2The Data Protection Rules Fair obtaining & processingConsentSpecified purposeNo disclosureunless “compatible”Safe and secureAccurate, up-to-dateRelevant, not excessiveRetention periodRight of access
3The Acts create: Background Data Protection Acts, 1998 RIGHTS for individualsRESPONSIBILITIESusers of personal data
4Rights and Obligations Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)
5Definitions(1) Personal Data Data Manual Data Any Data relating to a living identifiable individualDataAutomated data or structured manual dataManual DataStructured by reference to individuals in a way that makes data readily accessible
6Definitions(2) Data Controller Data Processor a person who controls the contents and use of personal dataData ProcessorA person who processes personal data on behalf of a data controller
7Definitions(3) Data Subject Processing an individual who is the subject of personal dataProcessingAnything done with personal data, from collection to disposal
8Sensitive Data (special protection) Physical or mental healthRacial originPolitical opinionsReligious or other beliefsCriminal convictionsAlleged commission of offenceTrade Union membership
9Rights of Individuals to fairness when giving information to get a copy of their personal information – includes both computer and certain manual filesto have wrong information correctedto opt out of marketing - includes mail & phoneto complain to the Data Commissioner
10Obtain & Process Fairly I Rule 1Obtain & Process Fairly IData controller must give full information aboutidentitypurposesdiscloseesany other data necessary for “fairness”Third party data controllersmust contact data subject to provide these detailsmust give name of original data controller
11Obtain & Process Fairly II Rule 1Obtain & Process Fairly IIOne of these conditions required:ConsentLegal obligationContract with individualNecessary to protect vital interestsNecessary for a public function (Justice)necessary for ‘legitimate interests’
12Processing Sensitive Data Rule 1Processing Sensitive DataOne of these additional conditions is requiredExplicit consentNecessary under employment lawTo prevent injury or protect vital interestsProcess the data of members/clients of non-profit orgs.Legal adviceFor Medical PurposesStatutory function
13Disclosure PolicyThe Data Controller should have a policy in place to determine how requests for data from third parties are handled.This policy should be consulted by appropriate staff members
14Keep Safe and Secure Rule 4 Appropriate security measures Appropriate to the harm that might result..Appropriate to the nature of the dataMay have regard to cost of implementationMay have regard to the current state of technologyStaff must know and comply with measuresInternal review of security measures-part of Internal Audit function ?
15Security - practicalCare must also be taken regarding paper records, especially sensitive or financial data.Ideally data not left in a way that non-relevant staff can access files.Attention paid to how visitors move around an office.
16Data Protection Training. Obligation on employer to ensure staff are aware of data protection obligations.TrainingPolicy.A Code of Practice.Person in charge
17Accurate, Complete and Up-to-Date Rule 5Accurate, Complete and Up-to-DateLonger personal data is held, more likely it will be inaccurate and out-of-dateRight to have errors rectified (see later)
18Relevant and not Excessive Rule 6Relevant and not ExcessiveNo right to ask for, or hold, information not relevant to service etc being providedChallenge: who do you need all this personal data ?
19Retain no longer than necessary Rule 7Retain no longer than necessaryLegal obligations to hold data?Customer filesDo you need to hold all that data?Payment records might have one retention periodExam results might have longer retention periodCredit card details retained with consentMust have policy thought throughDefend retention as necessary for purpose.
20Right of Access: Empowerment Rule 8Right of Access: EmpowermentThe Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
21Right of erasureDoesn’t apply if you have a lawful purpose in retaining dataSuch as auditing or accreditation purposes