Women’s Aid The Data Protection Act: It is the Law

Transcript

Local Government Reform and Compliance with the DPA
Ken Macdonald
Assistant Commissioner (Scotland & Northern Ireland)
Information Commissioner’s Office
2 December 2014
Contents
• Local Government Reorganisation
• Data Protection Principles
• Meeting the Principles
Local Government Reorganisation
[Diagram] Existing Councils, each with their existing powers, are merged into a new organisation: the Super Council.
Local Government Reorganisation
[Diagram] Powers transferred to the new organisation (the Super Council):
• Planning
• Urban Regeneration / Community Development
• Historical Buildings
• Off-street Parking
• Community Planning
• Housing Regulation
• Economic Development & Tourism
Data Protection Principles
The DPA is underpinned by a set of eight straightforward, common-sense principles that organisations should follow. They state that personal data should be:
1) Processed fairly and lawfully
2) Processed for specified purposes
3) Adequate, relevant and not excessive
4) Accurate and up to date
5) Held for no longer than is necessary
6) Processed in accordance with the rights of individuals
7) Kept secure
8) Transferred outside the EEA only with adequate protection
Principle 1 – Fair and Lawful Processing
Personal data shall be processed fairly and lawfully
• Register with the ICO
• Inform service users of the forthcoming change, and again after reorganisation
• Have Retention and Disposal Schedules approved
Principle 2 – Processing for Specified Purposes
Personal data shall be obtained only for one or more specified
and lawful purposes, and shall not be further processed in any
manner incompatible with that purpose or those purposes.
• Review Privacy Policies
• Integrate where appropriate
• Ensure any new uses for the information are fair
Principle 3 – Adequate, Relevant and Not Excessive
Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are
processed.
• Undertake a data audit
• Review need
• Dip sample, where appropriate
Principle 4 – Accurate and Up to Date
Personal data shall be accurate and, where necessary, kept up
to date.
• Take appropriate steps to ensure accuracy
• Test new integrated systems with dummy data
• Ensure records are up-to-date where necessary
• Dip sample
Principle 5 – Hold for No Longer than is Necessary
Personal data processed for any purpose or purposes shall not
be kept for longer than is necessary for that purpose or those
purposes.
• Use the opportunity to weed systems
• Consider statutory and business requirements
• Prepare revised and extended Retention & Disposal
Schedules
Principle 6 – Process in Accordance with the Data Subject’s Rights
Personal data shall be processed in accordance with the rights
of data subjects under this Act.
• Be aware of what information is held
• Consider issues around processing likely to cause damage or
distress
• Stop direct marketing if requested. Abide by PECR for
electronic marketing
• Put policies and procedures in place
Principle 7 – Security
Appropriate technical and organisational measures shall be
taken against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or damage
to, personal data.
• Secure disposal and/or transfer to new authority
• Data/system compatibility
• Encryption of all mobile devices
• Home/mobile working policies
Principle 8 – Transfer outside of the EEA
Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or
territory ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the processing of
personal data.
• If using cloud computing, ensure the servers on which the data is stored are located within the EEA
All Principles: Learn from others (what not to do)
Department of Justice (NI)
£185,000
A monetary penalty notice of £185,000 was served on the
Department of Justice (NI) after a cabinet containing details of
a terrorist incident was sold at auction.
London Borough of Lewisham
£70,000 CMP (civil monetary penalty)
A CMP of £70,000 was imposed on the Council after a social
worker left sensitive documents in a plastic shopping bag on a
train, after taking them home to work on. The files, which
were later recovered from the rail company’s lost property
office, included GP and police reports and allegations of sexual
abuse and neglect.
Aberdeen City Council
£100,000 CMP
A council employee inadvertently uploaded four documents containing sensitive personal information about children and families onto the internet whilst home-working using an infected second-hand PC. A home working and data protection policy was in place at the time of the breach, but the technical measures to assist staff to adhere to it were not provided. The Council was fined £100,000.
Contact us:
ICO
3rd Floor
14 Cromac Place
Belfast
BT7 2JB
0303 123 1114
[email protected]
www.ico.org.uk