Dealing With Information Rights Concerns



Similar documents
Creative England are committed to being open and accessible and welcomes all comments on its work and the services that it provides.

Request under the Freedom of Information Act 2000 (FOIA)

Notification of data security breaches to the Information Commissioner s

Request under the Freedom of Information Act 2000 (FOIA)

Creating a sporting habit for life. Sport England Complaints Procedure

Request under the Freedom of Information Act 2000 (FOIA)

Request under the Freedom of Information Act 2000 (FOIA)

Request under the Freedom of Information Act 2000 (FOIA)

Data Protection Policy

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (FOIA) Decision notice

Islington Data Protection Policy. A council-wide information policy Version 1.1 June 2014

Request under the Freedom of Information Act 2000 (FOIA)

Request under the Freedom of Information Act 2000 (FOIA)

Request under the Freedom of Information Act 2000 (FOIA)

SUBJECT ACCESS REQUEST

Freedom of Information Act 2000 (FOIA) Environmental Information Regulations 2004 (EIR) Decision notice

Principles of Good Complaint Handling

Application to the Renaissance Major Grants programme - making a complaint

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

When things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer

HERTSMERE BOROUGH COUNCIL

DATA PROTECTION POLICY

12th January Dear Mr. Graham, Complaint: Internet Eyes

Access to Health Records

Request under the Freedom of Information Act 2000 (FOIA)

Rick Parsons Information Governance Officer County Hall

Subject access code of practice

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

FREEDOM OF INFORMATION REQUEST

Data Protection and Community Councils Briefing Note

Once more unto the breach... Dealing with Personal Data Security Breaches. Helen Williamson Information Governance Officer

Freedom of Information Act 2000 (FOIA) Decision notice

Policies and Procedures

An Easyread guide on how to deal with Nuisance phone calls and text messages. Northamptonshire Learning Disability Partnership Board

Freedom of Information: guidance for applicants

Freedom of Information Act 2000 (FOIA) Decision notice

Privacy and Electronic Communications Regulations

I would also be grateful to receive the name of the contact we should liaise with.

Data Protection Policy

Spectrum Housing Group, Spectrum House, Grange Road, Christchurch, Dorset, BH23 4GE. Dear Sir/Madam. Shared Ownership

FREEDOM OF INFORMATION REQUEST

Guidance on data security breach management

Freedom of Information Act 2000 (FOIA) Decision notice

Operating procedure. Managing customer contacts

Freedom of Information Act Section 14 (1) Refusal Notice - Vexatious Requests

Patient Information Whose information is it anyway? Your health records

Environmental Information Regulations POLICY STATEMENT

FREEDOM OF INFORMATION REQUEST

The first requirement of the Act is that we should confirm whether or not we hold information of the description set out in your request.

Data Protection Policy

Freedom of Information Act 2000 (FOIA) Decision notice

Criminal Injuries Compensation Authority. Data protection audit report

Request under the Freedom of Information Act 2000 (FOIA)

Customer Care and Service Standards

Asda Car Insurance. Terms of Business. money

FOI. Details of IT equipment and maintenance

Freedom of Information Policy Version 6.0

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (FOIA) Decision notice

Data protection. Credit explained

Freedom of Information Act 2000 (FOIA) Decision notice

Data Protection Act. Public Guide

FREEDOM OF INFORMATION REQUEST

If your complaint is concerning a funding application, we can only look at your application again if:

Thank you for your request for information regarding ACPO UAS Steering Group which has now been considered.

Data Protection Policy

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

What can I complain about?

Quick guide to the employment practices code

Clydebank Housing Association Ltd. Factoring Complaints Handling Procedure

Request under the Freedom of Information Act 2000 (FOIA)

Guidance for Access to Health Records Requests under the Data Protection Act 1998

Council accounts: a guide to your rights. Update July 2013

Request under the Freedom of Information Act 2000 (FOIA)

NHS Complaints Advocacy. A step by step guide to making a complaint about the NHS.

the ombudsman and smaller businesses

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (FOIA) Decision notice

Freedom of Information Act 2000 (Section 50) Decision Notice. Date: 02 June 2011

Freedom of Information Act 2000 (FOIA) Decision notice

The Immigration Services Commissioner s Complaints Scheme Complaints form

FREEDOM OF INFORMATION REQUEST

Request under the Freedom of Information Act 2000 (FOIA)

Request under the Freedom of Information Act 2000 (FOIA)

ATI 305. Freedom of Information Request- Fixed Telephony, Broadband and WAN Contract Information

Auditing data protection a guide to ICO data protection audits

The Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended. Monetary Penalty Notice. Dated: 22 September 2014

FREEDOM OF INFORMATION REQUEST

Freedom of Information Act 2000 (FOIA) Decision notice

Information Governance. and what it means for you

A practical guide to IT security

Request under the Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (Section 50) Decision Notice

What can I complain about? You can complain if you think that:

Transcription:

I Data Protection Act How we deal with complaints and concerns A guide for data controllers 1

Data Protection Act How we deal with complaints and concerns The ICO is the UK s independent public authority set up to uphold information rights. We provide a range of services to help us do this. These include dealing with information rights concerns raised by members of the public and using them to help improve the practices of those we regulate. This guidance explains how we deal with concerns raised with us that those responsible for processing personal information, known as data controllers, have not complied with the Data Protection Act 1998 (DPA). We deal with data protection concerns in line with our Information Rights Strategy. This means we take a case by case approach. We will consider the concerns raised with us and put most of our effort into dealing with matters we think will make the biggest difference to information rights practice, either in that case or to address a more systemic concern. Any action we take could take a variety of forms. In the most serious cases, we can serve monetary penalties of up to 500,000. What does the law say? Under section 42 of the DPA, any person who is, or believes that he is, directly affected by the processing of personal data, can ask the Information Commissioner to consider whether the processing is likely to comply with the law. On receiving such a request, the Commissioner is obliged to consider the concern and make an assessment. The Commissioner can do this in whichever way he or she believes is most appropriate. The Commissioner will usually share the view formed and any action taken as a result. Our approach Good information rights practice doesn t just mean complying with the law. Organisations that hold and process personal information should also be clear and open about their practices even when things go wrong. 2

If a member of the public is concerned about your information rights practices, we believe that you, as the organisation responsible, should deal with it. We expect you to respond to any information rights concerns you receive, clarifying how you have processed the individual s personal information in that case and explaining how you will put right anything that's gone wrong. How we deal with each concern we receive We will not usually look into an information rights concern about your organisation unless the member of the public concerned has first raised it with you. If it appears that they haven t, we will tell them to do so, pointing them to relevant advice to help them. If the member of the public has raised their concern with you, we will usually ask them for copies of: any relevant documents evidencing their concern, and the correspondence they have exchanged with you in an attempt to resolve it. We would expect this to include a clear explanation from you of the actions taken to address or respond to the concern. We will assign a case officer to the case, who will be your point of contact throughout any investigation we choose to undertake. It will be the case officer s job to decide (in conjunction with other ICO colleagues as necessary): whether or not your organisation has breached the DPA; and if so, whether we need take any action as a result. Deciding whether an organisation has breached the DPA We have considerable discretion when considering compliance with the DPA. We can choose to reach our decisions based solely on the information provided by the member of the public, if we think it appropriate. We will put more resource into reaching decisions if the matter appears to give us an opportunity to improve information rights practice. If it does not appear that you have breached the DPA, we will tell the member of the public and close the case. It is unlikely that we will contact you, as the matter is unlikely to give us an opportunity to improve information rights practice. However, we will always tell you if we think you have breached the DPA. 3

Deciding whether to take action There are a series of factors case officers will consider to help them initially assess the concern and consider the opportunity it may give us to improve information rights practice. These include (but are not limited to) the following: The severity of the potential breach The case officer will consider whether the matter is serious, in terms of the nature of the data affected, the number of people affected, and the effect (or likely effect) on the individual(s) concerned. The more serious the breach, the more likely it is we will take action in relation to it. How you have dealt with any related concern raised with you The case officer will consider how well you engaged with the member of the public, whether and how well you explained what happened and whether you made reasonable attempts to rectify any problems. The context The case officer will also consider any other relevant information we may hold about the matter, your organisation or your sector along with our own regulatory priorities. What does this mean for you as an organisation we regulate? If a member of the public raises a concern with you about your information rights practice, you should take it seriously. In most cases, we will use the explanation you gave to them to make our decision about whether you have complied with the DPA. As such, it is important that you demonstrate to your customers (and to us as the regulator) that you understand your information rights obligations. A good explanation of how you have applied the principles of the DPA can help avoid escalating disputes unnecessarily. Rather than simply referring the issue or individual to the ICO, you should retain ownership of the concerns raised and work with the member of the public to try to resolve matters. Helping you deal with concerns When dealing with an information rights concern you should review your information rights practices. To help you do this, we provide the following: 4

Guidance on our website to help you understand your information rights obligations. A helpline to give you the opportunity to ask questions and get advice. Informal visits or meetings to help you get things right. As a longer term measure, audits of business processes to help you ensure good practices for the future. If we think you have failed to comply with the DPA, but the breach was minor and does not provide a realistic opportunity to improve your general practices, we will tell you and keep the details on file. If we identify a possible opportunity for you to improve your information rights practice we will contact you. We will expect you to reconsider your practices and discuss with us how things can improve in future. If we write to you asking for more information or for your views, we will tell you when we expect your response. It is your responsibility to meet this deadline and make sure you have arrangements in place to allow you to cooperate fully with our investigation. If you think you won t be able to meet the deadline, you must tell the case officer immediately. Failure to reply to the ICO s enquiries can result in a formal information notice. It can also result in us making decisions on the case based purely on the information we already have. Taking action If we think the concern, or a pattern of concerns, raised with us provides an opportunity for you to improve your information rights practices, we will take appropriate action. This could take a variety of forms, depending on what we think would be most appropriate and effective in the circumstances. This could be giving advice about the way you respond to the public s information rights concerns, asking you to put right what went wrong in a particular case, asking you to produce an action plan to make improvements to information rights policies or taking more formal action in accordance with our Data protection regulatory action policy. This is not an exhaustive list. Any action or actions we recommend will depend on the circumstances of the case. We expect you to commit to any actions we recommend to improve your practices and to understand that if you fail to address poor practice, or cause substantial damage or distress through poor practice, we have the power to enforce the law and serve you with a monetary penalty. 5

Where we don t take direct action in response to an individual s concern, we will keep a record of it and use the information that we hold to inform future regulatory decisions. Understanding our priorities We want to be open about our work and so publish information about the action we take and the improvements made by organisations to their information rights practice. Self reporting incidents Organisations can also report incidents to us themselves, particularly regarding data security, to help make sure they take the right steps in response. For more information about how to decide whether to report an incident to us and how to do it, please see the Guidance on data security breach management on our website. Information requests about the case If we receive any requests for information about the case, we have a duty under the Freedom of Information Act 2000 (FOIA) to respond. It is in the public interest that we are open, transparent and accountable for the work that we do. It is also important that we do not undermine the trust and confidence of those who raise concerns with us. If you do have reasons why information sent to us in the course of an investigation should not be shared with anyone else, you should explain this to your case officer as part of your submission. Contacting us If you have any issues or outstanding queries about a case, contact your case officer. You will find their contact details on the correspondence they have sent. Feedback on our service We are committed to providing high standards of service to the public and making sure our work with those we regulate does not represent a disproportionate regulatory burden. All feedback about our service is valuable to us. Feedback about how those we regulate have been treated by the ICO helps us understand what we're doing well, need to put right or improve. If you think we should have done something differently in how we have handled a concern about your organisation, or how we have treated you, 6

you can let us know. For more information, please see 'What you can expect from the ICO'. 7

www.ico.org.uk Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: 0303 123 1113 Version 1 1 April 2014 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information