Data Protection Act 1998/General Data Protection Regulation 2016/Freedom of Information Act, Ewan Robson, Director, IG Compliance ltd (PowerPoint PPT Presentation)



SLIDE 1

Data Protection Act 1998/General Data Protection Regulation 2016/Freedom of Information Act

Ewan Robson

Director, IG Compliance ltd

SLIDE 2

Today's Training

• Look at the History of the Data Protection Act/General Data Protection Regulation/Freedom of Information Act
• Your Responsibilities
• Analyse the Acts
• ICO
• Training Rules

SLIDE 3

Data Protection Act / General Data Protection Regulation

What do you know?

SLIDE 4

Your Responsibilities

• Have in place a Fair Processing Notice/Privacy Notice
• Have in place agreements for sharing information with partners?
• Have in place procedures for responding to data protection subject access requests?

SLIDE 5

Your Responsibilities (2)

• Have in place an officer responsible for data protection
• Register with the Information Commissioner's Office as required by the Data Protection Act?
  – Tiered approach (1st April 2018)
  – £55
• Give members and officers training on data protection/GDPR and information sharing and ensure that knowledge is kept up to date?

SLIDE 6

Legal Definitions

• (Data) Controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
• (Data) Processor: in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
• (Data) Subject: means an individual (Natural Person) who is the subject of personal data.
• The definition of personal data is data which relates to a living individual (natural person) who can be identified
  – from that data, or
  – from that data and other information which is in the possession of, or is likely to come into the possession of, the (data) controller.

SLIDE 7

Principle 1

• DPA – Principle 1: Personal data shall be processed fairly and lawfully
• GDPR – Article 5(1)(a): Processed lawfully, fairly and in a transparent manner in relation to the data subject

SLIDE 8

Principle 2

• DPA – Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes
• GDPR – Article 5(1)(b): Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

SLIDE 9

Principle 3

• DPA – Principle 3: Adequate, relevant and not excessive
• GDPR – Article 5(1)(c): Adequate, relevant and limited to what is necessary

SLIDE 10

Principle 4

• DPA – Principle 4: Personal data shall be accurate and, where necessary, kept up to date
• GDPR – Article 5(1)(d): Accurate and, where necessary, kept up to date

SLIDE 11

Principle 5

• DPA – Principle 5: Personal data shall not be kept for longer than is necessary
• GDPR – Article 5(1)(e): Kept in a form which permits identification of data subjects for no longer than is necessary

SLIDE 12

Principle 6

• DPA – Principle 6: Personal data shall be processed in accordance with the rights of data subjects
• GDPR – Article 15

SLIDE 13

Principle 7

• DPA – Principle 7: Appropriate technical and organisational measures
• GDPR – Article 5(1)(f): Processed in a manner that ensures appropriate security of the personal data

SLIDE 14

Principle 8

• DPA – Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area
• GDPR – Removed

SLIDE 15

Data Subject Rights – Article 15

• Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
• Given a copy of the information comprising the data;
• Apply in writing (form or letter)
  – Name
  – Address/contact details
  – Fee if appropriate
• 40 days to complete the request
• To communicate the information in an intelligible form
• Rights to complain to the ICO

• Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
• Given a copy of the information comprising the data;
• Apply in writing (form/letter or verbal)
  – Name
  – Address/contact details
  – No fee
• 1 calendar month to complete the request
• To communicate the information in an intelligible form
• Rights to complain to the Regulatory Authority

SLIDE 16

Data Protection Officer

Article 37 - Designation of the data protection officer

• The controller and the processor shall designate a data protection officer in any case where:
  – (a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

SLIDE 17

Data Protection Officer (2)

Article 38 - Position of the data protection officer

• The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
• The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
• The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
• Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
• The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
• The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

SLIDE 18

Data Protection Officer (3)

Article 39 - Tasks of the data protection officer

• The data protection officer shall have at least the following tasks:
  – (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  – (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  – (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  – (d) to cooperate with the supervisory authority;
  – (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
• 2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

SLIDE 19

Who is the ICO
• UK Independent Authority

What do they do
• Advice
• Complaints
• Enforcement notices
• Decision notices

What does that mean
• Investigation
• Fines

SLIDE 20

GENERAL DATA PROTECTION REGULATION

SLIDE 21

Why was the change needed

• Aim to reinforce individuals' rights in the digital age
• Free flow of personal data in the digital market
• To give citizens back control over their personal data
• Simplify the regulatory environment for business
• Applicable to all EU Member States

SLIDE 22

Headline changes

• A single set of rules throughout the EU
• Privacy by Design
• Mandatory Data Protection Officers for public authorities
• Greater focus on obtaining explicit consent
• Mandatory reporting of high risk incidents within 72 hours
• Increase in sanctions (2-4% of turnover)
• Right to be forgotten & Data Portability
• Liabilities of Controller and Processor
• Rights of the Data Subject

SLIDE 23

Articles of Note

• Article 3: Territorial scope
• Article 4: Definitions
• Article 5: Principles relating to personal data processing
• Article 6: Lawfulness of processing
• Article 7: Conditions for consent
• Article 9: Processing of special categories of personal data

SLIDE 24

Chapter 3: Rights of the Data Subject

• Article 15: Rights of Access by the Data Subject
• Article 16: Right to rectification
• Article 17: Right to erasure ('right to be forgotten')
• Article 18: Right to restriction of processing
• Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Article 20: Right to data portability
• Article 21: Right to object
• Article 22: Automated individual decision-making, including profiling

SLIDE 25

Chapter 4: Controller and Processor

• Article 24: Responsibility of the controller
• Article 33: Notification of a personal data breach to the supervisory authority
• Article 34: Communication of a personal data breach to the data subject
• Article 35: Data protection impact assessment
• Article 37: Designation of the data protection officer
• Article 38: Position of the data protection officer
• Article 39: Tasks of the data protection officer

SLIDE 26

Where do I start?

• 12 Steps to Prepare
• Assign a DPO
• Article 30 – what are you processing?
• Fair Processing Notice/Privacy Notice

SLIDE 27

Time for a break (10 mins)

SLIDE 28

Freedom of Information Act

• Official Secrets Act 1911
• Freedom of Information and Privacy Bill 1977
• Became a manifesto commitment of the Labour Party in 1997
• The act came into force on 1st January 2005
• Freedom of Information (Amendment) Bill 2007
  – Sought to exempt MPs from the provisions of the act, but failed.

SLIDE 29

What is a Public Document?

• The Act covers all recorded information held by a public authority:
  – Draft documents
  – Emails (personal/corporate accounts)
  – Notes
  – Recordings of telephone conversations
  – CCTV recordings
  – Letters
  – Policies & Procedures
  – Minutes

SLIDE 30

When does it apply/not apply

• When you don't hold the information
• When you have to recreate the information to comply
• When it follows any exemption under the act
• How do you decide if information is held by a public authority or held on behalf of another body?
  – it is held by the authority, otherwise than on behalf of another person, or
  – it is held by another person on behalf of the authority

SLIDE 31

Freedom of Information Act 2000

• Relates to all non-personal information held by public bodies and recorded in any format
• The organisation must respond within 20 working days
• However old – the Act is fully retrospective
• The requester need not quote the FOI Act; however, requests must be in writing (including letters and email)
• Exemptions may apply for non-disclosure – the FOI Lead will determine this
• Ensures accountability & fosters an open & honest culture
• Environmental Information Regulations 2000

SLIDE 32

Your Responsibilities

• Corporate Records Structure
• Publication Scheme
• Disclosure log
• Comply with requests for information

SLIDE 33

Corporate Records Structure

• Each record must have:
  – Strict naming convention
  – Version control
  – Protective marking
  – Defined type of record
  – Corporate image
• Agreed and minuted by appropriate committee
• A track and trace system is to be in place
• Made available to the public where appropriate
• Only one version to be worked on to ensure accuracy
• Retained till review or due for destruction
• All of the above is to be recorded on a system or database

SLIDE 34

Exemptions

• There are two types of exemptions
  – Qualified/conditional
    • Public Interest Test
    • Neither Confirm Nor Deny (Section 17)
  – Absolute
    • Do not use NCND
    • Do not use Public Interest Test

Refusing a Request

• Section 12 – Cost Exemption
• Section 14 – Vexatious or repeated request
• Require further information to commence request

SLIDE 35

Exemptions (2)

• Section 21: information available by other means
• Section 22: information intended for future publication
• Section 23: information supplied by, or related to, bodies dealing with security matters
• Section 29: the economy

SLIDE 36

Exemptions (3)

• Section 30: investigations and proceedings conducted by public authorities
• Section 31: law enforcement
• Section 33: audit functions
• Section 36: prejudice to the effective conduct of public affairs

SLIDE 37

Exemptions (4)

• Section 37: communications with Her Majesty
• Section 38: health and safety
• Section 39: environmental information
• Section 40: personal information
• Section 41: information provided in confidence
• Section 42: legal professional privilege
• Section 43: commercial interests
• Section 44: prohibitions on disclosure

SLIDE 38

Recap

• History of the Data Protection Act
• Analysed the DPA principles
• ICO - Responsibilities
• History of the Freedom of Information Act
• Analysed the exemptions
• After the training you will receive an email with relevant handouts from the training

SLIDE 39

ANY QUESTIONS

SLIDE 40

Contact Details

• Ewan Robson
• ewanrobson@igcompliance.co.uk
• 07976 279438