Data Protection Act 1998 Introduction to Data Protection Alan Shipman Group 5 Training Limited
BSI Training Objective for Session
To help you understand the Data Protection Act 1998, and be able to assess your organisation's level of compliance
BSI Training Workshop Agenda
• Definitions
• Data Protection Principles
• Responsibilities
• Policies and Notification
• Dealing with Data Processors
• Subject Access Procedures
• Manual Records
• Human Resources
Workshop Agenda (continued)
• Do you need to audit?
• How to audit
• Data audit
• Responsibilities
• Procedures and processes
• How an audit is carried out
• Corrective procedures
• Demonstrating compliance
The Act Data Protection Act 1998 ‘An Act to make provision for the regulation of the processing of information relating to individuals …’
The Act EU Data Protection Directive 95/46/EC
Objectives:
• No restriction on personal data flow in EU
• Right to privacy
Deadline for implementation: 24 October 1998
Definitions Personal Data Data which relates to a living individual who can be identified from those data, or from those data and other information which is in, or likely to come into, the possession of the data controller
Definitions Processing
• Includes obtaining, holding and carrying out any operation on data
• No requirement that processing is by reference to the data subject
Principles The 8 Data Protection Principles (Schedule 1)
First Principle
Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met, and
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
Schedule 2 What is fair?
• Consent
• Contract
• Legal obligation
• Vital interests
• Public functions
• Legitimate interests
Sensitive Data
Personal data relating to:
• Racial or ethnic origin
• Political beliefs
• Religious or other beliefs
• Trade union membership
• Physical or mental health
• Sexual life
• Commission of any offence
• Proceedings / convictions for any offence
Schedule 3 What is fair?
• Explicit consent
• Employment law
• Vital interests
• Activities of political, religious or trade unions
• Information made public
• Legal / regulatory proceedings
• Administration of justice
• Medical purposes
Second Principle Personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or purposes
Third Principle Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
Fourth Principle Personal data shall be accurate and where necessary, kept up to date
Fifth Principle Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose
Sixth Principle Personal data shall be processed in accordance with the rights of data subjects under this Act
Seventh Principle Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Eighth Principle
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of Data Protection
Note: Does not apply if at least one of the conditions in Schedule 4 is met
Schedule 4 When can you do it?
• Consent
• Performance of contract with data subject
• Performance of contract with other
• Substantial public interest
• Legal proceedings
• Vital interests
• Public register
• Authorised by the Commissioner
Responsibilities
The ‘Data Controller’ is the organisation, but…
• Someone must have overall responsibility
  • co-ordination role
  • ensure that notification is up to date
  • ensure that appropriate strategy is implemented
  • focal point for queries
  • reporting of issues
Responsibilities Policy
• Who writes it?
• Who approves it?
Approval by top management (e.g. the Board) demonstrates support and buy-in
Responsibilities Compliance audit
• Is the policy being implemented?
• Are individuals following the procedures?
• Audit report
• Resolve non-compliances
• Annual report (maybe)
Responsibilities Who?
• Who is actually responsible?
• Who will be the first to get it wrong?
Any member of staff who handles personal data
Responsibilities Training
• Do individuals know what they must do
  • when talking to data subjects
  • when handling personal data
  • during system design
  • when deciding security issues
• Ensure no-one acts recklessly
Responsibilities Training
• Give everyone guidelines
• Do they understand their responsibilities?
• And what happens if they get it wrong?
Responsibilities Subject access
• Who deals with subject access requests?
• How are they dealt with?
  • procedures
  • time scales
  • fees
Notification What you have to do
• Review current registration(s)
• Determine timescales
• Categorise your data
• Use the Notification Handbook
• Check security arrangements
Notification
• Check for exemptions
  • from notification
  • from the Act
• Decide method
  • phone
  • web
Notification Current registration(s)
• Get details of all registrations
• Find out when each one expires
• As current registrations run out, combine them
• When the last registration runs out, notify
• Or just notify ASAP
Notification Categorise Personal Data
• Get the relevant OIC notification template
• Compare with information audit results
• Categorise data
  • why have you got it (purpose) - Handbook 3.1.8
  • who is it about (data subject) - Handbook 3.1.9
  • what have you got (data class) - Handbook 3.1.10
  • who might it be disclosed to (recipients) - Handbook 3.1.11
Notification Check security arrangements
• Comply with BS 7799?
• Security policy / procedures
• Disaster recovery plans
• Security during transfer
  • physical
  • encryption
Notification
• What information do you need?
  • identity
  • purposes
  • for each purpose
    • data subject
    • data class
    • recipients
  • what countries are involved
  • security measures
Notification How?
• Method
  • phone
  • web
• What happens next
  • check form
  • pay fees
  • check register
• Keep it up to date (28 days)
Notification Phone Notification
• Be ready
• Contact by phone
• Answer questions
Notification Web Notification
• Where to go
• What do you see
• How does it work
Data Processors Definition
Processes personal data on behalf of a Data Controller, and does not pursue its own purposes
Data Processors Responsibilities Who is responsible for data processed by a Data Processor? The Data Controller - i.e. you!
Subject Access Whole purpose of Data Protection law is to protect information about living individuals and guard their privacy
Subject Access Procedures
• Who will deal with requests
• How will the request be verified
  • identity
  • in writing
  • fees
• What has been requested (reasonable?)
• Keep an audit trail of requests
Subject Access Procedures
• How to respond
  • is processing occurring
  • don’t correct it!
  • copy of the data
  • source (if known)
  • not disclosed due to exemption
  • disproportionate effort
  • what if a third party is identified
• When to respond by (40 days)
Subject Access Procedures
• How to handle blocking requests
  • made by data subject
  • validity
  • ensure action
  • audit trails
• Compensation