
Data protection refresher training

Nigel Adshead, CUG & Regulatory Policy Manager


Presentation Transcript


  1. Data protection refresher training
     Nigel Adshead, CUG & Regulatory Policy Manager

  2. What is the Data Protection Act?
     The Data Protection Act 1998, administered by the Information Commissioner's Office (ICO), establishes a framework of rights and duties designed to safeguard personal data. It is underpinned by a set of eight straightforward, common-sense 'Principles'.
     Equifax takes its responsibility in this area very seriously and, as our regulator, the ICO expects our employees to have a good understanding of these Principles. The purpose of this presentation is not only to provide a refresher about Equifax's responsibilities under the Act, but also to allow staff to obtain a better understanding of how the Act affects their day-to-day responsibilities.

  3. Data Protection Act
     An Act to make provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
     • Concerns data pertaining to an individual: it does not cover limited company data, but DOES cover sole trader/partnership commercial data.
     • Defines the responsibilities of Data Controllers and Data Processors.
     • Defines the rights of the Data Subject.

  4. Key Definitions in the Data Protection Act
     PERSONAL DATA means data which relate to a living individual who can be identified from it.
     • A name, address or date of birth processed in isolation would not be personal data; however, if two or more of these variables were combined you may be able to identify the individual, and in that scenario the data becomes personal data.
     DATA SUBJECT means an individual who is the subject of personal data.
     PROCESSING can have several meanings, but the most common are obtaining, recording, holding, organising, adapting, altering and disclosing. All Equifax clients will almost certainly process personal data.
     DATA CONTROLLER: a person or organisation who determines the purposes for which, and the manner in which, any personal data is to be processed.
     • E.g. both Equifax and our client would be joint data controllers.

  5. Key Definitions in the Data Protection Act (continued)
     DATA PROCESSOR: a person or organisation (other than an employee of the data controller) who processes the data on behalf of the data controller. E.g. IBM would be a data processor, as they process on our behalf.
     RELEVANT FILING SYSTEM: in addition to data held electronically, data that is structured so that specific information relating to a particular individual is readily accessible is also covered by the Act. E.g. paper HR files.
     SENSITIVE PERSONAL DATA: for example race/ethnic origin, political opinions, religious beliefs, trade union membership, physical/mental health conditions, sexual life.
     • Financial information is not classed as sensitive personal data.

  6. Data Principles
     • Fair and lawful processing
     • Specified and lawful purposes
     • Adequate, relevant and not excessive
     • Accurate, and where necessary kept up to date
     • Not kept for longer than necessary
     • Rights of data subjects
     • Security of data
     • Data transfers outside the EEA

  7. Data Protection Principles
     The following acronym is one way to remember the principles:
     Fair, Specific, Adequate, Accurate, Retention, Rights, Security, Transfer
     "Fish Swim All Around Reefs, wRecks & Sunken Treasure"

  8. Principles 1 & 2: Consent / Privacy
     The DPA refers to 'consent' in the first two Principles: 'Fair' and 'Specific' processing.
     • The ICO expects consumers to be in no doubt about what they have consented to.
     • 'Consent Clauses / Privacy Notices / Fair Processing Notices' have standard wording which can facilitate use of data for the following examples:
       • Credit assessment
       • Customer management
       • Debt collection
       • Fraud prevention

  9. Consent
     We place the responsibility on our client to ensure consent has been obtained prior to carrying out a search; we vet, or can assist in the creation of, these clauses. We expect that:
     • our clients have gained consent from applicants and consumers
     • client data access and foot-printing is transparent to the consumer
     • consent clauses provide for use of personal data for trace and debt collection
     • all clients use data only for contracted purposes
     If we become aware of instances where these assumptions do not hold true, we must take appropriate action.

  10. Principle 3: Adequate
     As the majority of what Equifax does relates to the credit industry and identity verification, we should only be holding information that is relevant to those sorts of enquiries.
     • E.g. we should be holding information relating to how you manage your accounts, your address and your DOB.
     • However, it would be unwarranted to hold information on eye colour, membership of a trade union, or religious beliefs.

  11. Principle 4: Accurate
     The first part of this principle is self-explanatory in that Equifax must take reasonable steps to ensure that the data we hold is accurate. Where we receive data items from a third party (e.g. CCJs, Insight) we must ensure there is a process to verify their accuracy if they are disputed by the data subject.
     • The second part of the Principle covers how often data must be updated to retain its accuracy. Some data items, such as searches, are a matter of fact and would not be updated; however, Insight data would be expected to be updated on a monthly basis.

  12. Principle 5: Retention
     This principle states that data should only be retained for as long as necessary for the purpose for which it is being processed. The guidance isn't specific, but there are industry rules agreed with the ICO relating to how long we keep data. These timeframes generally relate to the period of time over which the data has been proven to be predictive.
     • Recently Equifax were challenged by the ICO regarding the length of time certain searches were held and used. As Equifax were unable to demonstrate that the use of this data for this period was predictive, we were asked to amend the archiving of these searches to a shorter period.
     • All searches are now displayed for only 12 months, unless they are Debt Collection or Locate tracing searches, which are held for 24 months.

  13. Principle 6: Rights
     Includes the right of data subjects to gain access to information pertaining to them held by the Data Controller.
     • Equifax delivers a 'credit report' as a standard response.
     • Equifax can also be required to deliver a 'Subject Access Request' response, which covers ALL data held by Equifax, e.g. HR files and marketing data as well as credit information.
     • The data subject has the right to know who accessed their credit file.
     • Search footprints describe who, when and why. E.g.:
       • SR - Credit Search
       • PV - Personnel Vetting

  14. Principle 7: Data Security
     Equifax has a responsibility to keep the data we hold "technically secure" and to make sure there is no unauthorised access to our data.
     • This is achieved by various information security techniques, including the use of firewalls and various intrusion prevention systems.
     • All access to the network is based upon user IDs and passwords defined in a central directory.
     • The ICO has recently issued several fines for data security breaches. It has the power to fine up to £500,000 per breach.
     • Any inappropriate access to our data could generate a similar fine; however, our biggest issue would be the reputational risk and bad publicity associated with a breach of this nature.
     • Breaches of the Act do not always mean that action is taken against the Company. If the breach involves a criminal offence, the individuals concerned could face criminal proceedings in the High Court, which would mean unlimited fines. The ICO continues to push for custodial sentences for the most serious breaches.

  15. Principle 8: Data Transfer
     This principle simply covers the fact that personal data must be processed in other countries to no lower a standard than is expected in the UK.
     • Data kept within the European Economic Area (EEA) would not be restricted under this principle.
     • If data were to be transferred out of the EEA, appropriate contracts including specific model clauses would need to be in place to ensure compliance with this principle.
     • "Safe Harbour" allows US companies to register their certification so that the specific contracts/clauses above are not required.
