Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Protection Overview

Similar presentations

Presentation on theme: "Data Protection Overview"— Presentation transcript:

1 Data Protection Overview
Data Protection & Information Security Officer Background in IT Programmer/Analyst at Teesside CBC in 1970 Cleveland CC Project Leader, Systems Development Manager, Business Analyst RCBC Business Support - new role of Data Protection & Information Security Officer November 2002 Interest in Data Protection since pushing for current post since then - includes FoI, HRA, RIPA etc as well as DPA 1

2 Outline Reasons for/History of Data Protection Definitions
Data Protection Principles Rights of Data Subjects Data Subject Access Request Definitions of: The Information Commissioner; The Council The Data Subject; Personal Data; Sensitive Personal Data 2

3 Data Protection? Why? Ensure data relating to individuals are managed properly. Assure individuals that their data are managed properly. 3

4 Data Protection History
Data Protection Act 1984 only applied to data processed “by equipment operating automatically” Data Protection Act 1998 applies to data processed both by computer and manually. 1984 Act resulted from fear of what was being done with information on computer - mainly inaccuracy; credit agencies; security Never understood why only computerised Some organisations bypassed by using manual records 4

5 The Information Commissioner
Initially the Data Protection Registrar Subsequently the Data Protection Commissioner Now the Information Commissioner Registration Role Enforcement Role Registrar maintained a Register of Data Users and Computer Bureaux Commissioner basically the same but Register now of Data Controllers and Data Processors - later Information Commissioner because role extended to include responsibility for Freedom of Information Act 2000 as well as Data Protection Act 1998. Elizabeth France, former Home Office civil servant, 1994 Richard Thomas, formerly director of public policy at Clifford Chance 5

6 The Council Data Controller - determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data Processor - processes data on behalf of other data controllers. 6

7 Data Subject An individual who is the subject of Personal Data.
Only natural persons, not companies. Must be a living individual. 7

8 Personal Data Data which relate to a living individual who can be identified: from those data; OR from those data and other information which is in the possession of, or is likely to come into the possession of, the Council AND includes any expression of opinion about the individual and any indication of the intentions of the Council or any other person in respect of the individual. Name is personal data Photograph is personal data Address - even postcode - could be personal data - approx 450 postcodes in R&C for single address - approx 70 of them could identify individuals 8

9 Personal Data Information which
is being processed by means of equipment operating automatically in response to instructions given for that purpose OR is recorded with the intention that it should be processed automatically OR Information on a computer (or similar device) Information recorded manually prior to being put onto computer. 9

10 Personal Data Information which
is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system OR does not fall within the above but forms part of an accessible record (Health, Education or “accessible public records”) Relevant Filing System - one which is structured in such a way that specific information relating to a particular individual is readily accessible. Accessible Public Record - as far as RCBC is concerned, information held for any purpose of the authority's social services functions. 10

11 Personal Data “In practice, virtually any reference to an identifiable living individual may constitute personal data”. 11

12 8 categories of Sensitive Personal Data
The racial or ethnic origin of the data subject; His political opinions; His religious beliefs or other beliefs of a similar nature; Whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992); His physical or mental health or condition; 12

13 8 categories of Sensitive Personal Data
His sexual life; The commission or alleged commission by him of any offence; or Any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings. 13

14 Eight Data Protection Principles
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: at least one of the conditions in Schedule 2 of the DPA is met, and in the case of sensitive personal data, at least one of the conditions in Schedule 3 of the DPA is also met. Refer to notes on Schedule 2 Refer to notes on Schedule 3 14

15 Eight Data Protection Principles
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. When you ask for personal data tell people what they will be used for. Do not use data for a different purpose without checking that it is legal to do so. Don't ask for more or less data than are actually needed for the job in hand. Refer to Forms of Words. 15

16 Eight Data Protection Principles
Personal data shall be accurate and, where necessary, kept up to date. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data shall be processed in accordance with the rights of data subjects under the DPA. Make sure systems are in place to maintain accuracy - remove expressions of opinion which cannot be justified. Don't keep multiple copies. Don't keep manual data which conflicts with central files. Implement adequate records management which identified when data should be disposed of and how disposal should take place. Rights - later. 16

17 Eight Data Protection Principles
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Make sure that personal data are adequately protected from access by unauthorised people. Use passwords where appropriate. Lock cabinets etc. where necessary. Don't leave papers on desks. Make sure backup is adequate. 17

18 Eight Data Protection Principles
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Make sure appropriate legislation or "Safe Harbour" arrangements are in place. 18

19 Rights of Data Subjects
To be informed whether any personal data are being processed by the Council and, if so, what they are, the purposes and to whom data may be disclosed; To be informed of any potential decision based solely on automatic processing; To be provided with the data (in an intelligible form) and details of where they were sourced from. If people are told properly up front - e.g. on an application form - it is easy to refer them to that. See separate notes. Auto processing examples: Housing Benefits calculations; Job Evaluation. Make sure that systems are capable of producing reports which data subjects can read and show where the data were obtained from (e.g. application form, referral). 19

20 Data Subject Access Request
Any request by a data subject for access to information must: be in writing; be accompanied, where applicable, by the required fee. The Council has designed a Data Subject Access Application Form which asks that requests be sent to me at Eston Town Hall. We cannot insist on its use - or on delivery to the Town Hall. We can ask for information identifying the data subject and to locate the information. Cannot limit how much requested (though data subject can). Fee is £10 - waive in hardship cases (Chief Officer decides) and for ex children in care. 20

21 Data Subject Access Request
Must be responded to within 40 days - BUT No right to see third party data. Exemptions from requirement to provide information. Strict time limit for response - flowcharts of stages in Part 3 of Manual. Must be information at time of request. Third party data should normally be removed unless permission given - see separate notes. Can refuse vexatious requests (e.g. repeated) Certain exemptions - later. 21

22 Third Party Data File on data subject could contain information on others. Potential conflict between data subject’s right of access and third party’s right to privacy. 22

23 Third Party Data Can third party information be removed?
Will third party consent to disclosure? If no consent is it still reasonable to disclose? Is there a duty of confidentiality to the third party? Some statutory exemptions. Exemptions re Health, Social Work & Education are covered in statutory instruments. 23

24 Exemptions from Disclosure
Prevention/detection of crime. Apprehension/prosecution of offenders. Assessment/collection of tax/duty. Processing for the discharge of statutory functions. Assessment of risk in relation to the tax/duty & crime exemptions above. Para of Part 1 (pages 9-10). 24

25 Exemptions from Disclosure
Data relating to Health, Education & Social Work where the Secretary of State has made orders. Discharge of regulatory functions. References given (but not those received). Management forecasting/planning. 25

26 Exemptions from Disclosure
Records of the Council’s intentions in relation to negotiations with the data subject. Information recorded by exam candidates. Legal professional privilege. 26

27 Further Data Subject Rights
To have inaccurate data corrected or deleted; To prevent processing likely to cause damage or distress; To prevent processing for purposes of direct marketing; To prevent automated decision taking. Make sure that systems used are capable of operating as demanded by data subjects. Uncertainty regarding CRM systems - ensure anyway that systems only process data as sanctioned by the data subject. Clauses 10 to 12 27

28 Remedies & Compensation
Data subject may be able to claim compensation for damage or distress. Data subject may apply to court for an order for rectification, blocking, erasure or destruction. Data subject may apply to Information Commissioner for an enforcement notice. Clauses 13 & 14 28

29 Summary Obtain data properly in the first place.
Ensure data subjects know what & why. Record and process data properly. Keep data only as long as necessary - and dispose of properly. Ensure data are accessible to respond to access requests promptly. 29

30 Further Information Information Commissioner’s web site or The Council’s Data Protection & Information Security Manual 30

Download ppt "Data Protection Overview"

Similar presentations

Ads by Google