Data Protection Act 1998
NICVA, 27 October 2011
Nigel Treanor
Mission Statement
The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
ICO’s Role
Enforce and regulate
– Freedom of Information Act
– Environmental Information Regulations
– Data Protection Act
– Privacy and Electronic Communications Regulations
Provide information to individuals and organisations
Adjudicate on complaints
Promote good practice
Information Concerns
Recognition by the public that Data Protection is relevant to the following areas:
Preventing crime
Protecting people’s personal information
Unemployment (2004 - 50%, by 2009 - 93%)
The National Health Service (2004 - 78%, by 2009 - 90%)
National security
Environmental issues
Equal rights for everyone
Improving standards in education
Protecting freedom of speech
Access to information held by public authorities
Background
Royston House DFP
HMRC
November 2007
Health Data
Street View
North Lanarkshire Council
Causes of Reported Data Loss
[Pie chart: categories shown are Disclosed in Error, Lost Data/Hardware, Lost in Transit, Non-secure Disposal, Stolen Data/Hardware, Technical/Procedural and Other; the percentage labels on the chart are 31%, 24%, 24%, 8%, 7%, 3% and 3%, but which value belongs to which category is not recoverable from the transcript.]
Charities and ICO Enforcement
Charities breached data rules over unencrypted computer thefts
Sheffield-based charity Asperger’s Children and Carers Together (ACCT)
Nottingham-based charity Wheelbase Motor Project
Both breached the Data Protection Act by failing to encrypt computers that contained sensitive information relating to young people (80 children and 50 young people).
Both incidents occurred when the devices were stolen.
Data Protection Act 1998
The Data Protection Act gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is held and handled properly.
Charitable groups and Data Protection Act –
Examples of areas that are covered
Human resource information
Holding service user/volunteer/staff information
Sharing service user/volunteer/staff details
Service users or staff requesting their personal data
Direct marketing and promotional campaigns
Redundancy and employment issues
Information security
Retention periods
Database management and accuracy
Photographs of service users, volunteers or staff
CCTV images and video footage
Data Protection Act 1998
An Act to regulate the processing of information about individuals
Drawn from European Directive 95/46/EC
“Reserved” matter in Northern Ireland
Provides rights for individuals and sets out responsibilities for data controllers
8 Data Protection Principles provide a framework for handling personal data
Eight Principles of DPA
The Data Protection Act states that anyone who processes personal information must comply with eight principles, which make sure that personal information is:
– Fairly and lawfully processed
– Processed for limited purposes
– Adequate, relevant and not excessive
– Accurate and up to date
– Not kept for longer than is necessary
– Processed in line with your rights
– Secure
– Not transferred to other countries without adequate protection
And all data controllers must comply with the principles.
Definitions
Personal Data means data which relate to a living individual who can be identified
– from those data, or
– from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
– and includes any expression of opinion about the individual or any other person in respect of that individual and any indication of the intentions of the data controller or any other person in respect of that individual.
Relevant Filing System/Accessible Record
Processing is a compendious (deliberately broad) definition covering obtaining, recording, consultation, use, disclosure, destruction or carrying out any operation or set of operations on the information or data.
Definitions – Sensitive Personal Data
Sensitive Personal Data means personal data where content relates to:
Racial and ethnic origin
Political opinions
Religious or other beliefs
Trade union membership
Physical or mental health
Sexual life
Criminal convictions/alleged offences
Sensitive Personal Data are subject to extra safeguards before they can be processed.
Definitions
Data Subject - means an individual who is the subject of personal data.
Data Controller - means any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor - in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
What this means for the individual
How to Access Information
This allows you to find out what information is held about you on a computer and within some manual records, such as medical records, files held by public bodies and financial information held by credit reference agencies.
Correcting Information
This allows you to apply to a court to order a data controller to correct, block, remove or destroy personal details if they are inaccurate or contain expressions of opinion based on inaccurate information.
Preventing Processing of Information
This means you can ask a data controller not to process information about you that causes substantial unwarranted damage or distress. The data controller is not always bound to act on the request.
Preventing Unsolicited Marketing
This means a data controller is required not to process information about you for direct marketing purposes if you ask them not to. For example, you have the right to stop unsolicited mail.
What this means for the individual
Preventing Automated Decision Making
This means you can object to decisions made only by automatic means, that is, where there is no human involvement.
Claiming Compensation
This allows you to claim compensation through the courts from a data controller for damage, and in some cases distress, caused by any breach of the Act.
Exempt Information
This allows you to ask the ICO to investigate and assess whether the data controller has breached the Act. Please read our how to complain section, which explains how to do this.
Notification
Notification is a statutory requirement and every organisation that processes personal information must notify the Information Commissioner’s Office (ICO), unless they are exempt. Failure to notify is a criminal offence.
Notification is the process by which a data controller gives the ICO details about their processing of personal information. The ICO publishes certain details in the register of data controllers, which is available to the public for inspection.
Notification Helpline: 0303 123 1113 (Mon-Fri 9am-5pm)
Changes to the notification fee structure came into effect on 1 October 2009. The fee structure is now tiered to reflect the costs to the ICO of regulating data controllers of different sizes.
Fair Processing Notice
An oral or written statement that individuals are given when information is being collected.
A Privacy Notice should tell people who you are, what you are going to do with the information and who it will be shared with.
It can go further and include access rights and security arrangements.
A Privacy Notice should be genuinely informative.
A Privacy Notice which is legalistic or drafted with the primary objective of indemnifying an organisation is unlikely to achieve this objective.
Right of Access (Subject Access Request)
A request for access must be received in writing.
A request covers finding out whether personal data are processed and, if so (within 40 days):
– providing a description of the personal data processed, of the purpose of the processing and of any recipient or classes of recipients
– providing a copy of the information constituting the personal data in an intelligible form, and providing information about the source, if available
– providing information about any automated decision that significantly affects the Data Subject.
Right of Access: the data controller has to consider…
Identification of Data Subject and seeking assistance from Data Subject to locate the personal data
Any exemption which may apply (eg prevention of crime)
Deciding whether it is reasonable to disclose third party information. If consent of the other individual has been obtained, there should be no problem revealing the information.
In the absence of consent of the other individual, the test of “reasonableness” needs consideration (e.g. any duty of confidence to the other individual; whether consent has been refused; whether consent can in practice be obtained; steps taken to obtain consent).
Removal of the minimum amount of information which identifies another individual - in some circumstances this could be just the name of the other individual.
What it means for charities
Heading in the right direction?
– Do I really need this information about an individual? Do I know what I'm going to use it for?
– Do the people whose information I hold know that I've got it, and are they likely to understand what it will be used for?
– If I'm asked to pass on personal information, would the people about whom I hold information expect me to do this?
– Am I satisfied the information is being held securely, whether it's on paper or on computer? And what about my website? Is it secure?
– Is access to personal information limited to those with a strict need to know?
– Am I sure the personal information is accurate and up to date?
– Do I delete or destroy personal information as soon as I have no more need for it?
– Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
– Do I need to notify the Information Commissioner and if so is my notification up to date?
Section 55 & ‘The Blagging Offence’
“55 (1) A person must not knowingly or recklessly, without the consent of the data controller –
– obtain or disclose personal data or the information contained in personal data, or
– procure the disclosure to another person of the information contained in the personal data”
Reporting Data breaches
At present, there is no law expressly requiring you to notify a breach, but sector-specific rules may lead you towards issuing a notification to the ICO.
The ICO has issued guidance on data security breach management and guidance on reporting a data breach to the ICO (available at www.ico.gov.uk).
But... revisions to Directive 2002/58/EC (the Directive on Privacy and Electronic Communications) in relation to compulsory breach reporting.
Changes to the Law
Significant losses of personal data in 2007/8
Existing powers deemed inadequate
Public calls for criminal offence
Criminal Justice and Immigration Act s 77 - power for the Secretary of State to alter the penalty for unlawfully obtaining personal data
Preferred option was power to impose a Monetary Penalty – civil sanction
New power inserted into section 55 of Data Protection Act 1998 by section 144 of the Criminal Justice and Immigration Act 2008 (CJIA)
Main features
– ICO may serve a Monetary Penalty Notice on a data controller requiring payment of a Monetary Penalty which must not exceed £500,000
– Applies to all data controllers in the private, public and voluntary sectors except the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3) DPA 1998 (Royal Household)
Specific requirements
Before the ICO can impose a Monetary Penalty it has to be satisfied under section 55A DPA 1998 that:
– There has been a serious contravention of data protection principles by the data controller,
– The contravention was of a kind likely to cause substantial damage or substantial distress and either…
Specific requirements continued
– The contravention was deliberate, or
– The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention
First Monetary Penalty Notices
(i) Hertfordshire County Council - £100,000 penalty (Nov 2010)
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/hertfordshire_cc_monetary_penalty_notice.ashx
(ii) A4e Ltd - £60,000 penalty (Nov 2010)
http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/a4e_monetary_penalty_notice.ashx
Second Monetary Penalty Notices February 2011
Ealing Council - £80,000 and Hounslow Council £70,000
Two laptops containing the details of around 1,700 individuals were stolen from an employee’s home. Almost 1,000 of the individuals were clients of Ealing Council and almost 700 were clients of Hounslow Council. Both laptops were password protected but unencrypted, despite this being in breach of both councils’ policies. There is no evidence to suggest that the data held on the computers has been accessed and no complaints from clients have been received by the data controllers to date, but there was nevertheless a significant risk to the clients’ privacy.
Ealing Council breached the Data Protection Act by issuing an unencrypted laptop to a member of staff in breach of its own policies. This method of working had been in place for several years and there were insufficient checks that relevant policies were being followed or understood by staff.
Hounslow Council breached the Act by failing to have a written contract in place with Ealing Council. Hounslow also did not monitor Ealing Council’s procedures for operating the service securely.
Misdirected Emails – June 2011
ICO served Surrey County Council with a monetary penalty for a serious breach of the Data Protection Act after sensitive personal information was emailed to the wrong recipients on three separate occasions.
The first, and most significant, of the three incidents took place on 17 May last year. A member of staff working for one of the council’s Adult Social Care Teams emailed a file containing sensitive personal information relating to 241 individuals’ physical and mental health to the wrong group email address.
The group email address included a large number of transportation companies, including taxi firms, coach and mini bus hire services. The council attempted to recall the email, but was later unable to confirm that all the recipients had destroyed it. As the information was not encrypted or password protected, it had the potential to be viewed by a significant number of unauthorised individuals.
Misdirected Emails - £120,000
A second misdirected email, sent on 22 June 2010, led to confidential personal data relating to a number of individuals being mistakenly emailed to over one hundred unintended recipients who had, in fact, registered to receive a council newsletter.
In a third incident, the council’s Children Services department sent confidential sensitive information, which included data relating to an individual’s health, to the wrong internal group email address on 21 January 2011. While the data did not leave the council’s network this breach led to sensitive data being circulated to individuals who should not have received it.
The penalty of £120,000 recognises the council’s failure to ensure that it had appropriate security measures in place to handle sensitive information.
Information Sharing Code of Practice
Sharing Of Personal Data – Issues to consider:
• Do you have the power or legal provisions to share the information?
• What is the sharing intended to achieve?
• Do you need to share personal data?
• What information needs to be shared?
• When should it be shared?
• Who does it need to be shared with?
• How should it be shared?
• What benefits are sought from the proposed sharing?
• What risks are there?
• What are the likely effects on individuals/society?
• Consider the consequences of not sharing.
• Consent? Choice? Transparency?
• Make the citizen/client/consumer the focus of the decision.
Advice and Guidance
Information Commissioner’s Office
51 Adelaide Street
Belfast
BT2 8FE
Tel. 02890 269380
Fax. 02890 269388
Website: www.ico.gov.uk
Enquiries by email: [email protected]
Notification Team – 0303 123 1113
(Mon-Fri 9am to 5pm)
www.twitter.com/iconews
Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on…