A Framework for Compliance


1 A Framework for Compliance
Presenter: JB
Data Protection: A Framework for Compliance
Jenny Brotchie, Senior Policy Officer
Maureen H Falconer, Regional Manager - Scotland

2 Overview
Presenter: JB
- Ice Breaker
- The Data Protection Principles;
- Individuals’ Rights & Organisational Obligations;
- What if it all goes wrong???
- Any further questions?
Notes: The workshop will be split between information giving and activities that will cement your learning but also give you something practical to take back to your own organisations to implement. Here is what we will cover today:
- Begin with an icebreaker and think about why data protection is important anyway.
- Take a look at the 6 data protection principles.
- Complete our first activity.
- Give you an overview of personal data rights and your obligations as data controller (more on that later!)
- Complete our second activity.
- Tell you what you need to do if it all goes wrong and there is a data breach.
- Complete our final activity.
- Opportunity for questions, but please do cut in if there is anything that you want to ask as we go through. You can also grab either Maureen or myself at the end.

3 Personal data! It’s about…
Presenter: JB
Slide: It’s about… Any information relating to an identified or identifiable [living] natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as… Personal data!
Notes: Before we begin – some data protection 101!
1. The GDPR protects an individual’s right to protection of personal data. Definition: Personal data relate to a living individual who can be identified from those data and/or other information likely to be in the possession of the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person about the individual. This could also include a description of an individual rather than actual data items if the description is enough to identify one individual from another in a given setting. This also includes ‘unique identifiers’ such as case/client reference numbers, community health index number, NI number, passport number, driving licence number, etc.
2. The GDPR covers data that are processed wholly or partly by automated means (computer) or which form part of a filing system.
3. It does not cover personal or household processing.

4 Special categories
Presenter: JB
- Race or ethnicity
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Physical or mental health
- Genetic or biometric
- Sexual life or orientation
Notes: The DPA refers to these types of data as sensitive personal data and separates this from ordinary personal data as worthy of more consideration and security. GDPR refers to these as Special Category data. This kind of data is given special protection under the GDPR. There are seven specific categories: race or ethnic origin; political opinions; religious or philosophical belief; trade union membership; physical or mental health; genetic or biometric; and sexual life (not just sexuality!). Note that genetic data is a new category and that data relating to criminal or alleged criminal activity is no longer included. Criminal activity is dealt with under a separate Law Enforcement Directive (EU 2016/680). Although financial data is not included, the ICO treats a breach of this data as if it were special category because that’s how individuals think of it. A breach involving special category data is likely to take it into the ‘serious’ category and may incur a Civil Monetary Penalty.

5
Presenter: JB
“The processing of personal data should be designed to serve mankind.” Recital 4 GDPR

6 The Six Data Protection Principles
Presenter: MF
Notes: The six data protection principles are the ‘building blocks’ required for overall compliance and the standard to which all data controllers should aspire.
- Fair and Lawful: make sure you tell people what you are doing with their personal data through good Privacy Notices. Make sure you are relying on an appropriate Condition for processing and working within your powers.
- Limited Purposes: only use personal data for the lawful purposes required and don’t use it for something completely different.
- Data Quality: only use enough relevant personal data required for the purpose to avoid excessiveness.
- Accuracy: update data as necessary and correct when alerted to any inaccuracies. Also alert any corrections to those to whom data are disclosed.
- Retention: keep personal data for as long as required to comply with legal obligations and business need. Think about filtering records.
- Appropriate technological and organisational measures must be taken to secure the personal data. The more sensitive the data, the more security will be required.

7 Legal Bases - GDPR
Presenter: MF
Personal data (Art6):
- Consent
- Or where necessary for:
  - Contract with the individual
  - Comply with a legal obligation
  - Protecting vital interests
  - Task in the public interest / Exercise of official authority
  - Legitimate interests of the data controller, as long as not prejudicial to the person (NB: not available for a PA carrying out its tasks)
Special Category data (Art9):
- Explicit consent
- Or where necessary for:
  - Employment, social security, social protection law
  - Vital interests and incapacity
  - Not for profit religious, political or trade union bodies
  - Put in public domain by the person
  - Substantial public interest based on law
  - Health, medical, social care
  - Public health protection
  - Archiving, research, statistical purposes
- See also Schedule 1 DPA 2018
Notes: In order to use personal data lawfully, you need to be able to rely on at least one condition for processing from the personal data column. If it is special category data, you need to be able to rely on at least one condition for processing from each column. Other than consent, the legal bases require that the processing is necessary. Consent has its own particular requirements. All bases have equal weighting: one does not carry any more status than any other. It is for the data controller to be satisfied that they are relying on the appropriate legal basis, and it is recommended that a record is kept of the rationale on which the use is being made. This is especially important when not relying on consent.

8 What’s not consent?
Presenter: MF
- Relying on silence, pre-ticked boxes or inactivity;
- Having no genuine or free choice or being unable to refuse or withdraw without detriment;
- In any specific case, having an imbalance between the person and the controller, especially where the controller is a public authority and it’s unlikely for consent to have been freely given in all the circumstances of that case;
- Not allowing separate consent to be given to different processing despite it being appropriate in any individual case; or
- Making the performance of a contract dependent on consent when it’s not necessary for such performance.
Notes: Remember that you can rely on alternative legal bases to consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests. Where you already rely on consent that was sought under the DPA or the EC Data Protection Directive (95/46/EC), you will not be required to obtain fresh consent from individuals if the standard of that consent meets the new requirements under the GDPR (see Recital 171). Implementation of the GDPR will require a review of consent mechanisms to ensure they meet the standards required under the legislation. If you cannot reach this high standard of consent, then you must find an alternative legal basis or cease or not start the processing in question.

9 What information must be supplied?
Presenter: MF
Table columns: Obtained from individual / Not obtained from individual
- Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Details of transfers to third country and safeguards
- Retention period or criteria used to determine the retention period
Notes: The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from individuals, as per the above table and on the next slide. The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.

10 What information must be supplied?
Presenter: MF
Table columns: Obtained from individual / Not obtained from individual
- The existence of each of the data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of automated decision making, including profiling, and information about how decisions are made, the significance and the consequences
Notes: When should information be provided?
- If the data are obtained from the individual, the notice should be provided at the time the data are obtained.
- If not, the notice should be provided within a reasonable period of having obtained the data (within one month).
- If the data are used to communicate with the individual, the notice should be provided, at the latest, when the first communication takes place.
- If disclosure to another recipient is envisaged, the notice should be provided, at the latest, before the data are disclosed.

11 Individuals' rights
Presenter: JB
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision-making and profiling
Notes: As with the current regime, all the obligations are on organisations and all the rights are on individuals! The rights under the current regime will continue, but some will be enhanced, such as subject access, and some are new, such as profiling.

12 Subject access
Presenter: JB

13 Rectification, erasure and restriction
Presenter: JB

14 Objection to processing
Presenter: JB

15 Accountability Principle
Presenter: MF

16 Breach notification
Presenter: JB

17 Any questions?
Presenter: MF

18 Keep in touch
Scotland Office: 45 Melville Street, Edinburgh EH3 7HL
T: E:
Subscribe to our e-newsletter at or find us on… /iconews @iconews

