Audiences NI Data Protection Workshop Rachael Gallagher Senior Policy Officer Information Commissioner’s Office 2 December 2014



Welcome

• Information session 1 – Introduction to Data Protection

• Comfort break

• Information session 2 - Data sharing

• Case study

• Questions

• Close

An Introduction to Data Protection

Information Session 1

• About the ICO

• Key Definitions of the Data Protection Act

• Data Protection Principles

• What must I do to comply?

• What happens if we don’t comply?

• Learn from others what not to do

About the ICO

• Advice and Guidance

• Audit and Advisory Visits

• Assess concerns

• Enforcement Powers

Personal Data

• Personal data is not just a person’s name

• It is any information that relates to or identifies a person and:

- Is held on a computer
- Is intended to be held on a computer
- Forms part of a ‘relevant filing system’
- Forms part of an ‘accessible record’ (information relating to health or education)

Sensitive Personal Data

• Racial/ethnic origin
• Political opinion
• Religious belief
• Trade Union membership
• Physical/mental health
• Sexual life
• Commission of a criminal offence
• Proceedings for any offence/alleged offence

Key Definitions

Data subject is the person the information is about, e.g. a customer

Data controller is the person or organisation that decides why and how the information is processed

Data processor handles the information on behalf of the controller and only on the controller’s instructions, e.g. an outsourced mailing house or payroll provider. Staff employed by the controller act as part of the controller, not as a separate processor

Data Protection Principles

The DPA is underpinned by a set of eight straightforward, common sense principles that organisations should follow. They state that personal data should be:

1) Processed fairly and lawfully
2) Processed for limited purposes
3) Adequate, relevant and not excessive
4) Accurate and up to date
5) Kept for no longer than necessary
6) Processed in accordance with the rights of individuals
7) Kept secure
8) Transferred outside the EEA only with adequate protection

Principle 1 – Fairly and Lawfully Processed

• Be fair to individuals by using a ‘Privacy Notice’ which explains:

- Who you are
- What you are going to do with their information
- Any other information which would make the processing fair

• Make sure you do not do anything unlawful with personal information

• Meet one or more ‘Conditions’ to use personal information:

- Consent (explicit consent for sensitive personal data)
- Legal obligation
- Performance of a contract

Principle 2 – Processing for Limited Purposes

• Be clear why you need the information and what you intend to do with it

• Communicate to individuals what you intend to do with their information

• Ensure any new uses for the information are fair

Principle 3 – Adequate, Relevant and not Excessive

• Only collect and hold the personal information you need

• Be clear about why you need the information

• Do not hold information ‘just in case’

• Hold the right amount of information

Principle 4 – Accurate and Up to Date

• Take steps to ensure personal information is accurate and up to date

• Ask individuals to advise you if their details change

• Consider whether it is necessary to update the information

Principle 5 – Not held for longer than is Necessary

• Regularly review the personal information to determine if you still need it

• Establish retention periods for different types of information

• The Act sets no minimum or maximum time frame

• The retention period depends on business/legal need

Principle 6 – Data Subject’s Rights

• The right to access personal information

• The right to object to processing likely to cause damage or distress

• The right to prevent direct marketing

• The right to apply to a court to have information rectified, blocked, erased or destroyed

• The right to compensation

Rights as an Individual to Access Personal Data

• The right of subject access

• Individuals can ask for a copy of their personal information

• The request must be made in writing, by letter or email

• The information must be provided within 40 calendar days

• A fee of up to £10 can be charged for dealing with a request

Individual right to object to direct marketing

• You must stop any promotional activity directed at an individual if they write and ask you to stop

• You must stop within a ‘reasonable period’

• Marketing electronically? You will also have to comply with Privacy and Electronic Communications Regulations 2003 (PECR)

Principle 7 - Security

• You should have security that is appropriate to the nature of the information

• You should consider the technology available and its cost

• Assess the risk:

- Information stored electronically/manually
- Homeworkers, staff who work outside the office

Think about Security

Staff

• Training
• Policies on data protection, homeworking, IT

Physical security

• Sending information by post/fax/email?
• Quality of doors, locks, alarm systems, CCTV
• Supervising visitors
• Disposal of confidential waste

Computer security (including mobile and removable devices)

• Anti-virus and anti-malware
• Encryption & password protection

Principle 8 – Transfer outside of EEA

• Personal information should only be transferred outside the EEA where there is ‘adequate protection’

• Particularly relevant to cloud computing

Privacy and Electronic Communications Regulations 2003

• Electronic marketing and cookies

• Explicit consent or soft opt-in

• Soft opt-in applies only if all three conditions are met:

1. Contact details of the recipient were obtained in the course of a sale or negotiations for the sale of a product or service to that recipient;

2. the marketing material relates to your similar products and services only; and

3. the recipient is given the chance to opt out in each communication

Think W3 Limited

Think W3 Limited, the online travel company, was served with a £150,000 monetary penalty after a hacker extracted a total of 1,163,996 credit and debit card records.

Cardholders’ details had not been deleted since 2006, and there had been no security checks or reviews since the system had been installed.

Department of Justice (NI)

A monetary penalty notice of £185,000 was served on the Department of Justice (NI) after a cabinet containing details of a terrorist incident was sold at auction.

Comfort Break

Data Sharing

Data Sharing

• An organisation providing information to a third party

• Systematic or ‘one-off’ data sharing

• Establish the data controller

• Comply with the Data Protection Principles

• Data Sharing Code of Practice

Considerations

• Principle 1: Fair and lawful
- Privacy notice
- Condition for processing

• Principle 6: Data subjects’ rights
- Right to object to direct marketing
- Subject access rights

• Principle 7: Kept secure
- Appropriate technical and organisational measures

• Compliance with PECR if marketing electronically

Case Study

‘Rock and Roll Promotions’ has approached music venue ‘The White Arts Centre’ in Belfast to hold an event in which chart toppers ‘The Wild Hearts’ will perform. The White Arts Centre agrees to this, and an agreement is drawn up between the venue and the promoters, stipulating the terms of the contract. The White Arts Centre sells tickets for the event through its Box Office, collecting payment details and contact details from customers purchasing tickets. The event is completely sold out and receives excellent reviews. Due to its huge success, the venue is keen to promote events of a similar nature to customers who purchased tickets; the promoters are keen to obtain customer contact details so they too can market future events to these customers; and The Wild Hearts are eager to add these customers to their mailing list about tour dates etc.

Useful guidance

• The Guide to Data Protection

• Privacy Notices Code of Practice

• The Guide to the Privacy and Electronic Communications Regulations 2003

• The Subject Access Code of Practice

Questions

www.twitter.com/iconews

Keep in touch

Information Commissioner’s Office

3rd Floor,14 Cromac Place,

Gasworks, Belfast BT7 2JB.

Tel: 028 90278757 / 0303 123 1114 Email: [email protected]

Subscribe to our e-newsletter at www.ico.org.uk

or find us on…