Data Protection - All Change or More of the Same?Paul Ticher
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation.
It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
Data Protection - All Change or More of the Same?
What Data Protection is about: 1
Prevent harm to the individuals whose data we hold, or other people
• Keep information in the right hands
• Hold good quality data
Data Protection - All Change or More of the Same?
Protecting people
Protecting data
What Data Protection is about: 2
Reassure people that we use their information responsibly, so that they trust us
• Be transparent – open and honest, don’t hide things or go behind people’s back
• Offer people a reasonable choice over how you use their data, and what for
Data Protection - All Change or More of the Same?
Give us more
money!Support our campaign! We sold your
details to someone else
What Data Protection is about: 3
Comply with specific legal requirements, such as:
Data Protection - All Change or More of the Same?
Right to opt out of direct marketing
Right of Subject Access
Notification
(And others)
The main topics for today
Top priorities
• Security
• Transparency
• Choice
• Accuracy & data quality
But first:
• The Data Protection Principles
• The definition of Personal data
• Confidentiality
Data Protection - All Change or More of the Same?
And while we’re about it
• Latest developments on
• Enforcement
• Guidance
• New EU Regulation
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Data Protection - All Change or More of the Same?
Personal data
The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about:
identifiable, living individuals
The data part means that it is recorded:
• on a computer or automated system
• in a ‘relevant filing system’
• with the intention of going into one of these systems
• (others apply to public bodies)
Data Protection - All Change or More of the Same?
How DP and Confidentiality overlap
Data Protection - All Change or More of the Same?
ConfidentialityData Protection
Clear boundaries
Circumventing security
Scams
Gossip
Taking confidentiality seriously
Data Protection - All Change or More of the Same?
Security (Principle 7)
The Data Protection Act says you must prevent:
• unauthorised access to personal data
• accidental loss or damage of personal data
The security measures must be appropriate.
They must also be technical and organisational.
Data Protection - All Change or More of the Same?
The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security (or other Data Protection requirements)
Key security measures
Protect ‘data in transit’
• passwords, encryption on USB devices, tablets and laptops
• extreme care when faxing, e-mailing & posting
• think about encryption on e-mails if appropriate
Network security – anti-virus, firewall, log-ons, etc.
Website security – ‘OWASP top ten’ or similar
Bring Your Own Device policy
External contractors (‘Data Processors’)
Secure destruction – shredding, etc.
Access controls, clear desks, locked filing cabinets
Staff DBS checks, supervision and monitoring
Data Protection - All Change or More of the Same?
‘Fair’ processing (Pr. 1): Transparency
One part of being fair to people is to make sure they have no unpleasant surprises when you use data about them.
This means you must always think whether you need to tell them anything about:
• who is collecting their information
• what purposes you hold their data for
• who you might pass the data on to
• how to contact you if they want to stop you from using their data or check what you are doing
Data Protection - All Change or More of the Same?
‘Fair’ processing (Pr. 1): Choice
The other important part of being fair is to give people a reasonable choice over how their information is used.
People must be given a choice over Direct marketing
Choices can be:
• Opt out (we’ll do it unless you say ‘no’)
• Opt in (we’ll only do it if you say ‘yes’)
Be clear about what choices are offered, record them carefully, and ensure that they are acted on.
Pre-ticked boxes are not good practice
Data Protection - All Change or More of the Same?
Conditions for fair processing
You must meet at least one of these:
• With consent of the Data Subject (“specific, informed and freely given”)
• For a contract involving the Data Subject
• To meet a legal obligation
• To protect the Subject’s ‘vital interests’
• Government & judicial functions
• In your ‘legitimate interests’ (or those you disclose to) provided you don’t infringe the Data Subject’s rights, freedoms or legitimate interests
Data Protection - All Change or More of the Same?
Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)
Data Protection - All Change or More of the Same?
Data Controller
The ‘person’ legally responsible for complying with the Data Protection Act
Staff & volunteers are part of the Data Controller
A trading company is a separate Data Controller
Organisations can be joint Data Controllers
Data Protection - All Change or More of the Same?
Data Processor
An organisation that has access to Personal Data on your behalf for your purposes
The Data Controller remains responsible for what happens to the data
There must be a written contract with the Data Processor, setting out the relationship and, in particular, their security responsibilities
Data Processors could include:
• Payroll service
• Cloud computing provider
• Tele-marketing company
• Client database maintenance & development
• Mailing house
• Contractor, delivering services
Data Protection - All Change or More of the Same?
Developments in enforcement
Recent penalties include:
• Fines for spam messaging
• Fine for breach caused by employee working from home
• Fines for charities
Other options: enforcement notices, legally binding undertakings
There have been a few successful challenges on technicalities
Information Commissioner is consulting on a more targeted approach to handling complaints
Data Protection - All Change or More of the Same?
Developments in ICO guidance
Recent publications include:
• a Code of Practice on handling Subject Access
• guidance on Bring Your Own Device policies
• a complete update of their guidance on Direct Marketing
• guidance on Social Networking
• consultation on a review of the Privacy Notices Code of Practice
Data Protection - All Change or More of the Same?
New EU Regulation: Rationale
1995: Directive 95/46/EC
1998: UK Data Protection Act (in force from 2000)
2003 (and earlier): Privacy & Electronic Communications Regulations
Subsequently:
• World Wide Web
• Cloud computing
• Social media
• Profiling
• Cookies, GPS tracking ...
• Privacy awareness
Data Protection - All Change or More of the Same?
New EU Regulation: Timetable
January 2012: first draft published by Commission
2012: various EU bodies contribute views
2013: attempts to reconcile differing views, with several conflicting drafts produced
October 2013: compromise draft agreed by parliament
2015? Negotiations with Council
Mid-2015? Ratification of final Regulation
Data Protection - All Change or More of the Same?
New EU Regulation: Some key issues
Consent tightened up – no more pre-ticked boxes
Marketing is a ‘legitimate interest’
Limited right of erasure
Right to object to profiling
More detailed privacy notices
Mandatory breach notification
Data Protection by default and by design
Mandatory Data Protection Officer
Privacy impact assessments replace Notification
Much-increased penalties (especially for multi-national companies)
Data Protection - All Change or More of the Same?
Data Protection: the absolute basics
We are trying to:
• Prevent harm by
• Keeping data only in the right hands (and being clear what ‘the right hands’ are)
• Holding good quality data (accurate, up to date and adequate)
• Reassure people so that they trust us
• Making sure people know enough about what we are doing
• Giving people a choice where possible
Data Protection - All Change or More of the Same?
Or contact me at:
2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE
0116 273 8191
www.paulticher.com
Your Logo
Thank you for listening
To go into more detail, join one of my webinars:
www.paulticher.com/webinars