
The ICO and the DPA

The ICO and the DPA. Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30th September 2010. Contents. The Information Commissioner The Data Protection Act The Commissioner’s Powers. The Information Commissioner.


Presentation Transcript


  1. The ICO and the DPA
     • Ken Macdonald, Assistant Commissioner, Information Commissioner’s Office
     • ScotStat Public Sector Analysts Network
     • 30th September 2010

  2. Contents
     • The Information Commissioner
     • The Data Protection Act
     • The Commissioner’s Powers

  3. The Information Commissioner
     • Appointed by the Crown
     • Independent, but sponsored by the MoJ
     • Period of Office is 5 years
     • Current Commissioner is Christopher Graham (appointed 2009)

  4. The ICO – our organisation
     • Head Office: Wilmslow, Cheshire
     • Regional Offices: Belfast, Cardiff, Edinburgh
     • c. 350 Staff (4 in Edinburgh!!)

  5. The ICO – what we regulate
     • Data Protection Act 1998
     • Privacy & Electronic Communications Regs 2003
     • Freedom of Information Act 2000
     • Environmental Information Regulations 2004

  6. The ICO – what we don’t regulate
     • Freedom of Information (Scotland) Act 2002
     • Environmental Information (Scotland) Regulations 2004
     • Kevin Dunion, The Scottish Information Commissioner

  7. The ICO – what we do
     • Promote the legislation
     • Influence public policy
     • Resolve complaints
     • Maintain the register of data controllers
     • Prosecute offenders

  8. The Data Protection Act
     Personal data must be:
     • fairly and lawfully processed
     • processed for specified purposes
     • adequate, relevant and not excessive
     • accurate and up-to-date
     • not kept for longer than is necessary
     • processed in line with individual rights
     • kept secure
     • not transferred to countries without adequate protection

  9. Fair and Lawful Processing (1)
     • Vires
     • For example:
       • Local Government (Scotland) Act 1973
       • Local Government in Scotland Act 2003
     • Fair Processing
     • Transparency
     • Code of Practice on Privacy Notices (June 2009)

  10. Fair and Lawful Processing (2)
     Personal Data:
     • Consent
     • Contract
     • Legal obligation
     • Vital interests
     • Public function
     • Legitimate interest of data controller
     Sensitive Personal Data:
     • Explicit consent
     • Employment law
     • Vital interests
     • Membership of various not-for-profit groups
     • Already in public domain
     • Legal proceedings/advice
     • Public functions
     • Medical purposes
     • Equal Opps Monitoring
     • Substantial public interest (SI2000/417)

  11. S33 - The Research Exemption
     (1) In this section—
     “research purposes” includes statistical or historical purposes;
     “the relevant conditions”, in relation to any processing of personal data, means the conditions—
     (a) that the data are not processed to support measures or decisions with respect to particular individuals, and
     (b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

  12. S33 - The Research Exemption
     (2) For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained.
     (3) Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.

  13. S33 - The Research Exemption
     (4) Personal data which are processed only for research purposes are exempt from section 7 if—
     (a) they are processed in compliance with the relevant conditions, and
     (b) the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.

  14. S33 - The Research Exemption
     (5) For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed—
     (a) to any person, for research purposes only,
     (b) to the data subject or a person acting on his behalf,
     (c) at the request, or with the consent, of the data subject or a person acting on his behalf, or
     (d) in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).

  15. The DPA – Breaches
     • Failure to comply with the Principles
     • May lead to an investigation by the ICO
     • Serious breaches may result in enforcement action

  16. The DPA – Offences
     • Unlawfully obtaining or disclosing personal data
     • Selling of personal data
     • Failure to notify / notify changes
     • Failure to comply with a Notice from the Commissioner
     • Reckless breach of the data protection principles

  17. How to get it right
     • Speak to your DPO
     • Read the ICO guidance
     • Consult with the ICO
     • Treat others’ personal data as you would your own

  18. Contact details
     The Information Commissioner’s Office
     93-95 Hanover St
     EDINBURGH EH2 1DJ
     0131 301 5071
     scotland@ico.gsi.gov.uk
     www.ico.gov.uk
