1 a principle-based approach to compliance
Data Protection: a principle-based approach to compliance 19 September 2018 Maureen H Falconer Regional Manager - Scotland

2 Compliance is not about doing just one thing or ticking one box
Compliance is not about doing just one thing or ticking one box. It’s about building up a wall of compliance one brick at a time. However, the important point of this illustration is the way in which each ‘block’ fits into place with its neighbouring block: interaction and integration are key to ensuring no ‘gaps’ are left to weaken the overall structure! Building compliance

3 The Six Data Protection Principles
The six data protection principles are the ‘building blocks’ required for overall compliance and the standard to which all data controllers should aspire.
- Fair and Lawful: make sure you tell people what you are doing with their personal data through good Privacy Notices. Make sure you are relying on an appropriate Condition for processing and working within your powers.
- Limited Purposes: only use personal data for the lawful purposes required and don’t use it for something completely different.
- Data Quality: only use enough relevant personal data required for the purpose to avoid excessiveness.
- Accuracy: update data as necessary and correct when alerted to any inaccuracies. Also alert any corrections to those to whom data are disclosed.
- Retention: keep personal data for as long as required to comply with legal obligations and business need. Think about filtering records.
- Security: appropriate technological and organisational measures must be taken to secure the personal data. The more sensitive the data, the more security will be required.

4 Personal information must be…
…processed lawfully and fairly
…collected for specified, explicit and legitimate purposes
The First and Second Principles

5 Legal Bases - GDPR
Special Category data (Art 9): Explicit consent
Personal data (Art 6): Consent
In order to use personal data lawfully, you need to be able to rely on at least one condition for processing from the personal data column. If it is special category data, you need to be able to rely on at least one condition for processing from each column. Other than consent, the legal bases require that the processing is necessary. Consent has its own particular requirements. All bases have equal weighting: one does not carry any more status than any other. It is for the data controller to be satisfied that they are relying on the appropriate legal basis and it is recommended that a record is kept of the rationale on which the use is being made. This is especially important when not relying on consent.

6 What’s not consent?
- Relying on silence, pre-ticked boxes or inactivity;
- Having no genuine or free choice, or being unable to refuse or withdraw without detriment;
- In any specific case, having an imbalance between the person and the controller, especially where the controller is a public authority and it’s unlikely for consent to have been freely given in all the circumstances of that case;
- Not allowing separate consent to be given to different processing despite it being appropriate in any individual case; or
- Making the performance of a contract dependent on consent when it’s not necessary for such performance.
Remember that you can rely on alternative legal bases to consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests. Where you already rely on consent that was sought under the DPA or the EC Data Protection Directive (95/46/EC), you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR (see Recital 171). Implementation of the GDPR will require a review of consent mechanisms to ensure they meet the standards required under the legislation. If you cannot reach this high standard of consent then you must find an alternative legal basis or cease, or not start, the processing in question.

7 Legal Bases - GDPR
Special Category data (Art 9): Explicit consent, or where necessary for:
- Employment, social security, social protection law
- Vital interests and incapacity
- Not-for-profit religious, political or trade union bodies
- Put in public domain by the person
- Substantial public interest based on law
- Health, medical, social care
- Public health protection
- Archiving, research, statistical purposes
Personal data (Art 6): Consent, or where necessary for:
- Contract with the individual
- Comply with a legal obligation
- Protecting vital interests
- Task in the public interest / exercise of official authority
- Legitimate interests of the data controller, as long as not prejudicial to the person (NB: not available for a PA carrying out its tasks)

8 Legal Bases – DPA 2018 Special Category Data – Schedule 1
Part 1 – Employment, etc. Processing is necessary for:
- Employment, social security & social protection
- Health or social care purposes
- Public health
- Research
Part 2 – Substantial public interest. Processing is necessary for:
- Statutory & Govt’ purposes
- Equal Opportunities
- Prevention & detection of crime
- Protection against dishonesty, etc.
- Support for disability/medical condition by NFP organisation
- Confidential counselling
- Safeguarding of wellbeing of children and adults at risk
- Safeguarding of economic wellbeing of adults

9 Additional Safeguards…
Special Category Data – Schedule 1, Part 4, s39
The controller can only rely on the Schedule 1 legal bases if an ‘appropriate policy document’ is in place to explain:
- Procedures for securing compliance with the Data Protection Principles
- Policies on retention (including for how long) and erasure.
The controller must:
- Retain the ‘appropriate policy document’ for up to 6 months after the processing in question has ended
- Review and update the document as necessary during the period of processing
- Make it available to the Information Commissioner on request.

10 What information must be supplied? (Obtained from individual / Not obtained from individual)
- Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to a third country and safeguards
- Retention period or criteria used to determine the retention period
The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from individuals, as per the above table and on the next slide. The information you supply about the processing of personal data must be: concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.

11 What information must be supplied? (Obtained from individual / Not obtained from individual)
- The existence of each of the data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data
- The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences
When should information be provided? If the data are obtained from the individual, the notice should be provided at the time the data are obtained. If not, the notice should be provided within a reasonable period of having obtained the data (within one month). If the data are used to communicate with the individual, the notice should be provided, at the latest, when the first communication takes place. If disclosure to another recipient is envisaged, the notice should be provided, at the latest, before the data are disclosed.

12 Personal information must be:
…adequate, relevant and limited to what is necessary
…accurate and, where necessary, kept up to date

13 Personal information must be:
…kept in an identifiable form for no longer than is necessary
…kept secure - appropriate to the nature of the data

14 Accountability Principle

15 Can you share? Yes you can!
Often it is fear of doing something wrong that stops the lawful and effective sharing of personal information. People can also think that unless they have the consent of the individual in question, they can’t do anything with the data. This is not the case. The aim of this presentation is to show you how sharing can take place lawfully, fairly and in compliance with the law.

16 Preamble of legislation…
“...on the protection of natural persons with regard to the processing of personal data and on the free movement of such data…” (GDPR)
People are often unaware of the secondary purpose of data protection legislation as set out in the original 1995 Directive, on the basis of which the 1998 DPA was predicated. Moreover, it is replicated in the preamble to the GDPR. Yes, it’s about protection, but it’s also about free movement in a safe, secure and compliant manner.

17 Data Sharing Code of Practice
- Do you need to share personal data?
- Do you have the power to share?
- What is your legal basis for sharing?
- Have you told people this type of sharing may happen?
- What is the purpose and is it justified?
- Is the sharing proportionate to the issue?
- Is the data fact or opinion?
- Is the sharing secure and to an appropriate person?
- Is the data given in confidence?
- What’s the risk of sharing and not sharing?
- Have you recorded your reasons?
- Do you need a data-sharing agreement?

18 Learning from the past?
“What has clearly emerged, at least to us, is a failure of the system compounded of several factors of which the greatest and most obvious must be that of the lack of, or ineffectiveness of, communication and liaison.” T.G. Field-Fisher, 1974, Maria Colwell Inquiry
“The suffering and death of Victoria was a gross failure of the system and was inexcusable.” Lord Laming, 2003, Victoria Climbie Inquiry
“There was no system in place whereby one of the agencies responsible for Declan’s well-being was in overall charge and there was no system whereby one named individual was responsible for coordinating all available information.” Declan Hainey Fatal Accident Inquiry, 2014
“The loss of this intelligence cannot be blamed on the data protection legislation. [It was] caused by the failings of Humberside Police’s record-keeping systems.” Sir Michael Bichard, 2004, Jessica Chapman & Holly Wells Inquiry

19 Keep in touch Scotland Office: 45 Melville Street Edinburgh EH3 7HL
T: E: Subscribe to our e-newsletter at or find us on… /iconews @iconews
