Welcome To Your Data Protection Journey. Paula Tighe Information Governance Executive

Transcription

1 Welcome To Your Data Protection Journey Paula Tighe Information Governance Executive

2 Legal Statement All information in this presentation is protected under copy right and where indicated protected under trademark. No one is allowed to use, disseminate or copy the information from this information pack or power point without the explicit written consent of: Wright Hassall LLP Olympus Avenue Leamington Spa Warwickshire CV34 6BF Please contact for more information on: 1.This statement 2.Data Protection Trusted Advisor services 3.Data Protection Training 4.Data Protection working group studies for tenants and leaseholders Paula Tighe: or by ing

3 Data Protection in the Workplace Make it simple by knowing What is the regulators view How can it be applied

4 Regulator Source of information and help: Lynne Shackley Lead Policy Officer Regulator of DPA & FOIA : Information Commissioner Office Christopher Graham: Information Commissioner

5 Aim Data Protection Act Privacy Rights For Living Individuals (Data Subjects) Controls processing requirements of Individuals personal data 8 Guiding Principles Obligations on Organisations who collect and process Individuals personal data Defines obligations for Data Controllers

6 Back to Basics - Data Controller Organisation Person Who decides the purpose and manner in which a individuals personal data will be processed

7 Data controller s responsibilities Comply with all the provisions of the Act Ensure the right data is collected, used and shared in line with the Act Notify the ICO of all the purposes they intend to collect and process personal data for Ensure they comply with the individual s (Data Subject s) rights Comply with the 8 Data Protection Principles Understand and comply with Directors responsibilities (sec 61)

8 Back to Basics - Data Processor Can be a person or organisation A third party which the data controller has instructed by contract to carry out functions on their behalf. Where you have detailed their obligations to ensure compliance with the DPA and supplied them individuals personal data

9 Data processor responsibilities Processes personal data on behalf of a Data Controller (not employee of the data controller) They are not legally responsible for the personal data They make no decisions about how the data will be used, shared, stored, secure and destroyed The data controller carries all the risk

10 Back to basics - Personal Data (schedule two) Data which relates to a living individual who can be identified from that data. This includes an expression or opinion about any living individual: Name Bank account Details Telephone number Image Address address CCTV Footage Gender Barbie has rang again about her leaking tap, for the 10 th time can you arrange for a plumber to go out again!!! I know you have gone out before and found no problems she is old and may have a bit of dementia coming on!!.

11 When collecting and processing Personal Data the organisation has to Obtain informed consent (Show and Tell) It can be obtained in different ways: A proposed or agreed contract tenancy agreement, lease agreement or employment contract Statement on website, back of receipts or letter/ ASB wittiness statement or interview/report form But you can process without informed consent if: Need to comply with legal obligations Protect the vital interests of an individual Comply administration of justice or to exercise functions of a public nature which is in the public interest Legitimate interest ensuring the processing is justifiable to the individual s rights

12 Get the Basics Right - Sensitive Personal Data Ethnicity Religious or Other Beliefs Political Opinions Membership of a Trade Union Sexual Life Offences Committed or Alleged to have been Committed by that Individual Medical History

13 When collecting Sensitive Personal Data the organisation has to Obtain Explicit Consent It can be obtained in different ways, but you need to ensure that the consent you obtain is "unambiguous, freely given and fully understood A signature or a verbal agreement which is recorded and confirmed But you can process without explicit consent if: The individual has made the information public To protect the vital interests of an individual legal proceedings and/or legal advice Exercising contractual obligations (DBS checks for a job)

14 Fair and Lawful data sharing As long as you are C.O.T you can process and share without consent: For the prevention or detection of crime and fraud For the apprehension or prosecution of offenders For the assessment or collection of tax or duty owed to customs & excise In connection with legal proceedings In relation to the physical or mental health of an individual, where disclosure is required to protect them or vital interests

15 Fair and Lawful data sharing For research and statistical purposes (anonymous) To carry out contractual obligations Administration of justice, exercise functions of public nature in public interest Legitimate interests except where unwarranted prejudices individual rights To comply with the law

16 Fair and Lawful data sharing Consider when consent should be sought and is it reasonable to disclose personal data without consent? What duty of confidentiality do we owe the 3 rd party Have steps been taken to seek consent and note refusal and/or objection? Have steps been taken to record legal and/or regulatory grounds for disclosure? Only supply the data if you have relevant authority and paper work It is fine to positively challenge the request and ask for it in writing BUT

17 Fair and Lawful data sharing To protection a person(s) vital interests Never delay responding to a request which has been verified from the: Police Prevention/Detection of crime Social Services Protection of a child or vulnerable person Health Protection of a child or vulnerable person Child Protection Unit Protection of a child or young person If in doubt ASK

18 Fair and Lawful data sharing - Third parties If the personal data requested involves disclosing information about third parties, you should: 1. Consider whether it can be anonymised Where the organisation cannot comply with the request without disclosing third party data it is not obliged to comply unless: 2. Third party consents, or 3. It is reasonable in all the circumstances to comply without the consent of that individual

19 Fair and Lawful data sharing Processing is necessary for the purposes of legitimate interests of the data controller or by third parties to whom the data are disclosed. If the use of the data prejudice s the rights and freedoms or legitimate interests of the individual then you need to : Assess on a case by case basis Balance your interests and that of the individual Share only what is legitimate for the purpose it is intended for You have confirmed and recorded if you do or do not need informed and explicit consent for sharing Example LA Supplying Association names/addresses of elderly people for the provision of support services

20 Your First Principle Process personal data fairly and lawfully Clear Open and Transparent Collect Use Share and Secure data correctly Confirm when you need consent 1 Personal Data Informed Sensitive Personal Data Explicit

21 Your First Principle Made Easy Tell them who the data controller or data processor is and what and when their data will be collected and Used Shared Stored Retained Secured Destroyed This is a fair processing notice do you recall seeing one?

22 Your First Principle Made Easy Now ask yourself do you have customers who are vulnerable? Do they understand why their data is being collected? Do they understand why you are collecting, using, sharing and securing their data? Do they have the mental capacity to clearly understand the above? Find their advocate and open the conversation and record Next of Kin Representative Social Worker

23 Your Second Principle Personal data must be used for the specified purposes you informed the individual about Do not be use their data for any incompatible purpose use the C.O.T approach Think about what the recipient of the data will use it for 2 Do you need to review your notification and inform individuals of the new form of processing

24 Your Second Principle in practice Personal data originally obtained for administrative purposes Name and date of birth of all occupants in a given address Shared with the Police to detect and prevent crime means the two purposes are compatible. But you need to share it in the right way. Proof of identification, relevant disclosure form detailing the purposes of the request, to whom it relates and do they restrict you informing the individuals of the data sharing Personal data obtained from the letting process Name/address Used by the communications team to send out marketing material regarding a new garden service people can pay for from an external third party contractor supply. This is a new purpose and incompatible.

25 Principles in practice Relevant and Adequate data sharing agreements does not mean a catch all approach. Look at what is the objective of the sharing and what is needed for that purpose. Why receive other RP or agency data only hold what is relevant and adequate for your purposes Accurate and up to date records you are sending troubled family data to a public body at their request thus enabling them to obtain funding. They will have limited responsibility. You need to ensure accuracy in you re and their systems on a regular basis Keep data for as long as it is needed ensure both parties retain the data for the pre-agreed time scale. Put in your sharing agreements provision for use, further sharing and retention. Attach a retention destruction schedule 3 4 5

26 Your Sixth Principle Your rights individuals Access personal data 40 days from valid request Object to the use of data that causes damage or 6 distress Seek correction, and destruction of personal data Object to the use of data for direct marketing Know about automated decision making Seek compensation

27 Your Seventh Principle - keep data secure Ensuring appropriate technical measures are in place Ensure you prevent unauthorised access and processing Ensure you prevent unlawful obtaining of personal data Train your staff 7

28 Your Eighth Principle - Limits on overseas transfers Personal data should not be transferred outside the outside EEA unless there is adequate protection for the rights of individuals Check if your third parties sub contract Check if your third parties secure your data at all times Check when you need to obtain the individuals consent to send data outside UK 8

29

30 Enforcement and Sanctions Regulator ICO Information Notice s and Assessment Requests Power to service Undertaking or Enforcement Notices Revoke right to process data Monetary Penalty (Up to Half Million Pounds) Evoke Sec 61 Directors Liability Evoke Sec 55 Personal Legal Accountability & Liability Power to enter LA/Government Audits Criminal & Civil Action Support people in court

31 Enforcement and Sanctions Courts Review the handling of subject access requests Order the payment of compensation Prosecute individuals for section 55 (theft of data) Data Controller Could suffer loss of confidence from customers, stakeholders and employees Could consider disciplinary action

32 Exemptions in practice There is always time when you can give or share individuals data without consent or knowledge. Its knowing the why, when and the how to make if fair and lawful Section 29 Crime and taxation Section 35 Required by the law

33 Exemptions Crime and Taxation Section 29 Personal data held for the purposes of preventing or detecting crime, apprehending or prosecuting offenders, or assessing and collecting any tax or duty are exempt if disclosure would prejudice one of these purposes. The exemption is restricted to bodies such as the Police, Inland Revenue and Rate Collection Agencies (utilities companies) council tax, benefit agency, CSA. Association can use Sec29 for prevention and detection of crime, fraud or for the use of misuse of public funds Check the investigator complies with the list of approved bodies appointed Debt collecting agencies cannot use of sec29 Private investigators cannot use of sec29

34 Exemptions Section 29 Taxation Taxation covers Water, Gas and Electric and Customs They have to put request on in writing (headed paper) They need to supply name of the debtor When the debt was incurred and by whom (start and end) What legal action they are seeking to recover the debt They have to quoting they want to evoke section 29 provisions Data controller can only supply the forwarding address of the debtor if it is known, it cannot be a corresponding and/or next of kin address. Tell your customers how you will share data without their consent for this purpose in your fair processing notice

35 Exemptions Section 35 - Comply with Law or Legal Proceedings Where the disclosure is required by or under any enactment, rule of law, or order of the court, or Where disclosure is necessary for the purpose of or in connection with, any legal proceedings (including prospective ones) The purpose of obtaining legal advice The purposes of establishing, exercising or defending legal rights

36 Exemptions Disclosures relating to the physical or mental health or condition of the individual If you are not a qualified health professional the information should not be provided unless the appropriate health professional has been consulted. If the organisation intends to rely upon an existing opinion obtained within the previous six months, they must consider whether it is reasonable in all the circumstances whether to re-consult the health professional However if a subject access request has been made and the organisation is satisfied the individual has previously seen and/or already have information you can decide to share or not as they already have it Note: circumstances change if unsure obtain health professional opinion

37 Privacy Impact Assessments Information sharing protocols Mandatory for all government departments to carry out PIA on new policies and processes involving individuals persona data. PIA would be required when entering into sharing exercises with other agencies (e.g. troubled families) They help understand and evaluate potential risks for the individual and organisation regarding the sharing Help make informed risked based and recorded decisions Help decide if the sharing should take place Have you ever asked to see your LA PIA s

38 Data Sharing Agreements (Protocol) They need to formally define the sharing purposes, agents, privacy rights of the individuals and obligations of the agencies. Clauses: Purpose and Members of the project What data is to be shared PD, SPD or anonymous What is the purpose of sharing (sec29) What legitimate and legal obligations have the agencies in place to share data with or without consent Proportionate Test Further use of the data (prevent recipient from processing activities) Roles, Responsibilities and Accountabilities Security requirements of all parties

39 Data Sharing Agreements (Protocol) Integrity of the shared data and each controllers obligations Freedom of information or Environmental Information Regulations Inspection and data protection audit reviews Loss or unauthorised release steps (breach management procedure) Actions for end of project

40

41 Case Study A housing officer is attending a child protection case conference at social services. They take the housing association case file home as the meeting is the next day. They stop off for a drink at the pub with some friends of the office. Whilst getting their drinks their bag is stolen with all the paper work in: Q What risks do you feel their maybe to the persons in the file? Q Name one risk to the organisation?

42 Case Study A applicant for housing is being interviewed by the housing provider before making an offer of accommodation. The provider telephones her contact at the Community Safety Unit and supplies them with their name, date of birth, national insurance number and last known address. They ask them to confirm this persons criminal history and any convictions as they have some suspicions. Q What do you think the response and outcome will be based on what you have in your toolkit?

43 Case Study Police contact a housing officer and request them to supply them with all of the tenants and their occupants names for a block of 30 flats. They want their names, any telephone or contact details you hold and copies of CCTV footage of the entrance for the last month. The request is over the phone and they inform you they need this as they are investigating an attempted murder case. Q What would you consider and use in your toolkit today in helping you answer this request?

44 Fair and lawful use Accurate and, where necessary, kept up to date In accordance with individual rights Relevant, adequate, not excessive Not kept longer than necessary Expected purposes only Security measures Safe transfers overseas

45

46 FEEDBACK THANK YOU FOR YOUR PARTICIPATION