DATA PROTECTION REFORM THE GENERAL DATA PROTECTION REGULATION


DATA PROTECTION REFORM & THE GENERAL DATA PROTECTION REGULATION. Coming to Nottingham on 25th May 2018


Introduction
• Housekeeping (and ground-rules)
• Who am I?
• What we will cover: Data Protection as it is! Data Protection as it (probably) will be! Questions and quiz


Definitions/jargon
• Personal data is information about a living individual.
• A data controller is a person or organisation that collects and keeps data about people, and decides why and how it is used.
• A data subject is someone who has data about them stored somewhere by a data controller.
• A data processor is someone who makes use of personal data on a data controller's behalf; and
• Processing is everything from collection to disposal of personal data.


Why do you need to know this?
• You collect and deal with complex and sensitive information.
• Data Protection requires you to protect people's personal data (from loss, unauthorised use etc.)
• For all staff, it is your responsibility; and
• It is (should be) in your contract of employment!
• Wilful/negligent breach: gross misconduct and possible prosecution


GDPR Overview
• New EU Regulation, to be adopted in full by all EU Member States so as to harmonise Data Protection across Europe
• In force across the EU from 25th May 2018


GDPR Overview (2)
• Despite Brexit plans, the UK has confirmed it will adopt the Regulation
• Similar to the UK's Data Protection Act but with more (definite) protection for data subjects; and
• (probably) Larger fines!


Derogations BUT…
• The Regulation allows Member States to do some parts of the Regulation in their own way
• There are 50+ of these derogations
• The UK Government will need to pass legislation to implement these before 25th May 2018
• Data Protection Bill published 14th Sept 2017


RECAP Current Data Protection Act


Currently: the Law as it is
• Data Protection Act 1998 applies to PERSONAL information that is held and processed by you.
• Applies to living individuals
• 8 principles of the Act
• If you have a lawful basis to act, the Act allows you to.
• The Information Commissioner (ICO) is the regulator
• Serious consequences for failing to comply with the Act:
– Data Controller: up to £500k fine for a serious information breach
– You: disciplinary action and possibly dismissal
It is everyone's responsibility to understand the principles in relation to your role and team.


Personal Data Identifies a living individual


Sensitive Personal Data
(a) Racial or Ethnic Origin
(b) Political Opinions or Persuasion
(c) Religious Beliefs or other beliefs of a similar nature
(d) Trade Union Membership or Affiliation
(e) Physical or Mental Health or Condition
(f) Sexual Life
(g) Commission or Alleged Commission of Offences
(h) Any proceedings for any offence, committed or alleged, including any sentencing decisions made by the Court


Conditions for processing
• Uses of personal data must meet a condition from Schedule 2
• Uses of sensitive personal data must meet a condition from Schedule 2 and one from Schedule 3
• Can get consent, but ideally rely on something else!


8 Data Protection Principles


Question


Requests for Information: who can you be asked by?
• Living individuals/their agents: Subject Access Requests (YOU CAN CHARGE UP TO £50 for health records)
• Access to Health Records Act 1990: deceased patients' records/manual records
• Police: Section 29
• Solicitors & insurance companies: Section 35
• Freedom of Information?
If in doubt, refer to Information Governance at the CCG


Question-who is covered by Data Protection?


Who regulates this?
• The Information Commissioner's Office (ICO)
• Promotes transparency in government; proactive approach to enforcement of access and privacy laws
• Provides guidance and advice
• Reports to Parliament
• Independent of Government
• And…


Who regulates (2)
• Investigates breaches; and
• Imposes Civil Monetary Penalties (CMP): up to £500K per breach… currently
• Bad press/enforcement action
• Possible prosecution of individuals/organisations


Breaches


CMP issued: examples
• North East Lincolnshire Council were issued with an £80,000 fine in 2013: loss of child data on a USB stick
• Aberdeen City Council were issued with a £100,000 fine in 2013: accidental upload to the web
• Chelsea and Westminster Hospital NHS Foundation Trust were issued with a £180,000 fine in 2016: email sent to 700 plus recipients with addresses openly visible
• Nottinghamshire County Council were issued with a £70,000 fine in 2017. They left vulnerable people's personal data exposed online for five years


Penalties for individuals
• Ex-Leicester City Council worker: fined £160, plus £364.08 prosecution costs and a £20 victim surcharge. Stole 349 service user and staff records to help set up a new business.
• Medical receptionist: 2 year conditional discharge, £614 costs. Unlawfully obtained her sister-in-law's medical records.
• Bank cashier: fined £2,990, £250 costs, £120 victim surcharge. Used position to illegally access customer details.


And… Caldicott Principles
1. Justify the purpose(s) for using confidential information
2. Don't use personal confidential data unless it is absolutely necessary
3. Use the minimum necessary personal confidential data
4. Access to personal confidential data should be on a strict need-to-know basis
5. Everyone with access to personal confidential data should be aware of their responsibilities
6. Comply with the law
7. The duty to share information can be as important as the duty to protect patient confidentiality


THE FUTURE GDPR/Bill… what’s different?


New Data Protection Bill (1)
• Parts 1 & 2 – Definitions and General Processing (GDPR)
• Part 3 – Law Enforcement
• Part 4 – Intelligence Services
• Part 5 – Information Commissioner's Office
• Part 6 – Enforcement
• Part 7 – Miscellaneous!


New Data Protection Bill (2)
Law Enforcement is covered by Clauses 27-79. Organisations will only be subject to these clauses if they are:
• a Competent Authority, or
• processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.


The Regulation Modernises (1)
• Adds biometric and genetic data as classes of special category data (formerly known as sensitive personal data)
• Gives added protection to children using sites such as Facebook & Snapchat (Information Society Services)


The Regulation Modernises (2)
• Profiling is defined as 'automated processing intended to evaluate certain personal aspects of an individual'
• Pseudonymisation: pseudonymised data is clearly categorised as personal data, because it can still be attributed to an individual with the use of additional information (e.g. the key or lookup table held separately)


Future 6 Principles (current principle -> GDPR principle)
1. Fair & lawful -> Lawfulness, fairness and transparency
2. For specific, explicit and legitimate purposes -> Purpose limitation
3. Adequate, relevant & limited -> Data minimisation
4. Accurate & up to date -> Accuracy
5. Not kept longer than necessary -> Storage limitation
6. Ensure appropriate security -> Integrity and confidentiality


2 Missing Principles?
1. Data Subject Rights get a whole chapter to themselves, in Articles 12-22
2. Transfer outside the EEA is no longer a standalone principle: the Regulation itself applies to organisations outside the EU that target EU data subjects (see Scope & Territory), and transfers are dealt with separately in Chapter V (Articles 44-50)


Additional 'Principles' (1)
Overarching new embedded principle: Accountability. An organisation must be able to demonstrate that it complies:
• Implement appropriate technical and organisational measures that ensure and demonstrate that you comply, e.g. policies, procedures, security.
• Maintain relevant documentation on processing activities.
• Where appropriate, appoint a Data Protection Officer.
• Implement measures that meet the principles of data protection by design and data protection by default.
• Use Data Protection Impact Assessments where appropriate.


Break


Data Subject Rights
The Rights of the Data Subject (Articles 12 to 22)
• Right to Access
• Right to Rectification
• Right to Erasure
• Right to Restriction
• Right to Data Portability
• Right to Object
• Right to Complain (to the supervisory authority)


Subject Access Requests
• Can no longer charge £10/£50
• Unless… extra copies = reasonable fee; or
• Manifestly unfounded or excessive = reasonable fee (based on administrative costs) or refusal
• Provide a copy of the data being processed; and
• Details of how it is processed, and by whom!
• 1 month to respond… can be extended by a further 2 months where requests are complex or numerous


Controller-Processor
• Your Data Processors are now also as liable as Data Controllers for fines; but
• You must review all contracts and update as necessary to reflect the new obligations
• Undertake a DPIA as part of the pre-tender process
• Use Model DP Questions in ITTs
• Use Model EU DP Clauses in contracts
• Use Model Data Processing Agreements


Scope & Territory
GDPR will apply to the processing of personal data:
• For the activities of an organisation established in the EU, regardless of whether the data processing takes place in the EU or not; and
• Of data subjects residing in the EU by an organisation not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.
• Issues for the UK post-Brexit?


Conditions for Processing Data
Conditions for processing non-special personal data under GDPR (Article 6):
• Consent
• Contract
• Legal obligation
• Vital interests of the data subject
• Public task (processing necessary in the public interest or in the exercise of official authority)
• Legitimate interests (can no longer be relied on by public authorities for processing done in the performance of their core tasks)


Conditions for Processing Data (2)
Conditions for processing special category data under GDPR (Article 9):
• Explicit consent
• Employment, social security or social protection law
• Vital interests of the data subject or another person
• Not-for-profit bodies
• Made public by the data subject
• Legal claims
• Substantial public interest
• Medicine, health or social care
• Public health
• Research and statistics
• + national derogations; all the same as now


Consent
If you use consent as a basis for using data you must:
• Obtain consent that is clear, affirmative, informed, freely given and unambiguous; for special category data it must be EXPLICIT; opt in, not opt out
• Record it: you must be able to show an audit trail
• Use consent as a last resort where possible. If they withdraw it you have problems!


It is not just about consent!
• Other conditions for processing will apply
• Like… Article 9!


Health: Article 9 conditions
• Article 9(2)(i): processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;
• Article 9(2)(c): processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.


What about the Duty of Confidence?
• Art 6 condition: yes
• Art 9 condition: yes
• Especially for direct care / the team around the patient
• BUT
• Common law… is there a duty of confidence?
• If yes, consent is still needed to share, but this can be implied rather than explicit


Information Society Services
(As defined by the E-Commerce Regulations; GDPR Article 8.) Where online services are provided to a child and consent is relied on, consent must be given or authorised by a person with parental responsibility for the child. This requirement applies to children under the age of 16 (unless the Member State has made provision for a lower age limit, which may be no lower than 13). For other processing, apply Gillick competency.


Privacy Notices (1)
• Privacy Notices must be in plain English and child friendly
• ICO says be innovative, e.g. videos


Privacy Notices (2)
A Privacy Notice must include:
• Identity and contact details of the controller;
• Contact details of the Data Protection Officer (if you have one);
• Purposes of processing and legal basis for processing, including the "legitimate interest" pursued by the controller if this is the legal basis;
• Recipients, or categories of recipients;
• Details of data transfers outside the EU, including how the data will be protected (e.g. the recipient is in an adequate country; Binding Corporate Rules are in place etc.) and how the individual can obtain a copy of the BCRs or other safeguards, or where such safeguards have been made available.


Privacy Notices (3)
A Privacy Notice must include:
• The retention period for the data; if that is not possible, then the criteria used to set it.
• That the individual has a right to access and port data, to rectify, erase and restrict his or her personal data, to object to processing and, if processing is based on consent, to withdraw consent.
• That the individual can complain to a supervisory authority, e.g. the ICO.
• Whether there is a statutory or contractual requirement to provide the data, and the consequences of not providing it.
• If there will be any automated decision making, together with information about the logic involved and the significance and consequences of the processing for the individual.


Data Protection Officer (1)
• All public sector organisations must have one (i.e. those covered by FOI)
• Can appoint 1 DPO to multiple organisations
• Role can be part of another job, but with no conflict of interest (cannot be the Chief Executive, SIRO, Caldicott Guardian, Head of IT etc.)
• Expert knowledge in Data Protection law and practice
• Can outsource
• Anyone in the Practice fit the bill (yet)?


Data Protection Officer (2)
• Reports to top level management but is independent
• Protected from dismissal / coercion
• Resourced
• Contact details published
• Defined duties: training, policy review, reporting breaches, complaints etc.


Record of Processing Activities
Kept by the DPO and basically an Information Asset Register + extra GDPR requirements, to include:
• Purpose for processing
• Categories of data and of data subjects
• Transfers/disclosures
• Retention
• Security


Privacy by Design
• Data Protection Impact Assessments (ex-PIAs) will be mandatory for some processing of data (processing likely to result in a high risk to individuals)
• Mandatory DPIAs must be signed off by the Data Protection Officer if you have one
• Where a DPIA shows the processing would still pose a high risk, you must consult the ICO before starting
• Build DPIAs into your normal business practice
• Allow time in your processes for ICO turnaround (could be several weeks: the ICO has up to 8 weeks to respond, extendable by a further 6)


Data Breaches
• Report to the ICO within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals
• Later only with a 'reasoned justification' for the delay
• Business fines of up to €10m or 2% of global annual turnover, or for the most serious infringements up to €20m or 4%, whichever is the greater!
• UK ICO may or may not go there!


Data Breaches (2)
• Report to the individuals concerned too if there is a high risk to them
You will need a robust incident reporting process in place.


Data Breaches (3)
Higher level fines for breaches of:
• Principle 1: fair and lawful
• Consent
• Misuse of special category data
• Data subjects' rights
• Transfers to 3rd countries


Contracts
• Data Processors are now also as liable as Data Controllers for fines
• Review all contracts and update as necessary to reflect the new obligations
• Must have a data processing agreement in place with contractors, via the contract


Training
• Responsibility of the Data Protection Officer
• Staff are a key risk area
• Ensure all are aware of the new requirements before 25th May 2018!


Challenges for Practices (1)
• Appointing a Data Protection Officer: shared?
• Contracts: review
• Getting/managing consent and lawful basis
• Requests & rights
• Giving Privacy Notices & revised guidance
• Completing DPIAs
• Reporting data breaches
• Records of Processing Activities


Challenges for Practices (2)
• Co-located services: honorary NHS contracts?
• Electronic Record Sharing: access to GP systems?
• Better Care Together work
• Contracts (inc. commissioning)


Support available
• Nottingham City CCG: support to practices
• Briefings for Practices
• Advice and guidance
• Information Commissioner's Office: Data protection reform | ICO
But:
• External organisations: beware the cowboys!


The Future
• Caldicott 3: National Data Standards & Consent Models
• Electronic Records 2020
• Social Care/Health Integration
• New IG Toolkit (including Training)


Questions & Quiz


Contact
• Loretta Bradley, Head of Information Governance (0115 8839508)
• Helen Clark, Information Governance Officer (0115 8839442)