Data Protection Act 1998

Transcription

1 Data Protection Act 1998 Welcome to Data Protection Act 1998 online course; it takes about 30 minutes to complete. These are the 6 modules in this online course: Module 1: Overview Module 2: Glossary Module 3: Data Protection Principles Module 4: Subject Rights Module 5: Security Module 6: Transfer If you would like more information about Data Protection then please contact the IMPS Office on or on imps@reading.ac.uk.

2 Module 1: Overview What is it? The Data Protection Act 1998 came into full effect on 1 March It covers the regulation of processing of personal data relating to living individuals who can be identified from the information. The aim of the Act is to balance the rights of individuals to privacy with the legitimate interests of organisations to process personal data. Who is responsible for enforcement? There is an Information Commission responsible for: Data Protection Freedom of Information What are the main requirements of the Act? To comply with 8 Data Protection principles To comply with data subjects rights To submit an annual Notification to the Information Commission What happens if an organisation does not comply? Individuals have the right to: Complain to the Information Commission if they think any of the Data Protection Principles have been breached Take action for compensation if they have suffered damage by any contravention of the Act It is a criminal offence: To fail to notify processing to the Information Commission To unlawfully obtain or sell personal data

3 Module 2: Glossary What is Data Subject? A data subject is a living individual to whom the personal data relates. If an individual has died or their details have been anonymised then their data does not fall within the Act. If you have anonymised the data and hold the key to the individual's identity then their data falls within the Act. What is Personal Data? Personal data is information where an individual is the main focus and it is of biographical significance. This includes opinions about them and other peoples' intentions towards them. All computerised data falls within the Act such as: computer files databases CCTV pictures Web pages photographs All manual data such as: paper files card index microfiche What is Processing? Processing is very widely defined and covers almost any action involving personal data. Examples include: Obtaining, Recording, Holding, Using, Destroying

4 Who is the Data Controller? The Data Controller is the organisation but the term also applies to any employee who is responsible for the processing of personal data. Under the Act, we all have a duty of care. What are Data Processors? A Data Processor is anyone who is not an employee of the organisation but who processes data on the organisationʼs behalf. Examples include: IT Consultants Couriers Cleaning contractors Recruitment agencies Storage companies Waste disposal firms

5 QA: Q1: Which of the following do you think falls within the definition of personal data? Medical records, Obituary or Statistics? Q2: Who is a living individual that personal data relates to? Data controller? Data subject? Data processor? (Go to the next page for the answers)

6 QA Answers: Q1: The answer is Medical Records. It's not Obituary as the person is dead. It's not Statistics when the data is anonymous. However, it falls within the Act if you hold the key to the anonymisation. Q2: The answer is Data Subject. A Data Subject is a living individual to whom personal data relates. The Data Controller is the organisation but the term also applies to any employee who is responsible for the processing of personal data. A Data Processor is anyone who is not an employee of the organisation but who processes data on the organisationʼs behalf.

7 Module 3: Data Protection Principles What are the Data Protection Principles? The 8 Data Protection Principles are: First Principle - Personal data shall be processed fairly and lawfully. Second Principle - Personal data shall be processed for specified purposes. Third Principle - Personal data shall be adequate, relevant and not excessive. Fourth Principle - Personal data shall be accurate and where necessary up-to-date. Fifth Principle - Personal data shall not be kept for longer than is necessary. Sixth Principle - Personal data shall be processed in accordance with data subject rights. Seventh Principle - Personal data must be kept secure. Eighth Principle - Transfers to countries outside the EEA are restricted.

8 First Principle The first principle is that personal data must be processed fairly and lawfully. What is meant by "fairly"? The Act has a Fair Processing Code, which requires that at the time of data collection the individual is informed of: The name of the organisation The purposes for processing the personal data Who the data will be disclosed to Anything else to make processing fair What is meant by "lawfully"? One of the following conditions must be met before processing takes place: The data subject has given consent It's necessary for the performance of a contract with the data subject Itʼs required under a legal obligation Itʼs necessary to protect the vital interests of the data subject Itʼs necessary for the administration of justice Itʼs necessary in order to pursue the legitimate interests of the data controller unless it prejudices the data subjectʼs rights What is sensitive personal data? Seven types of personal data have been designated as sensitive. Racial or ethnic origin Political opinions Religious beliefs Trade Union membership Physical and mental health Sex life Criminal matters What do I have to do to process sensitive personal data? There are nine conditions for processing sensitive data. One of these conditions must also be met before processing takes place.

9 For example: The data subject has given explicit consent Itʼs necessary to meet employment law obligations Itʼs necessary to protect the vital interests of the data subject Itʼs necessary for the administration of justice The data has deliberately been made public by the data subject Itʼs necessary for medical purposes and is undertaken by a health professional or equivalent What is meant by explicit consent? Proof of explicit consent must be obtained. Summary of First Principle This principle requires that processing is: Fair by providing a Fair Collection Notice at the time of collection. Lawful by meeting one condition of processing for ordinary personal data and, where appropriate, one additional condition of processing for sensitive personal data.

10 Second Principle The second principle is that personal data must be obtained for specified purposes and only processed in accordance with those purposes. Data should only be used for the purposes specified at the time of collection. If you wish to use data for a new purpose then the data subject should at least be informed. Example: A researcher would need to seek a patientʼs consent to take part in a survey. The GP or consultant could be asked to send an introductory letter. Third Principle The third principle is that personal data must be adequate, relevant and not excessive. Do not collect more than you need! Fourth Principle The fourth principle is that personal data must be kept accurate and, where necessary, up-to-date. Inaccuracy is something people can complain about. Check data entry is accurate Check data is kept up-to-date Example: HR sends you a print out of your personal details periodically and asks you to let them know of any amendments.

11 Fifth Principle The fifth principle is that personal data must be kept only for so long as is necessary for the specified purpose. Decide how long the data needs to be kept and routinely destroy data that is no longer of value Filter data that is to be archived and only keep what is needed Ensure that data destruction is confidential Recommended retention periods may be found in the JISC Study of the Records Lifecycle and also the University's records management pages. Sixth Principle The sixth principle is that personal data shall be processed in accordance with the rights of the data subject under the Act. This will be explained further in the Subject Rights section Seventh Principle Appropriate measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of data. This will be explained further in the Security module. Eighth Principle The eighth principle is that personal data shall not be transferred to a country outside of the EEA unless the country passes an Adequacy Test or exceptions apply. This will be explained further in the Transfer module.

12 Module 4 Subject Rights Reminder - The Sixth Principle The sixth principle is that personal data shall be processed in accordance with the rights of the data subject under the Act. What are data subject rights? Data subjects have the following rights: Access Accuracy To prevent processing likely to cause damage or distress To prevent direct marketing To prevent automated decision making To seek compensation For no third party access What is meant by access? An individual can make a subject access request for copies of all personal data held about them and ask to whom it has been disclosed. Remember An individual potentially has access to personal comments written about them. It is an offence to deliberately edit or destroy data once a request has been received. Who answers subject access requests at the organisation? Subject access requests must be referred immediately to the organisation's Data Protection Officer who will respond to the question within 40 calendar days. The request must be in writing The identity of the individual must be verified A maximum of 10 can be charged

13 Can a third party access personal data? NO! Generally there is no third party access unless it is in the vital interests of an individual. What about confidential references? An individual may ask to see a reference received by a data controller even if it is marked confidential. BUT references given by a data controller are exempt from access. Permission to disclose the reference to the data subject should be sought from the referee before a reference is released.

14 Module 5 Security Reminder - The Seventh Principle Appropriate measures must be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of data. What are appropriate security measures? The seventh principle concerns security and controlling access to data. To determine what is an appropriate level of security for data conduct a risk assessment: What is the nature of the data? Is it sensitive? What harm will be caused if it gets into the wrong hands or is misused? Who should have access to the data both internally and externally? Then consider what security measures should be applied. What about Data Processors? Responsibility for the security of data and the rights of data subjects remains with the Data Controller even when it is being processed on the organisation's behalf by a Data Processor. A contract must be held with a Data Processor which includes clauses outlining their obligations. BUT Data Processors acting on behalf of an organisation must have a clause in their contract outlining their Data Protection responsibilities. Contractors disposing of confidential data must have a clause in their contract ensuring that there will be security measures in place. Example: There have been stories in the news of medical records being found dumped by the roadside. A hospital would be equally liable with the waste disposal contractor for this breach.

15 Module 6 Transfer Reminder - The Eighth Principle The eighth principle is that personal data shall not be transferred to a country outside of the EEA unless that country passes an Adequacy Test or exceptions apply. Which are the EEA countries? EEA Countries Austria, Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, Netherlands, Portugal, Spain, Sweden, UK, Iceland, Lichtenstein, Norway, Czech Republic, Estonia, Cyprus, Hungary, Latvia, Lithuania, Slovakia, Slovenia, Poland Additional countries designated adequate by Information Commission Argentina, Canada, Guernsey, Isle of Man, Switzerland USA Safe Harbour Companies in the USA have to sign up to Safe Harbour principles individually. See the Information Commission website for further information. What is an Adequacy Test? Before a transfer outside the EEA takes place apply the Adequacy Test. To determine whether an adequate level of protection exists assess: The nature of the personal data Laws in force in the country of destination Security measures in place Purposes of processing

16 What are exceptions? Exceptions may also apply which allow data to be transferred outside the EEA: Consent of the data subject Performance of a contract with the data subject Substantial public interest Vital interest of data subject Legal proceedings World Wide Web Remember placing data on a website involves an international transfer to any country in the world and consent is required.

17 Summary We all have a duty of care under the Act. Good questions to ask yourself are: Am I treating someone elseʼs personal data in the way that I would want mine to be treated? Would someone be surprised to learn that I hold their personal data and the purpose for which I am processing it? What are they key points to remember? Conditions need to be met before processing can take place There are additional restrictions on processing sensitive data Adequate measures should be taken to ensure the integrity and security of information Written contracts should be held with Data Processors Transfers outside EEA countries should not take place unless there is adequate protection or a relevant exception Data subjects have various rights including o Right of access o Right to prevent processing o Right to sue for breach