
Data Protection Update

Data Protection Update. 15 May 2014 Mairead O’Reilly Joanna Stokes. Introduction. High profile data protection breaches by charities BPAS £200,000 fine Global Witness ICO consultation on data protection and the media EU Regulation


Presentation Transcript


  1. Data Protection Update
     15 May 2014
     Mairead O’Reilly, Joanna Stokes
  2. Introduction
     - High profile data protection breaches by charities
     - BPAS £200,000 fine
     - Global Witness
     - ICO consultation on data protection and the media
     - EU Regulation
     - ICO guidance on direct marketing – stricter rules on obtaining consent
  3. What we will look at today
     - Overview and key definitions
     - The data protection principles
     - Fair and lawful processing
     - Data security and outsourcing
     - Rights of data subjects
     - Recent cases – BPAS, Global Witness
     - Direct marketing
     - Unlocking supporter databases
     - European developments
  4. Key areas of law
     - Data Protection Act 1998
     - ICO duty to promote good practice
     - Privacy and Electronic Communications Regulations 2003
     - Electronic marketing
  5. … and in addition to the Law …
     - Relationship with clients/supporters/the public
     - Respecting them and their data
     - Preventing harm to those whose data you hold
     - Reputational issues
  6. Overview of data protection – Quick test
     Which of the following are personal data?
     - a photo of a supporter attending an event
     - list of mobile numbers of people who have given text donations to your charity
     - an online gift aid form completed by a donor
     - an email address
     - “suppressed” details of a contact
     - return envelope marked “now deceased”
     - handwritten notes about a major donor prospect
  7. Definition: Personal Data
     - Information about a living individual from which they are identifiable (either from that piece of information or in conjunction with other personal data held)
     - Held either on a computer or in a relevant filing system
     - Most physical files are exempt
     - Examples: records of donors, newsletter mailing lists, details of attendees at a talk
  8. Data controllers and data processors
     - Data Controller: the organisation which determines how personal data is used; must comply with the DPA; for instance the Charity
     - Data Processor: not subject to the DPA; for instance a fulfilment house
  9. Processing
     Very widely defined: anything you do with personal data
     - obtaining, recording, holding, organising, adapting, amending, retrieving, consulting, using, disclosing, blocking, erasing, destroying!
  10. The eight data protection principles:
     - fair and lawful processing of personal data
     - obtained only for specified and lawful purposes
     - adequate, relevant, not excessive
     - accurate and up to date
     - not to be kept longer than necessary
     - process in accordance with subject’s rights
     - appropriate security measures (technical and organisational)
     - no transfer outside EEA without adequate protection
  11. FAIR AND LAWFUL PROCESSING
  12. Fair & Lawful Processing (First Principle)
     Fair information requirements:
     - identity of the Data Controller
     - purposes (e.g. organisation’s general activities, specific appeals), including who else you will pass their details to (not including people acting on your behalf)
     - any other necessary information
     Applies to Personal Data held by:
     - the data controller
     - a trading company
     - an associated local/regional branch or group
     - consultants
  13. Fair & Lawful Processing (First Principle)
     Also must fulfil a Schedule 2 condition – most likely to be either:
     - consent; or
     - legitimate interests (balancing act)
     Other rarer alternatives include:
     - necessary for compliance with a legal obligation or to perform a contract; or
     - vital interests; or
     - others listed in the 1998 Act
  14. Sensitive Personal Data
     Includes:
     - religious or similar beliefs
     - political opinions
     - racial/ethnic origin
     - union membership
     - physical/mental condition
     - sexual life
     - alleged or actual criminal offences
     NB: Financial information and age are personal data but NOT sensitive personal data
     Must satisfy one ordinary (Sch 2) condition PLUS an additional (Sch 3) condition (see next slide – e.g. explicit consent)
  15. Sensitive Personal Data – Schedule 3
     Obtain explicit consent unless:
     - already in public domain; or
     - under a legal obligation in connection with employment; or
     - a not for profit organisation – political, philosophical, religion, trade union purposes, PROVIDED THAT safeguards for rights of data subjects are in place: members/regular supporters only; no third party disclosure without consent
     - other rarer conditions
  16. DATA SECURITY
  17. Data Security – Overview
     Data security breaches:
     - 500 laptops stolen or lost in two year period to May 2010 from 11 government departments
     - 502 complaints made against charities in the 5 years to 2012; about 15% relate to security
     - Most fines issued by the ICO relate to security breaches
     Seventh Data Protection Principle:
     - Must take appropriate technical and organisational measures to protect against unauthorised processing of data and against accidental loss or destruction of, or damage to, data
  18. Data Security – Appropriate Security Measures
     - ICO’s view – what is appropriate depends on circumstances
     - Risk-based approach: level of security appropriate to risks presented by processing
     - Security policy
     - Control access to information (physical security and access): Who has access to premises? How is waste (including redundant computers) containing personal information disposed of?
     - Encrypt personal information held electronically which leaves the office – not just password access for laptops, remote access, blackberries. Especially if information will cause damage or distress if lost or stolen
  19. Data Security – Employees
     Data controller must take reasonable steps to ensure reliability of staff having access to personal data
     Practical steps:
     - Vet staff at entry point, checking history of employment, criminal records checks, references, for existing staff as well as new recruits
     - Restrict access to personal data to those who need it
     - Training: education on importance of data security
     - Comprehensive policy, and ensure staff have read and are familiar with procedures relevant to their role
     - Part of induction process?
  20. Data Security – Outsourcing
     When processing is carried out by a data processor on behalf of a data controller (e.g. fulfilment houses, PFOs, payroll processing, disposing of data), the data controller is responsible
     Data controller should ensure:
     - sufficient guarantees in respect of their technical and organisational measures
     - compliance with those measures
     - carried out under written contract
     - act only on data controller’s instructions
     - complies with security obligations
  21. Negotiating Contracts with Partners and Suppliers
     Agreement will normally set out commercial terms
     Data controller:
     - service level specifications & security measures
     - ensure it owns all rights created in connection with personal data and obtain assignment
     - restrictions on overseas transfers of information by processor without data controller’s written consent
     - restrict appointment of sub-processors or enter into direct agreements with each sub-processor
  22. New ICO guidance on Security Threats
     Published 12 May: Protecting personal data in online services: learning from the mistakes of others
     Lists top 8 computer security vulnerabilities, including:
     - Failure to keep software security up to date
     - Poor decommissioning of old software and services
     - Insecure storage of passwords
     http://ico.org.uk/news/latest_news/2014/top-it-data-security-threats-revealed-and-what-organisations-must-do-to-stop-them-12052014
  23. Case Study: British Pregnancy Advisory Service
     - BPAS fined £200,000 Feb 2014
     - Website attacked by hacker with anti-abortion views
     - Call back details for 9,900 people
  24. What personal data was involved?
     - Names, addresses, DoB, phone numbers of those who requested call-back
     - Website gave reasons why call-back could be requested, eg contraceptive advice, abortion, STI screening
     - Ethnicity and social background could have led to serious harm and even death
  25. How did security breach arise?
     - BPAS employed 2 IT companies to develop site in 2003 and 2008
     - BPAS did not realise call-back details retained on the site
     - No written agreement with either company
  26. Which parts of DPA were breached?
     Serious breach of 7th principle: did not have appropriate technical and organisational measures in place against unauthorised or unlawful processing of personal data and against accidental loss or destruction or damage to personal data
     ICO:
     - should have ensured website did not store details or that appropriate measures were in place, eg storing passwords securely
     - should have carried out appropriate security testing to show up vulnerabilities
     - should have ensured website software up-to-date
  27. Breach of 7th principle
     - ICO – serious contravention that BPAS unaware that 9,900 people’s details unprotected
     - Unacceptable in view of very sensitive and personal services provided by BPAS
     - No agreement with IT companies
  28. Breach of 5th principle
     - Kept call-back details for 5 years longer than was necessary
     - Privacy policy gave false assurances about security and confidentiality
  29. Lessons for charities from BPAS case (1)
     - Ensure you have in place security measures appropriate to the sensitivity of the personal data that you are holding.
     - Carry out an audit of the personal data that you are collecting and holding and ensure that the security measures you have in place would withstand scrutiny in the event of a breach.
     - Ensure you have clear internal procedures for managing a data security breach.
     - Make sure you have proper written agreements in place with all suppliers processing data on your behalf.
     - Take steps to ensure the reliability of organisations processing data on your behalf and ensure that they have sufficient knowledge of the data protection rules relating to security.
  30. Lessons for charities from BPAS case (2)
     - Where your organisation is processing sensitive personal data (for instance, health data), consider whether you have appropriate expertise on your board of trustees and at management level to be aware of the wider risks faced by the organisation and to understand how risks can be managed.
     - Ensure that privacy policy and other documents properly reflect the security measures and data protection measures that you have in place – do not simply adopt off the shelf policies without adapting them to reflect the security measures your organisation has in place.
     - Carry out regular testing to identify any vulnerabilities on your website or within your organisation.
  31. Lessons for charities from BPAS case (3)
     - Ensure you have a clear understanding of what information is being collected and stored on your website.
     - Do not retain details, whether fundraising personal details or otherwise, for any longer than is necessary.
     - Have clear documents in place relating to data retention, with a clear justification for the period for which you are retaining personal data.
     - In the event of a breach, consider self notification, particularly where other third parties will be informed of the breach, e.g. data subjects or the police.
  32. CASE STUDIES
  33. SUBJECT ACCESS REQUESTS
  34. Accessing Personal Data
     Access to personal data you hold about data subjects
     On request, must tell subject the information you hold about them:
     - the data
     - the purposes it is used for
     - people to whom it has or may have been disclosed
     - any automated decision making to which it is subject
  35. Accessing Personal Data – Subject Access Requests
     - Written request
     - Enough information to: identify subject; enable compliance
     - £10 fee
     - 40 days
     Unless:
     - Not possible
     - Disproportionate effort – but IT systems search is unlikely to be disproportionate
     - Subject agrees
     - Recent compliance
     - Disclosure of third party data
     - Other exemptions
  36. Subject Access Requests – Disclosure of Third Party Data
     Obtain consent of the third party, unless otherwise reasonable to disclose having regard to:
     - Confidentiality
     - Steps to obtain consent
     - Capability of consenting
     - Express refusal
  37. Case Study: Global Witness
     - Steinmetz and others v Global Witness
     - Investigations into allegations of fraud
     - Subject access requests – breach of section 7
     - Global Witness did not give claimants fair processing information
  38. Case Study: Global Witness – the claim
     - Failed to comply with section 4(4) (Data Protection Principles)
     - Obtained data unfairly
     - Processed sensitive personal data without satisfying Schedule 3
     - Data has not been kept accurate
     - Processing is causing or likely to cause substantial damage and distress
  39. Journalism exemption
     Section 32 DPA: “(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if – …”
     - (a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material
     - (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest
     Special purposes are (a) the purposes of journalism, (b) artistic purposes, and (c) literary purposes
     - No definition of journalism in DPA
     - Should be interpreted widely
  40. BWB input in ICO consultation on data protection and journalism
     - Section 4 relates to journalism exemption
     - BWB submitted that guidance should make clear that organisations other than traditional media and citizen bloggers can be engaged in journalism and rely on the exemption
     - Finalised guidance from ICO expected in June
  41. DIRECT MARKETING
  42. Direct Marketing
     “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”
     ICO says:
     - Includes messages with some marketing elements even if not their main purpose
     - Includes ‘promoting an organisation’s aims and ideals’, i.e. promotional and campaigning activities such as encouraging supporters to attend a rally – not just selling goods or services
  43. Direct Marketing – Restrictions
     - s11 DPA gives individuals the right to stop direct marketing
     - Mailing preference service
     - Telephone preference service
     - Privacy and Electronic Communication Regulations 2003
     NB: only limited rights to prevent other types of processing
  44. Summary – The Privacy & Electronic Communications Regulations 2003
     - email, fax, text messaging
     - no unsolicited e-marketing to “individual subscribers” unless consent
     - exception: prior consent not necessary if pre-existing relationship in connection with sale of similar goods/services (“soft opt-in”). NB: does not apply to donations
     - consent must be given to the sender/caller (ie no bought in lists unless marketing is solicited)
  45. Consent for e-marketing
     - Positive indication of consent
     - Can use opt-in or opt-out tick boxes
     - Don’t have to use a tick box
     - Need communication where consent indicated, e.g. subscribing to service, completing “sign up” form
     - If you don’t use tick box, make sure they understand giving consent
     - Recent ICO guidance: need separate consents for separate types of communication (but not the law)
     - Potential impact of draft EU Regulation
  46. Consent opt-out – Offline version
     XYZ Organisation
     Data Protection Act 1998
     We [and our subsidiary companies] would like to use your information:
     (a) For use in connection with our activities including fundraising
     (b) To pass to other organisations [with similar objects]
     Please tick the appropriate box(es) if you do not wish us to do this
  47. E-marketing – summary
     - Need prior consent
     - Given to sender
     - Exception for soft opt-in
  48. Electronic marketing to corporate and public bodies
     - Must say who marketing is from
     - Include contact details
     - Consent not mandatory
     - ICO recommends, as best practice, treat in same way as individual subscribers
     - If emailing named person at business, they have a right under DPA to ask to stop marketing
  49. Summary of rules in data protection statements (1)
     - What will you use information for? Make wide enough to include marketing: “We may use your information to send you updates on campaigns and activities that we think you might be interested in”.
     - Will you be sharing with other organisations, e.g. corporate partners, trading subsidiary?
     - Provide a means of stopping marketing
     - Keep record of preferences on database, e.g. “post only”
  50. Case Study
     Charity A wishes to send a hard copy newsletter with information about beneficiaries of the Charity to individuals who have donated to the Charity. The newsletter only provides information and does not ask for donations. Does it need consent from the donors? What if the newsletter was sent by email?
  51. “UNLOCKING” SUPPORTER DATABASES
  52. “Unlock” supporter databases
     - Historical data without clear record of preferences
     - May be acting unlawfully in contacting people
  53. Contacting people by post
     - Risk of contacting people who have requested suppression
     - Breach of DPA even if you didn’t realise they had sent you an opt-out request
  54. Contacting people by email
     - PECR prohibit unsolicited marketing without consent
     - Marketing interpreted widely
     - How do you “unlock”?
  55. Cautious approach
     - Don’t contact by post unless confident they haven’t opted out
     - No emails unless consent to unsolicited marketing
  56. Possible solution
     - Write to individuals and ask whether they’d like to receive marketing, going forward
     - Silence not consent
     - Should not contain marketing – a “fact-finding exercise”
     - Consider likelihood of consent
     - Technical breach so there is a risk of complaints
  57. Solution
     - Get data collection statements right from the beginning
     - Model statements for organisation
  58. EU DEVELOPMENTS
  59. Draft EU Data Protection Regulation
     - Still being debated within the EU institutions
     - Not expected to come into effect until 2017 at the earliest
     - Likely to be some transitional period after it comes into effect
     - Directly applicable across the EU – no need for individual laws such as the Data Protection Act 1998 in each country
  60. Draft Regulation – key provisions
     Registration and supervision:
     - Remove requirement for registration with the ICO
     - May be a substantial saving for charities who have many branches which are registered
     - A “one stop shop” – able to deal with the supervisory authority in one country rather than multiple authorities
     - Data processors will now be required to comply with data protection law (currently only data controllers have to comply)
     - Implications for charities which act as data processors for others, e.g. when providing services to a public body
  61. Draft Regulation – key provisions
     ‘Right to be forgotten’:
     - Individual’s right to request erasure of their personal data, where certain conditions apply
     - Take reasonable steps to inform third parties
     - Technological issues with implementation
     Data Protection Officers:
     - Mandatory requirement for data protection officer where 250+ employees or regularly and systematically monitoring data subjects
     - Many charities will already have a person fulfilling the functions
  62. Draft Regulation – key provisions
     Consent:
     - No longer distinction between ordinary and explicit consent
     - Consent to be ‘freely given, informed, specific and explicit’
     - Requires either a statement or a clear affirmative action by the individual
     - Likely to prevent use of pre-ticked boxes
     - But remember: consent is not always needed
     - Children under 13: can only process personal data online with parental consent. May be difficult for charities which engage with children online
     - Additional information to be included in data collection statements
  63. Data Regulation – key provisions
     Sanctions/breaches:
     - Mandatory requirement to notify ICO, and in some cases the data subjects, of data security breaches without delay and within 24 hours
     - Increased fine – up to €1,000,000 or 2% annual worldwide turnover for the most serious breaches
     - Lower level of fines (€250,000 or 0.5% of turnover) for failures relating to subject access requests
  64. Contact details
     Mairead O’Reilly, Senior Associate, Charity & Social Enterprise Department, Bates Wells & Braithwaite London LLP, 2-6 Cannon Street, London EC4M 6YH, m.oreilly@bwbllp.com, Tel: 020 7551 7796
     Joanna Stokes, Solicitor, Charity & Social Enterprise Department, Bates Wells & Braithwaite London LLP, 2-6 Cannon Street, London EC4M 6YH, j.stokes@bwbllp.com, Tel: 020 7551 7793