Data Protection Compliance
5 March 2012
Sue Pawar-Price, Barrister

INTRODUCTION
• Background
• Definitions
• 8 Data Protection Principles
• Data Sharing
• Data Protection Reform
BACKGROUND (1) EU DATA PROTECTION DIRECTIVE (DIRECTIVE 95/46/EC)
• Directive 95/46/EC addressed to all 27 member states.
• Requirement on each member state to transpose the Directive into internal law.
• Directive 95/46/EC had to be transposed by end of 1998.
• Each member state enacted its own Data Protection Legislation.
• UK enacted Data Protection Act 1998 (DPA).
• Similarly, Malta enacted its own Data Protection Act; Finland enacted the Finnish Data Protection Act; Norway enacted the Personal Data Act 2000, etc.
BACKGROUND (2) UK DATA PROTECTION ACT 1998
• UK also used this as an opportunity to review existing legislation and the 1984 Act was repealed by the 1998 Act.
• Main piece of legislation that governs the protection of personal data in the UK.
• The Act itself does not refer to PRIVACY.
• Intended to balance the interests of data subjects with data controllers.
• Freedom to process data vs. privacy of individuals.

BACKGROUND (3)
• UK DPA is large!
• It has a reputation of being a very complex piece of legislation!
• The new legal framework is also very complex (more later)!
TERRITORIAL SCOPE OF THE ACT: s5 DPA 1998
The Act applies to any Data Controller (DC) in respect of any Data where:
• Data Controller is established in UK & data processed in context of that establishment; or
• Data Controller is not established in UK or any other EEA state but uses equipment in UK for processing data otherwise than for the purposes of transit through UK.
DEFINITIONS
s1(1) & s2 DPA contain all the relevant definitions:
• Data
• Personal Data
• Sensitive Personal Data
• Processing
• Data Controller/Data Processor
• Relevant Filing System
• Information Commissioner
• Data Sharing
Once you understand the terminology, you can begin to understand the law and the compliance obligations on you.
DATA
“Data” means information which:
• (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, i.e., computer-based data;
• (b) is recorded with the intention that it should be processed by means of such equipment;
• (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or
• (d) does not fall within paragraphs (a), (b) or (c) but forms part of an accessible record as defined by s68.
PERSONAL DATA (1)
Personal data means data which relates to a living individual who can be identified:
• From those data, or
• From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.

PERSONAL DATA (2)
• It includes any expression of opinion or fact, such as: date of birth, postal address, e-mail address, telephone number, NI number, bank a/c number, credit card number, photos, video footage, etc.
• Whether the data relates to the particular individual will be a question of fact in each case.
SENSITIVE PERSONAL DATA
s2 DPA states sensitive personal data means personal data consisting of information as to:
• Racial or ethnic origin
• Political opinions
• Religious/similar beliefs
• Trade Union membership
• Physical or mental health or condition
• Sexual life
• Offences
• Proceedings for any offence committed or alleged to have been committed, the disposal of proceedings or sentence passed.
*Sensitive personal data is very often the root cause of privacy issues.
PROCESSING
Processing information or data includes:
• Organising, adapting or altering information or data;
• Retrieving, consulting or using information or data;
• Disclosing through transmission, dissemination or otherwise making available;
• Alignment, combination, blocking, erasure or destruction of the information or data.
• This means that just about any use, or non-use, of data is covered, including simply keeping it!
DATA CONTROLLER? (1)
• Data Controller (DC) means a person who (alone or jointly with other persons) determines the manner in which and the purpose for which personal data are to be processed.
• Data Processor (DP) is any person (other than an employee of a Data Controller) who processes data on behalf of the Data Controller, e.g. a third-party mailing house.

DATA CONTROLLER (2)
Posting data on HIFID:
• The Company that holds the information will be the DC & will be processing that data.
• Following transfer, IMTRC Solutions Ltd is also the DC.
• The Company which then accesses that information by retrieving it will at that point also become a DC.

DATA CONTROLLER (3)
• This means that all of you are DCs:
• Members that use HIFID are DCs;
• IMTRC Ltd is a DC.
• Para 6 User Agreement: “IMTRC Solutions will act as DC and third party manager of the data logged”.
DATA CONTROLLER (4)
• Being a DC carries with it serious legal responsibilities.
• Including ensuring compliance.
• A DP has no responsibilities under DPA for personal data processed by it.
• DC is responsible for the actions of the DP under DPA.
• DPs have very limited obligations.

INFORMATION COMMISSIONER
• New name for Data Protection Registrar.
• UK’s independent authority set up to uphold information rights in the public interest, promote openness & data privacy for individuals.
• Sponsored by the Ministry of Justice.
• Based in Wilmslow, Cheshire.
DATA SHARING (1) ICO Data Sharing Code of Practice, May 2011
• Published under s52 DPA (so it’s the statutory Code of Practice):
• “The disclosure of data from one or more organisations to a third party organisation or organisations or the sharing of data between different parts of an organisation”
• If you are going to share data, make sure it is covered in your Register entry.

DATA SHARING (2) ICO Data Sharing Code of Practice, May 2011
• Does not impose additional legal obligations.
• Not an authoritative statement of law.
• If there has been a breach of the Code, ICO cannot take action unless there is also a breach of DPA.
• But the Code can be used as evidence in any legal proceedings (not just proceedings under DPA).
DATA SHARING AGREEMENT Does not provide you with immunity from action under DPA. It helps you to justify your data sharing & demonstrate that you have thought about compliance issues and documented them.
DATA SHARING AGREEMENTS
Data Sharing Code of Practice recommends the Agreement covers the following issues:
• Purpose of the data sharing initiative
• Data items to be shared
• Legal basis for data sharing
• Access and individual rights under DPA and FOIA
• Information governance
• Which data sets are shared
• Provisions to ensure accuracy, e.g. periodic sampling
• Compatibility of data sets and how data is recorded
• Rules for retention and deletion of data
• Technical and organisational security measures, including procedures for transmission of data and for breach of the agreement
• Procedures for DPA/FOI access
• Timescales for review of data sharing arrangements and the agreement
• Procedures for dealing with termination and consequences.
STARTING POINT (1) DOES THE SHARING COMPLY WITH LAW?
• The organisations in the Data Sharing Agreement must have the power to share information with each other.

STARTING POINT (2)
You need to ensure that the data sharing complies with the 8 Data Protection Principles:
• At the outset when the data is first shared/provided; &
• On an on-going basis for the duration of the data sharing agreement.

STARTING POINT (3) What data is to be shared?
• Personal Data?
• Sensitive Personal Data?
• Both?

8 DATA PROTECTION PRINCIPLES
It is your responsibility as DCs to ensure that data is:
• Processed fairly & legally
• Processed for limited purposes in an appropriate way
• Relevant & sufficient for the purpose
• Accurate
• Kept for no longer than is necessary
• Processed in line with individuals’ rights
• Secure
• Only transferred to countries that have suitable data protection controls.
PRINCIPLE 1 (1)
• Non-sensitive personal data must be processed fairly & lawfully & shall not be processed unless one of the below is met (Sch. 2):
• Consent (the most important)
• Contract
• Legal obligation
• Vital interests of the subject (life or death)
• Public functions
• Balance of interests
• What has the individual(s) been told about who processes their data, how it will be used and who it will be shared with?
• What are their expectations regarding use of their data?
• Do any exemptions apply (s29: Crime & taxation)?

PRINCIPLE 1 (2) SENSITIVE PERSONAL DATA
Sensitive personal data can only be held if one of the following is met:
• Explicit & informed consent
• Employment law
• Vital interests of subject (life or death)
• Legal proceedings
• Medical purposes (by medical professionals)
• Equal opportunities monitoring
PRINCIPLE 1 (3) DATA POSTED ON HIFID (PERSONAL OR SENSITIVE PERSONAL DATA?)
• Data posted on HIFID is personal data: e.g. name, date of birth, fraud type, region.
• No evidence is posted here, e.g. no medical records.
• No sensitive personal data.
• Privacy Notice warns members that the information is provided in accordance with Data Protection and Privacy legislation in the country of issue.

PRINCIPLE 1 (4) CONSENT
• Must be “freely given”, “specific” & “informed”.
• Cannot use implied consent.
• Cannot use blanket consent.
Note: you are unlikely to get consent from a person under investigation for fraud!
Note: if you tip off the individual it would allow them to destroy evidence, dissipate funds and is highly likely to prejudice a prosecution.
PRINCIPLE 1 (5) EXEMPTION
s29(3) DPA 1998 states that personal data processed for:
• the prevention or detection of a crime,
• the apprehension or prosecution of offenders;
• the assessment or collection of any tax or duty or of any imposition of a similar nature
is exempt from the first data protection principle, but only to the extent that applying the principle would cause prejudice to those purposes.
• This is the crucial section.
• No consent is necessary & no obligation to process data fairly or disclose it to the data subject.
• It has very wide & general application.
• Covers the activities of HICFG.
PRINCIPLE 1 (6) What is meant by a Crime?
• “F” word rarely used, for commercial and/or tactical reasons.
• Beyond the legal definition of Fraud (contained in s1 Fraud Act 2006), there is no UK statutory definition of health care fraud (other than the various categories/baskets which have evolved over time such as upcoding, unbundling, phantom billing, double billing, unnecessary services, misrepresenting, etc.).
• The reality is that you “process” personal data in order to detect & prevent crime/fraud.
• It is also done with a possible prosecution in mind. The prosecution can be a public prosecution or a private prosecution.

PRINCIPLE 1 (7) What is meant by a crime?
• Defrauding insurance companies usually involves an element of DISHONESTY.
• Where there is dishonesty, there is usually an associated crime. Examples include:
• Fraud by false representation: s2 Fraud Act 2006
• Fraud by failure to disclose information when there is a legal duty to do so: s3 Fraud Act 2006
• Obtaining services by deception: s11 Fraud Act 2006
• Theft: Theft Act 1968
PRINCIPLE 1 (8) What about those cases with no dishonesty?
• If a claim has been made honestly but mistakenly, then this is not a crime.
• So investigating these sorts of cases cannot amount to investigation of a crime.
• However, these sorts of cases will probably start out as an investigation into potential criminal activity and then may stop short of discovery of a criminal act.
• Strong argument: investigating honestly made but mistaken claims which bear all the hallmarks of a fraud (but ultimately turn out not to be a fraud) is also investigation of a criminal activity.

PRINCIPLE 1 (9) PARA 6 USER AGREEMENT states:
• “Use of the health fraud hub and HIFID database is done under the exemption section within the Data Protection or Privacy Act from the country in which you operate for the purpose of fraud detection, fraud prevention, fraud management the apprehension or prosecution of offenders”.
• “Data will be used for the exclusive objective of detecting and preventing fraud within Private Medical Insurance”.
PRINCIPLE 2
• Data must be obtained only for one or more specified & lawful purposes.
• For what purpose does the sharing organisation obtain data?
• Will the sharing of information with the receiving organisation be for a new purpose?
• Are the old and new purposes compatible?

PRINCIPLES 3 & 4
• Personal Data must be adequate, relevant & not excessive.
• You must not stock up on data unnecessarily!
• Which datasets will it be necessary to share with the receiving organisation to meet its particular purpose?
• Will it be necessary to restrict some datasets to use only for particular purposes?
• Personal Data shall be accurate & up to date.
• This is an on-going requirement & means data needs to be kept under constant review.

PRINCIPLE 5 (1) How long should the data be kept on HIFID?
• Principle 5 says that data should not be kept for longer than necessary for the purposes of the primary processing.
• 1995 Directive does not set any time limits.

PRINCIPLE 5 (2)
Para 13 User Agreement states that information will be destroyed automatically after 7 years.
• This follows guidance from ICO.
• Key: look at the limitation period.
• In UK the limitation period for dishonesty cases is 6 years from the date the cause of action arises.
• Time does not begin to run until the fraud has been, or with reasonable diligence would have been, discovered if the defendant deliberately conceals any act relevant to the cause of action (s32 Limitation Act).
• Arguably, no reason for information to be destroyed at all.
• But 7 years is reasonable.
PRINCIPLE 7 (1)
• Technical or organisational measures must be taken to prevent unauthorised or unlawful processing of data, and accidental loss, damage or destruction of data.
• Firstly, it relates to the IT systems in place (access, backups, password security, etc.) for all the Users and IMTRC Ltd.
• Secondly, it relates to the individuals using the system (adopt “need to know” principles).
• See ICO Checklist on Data Sharing.

PRINCIPLE 7 (2)
Build a culture within your organisation where employees know and understand good practice in respect of:
• Your own data; &
• Data received from other organisations.

PRINCIPLE 7 (3)
• What security measures have been built around HIFID?
• User agreement contains an agreed set of security standards.
PRINCIPLE 7 (4) USER AGREEMENT states:
• Health Fraud Hub and HIFID Software is registered with the ICO: Para 3.
• It adheres to best practice of the Office of the European Commission: Para 3.
• The System is hosted by IMTRC Solutions Ltd on a secure Rackspace server located in UK: Para 4.
• It adheres to the strictest of information security standards, has undertaken “bust testing” and has been scrutinised on site by a consortium of technology security experts provided by its members: Para 4.
• IMTRC Solutions Ltd agrees to sign up to a Non-Disclosure Agreement: Para 7.

PRINCIPLE 7 (5) USER AGREEMENT also states:
• The Principles and Practices of sound data management must be adhered to: Para 2.
• Ensure that only authorised individuals have access: Para 2(g).
• Information shared amongst users must be treated as highly confidential & not to be disclosed to a TP w/o prior written consent of IMTRC: Para 2(f).
• The number of users having access to the information is restricted, exclusive & relevant: Para 3.
• Ensure system users are trained & made aware of principles of data protection: Para 3.
• Ensure that their systems are registered with the ICO in UK and that registration is up to date: Para 3.
• Changes in employment status of company employees with access to Health Fraud Hub and HIFID: Para 5.
• Ensure that if a TP is given access then they too are contractually bound: Para 6.
• All members agree not to disclose (Non-Disclosure Agreement) data outside the controlled user group: Para 7.
PRINCIPLE 8 (1) INTERNATIONAL DATA TRANSFER
• Putting things on a website is tantamount to transfer of data.
• The transfer takes place at the point when someone accesses the website.
• If Data is accessed in a country outside EEA then there will be a transfer outside EEA.
• The Law says that you may transfer personal data to countries within EEA on the same basis you transfer data in UK (no restrictions).

PRINCIPLE 8 (2) EEA
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland*, Ireland, Italy, Latvia, Liechtenstein*, Lithuania, Luxembourg, Malta, Netherlands, Norway*, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
EEA comprises the 27 EU member states with the addition of Iceland, Liechtenstein and Norway (marked *).
PRINCIPLE 8 (3) Transferring data to countries outside EEA
You can only send personal data to a country outside EEA if:
• (a) that country or territory ensures an adequate level of protection for it; or
• (b) one of the exemptions applies.

PRINCIPLE 8 (4) EXEMPTIONS
Data can be transferred to any country outside EEA where at least one of the following applies:
• The data subject has given his or her consent to the transfer;
• Transfer necessary for the performance of a contract between data controller and data subject; or a contract between data controller and TP entered into at request of data subject; or is in interests of data subject;
• Transfer is necessary for legal proceedings or defending legal rights;
• The transfer is necessary for reasons of substantial public interest;
• Transfer necessary to protect vital interests of the data subject (life or death);
• Transfer is part of the personal data on a public register.

PRINCIPLE 8 (5) COUNTRIES OUTSIDE EEA WITH ADEQUATE PROTECTION
The European Commission has decided that the following countries outside EEA also have an adequate level of protection for personal data:
Andorra, Argentina, Australia, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay.
PRINCIPLE 8 (6) USA
• USA has no national-level data protection legislation.
• USA is not included in the European Commission list.
• However, companies that sign up to the “Safe Harbor” scheme have an adequate level of protection.
• These companies effectively agree to:
• A voluntary self-certification scheme;
• Follow the 7 principles of information handling; &
• Be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.
• There are some types of institutions that cannot sign up to the Safe Harbor Scheme (e.g. higher education & research institutions).

PRINCIPLE 8 (7) What about countries that are:
• Not in EEA;
• Not on the list;
• Not signed up to “Safe Harbor”; and
• Do not come within one of the exceptions?
Then you need to assess adequacy yourself:
• Is the level of protection in that country adequate?
• If not, can you put in place adequate safeguards?
• Model Contract Clauses (standard contractual clauses approved by EC)
• Binding Corporate Rules (applies to multinational organisations transferring out of EEA but within their group of companies)
• Or other contractual arrangements
Transfer unlikely to be adequate if:
• Transfer is to an unstable country; &
• Nature of information means it is at particular risk.