Presentation on theme: "The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010."— Presentation transcript:
The ICO and the DPA Ken Macdonald Assistant Commissioner Information Commissioner’s Office ScotStat Public Sector Analysts Network 30 th September 2010
Contents The Information Commissioner The Data Protection Act The Commissioner’s Powers
The Information Commissioner Appointed by the Crown Independent, but sponsored by the MoJ Period of Office is 5 years Current Commissioner is Christopher Graham (appointed 2009)
The ICO – our organisation Head Office: Wilmslow, Cheshire Regional Offices: Belfast, Cardiff, Edinburgh C 350 Staff (4 in Edinburgh !!)
The ICO – what we regulate Data Protection Act 1998 Privacy & Electronic Communications Regs 2003 Freedom of Information Act 2000 Environmental Information Regulations 2004
The ICO – what we don’t regulate Freedom of Information (Scotland) Act 2002 Environmental Information (Scotland) Regulations 2004 Kevin Dunion The Scottish Information Commissioner
The ICO – what we do Promote the legislation Influence public policy Resolve complaints Maintain the register of data controllers Prosecute offenders
Personal data must be: fairly and lawfully processed processed for specified purposes adequate, relevant and not excessive accurate and up-to-date not kept for longer than is necessary processed in line with individual rights kept secure not transferred to countries without adequate protection The Data Protection Act
Fair and Lawful Processing (1) Vires For example: Local Government (Scotland) Act 1973 Local Government in Scotland Act 2003 Fair Processing Transparency Code of Practice on Privacy Notices (June 2009)
Fair and Lawful Processing (2) Personal Data: Consent Contract Legal obligation Vital interests Public function Legitimate interest of data controller Sensitive Personal Data: Explicit consent Employment law Vital interests Membership of various not-for- profit groups Already in public domain Legal proceedings/advice Public functions Medical purposes Equal Opps Monitoring Substantial public interest (SI2000/417)
S33 - The Research Exemption (1) In this section— “research purposes” includes statistical or historical purposes; “the relevant conditions”, in relation to any processing of personal data, means the conditions— (a) that the data are not processed to support measures or decisions with respect to particular individuals, and (b) that the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.
S33 - The Research Exemption (2) For the purposes of the second data protection principle, the further processing of personal data only for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which they were obtained. (3) Personal data which are processed only for research purposes in compliance with the relevant conditions may, notwithstanding the fifth data protection principle, be kept indefinitely.
S33 - The Research Exemption ( 4) Personal data which are processed only for research purposes are exempt from section 7 if— (a)they are processed in compliance with the relevant conditions, and (b)the results of the research or any resulting statistics are not made available in a form which identifies data subjects or any of them.
S33 - The Research Exemption (5) For the purposes of subsections (2) to (4) personal data are not to be treated as processed otherwise than for research purposes merely because the data are disclosed— (a)to any person, for research purposes only, (b)to the data subject or a person acting on his behalf, (c)at the request, or with the consent, of the data subject or a person acting on his behalf, or (d)in circumstances in which the person making the disclosure has reasonable grounds for believing that the disclosure falls within paragraph (a), (b) or (c).
The DPA – Breaches Failure to comply with the Principles May lead to an investigation by the ICO Serious breaches may result in enforcement action
The DPA – Offences Unlawfully obtaining or disclosing personal data Selling of personal data Failure to notify / notify changes Failure to comply with a Notice from the Commissioner Reckless breach of the data protection principles
How to get it right Speak to your DPO Read the ICO guidance Consult with the ICO Treat others’ personal data as you would your own
Contact details The Information Commissioner’s Office 93-95 Hanover St EDINBURGH EH2 1DJ 0131 301 5071 email@example.com www.ico.gov.uk