CHASE 2014 data protection presentation Paul Ticher

Transcript of CHASE 2014 data protection presentation Paul Ticher

Page 1: CHASE 2014 data protection presentation Paul Ticher

Data Protection - All Change or More of the Same? Paul Ticher

Page 2: CHASE 2014 data protection presentation Paul Ticher

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation.

It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Page 3: CHASE 2014 data protection presentation Paul Ticher

What Data Protection is about: 1

Prevent harm to the individuals whose data we hold, or other people

• Keep information in the right hands

• Hold good quality data

Protecting people

Protecting data

Page 4: CHASE 2014 data protection presentation Paul Ticher

What Data Protection is about: 2

Reassure people that we use their information responsibly, so that they trust us

• Be transparent – open and honest, don’t hide things or go behind people’s backs

• Offer people a reasonable choice over how you use their data, and what for

[Cartoon: speech bubbles reading ‘Give us more money!’, ‘Support our campaign!’ and ‘We sold your details to someone else’]

Page 5: CHASE 2014 data protection presentation Paul Ticher

What Data Protection is about: 3

Comply with specific legal requirements, such as:

• Right to opt out of direct marketing

• Right of Subject Access

• Notification

• (And others)

Page 6: CHASE 2014 data protection presentation Paul Ticher

The main topics for today

Top priorities

• Security

• Transparency

• Choice

• Accuracy & data quality

But first:

• The Data Protection Principles

• The definition of Personal data

• Confidentiality

And while we’re about it

• Latest developments on

  • Enforcement

  • Guidance

  • New EU Regulation

Page 7: CHASE 2014 data protection presentation Paul Ticher

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal

2. You must limit your use of data to the purpose(s) you obtained it for

3. Data must be adequate, relevant & not excessive

4. Data must be accurate & up to date

5. Data must not be held longer than necessary

6. Data Subjects’ rights must be respected

7. You must have appropriate security

8. Special rules apply to transfers abroad

Page 8: CHASE 2014 data protection presentation Paul Ticher

Personal data

The Act applies to information that is ‘personal’ and ‘data’

The personal part means that it is about:

identifiable, living individuals

The data part means that it is recorded:

• on a computer or automated system

• in a ‘relevant filing system’

• with the intention of going into one of these systems

• (others apply to public bodies)

Page 9: CHASE 2014 data protection presentation Paul Ticher

How DP and Confidentiality overlap

[Diagram: overlapping circles labelled ‘Confidentiality’ and ‘Data Protection’]

Clear boundaries

Page 10: CHASE 2014 data protection presentation Paul Ticher

Circumventing security

Scams

Gossip

Taking confidentiality seriously

Page 11: CHASE 2014 data protection presentation Paul Ticher

Security (Principle 7)

The Data Protection Act says you must prevent:

• unauthorised access to personal data

• accidental loss or damage of personal data

The security measures must be appropriate.

They must also be technical and organisational.

The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security (or other Data Protection requirements)

Page 12: CHASE 2014 data protection presentation Paul Ticher

Key security measures

Protect ‘data in transit’

• passwords, encryption on USB devices, tablets and laptops

• extreme care when faxing, e-mailing & posting

• think about encryption on e-mails if appropriate

Network security – anti-virus, firewall, log-ons, etc.

Website security – ‘OWASP top ten’ or similar

Bring Your Own Device policy

External contractors (‘Data Processors’)

Secure destruction – shredding, etc.

Access controls, clear desks, locked filing cabinets

Staff DBS checks, supervision and monitoring

Page 13: CHASE 2014 data protection presentation Paul Ticher

‘Fair’ processing (Pr. 1): Transparency

One part of being fair to people is to make sure they have no unpleasant surprises when you use data about them.

This means you must always think whether you need to tell them anything about:

• who is collecting their information

• what purposes you hold their data for

• who you might pass the data on to

• how to contact you if they want to stop you from using their data or check what you are doing

Page 14: CHASE 2014 data protection presentation Paul Ticher

‘Fair’ processing (Pr. 1): Choice

The other important part of being fair is to give people a reasonable choice over how their information is used.

People must be given a choice over Direct marketing

Choices can be:

• Opt out (we’ll do it unless you say ‘no’)

• Opt in (we’ll only do it if you say ‘yes’)

Be clear about what choices are offered, record them carefully, and ensure that they are acted on.

Pre-ticked boxes are not good practice

Page 15: CHASE 2014 data protection presentation Paul Ticher

Conditions for fair processing

You must meet at least one of these:

• With consent of the Data Subject (“specific, informed and freely given”)

• For a contract involving the Data Subject

• To meet a legal obligation

• To protect the Subject’s ‘vital interests’

• Government & judicial functions

• In your ‘legitimate interests’ (or those you disclose to) provided you don’t infringe the Data Subject’s rights, freedoms or legitimate interests

Page 16: CHASE 2014 data protection presentation Paul Ticher

Data quality (Principles 3 & 4)

The Data Protection Act says that data must be:

• Adequate

• Relevant

• Not excessive

• Accurate

• Up to date (where necessary)

Page 17: CHASE 2014 data protection presentation Paul Ticher

Data Controller

The ‘person’ legally responsible for complying with the Data Protection Act

Staff & volunteers are part of the Data Controller

A trading company is a separate Data Controller

Organisations can be joint Data Controllers

Page 18: CHASE 2014 data protection presentation Paul Ticher

Data Processor

An organisation that has access to Personal Data on your behalf for your purposes

The Data Controller remains responsible for what happens to the data

There must be a written contract with the Data Processor, setting out the relationship and, in particular, their security responsibilities

Data Processors could include:

• Payroll service

• Cloud computing provider

• Tele-marketing company

• Client database maintenance & development

• Mailing house

• Contractor, delivering services

Page 19: CHASE 2014 data protection presentation Paul Ticher

Developments in enforcement

Recent penalties include:

• Fines for spam messaging

• Fine for breach caused by employee working from home

• Fines for charities

Other options: enforcement notices, legally binding undertakings

There have been a few successful challenges on technicalities

Information Commissioner is consulting on a more targeted approach to handling complaints

Page 20: CHASE 2014 data protection presentation Paul Ticher

Developments in ICO guidance

Recent publications include:

• a Code of Practice on handling Subject Access

• guidance on Bring Your Own Device policies

• a complete update of their guidance on Direct Marketing

• guidance on Social Networking

• consultation on a review of the Privacy Notices Code of Practice

Page 21: CHASE 2014 data protection presentation Paul Ticher

New EU Regulation: Rationale

1995: Directive 95/46/EC

1998: UK Data Protection Act (in force from 2000)

2003 (and earlier): Privacy & Electronic Communications Regulations

Subsequently:

• World Wide Web

• Cloud computing

• Social media

• Profiling

• Cookies, GPS tracking ...

• Privacy awareness

Page 22: CHASE 2014 data protection presentation Paul Ticher

New EU Regulation: Timetable

January 2012: first draft published by Commission

2012: various EU bodies contribute views

2013: attempts to reconcile differing views, with several conflicting drafts produced

October 2013: compromise draft agreed by parliament

2015? Negotiations with Council

Mid-2015? Ratification of final Regulation

Page 23: CHASE 2014 data protection presentation Paul Ticher

New EU Regulation: Some key issues

Consent tightened up – no more pre-ticked boxes

Marketing is a ‘legitimate interest’

Limited right of erasure

Right to object to profiling

More detailed privacy notices

Mandatory breach notification

Data Protection by default and by design

Mandatory Data Protection Officer

Privacy impact assessments replace Notification

Much-increased penalties (especially for multi-national companies)

Page 24: CHASE 2014 data protection presentation Paul Ticher

Data Protection: the absolute basics

We are trying to:

• Prevent harm by

  • Keeping data only in the right hands (and being clear what ‘the right hands’ are)

  • Holding good quality data (accurate, up to date and adequate)

• Reassure people so that they trust us by

  • Making sure people know enough about what we are doing

  • Giving people a choice where possible

Page 25: CHASE 2014 data protection presentation Paul Ticher

Thank you for listening

To go into more detail, join one of my webinars:

www.paulticher.com/webinars

Or contact me at:

2 Old College Court, 29 Priory Street, Ware, Hertfordshire, SG12 0DE

0116 273 8191

www.paulticher.com