Summary of feedback on Big data and data protection and ICO response


Contents

Introduction
Question 1
Impacts and benefits; privacy impact assessments (PIAs)
New approaches to data protection
Legitimate interests
Public sector
EU General Data Protection Regulation (EU GDPR)
Anonymisation
Access to personal data
Question 2
Question 3
Privacy engineering
Technical security
Privacy Impact Assessments
Personal data services
Terms and conditions
Limiting data collection
Actions to raise awareness

Introduction

Our paper on Big data and data protection was published on 28 July. It set out our understanding of the data protection issues raised by big data and contributed to the ongoing discussion of big data and privacy. The launch of the paper was widely reported across websites dealing with IT and information law. The House of Commons Science and Technology Committee quoted our paper in their report on Responsible use of data [1]. It was well received at the 36th International Conference of Data Protection and Privacy Commissioners and their Resolution on big data [2] reflected the approach we put forward in the paper.

The paper included three questions on which we invited feedback. We originally gave a deadline of 12 September 2014 for this but, recognising that more time was needed because of the summer holidays, we extended it to 17 October.

We received responses to the consultation from ten organisations. Four of these came from companies, two from trade associations, two from organisations dealing with information and privacy, one from the higher education sector and one from a media organisation. Most of the responses were detailed and lengthy, in some cases with references to other research and current projects. Some included paragraph-by-paragraph comments on our paper while others put forward more general arguments. This has provided us with a great deal of useful material, and we thank all those who gave their time in providing these responses.

In this document we are not able to list all the points made by every respondent, but we have picked out and discussed what we consider to be the key themes. There appears to be a consensus that the general approach we put forward in the paper is on the right lines, but there are many suggestions about changes of emphasis and new points that could be added. We will make some revisions to the paper and re-issue it in the light of this feedback in summer.

[1] House of Commons Science and Technology Committee. Responsible use of data. HC245. The Stationery Office Ltd, November. Accessed 6 February.
[2] 36th International Conference of Data Protection and Privacy Commissioners. Resolution on big data. Conference, October. Accessed 6 February.

Responses to questions

Question 1

Does this paper adequately reflect the data protection issues arising from big data or are there other relevant issues that are not covered here? If so, what are they?

Impacts and benefits; privacy impact assessments (PIAs)

A theme that emerged in a number of responses was the importance of assessing the impact of the analytics on individuals, and differentiating between levels of impact. For example, big data analytics may be used to offer a product to a consumer, but it was suggested that people would see this as less significant or sensitive than using it to make a decision about their application for life assurance. We'd broadly agree with this point. The importance of making a proper assessment of the benefits of the processing in question, and explaining this to data subjects, was also stressed.

Assessing impacts on and benefits to individuals is a key part of determining whether processing is fair. A central theme of our paper is the continuing relevance of the DPA principle of fairness. We are also pleased to note a number of respondents support our view of the role of PIAs. We discuss this further in relation to Question 3 below.

New approaches to data protection

In the paper, we consider the argument that big data requires a regulatory focus on how data is used, rather than on how it is collected. We argue that data protection principles are still relevant to big data analytics, and that it is still necessary to tell people about the processing through privacy notices. Most respondents agreed with our general position, although the difficulty of providing privacy information and of seeking consent in a big data context was recognised. One respondent argued that there should be equal focus on the use (or misuse) of data and that it is better to regulate at the point where the potential for harm is created.

We recognise the challenges of providing privacy notices. Some respondents mentioned the need to develop new ways of delivering these and we will continue to look for innovative examples of how to do this in a big data context.

Legitimate interests

One respondent suggested that the paper focussed too much on consent as a condition, and that it is not always practical to obtain this in a big data context. They suggested that the paper did not sufficiently recognise the relevance of the legitimate interests condition for processing personal data. They argued that this condition can authorise new uses of the data, since it provides that personal data may be processed if it is necessary for the legitimate interests of the data controller (or a third party) unless there is unwarranted prejudice to the rights, freedoms and legitimate interest of the data subject. This condition puts an emphasis on organisational accountability rather than individual responsibility for giving consent.

Our paper deals with consent at greater length than legitimate interests, partly because the former is an issue which is the subject of current debate in the context of big data. We did not mean to imply that consent is the only or the most important condition; any of the conditions listed in the Data Protection Act and the Data Protection Directive can legitimise the processing of personal data. The need to balance the legitimate interests of the data controller with the rights and freedoms of individuals is a key theme in our paper. We agree also that this is consistent with organisational accountability.

Public sector

One respondent noted that the paper was mainly focussed on private sector uses of big data, and commented that there are differences in the way that personal data is handled in public authorities, in that they often rely on conditions other than consent, and because of the potential role of the Senior Information Risk Owner (SIRO) in addressing data protection concerns.

While the paper makes some reference to public sector uses of big data, we accept that it does not directly address the differences between that and the private sector. This reflects the research carried out for the paper and the examples available to us. We will consider developing the theme of big data in the public sector in the new version of the paper.

EU General Data Protection Regulation (EU GDPR)

Several respondents felt that we should have said more about the possible impact of the proposed EU GDPR and its implications for big data.

In the paper we tried to show how the proposed provisions reflect some of the data protection issues posed by big data. However, we did not try to give a detailed commentary on the EU GDPR, since we have previously published commentaries on the draft versions and also because the proposals have not yet been agreed by the EU. If the EU GDPR is passed, guidance will have to be issued on any provisions relating to profiling, but it is premature to analyse further at this stage.

Anonymisation

Some respondents mentioned the role of anonymisation and said that big data used for the analysis of general trends is often anonymised, so that it is no longer personal data. At the same time it was also pointed out that the knowledge gained from analysing anonymised data can be used to make decisions that impact upon individuals, and we agree that this is the case.

Access to personal data

The paper discusses ways of facilitating people's access to their own data. It was pointed out that website interactions automatically generate a large amount of data, and it is important to enable people to see the major items of personal data held about them, rather than necessarily all of this data.

We agree that new ways of facilitating access to personal data should be a tool for transparency by enabling people to understand what data is held about them and how it is used. At the same time we must recognise that the subject access provisions of the DPA give data subjects a wide-ranging right to obtain their personal data.

Question 2

Should the ICO produce further guidance documents to help organisations that are doing big data analytics to meet data protection requirements? If so, what should they cover?

Suggestions made in response to this question included the following:

- The ICO should encourage organisations to undertake a cost benefit analysis as part of big data projects. This would include estimating in advance how useful the datasets are likely to be and then measuring and reviewing this once they are being used.
- Some respondents wanted to see more practical, technical guidance, including guidance on particular technologies. At the same time it was recognised that this is not necessarily a job for the ICO alone, and that industry has a role to play, for example in developing standardised categories to inform people of how their data is being used.
- One respondent wanted to see further guidance on what the EU GDPR means for big data analytics, once the Regulation is agreed.
- One respondent wanted to see more guidance on encryption and deletion of records in the cloud.
- One respondent wanted to see examples of how an organisation could communicate possible future uses of data in a privacy notice.
- One respondent suggested that the paper should be reorganised and reissued to improve usability and readability. Another suggested that it should be split into smaller separate documents on specific topics, to make it easier to read.

Our document on Big data and data protection was intended as a discussion paper, setting out our view of the data protection issues involved in big data. It was therefore a contribution to the growing debate, rather than a guidance document. We recognise that it was particularly long, and this was because we were trying to cover a large number of complex issues.

As noted at the beginning, we will publish a new version of the paper in the summer, with some revisions based on the comments received. After that, we envisage that any future work we do on big data is likely to be in the context of specific issues, as the need arises.

We welcome the recognition that there is a role for business and other organisations doing big data analytics to develop standards and guidance, and we are happy to support this.

We have started a review of our Privacy notices code of practice, and as part of this we will consider how the Code can reflect the issues discussed here about transparency in the context of big data. We expect that the review will be concluded by the end of June.

Question 3

This paper refers to a number of practical measures and tools that can help to protect data privacy in the context of big data analytics: anonymisation, privacy impact assessments, privacy by design, privacy notices, data portability and privacy seals. Are other practical measures and tools needed? If so, what are they?

Respondents mentioned a number of measures and tools in response to this question:

Privacy engineering

One respondent pointed out that the paper mentions Privacy by Design but does not give practical advice on how to implement it. It was also argued that Privacy by Design is not just a legal question but an engineering one, and that the protection it gives is constrained by the technical architecture of the system. There is therefore a role for privacy engineering, which would involve bringing legal and policy people in an organisation together with technical experts to develop ethical approaches to designing systems. It was suggested that there is a role for the ICO in encouraging colleges and universities to build this into the curriculum, and also a role in providing technical guidance to, and working with, privacy engineers.

We agree that Privacy by Design involves using a range of organisational and technical measures, and that although some useful work has been done, which we reference in the paper, there is a need for more work and practical examples. One example we are working on is researching privacy enhancing technologies. The ICO's in-house capacity for developing technical solutions is limited, but we are happy to work with external technical experts, as we have done, for example, with the UK Anonymisation Network [3]. We will also consider how we can encourage the recognition of privacy and data protection issues in university IT and information management courses, which will often teach the techniques related to big data.

[3] UK Anonymisation Network website. Accessed 6 February.

We are also active members of the newly formed Internet Privacy Engineering Network [4] (IPEN) and will continue to input into work on privacy by design solutions for big data at an international level.

Technical security

One respondent suggested that the measures and tools should include recognition of the role played by technical security measures in protecting personal data.

We agree that people are concerned not only about whether organisations are using their data in unexpected ways, but also whether they are keeping it securely. We will continue to emphasise the need for adequate security of personal data in any future work on big data.

Privacy Impact Assessments

Some respondents mentioned PIAs as a tool in making the assessment of impacts and benefits, and as a way of highlighting less privacy-intrusive methods. It was emphasised that these should not be used simply to rubber stamp a previously agreed plan.

We agree that PIAs are particularly important in the context of big data analytics. We will continue to promote our Privacy impact assessment code of practice which contains practical advice on how to do PIAs.

One respondent argued for the importance of privacy risk assessments: they can enable responsible decisions about data use, they place the burden of privacy protection on the organisation and they allow for flexibility in the application of the data protection principles. We agree with these points and we think that the principles of a privacy risk assessment, as described, are very much in line with those of PIAs.

We will liaise with key stakeholders to discuss the development of more specific PIA guidance on big data that uses the ICO PIA code as a framework. We would look to identify a sector, professional or industry body to take this work forward. This should also be supplemented by case studies.

Personal data services

One respondent suggested that we should say more about the role of personal data services (trusted third parties managing access to personal data on behalf of data subjects). We are aware of developments in this area, although we consider that at the moment there is a need for more pilot projects and practical examples to show their potential.

Terms and conditions

It was suggested that there is scope for developing simplified terms and conditions, based on agreed categories of data usage. This supports the points we have made about the need for innovation in delivering privacy notices.

Limiting data collection

One respondent said that there should be more emphasis on limiting data collection to that which is actually needed, and that this would reduce the amount of information that needs to be analysed and make it easier for people to understand what information has been collected. Our paper addresses the issue of data minimisation and says that organisations need to be clear about what data they actually need for their purposes.

Actions to raise awareness

In order to raise awareness of the data protection risks, highlight case studies and best practice, and continue discussions about innovative privacy enhancing solutions we plan to hold a seminar on privacy and big data later in We will provide more details and ask for expressions of interest in due course. We intend this event to follow on from the planned sectoral work on PIAs.

[4] IPEN website https://secure.edps.europa.eu/edpsweb/edps/edps/ipen Accessed 6 February.


BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

Cookies Compliance Advisory

Cookies Compliance Advisory Cookies Compliance Advisory Note: this is an advisory notice that summarises the current position of the Article 29 Working Group and makes suggestions as to how organisations might practically achieve

More information

Attitudes to Use of Social Networks in the Workplace and Protection of Personal Data

Attitudes to Use of Social Networks in the Workplace and Protection of Personal Data Attitudes to Use of Social Networks in the Workplace and Protection of Personal Data David Haynes, City University, School of Informatics, Department of Information Science August 2011 Background Two surveys

More information

Cloud (educational apps) software services and the Data Protection Act

Cloud (educational apps) software services and the Data Protection Act Cloud (educational apps) software services and the Data Protection Act Departmental advice for local authorities, school leaders, school staff and governing bodies October 2014 Contents 1. Summary 3 About

More information

The European Qualifications Framework for Lifelong Learning (EQF)

The European Qualifications Framework for Lifelong Learning (EQF) European Qualifications Framework The European Qualifications Framework for Lifelong Learning (EQF) Europe Direct is a service to help you find answers to your questions about the European Union Freephone

More information

The public transport ticketing schemes block exemption

The public transport ticketing schemes block exemption The public transport ticketing schemes block exemption Consultation document 13 April 2016 CMA53con Crown copyright 2016 You may reuse this information (not including logos) free of charge in any format

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998.

BHCC Policy Summary. This policy outlines BHCC s obligations and responsibilities in relation to the Data Protection Act 1998. BHCC Policy Summary 1 Policy Name Data Protection Policy. 2 Purpose of Policy To define the standards expected of all Brighton & Hove City Council employees, and any third parties, when processing information

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Birmingham Women s NHS Foundation Trust

Birmingham Women s NHS Foundation Trust Birmingham Women s NHS Foundation Trust Data protection audit report Executive summary January 2015 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with

More information

This strategy has been developed by Corporate Procurement in line with The Council s high level priorities which are as follows:-

This strategy has been developed by Corporate Procurement in line with The Council s high level priorities which are as follows:- PROCUREMENT STRATEGY 1 Introduction Introduction to the Corporate Strategy for Procurement This document sets out the Council s Corporate. Its purpose is to provide Officers, Members, Contractors and the

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

FG 16/5 - Guidance for firms outsourcing to the cloud and other third-party IT services

FG 16/5 - Guidance for firms outsourcing to the cloud and other third-party IT services Finalised guidance FG 16/5 - Guidance for firms outsourcing to the cloud and other third-party IT services July 2016 Background 1.1 1.2 1.3 The purpose of this guidance is to clarify the requirements on

More information

Ethical issues in accessing and using big data

Ethical issues in accessing and using big data Ethical issues in accessing and using big data Libby Bishop Research Data Management Team UK Data Service University of Essex Big Data and Analytics Summer School BD014 Secure Access Protocols for Big

More information

All Party Parliamentary Group (APPG) on Nuisance Calls inquiry into Nuisance Telephone Calls. Written evidence from BT.

All Party Parliamentary Group (APPG) on Nuisance Calls inquiry into Nuisance Telephone Calls. Written evidence from BT. All Party Parliamentary Group (APPG) on Nuisance Calls inquiry into Nuisance Telephone Calls Written evidence from BT September 2013 1 The Culture, Media and Sport Committee inquiry into Nuisance Telephone

More information

Diving into the Data Pool

Diving into the Data Pool Diving into the Data Pool Exploring public views about the way medical data is shared Report from public event on 31 October 2013 Should it be easier for medical data to be shared to help research? What

More information

Plus500UK Limited. Statement on Privacy and Cookie Policy

Plus500UK Limited. Statement on Privacy and Cookie Policy Plus500UK Limited Statement on Privacy and Cookie Policy Statement on Privacy and Cookie Policy This website is operated by Plus500UK Limited ("we, us or our"). It is our policy to respect the confidentiality

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

Bigger Picture Telstra 2013 Sustainability Reporting Series. Customer experience

Bigger Picture Telstra 2013 Sustainability Reporting Series. Customer experience Bigger Picture Telstra 2013 Sustainability Reporting Series Customer experience PUTTING OUR CUSTOMERS AT THE CENTRE CONTENTS Highlights 03 Context 04 Customer service 05 Customer advocacy 05 Managing bill

More information

Information Commissioner s Office. ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974

Information Commissioner s Office. ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 Information Commissioner s Office ICO response to the discussion paper on the Rehabilitation of Offenders Act 1974 14 November 2013 1 Contents Introduction Response Further issues About the ICO The ICO

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: December 2015 Version: 6.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Improving quality through regular reviews:

Improving quality through regular reviews: Implementing Regular Quality Reviews at the Office for National Statistics Ria Sanderson, Catherine Bremner Quality Centre 1, Office for National Statistics, UK Abstract There is a requirement under the

More information

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin Welcome to the nineteenth edition of the information governance bulletin Our regular bulletin about information governance and the work of the IG transition programme Publication Gateway Reference: 02465

More information

How to gather and evaluate information

How to gather and evaluate information 09 May 2016 How to gather and evaluate information Chartered Institute of Internal Auditors Information is central to the role of an internal auditor. Gathering and evaluating information is the basic

More information

Cardiff Council. Data protection audit report. Executive summary June 2014

Cardiff Council. Data protection audit report. Executive summary June 2014 Cardiff Council Data protection audit report Executive summary June 2014 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Standardising privacy and security for the cloud

Standardising privacy and security for the cloud Standardising privacy and security for the cloud Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements Like to thank organisers of event for inviting me to contribute.

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

Digital Continuity Plan

Digital Continuity Plan Digital Continuity Plan Ensuring that your business information remains accessible and usable for as long as it is needed Accessible and usable information Digital continuity Digital continuity is an approach

More information

12th January 2011. Dear Mr. Graham, Complaint: Internet Eyes

12th January 2011. Dear Mr. Graham, Complaint: Internet Eyes 12th January 2011 Mr Christopher Graham Information Commissioner The Office of the Information Commissioner, Water Lane, Wycliffe House, Wilmslow, Cheshire SK9 5AF UNITED KINGDOM Dear Mr. Graham, Complaint:

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Case Id: 0993d72f-a100-4bb7-862d-dfc55b7b69f1

Case Id: 0993d72f-a100-4bb7-862d-dfc55b7b69f1 Case Id: 0993d72f-a100-4bb7-862d-dfc55b7b69f1 Questionnaires on introducing the European Professional Card for nurses, doctors, pharmacists, physiotherapists, engineers, mountain guides and estate agents

More information

ABI response to the FSA s consultation on Regulatory Reform: PRA and FCA regimes relating to aspects of authorisation and supervision (CP12/24)

ABI response to the FSA s consultation on Regulatory Reform: PRA and FCA regimes relating to aspects of authorisation and supervision (CP12/24) ABI response to the FSA s consultation on Regulatory Reform: PRA and FCA regimes relating to aspects of authorisation and supervision (CP12/24) The UK Insurance Industry 1. The UK insurance industry is

More information

HERON (No: 649690): Deliverable D.2.6 DATA MANAGEMENT PLAN AUGUST 2015. Partners: Oxford Brookes University and Università Commerciale Luigi Bocconi

HERON (No: 649690): Deliverable D.2.6 DATA MANAGEMENT PLAN AUGUST 2015. Partners: Oxford Brookes University and Università Commerciale Luigi Bocconi HERON (No: 649690): Deliverable D.2.6 DATA MANAGEMENT PLAN AUGUST 2015 Partners: Oxford Brookes University and Università Commerciale Luigi Bocconi Institutions: Low Carbon Building Group, Oxford Brookes

More information

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine

International Privacy and Data Security Requirements. Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine International Privacy and Data Security Requirements Benedict Stanberry, LLB LLM MRIN Director, Centre for Law Ethics and Risk in Telemedicine Aims of this Presentation. To provide a brief overview of

More information

When things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer

When things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer When things go wrong: information governance breaches and the role of the ICO David Evans, Senior Policy Officer Where it did go wrong NHS Surrey 200,000 MPN June 2013 The events leading up to the MPN

More information

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media The RFID agenda of the European Commission RFID i Danmark 2011 May 3, 2011, IT-University in Copenhagen Florent Frederix European Commission Directorate General Information Society and Media This document

More information

European Commission Green Public Procurement (GPP) Training Toolkit - Module 1: Managing GPP Implementation. Joint procurement.

European Commission Green Public Procurement (GPP) Training Toolkit - Module 1: Managing GPP Implementation. Joint procurement. European Commission Green Public Procurement (GPP) Training Toolkit - Module 1: Managing GPP Implementation Joint procurement Fact sheet Toolkit developed for the European Commission by ICLEI - Local Governments

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information

Captain Compare Privacy Policy

Captain Compare Privacy Policy Captain Compare Privacy Policy This Privacy Policy contains important information about the type of personal information we collect from you on the Captain Compare website (www.captaincompare.com.au) (Website),

More information

OUR CUSTOMERS. Exciting, beautifully designed, excellent quality clothing and homeware that reflects the aspirations and means of our customers

OUR CUSTOMERS. Exciting, beautifully designed, excellent quality clothing and homeware that reflects the aspirations and means of our customers OUR CUSTOMERS Content Our Approach Our aim is to meet or exceed our customers expectations of Next as a company and the products we sell by providing: Exciting, beautifully designed, excellent quality

More information

Data Protection as a Competitive Differentiator. Getting ready for the General Data Protection Regulation

Data Protection as a Competitive Differentiator. Getting ready for the General Data Protection Regulation Data Protection as a Competitive Differentiator Getting ready for the General Data Protection Regulation ...For many online offerings which are presented or perceived as being free, personal information

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate

More information

DELIVERING OUR STRATEGY

DELIVERING OUR STRATEGY www.lawsociety.org.uk DELIVERING OUR STRATEGY Our three year plan 2015 2018 >2 > Delivering our strategy Catherine Dixon Chief executive Foreword Welcome to our three year business plan which sets out

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

Compliance Review Department of Education, Training and Employment

Compliance Review Department of Education, Training and Employment Compliance Review Department of Education, Training and Employment Review of Department of Education, Training and Employment compliance with the Right to Information Act 2009 (Qld) and the Information

More information

PRIVACY IMPACT ASSESSMENT template

PRIVACY IMPACT ASSESSMENT template Screening questions PRIVACY IMPACT ASSESSMENT template 1. Will the project involve the collection of new information about individuals? If yes, please detail the information to be collected, below. 2.

More information