An Introduction to the Data Protection Act
Introduction

In this course, you will learn:-
- about the key requirements of the Data Protection Act and how these may arise in your day to day role
- how the Data Protection Act affects how you handle data and what you can do with it
- to recognise key issues and common restrictions so you can anticipate issues before they arise

Introduction to the Data Protection Act

Transcript of audio slide

Data protection is a serious issue for Barnardo's. As the largest children's charity helping to improve children's lives, we deal with data on a regular basis. Often this data is sensitive and concerns the most vulnerable children in our society, who have gone through difficult and challenging issues which we need to help them with. As well as the information about children, young people, their parents and carers, we must process data about our own staff and volunteers, as well as the donors and funders who support our work, in order to meet our objectives. It is therefore essential that we as an organisation are aware of the rules and standards for protecting data that belongs to children as well as to the others involved in our work. Non-compliance with the Data Protection Act has legal as well as other consequences, which could compromise the trust of our service users and the confidence of those who support us, as you will see in this training course. Please take the time to read and understand the important information contained in it. Thank you.

Page 1 of 18
The Data Protection Act and what it means to you

This section of the course introduces you to data - what it is and the risks to Barnardo's when data is stored.

What does the Data Protection Act 1998 (DPA) cover?

The DPA governs the processing of personal data by organisations and grants rights to individuals. Processing includes, for example:-
- taking and storing photographs and/or videos
- use of CCTV and making and storing voice recordings
- creating/receiving emails or other correspondence
- storing/archiving a file or document for future use
- reading a file or document
- reviewing a file (paper or electronic)
- the recording of information via telephone calls
- the recording and updating of personal details (data)
What is data?

Data is any information that is processed by automated means, or information held in manual records (e.g. paper files and microfiche, provided that these are structured in such a way as to make information about particular individuals readily accessible). This means any information that is processed on computers, tablets, mobile devices, CCTV, cameras, voice recorders or paper records is subject to the DPA. It also includes information which is intended to be stored or processed by automated means. For example, if someone applies for a loan online, the website uses automated credit searching to provide an immediate yes/no decision on the application. It does not matter how the data was obtained; information provided via the internet, email, social media, post or written comments can all be classed as personal data.

What are the legal risks to Barnardo's?
- Financial penalties - a fine of up to £500,000
- Enforcement action, e.g. data processing activities may need to be modified or stopped
- Audit and/or investigation
- Officers and directors may be convicted of a criminal offence

What are the other risks to Barnardo's?
- Compromising the safety of individuals if data got into the wrong hands
- Damage to Barnardo's reputation, which could affect our ability to win contracts
- Compromising the public's trust in Barnardo's, including current and prospective donors
What is Personal Data?

Personal data is any data which relates to a living individual who:-
- can be identified from that data, or
- can be identified from any other data or information which, when combined, enables recognition (for example a surname and date of birth combined)

What is Sensitive Personal Data?

Sensitive personal data is a special sub-category of personal data and relates to:-
- racial or ethnic origin
- political beliefs
- religious or other beliefs
- trade union membership
- health
- sex

Sensitive personal data requires a higher level of protection, due to its sensitive nature and the greater risk of harm to the individual if it is improperly processed or disclosed.
So what personal data might Barnardo's process?

You may deal with data for at least one of the areas of work below, maybe more. Look at each section below for information on the data you might collect for these groups.

Staff and volunteers: age; CCTV footage; contact details; employee number; expressions of opinion about an individual; health, such as a staff member's medical condition or occupational health reports; name; race; religion.

Supporters and donors: bank account details; contact details; donor number; marketing preferences; medical information (e.g. of those running in the marathon); name; political affiliation; race; religion.

Service users: contact details; CCTV footage; ethnicity; information given by service users about themselves; information about physical or mental health; information about sexual activity; information from other people about the service user; name; photographs; professional opinions about service users; record of the work undertaken; religion.
The eight principles of the Data Protection Act explained

This section of the course explains each of the eight principles of the Data Protection Act and how it might affect you. All the principles are important, but the first principle (personal data must be processed fairly and lawfully) has particular relevance to how we work and therefore this section is the most detailed.

Data Protection Principles

Barnardo's must comply with the 8 Data Protection Principles.
- Principle 1: process personal data fairly and lawfully (including providing notice to individuals)
- Principle 2: process personal data only for the purpose(s) specified
- Principle 3: process personal data that is adequate, relevant and not excessive
- Principle 4: process personal data that is accurate and up-to-date
- Principle 5: process personal data only for as long as is necessary
- Principle 6: process personal data in accordance with the individual's rights
- Principle 7: process personal data in a safe and secure way
- Principle 8: only transfer personal data outside the European Economic Area (EEA) if adequate protection exists
Principle 1: Fairly and lawfully (Personal Data)

Principle 1 details how Barnardo's must process information fairly and lawfully. This means:-
- we must process personal and sensitive personal data legally
- we must be aware of how principle one affects the way we can collect data for our area of work
- we must provide notice to individuals that explains what we will use data for and how we will handle it
Principle 1: Fairly and lawfully (Personal Data)

Barnardo's must satisfy at least one legal condition in order to process personal data:-
- The individual has given their consent.
- The individual has a contract with Barnardo's.
- The processing is necessary in pursuance of the legitimate interests of Barnardo's. This condition is a balancing exercise between the interests of Barnardo's and individuals. The processing must be proportionate to Barnardo's legitimate interests and must not prejudice the rights and freedoms of affected individuals. So if there is a serious mismatch between Barnardo's interests and the individual's, the individual's legitimate interests will come first.

Principle 1: Fairly and lawfully (Sensitive Personal Data)

If Barnardo's processes sensitive personal data, it must satisfy an additional legal condition. The conditions most commonly used by Barnardo's are:-
- The individual has given their explicit consent
- The processing is necessary to comply with legal obligations in connection with employment
- The processing is necessary for the purpose of obtaining legal advice
- The processing is necessary in order to protect the vital interests of an individual (and consent cannot be obtained)

How does Principle 1 apply to the areas of work you are involved in?

Staff and volunteers: there must be legitimate interests in order to process contact details and photographs of staff/volunteers for the purposes of a staff contact directory, or the individual must have given consent for the data to be shared with a third party, for example a pension provider, HMRC, or solicitors as part of legal proceedings.

Supporters and donors: you must rely on consent for processing supporter and donor personal data where they have responded to a marketing campaign.

Service users: you must rely on legitimate interests or consent in order to maintain a record of the service provided, demonstrate to service users what has been achieved, record information required by regulators, commissioners and funders, and demonstrate quality of service (e.g. place a service user in a home or include them in an outreach programme).
Principle 1: Fairly and lawfully (Notice)

As part of the requirement to process personal data fairly and lawfully, Barnardo's must provide notice to individuals which tells them:-
- what Barnardo's is using their data for
- Barnardo's contact details
- how Barnardo's will safeguard the data
- whether Barnardo's will share the data outside of the European Economic Area (EEA)
- any recipients to whom data may be disclosed
- if the individual is being sent marketing communications, an opportunity to opt out
- any further information needed to make the processing fair

If Barnardo's does not inform individuals of this information, it may not be able to use the data as it wishes.
Principles 2 & 3: Specific and limited purposes

Principle 2: Purpose specified - personal data shall not be processed for another, unrelated purpose.

Principle 3: Adequate and relevant - personal data shall be adequate, relevant and not excessive.

This means you must:-
- have a valid and specific reason to process the data
- process the data for that purpose only
- only use data for the purpose for which you have told individuals (or you will need to get their further consent to process for additional purposes)

Principle 4: Data Quality

Personal data must be accurate and up-to-date. This means you must:-
- record data accurately
- not collect or record data because it might be useful in the future
- not record unprofessional or inappropriate personal remarks or opinions about individuals
- identify any professional opinions as such
- verify any information received from a third party where you have reason to doubt its accuracy
- ensure that where you are notified that information is inaccurate, you promptly correct it if appropriate

Principle 5: Data Retention

Only keep data for as long as is necessary for the specified purpose. This means there is no specific period for which you can retain data, but you must:-
- spring clean data storage systems, using organisational guidance on retention periods where this is in place
- not keep data for longer than necessary (this varies across departments and types of data); check with your line manager if you are unsure

Remember that when you hold data, you must comply with all the requirements of the DPA.

Principle 6: Individual Rights

Individuals have a number of rights under the DPA; these are:-
- An individual has the right to compensation if damage or distress is caused.
- An individual has the right to have inaccurate data corrected or deleted.
- An individual has the right to prevent processing for the purposes of direct marketing, where Barnardo's sends email, text or postal marketing communications to individuals.
- An individual has the right to prevent processing likely to cause damage or distress. For example, damage would be if Barnardo's processing of personal data causes financial loss or physical harm; distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
- An individual has the right to see what data is held about them, and Barnardo's must give this access within 40 days. This is called a Subject Access Request, and the Corporate and Children's Services Data Protection Policies explain what to do if you receive such a request. Ask your manager for a copy of this policy.

Principle 6: Individual Rights

On the previous page, one of the rights mentioned was the Subject Access Request. When a request is made, the individual has the right to be informed of:-
- the personal data about them an organisation is processing
- why the personal data is being processed
- whether and to whom the personal data is disclosed
- the source of the personal data (if available)
Principle 7: Security

Principle 7 of the DPA covers protection of personal data from unauthorised or accidental access, use, alteration or destruction. To comply you must:-
- store all electronic data on Barnardo's central IT systems or the approved systems of commissioners or partner agencies
- ensure that data is only sent to those who have a right to see it, using the correct address
- always use encryption when sending personal data by email to any external email address
- only use Barnardo's devices that are protected by passwords and encryption for temporary storage of data

Principle 7: Security (other things required as part of Barnardo's security measures)
- Ensure personal data is appropriately protected when it is transferred, for example by use of couriers, recorded delivery or electronic portals
- Only send personal information via fax if the recipient is present to receive it
- Keep paper copies of personal information in a locked cabinet when not being used
- Ensure confidential information removed from the office base is always kept secure
- Ensure hard copies of data, including photographs, are destroyed securely when no longer needed
Principle 8: Transfers Outside the European Economic Area (EEA)

Barnardo's must not transfer personal data outside of the EEA unless an adequate level of data protection exists. It's very easy to transfer personal data outside the EEA without even knowing you've done it. For example, free services on the Internet for storage or email may process personal data on servers outside the EEA. Some third party services that Barnardo's may wish to engage may transfer personal data outside the EEA (this should be considered prior to the third party being contracted by Barnardo's). Where you think that personal data may be transferred outside the EEA, additional safeguards are needed. Contact your Data Protection Manager if you suspect this might be the case (a link to a list is on the elearning page).

Introduction to the Data Protection Act

That's the end of the course. You should now know:-
- the key requirements of the Data Protection Act and how they may arise in your day to day role
- how the Data Protection Act can affect how you handle data and what you can do with it
- how to recognise key issues and common restrictions, and anticipate issues before they arise

You now need to complete and pass the DPA Assessment to demonstrate your understanding of the Data Protection Act.

Name:
Date of completion: