© 2012 Morgan Cole LLP Expertise | Experience | Efficiency | Contribution 11th October 2012 Avoiding Data Protection pitfalls when collecting Equality Information Mererid McDaid Associate


Equality Act 2010

• Section 149(1) provides that a public authority must, in exercising its functions, have due regard to the need to:
  • Eliminate conduct prohibited by the Act
  • Advance equality of opportunity
  • Foster good relations between persons

• Welsh Ministers prepared Regulations for the purpose of better performance of the general duty

• Application to Housing Associations


The Regulatory Framework

• Published 2 December 2011
• Purpose
  • “Delivering high quality services – providing services that meets people’s needs and expectations…”
• Governance & Financial Management
  • “We place the people who want to use our service at the heart of our work…”
  • “Our activities and services reflect the diversity of the communities where we operate, are free from discrimination and promote equality of opportunity”


What is equality monitoring data

• Likely to include the following details:
  • Name
  • Address
  • Details of any dependants
  • Details of any illnesses or other health issues
• Could also include data relating to:
  • Age
  • Disability
  • Gender reassignment
  • Marriage and civil partnership
  • Race
  • Religion or beliefs
  • Sex
  • Sexual orientation

• All ‘protected characteristics’


Equality Data and Personal Data (1)

• Data collected likely to be “personal data”
• Personal data defined as:
  • Information in electronic format or in tightly structured manual files that relates to identifiable living individuals
  • Also includes where an individual can be identified from context or information can be linked with other information that allows an individual to be identified


Equality Data and Personal Data (2)

• Data may also be “sensitive personal data”
• Sensitive personal data defined as:
  • racial or ethnic origin
  • political opinions
  • religious (or similar) beliefs
  • trades union membership
  • physical or mental health
  • sexual life
  • commission or alleged commission of criminal offence
  • prosecution for alleged offences


What activities are covered by the DPA?

Any and all handling of personal data e.g.

• Recording
• Copying
• Sharing
• Disclosing (including verbally)
• Emailing
• Faxing
• Updating
• Retrieving
• Storing
• Destroying
• Reading
• Organising or rearranging


Data Collection and DPA

• If collecting equality data, a Housing Association will:
  • Collect
  • Analyse and
  • Possibly, publish data

• Therefore “processing” for purposes of DPA


Impact of DPA

• Anyone that processes personal information must comply with the eight key principles

• Failure to do so can result in enforcement action, including penalties being imposed

• Other possible consequences include:
  • Lose the confidence of your tenants/other stakeholders
  • Reputational risk


Data Protection Principles

Personal Data must be…
• handled fairly and lawfully
• used for specified purposes
• adequate, relevant and not excessive
• accurate and up to date

Personal Data must…
• not be kept for longer than necessary
• be handled in accordance with individual rights
• be handled securely
• not be transferred to a country outside Europe unless there is adequate protection for privacy


Principle 1: Handling data fairly

• All personal data must be processed “fairly and lawfully” and for specified purposes

• What does this mean?


Handling data fairly

• Individuals must be told about your use of their data
  • Who is responsible for looking after their data
  • Why their data is being collected and used
  • Any other relevant information
    • anything else that might surprise them about the use of their data,
    • anything you feel they should know about, especially if they might wish to object
    • e.g. whether the data will be shared with others, or used for marketing, or handled abroad
  • Whether you are planning to use their details (especially email and mobile numbers) for promotional or marketing purposes


Handling data fairly

• You don’t always need consent to use personal data but if you have made promises about the way you will use it, it will be unfair if you then use it in a different way without going back to the individual e.g.

“We will only use your mobile number so we can contact you in an emergency”

• It would be unfair then to use mobile numbers for routine calls or to send promotional text messages


Handling data fairly

• Personal Data must be handled “lawfully”
• Personal data that has been supplied to you in confidence must be treated in confidence
• Otherwise there will be a breach of the DPA as well as a breach of confidence


Confidentiality

• Certain information is “confidential” if it is supplied and received with the understanding that it should be kept private

• Individuals can bring legal action if their confidential information is disclosed without consent

• Confidential information can be disclosed in exceptional cases if necessary in the public interest e.g. to save life and limb or expose wrongdoing


What may people expect you to treat as confidential?

• Name, address and telephone number
• Date of birth
• Personal circumstances including employment
• Their involvement with other agencies
• Financial circumstances
• Medical circumstances
• Information about other household members
• Racial or ethnic origin
• Religion
• History of criminal offences
• Any other information that they specifically say is being provided in confidence


Fair handling

• In addition to any duty of confidentiality, personal data should be “processed” only if one of the following six conditions applies

• Remember this applies every time you use personal data for any purpose at all


Personal Data: Schedule 2 condition

• Consent

• Processing necessary for the performance of a contract

• Processing necessary to comply with a legal obligation

• Processing necessary to protect vital interests

• Processing necessary for the exercise of statutory/public functions

• Processing necessary for legitimate interests provided there is no unwarranted interference with the rights and freedoms of the individuals concerned


Sensitive Data: Schedule 3 condition

• If handling sensitive personal data, you must also satisfy a condition in Schedule 3; these include:
  • Explicit consent
  • Necessary for the purpose of any statutory functions
  • Necessary for identifying/keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial/ethnic origins with a view to promoting/maintaining equality and is carried out with appropriate safeguards


Fair handling

• Information should be
  • used only for specified purposes
  • not used for any “incompatible purpose” (unless an exemption applies)
• Exemptions
  • prevent/detect crime
  • carry out serious internal investigations
  • obtain legal advice, deal with legal proceedings


Fair Processing Information

• If sensitive personal data is being collected and is to be processed on the basis of consent, the fair processing notice should be written in such a way that explicit consent to processing is obtained


Torbay Care Trust (1)

• Served a Civil Monetary Penalty (CMP)
• Online publication of sensitive personal data collected with the Trust’s duties under EA 2010
• Information collected by staff survey was stored on the Trust’s electronic staff records system.
• Workforce development team was then asked to supply information from the system for the purpose of publishing equality data.


Torbay Care Trust (2)

• Excel spreadsheet prepared containing details of 1,373 staff including:
  • Names and DOB, NI numbers and sensitive personal data such as
    • race,
    • religious beliefs,
    • disability and
    • sexual orientation

• Published on Trust’s website and remained online for 19 weeks until a member of the public made the ICO aware of document


Torbay Care Trust (3)

• ICO investigation found:
  • No guidance for staff on what information should not be published online
  • Trust had failed to put in place adequate checks to identify potential problems
  • ICO considered the breach extremely serious because of the large number of employee records involved and the sensitive and confidential nature of the personal data

• Served a CMP of £175,000


Good practice (1)

• Make data protection statements on monitoring forms easy to understand and include:
  • What the information is going to be used for
  • If information will be shared and if so, to whom
• Be clear as to the reasons why monitoring, particularly whether obliged to provide information for monitoring
• If publishing information – anonymise results (critically review)
• Tell individuals of their rights under DPA
• Make sure information collected is accurate and kept up to date


Good practice (2)

• Periodic review of information collected to ensure still needed for monitoring purposes

• Develop a policy on how long information will be kept for

• Assess what appropriate security measures are required to ensure the information is kept secure

• Make sure that only staff who need to view the information collected are able to gain access and ensure such staff are appropriately trained

• Make sure information is disposed of securely when it is no longer needed