Data Protection What you need to know Tim Turner IRRV February 2018
Article 4: definition of data
Any information relating to an identified or identifiable natural person.
'Data subject' = an identifiable person who can be identified by an identifier such as a name, an identification number, location data or an online identifier, or by one or more factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
Anonymised Pseudonymised data Personal data
Profiling / automated decisions
Profiling: analysis of a person or prediction about behaviour; in particular, performance at work, economic situation, health, interests and preferences, behaviour and reliability, location and movements.
Automated decisions: a decision using personal data made by an automated process.
DP Bill: structure
- GDPR: applies as normal
- Applied GDPR: applies to matters outside EU competence
- Part 3: Law enforcement: implements the directive
- Part 4: Intelligence services: applies GDPR-style standards to intelligence
Law enforcement purpose
Prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
DP Bill: Public authorities
6) Any reference to public authorities or public bodies in the GDPR means:
- bodies under the Freedom of Information Act 2000
- bodies under the Freedom of Information (Scotland) Act 2002
- anyone added by the Secretary of State
Implications: DPO, legitimate interests, manual processing
Controller / Processor
- Controller: decides how and why data is used
- Processor: does as required under contract with the controller; responsible if they do anything outside the contract
Art 26: Joint controllers
Definition: two or more controllers jointly determine the purposes and means of processing.
Agreement should set out *transparently* how they will comply; in particular:
- rights of the data subject
- duties to provide fair processing
A5: Principles
a) Lawfulness, fairness and transparency
b) Purpose limitation
c) Data minimisation
d) Accuracy
e) Storage limitation
f) Integrity and confidentiality
Controller is responsible for, and shall be able to demonstrate, compliance.
GDPR conditions
- Consent
- Necessary for contract
- Legal obligation
- Vital interests
- Official authority / public interest
- Legitimate interest
Law enforcement conditions
- Consent
- Law enforcement purpose
Law enforcement accuracy
Controllers should distinguish between:
- suspects / potential subjects
- those who have been convicted
- victims / potential victims
- witnesses and other interested parties
SPECIAL CATEGORIES
Article 9: Special categories
- Racial / ethnic origin
- Political opinions
- Religious / philosophical beliefs
- Trade union membership
- Biometric data
- Health
- Sex life / sexual orientation
Article 9: Special categories conditions
- Explicit consent
- Employment law
- Vital interests (no consent possible)
- Special category group use
- Made public by subject
- Public interest underpinned by law
- Establish / defend legal claims
- Health / social care
- Public health
- Archiving / research with safeguards
Substantial public interest AND one of:
- Government / legal
- Equality of treatment
- Preventing or detecting unlawful acts
- Protecting public against dishonesty
- Disclosure for journalism
- Fraud / terror financing
- Counselling
- Insurance
- Political parties
- Elected representatives
CRIMINAL RECORDS DATA
Criminal records conditions
- Government / legal
- Equality of treatment
- Preventing or detecting unlawful acts
- Protecting public against dishonesty
- Disclosure for journalism
- Fraud / terror financing
- Counselling
- Insurance
- Political parties
- Elected representatives
Criminal records conditions (cont.d)
- Consent from data subject
- Vital interests (subject cannot consent)
- Political, religious / philosophical or trade union groups
- Subject has put data in public domain
Articles 13 & 14: fair processing
- Must use concise and transparent language
- Information must be reasonably accessible
TRANSPARENCY & RIGHTS
Article 13: provide if subject gives you the data
- ID of data controller
- Contact of Data Protection Officer
- Purposes and legal basis of processing
- Legitimate interests
- Recipients of data
- International transfers
- Retention period or criteria
- Right to request rectification
- Right to withdraw consent
- Right to complain to ICO
- Consequences of failure to supply data
- Existence of profiling and other automated decision making
Article 14: fair processing if you get data from a 3rd party
- ID of data controller
- ID of Data Protection Officer
- Categories of data
- Purposes and legal basis of processing
- Recipients of data
- International transfers
- Retention period or criteria
- Legitimate interests*
- Right to request rectification / restriction
- Right to withdraw consent*
- Right to complain to ICO
- Source of data
- Existence of profiling and other automated decision making
RIGHTS FOR SUBJECTS
- Subject access
- Rectification
- Portability
- Restriction
- Right to be Forgotten
- Objection to optional processing
- Limitations on automated processing
Rights
Rights are disapplied when relevant personal data is processed in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.
Other processing: EXEMPTIONS to
- avoid obstructing an official or legal inquiry, investigation or procedure
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties
- protect public security
- protect national security
- protect the rights and freedoms of others
Other rights
- Subject access
- Rectification (fairly unrestricted)
- Erasure (AKA RTBF), where there is:
  - breach of principles
  - processing of data without a condition
  - personal data that must be erased in order to comply with a legal obligation
- Restriction of processing in limited circumstances
Rights (cont.d)
46: limitations on automated 'significant' decisions (only where authorised by law)
Definition of significant decision: one producing an adverse legal effect concerning the data subject or significantly affecting the data subject.
EXEMPTIONS
Exemptions
- All principles, rights and obligations apply at the start
- Exemption identifies a subject area (e.g. prevention / detection of crime)
- Exemption then identifies provisions that can be set aside
- First group of exemptions sets aside the most provisions
- Each group after that sets aside less
- At the end, only transparency and SAR are covered
Main exemptions (remove transparency, rights including SAR, purpose limitation)
- Crime prevention, detection, imposition of taxes, duties etc.
- Immigration controls
- Legal obligations to publish / disclose, legal proceedings
Additional exemptions (remove transparency / rights)
- Functions to protect the public
- Regulation of complaints in health, legal and children's services
- Other regulators
- Parliamentary privilege, courts, honours
SECURITY AND BREACH NOTIFICATION
Processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Article 4: Security breach definition
Personal data breach is:
INCIDENT, i.e. a breach of security
LEADING TO:
- Destruction
- Loss
- Alteration
- Unauthorised disclosure / access
Articles 33 – 34: Breach notification
REPORT TO ICO
- within 72 hours
- unless unlikely to cause risk to rights and freedoms of data subjects
REPORT TO SUBJECTS
- if likely to cause high risk to rights of data subjects
- ICO can order you to report
Article 33(3): ICO report
- Nature of breach
- Numbers & categories of subjects
- Numbers of records
- Name & contact details of DPO
- Likely consequences of breach
- Measures taken to address / mitigate breach
Can tell the ICO this information in phases.
General controller obligations
GENERAL CONTROLLER REQUIREMENTS
- Art 24: Ability to demonstrate compliance with GDPR
- Art 25: Data protection by design and by default
- Art 26: Arrangements / agreements with joint controllers
DATA PROTECTION OFFICER
Art 37(1): DPO is required in three sectors; org can be controller or processor
a) Public authorities & public bodies
b) Core activities involve regular and systematic monitoring of subjects on a large scale
c) Core activities involve large scale processing of special categories / criminal convictions & offences
Government can add sectors if it wishes; Art 29 WP recommends that other sectors might have them.
Public authority can include private bodies: lack of choice for subjects is a significant factor.
www.actnow.org.uk
A37(5): DPO designated on basis of:
- "professional qualities"
- "expert knowledge of data protection law and practice"
- "ability to fulfil tasks" set out in Article 39
No mention of qualifications: RISK BASED APPROACH
Article 38(6): Conflict of interest
- DPO can carry out other tasks as long as there is no conflict of interest
- Case by case decision depending on organisation's structure
- LIKELY CONFLICTS: senior management, any other role involved in determining the purposes of processing
Article 39: TASKS
- Advise the organisation and staff on obligations under GDPR
- Monitor compliance with GDPR, UK DP laws, and the org's own policies and procedures
- Provide advice on impact assessments and monitor performance
- Cooperate with the ICO on GDPR issues and act as contact point with them
Article 38: DPO's position
- Must be "properly and in a timely manner involved in all issues which relate to the protection of personal data"
- Org must support the DPO with necessary resources, access to data and systems
- DPO cannot be given instructions on how to carry out tasks; cannot be dismissed for performing those tasks; must report to senior management
- Must be available to be contacted by data subjects
IMPACT ASSESSMENTS
Article 35: IMPACT ASSESSMENTS
On high-risk processing, before it happens:
- Profiling with significant effects
- Public surveillance on a large scale
- Large scale special categories / criminal data
Article 35 IMPACT ASSESSMENTS: ART 29 WP
AT LEAST TWO OF THESE:
- Automated decisions
- Systematic monitoring
- Sensitive data
- Large scale processing
- Matching datasets
- Vulnerable subjects
- Innovative techniques
- International transfers
- Processing that limits rights
Article 35: IMPACT ASSESSMENTS
- Systematic description of project and purposes
- Assess necessity and proportionality
- Identify risks
- Apply suitable measures and safeguards
CONTROLLER / PROCESSOR
Controller / processor
- Only select processors that offer 'sufficient guarantees' on ability to comply with the Regulation and protect subject rights
- Must have a binding contract
- Processor cannot enlist / change a sub-processor without controller consent
- Contract requirements passed down the chain
Controller / processor: binding contract
- Nature of processing, data, subjects
- Act only on instructions
- Ensure confidentiality
- All necessary security measures
- Assist controller with subject rights, security & risk assessment
- Delete or return data
Contact 2040 for advice and training
www.2040training.co.uk
Tel: 07508341090
Email: tim@2040training.co.uk