New Data Protection Legislation July 2018

Training objectives To provide a broad overview of the new data protection legislation To signpost to where further resources are available

What is personal data? How would you define personal data? What examples of personal data can you give?

Definition of personal data under GDPR “any information relating to an identified or identifiable natural person” Data Controllers and Data Processors

Special categories Biometric and genetic data The racial or ethnic origin of the data subject(s) Their political opinions Their religious beliefs or beliefs of a similar nature Whether they are members of a Trade Union Their physical or mental health or condition Their sexual life The commission or alleged commission by them of any offence Any proceedings for any offence committed or alleged, the disposal of such proceedings or the sentence of any court

Principles Processed fairly, lawfully and in a transparent manner Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose Adequate, relevant and limited to what is necessary in relation to the purposes Accurate and kept up to date    Kept in a form that permits identification no longer than is necessary Processed in a way that ensures appropriate security of the personal data

Processing conditions Consent of the data subject Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract Necessary for compliance with a legal obligation – this is broadly the same as current DPA, however the law does not need to be statutory. Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent

Processing conditions Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – this condition will apply when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. These functions must arise under Member State or EU law.

Consent must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes freely given, specific and informed – equal balance of power. “audit trail” / record of consent right to withdraw consent children

Privacy / transparency notices Who is the data controller? Who is the Data Protection Officer? What is the legal basis for processing? How long is data kept for? Who is the data shared with? Statement of rights of data subjects

Privacy / transparency notice XXXX is the Data Controller under data protection law and will use the information you provide <on this form> in order to <eg. provide you with xxx service>. The legal basis for processing this data is <eg. our legal obligations under xxx Act / performance of a task carried out in the public interest or in the exercise of official authority vested in the council / your consent to do so. You can withdraw your consent at any time by notifying us. Our contact details to do so, or for any other queries, are {contact details}>. We will keep your data for <retention period>. Your information will not be shared further / will be shared with <other team / organisation> in order to provide you with the service. <delete as applicable> Individuals have a number of rights under data protection law, including the right to request their information. You also have a right to make a complaint about our handling of your personal data to the Information Commissioner’s Office https://ico.org,ukttps://ico.org.uk/ You can contact the council’s Data Protection Officer, Carol Trachonitis, via informationgovernance@herefordshire.gov.ukinformationgovernance@herefordshire.gov.uk

Rights of individuals Right to be informed Right of access Data portability the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine readable format' and have the right to transmit that data to another controller.

Rights of individuals Right to rectification Right to erasure Right to restrict processing Right to object

Pseudonymisation The separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.

Data breaches Bigger penalties Mandatory reporting to the ICO Within 72 hours of the breach being discovered Notification to the individuals affected by the breach

What does a data breach look like? Hampshire: Social care files left in building after office moves: £100,000 Devon: Social worker used a previous case as template for adoption panel report and sent out a copy of the old report instead of the new one: £90,000 Powys : Social worker sent a report relating to family A to family B due to a mix up of papers at the printer: £130,000 Worcestershire: Employee emailed highly sensitive & excessive info about a large number of vulnerable people to 23 unintended recipients: £80,000

Preventing data breaches Check the post goes to the correct addressee. Who can see or hear confidential information? Don’t leave information where those not authorised can see it, only discuss individuals for professional reasons. Secure / lock away confidential material. Wipe memory sticks after use, only use encrypted devices. Tailgating Be proportionate when sharing / using personal information. Only access confidential information for the right reasons.

Preventing data breaches Is what you do secure? What do you need to change?

Implications Destroy data once it is no longer needed Care with recording Report data breaches Co-operate over requests for information Security

Any Questions?