Presentation on theme: "Www.actnow.org.uk Ten things you should know about Data Protection Paul Simpkins Director, Act Now Training Ltd."— Presentation transcript:
Ten things you should know about Data Protection Paul Simpkins Director, Act Now Training Ltd
1. Learning the lingo
Definitions Personal Data Data Controller Data Processor Data Subject Notification Subject Access Request
Notification One notification per organisation £35 Tier 1 or £500 Tier FTE Criminal Offences Viewable online
2. Five types of data
Category (a) On Computer CCTV & video DIP Audio Swipe cards & Oysters
Category (b) Intended to be automated
Category (c) Paper or Card Relevant Filing System Structured by reference to individuals Readily Accessible Durant Guidance
Category (d) Medical Records Social work records Housing Records Education Records
Unstructured Data Category (e) data From 2005 Only Public Bodies Some exemptions 2 access regimes to data
3. Fair, honest & open
Principle 1 Personal data shall be processed fairly and lawfully
Principle 1 The data controller should ensure that the data subject is provided with at least the identity of the data controller the purpose for which data is processed any further information necessary
CCTV signs Clearly visible and Legible Size matters Information Identity of controller Purpose of scheme Details of contact
4. Can I share data with…?
Partnership Working Central Govt desire for joint working ICO data sharing code of practice Fair Obtaining & Processing – Principle 1 Lawful Gateways Data Sharing Protocols
Lawful Gateways Crime & Disorder Act 1998 Section 115 Anti-terrorism, Crime & Security Act 2001 National Health Services Act 1977 Education Act 1966 s 520 (school nurses) Children Act 2004 s10, 11, 12 (databases) Local Government Act 1972 & 2003 Localism Act 2011
Data Sharing Protocols Purpose Powers to share Partners Processes Public Document
5. Good Records
Principle 3 Personal data shall be adequate, relevant and not excessive
Principle 4 Personal data shall be accurate and, where necessary, kept up to date.
Principle 5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Subject Access A valid request is Application in writing Proof of identity Fee Some direction
Subject Access Controller must respond promptly In any event within 40 days Starting on the relevant day
Direct Marketing Communication (by whatever means) of any advertising or marketing material which is directed to a particular individual
Computer says no… People can object to an automated decision Some exemptions Once you know… …you can object in writing Controller has 21 days.
7. Keep your data safe
Principle 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
Principle 7 Training Policies & Procedures Data security breach policy Civil Monetary Penalties Passwords
Principle 7 Contracts With Data Processors Made or evidenced in writing Processor to act only on Controller’s instructions Controller should check Processor’s Security and Employees
8. Who’s the daddy?
Enforcement Request for assessment Information Notice Enforcement Notice Prosecution Tribunal Supreme court
Offences Failure to notify or to notify changes Failure to comply with written request Failure to comply with a Notice Unauthorised obtaining/disclosing Procuring a disclosure to another person Unlawful selling Enforced Subject Access
Penalties Undertakings Notices from ICO Prosecution £500K Fines & Jail time Inspect public sector without notice PR disasters
Exemptions S National security S Crime and taxation S Health, education & social work S Regulatory activity S Journalism, literature & art
Exemptions S Research, history & statistics S Publicly available by any enactment S Required by law/proceedings S Domestic purposes
10. Social Media
Policy or Prosecution? Social Media Policy Disciplinary offence Bringing the organisation into disrepute Preece v Wetherspoons Defamation