Transcript Slide 1

Introduction to Data Protection
»






Plan
Brief Introduction to Data Protection
Example
Principles
P3, 4, 7
Sensitive Data
Conditions for Processing
Penalties
» Worked example
Introduction to Data Protection
 Data Protection is exciting
 Data Protection CAN be
exciting
 Should be boring
How DP can be “Exciting"
»
»
News release: 30 August 2013 www.ico.gov.uk
The Information Commissioner’s Office (ICO) has
served Aberdeen City Council with a monetary
penalty of £100,000
after a serious data breach resulted in sensitive
information relating to social services
involvement with several individuals being
published online. The information included
details relating to the care of vulnerable children.
»
The information was released after a council
employee accessed documents, including meeting
minutes and detailed reports, from her home
computer. A file transfer program installed on the
machine automatically uploaded the documents to a
website, publishing sensitive information about
several vulnerable children and their families,
including details of alleged criminal offences.
Principles
»
»
»
»
»
»
1) Fairly and lawfully processed
2) Processed only for limited and lawful purposes
3) Adequate Relevant, not excessive
4) Accurate
5) Not kept for longer than necessary
6) Processed in accordance with the rights of the
individual
» 7) Appropriate technical and organisational
measures are taken to keep data secure
» 8) Not transferred out of EU to Country without
adequate protection.
Principle 3: Personal data held for any purpose should be
adequate, relevant and not excessive in relation to the purpose or
purposes for which processed.
» This aims to ensure that personal data held is sufficient
for a specific purpose, but no more that that. Data
users should seek to ensure that personal data is not
recorded merely because there is a possibility that it
has a future use. The old adage “Knowledge is power”
has no place within data protection.
Principle 4: Personal data should be accurate and,
when necessary, kept up to date.
» Where it is necessary to keep personal information for some time it may
become out of date and inaccurate. In order to prevent this it is important
that systems are in place to review and update the information on a
regular basis.
» The consequences of using out of date personal information can be
enormous.
» inaccurate payments being made,
» correspondence sent to the wrong address,
» confidential personal information being wrongly disclosed to a third
party etc.
» claims for compensation or enforcement action or prosecution
proceedings being instituted by the Information Commissioner.
Principle 7 Appropriate technical and organisational measures are
taken to keep data secure
» Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
» This principle requires the data controller to ensure that it has security
measures in place to avoid loss, damage or destruction to data. Also the
Act sets out specific considerations for ensuring security
» Organisational responsibilities include items such as Firewall, GCSX
Training etc
» Personal responsibility Appropriate method of sending appropriate
relevant information – Care for the information you hold & use
Conditions Relevant for Processing Personal Information
»
Que does Data Protection stop you sharing personal information?
»
»
»
»
»
Schedule 2 – Any personal data
1 – The data subject has given consent.
2 - The processing is necessary –
a)
For the performance of a contract to which the data subject is a party; or
a)
For the taking of steps at the request of the data subject with a view to entering into a
contract.
»
»
»
»
»
»
»
3 – The processing is necessary to comply with any legal obligation to which the data controller
is subject, other than an obligation imposed by contract.
4 – The processing is necessary in order to protect the vital interest of the data subject.
5 – The processing is necessary –
a)
For the administration of justice; or
b)
For the exercise of any function conferred by or under any enactment; or
c)
For the exercise of any functions of a government department; or
d)
For the exercise of any other functions of a public nature exercised in the public
interest.
6 – The processing is necessary for the purposes of legitimate interests pursued by the data
controller or by the third party or parties to whom the data are disclosed, except where the
processing is unwarranted in any particular case by reason of prejudice to the rights and
freedoms or legitimate interest of the data subject.
s2 Sensitive Data
» “SENSITIVE PERSONAL DATA” means personal data consisting of
information as to—
» (A)THE RACE or ETHNICITY,
» (B)POLITICAL OPINIONS,
» (C)RELIGIOUS BELIEFS OR OTHER BELIEFS OF A SIMILAR NATURE,
» (D)WHETHER HE IS A MEMBER OF A TRADE UNION
» (E)HIS PHYSICAL OR MENTAL HEALTH OR CONDITION,
» (F)HIS SEXUAL LIFE,
» (G)THE COMMISSION OR ALLEGED COMMISSION BY HIM OF ANY
OFFENCE, OR
» (H)ANY PROCEEDINGS FOR ANY OFFENCE COMMITTED OR
ALLEGED TO HAVE BEEN COMMITTED BY HIM, THE DISPOSAL OF
SUCH PROCEEDINGS OR THE SENTENCE OF ANY COURT IN SUCH
PROCEEDINGS.
SCHEDULE 3 - Conditions necessary for processing sensitive personal
information
1 – The data subject has given his/her explicit consent.
2 – The processing is necessary to perform legal obligations and rights in the context of
employment.
3 (a) – The processing is necessary to protect the vital interests of the data subject or another
person where consent cannot be given or the data controller cannot reasonably be expected to
obtain consent.
(b) – The processing is necessary to protect the vital interests of another person where consent
has been unreasonably withheld by the data subject.
4 – The processing is carried out by certain non-profit making bodies and relates to their members.
5 – The information has been made public as a result of steps deliberately taken by the data
subject.
6 – The processing –
» a)
Is necessary for the purposes of legal proceedings; or
» b)
It is necessary for the purpose of obtaining legal advice; or
» c)
Is otherwise necessary for establishing exercises or defending legal rights.
7 – The processing is necessary » a)
For the administration of justice; or
» b)
For the exercise of any functions conferred by or under any enactment; or
» c)
For the exercise of any functions of a government department
8 – The processing is necessary for medical purposes and undertaken by a health professional or by
a person who has a similar duty of confidentiality.
9 – The processing of information as to racial or ethnic origin and is necessary for equality
monitoring purposes.
MUST be able to fulfil one condition from schedule 2 & 3
Penalties
» Fines up to £500,000
» Public Undertaking note signed by Data Controller
» Enforcement notices
» Read the enforcement notices and ‘stop now’ orders we have
issued to organisations in breach of the legislation, requiring them
to take specified steps in order to ensure they comply with the law.
» Prosecutions
» Details of the criminal prosecutions under the legislation.
Cautionary Tales
»
Customer given access to another customer’s data. Basic checks were not carried out
»
• Key fobs attached to memory sticks with the passwords written on. Passwords are used
to protect data from unauthorised access. P7
»
• Personal information emailed to the wrong people/groups. This has happened on
numerous occasions. Adequate checks were not carried out when selecting the recipient
from the address book. Other authorities have incurred fines for similar breaches…..P7
»
• User id shared with a family member who carried out work on their behalf..
Disciplinary action was taken against the employee. P7, P1, P6
»
• Disc containing personal data lost. The chain of custody was not maintained meaning no
one officer had responsibility for the disc. P7 etc
»
• Envelope incorrectly addressed resulting in personal data being sent to the wrong
address. Other authorities have incurred fines for similar breaches.