
Data Protection Act 1998 NICVA 27 October 2011 Nigel Treanor






Presentation Transcript


  1. Data Protection Act 1998 NICVA 27 October 2011 Nigel Treanor

  2. Mission Statement • The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

  3. ICO’s Role • Enforce and regulate • Freedom of Information Act • Environmental Information Regulations • Data Protection Act • Privacy and Electronic Communications Regulations • Provide information to individuals and organisations • Adjudicate on complaints • Promote good practice

  4. Information Concerns • Recognition by the public that Data Protection is relevant to the following areas: • Preventing crime • Protecting people’s personal information • Unemployment (2004: 50%; 2009: 93%) • The National Health Service (2004: 78%; 2009: 90%) • National security • Environmental issues • Equal rights for everyone • Improving standards in education • Protecting freedom of speech • Access to information held by public authorities

  5. Royston House DFP Background Health Data HMRC November 2007 Street View North Lanarkshire Council

  6. Causes of Reported Data Loss

  7. Charities and ICO Enforcement • Charities breached data rules over unencrypted computer thefts • Sheffield-based charity Asperger’s Children and Carers Together (ACCT) • Nottingham-based charity Wheelbase Motor Project • Both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people (80 children and 50 young people) • Both incidents occurred when the devices were stolen; password protection alone does not protect data on a stolen device

  8. Data Protection Act 1998 • The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is held and handled properly.

  9. Charitable groups and the Data Protection Act – Examples of areas that are covered • Human resource information • Holding service user/volunteer/staff information • Sharing service user/volunteer/staff details • Service users or staff requesting their personal data • Direct marketing and promotional campaigns • Redundancy and employment issues • Information security • Retention periods • Database management and accuracy • Photographs of service users, volunteers or staff • CCTV images and video footage

  10. Data Protection Act 1998 • An Act to regulate the processing of information about individuals • Drawn from European Directive 95/46/EC • “Reserved” matter in Northern Ireland • Provides rights for individuals and sets out responsibilities for data controllers • 8 Data Protection Principles provide a framework for handling personal data

  11. Eight Principles of DPA • The Data Protection Act states that anyone who processes personal information must comply with eight principles, which make sure that personal information is: • Fairly and lawfully processed • Processed for limited purposes • Adequate, relevant and not excessive • Accurate and up to date • Not kept for longer than is necessary • Processed in line with your rights • Secure • Not transferred to other countries without adequate protection • All data controllers must comply with the principles

  12. Definitions • Personal Data means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of that individual. • Relevant Filing System / Accessible Record (the manual records that fall within the Act) • Processing is a compendious definition covering obtaining, recording, holding, consultation, use, disclosure, destruction or carrying out any other operation or set of operations on the information or data.

  13. Definitions – Sensitive Personal Data • Sensitive Personal Data means personal data where content relates to: • Racial and ethnic origin • Political opinions • Religious or other beliefs • Trade union membership • Physical or mental health • Sexual life • Criminal convictions/alleged offences • Sensitive Personal Data are subject to extra safeguards before they can be processed

  14. Definitions • Data Subject means an individual who is the subject of personal data • Data Controller means any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed • Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller

  15. What this means for the individual • How to Access Information • This allows you to find out what information is held about you on a computer and within some manual records, such as medical records, files held by public bodies and financial information held by credit reference agencies. • Correcting Information • This allows you to apply to a court to order a data controller to correct, block, remove or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information. • Preventing Processing of Information • This means you can ask a data controller not to process information about you that causes substantial unwarranted damage or distress. The data controller is not always bound to act on the request. • Preventing Unsolicited Marketing • This means a data controller is required not to process information about you for direct marketing purposes if you ask them not to. For example, you have the right to stop unsolicited mail.

  16. What this means for the individual • Preventing Automated Decision Making • This means you can object to decisions made only by automatic means, i.e. where there is no human involvement. • Claiming Compensation • This allows you to claim compensation through the courts from a data controller for damage, and in some cases distress, caused by any breach of the Act. • Requesting an Assessment • This allows you to ask the ICO to investigate and assess whether the data controller has breached the Act. The ICO’s “how to complain” guidance explains how to do this.

  17. Notification • Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence. • Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection • Notification Helpline: 0303 123 1113 (Mon-Fri 9am-5pm) • Changes to the notification fee structure came into effect on 1 October 2009. The fee structure is now tiered to reflect the costs to the ICO of regulating data controllers of different sizes

  18. Fair Processing Notice • Oral or Written statement that individuals are given when information is being collected • A Privacy Notice should tell people - who you are, what you are going to do with the information and who it will be shared with • It can go further and include access rights, security arrangements • A Privacy Notice should be genuinely informative • A Privacy Notice which is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective

  19. Right of Access (Subject Access Request) • A request for access must be received in writing • A request covers finding out whether personal data are processed and, if so, the data controller must (within 40 days): • provide a description of the personal data processed, of the purposes of the processing and of any recipients or classes of recipients • provide a copy of the information constituting the personal data in an intelligible form, and information about the source, if available • provide information about the logic of any automated decision that significantly affects the data subject

  20. Right of Access – the data controller has to consider… • Identification of the data subject and seeking assistance from the data subject to locate the personal data • Any exemption which may apply (e.g. prevention of crime) • Deciding whether it is reasonable to disclose third-party information. If consent of the other individual has been obtained, there should be no problem revealing the information • In the absence of consent of the other individual, the test of “reasonableness” needs consideration (e.g. any duty of confidence to the other individual; has consent been refused; can consent in practice be obtained; steps taken to obtain consent) • Removal of the minimum amount of information which identifies another individual – this, in some circumstances, could be just the name of the other individual

  21. What it means for charities • Heading in the right direction? • Do I really need this information about an individual? Do I know what I'm going to use it for? • Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for? • If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this? • Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure? • Is access to personal information limited to those with a strict need to know? • Am I sure the personal information is accurate and up to date? • Do I delete or destroy personal information as soon as I have no more need for it? • Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice? • Do I need to notify the Information Commissioner and if so is my notification up to date?

  22. Section 55 & ‘The Blagging Offence’ • “55 (1) A person must not knowingly or recklessly, without the consent of the data controller – • Obtain or disclose personal data or the information contained in personal data, or • Procure the disclosure to another person of the information contained in the personal data”

  23. Reporting Data Breaches • At present, there is no law expressly requiring you to notify a breach, but sector-specific rules may lead you towards issuing a notification to the ICO. • The ICO has issued guidance on data security breach management and on reporting a data breach to the ICO (available at www.ico.gov.uk). • But... revisions to Directive 2002/58/EC (the Privacy and Electronic Communications Directive) introduce compulsory breach reporting for the electronic communications sector.

  24. Changes to the Law • Significant losses of personal data in 2007/8 • Existing powers deemed inadequate • Public calls for criminal offence • Criminal Justice and Immigration Act s 77 Power for Secretary of State to alter penalty for unlawfully obtaining personal data • Preferred option was power to impose a Monetary Penalty – civil sanction • New power inserted into section 55 of Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (CJIA)

  25. Main features • The ICO may serve a Monetary Penalty Notice on a data controller requiring payment of a Monetary Penalty which must not exceed £500,000 • Applies to all data controllers in the private, public and voluntary sectors, except the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) DPA 1998 (the Royal Household)

  26. Specific requirements • Before the ICO can impose a Monetary Penalty it has to be satisfied under section 55A DPA 1998 that: • There has been a serious contravention of data protection principles by the data controller, • The contravention was of a kind likely to cause substantial damage or substantial distress and either…

  27. Specific requirements continued • -The contravention was deliberate or, • -The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention

  28. First Monetary Penalty Notices • (i) Hertfordshire County Council - £100,000 penalty (Nov 2010) • http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/hertfordshire_cc_monetary_penalty_notice.ashx • (ii) A4e Ltd - £60,000 penalty (Nov 2010) • http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/a4e_monetary_penalty_notice.ashx

  29. Second Monetary Penalty Notices • February 2011 • Ealing Council - £80,000 and Hounslow Council - £70,000 • Two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted, despite this being in breach of both councils’ policies. There is no evidence to suggest that the data held on the computers has been accessed, and no complaints from clients have been received by the data controllers to date, but there was nevertheless a significant risk to the clients’ privacy. • Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working had been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff. • Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely.

  30. Misdirected Emails – June 2011 • The ICO served Surrey County Council with a monetary penalty for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions. • The first incident, and the most significant of the three, took place on 17 May 2010. A member of staff working for one of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address. • The group email address included a large number of transportation companies, including taxi firms, coach and minibus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.

  31. Misdirected Emails - £120,000 • A second misdirected email, sent on 22 June 2010, led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter. • In a third incident, the council’s Children’s Services department sent confidential sensitive information, which included data relating to an individual’s health, to the wrong internal group email address on 21 January 2011. While the data did not leave the council’s network, this breach led to sensitive data being circulated to individuals who should not have received it. • The penalty of £120,000 recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information.

  32. Information Sharing Code of Practice

  33. Sharing Of Personal Data – Issues to consider: • Do you have the power or legal provisions to share the information? • What is the sharing intended to achieve? • Do you need to share personal data? • What information needs to be shared? • When should it be shared? • Who does it need to be shared with? • How should it be shared? • What benefits are sought from the proposed sharing? • What risks are there? • What are the likely effects on individuals/society? • Consider the consequences of not sharing. • Consent? Choice? Transparency? • Make the citizen/client/consumer the focus of the decision.

  34. Advice and Guidance • Information Commissioner’s Office • 51 Adelaide Street • Belfast • BT2 8FE • Tel. 02890 269380 • Fax. 02890 269388 • Website: www.ico.gov.uk • Enquiries by email: ni@ico.gsi.gov.uk • Notification Team: 0303 123 1113 (Mon-Fri 9am to 5pm)

  35. Keep in touch • Subscribe to our e-newsletter at www.ico.gov.uk or find us on… • www.twitter.com/iconews
