policies and make sure you are applying them
2. Think about your use of member data, especially since the data protection rules will apply to almost everything you deal with
3. Keep member information secure
4. Report any subject access requests you receive and any loss or unauthorised use of member data
Now we have around 20 minutes for your questions.

19 Next webinar
The Gender Pay Gap. Date to be confirmed.
Subscribe to TUC Education on Crowdcast to be notified, or check back on tuceducation.org.uk

Before you go, here are some details of our next webinar, when we’ll be discussing the Gender Pay Gap. More information and a date to follow. Hope you can join us.
