
DATA PROTECTION REFORM & THE GENERAL DATA PROTECTION REGULATION

Join us in Nottingham on May 25th, 2018 for a seminar on the upcoming data protection reforms and the General Data Protection Regulation (GDPR). Learn about key definitions, the impact on your responsibilities, and the potential consequences of non-compliance. Don't miss this opportunity to ensure your organization is prepared for the changes.


Presentation Transcript


  1. DATA PROTECTION REFORM & THE GENERAL DATA PROTECTION REGULATION Coming to Nottingham on 25th May 2018

  2. Introduction • Housekeeping (and ground-rules) • Who am I? • What we will cover: • Data Protection as it is! • Data Protection as it (probably) will be! • Questions and quiz

  3. Definitions/jargon • Personal data is information about a living individual. • A data controller is a person or organisation that collects and keeps data about people. • A data subject is someone who has data about them stored somewhere by a data controller. • A data processor is someone who makes use of personal data on a data controller's behalf; and • Processing – everything from collection to disposal of personal data.

  4. Why do you need to know this? • You collect and deal with complex and sensitive information. • Data Protection requires that you protect people’s personal data (from loss, unauthorised use etc.) • For all staff, it is your responsibility; and • It is (or should be) in your contract of employment! • Wilful/negligent breach • Gross misconduct/prosecution

  5. GDPR Overview • New EU Regulation – to be adopted in full by all EU member States so as to harmonise Data Protection across Europe • In force across the EU from 25th May 2018

  6. GDPR Overview (2) • Despite Brexit plans, the UK has confirmed it will adopt the Regulation • Similar to the UK’s Data Protection Act but with more (definite) protection for data subjects; and • (probably) Larger fines!

  7. Derogations BUT… • The Regulation allows Member States to do some parts of the Regulation in their own way • There are 50+ of these derogations • The UK Government will need to pass legislation to implement these before 25th May 2018 • Data Protection Bill published 14th Sept 2017

  8. RECAP Current Data Protection Act

  9. Currently – the law as it is • Data Protection Act 1998 – applies to PERSONAL information that is held and processed by you. • Applies to living individuals • 8 principles of the Act • If you have a lawful basis to act, it allows you to. • The Information Commissioner (ICO) – regulator • Serious consequences for failing to comply with the Act. • Data Controller – up to £500k fine for a serious information breach • You – disciplinary action and possibly dismissal. It is everyone’s responsibility to understand the principles in relation to your role and team.

  10. Personal Data Identifies a living individual

  11. Sensitive Personal Data (a) Racial or Ethnic Origin (b) Political Opinions or Persuasion (c) Religious Beliefs or other beliefs of a similar nature (d) Trade Union Membership or Affiliation (e) Physical or Mental Health or Condition (f) Sexual Life (g) Commission or Alleged Commission of Offences (h) Any proceedings for any offence, committed or alleged, including any sentencing decisions made by the Court

  12. Conditions for processing • Uses of personal data must meet a condition from Schedule 2 • Uses of sensitive personal data must meet a condition from Schedule 2 and one from Schedule 3 • Can get consent – but ideally rely on something else!

  13. 8 Data Protection Principles

  14. Question

  15. Requests for Information Who can ask you? • Living individuals/agents – Subject Access Requests (YOU CAN CHARGE UP TO £50) • Access to Health Records Act 1990 – deceased/manual records • Police – Section 29 • Solicitors & Insurance companies – Section 35 • Freedom of Information? • If in doubt, refer to Information Governance at the CCG

  16. Question – who is covered by Data Protection?

  17. Who regulates this? • The Information Commissioner’s Office (ICO) • Promotes transparency in government, proactive approach to enforcement of access and privacy laws • Provides guidance and advice • Reports to Parliament • Independent of Government • And…

  18. Who regulates (2) • Investigates breaches; and • Imposes Civil Monetary Penalties (CMP) • £500k per breach… currently • Bad press/enforcement action • Possible prosecution of individuals/organisations

  19. Breaches

  20. CMP issued – examples • North East Lincolnshire Council were issued with an £80,000 fine in 2013 – loss of child data on a USB stick • Aberdeen City Council were issued with a £100,000 fine in 2013 – accidental upload to the web • Chelsea and Westminster Hospital NHS Foundation were issued with a £180,000 fine in 2016 – email sent openly to 700-plus users • Nottinghamshire County Council were issued with a £70,000 fine in 2017. They left vulnerable people’s personal data exposed online for five years

  21. Penalties for individuals • Ex-Leicester City Council worker fined £160, plus £364.08 prosecution costs and a £20 victim surcharge, for stealing 349 service user and staff records to help set up a new business. • Medical receptionist given a 2 year conditional discharge and £614 costs for unlawfully obtaining her sister-in-law’s medical records • Bank cashier fined £2,990, £250 costs and a £120 victim fee for using their position to illegally access customer details

  22. And…..Caldicott Principles • Justify the purpose(s) for using confidential information • Don't use personal confidential data unless it is absolutely necessary • Use the minimum necessary personal confidential data • Access to personal confidential data should be on a strict need-to-know basis • Everyone with access to personal confidential data should be aware of their responsibilities • Comply with the law • The duty to share information can be as important as the duty to protect patient confidentiality

  23. THE FUTURE GDPR/Bill… what’s different?

  24. New Data Protection Bill (1) Part 1 & 2 – Definitions and General Processing (GDPR) Part 3 – Law Enforcement Part 4 – Intelligence Services Part 5 – Information Commissioner’s Office Part 6 – Enforcement Part 7 – Miscellaneous!

  25. New Data Protection Bill (2) • Law Enforcement under Clauses 27–79. Organisations will only be subject to these clauses if they are • a Competent Authority, or • processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

  26. The Regulation Modernises (1) • Adds biometric and genetic data as classes of special category data (formerly known as sensitive personal data) • Gives added protection to children using sites such as Facebook & Snapchat (Information Services)

  27. The Regulation Modernises (2) • Profiling – defined as ‘automated processing intended to evaluate certain personal aspects of an individual’ • Pseudonymisation – pseudonymised data is clearly categorised as personal data

  28. Future 6 Principles • Fair & lawful -> Lawfulness, fairness and transparency • For specific, explicit and legitimate purpose -> Purpose limitation • Adequate, relevant & limited -> Data minimisation • Accurate & up to date -> Accuracy • Not kept longer than necessary -> Storage limitation • Ensure appropriate security -> Integrity and confidentiality

  29. 2 Missing Principles? • Data Subject Rights get a whole section to themselves in Articles 12-20 • Transfer outside the EEA is defunct as the new Regulation applies worldwide

  30. Additional ‘Principles’ (1) Overarching new embedded principle: Accountability An organisation must demonstrate that it complies: • Implement appropriate technical and organisational measures that ensure and demonstrate that you comply e.g. policies, procedures, security. • Maintain relevant documentation on processing activities. • Where appropriate, appoint a Data Protection Officer. • Implement measures that meet the principles of data protection by design and data protection by default. • Use Data Protection Impact Assessments where appropriate.

  31. Break

  32. Data Subject Rights The Rights of the Data Subject (Articles 12 to 20) • Right to Access • Right to Rectification • Right to Erasure • Right to Restriction • Right to Data Portability • Right to Object • Right to Complain

  33. Subject Access Requests • Can no longer charge £10/£50 • Unless… extra copies = reasonable fee; or • Manifestly unfounded or excessive = reasonable fee (based on Administrative costs) • Provide a copy of the data being processed; and • Details of how, and by whom! • 1 month to respond… can be extended by another 2 months if excessive

  34. Controller-Processor • Your Data Processors are now also as liable as Data Controllers for fines; but • You must review all contracts to update as necessary to reflect new obligations • Undertake DPIA pre-tender process • Use Model DP Questions in ITTs • Use Model EU DP Clauses in contracts • Use Model Data Processing Agreements

  35. Scope & Territory GDPR will apply to the processing of personal data: • For activities of an organisation in the EU, regardless of whether the data processing takes place in the EU or not; and • of data subjects residing in the EU by an organisation not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU. • Issues for UK post-Brexit?

  36. Conditions for Processing Data Conditions for processing non-special personal data under GDPR (Article 6): • Consent • Contract • Legal obligation • Vital interest of data subject • Public interest • Legitimate interest (can no longer be used by public authorities)* * core tasks

  37. Conditions for Processing Data (2) Conditions for processing special category data under GDPR: • Explicit consent • Employment, social security or social protection law • Vital interest of data subject or another • Not-for-profit bodies • Made public by data subject • Legal claims • Substantial public interest • Medicine, health or social care • Public health • Research and statistics • + national derogations – all the same as now

  38. Consent If you use consent as a basis for using data you must • Consent – clear, affirmative, informed, freely given and unambiguous – & if special category data it must be EXPLICIT – opt in, not opt out • Record – Must show an audit trail • Use consent as last resort where possible. If they withdraw it you have problems!

  39. It is not just about consent! • Other conditions for processing will apply • Like……..Article 9!

  40. Health-Article 9 conditions • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent; • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;

  41. What about the Duty of Confidence? • Art 6 condition - yes • Art 9 condition - yes • Especially for direct care / team around the patient • BUT • Common law… is there a duty of confidence? • If yes, consent still needed but this can be implicit

  42. Information Society Services E-Commerce Reg - Where online services are provided to a child and consent is relied on, consent must be given or authorised by a person with parental responsibility for the child. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit -which may be no lower than 13). Other processing – Gillick Competency

  43. Privacy Notices (1) • Privacy Notices must be in plain English, child friendly • ICO says be innovative e.g. videos

  44. Privacy Notices (2) A Privacy Notice must include: • Identity and contact details of the controller; • Contact details of the Data Protection Officer (if you have one); • Purposes of processing and legal basis for processing – including the “legitimate interest” pursued by the controller if this is the legal basis. • Recipients, or categories of recipients. • Details of data transfers outside the EU – including how the data will be protected (e.g. the recipient is in an adequate country; Binding Corporate Rules are in place etc.); and how the individual can obtain a copy of the BCRs or other safeguards, or where such safeguards have been made available.

  45. Privacy Notices (3) A Privacy Notice must include: • The retention period for the data – if not possible, then the criteria used to set this. • That the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent. • That the individual can complain to a supervisory authority, e.g. the ICO. • Whether there is a statutory or contractual requirement to provide the data and the consequences of not providing the data. • If there will be any automated decision taking – together with information about the logic involved and the significance and consequences of the processing for the individual.

  46. Data Protection Officer (1) • All public sector organisations must have one (covered by FOI) • Can appoint 1 DPO to multiple organisations • Role can be part of another job – but no conflict of interest (cannot be CX, SIRO, Caldicott, Head of IT etc.) • Expert knowledge in Data Protection law and practice • Can outsource • Anyone in the Practice fit the bill (yet)?

  47. Data Protection Officer (2) • Report to top level management but independent • Protected from dismissal / coercion. • Resourced. • Contact details published • Defined duties – training, policy review, report breaches, complaints etc.

  48. Record of Processing Activities Kept by the DPO and basically an Information Asset Register + extra GDPR requirements, to include: • Purpose for processing • Categories and subject of data • Transfers/disclosures • Retention • Security

  49. Privacy by Design • Data Protection Impact Assessments (ex-PIAs) will be mandatory for some processing of data • Mandatory DPIAs must be OK’d by the data protection officer if you have one • Mandatory DPIAs must be submitted to the ICO for sign off if they still pose a risk • Build DPIAs into your normal business practice • Allow time in your processes for ICO turnaround (could be several weeks)

  50. Data Breaches • Report to the ICO within 72 hours if there is a risk to an individual • Later only if there is a ‘reasoned justification’ for this • Business fines up to 2% or 4% (up to €20m) of global turnover… whichever is the greater! • UK ICO – may or may not go there!
