TRANSCRIPT
© 2012 Morgan Cole LLP Expertise | Experience | Efficiency | Contribution
11th October 2012
Avoiding Data Protection pitfalls when collecting Equality Information
Mererid McDaid, Associate
Equality Act 2010
• Section 149(1) provides that a public authority must, in exercising its functions, have due regard to:
  • eliminating conduct prohibited by the Act
  • advancing equality of opportunity
  • fostering good relations between persons
• Welsh Ministers prepared Regulations for the purpose of better performance of the general duty
• Application to Housing Associations
The Regulatory Framework
• Published 2 December 2011
• Purpose:
  “Delivering high quality services – providing services that meet people’s needs and expectations…”
• Governance & Financial Management:
  “We place the people who want to use our service at the heart of our work…”
  “Our activities and services reflect the diversity of the communities where we operate, are free from discrimination and promote equality of opportunity”
What is equality monitoring data?
• Likely to include the following details:
  • Name
  • Address
  • Details of any dependants
  • Details of any illnesses or other health issues
• Could also include data relating to:
  • Age
  • Disability
  • Gender reassignment
  • Marriage and civil partnership
  • Race
  • Religion or beliefs
  • Sex
  • Sexual orientation
• All of these are ‘protected characteristics’
Equality Data and Personal Data (1)
• Data collected is likely to be “personal data”
• Personal data is defined as:
  • Information in electronic format, or in tightly structured manual files, that relates to identifiable living individuals
  • This also includes cases where an individual can be identified from context, or where the information can be linked with other information that allows an individual to be identified
Equality Data and Personal Data (2)
• Data may also be “sensitive personal data”
• Sensitive personal data is defined as data about:
  • racial or ethnic origin
  • political opinions
  • religious (or similar) beliefs
  • trade union membership
  • physical or mental health
  • sexual life
  • commission or alleged commission of a criminal offence
  • prosecution for alleged offences
What activities are covered by the DPA?
Any and all handling of personal data, e.g.:
• Recording
• Copying
• Sharing
• Disclosing (including verbally)
• Emailing
• Faxing
• Updating
• Retrieving
• Storing
• Destroying
• Reading
• Organising or rearranging
Data Collection and DPA
• If collecting equality data, a Housing Association will:
  • collect
  • analyse, and
  • possibly, publish data
• This is therefore “processing” for the purposes of the DPA
Impact of DPA
• Anyone who processes personal information must comply with the eight key principles
• Failure to do so can result in enforcement action, including penalties being imposed
• Other possible consequences include:
  • losing the confidence of your tenants and other stakeholders
  • reputational risk
Data Protection Principles
Personal Data must be…
• handled fairly and lawfully
• used for specified purposes
• adequate, relevant and not excessive
• accurate and up to date
Personal Data must…
• not be kept for longer than necessary
• be handled in accordance with individual rights
• be handled securely
• not be transferred to a country outside Europe unless there is adequate protection for privacy
Principle 1: Handling data fairly
• All personal data must be processed “fairly and lawfully” and for specified purposes
• What does this mean?
Handling data fairly
• Individuals must be told about your use of their data:
  • who is responsible for looking after their data
  • why their data is being collected and used
  • any other relevant information:
    • anything else that might surprise them about the use of their data
    • anything you feel they should know about, especially if they might wish to object, e.g. whether the data will be shared with others, used for marketing, or handled abroad
    • whether you are planning to use their details (especially email addresses and mobile numbers) for promotional or marketing purposes
Handling data fairly
• You don’t always need consent to use personal data, but if you have made promises about the way you will use it, it will be unfair to then use it in a different way without going back to the individual, e.g.:
  “We will only use your mobile number so we can contact you in an emergency”
• It would then be unfair to use mobile numbers for routine calls or to send promotional text messages
Handling data fairly
• Personal Data must be handled “lawfully”
• Personal data that has been supplied to you in confidence must be treated in confidence
• Otherwise there will be a breach of the DPA as well as a breach of confidence
Confidentiality
• Certain information is “confidential” if it is supplied and received with the understanding that it should be kept private
• Individuals can bring legal action if their confidential information is disclosed without consent
• Confidential information can be disclosed in exceptional cases if necessary in the public interest, e.g. to save life and limb or to expose wrongdoing
What may people expect you to treat as confidential?
• Name, address and telephone number
• Date of birth
• Personal circumstances, including employment
• Their involvement with other agencies
• Financial circumstances
• Medical circumstances
• Information about other household members
• Racial or ethnic origin
• Religion
• History of criminal offences
• Any other information that they specifically say is being provided in confidence
Fair handling
• In addition to any duty of confidentiality, personal data should be “processed” only if one of the following six conditions applies
• Remember this applies every time you use personal data for any purpose at all
Personal Data: Schedule 2 condition
• Consent
• Processing necessary for the performance of a contract
• Processing necessary to comply with a legal obligation
• Processing necessary to protect vital interests
• Processing necessary for the exercise of statutory/public functions
• Processing necessary for legitimate interests, provided there is no unwarranted interference with the rights and freedoms of the individuals concerned
Sensitive Data: Schedule 3 condition
• If handling sensitive personal data, you must also satisfy a condition in Schedule 3, which include:
  • explicit consent
  • necessary for the purpose of any statutory functions
  • necessary for identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial/ethnic origins, with a view to promoting or maintaining equality, and carried out with appropriate safeguards
Fair handling
• Information should be used only for specified purposes and not for any “incompatible purpose” (unless an exemption applies)
• Exemptions:
  • prevent/detect crime
  • carry out serious internal investigations
  • obtain legal advice, deal with legal proceedings
Fair Processing Information
• If sensitive personal data is being collected and is to be processed on the basis of consent, the fair processing notice should be written in such a way that explicit consent to processing is obtained
Torbay Care Trust (1)
• Served a Civil Monetary Penalty (CMP)
• Online publication of sensitive personal data collected in connection with the Trust’s duties under EA 2010
• Information collected by a staff survey was stored on the Trust’s electronic staff records system
• The workforce development team was then asked to supply information from the system for the purpose of publishing equality data
Torbay Care Trust (2)
• An Excel spreadsheet was prepared containing details of 1,373 staff, including names and DOB, NI numbers and sensitive personal data such as:
  • race
  • religious beliefs
  • disability, and
  • sexual orientation
• Published on the Trust’s website and remained online for 19 weeks until a member of the public made the ICO aware of the document
Torbay Care Trust (3)
• ICO investigation found:
  • no guidance for staff on what information should not be published online
  • the Trust had failed to put in place adequate checks to identify potential problems
  • the ICO considered the breach extremely serious because of the large number of employee records involved and the sensitive and confidential nature of the personal data
• Served a CMP of £175,000
Good practice (1)
• Make data protection statements on monitoring forms easy to understand and include:
  • what the information is going to be used for
  • whether the information will be shared and, if so, with whom
• Be clear about the reasons for monitoring, in particular whether individuals are obliged to provide information for monitoring
• If publishing information, anonymise the results (and critically review them)
• Tell individuals of their rights under the DPA
• Make sure the information collected is accurate and kept up to date
Good practice (2)
• Periodically review the information collected to ensure it is still needed for monitoring purposes
• Develop a policy on how long information will be kept for
• Assess what appropriate security measures are required to ensure the information is kept secure
• Make sure that only staff who need to view the information collected are able to gain access, and ensure such staff are appropriately trained
• Make sure information is disposed of securely when it is no longer needed
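The Torbay slides describe a published spreadsheet that still carried names, dates of birth and NI numbers, and the good practice slides call for anonymising results and checking them before publication. The following Python is an added example (not from the presentation or Morgan Cole) of such a pre-publication check: it refuses an extract that still contains direct-identifier columns, and otherwise publishes only aggregate counts per protected characteristic, suppressing small cells so that individuals cannot be singled out. The column names, the minimum cell size of 5 and the sample records are constructed assumptions.

```python
# Added example: pre-publication check for equality monitoring data.
# All column names, thresholds and records below are constructed for illustration.
from collections import Counter

# Columns that must never appear in a published extract (direct identifiers).
DIRECT_IDENTIFIERS = {"name", "date_of_birth", "ni_number", "address", "email", "staff_id"}

# Protected characteristics that may be published only as aggregate counts.
CHARACTERISTICS = ("race", "religion", "disability", "sexual_orientation")

# Cells with fewer respondents than this are suppressed (assumed threshold).
MIN_CELL_SIZE = 5

# Constructed sample survey records; every name and NI number is fictitious.
RECORDS = [
    {"name": "Staff %d" % i, "ni_number": "XX%06dX" % i,
     "race": "White" if i < 9 else "Asian",
     "religion": "None",
     "disability": "Yes" if i < 2 else "No",
     "sexual_orientation": "Heterosexual" if i < 10 else "Gay"}
    for i in range(12)
]

def find_direct_identifiers(records):
    """Return the identifier columns present in the extract (sorted); empty list means none."""
    columns = set()
    for r in records:
        columns.update(r.keys())
    return sorted(columns & DIRECT_IDENTIFIERS)

def strip_identifiers(records):
    """Drop direct-identifier columns; the monitoring answers themselves are kept."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]

def aggregate(records, characteristic, min_cell=MIN_CELL_SIZE):
    """Count responses for one characteristic; counts below min_cell are shown as '<N'."""
    counts = Counter(r.get(characteristic, "Not stated") for r in records)
    return {k: (v if v >= min_cell else "<%d" % min_cell) for k, v in counts.items()}

def prepare_for_publication(records):
    """Block the export while identifiers remain; otherwise return aggregate tables only."""
    ident = find_direct_identifiers(records)
    if ident:
        return {"published": False, "reason": "direct identifiers present: " + ", ".join(ident)}
    return {"published": True, "tables": {c: aggregate(records, c) for c in CHARACTERISTICS}}

if __name__ == "__main__":
    print(prepare_for_publication(RECORDS))                     # blocked: name, ni_number
    print(prepare_for_publication(strip_identifiers(RECORDS)))  # aggregate tables only
```

Row-level data never leaves the function; the only output that reaches a website is the set of count tables, and an extract that still carries identifier columns is rejected rather than silently trimmed.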