Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report.

Published byCornelius Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report."— Presentation transcript:

1 www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report

2 Format of report: Executive summary Introduction Main body of report (15 sections) Appendix 1: Glossary Appendix 2: Overview of main areas of law Appendix 3: Sources Appendix 4: Data processor agreements Appendix 5: Data protection notice toolkit Information Law Report

3 Executive Summary The Executive Summary sets out: What is considered in the Information Law Report: i.e. the information law issues connected with a Smartcard Scheme including data protection, human rights, administrative law and freedom of information. A summary of the conclusions reached in each section of the Information Law Report.

4 Introduction The Introduction explains: the purpose of the report; the parameters of the report; the assumptions that have been made in order to draft the Information Law Report. Please note that the report should be read in conjunction with the Introductory Report and appropriate sections of the Card Governance Report.

5 Lawfulness for processing data and vires Human Rights Act 1998 Requirement to comply with Article 8 ECHR – “Everyone has the right to respect for his private and family life, his home and correspondence” Principle 1 Data Protection Act Requirement for lawfulness –a Card Issuer must act within its statutory powers What powers do Card Issuers have? A question of administrative law Powers may be express or implied Examples of implied powers: Local Government Act 1972 Local Government Act 2000

6 Status of the parties for data protection purposes Data Controllers Control the purposes for and manner of the processing Data Processors Process on behalf of a Data Controller

7 Status of the parties for data protection purposes Consider: Card Issuers Secondary Service Providers Joint Card Issuers Card Suppliers Other Card Issuers and other Secondary Service Providers External Project Manager/Consultants Contractors and Sub-contractors Employees Data Subjects/Card Users Ensure changes to status are taken into account

8 Data involved in the Smartcard Scheme Personal Data Includes manual and computerised Data Sensitive Personal Data E.g. health/disability Requires a higher level of protection Consider whether this is necessary Anonymous Data and non-Personal Data Is this truly anonymous? Consider treating everything as Personal Data to ensure DPA and HRA compliance

9 Grounds for processing Personal Data Data Controllers must have a schedule 2 Data Protection Act grounds In particular Necessary for the exercise of any function conferred on any person by or under enactment Necessary for the exercise of any other function of a public nature exercised in the public interest by any person

10 Grounds for processing Personal Data What is “necessary”? “encompasses matters which are “reasonably required or legally ancillary to” the accomplishment of the specified purposes”. Does not have to be “absolutely essential” – DCA Is it proportionate to the aim pursued?

11 Grounds for processing Personal Data Data Controllers must have a schedule 3 Data Protection Act grounds for Sensitive Personal Data In particular Necessary for the exercise of any function conferred on any person by or under an enactment Is it necessary to process Sensitive Personal Data?

12 Information for Data Subjects Data Subjects must be told or have readily available to them: Identity of the Data Controller Purposes for the processing (NB including non- obvious purposes) Any other information necessary in the circumstances to make the processing fair How to make this information available? Data protection notice/privacy statement

13 Information for Data Subjects DCA consultation suggests: Public services trust guarantee Service specific statement Code of practice Management guidance Complaints procedure Data sharing protocols

14 Use of Personal Data for Marketing Data Protection Act requirements Fairness and compliance with the principles Absolute right to object to direct marketing Privacy and Electronic Communications (EC Directive) Regulations 2003 Cover marketing by e-mail, SMS, MMS, telephone, fax and automated calling systems Regulate “cookies” Consider: Joint notices Where to provide notices Accessibility issues Whether consent should be obtained at the same time

15 Use of any Smartcard Number General Identifiers Currently none prescribed but beware of this if any prescribed in the future Use of certain numbers restricted e.g. NHS Number, Pupil Identification Number, NI Number – do not use these in a Smartcard Scheme unless purpose is authorised. Use of a unique Smartcard number Will be Personal Data therefore comply with the DPA

16 Data Sharing Involves consideration of: Administrative law Human Rights Act 1998 Data Protection Act 1998 Confidentiality

17 Data Sharing Practical Issues for a Smartcard Scheme What does the Card Issuer want to do and why? Does it have the power to do this? Who does it want to do this with? Does that organisation have the power to do this? How will it be done? Impact on the individual? Can impact by minimised? DPA, HRA and confidentiality considered? Data Sharing protocols Take into account the DCA toolkit on data sharing

18 Disclosures Non-disclosure exemptions in the DPA: Section 29 Data Protection Act Gives a discretion to disclose for the prevention or detection of crime, the apprehension or prosecution of offenders or the assessment or collection of any tax or duty Section 35 Data Protection Act Allows for mandatory disclosures where required by or under enactment or court order. Allows for disclosures in connection with legal proceedings, obtaining legal advice or where necessary for establishing, defending or exercising legal rights. Card Issuer should have disclosure policies in place

19 Data Matching Requirement for lawfulness Requirement for fairness Ensure that there is a power to cross match and that the law is complied with

20 Security Principle 7 Data Protection Act Technical and organisational measures must be in place to protect Personal Data Consider: Access and segregation Employees Data Processors Segregation for data sharing and Reader purposes Reader Security Data sharing Disclosures Identity of Card Users Loss or theft Biometrics

21 Subject Access and Individual Rights Subject access to Smartcard Data Comply with the DPA in providing access (40 day timescale) Consider how access can be provided within a shorter timescale (e-Envoy policy framework) Consider how to provide access in a joint scheme Consider policy for providing access to children directly and to others on behalf of a child Other individual rights Right to object to direct marketing Automated decision making Processing likely to cause damage or distress Inaccuracy

22 Compliance with other Data Protection Principles Principle 1 Fairness generally – e.g. how are the Data obtained? Principle 2 Specified, lawful and, when further processing, compatible purposes Principle 3 Adequate, relevant and not excessive Principle 4 Accurate and, where necessary, up to date Principle 5 Kept no longer than necessary Principle 8 Adequate protection for transfers outside the European Economic Area

23 Notification Requirement to notify Information Commissioner Criminal offence to fail to notify and to keep notification up to date Ensure that notification covers Smartcard purposes

24 Freedom of Information Consider: Status for freedom of information purposes Freedom of information at the tender stage Freedom of information at the contract stage Freedom of information and Personal Data Policies

25 Appendices 1-3 Appendix 1 Glossary of terms specific to the Information Law Report Appendix 2 Overview of main areas of law: a brief summary of the Data Protection Act 1998, Article 8 of the Human Rights Act, Freedom of Information Act 2000 and common law confidentiality Appendix 3 A list of primary and secondary source materials

26 Appendix 4 Processor Agreements Guidance for completion Data Processor Contract Letter A Data Processor Contract Letter B Data Processor Contract Clauses Full Data Processor Agreement

27 Appendix 5 Data Protection Notice Toolkit Guidance notes Sample notice

Download ppt "Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Information Law Report."

Similar presentations

NATIONAL INFORMATION GOVERNANCE BOARD

NATIONAL INFORMATION GOVERNANCE BOARD
Overview of ‘Public Sector Data Sharing – Guidance on the Law’ as published by the Department for Constitutional Affairs Nov ‘03 John Harrison, Edentity.

Overview of ‘Public Sector Data Sharing – Guidance on the Law’ as published by the Department for Constitutional Affairs Nov ‘03 John Harrison, Edentity.
Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.

Introduction to basic principles of Regulation (EC) 45/2001 Sophie Louveaux María Verónica Pérez Asinari.
Data Protection Information Management / Jody McKenzie.

Data Protection Information Management / Jody McKenzie.
BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date: 09.07.14.

BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date:
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child

Getting data sharing right for every child
Www.nationalsmartcardproject.org.uk www.scnf.org.uk National Smartcard Project Work Package 8 – Card Governance Report.

National Smartcard Project Work Package 8 – Card Governance Report.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management

Data Protection and Records Management
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.

Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection Act 1998. Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.

Data Protection Act Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.

Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010.

The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010.
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.

 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
1 OVERVIEW PRESENTATION FREEDOM OF INFORMATION (SCOTLAND) ACT 2002.

1 OVERVIEW PRESENTATION FREEDOM OF INFORMATION (SCOTLAND) ACT 2002.

Similar presentations

Ads by Google