
NICVA Essentials Seminar Series An Introduction to Data Protection

NICVA Essentials Seminar Series An Introduction to Data Protection. Nigel Treanor Information Commissioner’s Office. Introduction. Aims for this evening - Dispelling the myths around data protection - Obligations under the Data Protection Act 1998 - Enforcement powers of the ICO





Presentation Transcript


  1. NICVA Essentials Seminar Series: An Introduction to Data Protection. Nigel Treanor, Information Commissioner’s Office

  2. Introduction
  Aims for this evening:
  - Dispelling the myths around data protection
  - Obligations under the Data Protection Act 1998
  - Enforcement powers of the ICO
  - Data protection and issues for charities

  3. Introduction
  - The Information Commissioner’s Office
  - What is the Data Protection Act?
  - What does it mean for the individual?
  - What concerns the ICO?
  - ICO enforcement powers
  - What do charities need to do?
  - ICO audits

  4. The Information Commissioner’s Office
  Regulator of primary legislation:
  - Freedom of Information Act 2000
  - Data Protection Act 1998
  - Privacy and Electronic Communications Regulations
  The structure of the ICO in the UK and Northern Ireland:
  - Offices
  - Roles and Responsibilities
  Advice, Assistance and Action:
  - Enquiries and Advice
  - Complaint resolution
  - Audit
  - Enforcement

  5. What is the Data Protection Act?

  6. What is the Data Protection Act? The type of information caught
  - Human resource information
  - Holding the personal data of staff, clients or service users
  - Sharing personal data with other organisations
  - Requests by individuals for their personal data
  - Promotional campaigns, events and direct marketing
  - Redundancy and employment issues
  - Retention and destruction schedules
  - Database management and accuracy
  - Photographs, CCTV images and video footage

  7. What is the Data Protection Act?
  - An Act to regulate the processing of information about individuals
  - Drawn from European Directive 95/46/EC
  - A “reserved” matter in Northern Ireland
  - Provides rights for individuals and sets out responsibilities for data controllers
  - Eight Data Protection Principles provide a framework for handling personal data

  8. What is the Data Protection Act? The Data Protection Principles
  The Data Protection Act states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
  - Fairly and lawfully processed
  - Processed for limited purposes
  - Adequate, relevant and not excessive
  - Accurate and up to date
  - Not kept for longer than is necessary
  - Processed in line with your rights
  - Secure
  - Not transferred to other countries without adequate protection
  All data controllers must comply with the principles.

  9. What is the Data Protection Act? Definitions
  - Personal Data means data which relates to or is focused upon a living individual
  - Sensitive Personal Data means personal data relating to an individual’s:
    - Race/ethnicity
    - Religious beliefs
    - Political opinions
    - Trade Union membership
    - Health
    - Sexual life or orientation
    - Criminal convictions (or alleged convictions)

  10. What is the Data Protection Act? Definitions
  - The Data Subject is the person to whom the data relates
  - The Data Controller is the (legal) person determining the purposes and means of processing
  - A Data Processor carries out data processing on behalf of the Data Controller
  - Processing is defined very broadly: obtaining, recording, consultation, use, disclosure, destruction, or carrying out any operation or set of operations on the information or data
  - Definition of a Relevant Filing System

  11. What is the Data Protection Act? Conditions for processing
  First Data Protection Principle: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
  (a) at least one of the conditions in Schedule 2 is met, and
  (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  12. What is the Data Protection Act? Conditions for processing
  Schedule 2 conditions:
  - Consent
  - Contract
  - Legal obligation
  - Vital interests
  - Administration of justice
  - Legitimate interests of data controller
  Schedule 3 conditions:
  - Explicit consent
  - Employment
  - Vital interests
  - Not for profit, Trade Unions, religious, political, philosophical groups
  - Already in public domain by data subject
  - Legal proceedings / advice
  - Administration of justice
  - Medical purposes
  - Equal Opportunity monitoring
  - Substantial public interest

  13. What is the Data Protection Act? Privacy Notice
  A Privacy Notice is an oral or written statement that individuals are given when information is being collected.
  - It should detail who you are, what you are going to do with the information and who it will be shared with
  - It can go further and include access rights and security arrangements
  - A Privacy Notice should be genuinely informative
  - A Privacy Notice which is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective

  14. What does it mean for the individual?

  15. What does it mean for the individual?
  - Accessing Information: This allows the data subject to discover what information is held about them on a computer and within some manual records, such as medical records, files held by public bodies and financial information held by credit reference agencies.
  - Correcting Information: This allows the data subject to apply to a court to order a data controller to correct, block, remove or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.
  - Preventing Processing of Information: This allows a data subject to ask a data controller not to process information that causes substantial unwarranted damage or distress. The data controller is not always bound to act on the request.
  - Preventing Unsolicited Marketing: This means a data controller is required not to process information about a data subject for direct marketing purposes if the data controller is asked not to. For example, the right to stop unsolicited mail.

  16. What does it mean for the individual?
  - Preventing Automated Decision Making: This means you can object to decisions made only by automatic means, for example where there is no human involvement.
  - Claiming Compensation: This allows you to claim compensation through the courts from a data controller for damage, and in some cases distress, caused by any breach of the Act.
  - Refer to ICO: You can ask the ICO to investigate a complaint.

  17. What does it mean for the individual? Right of Access (Subject Access Request)
  - A request for access must be received in writing
  - A fee of £10 can be charged (up to £50 for educational or health records)
  - Data controller has 40 calendar days to respond
  - Data subject has the right to be informed whether personal data is being processed, a description of the data, the purpose of processing and the source of the data
  - The logic behind an automated decision

  18. What does it mean for the individual? Right of Access
  The Data Controller has to consider:
  - Identification of the Data Subject and seeking assistance from the Data Subject to locate the personal data
  - Any exemption which may apply (e.g. prevention of crime)
  - Deciding whether it is reasonable to disclose third party information. If consent of the other individual has been obtained, there should be no problem revealing the information
  - In the absence of consent of the other individual, the test of “reasonableness” needs consideration (e.g. any duty of confidence to the other individual; has consent been refused; can consent in practice be obtained; steps taken to obtain consent)

  19. What concerns the ICO?

  20. What concerns the ICO? Section 55
  “Section 55 (1) A person must not knowingly or recklessly, without the consent of the data controller –
  (a) obtain or disclose personal data or the information contained in personal data, or
  (b) procure the disclosure to another person of the information contained in the personal data”

  21. What concerns the ICO? Notification
  - Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence.
  - Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.

  22. ICO Enforcement Powers

  23. ICO Enforcement Powers
  Investigatory:
  - Assessment
  - Complaints
  Regulatory:
  - Enforcement notice
  - Undertakings
  - Audit
  Punitive:
  - Civil Monetary Penalties
  - Prosecution

  24. ICO Enforcement Powers: Civil Monetary Penalties
  Before the ICO can impose a Monetary Penalty it has to be satisfied that:
  - There has been a serious contravention of the data protection principles by the data controller,
  - The contravention was of a kind likely to cause substantial damage or substantial distress, and either
    - The contravention was deliberate, or
    - The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention

  25. ICO Enforcement Powers
  In 2012, 24 fines totalling £3,120,000 in Civil Monetary Penalties were levied.
  Summary of causes:
  - Theft of laptops and papers (outside of the office)
  - Mis-directed emails and faxes
  - Confidential material disclosed to wrong recipients
  Types of personal data:
  - Sensitive information relating to children and vulnerable people
  - Detailed medical information

  26. ICO Enforcement Powers
  - Highest Monetary Penalty (PECR), 28 November 2012: A monetary penalty of £440,000 has been served on the joint owners of Tetrus Telecoms. The company had sent millions of unlawful spam texts to the public over the past three years.
  - First Northern Ireland penalty in 2012: A monetary penalty notice of £225,000 has been served on Belfast Health and Social Care Trust following a serious breach of the Data Protection Act. The breach led to the sensitive personal data of thousands of patients and staff being compromised. The Trust also failed to report the incident to the ICO.
  - Data loss outside the office: A monetary penalty of £100,000 has been issued to Croydon Council after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.
  - First ICO monetary penalty: Hertfordshire County Council were fined £100,000 for faxing personal data to the wrong recipient.

  27. What concerns the ICO? Regulatory Action and Charities or Social Care Providers 2012
  - Praxis Care Limited breached both the UK Data Protection Act and the Isle of Man Data Protection Act by failing to keep people’s data secure. An unencrypted memory stick was lost on the Isle of Man, containing personal information relating to 107 Isle of Man residents and 53 individuals from Northern Ireland.
  - Youth charity Fairbridge lost two unencrypted laptops containing employee information.
  - Community Integrated Care, a national social care charity, had an unencrypted laptop stolen containing personal and sensitive personal data.
  - Enable Scotland (Leading the Way) lost two unencrypted memory sticks and papers containing the personal details of up to 101 individuals, which were stolen from an employee’s home.
  All were asked to sign an undertaking.

  28. What concerns the ICO? Regulatory Action and Charities or Social Care Providers 2012
  10 October 2012: A social care charity, Norwood Ravenswood Ltd, was served with a monetary penalty of £70,000 after highly sensitive information about the care of four young children was lost after being left outside a London home. A social worker, who worked for Norwood Ravenswood Ltd, left the detailed reports at the side of the house on 5 December 2011 after attempting to deliver the items to the children’s prospective adoptive parents. At the time neither occupant was at the house, but when they returned to the property the reports were gone. The information has never been recovered. The reports contained sensitive information, including details of any neglect and abuse suffered by the children, along with information about their birth families. The ICO’s investigation found that the social worker had not received data protection training, in breach of the charity’s own policy, and received no guidance on how to send personal data securely to prospective adopters.

  29. What do charities need to do?

  30. What do charities need to do? Avoid Risks
  - Adhere to the Data Protection Principles
  - Question the need for processing
  - Data minimisation:
    - volume of personal data
    - time held
  - Identify and mitigate risks
  - Privacy by Design
  - Privacy Impact Assessment
  - Review regularly

  31. What do charities need to do? Take Action
  - Ensure data protection policies are in place and up to date
  - Restrict access to personal data
  - Identify a senior level individual to act as senior information risk owner
  - Continually make staff aware of the existing information governance policies and guidelines
  - Secure data internally and externally
  - Develop data protection within homeworking and IT policies
  - Maintain a Retention and Destruction Schedule
  - Be aware of changes to the Privacy and Electronic Communications Regulations

  32. ICO Audits

  33. ICO Audits
  - Think about an Audit
  - Types of Audits:
    - Self Assessment
    - Voluntary Audits
    - Compulsory Audit
    - Advisory Audit

  34. ICO Advisory Visit
  ‘Data protection advice. In a day. For free’
  - Aimed at small to medium sized businesses and charitable organisations
  - A one day, informal visit from the ICO to give you practical advice
  - Three main areas are examined: security, records management and requests for personal information
  - The visit can be tailored to your organisation and is flexible enough to allow questions about data protection
  - There is no expense to your organisation, and you get a short report at the end which summarises what you should do next
  To find out more: http://www.ico.gov.uk/for_organisations/data_protection/working_with_the_ico/advisory_visits.aspx or email advisory@ico.gsi.gov.uk to register your interest.

  35. Contact Details
  ICO Belfast Office
  3rd Floor, 14 Cromac Place, Belfast BT7 2JB
  0303 123 1114
  ni@ico.org.uk
  www.ico.org.uk
