Ten things you should know about Data Protection

www.actnow.org.uk Ten things you should know about Data Protection Paul Simpkins Director, Act Now Training Ltd

Post on 01-Jan-2016


Page 1: Ten things you should know about Data Protection

Ten things you should know about Data Protection

Paul Simpkins

Director, Act Now Training Ltd

Page 2: Ten things you should know about Data Protection

1. Learning the lingo

Page 3: Ten things you should know about Data Protection

Definitions

Personal Data

Data Controller

Data Processor

Data Subject

Notification

Subject Access Request

Page 4: Ten things you should know about Data Protection

Notification

One notification per organisation

£35 Tier 1 or £500 Tier 2

250 FTE

Criminal Offences

Viewable online

Page 5: Ten things you should know about Data Protection

2. Five types of data

Page 6: Ten things you should know about Data Protection

Category (a)

On Computer

CCTV & video

DIP

Audio

Swipe cards & Oysters

Page 7: Ten things you should know about Data Protection

Category (b)

Intended to be automated

Page 8: Ten things you should know about Data Protection

Category (c)

Paper or Card

Relevant Filing System

Structured by reference to individuals

Readily Accessible

Durant Guidance

Page 9: Ten things you should know about Data Protection

Category (d)

Medical Records

Social work records

Housing Records

Education Records

Page 10: Ten things you should know about Data Protection

Unstructured Data

Category (e) data

From 2005

Only Public Bodies

Some exemptions

2 access regimes to data

Page 11: Ten things you should know about Data Protection

3. Fair, honest & open

Page 12: Ten things you should know about Data Protection

Principle 1

Personal data shall be processed fairly and lawfully

Page 13: Ten things you should know about Data Protection

Principle 1

The data controller should ensure that the data subject is provided with at least

• the identity of the data controller

• the purpose for which data is processed

• any further information necessary

Page 14: Ten things you should know about Data Protection

CCTV signs

Clearly visible and Legible

Size matters

Information

Identity of controller

Purpose of scheme

Details of contact

Page 15: Ten things you should know about Data Protection

4. Can I share data with…?

Page 16: Ten things you should know about Data Protection

Partnership Working

Central Govt desire for joint working

ICO data sharing code of practice

Fair Obtaining & Processing – Principle 1

Lawful Gateways

Data Sharing Protocols

Page 17: Ten things you should know about Data Protection

Lawful Gateways

Crime & Disorder Act 1998 Section 115

Anti-terrorism, Crime & Security Act 2001

National Health Services Act 1977

Education Act 1966 s 520 (school nurses)

Children Act 2004 s10, 11, 12 (databases)

Local Government Act 1972 & 2003

Localism Act 2011

Page 18: Ten things you should know about Data Protection

Data Sharing Protocols

Purpose

Powers to share

Partners

Processes

Public Document

Page 19: Ten things you should know about Data Protection

5. Good Records

Page 20: Ten things you should know about Data Protection

Principle 3

Personal data shall be adequate, relevant and not excessive

Page 21: Ten things you should know about Data Protection

Principle 4

Personal data shall be accurate and, where necessary, kept up to date.

Page 22: Ten things you should know about Data Protection

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Page 23: Ten things you should know about Data Protection

6. Read me my rights

Page 24: Ten things you should know about Data Protection

Principle 6

1. Subject Access

2. Prevent Processing

3. Direct Marketing

4. Automated Decisions

5. Compensation/Rectification

6. To request an assessment

Page 25: Ten things you should know about Data Protection

Subject Access

A valid request is

Application in writing

Proof of identity

Fee

Some direction

Page 26: Ten things you should know about Data Protection

Subject Access

Controller must respond promptly

In any event within 40 days

Starting on the relevant day

Page 27: Ten things you should know about Data Protection

Direct Marketing

Communication (by whatever means) of any advertising or marketing material which is directed to a particular individual

Page 28: Ten things you should know about Data Protection

Computer says no…

People can object to an automated decision

Some exemptions

Once you know…

…you can object in writing

Controller has 21 days.

Page 29: Ten things you should know about Data Protection

7. Keep your data safe

Page 30: Ten things you should know about Data Protection

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Page 31: Ten things you should know about Data Protection

Principle 7

Training

Policies & Procedures

Data security breach policy

Civil Monetary Penalties

Passwords

Page 32: Ten things you should know about Data Protection

Principle 7

Contracts With Data Processors

Made or evidenced in writing

Processor to act only on Controller’s instructions

Controller should check Processor’s Security and Employees

Page 33: Ten things you should know about Data Protection

8. Who’s the daddy?

Page 34: Ten things you should know about Data Protection

Enforcement

Request for assessment

Information Notice

Enforcement Notice

Prosecution

Tribunal

Supreme court

Page 35: Ten things you should know about Data Protection

Offences

Failure to notify or to notify changes

Failure to comply with written request

Failure to comply with a Notice

Unauthorised obtaining/disclosing

Procuring a disclosure to another person

Unlawful selling

Enforced Subject Access

Page 36: Ten things you should know about Data Protection

Penalties

Undertakings

Notices from ICO

Prosecution

£500K Fines & Jail time

Inspect public sector without notice

PR disasters

Page 37: Ten things you should know about Data Protection

9. Exemptions

Page 38: Ten things you should know about Data Protection

Exemptions

S. 28 - National security

S. 29 - Crime and taxation

S. 30 - Health, education & social work

S. 31 - Regulatory activity

S. 32 - Journalism, literature & art

Page 39: Ten things you should know about Data Protection

Exemptions

S. 33 - Research, history & statistics

S. 34 - Publicly available by any enactment

S. 35 - Required by law/proceedings

S. 36 - Domestic purposes

Page 40: Ten things you should know about Data Protection

10. Social Media

Page 41: Ten things you should know about Data Protection

Policy or Prosecution?

Social Media Policy

Disciplinary offence

Bringing the organisation into disrepute

Preece v Wetherspoons

Defamation