2. This presentation is intended to help you
understand aspects of the Data Protection Act
1998 and related legislation.
It is not intended to provide detailed advice on
specific points, and is not necessarily a full
statement of the law.
Data Protection - All Change or More of the Same?
3. What Data Protection is about: 1
Protecting data
Protecting people
Prevent harm to the individuals whose data we
hold, or other people
• Keep information in the right hands
• Hold good quality data
4. What Data Protection is about: 2
[Illustration: speech bubbles reading "Give us more money!", "Support our campaign!" and "We sold your details to someone else"]
Reassure people that we use their information
responsibly, so that they trust us
• Be transparent – open and honest, don’t hide
things or go behind people’s back
• Offer people a reasonable choice over how you
use their data, and what for
5. What Data Protection is about: 3
Comply with specific legal requirements, such as:
Right to opt out of direct marketing
Right of Subject Access
Notification
(And others)
6. The main topics for today
Top priorities
• Security
• Transparency
• Choice
• Accuracy & data quality
And while we’re about it, latest developments on
• Enforcement
• Guidance
• New EU Regulation
But first:
• The Data Protection Principles
• The definition of Personal data
• Confidentiality
7. The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s)
you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
8. Personal data
The Act applies to information that is ‘personal’ and
‘data’
The personal part means that it is about:
identifiable, living individuals
The data part means that it is recorded:
• on a computer or automated system
• in a ‘relevant filing system’
• with the intention of going into one of these
systems
• (others apply to public bodies)
9. How DP and Confidentiality overlap
[Diagram: overlapping areas labelled "Data Protection" and "Confidentiality", captioned "Clear boundaries"]
11. Security (Principle 7)
The Data Protection Act says you must prevent:
• unauthorised access to personal data
• accidental loss or damage of personal data
The security measures must be appropriate.
They must also be technical and organisational.
The Information Commissioner can
impose a penalty of up to £???????
for gross breaches of security (or
other Data Protection requirements)
12. Key security measures
Protect ‘data in transit’
• passwords, encryption on USB devices, tablets
and laptops
• extreme care when faxing, e-mailing & posting
• think about encryption on e-mails if appropriate
Network security – anti-virus, firewall, log-ons, etc.
Website security – ‘OWASP top ten’ or similar
Bring Your Own Device policy
External contractors (‘Data Processors’)
Secure destruction – shredding, etc.
Access controls, clear desks, locked filing cabinets
Staff DBS checks, supervision and monitoring
13. ‘Fair’ processing (Pr. 1): Transparency
One part of being fair to people is to make sure they
have no unpleasant surprises when you use data
about them.
This means you must always think whether you
need to tell them anything about:
• who is collecting their information
• what purposes you hold their data for
• who you might pass the data on to
• how to contact you if they want to stop you from
using their data or check what you are doing
14. ‘Fair’ processing (Pr. 1): Choice
The other important part of being fair is to give
people a reasonable choice over how their
information is used.
People must be given a choice over Direct
marketing
Choices can be:
• Opt out (we’ll do it unless you say ‘no’)
• Opt in (we’ll only do it if you say ‘yes’)
Be clear about what choices are offered, record
them carefully, and ensure that they are acted on.
Pre-ticked boxes are not good practice
15. Conditions for fair processing
You must meet at least one of these:
• With consent of the Data Subject
(“specific, informed and freely given”)
• For a contract involving the Data Subject
• To meet a legal obligation
• To protect the Subject’s ‘vital interests’
• Government & judicial functions
• In your ‘legitimate interests’ (or those you
disclose to) provided you don’t infringe the Data
Subject’s rights, freedoms or legitimate interests
16. Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)
17. Data Controller
The ‘person’ legally responsible for complying with
the Data Protection Act
Staff & volunteers are part of the Data Controller
A trading company is a separate Data Controller
Organisations can be joint Data Controllers
18. Data Processor
An organisation that has access to Personal Data
on your behalf for your purposes
The Data Controller remains responsible for what
happens to the data
There must be a written contract with the Data
Processor, setting out the relationship and, in
particular, their security responsibilities
Data Processors could include:
• Payroll service
• Cloud computing provider
• Tele-marketing company
• Client database maintenance & development
• Mailing house
• Contractor, delivering services
19. Developments in enforcement
Recent penalties include:
• Fines for spam messaging
• Fine for breach caused by employee working
from home
• Fines for charities
Other options: enforcement notices, legally binding
undertakings
There have been a few successful challenges on
technicalities
Information Commissioner is consulting on a more
targeted approach to handling complaints
20. Developments in ICO guidance
Recent publications include:
• a Code of Practice on handling Subject Access
• guidance on Bring Your Own Device policies
• a complete update of their guidance on Direct
Marketing
• guidance on Social Networking
• consultation on a review of the Privacy Notices
Code of Practice
21. New EU Regulation: Rationale
1995: Directive 95/46/EC
1998: UK Data Protection Act (in force from 2000)
2003 (and earlier): Privacy & Electronic
Communications Regulations
Subsequently:
• World Wide Web
• Cloud computing
• Social media
• Profiling
• Cookies, GPS tracking ...
• Privacy awareness
22. New EU Regulation: Timetable
January 2012: first draft published by Commission
2012: various EU bodies contribute views
2013: attempts to reconcile differing views, with
several conflicting drafts produced
October 2013: compromise draft agreed by
parliament
2015? Negotiations with Council
Mid-2015? Ratification of final Regulation
23. New EU Regulation: Some key issues
Consent tightened up – no more pre-ticked boxes
Marketing is a ‘legitimate interest’
Limited right of erasure
Right to object to profiling
More detailed privacy notices
Mandatory breach notification
Data Protection by default and by design
Mandatory Data Protection Officer
Privacy impact assessments replace Notification
Much-increased penalties (especially for multinational companies)
24. Data Protection: the absolute basics
We are trying to:
• Prevent harm by
  • Keeping data only in the right hands (and
  being clear what ‘the right hands’ are)
  • Holding good quality data (accurate, up to
  date and adequate)
• Reassure people so that they trust us
  • Making sure people know enough about
  what we are doing
  • Giving people a choice where possible
25. Thank you for listening
To go into more detail, join one of my webinars:
www.paulticher.com/webinars
Or contact me at:
0116 273 8191
paul@paulticher.com
www.paulticher.com
2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE