Amanda Kearsley, Director

Transcript of the slide deck (37 pages). Pages 1 to 3 are title slides.

Page 4:

Introductory Guide to Data Protection, HLA Conference 2011

Amanda Kearsley, Director

Page 5:

Why data protection matters to you …

CONSEQUENCES OF GETTING IT WRONG

• ENFORCEMENT
• FINES
• CRIMINAL LIABILITY (potentially personal)
• NEGATIVE PUBLICITY
• CLAIMS FOR COMPENSATION
• REDUCED DATABASE VALUE

Page 6:

THE DATA PROTECTION ACT and RELATED LAWS

QUICK QUIZ: BLUFF or TRUE?

1 A DATA CONTROLLER IS USUALLY THE IT MANAGER OR DATA PROTECTION COMPLIANCE OFFICER
BLUFF (the data controller is the organisation itself, not an employee: see page 8)

2 YOU CAN DO PRETTY MUCH ANYTHING YOU WANT TO WITH PERSONAL DATA
BLUFF (processing must satisfy the eight principles: see pages 14 to 28)

3 WILLIAM SHAKESPEARE IS ENTITLED TO DPA PROTECTION FOR HIS PERSONAL DATA
BLUFF (personal data relates only to a living individual: see page 11)

4 IF YOU WANT TO MARKET BY EMAIL OR SMS YOU NEED AN ‘OPT-IN’ FROM THE INDIVIDUAL
TRUE (email and SMS marketing require consent: see page 19)

Page 7:

What’s it all about?

THE DATA PROTECTION ACT

PROCESSING

DATA CONTROLLERS

PERSONAL DATA

DATA SUBJECTS

Page 8:

‘Data controller’ …

is a person who determines the purposes for which, and the manner in which, personal data are processed

Examples:

• Marks and Spencer PLC
• Vodafone Limited
• Leicestershire & Rutland Organisation for the Relief of Suffering Limited

NOT employees or third party data processors

Page 9:

‘Processing’ …

Virtually ANYTHING that can be done with personal data

Examples:

• obtaining, recording, holding
• organising, altering
• retrieving, consulting, using
• disclosing, transmitting
• combining, blocking, erasing, destroying

Page 10:

‘Data’ …

Information that is AUTOMATICALLY processed

Examples:

• on computers, PDAs, BlackBerrys
• video systems, CCTV cameras, audio systems

Information processed in HIGHLY STRUCTURED MANUAL FILES

Examples:

• index card systems
• HR files

Page 11:

‘Personal data’ …

Data relating to a LIVING, IDENTIFIABLE INDIVIDUAL who can be identified from:

• THOSE DATA, or
• those data AND OTHER DATA in the possession of, or likely to come into the possession of, the data controller

Examples:

• contact details
• video footage of staff leaving premises
• list of winners of a competition
• staff appraisals

Page 12:

‘Data subject’ …

An individual who is the subject of personal data

Examples:

• staff
• officials
• suppliers
• family members

Page 13:

Recap …

Any person who is a DATA CONTROLLER that PROCESSES PERSONAL DATA relating to a DATA SUBJECT will be subject to the Data Protection Act 1998

Page 14:

THE 8 DATA PROTECTION PRINCIPLES

Page 15:

Principle 1: FAIR & LAWFUL (JUSTIFY PROCESSING)

ORDINARY personal data:

• Necessary (eg for legitimate interests)
• Consent

SENSITIVE personal data:

• Necessary (eg vital interests; legal rights/obligations)
• Explicit consent

Page 16:

Principle 2: LAWFUL & STATED PURPOSES

• NOTIFY ON REGISTER OF DATA CONTROLLERS
• DATA PROTECTION NOTICES

Page 17:

WHAT TO NOTIFY

• FULL LEGAL ENTITY NAME OF THE DATA CONTROLLER
• PURPOSES FOR PROCESSING (eg staff admin, marketing, trading in personal data)
• DATA CLASSES (eg staff, customers, suppliers)
• RECIPIENTS (eg the data subject himself, data processors)
• TRANSFERS OUTSIDE EEA

FEES ARE PAYABLE, RENEWABLE ANNUALLY

Page 18:

EXEMPTION FROM NOTIFICATION

CERTAIN ‘NOT FOR PROFIT ORGANISATIONS’:

• MUST BE CONSTITUTED AS ‘NOT FOR PROFIT’
• MUST ONLY USE THE PERSONAL DATA FOR THE FOLLOWING:
  STAFF ADMINISTRATION (including payroll)
  OWN ADVERTISING, MARKETING AND PR
  OWN ACCOUNTS AND RECORDS

Page 19:

CONTENT OF A DATA PROTECTION NOTICE

• IDENTITY OF DATA CONTROLLER(S)
• DESCRIPTION OF PURPOSES (especially non-obvious ones): administration, marketing, profiling
• DESCRIPTION OF DISCLOSURES AND DISCLOSEES’ PURPOSES: commercial partners
• MARKETING METHODS: email and SMS require consent
• OPT-IN or OPT-OUT FOR DIRECT MARKETING
• RIGHT TO ACCESS PERSONAL DATA
• RIGHT TO CORRECT INACCURACIES

Page 20:

MUST BE CLEAR, PROMINENT AND UNDERSTANDABLE

GIVEN AT TIME DATA ARE COLLECTED (if obtained from a 3rd party, give as soon as reasonably practicable)

CAN BE USED TO OBTAIN CONSENT, eg for processing sensitive personal data or email marketing:

• “by ticking this box you consent to...”
• “if you do not consent to ... then tick this box...”
• “by clicking on the submit button you consent to...”

Page 21:

Recap …

What you say in a data protection notice dictates what you can do with the personal data

• make sure your notices are wide but accurate
• future proof them as much as possible
• don’t miss anything out

Page 22:

Principle 3: ADEQUATE, RELEVANT & NOT TOO MUCH

Page 23:

Principle 4: ACCURATE & UP-TO-DATE

• POLICIES ON UPDATING

Page 24:

Principle 5: NOT FOR LONGER THAN NECESSARY

• RETENTION and DESTRUCTION POLICIES

Page 25:

Principle 6: RIGHTS OF INDIVIDUALS

• SUBJECT ACCESS
• OPT-OUT OF DIRECT MARKETING
• OBJECT TO AUTOMATED DECISIONS

Page 26:

Principle 7: APPROPRIATE SECURITY

Page 27:

Principle 7: APPROPRIATE SECURITY (continued)

MEASURES REQUIRED depend on:

• Nature of the data
• State of technology
• Cost
• Reliable employees

USING DATA PROCESSORS? Then:

• Written contract
• Controller’s instructions
• 7th principle obligations
• Security guarantee
• Audit compliance

Page 28:

Principle 8: TRANSFERS OUTSIDE EEA

• ONLY TO TERRITORIES WITH AN ‘ADEQUATE LEVEL OF PROTECTION’

THE DATA PROTECTION ACT: the eight principles together

1 FAIR & LAWFUL
2 LAWFUL & STATED PURPOSES
3 ADEQUATE, RELEVANT & NOT TOO MUCH
4 ACCURATE & UP-TO-DATE
5 NOT FOR LONGER THAN NECESSARY
6 RIGHTS OF INDIVIDUALS
7 APPROPRIATE SECURITY
8 TRANSFERS OUTSIDE EEA

Page 29:

CAN YOU?

Demonstrate you have not been an Idiot …

Page 30:

QUESTION 1

Which of the following is not a power of the ICO?

(a) to impose fines

(b) to issue an enforcement notice

(c) to impose a custodial sentence

(d) to enter property and seize documents

Page 31:

QUESTION 2

Which of the following is not a data subject?

(a) Prince Charles

(b) Princess Diana

(c) Prince William

(d) The Duke and Duchess of Cambridge’s first born

Page 32:

QUESTION 3

Which of the following is not ‘data’?

(a) An email

(b) A message on a post-it note

(c) CCTV image

(d) A HR file

Page 33:

QUESTION 4

Which of the following are not ‘personal data’?

(a) Date of birth of the head of your organisation

(b) Address of your organisation

(c) The name of the person who answers the phone in your business

(d) A customer’s opinion of your latest scratch card competition

Page 34:

QUESTION 5

Which of the following are not ‘sensitive personal data’?

(a) Financial records

(b) Criminal Records Bureau disclosures

(c) Staff medical records

(d) Political opinions

Page 35:

QUESTION 6

Which of the following are not DPA principles?

(a) The data controller must process fairly and lawfully

(b) The data controller must make sure that personal data are accurate and up-to-date

(c) The data controller must obtain consent for direct marketing

(d) The data controller must take appropriate security measures to protect personal data

Page 36:

QUESTION 7

Which of the following is not a right given to data subjects under the DPA?

(a) The right to access all information held

(b) The right to opt-out of direct marketing

(c) The right to object to automated decision making

(d) The right to prevent processing likely to cause damage and distress

Page 37:

1 DPO. Appoint somebody within your organisation to be responsible for data protection
2 Notification. Notify the ICO, unless your organisation is exempt, and ensure your notification is kept up to date
3 Data protection notices. Have well drafted and future proof data protection notices (and use them!!)
4 Justification. Justify your processing
5 Quality. Ensure you capture data accurately and keep it up to date
6 Data processors. Have contracts in place with your data processors and monitor that they are doing what they say they will do
7 Security. Have and use appropriate security for all personal data
8 Policies. Have appropriate policies in place (including retention, deletion, security)
9 Rights. Comply with all data subject rights (eg right to opt out of direct marketing and right of access)
10 Training. Ensure staff are trained in their responsibilities