DATA PROTECTION AND RUNNING A COMPLIANT PUB WATCH SCHEME Nigel Connor Head of Legal –JD Wetherspoon PLC

WHAT IS DATA PROTECTION? How our personal information (or data)is kept secure. Key legislation is Data Protection Act 1998 or DPA. Protected data covered by Act = electronic and paper records including names/addresses/telephone numbers/job titles/DOBs. Confidentiality not a requirement for protection. DPA imposes restrictions how that data is processed. Processing very widely defined = obtaining,holding, using, disclosing, sharing data. Processing has to be automatic or partly automatic or manual if in from of a filing system. Any activity involving personal data is covered in practice. JDW LEGAL

WHO DOES IT APPLY TO? The data controller. Defined as a person who decides purpose for /or manner personal data is to be processed. i.e. a company or business is data controller of its employees or customer’s personal details. i.e. a doctor’s surgery is data controller of it’s patients records. i.e. a Pubwatch is the data controller of images shared among members i.e. a Police force is the data controller of images circulated to a Pubwatch. JDW LEGAL

WHAT ARE THE DPA OBLIGATIONS? Any processor must notify ICO if it controls/processes data. Adherence to a number data protection principles: 1. Data obtained and processed for both fair and lawful purposes only 2. Data must be adequate, relevant and not excessive for purpose. 3. Must be accurate and in some cases kept up to date. 4. Must be kept no longer than necessary. 5. Must be processed in accordance with rights of data subjects. 6. Appropriate security measures must be taken to prevent unlawful processing/loss or destruction JDW LEGAL

IF I DON’T COMPLY? Information Commissioner(ICO) and/or court responsible for enforcement. Individuals encouraged to contact data controller first if a concern. If no response or not satisfactory, individual can ask ICO or court to intervene. ICO can assess a possible breach and issue a notice requiring compliance or request an undertaking. Serious cases a fine of up to £500k. Courts can also make a number of orders including compensation for any damage. Reputational damage. JDW LEGAL

HOW DOES A PUBWATCH COMPLY? Data sharing at heart of Pubwatch. Pictures of banned individuals = personal data and subject to DPA with or without names. Sharing within scheme means all scheme members are data controllers for DPA. The sharing of those images is not a breach of DPA as it meets the condition of lawful processing because it is legitimate interests of the members of the Pubwatch to keep premises safe/promote the LOs. However to ensure compliance a number of steps have to be put in place and complied with as follows to meet the data protection principles/requirements of DPA. JDW LEGAL

HOW DOES A PUBWATCH COMPLY? NOTIFICATION Scheme as a data controller must notify ICO before sharing images. Cost = £ Can be done on-line via ICO webpage and quite simple process. Basic information needed. Needs renewing annually. Any change to details have to be notified in 28 days. Failure to notify/renew/update = criminal offence. Make renewal a standing agenda item. JDW LEGAL

HOW DOES A PUBWATCH COMPLY? DATA SHARING PROTOCOL FOR MEMBERS. Not statutory but strongly recommended. Key components 1. What data is being shared and benefits and why; 2. Organisations involved in it; 3. Type of data; 4. Basis for sharing; 5. Common rules for sharing/security of data; 6. Rules for how long stored and deletion; National Pubwatch have pro-forma – get it, use it and review it. JDW LEGAL

HOW DOES A PUBWATCH COMPLY DATA SECURITY – DOS AND DONTS Lack of adequate data security likely to be main source of a breach. Images/names must be kept securely – i.e. Pubwatch on-line system / Folder in the office held in a place where no general access. Do not:  Display on notice boards front or back of house;  Leave hanging around the bar;  Place on social media;  If images transferred by personal equipment, remove once transferred;  Share data for any reasons other than aims of scheme. JDW LEGAL

HOW DOES A PUBWATCH COMPLY RIGHTS OF DATA SUBJECTS Individuals have a number of rights under DPA to access data held on them = Data Access Request Must comply in 40 days Can charge £10 admin fee Reply must tell them what data held and why held, who disclosed to and source of the data. Individual can object to data storage if causing substantial and unwarranted damage or distress. Reply must be in 21 days.Requirement to stop only if damage/distress substantial/unwarranted. No unqualified right to object. JDW LEGAL

PPOLICE AND DATA PRTOECTION Many schemes rely on Police for images/details of barred individuals/service of barring orders. Police generally content to share this data under s29 DPA as to prevent crime and disorder. Police also have statutory and common law powers of disclosure for policing purposes. Data sharing = Lawful Police will insist on an information sharing agreement. Contains basis of sharing of data and process of sharing it with scheme plus obligations of the scheme it self. Obligations include secure site to circulate/share data + own data sharing protocol consistent with the information sharing agreement. Some forces drawing back from participation for fear of breach. JDW LEGAL

ANY QUESTIONS? JDW LEGAL