When is it OK to share information about other people?

Transcription

1 When is it OK to share information about other people? Max Todd, Council Secretariat Geoff Hemmings, Legal Services Wednesday 1 October 2014

2 What is personal data? Data that relates to a living person, who can be identified from that data, on its own or in combination with other data e.g. address student or staff number photos Sensitive personal data : Data relating to health, race/ethnicity, religious/political beliefs, trade union membership, sexual life, criminal record

3 What is sharing? Disclosure of personal data to a third party (individual or organisation) or sharing of data between different parts of the same organisation Disclosure of student data by University to a college (or vice-versa) Disclosure of data to the Police or council Disclosure of data to a service provider e.g. mailing house, IT contractor

4 Data Protection Act: Key Requirements Sharing must satisfy all 8 data protection principles. But certain principles are particularly relevant to question of whether data can be shared. Principle 1 Fair and lawful processing Principle 2 Limited purpose

5 Principle 1 Fair and lawful processing Provide a Privacy notice, indicating: Who is processing the data? What will be done with the data? Any other information needed for processing to be fair e.g. disclosures to 3 rd parties Consider impact of processing on individual: Will any adverse effect be justified?

6 Principle 2 Purpose limitation Personal data shall not be used for a purpose incompatible with the purposes for which it was originally collected i.e. beyond the reasonable expectations of the individual

7 University privacy notices Generic Staff Student Alumni: Ad-hoc purposes e.g. research, libraries, online shop

8 Can I share? Checklist (1) What is the objective? What is the sharing meant to achieve? Does that objective require personal data or could it be achieved with anonymised data?

9 Can I share? Checklist (2) Does the privacy notice give me authority to share? For internal sharing, consider purpose only For external sharing, consider disclosure provisions, as well as purpose

10 Can I share? Checklist (3) If not authorised by a privacy notice, is the sharing something the individual would expect me to do? Would it have an adverse effect on individual? If outside reasonable expectations, seek the individual s consent Disclosure to a 3 rd party will usually require consent, unless specifically authorised in privacy notice

11 Exemptions Exemptions allow sharing when not authorised in a privacy notice or no consent is sought To prevent or detect crime To assess or collect tax To meet a legal requirement For the purpose of legal proceedings

12 How can I share? Once you have established that data can be shared, certain principles are relevant to how data is shared. Principles 3 & 4 quality of data Principle 7 security & integrity Principle 8 transfers outside the EEA

13 Principles 3 & 4 quality of data Shared data must be: adequate, relevant and not excessive accurate and (where necessary) up-to-date

14 Principles 7 security & integrity (1) Appropriate measures against: Misuse Loss Destruction Damage In transit and at destination.

15 Principles 7 security & integrity (2) Ensure reliability of employees who have access to data Where subcontracting: Sufficient guarantees Written agreement specific provisions Ensure compliance

16 Principles 8 transfers outside EEA Prohibited unless to a country providing adequate protections Approved countries list very short does not include USA Exemptions consent & appropriate contracts Don t rely on US-EU Safe Harbor

17 How can I share? - Checklist Specific agreement required? Due diligence on the recipient Quality of data shared Transfer outside the EEA?

18 Further information

19 QUESTIONS?