Using Information Sources

Sharing and Data Protection Issues

Suki Harrar

People and Information Governance Partner

Data Protection in the Workplace

Make it simple by knowing

What and Why you are collecting customers data

How to obtain right consent

How to share lawfully

How not to get caught out

I know the tenant

information file is

here some

where!!

Source of information and help:

Regulator

Christopher Graham:

Information Commissioner

Regulator of DPA & FOIA :

Information Commissioner Office

Aim – Data Protection Act

Privacy Rights For Living Individuals (Data Subjects)

Controls processing requirements of Individuals personal information

(that is your information)

8 Guiding Principles

Obligations on Housing Associations who collect and process your

personal data

Defines obligations for Housing Associations as Data Controllers

Data controller’s responsibilities

Decides the purpose and manner in which your personal data will be

processed and they have to comply with all the provisions of the Act

Ensure the right data is collected, used, shared, secured and destroyed in

line with the Act

Notify the ICO what, and why they are collecting and who they will share this

data with

Ensure they comply with your rights - Data Subject’s

Comply with the 8 Data Protection Principles

Ensure third parties they engage to deliver services are compliant

With the Act and the Housing Association's DP Policies

Collect the right data and obtain the right consent

Personal Data (schedule two)

Data which relates to a living individual who can be identified from that data.

This includes an expression or opinion about any living individual:

Name Address

Bank account Details E-mail address

Telephone number CCTV Footage

Image Gender

“Mrs Window has detailed on her tenant profile form she has complained about

her leaking tap, for the 10th time can you arrange for a plumber to go out again”

Personal Data - Need to obtain informed consent (Show and Tell)

When did you last go on line and buy something and read the

privacy statement ?

We buy and inadvertently may have accepting for the supplier to use our information for marketing

We can obtain informed consent in different ways:

• Tenant profile or census form

• Survey form

• In a proposed or agreed contract

• tenancy agreement, lease agreement or employment contract

• Statement on website, back of receipts or letter/email

• ASB wittiness statement or interview/report form

Personal Sensitive Data - Need to explicit on top of informed consent (Show, Tell and Record)

• Ethnicity

• Religious or Other Beliefs

• Political Opinions

• Membership of a Trade Union

• Sexual Life

• Offences Committed or Alleged to have been Committed by that Individual

• Medical History

It can be obtained in different ways, but you need to ensure that the consent you obtain is "unambiguous”, freely given and fully understood

• A signature or a verbal agreement which is recorded and confirmed

Personal and Sensitive Personal Data How to obtain the right consent and help the person understand the WHY…

Customer census or profile forms should have a separate ‘tear’ off sheet with

this information on

You should tell people that they do not have to supply the information but how it

will help them if they do

You should have a recorded consent from each individual – You cannot supply

the information for other people in your household and it cannot be used if

consent is not recorded

You should have a information leaflet explaining why you want the information

and how you will use, share, retain, secure and destroy the information

Have you got a customer profile procedure or leaflet?

We can use and share your personal and sensitive personal data without consent

Some examples:

• Need to comply with legal obligations

• Protect the vital interests of an individual

• Comply administration of justice or to exercise functions of a public nature which is in the public interest

• Legitimate interest ensuring the processing is justifiable to the individual’s rights

• The individual has made the information public

• For prospective or current legal proceedings and/or legal advice

• Exercising contractual obligations

8 Principles – Sharing has to be Fair and Lawful

data sharing As long as you are C.O.T you can use and share without consent:

For the prevention or detection of crime and fraud

For the apprehension or prosecution of offenders

For the assessment or collection of tax or duty owed to customs & excise

In connection with legal proceedings

In relation to the physical or mental health of an individual, where disclosure is required to protect them or others vital interests

8 Principles – Sharing has to be Fair and Lawful data

sharing

For research and statistical purposes (anonymous)

To carry out contractual obligations

Administration of justice, exercise functions of public nature in public interest

Legitimate interests except where unwarranted prejudices individual rights

To comply with the law

8 Principles – Sharing has to always be Fair and

Lawful data sharing Consider when consent should be sought and is it reasonable to disclose personal data without consent? What duty of confidentiality do we owe the 3rd party can it be anonymised Have steps been taken to seek consent and note refusal and/or objection? Have steps been taken to record legal and/or regulatory grounds for disclosure? It is fine to positively challenge the request and ask for it in writing Do not put someone at risk by withhold information

Your First Principle

Process personal data fairly and lawfully

Clear Open and Transparent

Collect Use Share and Secure data correctly

Confirm when you need consent

Personal Data Informed

Sensitive Personal Data Explicit

1

Your Second Principle

Personal data must be used for the stated purpose you

informed the individual about

Do not be use their data for any incompatible purpose –

use the C.O.T approach

Think about what the recipient of the data will use it for

Do you need to review your notification and inform

individuals of the new form of processing

2

You Next Set Of Principles in practice

3 Relevant and Adequate – data sharing agreements does

not mean a ‘catch all’ approach. Look at what is the objective of

the sharing and what is needed for that purpose. Why receive

other RP or agency data only hold what is relevant and

adequate for your purposes

4 Accurate and up to date records – you are sending

troubled family data to a public body at their request thus

enabling them to obtain funding. They will have limited

responsibility. You need to ensure accuracy in you’re and their

systems on a regular basis

5 Keep data for as long as it is needed – ensure both

parties retain the data for the pre-agreed time scale. Put in

your sharing agreements provision for use, further sharing

and retention. Attach a retention destruction schedule

Your Sixth Principle – Your rights individuals

• Access personal data 40 days from valid request

• Object to the use of data that causes damage or distress

• Seek correction, and destruction of personal data

• Object to the use of data for direct marketing

• Know about automated decision making

• Seek compensation

6

Your Seventh Principle - keep data secure

Ensuring appropriate technical measures are in place

Ensure you prevent unauthorised access and processing

Ensure you prevent unlawful obtaining of personal data

Train your staff, Board and Customer Panels

7

Your Eighth Principle - Limits on overseas

transfers Personal data should not be transferred

outside the outside EEA unless there is

adequate protection for the rights of

individuals

Check if your on-line buying means your

date is being shared with third parties

sub contract (Read your privacy statement)

Check if your data is secure at all times

Check what consent is needed to send data

outside

UK

8

Enforcement and Sanctions

Regulator – ICO

• Information Notice’s and Assessment Requests

• Power to service Undertaking or Enforcement Notices

• Revoke right to process data

• Monetary Penalty (Up to Half Million Pounds)

• Evoke Sec 61 Directors Liability

• Evoke Sec 55 Personal Legal Accountability & Liability

• Power to enter LA/Government – Audits

• Criminal & Civil Action

• Support people in court

Enforcement and Sanctions

Courts

Review the handling of subject access requests

Order the payment of compensation

Prosecute individuals for section 55 (theft of data)

Data Controller

Could suffer loss of confidence from customers, stakeholders and employees

Could consider disciplinary action

Data Sharing Agreements (Protocol)

They need to formally define the sharing purposes, agents, privacy rights of the

individuals and obligations of the agencies. Clauses:

• Purpose and Members of the project

• What data is to be shared PD, SPD or anonymous

• What is the purpose of sharing (sec29)

• What legitimate and legal obligations have the agencies in place to share

data with or without consent

• Proportionate Test

• Further use of the data (prevent recipient from processing activities)

• Roles, Responsibilities and Accountabilities

• Security requirements of all parties

Data Sharing Agreements (Protocol)

• Integrity of the shared data and each controllers obligations

• Freedom of information or Environmental Information Regulations

• Inspection and data protection audit reviews

• Loss or unauthorised release steps (breach management procedure)

• Actions for end of project

Sharing In Practice Your Second Principle

Personal data obtained for housing service

Sample 1 Name and date of birth of all occupants in a given

address

Shared with the Police to detect and prevent crime

Sharing is permissible. But you need to share it in the right way. Confirm it is the

police, why they want it, collect relevant paperwork for sharing

Sample 2 personal data obtained for housing services

• Name, address, telephone number and email

Used by the communications team to send out marketing calls, texts and

emails regarding a new payable garden service

X Not compatible. This is a new purpose.

Sharing In Practice Your Second Principle

Personal data obtained for housing benefit service and rent

payments

Recorded and it is used for sending confirmation to housing benefit department

what their rent of the property is and what the person is claiming as housing

benefit. Housing Benefit form and make rent payments to Housing Association.

Sharing is permissible. As the landlord/council has duty under section 29

to ensure tax payment are made and report any overpayments of benefits

etc.

Recorded and want to share the rent arrears balance, current legal action to

recover date and submit the persons name and address to be considered for a

discretionary housing payment from council which may cover all or part of their

debt.

X Not compatible. They never informed the tenant they would

share data for this reason, they can put statement on next

arrears letter and newsletter and internet to make it fair

Sharing In Practice Your Second Principle

Sensitive Personal data obtained for anonymised statistical

purposes

Sample 1 Sexuality and Ethnicity

Recorded and it is used for sending reports to show we are meeting the Equality Act

and not discriminated.

Sharing is permissible. As you are not identify the people to whom the data relates

to and it is going to company board for governance reasons.

Sample 2 Identified Sexuality and Ethnicity

Collected for the above reason, told person it will be only used for this purpose.

But organisation inserts peoples sexuality and ethnicity onto the computer

system which contractors can see.

X This is not compatible and is unfair and unlawful as the

Person does not know you had intended to do this and

did not consent

Housing Association has a tenant profile form and they want to

collect all the people who live in the house hold ethnicity and

sexuality. However only the main tenant has a place to sign and

give consent. The form says “we collect your data to deliver you a

service and we comply with the Act.”

Q Have they obtained the right consent for the sensitive personal

data on the form?

Q Have they told the people where to look to find out how their

information will be used, shared, stored, secured an destroyed?

Lets Discuss

Data Protection is not a BLOCKER

it is ther to help, apply and work

together

Fair and lawful use

Accurate and, where necessary, kept

up to date

In accordance with individual rights

Relevant, adequate, not excessive

Not kept longer than necessary

Expected purposes only

Security measures

Safe transfers overseas

Paula makes data protection simple and fun

Thank you

Paula.Tighe@wrighthassall.co.uk

01926 884 697