1. New Data Protection Legislation
July 2018

2. Training objectives
To provide a broad overview of the new data protection legislation
To signpost to where further resources are available

3. What is personal data?
How would you define personal data? What examples of personal data can you give?

4. Definition of personal data under GDPR
“any information relating to an identified or identifiable natural person” Data Controllers and Data Processors

5. Special categories Biometric and genetic data
The racial or ethnic origin of the data subject(s)
Their political opinions
Their religious beliefs or beliefs of a similar nature
Whether they are members of a Trade Union
Their physical or mental health or condition
Their sexual life
The commission or alleged commission by them of any offence
Any proceedings for any offence committed or alleged, the disposal of such proceedings or the sentence of any court

6. Principles Processed fairly, lawfully and in a transparent manner
Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with the original purpose
Adequate, relevant and limited to what is necessary in relation to the purposes
Accurate and kept up to date   
Kept in a form that permits identification no longer than is necessary
Processed in a way that ensures appropriate security of the personal data

7. Processing conditions
Consent of the data subject
Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract
Necessary for compliance with a legal obligation – this is broadly the same as current DPA, however the law does not need to be statutory.
Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent

8. Processing conditions
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – this condition will apply when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. These functions must arise under Member State or EU law.

9. Consent
must be a positive indication. It cannot be inferred from silence, inactivity or pre-ticked boxes
freely given, specific and informed – equal balance of power.
“audit trail” / record of consent
right to withdraw consent
children

10. Privacy / transparency notices
Who is the data controller?
Who is the Data Protection Officer?
What is the legal basis for processing?
How long is data kept for?
Who is the data shared with?
Statement of rights of data subjects

11. Privacy / transparency notice
XXXX is the Data Controller under data protection law and will use the information you provide <on this form> in order to <eg. provide you with xxx service>.
The legal basis for processing this data is <eg. our legal obligations under xxx Act / performance of a task carried out in the public interest or in the exercise of official authority vested in the council / your consent to do so. You can withdraw your consent at any time by notifying us. Our contact details to do so, or for any other queries, are {contact details}>.
We will keep your data for <retention period>.
Your information will not be shared further / will be shared with <other team / organisation> in order to provide you with the service. <delete as applicable>
Individuals have a number of rights under data protection law, including the right to request their information. You also have a right to make a complaint about our handling of your personal data to the Information Commissioner’s Office
You can contact the council’s Data Protection Officer, Carol Trachonitis, via

12. Rights of individuals Right to be informed Right of access
Data portability
the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly use and machine readable format' and have the right to transmit that data to another controller.

13. Rights of individuals
Right to rectification Right to erasure Right to restrict processing Right to object

14. Pseudonymisation
The separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.

15. Data breaches Bigger penalties Mandatory reporting to the ICO
Within 72 hours of the breach being discovered
Notification to the individuals affected by the breach

16. What does a data breach look like?
Hampshire: Social care files left in building after office moves: £100,000
Devon: Social worker used a previous case as template for adoption panel report and sent out a copy of the old report instead of the new one: £90,000
Powys : Social worker sent a report relating to family A to family B due to a mix up of papers at the printer: £130,000
Worcestershire: Employee ed highly sensitive & excessive info about a large number of vulnerable people to 23 unintended recipients: £80,000

19. Preventing data breaches
Check the post goes to the correct addressee.
Who can see or hear confidential information? Don’t leave information where those not authorised can see it, only discuss individuals for professional reasons.
Secure / lock away confidential material.
Wipe memory sticks after use, only use encrypted devices.
Tailgating
Be proportionate when sharing / using personal information.
Only access confidential information for the right reasons.

20. Preventing data breaches
Is what you do secure?
What do you need to change?

21. Implications
Destroy data once it is no longer needed Care with recording Report data breaches Co-operate over requests for information Security

22. Any Questions?