Introduction to Data Protection

Plan
» Brief introduction to data protection
» Example
» Principles (3, 4 and 7)
» Sensitive data
» Conditions for processing
» Penalties
» Worked example

Introduction to Data Protection
» Data protection is exciting
» Data protection CAN be exciting
» Data protection should be boring

How DP can be "exciting"
» News release, 30 August: The Information Commissioner's Office (ICO) has served Aberdeen City Council with a monetary penalty of £100,000 after a serious data breach resulted in sensitive information relating to social services involvement with several individuals being published online. The information included details relating to the care of vulnerable children.
» The information was released after a council employee accessed documents, including meeting minutes and detailed reports, from her home computer. A file transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences.
» Note what failed here: no attacker was involved. The data left the council's control the moment it was processed on an unmanaged home machine, and a consumer file-sync tool did the rest. That is a Principle 7 failure of both technical and organisational measures.

Principles
» 1) Fairly and lawfully processed
» 2) Processed only for limited and lawful purposes
» 3) Adequate, relevant and not excessive
» 4) Accurate
» 5) Not kept for longer than necessary
» 6) Processed in accordance with the rights of the individual
» 7) Appropriate technical and organisational measures are taken to keep data secure
» 8) Not transferred outside the European Economic Area to a country without adequate protection

Principle 3: Personal data held for any purpose should be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.
» This aims to ensure that the personal data held is sufficient for a specific purpose, but no more than that. Data users should ensure that personal data is not recorded merely because it might have some future use. The old adage "knowledge is power" has no place within data protection.

Principle 4: Personal data should be accurate and, where necessary, kept up to date.
» Where it is necessary to keep personal information for some time, it may become out of date and inaccurate. To prevent this, systems must be in place to review and update the information on a regular basis.
» The consequences of using out-of-date personal information can be enormous:
» inaccurate payments being made,
» correspondence sent to the wrong address,
» confidential personal information being wrongly disclosed to a third party, etc.
» claims for compensation, or enforcement action or prosecution proceedings instituted by the Information Commissioner.

Principle 7: Appropriate technical and organisational measures are taken to keep data secure
» Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
» This principle requires the data controller to have security measures in place to prevent loss, damage or destruction of data. The Act also sets out specific considerations for ensuring security: the measures must be appropriate to the harm that might result and to the nature of the data, the controller must take reasonable steps to ensure the reliability of staff who have access to the data, and any data processor must be bound by a written contract.
» Organisational responsibilities include items such as firewalls, GCSX (Government Connect Secure Extranet) compliance and staff training.
» Personal responsibility: choose an appropriate method of sending, send only the relevant information, and take care of the information you hold and use.

Conditions relevant for processing personal information
» Question: does data protection stop you sharing personal information? Not if at least one of the following conditions applies.
» Schedule 2 (any personal data):
» 1 – The data subject has given consent.
» 2 – The processing is necessary (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.
» 3 – The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
» 4 – The processing is necessary in order to protect the vital interests of the data subject.
» 5 – The processing is necessary (a) for the administration of justice, (b) for the exercise of any function conferred by or under any enactment, (c) for the exercise of any functions of a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest.
» 6 – The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

s2 Sensitive data
» "Sensitive personal data" means personal data consisting of information as to:
» (a) the racial or ethnic origin of the data subject,
» (b) his political opinions,
» (c) his religious beliefs or other beliefs of a similar nature,
» (d) whether he is a member of a trade union,
» (e) his physical or mental health or condition,
» (f) his sexual life,
» (g) the commission or alleged commission by him of any offence, or
» (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Schedule 3 – Conditions necessary for processing sensitive personal information
» 1 – The data subject has given his/her explicit consent.
» 2 – The processing is necessary to perform legal obligations and rights in the context of employment.
» 3 – The processing is necessary (a) to protect the vital interests of the data subject or another person where consent cannot be given or the data controller cannot reasonably be expected to obtain consent, or (b) to protect the vital interests of another person where consent has been unreasonably withheld by the data subject.
» 4 – The processing is carried out by certain non-profit-making bodies and relates to their members.
» 5 – The information has been made public as a result of steps deliberately taken by the data subject.
» 6 – The processing (a) is necessary for the purposes of legal proceedings, (b) is necessary for the purpose of obtaining legal advice, or (c) is otherwise necessary for establishing, exercising or defending legal rights.
» 7 – The processing is necessary (a) for the administration of justice, (b) for the exercise of any functions conferred by or under any enactment, or (c) for the exercise of any functions of a government department.
» 8 – The processing is necessary for medical purposes and is undertaken by a health professional or by a person who owes a similar duty of confidentiality.
» 9 – The processing is of information as to racial or ethnic origin and is necessary for equality monitoring purposes.
» For sensitive personal data you MUST be able to satisfy one condition from Schedule 2 AND one condition from Schedule 3.

Penalties
» Monetary penalties of up to £500,000
» Undertakings: a public undertaking signed by the data controller
» Enforcement notices: the ICO publishes the enforcement notices and "stop now" orders it has issued to organisations in breach of the legislation, requiring them to take specified steps in order to comply with the law.
» Prosecutions: the ICO publishes details of the criminal prosecutions brought under the legislation.

Cautionary tales
» Customer given access to another customer's data. Basic checks were not carried out.
» Key fobs attached to memory sticks with the passwords written on them. Passwords exist to protect data from unauthorised access; writing them on the device defeats that purpose. (P7)
» Personal information e-mailed to the wrong people or groups. This has happened on numerous occasions; adequate checks were not carried out when selecting the recipient from the address book. Other authorities have incurred fines for similar breaches. (P7)
» User ID shared with a family member who carried out work on the employee's behalf. Disciplinary action was taken against the employee. (P7, P1, P6)
» Disc containing personal data lost. The chain of custody was not maintained, so no single officer had responsibility for the disc. (P7 etc.)
» Envelope incorrectly addressed, resulting in personal data being sent to the wrong address. Other authorities have incurred fines for similar breaches.
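Principle 7 and the mis-addressed e-mail tale above both come down to a check performed before personal data leaves the organisation. The following is an added illustration of such a pre-send recipient check, not code from the presentation or from any council named on this page. The organisation domain council.example, the partner allow-list, the content markers and the sample messages are all constructed for the example; a real deployment would key on the organisation's own classification labels and directory.

```python
"""Pre-send check for outbound e-mail that appears to carry personal data.

Added example, not code from the original presentation. The sender domain
(council.example), the partner allow-list and the content markers are
assumptions constructed for this illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "council.example"            # assumption: the organisation's own domain
TRUSTED_EXTERNAL = {"partner-nhs.example"}     # assumption: partners cleared for data sharing
MAX_RECIPIENTS = 5                             # above this, treat as a "wrong group" risk

# Constructed markers suggesting personal or sensitive personal data (DPA 1998 s.2).
SENSITIVE_PATTERNS = [
    re.compile(r"\bOFFICIAL[- ]SENSITIVE\b", re.I),
    re.compile(r"\bcase (file|notes|conference)\b", re.I),
    re.compile(r"\b(medical|health) (record|condition)\b", re.I),
    re.compile(r"\bdate of birth\b", re.I),
    re.compile(r"\bcriminal (record|offence)\b", re.I),
]


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    allow: bool
    reasons: list[str]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; malformed addresses yield ''."""
    addr = address.strip().lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike recipient domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sensitive_markers(msg: Message) -> list[str]:
    """Patterns matched in the subject, body or attachment names."""
    haystack = "\n".join([msg.subject, msg.body, *msg.attachments])
    return [p.pattern for p in SENSITIVE_PATTERNS if p.search(haystack)]


def check_recipients(msg: Message) -> Verdict:
    """Gate the send: ordinary mail passes; mail that looks personal must stay
    internal or go only to allow-listed partners, to a small recipient set,
    and never to a domain a typo away from our own."""
    markers = sensitive_markers(msg)
    if not markers:
        return Verdict(True, [])
    reasons: list[str] = []
    domains = {domain_of(r) for r in msg.recipients}
    if "" in domains:
        reasons.append("malformed recipient address")
    for d in sorted(domains - {INTERNAL_DOMAIN, ""}):
        if d not in TRUSTED_EXTERNAL:
            reasons.append(f"sensitive content to unlisted external domain {d}")
        if edit_distance(d, INTERNAL_DOMAIN) <= 2:
            reasons.append(f"{d} is a look-alike of {INTERNAL_DOMAIN}; probable mis-selection")
    if len(msg.recipients) > MAX_RECIPIENTS:
        reasons.append(f"sensitive content to {len(msg.recipients)} recipients; confirm each one")
    return Verdict(not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: case-conference notes with an external free-mail address
    # picked from the address book alongside the intended colleague.
    demo = Message("j.bloggs@council.example",
                   ["a.colleague@council.example", "j.bloggs@freemail.example"],
                   "Case conference Tuesday", "Case notes attached", ["minutes.docx"])
    for reason in check_recipients(demo).reasons:
        print("BLOCK:", reason)
```

The check deliberately does nothing for mail with no personal-data markers, so it does not get in the way of routine correspondence; the friction is reserved for the messages where a mis-selected recipient is a reportable breach. The look-alike test catches the address-book mistake the tale describes, where a name identical to a colleague's exists at an outside domain.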