An Introduction to the Data Protection Act


Introduction

In this course, you will learn:
- About the key requirements of the Data Protection Act and how these may arise in your day to day role
- How the Data Protection Act affects what you can do with data and how you must handle it
- To recognise key issues and common restrictions so you can anticipate issues before they arise

Introduction to the Data Protection Act: Transcript of Audio slide

Data protection is a serious issue for Barnardo's. As the largest children's charity helping to improve children's lives, we deal with data on a regular basis. Often this data is sensitive and concerns the most vulnerable children in our society, who have gone through difficult and challenging issues which we need to help them with. As well as the information about children, young people, their parents and carers, we must process data about our own staff and volunteers as well as the donors and funders who support our work, in order to meet our objectives. It is therefore essential that we as an organisation are aware of the rules and standards for protecting data that belongs to children as well as the others involved in our work. Non-compliance with the Data Protection Act has legal as well as other consequences, which could compromise the trust of our service users and the confidence of those who support us, as you will see in this training course. Please take the time to read and understand the important information contained in it. Thank you.

The Data Protection Act and what it means to you

This section of the course introduces you to data: what it is and the risks to Barnardo's when data is stored.

What does the Data Protection Act 1998 (DPA) cover?

The DPA governs the processing of personal data by organisations and grants rights to individuals. Examples of processing include:
- Taking and storing photographs and/or videos
- Use of CCTV and making and storing voice recordings
- Creating/receiving emails or other correspondence
- Storing/archiving a file or document for future use
- Reading a file or document
- Reviewing a file (paper or electronic)
- The recording of information via telephone calls
- The recording and updating of personal details (data)

What is data?

Data is any information that is processed by automated means, or information held in manual records (e.g. paper files and microfiche, provided that these are structured in such a way as to make information about particular individuals readily accessible). This means any information that is processed on computers, tablets, mobile devices, CCTV, cameras, voice recorders or paper records is subject to the DPA. It also includes information which is intended to be stored or processed by automated means. For example, if someone applies for a loan online, the website uses automated credit searching to provide an immediate yes/no decision on the application. It does not matter how the data was obtained; information provided via the internet, email, social media, post or written comments can all be classed as personal data.

What ARE the legal risks to Barnardo's?
- Financial penalties: a fine of up to £500,000
- Enforcement action, e.g. data processing activities may need to be modified or stopped
- Audit and/or investigation
- Officers and directors may be convicted of a criminal offence

What ARE the other risks to Barnardo's?
- Compromising the safety of individuals if data got into the wrong hands
- Damage to Barnardo's reputation, which could affect our ability to win contracts
- Compromising the public's trust in Barnardo's, including current and prospective donors

What is Personal Data?

Personal Data is any data which relates to a living individual who:
- can be identified from that data, or
- can be identified from any other data or information which, when combined, enables recognition (for example a surname and date of birth combined)

What is Sensitive Personal Data?

Sensitive personal data is a special sub-category of personal data and relates to:
- racial or ethnic origin
- political beliefs
- religious or other beliefs
- trade union membership
- health
- sex

Sensitive personal data requires a higher level of protection, due to its sensitive nature and the greater risk of harm to the individual if it is improperly processed or disclosed.

So what personal data might Barnardo's process?

You may deal with data for at least one of the areas of work below, maybe more. Look at each section below for information on the data you might collect for these groups.

- Age; CCTV footage; contact details; employee number; expressions of opinion about an individual; health, such as a staff member's medical condition or occupational health reports; name; race; religion.
- Bank account details; contact details; donor number; marketing preferences; medical information (e.g. of those running in the marathon); name; political affiliation; race; religion.
- Contact details; CCTV footage; ethnicity; information given by service users about themselves; information about physical or mental health; information about sexual activity; information from other people about the service user; name; photographs; professional opinions about service users; record of the work undertaken; religion.

The eight principles of the Data Protection Act explained

This section of the course explains each of the eight principles of the Data Protection Act and how it might affect you. All the principles are important, but the first principle (personal data must be processed fairly and lawfully) has particular relevance to how we work and therefore this section is the most detailed.

Data Protection Principles

Barnardo's must comply with the 8 Data Protection Principles:
- Principle 1: process personal data fairly and lawfully (including providing notice to individuals)
- Principle 2: process personal data only for the purpose(s) specified
- Principle 3: process personal data that is adequate, relevant and not excessive
- Principle 4: process personal data that is accurate and up-to-date
- Principle 5: process personal data only for as long as is necessary
- Principle 6: process personal data in accordance with the individual's rights
- Principle 7: process personal data in a safe and secure way
- Principle 8: process personal data by only transferring it outside the European Economic Area (EEA) if adequate protection exists

Principle 1: Fairly and lawfully (Personal Data)

Principle 1 details how Barnardo's must process information fairly and lawfully. This means:
- we must process personal and sensitive personal data legally
- we must be aware of how principle one affects the way we can collect data for our area of work
- we must provide notice to individuals that explains what we will use data for and how we will handle it

Principle 1: Fairly and lawfully (Personal Data)

Barnardo's must satisfy at least one legal condition in order to process personal data:
- The individual has given their consent.
- The individual has a contract with Barnardo's.
- The processing is necessary in pursuance of the legitimate interests of Barnardo's. This condition is a balancing exercise between the interests of Barnardo's and individuals. The processing must be proportionate to Barnardo's legitimate interests and must not prejudice the rights and freedoms of affected individuals. So if there is a serious mismatch between Barnardo's interests and the individual's, the individual's legitimate interests will come first.

Principle 1: Fairly and lawfully (Sensitive Personal Data)

If Barnardo's processes sensitive personal data, it must satisfy an additional legal condition. The most commonly used by Barnardo's are:
- The individual has given their explicit consent
- The processing is necessary to comply with legal obligations in connection with employment
- The processing is necessary for the purpose of obtaining legal advice
- The processing is necessary in order to protect the vital interests of an individual (and consent cannot be obtained)

How does Principle 1 apply to the areas of work you are involved in?

- There must be legitimate interests in order to process contact details and photographs of staff/volunteers for the purposes of a staff contact directory, or the individual has given consent for the data to be shared with a third party, for example a pension provider, HMRC, or a solicitor as part of legal proceedings.
- You must rely on consent for processing supporters' and donors' personal data where they have responded to a marketing campaign.
- You must rely on legitimate interests or consent in order to maintain a record of the service provided, demonstrate to service users what has been achieved, record information required by regulators, commissioners and funders, and demonstrate quality of service (e.g. place a service user in a home or include them in an outreach programme).

Principle 1: Fairly and lawfully (Notice)

As part of the requirement to process personal data fairly and lawfully, Barnardo's must provide notice to individuals which tells them:
- What Barnardo's is using their data for
- Barnardo's contact details
- How Barnardo's will safeguard the data
- Whether Barnardo's will share the data outside of the European Economic Area (EEA)
- Any recipients to whom data may be disclosed
- If the individual is being sent marketing communications, an opportunity to opt out
- Any further information to make the processing fair

If Barnardo's does not inform individuals of this information, it may not be able to use the data as it wishes.

Principles 2 & 3: Specific and limited purposes

Principle 2: Purpose specified. Personal data shall not be processed for another, unrelated purpose.

Principle 3: Adequate and relevant. Personal data shall be adequate, relevant and not excessive.

This means you must:
- have a valid and specific reason to process the data
- process the data for that purpose only
- only use data for the purpose for which you have told individuals (or you will need to get their further consent to process for additional purposes)

Principle 4: Data Quality

Personal data must be accurate and up-to-date. This means you must:
- record data accurately
- not collect or record data because it might be useful in the future
- not record unprofessional or inappropriate personal remarks or opinions about individuals
- identify any professional opinions as such
- verify any information received from a third party where you have reason to doubt its accuracy
- ensure that where you are notified that information is inaccurate you promptly correct it, if appropriate

Principle 5: Data Retention

Only keep data as long as is necessary for the specified purpose. This means there is no specific period for which you can retain data, but you must:
- Spring clean data storage systems using organisational guidance on retention periods where this is in place.
- Not keep data for longer than necessary (this varies across departments and types of data); check with your line manager if you are unsure.
- Remember that when you hold data, you must comply with all the requirements of the DPA.

Principle 6: Individual Rights

Individuals have a number of rights under the DPA; these are:
- An individual has the right to compensation if damage or distress is caused.
- An individual has the right to have inaccurate data corrected or deleted.
- An individual has the right to prevent processing for the purposes of direct marketing, where Barnardo's sends email, text or postal marketing communications to individuals.
- An individual has the right to prevent processing likely to cause damage or distress. For example, damage would be if Barnardo's processing of personal data causes financial loss or physical harm; distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
- An individual has the right to see what data is held about them, and Barnardo's must give this access within 40 days. This is called a Subject Access Request, and the Corporate and Children's Services Data Protection Policies explain what to do if you receive such a request. Ask your manager for a copy of this policy.

Principle 6: Individual Rights (Subject Access Request)

On the previous page, one of the rights mentioned was the Subject Access Request. When a request is made, the individual has the right to be informed of:
- the personal data about them an organisation is processing
- why personal data is being processed
- whether and to whom the personal data is disclosed
- the source of the personal data (if available)

Principle 7: Security

Principle 7 of the DPA covers protection of personal data from unauthorised or accidental access, use, alteration or destruction. To comply you need to:
- Store all electronic data on Barnardo's central IT systems or the approved systems of commissioners or partner agencies
- Ensure that data is only sent to those who have a right to see it, using the correct address
- Always use encryption when sending personal data by email to any external email address
- Only use Barnardo's devices that are protected by passwords and encryption for temporary storage of data

Principle 7: Security (other things required as part of Barnardo's security measures)
- Ensure personal data is appropriately protected when it is transferred, for example by use of couriers, recorded delivery or electronic portals
- Only send personal information via fax if the recipient is present to receive it
- Keep paper copies of personal information in a locked cabinet when not being used
- Ensure confidential information removed from the office base is always kept secure
- Ensure hard copies of data, including photographs, are destroyed securely when no longer needed.
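As an added illustration of the email rule under Principle 7 (this is example code written for this page, not part of the original course and not Barnardo's own mail system), the following Python routine applies the policy to outbound messages: personal data addressed to anyone outside the organisation's own domains must be encrypted, and a message with a malformed or missing recipient cannot have been sent "to the correct address". The internal domain names, the message model and the sample messages are all constructed placeholders.

```python
"""Outbound email policy check for Principle 7 (added example; not from the
original course). The organisation's own domains below are constructed
placeholders, as are the sample messages at the bottom."""

from dataclasses import dataclass

# Constructed placeholder: addresses at these domains (or their subdomains)
# count as internal; everything else is external.
INTERNAL_DOMAINS = frozenset({"example.org", "mail.example.org"})


@dataclass
class OutboundMessage:
    """Minimal model of a message about to leave the mail system."""
    recipients: list[str]
    contains_personal_data: bool
    encrypted: bool = False


def _domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """An address is external unless its domain is one of ours or a subdomain of one.
    Unparseable addresses are treated as external so the check fails closed."""
    domain = _domain_of(address)
    if not domain:
        return True
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def check_outbound(msg: OutboundMessage, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return the policy violations for one message; an empty list means it may be sent.

    Rules applied, taken from Principle 7 as stated in the course:
      * personal data to any external address must be encrypted;
      * every recipient must be a well-formed address (no recipient, or a
        malformed one, cannot be 'the correct address').
    """
    violations: list[str] = []
    if not msg.recipients:
        violations.append("no recipients")

    malformed = [r for r in msg.recipients if not _domain_of(r)]
    for r in malformed:
        violations.append(f"malformed recipient address: {r!r}")

    # Only well-formed addresses are classified; malformed ones are already flagged.
    external = sorted({r for r in msg.recipients
                       if r not in malformed and is_external(r, internal_domains)})
    if msg.contains_personal_data and external and not msg.encrypted:
        violations.append(
            "personal data sent unencrypted to external recipient(s): " + ", ".join(external)
        )
    return violations


if __name__ == "__main__":
    # Constructed sample messages.
    samples = {
        "internal only": OutboundMessage(["casework@example.org"], True),
        "external, encrypted": OutboundMessage(["partner@partner-agency.test"], True, encrypted=True),
        "external, unencrypted": OutboundMessage(["a@example.org", "b@partner-agency.test"], True),
        "malformed recipient": OutboundMessage(["not-an-address"], True),
    }
    for name, m in samples.items():
        print(f"{name}: {check_outbound(m) or 'OK'}")
```

The check is deliberately conservative: an address it cannot parse is treated as external, so a typo in a recipient never silently downgrades the message to "internal, no encryption needed". In practice this kind of rule sits in a mail gateway or DLP filter rather than in the sender's hands, so that the encryption requirement is enforced rather than remembered.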

Principle 8: Transfers Outside the European Economic Area (EEA)

Barnardo's must not transfer personal data outside of the EEA unless an adequate level of data protection exists. It's very easy to transfer personal data outside the EEA without even knowing you've done it. For example, free services on the Internet for storage or email may process personal data on servers outside the EEA. Some third party services that Barnardo's may wish to engage may transfer personal data outside the EEA (this should be considered prior to the third party being contracted by Barnardo's). Where you think that personal data may be transferred outside the EEA, additional safeguards are needed. Contact your Data Protection Manager if you suspect this might be the case (a link to a list is on the elearning page).

Introduction to the Data Protection Act: Summary

That's the end of the course. You should now know:
- The key requirements of the Data Protection Act and how they may arise in your day to day role
- How the Data Protection Act can affect how you handle data and what you can do with it
- How to recognise key issues and common restrictions, and anticipate issues before they arise

You now need to complete and pass the DPA Assessment to demonstrate your understanding of the Data Protection Act.

Name:
Date of completion: