Published by Scot Rodgers. Modified over 8 years ago.
Data Protection: the basics
Lee Shailer, 06 June 2016
© University of Reading 2007, www.reading.ac.uk/data_protection
Data Protection (DP) objectives
- Why is DP important?
- Overview of the Act (the basics)
- Help/support
Data Protection: why is it important?
- Privacy a fundamental right in Human Rights Act
- Costs of unfair processing
  - Identity theft
  - ‘Information injustice’ – social networking sites and jobs
  - Brandon Mayfield
  - Personnel Security breaches – HMRC, MOD
- Individuals (data subjects) have strong rights under the Act which cost the University
- Individuals will complain if the University gets it wrong – media, decision notices
Data Protection: overview
- DP Act 1998: came into full effect in March 2000.
- Regulates the processing of personal data relating to living individuals who can be identified from the information.
- Basic aim of the Act: to balance the rights of individuals to privacy with the legitimate interests of organisations in processing personal data.
- Scope of the Act very wide: covers all processing. The proliferation of data, particularly electronic, means many media are covered – emails, PDAs, CCTV, photographs, etc.
Data Protection: key terms
- Data: recorded electronic or manual information
- Personal data is data that:
  - relates to an identifiable living individual
  - has the living individual as the main focus
  - is of ‘biographical significance’ to the individual
  This includes opinions about them and other people’s intentions towards them. Personal data can take many forms….. egs
- Data processing: all aspects of data handling
- Data controller: the organisation (term can apply to employees) who determines the manner and purposes of processing
- Sensitive personal data: trade union membership, religious beliefs, sexual life, political opinions, criminal history, health
Data Protection: the Act itself
From the University’s point of view the main requirements are:
1. To comply with 8 DP principles
2. To comply with data subject rights in the DP Act
3. To notify the Information Commissioner of its processing
1. Data protection principles
8. Personal data not to be transferred outside EEA without protection
7. Appropriate technical and organisational measures shall be taken to prevent unauthorised processing and loss, destruction or damage to that personal data (a challenge to comply, i.e. home working?)
Explanation of 7th Principle – the University must:
- Have regard to technological developments to ensure a level of security appropriate to:
  - Harm that might result from unauthorised processing
  - The nature of the data to be protected
- Take reasonable steps to ensure reliability of employees
- Data processors must operate under written contract and ‘reasonable steps’ must be taken to ensure compliance
Data protection principles (cont.)
6. Processed in accordance with the rights of the data subject
5. Kept only for so long as is necessary for the specified purpose
4. Accurate (people complain about inaccuracy!)
3. Adequate, relevant and not excessive (Do not collect more than you need!)
2. Obtained and processed for limited purposes
1. Processed fairly and lawfully. This means:
   - Issue a fair collection notice at the time of collection
   - Meeting one condition of processing, i.e. Schedule 2
1. Schedule 2 – conditions for processing
1. Consent
Or it is necessary for:
2. Contract
3. Legal obligation
4. Vital interests
5. Justice or Crown or Government
6. ‘The balancing act’ - Legitimate interests of data controller/third parties, but not prejudice rights of individual
1. Exemptions
DP principles apply to all processing and all personal data unless exemption applies. Examples include:
- References
- Crime and taxation (prejudice test)
- Journalism
- Research
- Examination marks and scripts
- Domestic purposes
- Legal professional privilege
2. Data subject rights
- Accuracy – ensure their personal data is accurate
- Prevent processing likely to cause damage or distress
- Seek compensation
- For no 3rd party access
- Access to their personal data (subject access request)
  - Data Protection Officer must answer within 40 days
  - Offence to destroy ‘stuff’ after a request is received
  - Requests must be received in writing
  - Identity of individual must be identified
  - Maximum of £10 charged
3. Notification to IC
As a data controller, the University of Reading must:
- Notify the IC of what personal data it is processing and keep this up to date (given the complexity and size of the University with its semi-autonomous Schools/Offices, this is quite a big operation)
- Declare a Data Protection Officer
- Be compliant with the Data Protection Act
DP enforcement
- Information Commissioner is responsible for enforcement for DP (and also Freedom of Information (FOI) and Environmental Information Regulations (EIR))
- What does the IC do? ‘….is the UK's independent authority set up to promote access to official information and to protect personal information’
DP Help
- Data protection is complex. Talk any data protection issue or concern you have through with IMPS.
- Remember: it is best to check *before* processing
- IMPS network
- Online training modules - http://www.icr.ac.uk/icre8/org/Courses/reading/reading_dpa/html/
- IMPS contact details: Lee Shailer, imps@reading.ac.uk, Ext 8981
- www.reading.ac.uk/data_protection
- www.reading.ac.uk/foi