Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audiences NI Data Protection Workshop

Similar presentations

Presentation on theme: "Audiences NI Data Protection Workshop"— Presentation transcript:

1 Audiences NI Data Protection Workshop
Rachael Gallagher Senior Policy Officer Information Commissioner’s Office 2 December 2014 40 minutes 12:15 -> 12:55

2 Welcome Information session 1 – Introduction to Data Protection
Comfort break Information session 2 - Data sharing Case study Questions Close

3 An Introduction to Data Protection
40 minutes 12:15 -> 12:55

4 Information Session 1 About the ICO
Key Definitions of the Data Protection Act Data Protection Principles What must I do to comply? What happens if we don’t comply? Learn from others what not to do

5 About the ICO Advice and Guidance Audit and Advisory Visits
Assess concerns Enforcement Powers

6 Personal Data Personal data is not just a person’s name
It is any information that relates to or identifies a person and: Is held on a computer Is intended to be held on computer Forms part of a ‘relevant filing system’ Forms part of an ‘accessible record’ (information relating to health or education)

7 Sensitive Personal Data
Racial/ethnic origin Political opinion Religious belief Trade Union membership Physical/mental health Sexual life Commission of criminal offence Proceedings for any offence/alleged offences

8 Key Definitions Data subject is the person who the information is about e.g.) customer Data controller is the person who makes decisions with the information Data processor handles the information under the instruction of the controller e.g.) staff members

9 Data Protection Principles
The DPA is underpinned by a set of eight straightforward, common sense principles that organisations should follow. They state that personal data should be: 1) Processed fairly and lawfully 2) Processed for limited purposes 3) Adequate, relevant and not excessive 4) Accurate and up to date 5) Kept for no longer than necessary 6) Processed in accordance with the rights of individuals 7) Kept secure 8) Transferred outside the EEA only with adequate protection

10 Principle 1 – Fairly and Lawfully Processed
Be fair to individuals by using a ‘Privacy Notice’ which explains: Who you are What you are going to do with their information Any other information which would make it fair Make sure you do not do anything unlawful with personal information Meeting one or more ‘Conditions’ to use personal information Consent (explicit consent for sensitive personal data) Legal obligation Performance of a contract

11 Principle 2 – Processing for Limited Purposes
Be clear why you need the information and what you intend to do with it Communicate to individuals what you intend to do with their information Ensure any new uses for the information are fair

12 Principle 3 –Adequate, Relevant and not Excessive
Only collect and hold the personal information you need Be clear about why you need the information Do not hold information ‘just in case’ Hold the right amount of information

13 Principle 4 –Accurate and Up to Date
Take steps to ensure personal information is accurate and up to date Ask individuals to advise you if their details change Consider whether it is necessary to update the information

14 Principle 5 – Not held for longer than is Necessary
Regularly review the personal information to determine if you still need it Establish retention periods for different types of information No minimum or maximum time frame Retention period depends on business/legal need

15 Principle 6 – Data Subject’s Rights
The right to access personal information The right to object to processing likely to cause damage or distress The right to prevent direct marketing The right to apply to a court to have information rectified, blocked, erased or destroyed The right to compensation

16 Rights as an Individual to Access Personal Data
The right of subject access Ask for a copy of personal information Be provided with the information within 40 calendar days In writing either by letter or A fee of up to £10 can be charged for dealing with a request

17 Individual right to object to direct marketing
You must stop any promotional activity directed at an individual if they write and ask you to stop You must stop within a ‘reasonable period’ Marketing electronically? You will also have to comply with Privacy and Electronic Communications Regulations 2003 (PECR)

18 Principle 7 - Security You should have security that is appropriate to the - Nature of the information You should consider IT Cost Assess the risk Information stored electronically/manually Homeworkers, staff who work outside the office

19 Think about Security Staff Training
Policies on data protection, homeworking, IT Physical security Sending information by post/fax/ ? Quality of doors, locks, alarm systems, CCTV Supervising visitors Disposal of confidential waste Computer security (including mobile, removable devices) Anti-virus and anti-malware Encryption & password protection

20 Principle 8 -Transfer outside of EEA
Personal information should only be transferred outside the EEA where there is ‘adequate protection’ Particularly relevant to cloud computing

21 Privacy and Electronic Communication Regulations 2003
Electronic marketing and cookies Explicit consent or soft opt-in Soft opt-in: Contact details of the recipient obtained in the course of a sale or negotiations for the sale of a product or service to that recipient; marketing material relates to your similar products and services only; and the recipient is given chance of opting out with each communication

22 Think W3 Limited Think W3 Limited, the online travel company was served with a £150,000 monetary penalty after a hacker extracted a total of 1,163,996 credit and debit card records. Cardholders details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed.

23 Department of Justice (NI)
A monetary penalty notice of £185,000 was served on the Department of Justice (NI) after a cabinet containing details of a terrorist incident was sold at auction.

24 Comfort Break 40 minutes 12:15 -> 12:55

25 Data Sharing

26 Data Sharing An organisation providing information to a third party
Systematic or ‘one-off’ data sharing Establish the data controller Comply with the Data Protection Principles Data Sharing Code of Practice

27 Considerations Principle 1: Fair and lawful Privacy notice
Condition for processing Principle 6: Data subjects rights Right to object to direct marketing Subject access rights Principle 7: Kept secure Appropriate technical and organisational measure Compliance with PECR if marketing electronically

28 Case Study

29 Useful guidance The Guide to Data Protection
Privacy Notices Code of Practice The Guide to the Privacy and Electronic Communication Regulations 2003 The Subject Access Code of Practice

30 Questions

31 Keep in touch Information Commissioner’s Office
3rd Floor, 14 Cromac Place, Gasworks,  Belfast BT7 2JB. Tel: /   Subscribe to our e-newsletter at or find us on…

Download ppt "Audiences NI Data Protection Workshop"

Similar presentations

Ads by Google