Data Protection. Paul Veysey & Bethan Walsh. Introduction. Data Protection is about protecting people by responsibly managing their data in ways they expect and understand. 90%. Penalties.
The DPA is concerned with ‘Personal Data’ held by ‘Data Controllers’
Identifiable - living - individuals
Information held on a computer
Information in a relevant manual filing system
Information intended to join one of the above
Most organisations that process personal data must register (notify) with the ICO. Failure to notify is a criminal offence and a fine can be imposed.
Personal data cannot be processed until registration has taken place
£35 per year
(If you have more than 249 employees and a turnover in excess of £25.9 million – the fee is £500 for notification - unless a charity)
Not-for-profit organisations have the benefit of an opt-out where their functions are limited to:
• establishing or maintaining membership;
• supporting a not-for-profit body or association; or
• providing or administering activities for either the members or those who have regular contact with it.
1. Process fairly and lawfully
2. Obtain and process for specified purposes only
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than is necessary
6. Processed in accordance with the rights of the individual
7. Appropriate security measures against unauthorised or unlawful use of data and against loss, destruction or damage
8. Transfer outside the EEA only where adequate protection is in place
What can I do with personal data?
The Act sets out ‘conditions for processing’, one of which must be complied with for processing to take place
The key condition is CONSENT
The safest route to compliance is to ensure the individual knows what will be done with their data at the point of collection
“The personal data shall be obtained only for one or more specified lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes”
Identify the purpose in your Privacy Notice (unless the purpose is obvious)
Register the purpose when notifying the Information Commissioner (unless you are exempt).
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”
Only hold data which is sufficient for your purpose and no more (or less)
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes”
Adopt a policy to set out how long you will keep information and why
Regularly review the data
Ensure it is securely deleted or archived when it is no longer needed
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
“Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
Assuming the correct notices / consents have been given or can be safely assumed, direct marketing is usually permitted
Privacy and Electronic Communications Regulations
What are the rules governing unsolicited e-mails, texts and voicemails?
What are the data issues?