Data Protection Overview
Download
Report
Transcript Data Protection Overview
Data Protection
Overview
Data Protection &
Information Security
Officer
Outline
•
•
•
•
•
Reasons for/History of Data Protection
Definitions
Data Protection Principles
Rights of Data Subjects
Data Subject Access Request
Data Protection? Why?
• Ensure data relating to individuals are
managed properly.
• Assure individuals that their data are
managed properly.
Data Protection History
Data Protection Act 1984
• only applied to data processed “by
equipment operating automatically”
Data Protection Act 1998
• applies to data processed both by
computer and manually.
The Information Commissioner
Initially the Data Protection Registrar
Subsequently the Data Protection
Commissioner
Now the Information Commissioner
• Registration Role
• Enforcement Role
The Council
• Data Controller - determines the purposes
for which and the manner in which any
personal data are, or are to be, processed.
• Data Processor - processes data on behalf of
other data controllers.
Data Subject
• An individual who is the subject of Personal
Data.
• Only natural persons, not companies.
• Must be a living individual.
Personal Data
Data which relate to a living individual who
can be identified:
• from those data; OR
• from those data and other information which is
in the possession of, or is likely to come into
the possession of, the Council
• AND includes any expression of opinion about
the individual and any indication of the
intentions of the Council or any other person in
respect of the individual.
Personal Data
Information which
• is being processed by means of equipment
operating automatically in response to
instructions given for that purpose OR
• is recorded with the intention that it should
be processed automatically OR
Personal Data
Information which
• is recorded as part of a relevant filing
system or with the intention that it should
form part of a relevant filing system OR
• does not fall within the above but forms part
of an accessible record (Health, Education
or “accessible public records”)
Personal Data
“In practice, virtually any reference to an
identifiable living individual may constitute
personal data”.
8 categories of Sensitive Personal Data
• The racial or ethnic origin of the data subject;
• His political opinions;
• His religious beliefs or other beliefs of a similar
nature;
• Whether he is a member of a trade union (within
the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992);
• His physical or mental health or condition;
8 categories of Sensitive Personal Data
• His sexual life;
• The commission or alleged commission by him
of any offence; or
• Any proceedings for any offence committed or
alleged to have been committed by him, the
disposal of such proceedings or the sentence of
any court in such proceedings.
Eight Data Protection Principles
• Personal data shall be processed fairly and
lawfully and, in particular, shall not be
processed unless:
• at least one of the conditions in
Schedule 2 of the DPA is met, and
• in the case of sensitive personal data, at
least one of the conditions in Schedule
3 of the DPA is also met.
Eight Data Protection Principles
• Personal data shall be obtained only for one or
more specified and lawful purposes, and shall
not be further processed in any manner
incompatible with that purpose or those
purposes.
• Personal data shall be adequate, relevant and
not excessive in relation to the purpose or
purposes for which they are processed.
Eight Data Protection Principles
• Personal data shall be accurate and, where
necessary, kept up to date.
• Personal data processed for any purpose or
purposes shall not be kept for longer than is
necessary for that purpose or those purposes.
• Personal data shall be processed in accordance
with the rights of data subjects under the DPA.
Eight Data Protection Principles
• Appropriate technical and organisational
measures shall be taken against unauthorised
or unlawful processing of personal data and
against accidental loss or destruction of, or
damage to, personal data.
Eight Data Protection Principles
• Personal data shall not be transferred to a
country or territory outside the European
Economic Area, unless that country or
territory ensures an adequate level of
protection for the rights and freedoms of
data subjects in relation to the processing of
personal data.
Rights of Data Subjects
• To be informed whether any personal data
are being processed by the Council and, if
so, what they are, the purposes and to whom
data may be disclosed;
• To be informed of any potential decision
based solely on automatic processing;
• To be provided with the data (in an
intelligible form) and details of where they
were sourced from.
Data Subject Access Request
Any request by a data subject for access to
information must:
• be in writing;
• be accompanied, where applicable, by
the required fee.
Data Subject Access Request
Must be responded to within 40 days - BUT
• No right to see third party data.
• Exemptions from requirement to provide
information.
Third Party Data
• File on data subject could contain
information on others.
• Potential conflict between data subject’s
right of access and third party’s right to
privacy.
Third Party Data
• Can third party information be removed?
• Will third party consent to disclosure?
• If no consent is it still reasonable to
disclose?
• Is there a duty of confidentiality to the third
party?
• Some statutory exemptions.
Exemptions from Disclosure
•
•
•
•
Prevention/detection of crime.
Apprehension/prosecution of offenders.
Assessment/collection of tax/duty.
Processing for the discharge of statutory
functions.
• Assessment of risk in relation to the
tax/duty & crime exemptions above.
Exemptions from Disclosure
• Data relating to Health, Education & Social
Work where the Secretary of State has made
orders.
• Discharge of regulatory functions.
• References given (but not those received).
• Management forecasting/planning.
Exemptions from Disclosure
• Records of the Council’s intentions in
relation to negotiations with the data
subject.
• Information recorded by exam candidates.
• Legal professional privilege.
Further Data Subject Rights
• To have inaccurate data corrected or
deleted;
• To prevent processing likely to cause
damage or distress;
• To prevent processing for purposes of direct
marketing;
• To prevent automated decision taking.
Remedies & Compensation
• Data subject may be able to claim
compensation for damage or distress.
• Data subject may apply to court for an order
for rectification, blocking, erasure or
destruction.
• Data subject may apply to Information
Commissioner for an enforcement notice.
Summary
•
•
•
•
Obtain data properly in the first place.
Ensure data subjects know what & why.
Record and process data properly.
Keep data only as long as necessary - and
dispose of properly.
• Ensure data are accessible to respond to
access requests promptly.
Further Information
Information Commissioner’s web site
http://www.dataprotection.gov.uk or
http://www.informationcommissioner.gov.uk
The Council’s Data Protection & Information
Security Manual