data protection n.
Skip this Video
Loading SlideShow in 5 Seconds..
Data Protection PowerPoint Presentation
Download Presentation
Data Protection

Data Protection

242 Views Download Presentation
Download Presentation

Data Protection

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Data Protection the basics

  2. Data Protection (DP) objectives • Why DP is important? • Overview of the Act (the basics) • Help/support

  3. Data Protection: why is it important? • Privacy a fundamental right in Human Rights Act • Costs of unfair processing • Identity theft • ‘Information injustice’ – social networking sites and jobs • Brandon Mayfield • Personnel • Security breaches – HMRC, MOD • Individuals (data subjects) have strong rights under the Act which cost the University • Individuals will complain if the University gets it wrong – media, decision notices

  4. Data Protection: overview • DP Act 1998: came into full effect in March 2000. • Regulates of processing of personal data relating to living individuals who can be identified from the information. • Basic aim of the Act: to balance the rights of individuals to privacy with the legitimate interests of organisations in processing personal data • Scope of the Act very wide: covers all processing. The proliferation of data, particularly electronic, means many media covered – emails, PDAs, CCTV, photographs, etc

  5. Data Protection: key terms Data…. Recorded electronic or manual information Personal data …is data that: - relates to a identifiable living individual • has the living individual as the main focus • is of ‘biographical significance’ to the individual This includes opinions about them and other peoples’ intentions towards them. Personal data can take many forms…..egs Data processing…all aspects of data handling Data controller…is the organisation (term can apply to employees) who determines the manner and purposes of processing Sensitive personal data….trade union membership, religious beliefs, sexual life, political opinions, criminal history, health

  6. Data Protection: the Act itself From the University’s point of view the main requirements are: • - To comply with 8 DP principles • - To comply with data subject rights in the DP Act • - To notify the Information Commission of its processing

  7. 1. Data protection principles • Personal data not to be transferred outside EEA without protection • Appropriate technical and organisational measures shall be taken to prevent unauthorised processing and loss, destruction or damage to that personal data (a challenge to comply, ie home working?) Explanation of 7th Principle – the University must: - Have a regard to technological developments to ensure a level of security appropriate to: - Harm that might result from unauthorised processing - The nature of the data to be protected - Take reasonable steps to ensure reliability of employees - Data processors must operate under written contract and ‘reasonable steps’ must be taken to ensure compliance

  8. Data protection principles (cont.) 6. Processed in accordance with the rights of the data subject 5. Kept only for so long as is necessary for the specified purpose 4. Accurate (people complain about inaccuracy!) 3. Adequate, relevant and not excessive (Do not collect more than you need!) 2. Obtained and processed for limited purposes • Processed fairly and lawfully. This means: • Issue a fair collection notice at the time of collection • meeting one condition of processing, ie Schedule 2

  9. 1. Schedule 2 – conditions for processing • Consent Or it is necessary for: 2. Contract 3. Legal obligation 4. Vital interests 5. Justice or Crown or Government 6. ‘The balancing act’ - Legitimate interests of data controller/Third parties, but not prejudice rights of individual

  10. 1. Exemptions • DP principles apply to all processing and all personal data unless exemption applies. Examples include: • References • Crime and taxation (prejudice test) • Journalism • Research • Examination marks and scripts • Domestic purposes • Legal professional privilege

  11. 2. Data subject rights • Accuracy –ensure their personal data is accurate • Prevent processing likely to cause damage or distress • Seek compensation • For no 3rd party access • Access to their personal data (subject access request) • Data Protection Officer must answer within 40 days • Offence to destroy ‘stuff’ after a request is received • Requests must be received in writing • Identity of individual must be identified • Maximum of £10 charged

  12. 3. Notification to IC As a data controller, the University of Reading must: • Notify the IC on what personal data it is processing and keep this up to date (given the complexity and size of the University with its semi-autonomous) Schools/Offices this is quite a big operation • Declare a Data Protection Officer • Be compliant with the Data Protection act

  13. DP enforcement • Information Commissioner is responsible for enforcement for DP (and also Freedom of Information FOI and Environmental Information Regulations (EIR)) What does the IC do? • ‘….is the UK's independent authority set up to promote access to official information and to protect personal information’

  14. DP Help • Data protection is complex. Any data protection issue or concern you have talk it through with IMPS. Remember: it is best to check *before* processing • IMPS network • Online training modules - • IMPS contact details: Lee Shailer,, Ext 8981

  15. Data Protection the basics