DP Act Changes and EU Regulation

Data Protection - All Change
or More of the Same?
Paul Ticher

This presentation is intended to help you
understand aspects of the Data Protection Act
1998 and related legislation.
It is not intended to provide detailed advice on
specific points, and is not necessarily a full
statement of the law.

Data Protection - All Change or More of the Same?

What Data Protection is about: 1



Protecting data

Protecting people
Prevent harm to the individuals whose data we
hold, or other people
• Keep information in the right hands
• Hold good quality data




Give us
more
money!

Support our
campaign!

We sold your
details to
someone else

Reassure people that we use their information
responsibly, so that they trust us
• Be transparent – open and honest, don‟t hide
things or go behind people‟s back
• Offer people a reasonable choice over how you
use their data, and what for


Comply with specific legal requirements, such as:

Right to opt out of direct marketing



Right of Subject Access
Notification
(And others)


The main topics for today
Top priorities
• Security
And while we‟re about it
• Transparency
• Latest developments on
• Choice
• Enforcement
• Accuracy & data quality
• Guidance
• New EU Regulation
But first:
• The Data Protection Principles
• The definition of Personal data
• Confidentiality


The Data Protection Principles

1. Data „processing‟ must be „fair‟ and legal
2. You must limit your use of data to the purpose(s)
you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects‟ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad


Personal data

The Act applies to information that is „personal‟ and
„data‟
The personal part means that it is about:
identifiable, living individuals
The data part means that it is recorded:
• on a computer or automated system
• in a „relevant filing system‟
• with the intention of going into one of these
systems
• (others apply to public bodies)


How DP and Confidentiality overlap

Data Protection

Confidentiality

Clear boundaries


Taking confidentiality seriously

Gossip

Scams
Circumventing
security


Security (Principle 7)

The Data Protection Act says you must prevent:
• unauthorised access to personal data
• accidental loss or damage of personal data
The security measures must be appropriate.
They must also be technical and organisational.

The Information Commissioner can
impose a penalty of up to £???????
for gross breaches of security (or
other Data Protection requirements)


Key security measures

Protect „data in transit‟
• passwords, encryption on USB devices, tablets
and laptops
• extreme care when faxing, e-mailing & posting
• think about encryption on e-mails if appropriate
Network security – anti-virus, firewall, log-ons, etc.
Website security – „OWASP top ten‟ or similar
Bring Your Own Device policy
External contractors („Data Processors‟)
Secure destruction – shredding, etc.
Access controls, clear desks, locked filing cabinets
Staff DBS checks, supervision and monitoring


‘Fair’ processing (Pr. 1): Transparency

One part of being fair to people is to make sure they
have no unpleasant surprises when you use data
about them.
This means you must always think whether you
need to tell them anything about:
• who is collecting their information
• what purposes you hold their data for
• who you might pass the data on to
• how to contact you if they want to stop you from
using their data or check what you are doing


‘Fair’ processing (Pr. 1): Choice

The other important part of being fair is to give
people a reasonable choice over how their
information is used.
People must be given a choice over Direct
marketing
Choices can be:
• Opt out (we‟ll do it unless you say „no‟)
• Opt in (we‟ll only do it if you say „yes‟)
Be clear about what choices are offered, record
them carefully, and ensure that they are acted on.
Pre-ticked boxes are not good practice


Conditions for fair processing

You must meet at least one of these:
• With consent of the Data Subject
(“specific, informed and freely given”)
• For a contract involving the Data Subject
• To meet a legal obligation
• To protect the Subject‟s „vital interests‟
• Government & judicial functions
• In your „legitimate interests‟ (or those you
disclose to) provided you don‟t infringe the Data
Subject‟s rights, freedoms or legitimate interests


Data quality (Principles 3 & 4)

The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)


Data Controller
The „person‟ legally responsible for complying with
the Data Protection Act


Staff & volunteers are part of the Data Controller
A trading company is a separate Data Controller
Organisations can be joint Data Controllers




Data Processor
An organisation that has access to Personal Data
on your behalf for your purposes
The Data Controller remains responsible for what
happens to the data
There must be a written contract with the Data
Processor, setting out the relationship and, in
particular, their security responsibilities
Data Processors could include:
• Payroll service
• Cloud computing provider
• Tele-marketing company
• Client database maintenance & development
• Mailing house
• Contractor, delivering services

Developments in enforcement

Recent penalties include:
• Fines for spam messaging
• Fine for breach caused by employee working
from home
• Fines for charities
Other options: enforcement notices, legally binding
undertakings
There have been a few successful challenges on
technicalities
Information Commissioner is consulting on a more
targeted approach to handling complaints


Developments in ICO guidance

Recent publications include:
• a Code of Practice on handling Subject Access
• guidance on Bring Your Own Device policies
• a complete update of their guidance on Direct
Marketing
• guidance on Social Networking
• consultation on a review of the Privacy Notices
Code of Practice


New EU Regulation: Rationale

1995: Directive 95/46/EC
1998: UK Data Protection Act (in force from 2000)
2003 (and earlier): Privacy & Electronic
Communications Regulations
Subsequently:
• World Wide Web
• Cloud computing
• Social media
• Profiling
• Cookies, GPS tracking ...
• Privacy awareness


New EU Regulation: Timetable

January 2012: first draft published by Commission
2012: various EU bodies contribute views
2013: attempts to reconcile differing views, with
several conflicting drafts produced
October 2013: compromise draft agreed by
parliament
2015? Negotiations with Council
Mid-2015? Ratification of final Regulation


New EU Regulation: Some key issues

Consent tightened up – no more pre-ticked boxes
Marketing is a „legitimate interest‟
Limited right of erasure
Right to object to profiling
More detailed privacy notices
Mandatory breach notification
Data Protection by default and by design
Mandatory Data Protection Officer
Privacy impact assessments replace Notification
Much-increased penalties (especially for multinational companies)


Data Protection: the absolute basics

We are trying to:
• Prevent harm by
• Keeping data only in the right hands (and
being clear what „the right hands‟ are)
• Holding good quality data (accurate, up to
date and adequate)
• Reassure people so that they trust us
• Making sure people know enough about
what we are doing
• Giving people a choice where possible


Thank you for listening

To go into more detail, join one of my webinars:
www.paulticher.com/webinars

Or contact me at:
0116 273 8191
paul@paulticher.com

Your Logo

www.paulticher.com

2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE

DP Act Changes and EU Regulation

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (12)

Similaire à DP Act Changes and EU Regulation

Similaire à DP Act Changes and EU Regulation (20)

Dernier

Dernier (20)

DP Act Changes and EU Regulation