THE IDIOT’S GUIDE To data protection Amanda Kearsley, Director
Introductory Guide to Data Protection HLA Conference 2011 Amanda Kearsley, Director
Why data protection matters to you … CONSEQUENCES OF GETTING IT WRONG
• Enforcement
• Fines
• Criminal liability (potentially personal)
• Negative publicity
• Claims for compensation
• Reduced database value
THE DATA PROTECTION ACT and RELATED LAWS QUICK QUIZ
• A data controller is usually the IT manager or data protection compliance officer: BLUFF
• You can do pretty much anything you want to with personal data: TRUE
• William Shakespeare is entitled to DPA protection for his personal data: BLUFF
• If you want to market by email or SMS you need an ‘opt-in’ from the individual: BLUFF
What’s it all about? THE DATA PROTECTION ACT: DATA CONTROLLERS, PROCESSING, PERSONAL DATA, DATA SUBJECTS
‘Data controller’ … is a person who determines the purposes for which, and the manner in which, personal data are processed.
Examples:
• Marks and Spencer PLC
• Vodafone Limited
• Leicestershire & Rutland Organisation for the Relief of Suffering Limited
NOT employees or third party data processors
‘Processing’ … Virtually ANYTHING that can be done with personal data.
Examples:
• obtaining, recording, holding
• organising, altering
• retrieving, consulting, using
• disclosing, transmitting
• combining, blocking, erasing, destroying
‘Data’ … Information that is AUTOMATICALLY processed.
Examples:
• on computers, PDAs, BlackBerrys
• video systems, CCTV cameras, audio systems
Also information processed in HIGHLY STRUCTURED MANUAL FILES.
Examples:
• index card systems
• HR files
‘Personal data’ … Data relating to a LIVING, IDENTIFIABLE INDIVIDUAL who can be identified from:
• THOSE DATA, or
• those data AND OTHER DATA in the possession of, or likely to come into the possession of, the data controller
Examples:
• contact details
• video footage of staff leaving premises
• list of winners of a competition
• staff appraisals
‘Data subject’ … An individual who is the subject of personal data.
Examples:
• staff
• officials
• suppliers
• family members
Recap … Any person who is a DATA CONTROLLER and PROCESSES PERSONAL DATA relating to a DATA SUBJECT is subject to the Data Protection Act 1998.
THE 8 DATA PROTECTION PRINCIPLES
Principle 1 FAIR & LAWFUL: JUSTIFY PROCESSING
• Ordinary personal data: consent, or processing necessary for vital interests, legitimate interests, or legal rights/obligations
• Sensitive personal data: explicit consent
Principle 2 LAWFUL & STATED PURPOSES
• Notify on the register of data controllers
• Data protection notices
WHAT TO NOTIFY
• Full legal entity name of the data controller
• Purposes for processing (e.g. staff admin, marketing, trading in personal data)
• Data classes (e.g. staff, customers, suppliers)
• Recipients (e.g. the data subject himself, data processors)
• Transfers outside the EEA
Fees are payable; renewable annually.
EXEMPTION FROM NOTIFICATION: CERTAIN ‘NOT FOR PROFIT ORGANISATIONS’
• Must be constituted as ‘not for profit’
• Must only use the personal data for the following:
  • staff administration (including payroll)
  • own advertising, marketing and PR
  • own accounts and records
CONTENT OF A DATA PROTECTION NOTICE
• Identity of data controller(s)
• Description of purposes, especially non-obvious ones (e.g. administration, marketing, profiling)
• Description of disclosures and disclosees (e.g. commercial partners) and their purposes
• Marketing methods: opt-in or opt-out for direct marketing (email and SMS require consent)
• Right to access personal data
• Right to correct inaccuracies
A notice MUST BE CLEAR, PROMINENT AND UNDERSTANDABLE, and GIVEN AT THE TIME DATA ARE COLLECTED (if collected by a 3rd party, give it as soon as reasonably practicable). It CAN BE USED TO OBTAIN CONSENT, e.g. for processing sensitive personal data or email marketing:
• “by ticking this box you consent to. . . ”
• “if you do not consent to. . . then tick this box. . . ”
• “by clicking on the submit button you consent to. . . ”
Recap … What you say in a data protection notice dictates what you can do with the personal data:
• make sure your notices are wide but accurate
• future-proof them as much as possible
• don’t miss anything out
Principle 3 ADEQUATE, RELEVANT & NOT TOO MUCH
Principle 4 ACCURATE & UP-TO-DATE: POLICIES ON UPDATING
Principle 5 NOT FOR LONGER THAN NECESSARY: RETENTION and DESTRUCTION POLICIES
Principle 6 RIGHTS OF INDIVIDUALS
• Subject access
• Opt-out of direct marketing
• Object to automated decisions
Principle 7 APPROPRIATE SECURITY: MEASURES REQUIRED
• Nature of the data
• State of technology
• Cost
• Reliable employees
Using data processors?
• Security guarantee
• Audit compliance
• Written contract
• Processor acts only on the controller’s instructions
• 7th principle obligations flowed down to the processor
Principle 8 TRANSFERS OUTSIDE THE EEA: ONLY TO TERRITORIES WITH AN ‘ADEQUATE LEVEL OF PROTECTION’
CAN YOU? Demonstrate you have not been an Idiot …
QUESTION 1 Which of the following is not a power of the ICO?
(a) to impose fines
(b) to issue an enforcement notice
(c) to impose a custodial sentence
(d) to enter property and seize documents
Answer: (c)
QUESTION 2 Which of the following is not a data subject?
(a) Prince Charles
(b) Princess Diana
(c) Prince William
(d) The Duke and Duchess of Cambridge’s first born
Answer: (b) and (d) (the Act protects only living individuals)
QUESTION 3 Which of the following is not ‘data’?
(a) An email
(b) A message on a post-it note
(c) CCTV image
(d) A HR file
Answer: (b)
QUESTION 4 Which of the following are not ‘personal data’?
(a) Date of birth of the head of your organisation
(b) Address of your organisation
(c) The name of the person who answers the phone in your business
(d) A customer’s opinion of your latest scratch card competition
Answer: (b) (it relates to the organisation, not to a living individual)
QUESTION 5 Which of the following are not ‘sensitive personal data’?
(a) Financial records
(b) Criminal Records Bureau disclosures
(c) Staff medical records
(d) Political opinions
Answer: (a)
QUESTION 6 Which of the following are not DPA principles?
(a) The data controller must process fairly and lawfully
(b) The data controller must make sure that personal data are accurate and up-to-date
(c) The data controller must obtain consent for direct marketing
(d) The data controller must take appropriate security measures to protect personal data
Answer: (c)
QUESTION 7 Which of the following is not a right given to data subjects under the DPA?
(a) The right to access all information held
(b) The right to opt-out of direct marketing
(c) The right to object to automated decision making
(d) The right to prevent processing likely to cause damage and distress
Answer: (a) (subject access is a right to the personal data about you, not to all information held)
THE IDIOTS’ CHECKLIST On the basics for data protection compliance
1. DPO. Appoint somebody within your organisation to be responsible for data protection.
2. Notification. Notify the ICO (unless your organisation is exempt) and ensure your notification is kept up to date.
3. Data protection notices. Have well-drafted and future-proof data protection notices (and use them!).
4. Justification. Justify your processing.
5. Quality. Ensure you capture data accurately and keep it up to date.
6. Data processors. Have contracts in place with your data processors and monitor that they are doing what they say they will do.
7. Security. Have and use appropriate security for all personal data.
8. Policies. Have appropriate policies in place (including retention, deletion, security).
9. Rights. Comply with all data subject rights (e.g. the right to opt out of direct marketing and the right of access).
10. Training. Ensure staff are trained in their responsibilities.