Data Protection 2020 This presentation should take approximately 30 minutes Learning & Development

Introduction and Objectives

Data protection
• Data protection is making sure that the use of collected personal and sensitive information is strictly controlled. This helps to keep it from being put at risk of unlawful processing or loss.

Objectives
• Have an awareness of the fundamentals of data protection
• Demonstrate what to do if there is a security incident
• Be able to collect, use and share data legally
• Know how to follow the correct procedures for seeking consent
• Evaluate how data protection affects new projects

What is data protection?
• Data protection is controlling the use of personal and sensitive data.
• It ensures the data is not at risk of unauthorised or unlawful processing, and protects it against loss, damage or destruction.
• All individuals have the right to access information held about them.
• There are methods of enforcing best practice, potentially via the Information Commissioner’s Office (ICO).

Data protection affects everyone, as almost every interaction with an organisation involves sharing personal data.

Why complete this training?
• As a local authority, we gather a variety of data on local residents such as names, addresses and other data that can identify an individual.
• If the Council were to lose or otherwise compromise someone’s personal information it could not only have a serious effect on the rights and privacy of the individual, but also put that person at risk of physical harm and/or financial exploitation.
• Completing this learning is a key step in ensuring that the Council stays compliant with all Data Protection legislation and that we keep the data of our service users secure.

The legislation
• DPA 2018 – Data Protection Act 2018
• The DPA 2018 has modernised data protection laws, and applies only to the UK.
• GDPR – General Data Protection Regulation (EU)
• GDPR is EU legislation; because of this we will need to comply with its rules when interacting with EU states.

Types of data

Personal data
• The act describes personal data as “a name, identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
• Simply put, personal data is anything that could allow a living person to be identified.
• This applies to data stored digitally, as a hard copy, or in a visual or audio format.
• Identifiable information is information that easily identifies an individual or a group of individuals.
• Anonymised information has had all personal data removed so that an individual or group of individuals cannot be identified.

Types of data

Special category (sensitive) data
• Some personal data is particularly sensitive.
• Special category (sensitive) data refers to any details that could be more detrimental to the individual if the data is misused.
• Some examples of this data include:
  – Health
  – Political opinions
  – Racial or ethnic origin
  – Genetic or biometric data
  – Sexual orientation
  – Trade union membership
  – Religious and philosophical beliefs
• Sensitive financial data is subject to different standards, under financial services regulation.

Principles of data protection
• These six principles relate to the collection, use, storage and disposal of personal information.

Principle 1 – Fair and lawful
Personal information must be processed lawfully, fairly, and transparently.

Principle 2 – Purposes
Data must be collected for a specific purpose, and should not be used for any other reason.

Principle 3 – Adequacy
The information collected must be relevant and limited to the purpose for which it is being processed.

Principle 4 – Accuracy
The data must be accurate and kept up to date.

Principle 5 – Retention
Data which can identify individuals should be kept only for the length of time it is being processed.

Principle 6 – Integrity and confidentiality
The data must be processed securely, utilising appropriate technical measures to protect against loss or damage.

Who is involved in collecting personal data?

There are three main parties involved in collecting personal data:
• the data subject
• the data processor
• the data controller

Data subject
This is the person whose data is being used.

Data controller
Determines how and why the data will be processed.

Data processor
Anyone who processes the data on behalf of the Data Controller.

The ICO (Information Commissioner’s Office) monitors the use of personal information, to ensure organisations are compliant with the act. They use different methods of monitoring, such as investigations and audits, and these can lead to fines and court orders. Find out more at https://ico.org.uk/

DPA Quiz

As mentioned earlier, some types of data could be detrimental to the individual if the data is misused. This data is called special category (sensitive) data. Which of the below examples are classified as special category (sensitive) data?
• Genetic or biometric data
• Trade union membership
• Home address
• Racial or ethnic origin
• Location data
• Credit reference
• ID card number
• Political opinions
• Email address
• Health
• Bank details
• Religious and philosophical beliefs
• Sexual orientation

DPA Quiz

Special category (sensitive) data is marked with an asterisk (*) below (the original slide showed these items in green). Keep in mind, financial information falls under financial services regulations.
• Genetic or biometric data *
• Trade union membership *
• Home address
• Racial or ethnic origin *
• Location data
• Credit reference
• ID card number
• Political opinions *
• Email address
• Health *
• Bank details
• Religious and philosophical beliefs *
• Sexual orientation *

Who is responsible for data protection within the Council?
• SBC is legally responsible for ensuring that the use of personal and sensitive data is compliant with the Data Protection Act 2018, as we are a Data Controller.
• All levels of management need to make sure staff are kept up to date with relevant training.
• All employees have a responsibility to comply with the act by following Data Protection policies and procedures, as well as reporting concerns or breaches.
• The Council is responsible under the Act for ensuring that the information is not put at risk by commissioned organisations. However, the commissioned organisation is also responsible for the data and may be penalised if there is any loss or compromise of that data.

Accountability
• The DPA introduces the principle of accountability.
• This requires us to take responsibility for complying with the principles, and to be able to provide evidence to demonstrate that we comply.
• When using commissioned services, both that service and SBC are responsible for keeping data compliant with the Act.

Staying Safe
• Don’t share passwords with anyone, and keep passwords strong.
• Take care of equipment which may be used to carry personal and sensitive information.
• Take great care when clicking on links to access or download items.
• Don’t save personal or sensitive data to any non-council supplied equipment, for example a memory stick.
• Take precautionary checks to ensure you are talking to the appropriate person before disclosing personal or sensitive information.
• Personal and sensitive information must never be stored on personal devices.
• If you receive any requests from service users regarding the information that the Council holds about them, you should immediately pass the information to the team that deals with these requests.

Data Protection Incidents

A security incident occurs if any personal and sensitive information is:
• Seen, accessed by or overheard by anyone who has no need to know of it.
• Held on equipment or in hard copy that is mislaid, even if it is encrypted.

A report on the incident must be submitted as soon as you become aware of it and always within 24 hours, so that the Council can determine how serious it is. You must tell your manager and the SBC Information Security Officer.

Data Protection Incidents

Step 1: Investigation
• Look at what happened and why
• Limit the impact
• Learn from it

Step 2: Information Commissioner
If the incident is deemed to be serious, the Council must report the details to the Information Commissioner within 72 hours of the incident becoming known.

Step 3: Informing Subjects
The Act requires that we inform those whose personal information is affected if their rights or privacy could be at risk. We don’t need to tell someone whose information has been compromised unless the incident could affect their rights or privacy.

Consent is needed to use data in the following circumstances:
• When providing a non-statutory service – a service that the Council isn’t required to provide by law.
• If the data is going to be used for something other than its original stated purpose, including when it is shared with other teams or third parties.

You must be able to:
1. Provide evidence of consent, including whether it was given or withheld.
2. Confirm exactly what you told them before consent was provided.
3. Reference the details in a system to ensure that you check regularly whether they have changed their mind.
4. Update the record if anything changes.

Remember that the data subject can withdraw consent at any time.

Sharing Data

Sharing data means passing information to someone within the Council to use for a different purpose to what it was collected for. Before you share, check the following:
• Check that the sharing is legal.
• Ensure that the person receiving the information needs to see it.
• Make sure that the information is accurate and up to date.
• Share only that information that is needed.
• Always share the information by a secure means.
• Make a note somewhere prominent that the sharing has taken place, why and with whom.
• Information Sharing Agreements are only needed if the sharing takes place regularly.
• Recipients must be told if the information that has been shared is incorrect, as this may affect actions they take.

DPA Quiz

What do you think you should do if you receive a request from a service user who wants access to their record and who questions who has access to their personal information?
A. Take the service user’s details and pass the information on to your manager or the team that deals with these requests. Additionally, ask the service user to put their request in writing.
B. Provide the service user with the information they want.

Privacy Notices
• A Privacy Notice explains who is collecting the personal information, why they are collecting it, what will happen to it and when it will be disposed of.
• It also gives details of how the person can exercise their rights in relation to the information being collected and who to contact to do this.

All of SBC’s Privacy Notices are published on the external website: https://www.swindon.gov.uk/info/20028/open_data_and_transparency/912/privacy_notice

Using Contractors
• You must ensure that the provider understands the importance and urgency of reporting any incident involving personal and sensitive information to the Council immediately, so that the Council can meet the 72-hour deadline for reporting incidents to the Information Commissioner. This will be specified in the contract.
• The Council doesn’t need consent to share the information with a contracted provider, but we do need to inform the service user that a provider will be contacting them. This should be made clear in your privacy notice.

What rights do individuals have?
• Data subjects have the right to be told if their personal information is lost or compromised and, as a result, their privacy and rights are at risk.

Individuals have the right to be told:
• Who is using their information and why
• Whether the information will be shared
• How long the information will be kept
• How to contact the organisation and gain access to their record

Individuals also have the right to:
• Request that any inaccuracies are corrected
• Ask for information to be deleted if it doesn’t need to be retained
• Object where they believe their personal information shouldn’t be used at all

DPA Quiz

A resident uses a number of council services and is aware that the council holds some personal and sensitive information about them. They are alarmed by an article that they have read about their local authority. The article claims that the personal data of hundreds of residents has been published online. They decide to call the Council to question what data is on their file, and how it is being used. Which of these statements are true or false?
A. The Council can charge for supplying the information.
B. The service user can ask for their personal information to be updated at any time.
C. The service user has a right to know how long their information will be kept on file for.
D. The Council must supply them with the information being requested.

Who to go to for further Data Protection Advice
• Data Protection Officer – The Data Protection Officer advises the Council about, and monitors compliance with, the requirements of the Act.
• The Information Governance Team – The Information Governance Team addresses day-to-day compliance with the Act, managing incidents, providing guidance and advice to managers and staff, maintaining policies and procedures and risk assessing change.

Contact the Information Governance team: IG@Swindon.gov.uk

Thank you

Please ensure you follow the link below and complete the survey so that the Learning and Development team can keep a training record for you.
https://www.smartsurvey.co.uk/s/Mandatoryelearning2020/