Data Protection Corporate training 2012

Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts

Data Protection Act 1998 Regulates the processing of data Gives rights to individuals

How does it affect me? Fylde BC as a “data controller” has responsibilities for data under its control All employees handling data have responsibility

Concepts we will cover Data Personal Data Sensitive Personal Data The eight data protection principles Subject access rights

Data Any recorded information held by a public authority Narrower definition outside the public sector

Personal data Living individual Identified from data - or from other information Opinions Intentions

Sensitive personal data Race or ethnicity Political opinions Religion Union membership Health Sexual life Offences

Processing Obtaining Recording Holding Organising Adapting Altering Retrieving Consulting Using Disclosing Transmitting Disseminating Making available Aligning Combining Blocking Erasing Destroying

The data protection principles Personal data shall be: –processed fairly and lawfully –used only for specified and lawful purposes –adequate, relevant and not excessive –accurate –not be kept for longer than necessary –processed in line with rights of data subjects –protected against tampering and loss –not transferred to certain countries

The first principle: Fair processing “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless [at least one of certain] conditions are met…”

The first principle: Fair processing “Personal data shall be processed fairly AND lawfully AND in particular, shall not be processed unless [at least one of certain] conditions are met…”

The first principle: Fair processing “Fairly” –Consequences to subject –Fair processing information “Lawfully” –Powers –Legitimate expectation –Human rights

The first principle: The conditions for fair processing Consent of subject

The first principle: Fair processing Consent –Active communication –Freely given –Not by default –Appropriate to the circumstances

The first principle: The conditions for fair processing Consent of subject Contracts Legal obligations Public interest conditions Legitimate interests: Balance Necessity test

Sensitive personal data: Extra conditions “Explicit” consent Employer’s obligations Vital interests Political or religious bodies Public domain Legal proceedings Administration of justice Health purposes…

Sensitive personal data: Extra restrictions Equalities Detection or prevention of crime Public protection Counselling services Insurance Police

The second principle: Specified purposes “Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”

The second principle: Specified purposes Purposes can be satisfied by: Notice to data subject Registration with the Information Commissioner

Whose responsibility?

The third principle: Proportionality “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”

The third principle: Proportionality Minimum of data for the purpose Cannot hold information “just in case” Should not be held longer than needed

The fourth principle: Accuracy “Personal data shall be accurate and, where necessary, kept up to date”

The fourth principle: Accuracy Reasonable steps Right of data subject to mark inaccuracies Data must be updated “where necessary”

The fifth principle: Deleting old data “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”

The fifth principle: Deleting old data Need for system of review Depends on purpose data was held Exception for historical, statistical or research purposes

The sixth principle: Subjects’ rights “Personal data shall be processed in accordance with the rights of data subjects under this Act”

The sixth principle: Subjects’ rights Subject access requests Processing likely to cause damage or distress –notice procedure Processing for direct marketing Automatic decision-taking

Subject access request Made by data subject in writing (including e- mail) Fee of £10 Data controller must: –say if he holds personal data about that person –provide a copy of that data –say why they are being processed and –to whom they may be disclosed

Subject access request Promptly, or within 40 days Exceptions: –Disproportionate effort –Affect on health –Third party information –Unstructured personal data UNLESS The data is identified; and Within cost limit

Third party information “Information relating to an individual other than the the data subject who can be identified by that information” Where the third party has consented Reasonable in all the circumstances –duty of confidentiality –whether consent sought –Anonimysing

The seventh principle: Tampering and loss “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”

The seventh principle: Tampering and loss Risk management Security policy Access to PCs Passwords Authentication of callers Backups Virus protection Training

The eighth principle: Data Transfer “Personal data shall not be transferred to a country of territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data”

Further information Your line manager Tracy Morrison or Ian Curtis