Data Protection Awareness For the Human Resources Department
- Slides: 36
Areas that we’ll cover
• The Data Protection Legislation
• Personal Data
• Subject Rights
• Personal Data Breaches
• Things to consider and remember…
The Data Protection Legislation
• EU (2016/679) General Data Protection Regulation (GDPR)
• The UK Data Protection Act 2018 (DPA)
They replace the previous Data Protection Act 1998.
Complying with Data Protection Legislation What is personal information?
Complying with Data Protection Legislation Personal information includes any information about a living individual that identifies them, or which could be used in combination with some other information to identify them.
Special Category Data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health
• Sex life or sexual orientation
• Genetic data
• Biometric data
Special Category Data Criminal record?
Definitions What does Processing mean?
Definitions Processing covers a wide range of operations performed on personal data, including by manual or automated means.
Definitions It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data… essentially, any use.
Data Protection Principles There are 7 principles that the Service needs to comply with when processing personal data:
• Principle 1 - Fair, Lawful and Transparent
• Principle 2 - Purpose Limitation
• Principle 3 - Data Minimisation
• Principle 4 - Accuracy
• Principle 5 - Storage Limitation
• Principle 6 - Integrity and Confidentiality
• Principle 7 - Accountability
Data Subject Rights of the Data Subject Individuals are entitled to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.
Data Subject Rights
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
Data Subject Rights – the right of access Subject Access Requests (SARs) Individuals have a right to a copy of their personal data (in most circumstances). We must act on the subject access request without undue delay and at the latest within one month of receipt.
Data Subject Rights – the right of access If you receive a request from someone that relates to their own, or someone else’s, personal data, contact the Information Governance team without delay: Data.Protection@rbfrs.co.uk.
Things to consider If you are using a spreadsheet or database and copy information, remember that you have now duplicated or created new information.
Things to consider It will still be subject to the principles of the Data Protection legislation and the Service’s retention schedules. Can it be deleted or anonymised after use?
Things to consider Remember When working with spreadsheets and reports, be mindful that there may be hidden information which you, or whoever will be using the spreadsheet next, may not be aware of.
Things to remember
• If you need to email personal or confidential information, make sure you use Mimecast secure email.
• When forwarding emails, check that there is no personal information contained within the trail.
• Ensure that the recipient of the personal or confidential information is allowed access to it.
Things to remember
• If you need to dispose of personal or confidential information, use the confidential waste facilities provided.
• Ensure personal and confidential information is locked away when you are not using it and when you leave your desk.
• Ensure your computer is locked when you leave your desk.
Sending hard copy information If you need to mail personal or confidential information a return address should always be included.
Sending hard copy information The envelope should be addressed stating the name of the intended recipient and marked ‘ADDRESSEE ONLY’. Whilst the contents should be protectively marked, the envelope should not be.
Sending hard copy information The Information Asset Owner should decide whether the information is too sensitive to be sent using Royal Mail. In these circumstances a courier or hand delivery should be used.
Personal Data Breaches What is a data breach?
Personal Data Breaches A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Personal Data Breaches The Data Protection legislation places a duty on all organisations to report certain types of personal data breach to the Information Commissioner’s Office. We must do this within 72 hours of becoming aware of the breach.
Personal Data Breaches - examples
• Laptop left in a vehicle and then stolen.
• Forwarded email containing personal data in the email trail.
• S drive folder containing sensitive information open to all users.
• Sensitive information being put in a general waste bin.
Personal Data Breaches - examples
• Email sent to the wrong recipient.
• Hidden columns containing personal data in an Excel spreadsheet.
• Confidential papers left on display in a vehicle.
• Confidential papers sent to the wrong postal address.
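One practical check for the hidden-information point under “Things to consider” and the hidden-columns breach example above, as an added example rather than anything from the Service’s own materials: a small Python scan, using only the standard library, that lists hidden sheets, rows and columns in an .xlsx before the file is shared. The workbook it scans is constructed inline and contains only the parts the scan reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
TRUE = ("1", "true")  # OOXML boolean spellings

def scan_xlsx_hidden(xlsx_bytes: bytes) -> dict:
    """Report hidden sheets, rows and columns in an .xlsx workbook.
    An .xlsx is a zip of XML parts; hidden state is only an attribute
    (sheet state="hidden"/"veryHidden", row hidden="1", col hidden="1"),
    so no spreadsheet library is needed. Worksheets are keyed by part path."""
    found = {"sheets": [], "rows": {}, "cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            if sheet.get("state", "visible") != "visible":
                found["sheets"].append(sheet.get("name"))
        for part in zf.namelist():
            if not re.fullmatch(r"xl/worksheets/sheet\d+\.xml", part):
                continue
            ws = ET.fromstring(zf.read(part))
            rows = [int(r.get("r")) for r in ws.findall("m:sheetData/m:row", NS)
                    if r.get("hidden") in TRUE]
            cols = [(int(c.get("min")), int(c.get("max")))
                    for c in ws.findall("m:cols/m:col", NS) if c.get("hidden") in TRUE]
            if rows:
                found["rows"][part] = rows
            if cols:
                found["cols"][part] = cols
    return found

# Constructed sample workbook: only the parts this scan reads, not a full Excel file.
WB_XML = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
          '<sheets><sheet name="Staff" sheetId="1"/>'
          '<sheet name="Salaries" sheetId="2" state="hidden"/></sheets></workbook>')
STAFF_XML = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
             '<sheetData><row r="1"/><row r="2" hidden="1"/><row r="3"/></sheetData></worksheet>')
SALARIES_XML = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                '<sheetData><row r="1"/></sheetData></worksheet>')

def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", WB_XML)
        zf.writestr("xl/worksheets/sheet1.xml", STAFF_XML)
        zf.writestr("xl/worksheets/sheet2.xml", SALARIES_XML)
    return buf.getvalue()
```

Anything the scan reports should be removed, or the data copied to a clean workbook, before the file leaves the team; a real file can be passed in with `scan_xlsx_hidden(open("report.xlsx", "rb").read())`.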
Personal Data Breaches What to do if you notice or suspect a data breach…
Personal Data Breaches Don’t ignore it or try to cover it up!
Personal Data Breaches Make a quick assessment of the nature and extent of the breach, so you can at least describe what’s happened.
Personal Data Breaches Take any remedial steps you can to limit the impact of the breach.
Personal Data Breaches Complete the Data Breach Report form (available on Siren). Send the form to the Information Governance Team at Data.Breach@rbfrs.co.uk.
Personal Data Breaches If you are in any doubt as to whether a breach has occurred or what to do, contact the Information Governance Team or the Service’s Data Protection Officer (Becca Chapman) as soon as possible.
Further information For more information, you can check out our Team pages on Siren - http://siren/services/informationgovernance/ If you have any queries or concerns you can contact the Information Governance Team – Information.Governance@rbfrs.co.uk / Ext. 4554 / First floor open plan office, HQ.
Further information Any questions?