THE IDIOTS GUIDE To data protection Amanda Kearsley

Slides: 37
THE IDIOTS’ GUIDE To data protection. Amanda Kearsley, Director
Introductory Guide to Data Protection, HLA Conference 2011. Amanda Kearsley, Director

Why data protection matters to you … CONSEQUENCES OF GETTING IT WRONG
• ENFORCEMENT
• FINES
• CRIMINAL LIABILITY (potentially personal)
• NEGATIVE PUBLICITY
• CLAIMS FOR COMPENSATION
• REDUCED DATABASE VALUE

THE DATA PROTECTION ACT and RELATED LAWS: QUICK QUIZ (true or bluff?)
• A data controller is usually the IT manager or data protection compliance officer: BLUFF
• You can do pretty much anything you want to with personal data: TRUE
• William Shakespeare is entitled to DPA protection for his personal data: BLUFF
• If you want to market by email or SMS you need an ‘opt-in’ from the individual: BLUFF

What’s it all about? THE DATA PROTECTION ACT
• DATA CONTROLLERS
• PROCESSING
• PERSONAL DATA
• DATA SUBJECTS

‘Data controller’ … is a person who determines the purposes for which, and the manner in which, personal data are processed
Examples:
• Marks and Spencer PLC
• Vodafone Limited
• Leicestershire & Rutland Organisation for the Relief of Suffering Limited
NOT employees or third party data processors

‘Processing’ … Virtually ANYTHING that can be done with personal data
Examples:
• obtaining, recording, holding
• organising, altering
• retrieving, consulting, using
• disclosing, transmitting
• combining, blocking, erasing, destroying

‘Data’ … Information that is AUTOMATICALLY processed
Examples:
• on computers, PDAs, BlackBerrys
• video systems, CCTV cameras, audio systems
Information processed in HIGHLY STRUCTURED MANUAL FILES
Examples:
• index card systems
• HR files

‘Personal data’ … Data relating to a LIVING INDIVIDUAL who can be identified from:
• THOSE DATA, or
• those data AND OTHER DATA in the possession of, or likely to come into the possession of, the data controller
Examples:
• contact details
• video footage of staff leaving premises
• list of winners of a competition
• staff appraisals

‘Data subject’ … An individual who is the subject of personal data
Examples:
• staff
• officials
• suppliers
• family members

Recap … Any person who is a DATA CONTROLLER that PROCESSES PERSONAL DATA relating to a DATA SUBJECT will be subject to the Data Protection Act 1998

THE 8 DATA PROTECTION PRINCIPLES

Principle 1: FAIR & LAWFUL
JUSTIFY PROCESSING
• ORDINARY personal data: Consent
• SENSITIVE personal data: Explicit consent
Other grounds: Necessary; Vital interests; Legitimate interests; Legal rights/obligations

Principle 2: LAWFUL & STATED PURPOSES
• NOTIFY ON REGISTER OF DATA CONTROLLERS
• DATA PROTECTION NOTICES

WHAT TO NOTIFY
• FULL LEGAL ENTITY NAME OF THE DATA CONTROLLER
• PURPOSES FOR PROCESSING (e.g. staff admin, marketing, trading in personal data)
• DATA CLASSES (e.g. staff, customers, suppliers)
• RECIPIENTS (e.g. the data subject himself, data processors)
• TRANSFERS OUTSIDE EEA
FEES ARE PAYABLE, RENEWABLE ANNUALLY

EXEMPTION FROM NOTIFICATION: CERTAIN ‘NOT FOR PROFIT ORGANISATIONS’
• MUST BE CONSTITUTED AS ‘NOT FOR PROFIT’
• MUST ONLY USE THE PERSONAL DATA FOR THE FOLLOWING: STAFF ADMINISTRATION (including payroll); OWN ADVERTISING, MARKETING AND PR; OWN ACCOUNTS AND RECORDS

CONTENT OF A DATA PROTECTION NOTICE
• IDENTITY OF DATA CONTROLLER(S)
• DESCRIPTION OF PURPOSES (especially non-obvious ones, e.g. administration, marketing, profiling)
• DESCRIPTION OF DISCLOSURES AND DISCLOSEES (e.g. commercial partners) AND THE PURPOSES OF DISCLOSURE
• MARKETING METHODS: OPT-IN or OPT-OUT FOR DIRECT MARKETING (email and SMS require consent)
• RIGHT TO ACCESS PERSONAL DATA
• RIGHT TO CORRECT INACCURACIES

MUST BE CLEAR, PROMINENT AND UNDERSTANDABLE
GIVEN AT TIME DATA ARE COLLECTED (if collected by a 3rd party, give as soon as reasonably practicable)
CAN BE USED TO OBTAIN CONSENT, eg for processing sensitive personal data or email marketing:
• “by ticking this box you consent to . . .”
• “if you do not consent to . . . then tick this box . . .”
• “by clicking on the submit button you consent to . . .”

Recap … What you say in a data protection notice dictates what you can do with the personal data
• make sure your notices are wide but accurate
• future proof them as much as possible
• don’t miss anything out

Principle 3: ADEQUATE, RELEVANT & NOT TOO MUCH

Principle 4: ACCURATE & UP-TO-DATE
• POLICIES ON UPDATING

Principle 5: NOT FOR LONGER THAN NECESSARY
• RETENTION and DESTRUCTION POLICIES

Principle 6: RIGHTS OF INDIVIDUALS
• SUBJECT ACCESS
• OPT-OUT OF DIRECT MARKETING
• OBJECT TO AUTOMATED DECISIONS

Principle 7: APPROPRIATE SECURITY
MEASURES REQUIRED, taking into account:
• Nature of the data
• State of technology
• Cost
• Reliable employees
Using data processors?
• Written contract
• Controller’s instructions
• Security guarantee
• 7th principle obligations
• Audit compliance

Principle 8: TRANSFERS OUTSIDE EEA
• ONLY TO TERRITORIES WITH AN ‘ADEQUATE LEVEL OF PROTECTION’

CAN YOU? Demonstrate you have not been an Idiot …

QUESTION 1 Which of the following is not a power of the ICO?
(a) to impose fines
(b) to issue an enforcement notice
(c) to impose a custodial sentence ✓
(d) to enter property and seize documents

QUESTION 2 Which of the following is not a data subject?
(a) Prince Charles
(b) Princess Diana ✓
(c) Prince William
(d) The Duke and Duchess of Cambridge’s first born ✓

QUESTION 3 Which of the following is not ‘data’?
(a) An email
(b) A message on a post-it note ✓
(c) CCTV image
(d) A HR file

QUESTION 4 Which of the following are not ‘personal data’?
(a) Date of birth of the head of your organisation
(b) Address of your organisation ✓
(c) The name of the person who answers the phone in your business
(d) A customer’s opinion of your latest scratch card competition

QUESTION 5 Which of the following are not ‘sensitive personal data’?
(a) Financial records ✓
(b) Criminal Records Bureau disclosures
(c) Staff medical records
(d) Political opinions

QUESTION 6 Which of the following are not DPA principles?
(a) The data controller must process fairly and lawfully
(b) The data controller must make sure that personal data are accurate and up-to-date
(c) The data controller must obtain consent for direct marketing ✓
(d) The data controller must take appropriate security measures to protect personal data

QUESTION 7 Which of the following is not a right given to data subjects under the DPA?
(a) The right to access all information held ✓
(b) The right to opt-out of direct marketing
(c) The right to object to automated decision making
(d) The right to prevent processing likely to cause damage or distress

THE IDIOTS’ CHECKLIST On the basics for data protection compliance
1 DPO. Appoint somebody within your organisation to be responsible for data protection
2 Notification. Notify the ICO (unless your organisation is exempt) and ensure your notification is kept up to date
3 Data protection notices. Have well drafted and future proof data protection notices (and use them!!)
4 Justification. Justify your processing
5 Quality. Ensure you capture data accurately and keep it up to date
6 Data processors. Have contracts in place with your data processors and monitor that they are doing what they say they will do
7 Security. Have and use appropriate security for all personal data
8 Policies. Have appropriate policies in place (including retention, deletion, security)
9 Rights. Comply with all data subject rights (eg right to opt out of direct marketing and right of access)
10 Training. Ensure staff are trained in their responsibilities