1 Data Protection & Confidentiality Young Carers Workers Conference, Harrogate, 25 March 2009 Paul Ticher


1 Data Protection & Confidentiality
Young Carers Workers Conference, Harrogate, 25 March 2009
Paul Ticher
paul@paulticher.com

2 What is Data Protection about?
Prevent harm to the individuals whose data we hold, or other people (How?)
Reassure people that we use their information responsibly, so that they trust us (How?)
Comply with specific legal requirements (Such as?)

3 This presentation covers:
The Data Protection Principles
Confidentiality & Security
Accuracy & data quality
Transparency
Choice
Data sharing
Acting for others
Resources

4 Data Protection: the absolute basics
We are trying to:
Prevent harm by
– Keeping data only in the right hands
– Holding good quality data (accurate, up to date and adequate)
Allay concerns and show respect by
– Making sure people know enough about what we are doing
– Giving people a choice where possible

5 Additional material
The definition of Personal Data
Subject Access
Data Controller
Data Processor
Redress

6 The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

7 Transparency and Choice
Principle 1 says that any organisation must be fair and legal in the way it uses personal data. This includes making sure that people know about what their information is being used for and who it is being passed on to. It also means having a good reason for what is being done, and in some cases giving people a choice.
Principle 2 says that information must be obtained for specific purposes, and must not be used for anything else.

8 Good Quality Data
Principle 3 says that information must be adequate, relevant and not excessive.
Principle 4 says that information must be accurate and up to date.
Principle 5 says that information must not be kept longer than necessary.

9 Looking after People
Principle 6 says that every organisation must respect the rights of individuals. This includes the right to a copy of the data being held, and the right to opt out of marketing.
Principle 7 says that there must be adequate security to protect data against unauthorised access, and against accidental loss or damage.
Principle 8 says that data must not be sent abroad without adequate protection.

10 Personal data
The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about: identifiable, living individuals
The data part means that it is recorded:
– on a computer or automated system
– in a ‘relevant filing system’
– with the intention of going into one of these systems
Data can include pictures and other information as well as text. It includes e-mails as well as information in files and on the database.

11 Data Protection
Confidentiality
Clear boundaries
Data Protection and Confidentiality overlap a lot, but they are not the same.

12 You could be breaking the law if you don’t respect confidentiality
It is a criminal offence:
‘Knowingly or recklessly’ to access data you are not authorised to access.
‘Knowingly or recklessly’ to allow another person unauthorised access.
This means, for example:
Don’t share your computer access details.
Don’t poke around to look at personal information you know you are not supposed to see.

13 Security (Principle 7)
Security is about ensuring that the boundaries set by your confidentiality policies are protected, so that information does not fall into the wrong hands.
The Data Protection Act says you must prevent:
– unauthorised access to personal data
– accidental loss or damage of personal data
The security measures must be appropriate.
They must also be technical and organisational.

14 Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
Adequate
Relevant
Not excessive
Accurate
Up to date (where necessary)

15 How to ensure data quality
Key points include:
When you obtain data from clients or others, you are responsible for accuracy and data quality: ask the right questions.
Be particularly careful when you are writing things in your own words: the information must be accurate and relevant.
Don’t use old data that might be out of date. Check it first.

16 ‘Fair’ processing (Principle 1): Transparency
One part of being fair to people is to make sure they have no unpleasant surprises when you use data about them.
This means you must always think whether you need to tell them anything about:
– who is collecting their information
– what purposes you hold their data for
– who you might pass the data on to
– how to contact you if they want to stop you from using their data or check what you are doing

17 ‘Fair’ processing (Principle 1): Choice
The other important part of being fair is to give people a reasonable choice over how their information is used.
Choices can be:
– Opt out (we’ll do it unless you say ‘no’)
– Opt in (we’ll only do it if you say ‘yes’)
It is important to be clear about what choices are offered, to record them carefully, and to ensure that they are acted on.

18 Direct Marketing
If you are going to use people’s information for direct marketing you must tell them – Principle 2 says you must specify your purpose(s). (What is Direct Marketing?)
They may ‘require’ you in writing to stop.
If someone says ‘stop sending me stuff’ or ‘stop sending a particular type of stuff’ you must do as they ask.

19 Preventing harm
Keep information only in the right hands
Hold accurate, good quality data

20 Allaying concerns & showing respect
Be transparent – open and honest, don’t hide things or go behind people’s backs
Offer people a reasonable choice over how you use their data, and what for

21 Legal obligations
Right to opt out of direct marketing
Right of Subject Access
(And others)

22 Data Controller
The ‘person’ legally responsible for complying with the Data Protection Act
Can be an individual, but usually the organisation. (Staff & volunteers are ‘agents’ of the Data Controller.)
A trading company, even wholly owned, would be a separate Data Controller
Two or more organisations can be joint Data Controllers of the same data

23 Data Processor
An organisation to which work is outsourced, where that work involves accessing Personal Data
The Data Controller remains responsible for what happens to the data, and must be satisfied with the Data Processor’s security
There must be a written contract with the Data Processor, setting out what they are to do

24 Subject Access
The Data Controller must provide a permanent, intelligible copy of pretty much all the personal data held about that Data Subject
The Data Subject may limit the request if they choose
The Data Controller may withhold third party material, especially if any duty of confidentiality is owed (and limited amounts of other material)
The Data Controller may charge up to £10
The information must be provided within 40 calendar days

25 Acting for others
Everyone has their own individual Data Protection rights, but may have someone else act on their behalf
To act on someone’s behalf you must be authorised:
– through having parental responsibility
– directly by the person (as long as they have the capacity)
– under the Mental Capacity Act 2005 (or its Scottish equivalent)
In Scotland children are expected to be able to exercise their own Data Protection rights from the age of 12
In England and Wales, it depends on the particular child’s capacity to understand

26 Redress if things go wrong
An individual can ask for an ‘assessment’ by the Information Commissioner of whether Data Protection has been breached
They can go to court to get wrong information corrected, deleted or clarified
They can get compensation for any harm (and associated distress)
The court can also prevent processing that causes someone substantial harm
The court can enforce Subject Access

27 Relevant filing system
This is defined as: a set of information [not held on computer] structured so that specific information relating to a particular individual is readily accessible

28 Direct marketing definition
The Data Protection Act is not very helpful. It defines Direct Marketing as:
‘[Unsolicited] communication by whatever means [of advertising or marketing material] directed to the Data Subject’
This probably means any unsolicited contact that asks people to do something for your benefit (even if they get something in return)

29 Data sharing
Most work on data sharing being done by and for statutory agencies
Part of the government agenda
Must comply with all eight Data Protection Principles
Could result in changes to legislation, to put data sharing on a clearer footing

30 Principle 1
Must be legal: statutory agencies need vires
Legal duty of confidentiality may prevent
Data Subjects must normally know about the sharing
Must meet one of the “conditions”: consent or another legitimate basis

31 Conditions for fair processing
With consent of the Data Subject (“specific, informed and freely given”)
For a contract involving the Data Subject
To meet a legal obligation
To protect the Subject’s ‘vital interests’
Government functions
In your ‘legitimate interests’ provided the Data Subject’s interests are respected

32 Principle 2
Purpose behind the sharing must be specified, normally when the data is collected
Precautions must be taken against “function creep” once the data is held

33 Principles 3, 4 & 5
How is consent, etc, recorded?
Who is responsible for accuracy and for updating?
Who decides what information is relevant?
How will partners be informed if data needs correcting or updating?
Who is responsible for destruction, and will all partners retain data for the same time?

34 Principle 6
Right of Subject Access
– Who handles requests?
– How are Data Subjects informed of the right of access?
– Who decides what to withhold (see also FoIA)?
Right to restrict harmful processing
– Only available if processing is under Condition 5 (public functions) or 6 (legitimate interests)

35 Confidentiality
Define the boundaries: who has access to what information for what purposes
Be clear when it might not be maintained
Does everyone (client, staff, etc.) understand the same thing?
Criminal penalties for unauthorised breach
Security = how you protect the boundaries you have set

36 Principle 7
Common understanding of what access is authorised
Consistent approach
Monitoring & checking
Procedure for reporting breaches
Care over transmission of data

37 Resources: Data Protection & Fair processing
Data Protection:
Information Commissioner, www.ico.gov.uk, 01625 545700
Ministry of Justice, www.justice.gov.uk
DirectGov, www.direct.gov.uk
paul@paulticher.com
Fair processing:
Information Commissioner draft code of practice on fair processing
– www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/ico_privacy_notes_cop.pdf

38 Resources: Data sharing & young people
Information Commissioner framework code of practice on data sharing
– www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/pinfo-framework.pdf
Independent data sharing review
– www.justice.gov.uk/reviews/datasharing-intro.htm
Old material from Department for Constitutional Affairs (now Ministry of Justice)
– www.dca.gov.uk/foi/sharing/toolkit/infosharing.htm
Children’s Legal Centre (www.childrenslegalcentre.com): material which may be relevant includes
– Offering children confidentiality: law and guidance (£3)

