Data Protection Act 1998 / General Data Protection Regulation 2016 / Freedom of Information Act
Ewan Robson, Director, IG Compliance Ltd

Today's Training
• Look at the history of the Data Protection Act / General Data Protection Regulation / Freedom of Information Act
• Your responsibilities
• Analyse the Acts
• ICO
• Training rules

Data Protection Act / General Data Protection Regulation: What do you know?
Your Responsibilities
• Have in place a Fair Processing Notice / Privacy Notice
• Have in place agreements for sharing information with partners?
• Have in place procedures for responding to data protection subject access requests?

Your Responsibilities (2)
DPA –
• Have in place an officer responsible for data protection
• Register with the Information Commissioner's Office as required by the Data Protection Act? (£55)
• Give members and officers training on data protection and information sharing and ensure that knowledge is kept up to date?
GDPR –
• Have in place an officer responsible for data protection
• Tiered approach (1st April 2018)
• Give members and officers training on GDPR and information sharing and ensure that knowledge is kept up to date?
Legal Definitions
(Data) Controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
(Data) Processor: in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
(Data) Subject: means an individual (natural person) who is the subject of personal data.
Personal data: data which relates to a living individual (natural person) who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the (data) controller.
Principle 1
DPA – Principle 1: Personal data shall be processed fairly and lawfully.
GDPR – Article 5(1)(a): Processed lawfully, fairly and in a transparent manner in relation to the data subject.

Principle 2
DPA – Principle 2: Personal data shall be obtained only for one or more specified and lawful purposes.
GDPR – Article 5(1)(b): Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Principle 3
DPA – Principle 3: Adequate, relevant and not excessive.
GDPR – Article 5(1)(c): Adequate, relevant and limited to what is necessary.

Principle 4
DPA – Principle 4: Personal data shall be accurate and, where necessary, kept up to date.
GDPR – Article 5(1)(d): Accurate and, where necessary, kept up to date.

Principle 5
DPA – Principle 5: Personal data shall not be kept for longer than is necessary.
GDPR – Article 5(1)(e): Kept in a form which permits identification of data subjects for no longer than is necessary.

Principle 6
DPA – Principle 6: Personal data shall be processed in accordance with the rights of data subjects.
GDPR – Article 15.

Principle 7
DPA – Principle 7: Appropriate technical and organisational measures.
GDPR – Article 5(1)(f): Processed in a manner that ensures appropriate security of the personal data.

Principle 8
DPA – Principle 8: Personal data shall not be transferred to a country or territory outside the European Economic Area.
GDPR – Removed.
Data Subject Rights – Article 15
DPA –
• Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
• Given a copy of the information comprising the data
• Apply in writing (form or letter)
  – Name
  – Address/contact details
  – Fee if appropriate
• 40 days to complete the request
• To communicate the information in an intelligible form
• Rights to complain to the ICO
GDPR –
• Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
• Given a copy of the information comprising the data
• Apply in writing (form/letter) or verbally
  – Name
  – Address/contact details
  – No fee
• 1 calendar month to complete the request
• To communicate the information in an intelligible form
• Rights to complain to the Regulatory Authority
Data Protection Officer
Article 37 – Designation of the data protection officer
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
Data Protection Officer (2)
Article 38 – Position of the data protection officer
The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Data Protection Officer (3)
Article 39 – Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Who is the ICO?
• UK Independent Authority
What do they do?
• Advice
• Investigation
• Complaints
What does that mean?
• Fines
• Enforcement notices
• Decision notices

GENERAL DATA PROTECTION REGULATION
Why was the change needed?
• Aim to reinforce individuals' rights in the digital age
• Free flow of personal data in the digital market
• To give citizens back control over their personal data
• Simplify the regulatory environment for business
• Applicable to all EU Member States

Headline changes
• A single set of rules throughout the EU
• Privacy by Design
• Mandatory Data Protection Officers for public authorities
• Greater focus on obtaining explicit consent
• Mandatory reporting of high-risk incidents within 72 hours
• Increase in sanctions (2–4% of turnover)
• Right to be forgotten and Data Portability
• Liabilities of Controller and Processor
• Rights of the Data Subject

Articles of Note
• Article 3: Territorial scope
• Article 4: Definitions
• Article 5: Principles relating to personal data processing
• Article 6: Lawfulness of processing
• Article 7: Conditions for consent
• Article 9: Processing of special categories of personal data