Copyright of SFMKeddie - all rights reserved
THE DATA PROTECTION ACT 1998 - A QUESTION OF PRINCIPLES
Sheelagh F M Keddie - the Data Compliance Centre


THE DATA PROTECTION ACT 1998 - Main characteristics
- covers all data about living individuals, e.g. customers, employees, directors, sole traders
- includes accounts, marketing and credit scores, orders, performance measures, health, etc.
- covers automated data and manual data
- sets rules and places obligations on companies
- provides rights for individuals
- includes penalties for failing to comply
- is actively supervised by the Data Protection Commissioner

THE 1998 ACT
- 8 ENHANCED PRINCIPLES
- NEW RIGHTS OF DATA SUBJECT
- CAME INTO FORCE 1st MARCH 2000 (includes transitional arrangements)
- NEW PENALTIES
- CHANGES TO DEFINITIONS AND WIDER COVER

WHAT'S NEW IN THE 1998 ACT?

copyright of SFMKeddie - all rights reserved  DATA USER BECOMES DATA CONTROLLER  PROCESSING NO LONGER BY REFERENCE  PERSONAL DATA INCLUDES INTENTIONS  STRUCTURED MANUAL FILES  ASSESSMENT PROCESS CHANGES TO DEFINITIONS AND WIDER COVER

TRANSITIONAL ARRANGEMENTS - 1ST MARCH 2000
ACT APPLIES IN FULL TO:
- FUNCTIONS PROCESSING AUTOMATED DATA WHICH WEREN'T IN PLACE ON OCTOBER 24TH 1998
- AND TO MANUAL RECORDS HELD BY A HEALTH PROFESSIONAL

TRANSITIONAL ARRANGEMENTS - MARCH 1ST 2000
FOR ALL FUNCTIONS WITH REGARD TO THE PROCESSING OF AUTOMATED DATA:
- THERE ARE NEW POWERS OF ENTRY AND INFORMATION NOTICE
- AND A REQUIREMENT TO ASSESS SECURITY OF DATA PROCESSORS
1984 ACT STILL APPLIES IN THE MAIN

TRANSITIONAL ARRANGEMENTS - 24TH OCTOBER
ACT APPLIES IN FULL TO ALL FUNCTIONS WITH RESPECT TO THE PROCESSING OF:
- AUTOMATED DATA
- DATA ITEMS ADDED TO A STRUCTURED MANUAL FILE SINCE 23RD OCTOBER 1998
- ALL DATA IN STRUCTURED MANUAL FILES WHICH HAVE BEEN SET UP SINCE 23RD OCTOBER 1998

TRANSITIONAL ARRANGEMENTS - 24TH OCTOBER
ACT APPLIES IN FULL TO:
- ALL DATA HELD IN A STRUCTURED MANUAL FILE BEFORE 24TH OCTOBER 1998

PENALTIES FOR NON-COMPLIANCE
- ASSESSMENT OF COMPLAINTS MADE BY THE PUBLIC VIA ODPC
- INFORMATION NOTICE
- POWERS OF ENTRY AND INSPECTION
- ENFORCEMENT NOTICE [preliminary or fast-track]
- TRANSFER PROHIBITION NOTICE
- GENERAL RAISING OF COMPLAINTS AND REQUIREMENTS
- COMPENSATION FOR INACCURACY, LOSS, UNAUTHORISED ACCESS OR DISCLOSURE
- DIRECTORS LIABLE IF OFFENCE COMMITTED WITH CONSENT, CONNIVANCE OR BY NEGLECT

REASONS TO COMPLY
- COSTS OF: RESOURCING INVESTIGATIONS; IMPLEMENTING ACTIONS REQUESTED BY THE COMMISSIONER; COMPENSATION PAYMENTS; COURT HEARINGS
- COSTS OF BEING UNABLE TO USE DATA
- ETHICAL AND LEGAL RESPONSIBILITIES

British Computer Society Code of Conduct
The Public Interest
2. Members shall have due regard to the legitimate rights of third parties.
3. Members shall ensure that within their chosen fields they have knowledge and understanding of relevant legislation, regulations and standards and that they comply with such requirements.
4. Members shall in their professional practice have regard to basic human rights and shall avoid any actions that adversely affect such rights.
Duty to Employers and Clients
5. Members shall carry out work with due care and diligence in accordance with the requirements of the employer or client and shall, if their professional judgement is overruled, indicate the likely consequences.

MANAGING DATA PROTECTION
- POLICY
- GUIDELINES
- INVENTORY
- PROCESSES
- ORGANISATION
- EDUCATION AND TRAINING

copyright of SFMKeddie - all rights reserved WHAT DOES GOOD DP PRACTICE LOOK LIKE?  A clear, complete and relevant policy  An inventory of personal data  Controls to ensure that data are collected legally  Only relevant data and sufficient data are collected  Controls to ensure that data are only used in accordance with how they were collected

copyright of SFMKeddie - all rights reserved WHAT DOES GOOD DP PRACTICE LOOK LIKE?  A clear, complete and relevant policy  An inventory of personal data  Controls to ensure that data are collected legally  Only relevant data and sufficient data are collected  Controls to ensure that data are only used in accordance with how they were collected  Procedures to correct inaccurate data  Procedures to delete data when the purpose is completed  Procedures to meet requests from individuals to see their data within the legal time limit  Staff understand their responsibilities and meet them

DEMONSTRATING COMPLIANCE
- Check Notification to ensure legality of purpose and processing
- Check processing only reflects the Data Protection collection statement
- Establish where the appropriate controls are to be placed in order to control processing
- All initiation, specification and design documents
- A Data Protection Compliance Controls document - joint ownership

DEMONSTRATING COMPLIANCE (continued)
- Contractual agreement with third-party data processors - meeting requirements of principle 7
- Risk assessment - to establish likelihood of harm to individuals

copyright of SFMKeddie - all rights reserved  WHEN DATA ARECOLLECTED DIRECTLY FROM THE DATA SUBJECT THEY ARE ENTITLED TO KNOW: - PRINCIPLE 1. - PROCESSING FAIRLY AND LAWFULLY INFORMED CONSENT  WHO i.e. WHICH COMPANY ?  WHAT WILL THE DATA BE USED FOR?

PRINCIPLE 1 - FAIR OBTAINING or INFORMED CONSENT (example collection statement)
"For all credit applications we carry out a search using a Credit Reference Agency which will record the search: details of how you conduct this account will be shared with credit reference agencies and other lenders. This information may be used to make credit decisions about you and members of your household, for occasional debt tracing and fraud prevention.
The Really Nice Retailing Company Ltd. Registered Office address. Telephone Number."

copyright of SFMKeddie - all rights reserved  WHEN DATA ARECOLLECTED DIRECTLY FROM THE DATA SUBJECT THEY ARE ENTITLED TO KNOW: - PRINCIPLE 1. - PROCESSING FAIRLY AND LAWFULLY INFORMED CONSENT  WHO i.e. WHICH COMPANY ?  WHAT WILL IT BE USED FOR?  HOW TO GIVE OR WITHDRAW CONSENT WHERE RELEVANT?

PRINCIPLE 1 - FAIR OBTAINING or INFORMED CONSENT (example collection statement, with marketing opt-out added)
"For all credit applications we carry out a search using a Credit Reference Agency which will record the search: details of how you conduct this account will be shared with credit reference agencies and other lenders. This information may be used to make credit decisions about you and members of your household, for occasional debt tracing and fraud prevention.
We will use your data for marketing and research purposes. If you do not wish to receive further marketing information from us please advise us at the address below.
The Really Nice Retailing Company Ltd. Registered Office address. Telephone Number."

THE TELECOMMUNICATIONS (DATA PROTECTION AND PRIVACY) REGULATIONS - TELEMARKETING
- Inform the data subject beforehand
- "Offer a mechanism for opting-out"
- Check with the Telephone Preference Service
- "Distinguish between out-bound telemarketing and in-bound"

PRINCIPLE 1 - FAIR OBTAINING or INFORMED CONSENT (example collection statement, with telephone and third-party opt-outs added)
"For all credit applications we carry out a search using a Credit Reference Agency which will record the search: details of how you conduct this account will be shared with credit reference agencies and other lenders. This information may be used to make credit decisions about you and members of your household, for occasional debt tracing and fraud prevention.
We will use your data for marketing and research purposes. If you do not wish to receive further marketing information from us please advise us at the address below.
We may telephone you to tell you of promotional offers, discuss account details or for market and service research. If you do not want to receive such calls please advise us at the address below.
Further offers may also be made to you by carefully selected third parties. If you do not want to hear from third parties please tick this box [ ] and we will respect your wishes.
The Really Nice Retailing Company Ltd. Registered Office address. Telephone Number."

SUMMARY
- COLLECT: legal entity, purposes, consent/objections
- STORE
- USE
- CONTROLS

copyright of SFMKeddie - all rights reserved  WHEN WE ARE COLLECTING DATA DIRECTLY FROM THE DATA SUBJECT THEY ARE ENTITLED TO KNOW: - PRINCIPLE 1. - PROCESSING FAIRLY AND LAWFULLY INFORMED CONSENT  WHO i.e. WHICH COMPANY ?  WHAT WILL IT BE USED FOR?  HOW TO GIVE OR WITHDRAW CONSENT WHERE RELEVANT?  WE ALSO MUST GIVE THIS INFORMATION IF WE RECEIVE DATA FROM ANOTHER SOURCE

PRINCIPLE 2 - ONLY OBTAINED FOR SPECIFIED AND LAWFUL PURPOSES AND NOT FURTHER PROCESSED IN AN INCOMPATIBLE MANNER [including by an employee or a third-party recipient]
- COLLECT: legal entity, purposes, consent/objections
- STORE
- USE
- disclose

PRINCIPLE 3 - DATA SHOULD BE ADEQUATE, RELEVANT AND NOT EXCESSIVE
Could lead to challenges regarding the data being collected and the purpose(s) for which they are being collected:
- adequacy - e.g. collecting forename and date of birth for credit-checking
- relevance - collecting names and addresses when no credit, home delivery or other such service is involved
- not excessive - NB: web-sites

PRINCIPLE 4 - DATA MUST BE ACCURATE AND, WHERE NECESSARY, KEPT UP-TO-DATE
- Accuracy - not incorrect or misleading as to any matter of fact, including other data, e.g. expressions of opinion based on inaccurate data
- Penalties - rectification, blocking, erasure or destruction of both sets of data; compensation for damage, or damage and distress
- No liability if - accurate recording of data as provided by a third party, where reasonable steps were taken to check accuracy and any dissent by the data subject is noted and associated
- Up-to-date - e.g. recording of late payments v final default status

PRINCIPLE 5 - NOT KEPT FOR LONGER THAN NECESSARY FOR THE PURPOSE FOR WHICH IT WAS PROCESSED
- Remove data as soon as the purpose is complete - but keep all data required for statutory purposes
- The subject is entitled to see all data including archives
- Research data are exempt

PRINCIPLE 6 - RIGHTS OF THE DATA SUBJECT
SUBJECT ACCESS - 40 days to comply
a] general information:
- description of the personal data;
- the purposes for which the data are or will be processed;
- recipients or classes of recipients;
- the logic of any automated decision-making [not commercial secrets]
b] specifically:
- an accessible copy of all data [including archives, s, CCTV, recorded calls];
- any explanations for coding and abbreviations;
- and what source was used
Exemptions:
- Data relating to a third party who should have consented and hasn't
- References provided by the Data Controller

RIGHTS OF DATA SUBJECT - TO OBJECT TO DIRECT MARKETING
- What is Direct Marketing?
- Must it be opt-out or opt-in?
- What about envelope stuffing?
- What about offering credit insurance and similar offers?
- Can you differentiate between types of offer, e.g. special discounts?
- How do you effect compliance?

RIGHTS OF DATA SUBJECT - TO PREVENT PROCESSING LIKELY TO CAUSE DAMAGE OR DISTRESS
- Substantial damage to themselves or another
- Can require processing to not start, or to cease at the end of a reasonable period
- Notice can be for a specific purpose or in a specific manner
- Can apply to Court and Court can order compliance
Exemptions:
- Data Subject consented - ref. fair obtaining
- Performance of or entering into contract with Data Subject
- Other legal obligation of Data Controller
Need procedures to:
- Receive and respond to notice
- If necessary comply by deleting relevant data

RIGHTS OF DATA SUBJECT - TO REJECT AUTOMATED DECISION
- Data Controller must tell Data Subject if they've been significantly affected by such a mechanism
- Data Subject then has 21 days to object
- Data Controller has 21 days to write back giving steps that will be taken to comply
- Either: review all such decisions manually before action, or set up procedures to advise Data Subject of the decision and review the decision on receipt of a request [Data Controller can still uphold the decision]

RIGHTS OF DATA SUBJECT - COMPENSATION
- Damage [and distress] caused by any contravention of the Act
- Distress alone - if caused by processing for journalistic, artistic or literary purposes
- Defence: reasonable care in the circumstances
RECTIFICATION, BLOCKING, ERASURE AND DESTRUCTION
- Need to identify all places where those data are held
- If compensation was applicable then may need to inform third-party recipients

PRINCIPLE 7 - SECURED AGAINST UNAUTHORISED OR UNLAWFUL PROCESSING, ACCIDENTAL LOSS OR DESTRUCTION, DAMAGE
- Measures to safeguard data to be balanced against degree of harm, i.e. impact
- Commissioner favours BS7799 - British Standard for Information Security Management
- Compensation for damage, or damage and distress

PRINCIPLE 7 - continued
- Breach of principles by a Data Processor results in Enforcement by Commissioner against Data Controller, because the Data Controller has the statutory duty to comply with the principles
- Data Controller requires contract with Data Processor - made or evidenced in writing, e.g.:
  - pavement surveys carried out by casual staff
  - computer bureau
  - out-sourced telemarketing
  - out-sourced micro-fiching, scanning or printing of documents

PRINCIPLE 8 - TRANS-BORDER DATA FLOWS
- EEC, Norway, Liechtenstein and Iceland - OK
- extra-EEA, e.g. IOM, Asia, USA - not OK
Data Controller must consider:
- level of protection in final destination
- sensitivity of data and length of processing
- country of origin of the data
If the recipient is a Data Processor for the Data Controller then there is a strong presumption of adequacy, as Data Subjects can enforce rights against the Data Controller
NB - include these in the notification

E-COMMERCE - reminders
- Declaring the use of cookies to process personal data
- Where to place information about company, uses and opt-outs
- Security requirements
- Be aware of Godfrey v Demon
- Trust UK, BSI and DPC guidelines

HUMAN RESOURCES - USE OF PERSONAL DATA
No blanket right to process personal data without constraint. Relevant issues include:
- collecting and retaining excessive data
- concern regarding the use of , phone-calls etc. in disciplinary action
- illegal enforcement of subject access
- automated CV scanning
- data for monitoring compliance, e.g. with Equal Opportunities, should be kept separate from general HR records and strictly controlled
Draft Code of Practice issued

THE END
Please note this information should not be used without proper professional advice.
S F M Keddie, The Data Compliance Centre