Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection What you need to know

Published byAgneta Nyberg Modified over 5 years ago

Similar presentations

Presentation on theme: "Data Protection What you need to know"— Presentation transcript:

1 Data Protection What you need to know
Tim Turner IRRV February 2018

2 Article 4: definition of data
Any information relating to an identified or identifiable natural person ‘data subject’ = identifiable person who can be identified by an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to person’s physical, physiological, genetic, mental, economic, cultural or social identity

3 Anonymised Pseudonymised data Personal data

4 Profiling / automated decisions
Analysis of person or prediction about behaviour In particular, performance at work, economic situation, health, interests and preferences, behaviour and reliability, location and movements Automated decisions A decision using personal data made by an automated process

5 Part 4: intelligence services
GDPR Applies as normal Applied GDPR Applies to matters outside EU competence Part 3: Law Enforcement Implements directive Part 4: intelligence services Applies GDPR-style standards to intelligence

6 Law enforcement purpose
Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

7 DP Bill: Public authorities
6) Any reference to public authorities or public bodies in the GDPR means: Freedom of Information Act 2000 Freedom of Information (Scotland) Act 2002 Anyone added by Secretary of State Implications: DPO, legitimate interests, manual processing

8 Controller Processor Decides how and why data is used
Does as required under contract with Controller Responsible if they do anything outside the contract

9 Art 26: Joint Controllers
Definition: two or more controllers jointly determine the purposes and means of processing Agreement should set out *transparently* how they will comply; in particular: rights of the data subject duties to provide fair processing

10 e) Purpose limitation d) Accuracy c) Data minimisation A5: Principles
a) Lawfulness, fairness and transparency b) Purpose limitation c) Data minimisation d) Accuracy e) Purpose limitation f) Integrity and confidentiality Controller is responsible for and shall be able to demonstrate compliance

11 GDPR Conditions Consent Necessary for contract Legal obligation
Vital interests Official authority / public interest Legitimate interest

12 Law enforcement purpose
Conditions Consent Law enforcement purpose

13 Law enforcement purpose
Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security

14 Law enforcement accuracy
Controllers should distinguish between Suspects / potential subjects Those who have been convicted Victims / potential victims Witnesses and other interested parties

15 SPECIAL CATEGORIES

16 Article 9: Special categories Racial / ethnic origin
Political opinions Religious / philosophical beliefs Trade union Biometric data Health Sex life / sexual orientation

17 Special categories conditions
Article 9: Special categories conditions Explicit consent Employment law Vital interests no consent Special category group use Made public by subject Public interest underpinned by law Establish / defend legal claims Health / social care Public health Archiving / research with safeguards

18 Substantial public interest AND
Government / legal Equality of treatment Preventing or detecting unlawful acts Protecting public against dishonesty Disclosure for journalism Fraud / terror financing Counselling Insurance Political parties Elected representatives

19 CRIMINAL RECORDS DATA

20 Criminal records conditions
Government / legal Equality of treatment Preventing or detecting unlawful acts Protecting public against dishonesty Disclosure for journalism Fraud / terror financing Counselling Insurance Political parties Elected representatives

21 Criminal records conditions (cont.d)
Consent from data subject Vital interests (subject cannot consent) Political, religious / philosophical, religious or trade union groups Subject has put data in public domain

22 Article 13 & 14: fair processing
Must use concise and transparent language Information must be reasonably accessible

23 TRANSPARENCY & RIGHTS

24 Provide if subject gives you the data
Article 13 Provide if subject gives you the data ID of data controller Contact of Data Protection Officer Purposes and legal basis of processing Legitimate interests Recipients of data International transfers Retention period or criteria Right to request rectification Right to withdraw consent Right to complain to ICO Consequences of failure to supply data Existence of profiling and other automated decision making

25 Fair processing if you get data from 3rd party
Article 14 Fair processing if you get data from 3rd party ID of data controller ID of Data Protection Officer Categories Purposes and legal basis of processing Recipients of data International transfers Retention period or criteria Legitimate interests* Right to request rectification / restriction Right to withdraw consent* Right to complain to ICO Source of data Existence of profiling and other automated decision making

26 Objection to optional processing Limitations on automated processing
RIGHTS FOR SUBJECTS Subject access Rectification Portability Restriction Right to be Forgotten Objection to optional processing Limitations on automated processing

27 Rights Rights disapplied when relevant personal data is processed in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty

28 Other processing EXEMPTIONS for
avoid obstructing an official or legal inquiry, investigation or procedure avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties protect public security protect national security protect the rights and freedoms of others

29 Other rights Subject access Rectification (fairly unrestricted)
Erasure (AKA RTBF) Breach of principles Processing data without condition where personal data must be erased in order to comply with a legal obligation restriction of processing in limited circs

30 Rights (cont.d) 46: limitations on automated ‘significant’ decisions (only where authorised by law) Definition of significant decision is producing an adverse legal effect concerning the data subject or significantly affects the data subject.

31 EXEMPTIONS

32 Exemptions All principles, rights and obligations apply at start
Exemption identifies a subject area (e.g. prevention / detection of crime) Exemption then identifies provisions that can be set aside First group of exemptions set aside the most provisions Each group after that sets aside less At the end, only transparency and SAR are covered

33 Main exemptions Removes transparency, rights including SAR, purpose limitation Crime prevention, detection, imposition of taxes, duties etc Immigration controls Legal obligations to publish / disclose, legal proceedings

34 Additional exemptions
Removes transparency / rights Functions to protect public Regulation of complaints in health, legal and children’s services Other regulators Parliamentary privilege, courts, honours

35 SECURITY AND BREACH NOTIFICATION

36 Processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

37 Loss Article 4 Security breach definition Breach of security
Personal data breach is: INCIDENT i.e. Destruction Loss Alteration Unauthorised disclosure / access LEADING TO: Breach of security

38 Unless unlikely to cause risk to rights and freedoms of data subjects
Article 33 – 34 Breach notification Unless unlikely to cause risk to rights and freedoms of data subjects IN 72 HOURS If likely to cause high risk to rights of data subjects ICO can order you to report REPORT TO ICO REPORT TO SUBJECTS

39 Article 33(3): ICO report Nature of breach
Numbers & categories of subjects Numbers of records Provide name & contact details of DPO Likely consequences of breach Measures taken to address / mitigate breach Can tell the ICO this information in phases

40 General controller obligations

41 GENERAL CONTROLLER REQUIREMENTS
Art 24: Ability to demonstrate compliance with GDPR Art 25: Data Protection by design and by default Art 26: arrangements / agreements with joint controllers

42 DATA PROTECTION OFFICER

43 a) Public authorities & public bodies
Art 37(1): DPO is required by three sector; org can be controller or processor a) Public authorities & public bodies b) Core activities involve regular and systematic monitoring of subjects on a large scale c) Core activities involve large scale processing of special categories / criminal convictions & offences Government can add sectors if it wishes – Art29 WP recommends that other sectors might have them Public authority can include private bodies- lack of choice for subjects is a significant factor

44 a) Public authorities & public bodies
Art 37(1): DPO is required by three sector; org can be controller or processor a) Public authorities & public bodies b) Core activities involve regular and systematic monitoring of subjects on a large scale c) Core activities involve large scale processing of special categories / criminal convictions & offences Government can add sectors if it wishes – Art29 WP recommends that other sectors might have them Public authority can include private bodies- lack of choice for subjects is a significant factor

45 A37(5): DPO designated on basis of:
“professional qualities” “expert knowledge of data protection law and practice” “ability to fulfil tasks” set out in Article 39 No mention of qualifications: RISK BASED APPROACH

46 Article 38(6): Conflict of interest
DPO can carry out other tasks as long as no conflict of interest Case by case decision depending on organisation’s structure LIKELY CONFLICTS: senior management, other role involved in determination of purposes

47 Article 39: TASKS Advise the organisation and staff on obligations under GDPR Monitor compliance with GDPR, UK DP laws, org’s own policies and procedures Provide advice on impact assessments and monitor performance Cooperate with ICO on GDPR issues and act as contact point with them

48 Article 38: DPO’s position
Must be “properly and in timely manner involved in all issues which relate to protection of personal data” Org must support DPO with necessary resources, access to data and systems DPO cannot be given instructions on how to carry out tasks; cannot be dismissed for performing those tasks; must report to senior management Must be available to be contacted by data subjects

49 Impact assessments

50 IMPACT ASSESSMENTS

51 Article 35 IMPACT ASSESSMENTS
On high-risk processing before it happens Profiling with significant effects Public surveillance on large scale Large scale special categories / criminal data

52 IMPACT ASSESSMENTS: ART 29 WP
Article 35 IMPACT ASSESSMENTS: ART 29 WP AT LEAST TWO OF THESE Automated decisions Systematic monitoring Sensitive data Large scale processing Matching datasets Vulnerable subjects Innovative techniques International transfers Processing that limits rights

53 Article 35 IMPACT ASSESSMENTS
Systematic description of project and purposes Assess necessity and proportionality Identify risks Apply suitable measures and safeguards

54 CONTROLLER / PROCESSOR

55 Controller Processor Decides how and why data is used
Does as required under contract with Controller Responsible if they do anything outside the contract

56 Controller / processor
Only select processors that offer ‘sufficient guarantees’ on ability to comply with Regulation and protect subject rights Must have binding contract Processor cannot enlist / change sub-processor controller consent Contract requirements passed down the chain

57 Controller / processor
Binding contract Nature of processing, data, subjects Act only on instructions Ensure confidentiality All necessary security measures Assist controller with subject rights, security & risk assessment Delete or return data

58 Contact 2040 for advice and training
Tel:

Download ppt "Data Protection What you need to know"

Similar presentations

DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.

Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.

Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training 2012. Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.

Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
DATA PROTECTION ACT 1998. INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March 2000. It is more far reaching than its predecessor,

DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
© University of Reading 2007 www.reading.ac.uk/data_protection Lee Shailer 06 June 2016 Data Protection the basics.

© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.

Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Sharing Information Legally Lindsay Ould London Borough of Lewisham.

Sharing Information Legally Lindsay Ould London Borough of Lewisham.
Practical implications of the Data Protection Bill By John Robinson Data Protection Co-Ordinator South Bucks NHS Trust.

Practical implications of the Data Protection Bill By John Robinson Data Protection Co-Ordinator South Bucks NHS Trust.
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.

Similar presentations

Ads by Google