Data Protection

Paul Veysey & Bethan Walsh


Introduction

Data Protection is about protecting people by responsibly managing their data in ways they expect and understand

90%


Penalties

  • Data Protection in the UK is supervised and enforced by the Information Commissioner, who can serve notices on organisations to ensure compliance and can bring prosecutions.

  • Criminal offences include:

    • Failing to notify data processing to the ICO

    • Unlawfully obtaining or disclosing personal information

  • Civil claims for compensation can be brought by individuals where an organisation has breached the provisions of the DPA and caused them damage.


Pro-active Approach

  • Organisations should:

    • Appoint a senior member of staff to take responsibility for Data Protection – the Data Protection Officer

    • Ensure policies and procedures are in place so that data protection is always a consideration

    • Ensure staff and volunteers have training and guidance available to them to ensure compliance

    • Audit and review your data protection position


The basics

The Basics

The DPA is concerned with ‘Personal Data’ held by ‘Data Controllers’

Personal: identifiable, living individuals


The Basics

Data:

Information held on a computer

Information in a relevant manual filing system

Information recorded with the intention that it will form part of one of the above


Data Controller

‘A person who determines the purpose for which and the manner in which personal data is, or is to be, processed’


What is ‘Processing’?

Obtaining information

Storing information

Changing or copying

Disclosing or passing on

Destroying or erasing


Do I have to Notify?

Most organisations that process personal data must register (notify) with the ICO. Failure to notify is a criminal offence and a fine can be imposed.

Personal data cannot be processed until registration has taken place, unless an exemption applies.


Do I have to Notify?

Cost:

£35 per year

(If you have more than 249 employees and a turnover in excess of £25.9 million, the fee is £500 per year, unless you are a charity)


Do I have to Notify?

Not-for-profit organisations have the benefit of an opt-out where their functions are limited to:

  • establishing or maintaining membership;

  • supporting a not-for-profit body or association; or

  • providing or administering activities for either the members or those who have regular contact with it.


How to comply?

Data Protection Principles


The Principles

1. Process fairly and lawfully
2. Obtain and process for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than is necessary
6. Processed in accordance with the rights of the individual
7. Appropriate security measures against unauthorised or unlawful use of data and against loss, destruction or damage
8. Transfer outside the EEA only where adequate protection is in place


1. Process Fairly and Lawfully

  • You must collect data fairly and have legitimate grounds for collecting and using the data

  • You must be transparent about how you intend to use the data

  • You must not do anything unlawful with the data


1. Process Fairly and Lawfully

What can I do with personal data?

The Act sets out ‘conditions for processing’, at least one of which must be met before processing can take place

The key condition is CONSENT

The safest route to compliance is to ensure the individual knows what will be done with their data at the point of collection


1. Process Fairly and Lawfully

  • Privacy Notices

    • See Privacy Notices Code of Practice (www.ico.gov.uk)

  • Sharing data with another organisation (Scenario 1)

  • Using data for a new purpose (Scenario 2)

  • The ‘legitimate interest’ exemption (Scenario 3)

  • Lawful processing (Scenario 4)

  • Other exemptions available


2. Obtain and process for specified purposes only

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”


2. Obtain and process for specified purposes only

Identify the purpose in your Privacy Notice (unless the purpose is obvious)

Register the purpose when notifying the Information Commissioner (unless you are exempt).


2. Obtain and process for specified purposes only

  • Can the data be used for purposes other than those specified?

  • When is one purpose compatible with the other?


3. Adequate, relevant and not excessive

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”


3. Adequate, relevant and not excessive

Only hold data which is sufficient for your purpose and no more (or less)


4. Accurate and up to date

  • To an extent the purpose of this principle is obvious, but in practice:

  • Take reasonable steps to ensure accuracy

  • Ensure the source of personal data is clear

  • Consider challenges to the accuracy of the information and its impact

  • Should you update?


5. Not kept longer than is necessary

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”


5. Not kept longer than is necessary

Adopt a policy to set out how long you will keep information and why

Regularly review the data

Ensure it is securely deleted or archived when it is no longer needed
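The three steps above (a written retention period per purpose, a regular review, and deletion or archiving once the period has run) are easier to get right when the review is a routine rather than a judgement call. The following is an added example, not part of the presentation: the purposes, periods, reasons and records are constructed for illustration, and an organisation's own policy sets the real values. The point it shows that the slides do not is where the clock starts: "necessary for that purpose" means the retention period runs from the date the purpose ends (a membership lapsing, a booking completing), not from the date the data was collected, and a live complaint or claim can override the schedule.

```python
"""Retention review: apply a written retention schedule to a record store.

Added example (not from the presentation). The purposes, periods and reasons
below are constructed for illustration; an organisation's own retention policy
sets the real values and the reason for each.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# purpose -> (days kept after the purpose ends, action when expired, reason)
RETENTION_POLICY = {
    "membership":    (365 * 2, "delete",  "follow-up after lapse, then no longer needed"),
    "event_booking": (90,      "delete",  "booking queries settle within a quarter"),
    "donation":      (365 * 6, "archive", "financial records retained six years"),
}


@dataclass
class Record:
    record_id: str
    purpose: str
    purpose_ended: Optional[date]  # None while the purpose is still live
    legal_hold: bool = False       # e.g. subject of a live complaint or claim


def review(records, today):
    """Decide keep / delete / archive / review for each record.

    The clock starts when the purpose ends, not when the data was collected:
    a member's details are still necessary for as long as they are a member.
    """
    decisions = []
    for r in records:
        if r.purpose not in RETENTION_POLICY:
            decisions.append((r.record_id, "review",
                              "no retention period set for purpose %r" % r.purpose))
        elif r.purpose_ended is None:
            decisions.append((r.record_id, "keep", "purpose still live"))
        elif r.legal_hold:
            decisions.append((r.record_id, "keep", "legal hold overrides retention"))
        else:
            days, action, reason = RETENTION_POLICY[r.purpose]
            if today - r.purpose_ended > timedelta(days=days):
                decisions.append((r.record_id, action, reason))
            else:
                decisions.append((r.record_id, "keep", "within retention period"))
    return decisions


def apply_decisions(store, archive, decisions, today):
    """Remove or archive expired records and return an audit trail.

    Removing an entry from this in-memory store is the whole job here; for a
    database or file store the deletion must also reach backups, exports and
    any other copies, or the data has not really gone.
    """
    audit = []
    for record_id, action, reason in decisions:
        if action == "delete":
            del store[record_id]
        elif action == "archive":
            archive[record_id] = store.pop(record_id)
        else:
            continue
        audit.append("%s %s %s: %s" % (today.isoformat(), action, record_id, reason))
    return audit


# Constructed sample data for a review run dated 1 March 2013.
SAMPLE_RECORDS = [
    Record("m1", "membership", date(2010, 1, 1)),       # lapsed over two years ago
    Record("m2", "membership", None),                   # still a member
    Record("e1", "event_booking", date(2013, 1, 15)),   # 45 days ago
    Record("d1", "donation", date(2005, 6, 30)),        # older than six years
    Record("d2", "donation", date(2005, 6, 30), legal_hold=True),
    Record("x1", "newsletter", date(2012, 1, 1)),       # purpose missing from policy
]


def run_review(today=date(2013, 3, 1)):
    """Run the review over the sample store; returns (decisions, store, archive, audit)."""
    store = {r.record_id: r for r in SAMPLE_RECORDS}
    archive = {}
    decisions = review(list(store.values()), today)
    audit = apply_decisions(store, archive, decisions, today)
    return decisions, store, archive, audit


if __name__ == "__main__":
    for line in run_review()[3]:
        print(line)
```

A record whose purpose has no entry in the policy is flagged for review rather than silently kept; that is usually how data that "should have gone years ago" is found. The audit trail is what you show an auditor, or the ICO, to evidence that the review actually runs.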


6. The rights of individuals

  • A right of access to the data held about them (subject access)

  • A right to object to processing likely to cause substantial damage or distress

  • A right to prevent direct marketing

  • A right to object to decisions taken by automated means

  • A right to have inaccurate data corrected or erased

  • A right to compensation for damage caused by a breach of the Act


7. Security

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”


7. Security

  • Things to think about:

    • Who should have access to the data?

    • Physical security

    • Computer security

    • Security Breach Management Plan


7. Security Breach

  • Security Breach Management Plan:

    • Containment and recovery

    • Assessing the risks

    • Notification of breaches

    • Evaluation and response


8. Transfer outside the EEA

“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”


Direct Marketing

Assuming the correct notices / consents have been given or can be safely assumed, direct marketing is usually permitted


Direct Marketing

  • Only covered if directed at individuals

  • Covers communications by whatever means

  • Includes marketing, advertising, campaigning, fundraising etc.


Direct Marketing

  • Opt outs and stop notices – 28 days

  • Delete or suppress?

  • Can I ask them to opt back in?
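"Delete or suppress?" has a practical answer that the slide leaves open: if you delete the contact record, a later import from another source (a partner list, an old spreadsheet) can bring the same person straight back with no memory of their stop notice. A suppression list keeps the fact of the opt-out. The following is an added example, not code from the presentation; the addresses and the secret are constructed, and storing an HMAC tag rather than the address is a design choice of this example so that the suppression list is not itself a second contact list. The opt_in method lifts a suppression only on a fresh, later-dated positive opt-in; whether and how you may ask for that is the question the slide raises and this code does not answer.

```python
"""Marketing suppression list: remember an opt-out without keeping the address.

Added example (not from the presentation). Addresses and the secret below are
constructed for illustration; the 28-day figure is the one the slides give for
honouring a stop notice.
"""
import hashlib
import hmac
from datetime import date, timedelta

STOP_NOTICE_DAYS = 28


def normalise(email):
    """Match the same person across lists despite case and whitespace differences."""
    return email.strip().lower()


class SuppressionList:
    """Keyed hashes of opted-out addresses, never the addresses themselves.

    Deleting the contact record does not honour an opt-out for long: the same
    person can come back in through another import and nothing remembers they
    said stop. Suppression keeps the fact of the opt-out, and keeping only an
    HMAC tag means the list is not a second contact list if it leaks.
    """

    def __init__(self, secret):
        self._secret = secret   # assumed held server-side, separate from the list store
        self._entries = {}      # tag -> (date opt-out received, deadline to act on it)

    def _tag(self, email):
        return hmac.new(self._secret, normalise(email).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def opt_out(self, email, received):
        """Record a stop notice; it must be acted on within STOP_NOTICE_DAYS."""
        self._entries[self._tag(email)] = (received,
                                           received + timedelta(days=STOP_NOTICE_DAYS))

    def is_suppressed(self, email):
        return self._tag(email) in self._entries

    def opt_in(self, email, consented):
        """Lift a suppression only on a fresh positive opt-in dated after the opt-out."""
        tag = self._tag(email)
        if tag in self._entries and consented > self._entries[tag][0]:
            del self._entries[tag]
            return True
        return False

    def filter_campaign(self, recipients, send_date):
        """Split a campaign list into (send, dropped, overdue).

        'overdue' lists suppressed addresses still present in the source data
        after the deadline has passed: the suppression stops the send, but the
        source list has not been cleaned and should be.
        """
        send, dropped, overdue = [], [], []
        for address in recipients:
            tag = self._tag(address)
            if tag not in self._entries:
                send.append(address)
                continue
            dropped.append(address)
            if send_date > self._entries[tag][1]:
                overdue.append(address)
        return send, dropped, overdue


if __name__ == "__main__":
    sl = SuppressionList(b"constructed-example-secret")
    sl.opt_out("Alice@Example.org", date(2013, 3, 1))
    print(sl.filter_campaign(["alice@example.org", "bob@example.org"], date(2013, 3, 10)))
```

Each channel needs its own tag: an opt-out received for an e-mail address does not suppress a postal address or phone number for the same person unless your records link them, so run the same check per identifier you market to. The normalisation step is what makes "Alice@Example.org" and "alice@example.org " the same entry; without it the opt-out is trivially bypassed by a re-import with different capitalisation.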


Electronic Marketing

Privacy and Electronic Communications Regulations

What are the rules governing unsolicited:

Phone calls

Fax marketing

E-mails, texts and voicemails


Electronic Marketing

Websites:

What are the data issues?

Cookies?


Discussion Q&A

Workshop locations