General Data Protection Regulation GDPR 101 training v1.0

Upload: phamthu

Post on 19-Jul-2018

TRANSCRIPT

General Data Protection Regulation GDPR – 101 training v1.0

Opening and Introduction

Learning Objectives

At the end of today’s session, participants will:

• Have a working knowledge of GDPR concepts and specifics for key requirements.

• Understand GDPR data protection principles and applicability.

• Understand how the GDPR will directly affect the HSE.

• Understand the overall HSE approach to GDPR.

• Be ready to start to plan for GDPR in service lines.


What is the GDPR?

• Stands for “General Data Protection Regulation”

• Created to provide the utmost protection of an individual’s personal information

• Replaces EU Data Protection Directive

• Creates uniform data protection law through EU’s 28 Member States (with limited exceptions)

GDPR reinforces the core principles of current data protection legislation and adds more protection for service users, current, past and prospective employees.

Background

• 13% of the queries received last year by the DPC in Ireland were health-related

• 52% (1272) of the complaints to the DPC in 2017 were to do with Access Rights

• 58% of Data Breaches reported to the DPC in 2017 were from the Public Sector

• 82% of Public Sector Breaches were due to unauthorised disclosure (non-electronic)

• 20 Hospitals were investigated by the Data Protection Commissioner (DPC) in 2017

Timeline of data protection legislation:

• 1988 – Data Protection Act: Ireland issues legislation to protect privacy of individuals with regards to personal data.

• 1995 – EU Data Protection Directive: EU issues a directive to protect individuals with regards to processing of personal data.

• 2003 – Data Protection (Amendment) Act: Ireland issues an amending act to pass the 1995 EU Directive into Irish law.

• 2016 – GDPR Published: Following years of negotiation, EU publishes the GDPR. It includes 2 years for transition to compliance.

• May 25th 2018 – GDPR enforced: General Data Protection Regulation will be enforced by the Data Protection Commissioner.

Extract from ODPC Annual Report

Current State

What is the current state of Data Protection within the HSE?

Current Data Protection policy is DATA PROTECTION – IT’S EVERYONE’S RESPONSIBILITY:

• References data protection acts 1988 and 2003

• No creation or revision dates / version number

Current Setup:

• Regional DPO’s who deal with SAR’s, breaches and FOI requests.

• NB OoCIO are first port of call for electronic data breaches AND Consumer Affairs DPO

• Each Service line is responsible for their own Data Protection.

• Service lines currently report into a regional DPO, depending on their area:

– Liam Quirke – West & South (South currently being recruited)

– Debbie Keyes – Dublin Mid Leinster

– Rosalie Smith Lynch – Dublin North East

Understanding the GDPR requirements

What is personal data?

Personal data is any information about a person or information from which a person could be identified.

All of the following are considered personal data:

• John Murphy

• [email protected]

• PPS Number 1234567a

• @johnmurphy10

• John Murphy, No. 1 Cork Rd, Dublin

What is a SAR?

A SAR is a request from a service user or a current, past or prospective employee for access to a copy of any record held by the HSE that contains their personal data. A SAR can also contain a request for the details of data processing carried out.

Some categories of Personal Data pose a bigger risk to an individual if they are wrongly disclosed. These are known as special categories of personal data and extra care must be taken when handling them.

The following are special categories of Personal Data:

• Health related data

• Genetic or biometric data

• Trade union membership status

• Racial or ethnic origin

• Political opinions

• Religious or philosophical beliefs

• Sex life/Sexual orientation

GDPR and You

• It is your responsibility to be extremely careful when dealing with personal data – a breach of policy could lead to disciplinary action

• Only ask for data you need and get it fairly

• Only use data for the purpose that you obtained it for

• Keep data secure

• Don’t keep data for longer than you need to

• Don’t disclose data to unauthorised third parties

• Never leave paper files or electronic devices unattended

• Dispose of data appropriately

Contact the data protection team immediately if:

• You receive a subject access request (SAR)

• You think a data breach may have occurred

GDPR and the HSE

• Routine data-protection impact assessments (DPIAs) for all processing involving sensitive personal data and for any technology change

• Irish government Bill (soon to be Data Protection Act 2018): public bodies can be fined up to €1,000,000

• 1 month to respond (was 40 days) to Subject Access Requests (SAR), no fee needed

• Number of SAR’s expected to increase by 25-40%

• Compensation rights for material and non-material damages

GDPR provides data protection rights for all ‘living’ people. It specifies:

• Mandatory data inventory and record keeping of all internal and third-party processing

• Mandatory data-breach notification to regulator (72 hours) and the individuals whose information is compromised following information-security failures

• Comprehensive individual rights to access, correct, port, and object to the processing of their data

• Full transparency with regards to processing

Limit, Protect and Respect

Limit

Data Minimisation – Ask yourself how much data you need to collect for the purpose in mind and collect as little as necessary.

Purpose Limitation – Only use the data you have collected for the exact reason it was collected.

Data Retention – Only keep data for as long as needed or required. Our Records Retention Policy can help with this.

Anonymisation – Use anonymised data where possible, for example if you have a list of names and birthdays, if you remove the names an individual cannot be identified by the dates so the birthdays are no longer personal data.

Pseudonymisation – Use pseudonymisation where full anonymisation is not possible. Pseudonymisation is when personal data, such as a name, is replaced with a reference to the data. The only way to identify someone from the pseudonymised data is with the list of pseudonyms. This list of pseudonyms must be strictly protected.
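The Limit principles above draw a line between anonymisation (the identifying field is removed and nothing can link the row back to a person) and pseudonymisation (the name is replaced by a reference, and only the protected list of pseudonyms can resolve it). The following Python script is an added illustration of that distinction; it is not part of the original training deck or any HSE tooling, and the records, the HMAC key and the PSN- token format are constructed for the example.

```python
"""Added example: anonymisation vs pseudonymisation of a small record set.

Constructed records and keys only; none of this is HSE code or data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people).
RECORDS = [
    {"name": "Aoife Byrne", "dob": "1984-03-12", "ward": "Ward 4"},
    {"name": "Sean Walsh", "dob": "1979-11-30", "ward": "Ward 2"},
    {"name": "Aoife Byrne", "dob": "1984-03-12", "ward": "Ward 6"},
]


def anonymise(records, identifying_fields=("name",)):
    """Anonymisation: drop the identifying fields outright.

    Nothing is kept that would let anyone link a row back to a person,
    so the output is no longer personal data (the birthdays-only case
    described in the text).
    """
    return [
        {k: v for k, v in r.items() if k not in identifying_fields}
        for r in records
    ]


class Pseudonymiser:
    """Pseudonymisation: replace the name with a stable reference.

    The HMAC key and the lookup table together are the 'list of pseudonyms'
    the text says must be strictly protected: whoever holds them can
    re-identify, whoever does not cannot. They live on this object and are
    never written into the records themselves.
    """

    def __init__(self, key=None):
        # Assumed to be held by the data protection team, apart from the data.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # pseudonym -> real name

    def pseudonym_for(self, name):
        # Keyed hash: the same name always maps to the same token (rows stay
        # linkable for care or research), but without the key the token can
        # neither be reversed nor regenerated from a guessed name.
        digest = hmac.new(self._key, name.encode("utf-8"), hashlib.sha256)
        token = "PSN-" + digest.hexdigest()[:12]
        self._lookup[token] = name
        return token

    def pseudonymise(self, records):
        """Return copies of the records with names swapped for pseudonyms."""
        return [{**r, "name": self.pseudonym_for(r["name"])} for r in records]

    def reidentify(self, token):
        """Only possible with access to the protected pseudonym list."""
        return self._lookup[token]


if __name__ == "__main__":
    print(anonymise(RECORDS))
    p = Pseudonymiser()
    out = p.pseudonymise(RECORDS)
    print(out)
    print(p.reidentify(out[0]["name"]))
```

A keyed hash is used rather than a plain hash of the name so that someone holding the pseudonymised records but not the key cannot confirm a guess by hashing a candidate name themselves; the key is therefore part of what has to be protected, exactly like the pseudonym list.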

Protect

Protect Access to Data – Review and update regularly who can access folders and documents. This will help prevent unauthorised access.

Protect paper files – Don’t leave paper files unattended. Only transfer files to staff who are authorised to see them. Dispose of unneeded files in accordance with our retention and disposal policies.

Protect data by thinking before you click – Check you have the right recipients before you send an email or fax. Encrypt information where possible.

Respect

Respect data by ensuring its accuracy – Make sure data is correct when you collect it. Make sure data is kept accurate and up to date. Keep in mind the purpose of processing.

Respect data when transferring it – If you want to transfer personal data from one area to another, make sure you have permission to do so and you are not breaching the rights of any of the service users or employees involved.

Key GDPR Requirements

There are FIVE GDPR requirements which will cause the biggest impact on the HSE:

• Mandatory data inventorying and record keeping of all internal and third-party processing of personal data.

• Mandatory data-breach notification to regulators and individuals whose information is compromised following information-security failures.

• Comprehensive individual rights to access, correct, port and object to the processing of their data.

• Routine data-protection impact assessments for technology, process and organisational change.

• Mandatory data protection officers and an overall rethinking of privacy strategy, governance, and risk management.

Key GDPR Requirements – Comprehensive individual rights to access, correct, port and object to the processing of their data.

Article 6 – Lawfulness of Processing

• Consent – Article 6.1.(a) Consent is given – Required for research and special circumstances (ref MNCMS Discharge Letter)

• Contract – Article 6.1.(b) necessary for performance of contract – Employment. Also Article 88

• Public Interest and Health Act 2004 – Article 6.1.(e) this is the primary legal basis on which we process patient and service user personal data

Article 7 – Consent

• Where consent is sought, the Data Controller shall be able to demonstrate that the data subject has consented (Record of consent is required)

• Consent can be withdrawn and this should be as easy as giving consent in the first place

Article 9 – Special Categories

• Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation or sex life…

• Article 9.2.(h) – Medical diagnosis, provision and management of health and social care services

Key GDPR Requirements – Mandatory data-breach notification to regulators and individuals whose information is compromised following information-security failures.

Article 32 – Security of Processing

• Security measures must be related to a risk assessment

• Appropriate levels of security to include:

– Pseudonymisation and encryption

– Ensure confidentiality, integrity, availability and resilience

– Disaster recovery

– Regular assessment of security

Article 33 – Notification of Breach – ODPC

• Within 72 hours – If not possible, clear and credible explanation required

• Must act to mitigate adverse effects without undue delay

• Follow HSE Data Breach Policy

Article 34 – Notification of Breach – Data Subject

• Follow HSE Data Breach Policy

• Must notify without undue delay

• Describe breach in plain language

• Describe what data was compromised as described in Article 33 (3)

• Not required if data is unintelligible (encrypted)

• If mass data breach – public notification may be acceptable – Through the DPO Office Only!

Key GDPR Requirements – Mandatory data protection officers and an overall rethinking of privacy strategy, governance, and risk management.

Article 37 – Designation of DPO

• As a public body, HSE must designate a DPO

• All organisations processing on a large scale (not clearly defined!) special category data (Article 9) must designate a DPO

• Must have expert knowledge of data protection laws

• Can be an employee or a contracted external person

Article 38 – Position of DPO

• Must be resourced to fulfil tasks as described in Article 39

• May not be penalised or dismissed for carrying out these tasks

• Must be contactable by data subjects

• May have other responsibilities provided they do not conflict

Article 39 – Tasks of the DPO

• Advise on obligations of controller/processor

• Monitor compliance, train staff, raise awareness

• Perform audits across the organisation

• Advise on Data Protection Impact Assessments

• Co-operate with ODPC

• Act as contact point for ODPC

• Monitor risk associated with processing of personal data in the organisation

Key GDPR Requirements – Routine data-protection impact assessments for technology, process and organisational change.

Article 35 – Data Protection Impact Assessments

• Must be done where any new processing or changes to existing processing will result in additional risk to the rights and freedoms of the “natural person”

• Specifically mentions special categories of personal data (Article 9)

• New technologies in particular are specified

Article 36 – Prior Consultation with ODPC

• The Controller is required to consult with the ODPC in advance of processing where a DPIA is required

• The ODPC may publish this processing publicly (on its website)

• The ODPC may prevent the Controller from implementing new processing

GENERAL RULE

• If in doubt, ask your local Deputy DPO (DDPO – Consumer Affairs) or the DPO

• If implementing new technologies, consult DDPO and OoCIO Information Security Officer

Key GDPR Requirements – Mandatory data inventorying and record keeping of all internal and third-party processing of personal data.

Article 30 – Records of Processing

• Must maintain a record of all processing activity

• Name and contact details of controller, processor and DPO

• Purpose of processing

• Categories of Data Subjects and Data Categories

• List of recipients of the data

• Specific detail if data going out of EEA

• Retention policy

• Description of security measures

Impact of Article 30

• All organisations must make a record of all data processing activities in accordance with the details described in Article 30

• This will be a very onerous task, but must be done

• Standard template available from OoCIO Information Security on hse.ie

• Need to create an inventory of Data Processors engaged by your organisation

ODPC

• This will be one of the fundamental checks that the ODPC will carry out post May 25th 2018

A new ‘Transparency framework’

• The HSE will need to be much clearer about how and why they collect, store and use personal data.

• Data subject access rights are boosted and the response time is shortened.

• Mandatory breach disclosure means we must come clean after failure to both the regulator (DPC) and the data subjects.

• Enhanced rights of regulatory inspections and audit.

A new ‘Compliance Journey’

• ‘Privacy by Design’ means the HSE will have to get data handling right from the start.

• ‘Privacy Impact Assessments’ will have to be carried out routinely.

• ‘Accountability’ means all data collection, use and storage has to be documented.

• ‘Data Inventory’ means we must KNOW what personal data we have and where it is stored.

A new ‘Punitive Regime’

• Tougher enforcement powers for regulators. Up to €1m fine per breach envisaged in current draft of Bill.

• Litigation rights for Civil Society organisations.

• Data Processors liable in their own right.

Consequences

Reputational damage – There is a potential for the loss of patient and service user trust in the event of a breach. This reputational damage has the ability to jeopardise the current transform project.

Increased regulatory supervision – Attention on the HSE will increase the scrutiny of the Data Protection Commissioner, which can lead to increased audit and further intrusion as the powers of the DPC increase along with GDPR.

Under-the-surface costs resulting from organisational disruption.

Increased risk of fraud due to identity theft – There is more value attached to healthcare-related data than other types of personally identifiable information. A stolen credit card has a finite life because once the customer discovers the fraud, the card can be cancelled and stolen funds recovered. Public Health Information contains government-issued identity numbers such as PPS numbers, as well as medical, prescription, health and an individual’s personal data that is permanent and cannot be cancelled / replaced.

Fines – The HSE can be fined up to €1,000,000 for non-compliance

Main impacts on our staff

Subject Access Requests (SARs)

• Under the GDPR, where an individual’s personal data is being processed, he/she has the right to make a SAR.

• In responding to a SAR we must give a description of the data we hold, the reasons for processing and our lawful basis to have the data, among other things.

• SARs must be responded to within 1 month.

• Anyone can receive a SAR and there is no set format a SAR has to take, so if in doubt report it to the data protection team.

• If you receive a SAR or think you have received a SAR contact the data protection team immediately.

What if an incident occurs?

Identify

A personal data incident is when there is the potential for the:

– Accidental,

– Unauthorised or,

– Unlawful

access, acquisition, alteration, destruction, disclosure, loss or misuse of personal data.

We need to identify when something goes wrong as soon as possible in order to limit the potential damages.

Most breaches are a result of internal error as opposed to external attacks.

Report

As soon as you become aware of an incident you need to report it immediately to the data protection team.

Don’t worry if you think you might be wrong: it’s the data protection team’s responsibility to check if it is an incident, and it’s your responsibility to report it – it’s better to be safe than sorry.

Summary

There are a number of factors to consider to ensure that you handle personal data correctly:

• Remember to Limit, Protect and Respect the personal data you work with;

• Minimise the amount of personal data collected, check it’s accurate, and don’t store it for longer than you need to;

• Be clear with colleagues, patients, service users and others about how we collect, store, share and use their personal data;

• Contact the Data Protection Team immediately if there has been or is a chance of a personal data incident;

• If in doubt, visit our GDPR site or contact your local deputy DPO.

What’s being done…

Pre May 2018 Goals

• Setup a GDPR programme, governance structure and mobilise a data protection team.

• Conduct a high level current state assessment across the group to ascertain current maturity levels of the data protection programme and structures in relation to governance, people, processes and technology.

• Identify current gaps against GDPR requirements and outline high risk areas and recommendations.

• Develop a GDPR Remediation Roadmap and prioritise the Work-Streams on a risk based approach.

High Level Project Plan

Current Focus

• Build a paper shield – ensure documentation required by GDPR is in place and meets requirements. This will include documentation such as Policies, Procedures, Privacy Notices and Third Party (Processor) contracts.

• Identify and implement “quick wins” to be put in place before May 25th which will run in parallel to the above. These will include:

– Setup the HSE National Data Protection Office with a defined operating model.

– Provide GDPR Training and support to regional Data Protection Officers.

– Deliver a GDPR seminar to senior executives to provide thought leadership, training and achieve project buy-in.

– Support a single CHO in completing a gap analysis and roadmap.

Due to the restrictive compliance timelines (25th May), we are fast-tracking the setup of important foundational structures for a GDPR programme:

1. National Data Protection Office to drive the GDPR Operating Model

2. Paper Shield to ensure GDPR documentation is in place.

1. HSE National Data Protection Office

Setup and recruitment of a team for the National Data Protection Office.

Deliver training at all levels, as follows:

1. Directorate – Executive briefing to gain buy in and an overview of our approach

2. HG's & CHO’s – Executive briefing

3. Services – in-depth GDPR training for regional DPO’s

Design of a data protection operating model to be piloted in a test phase before being transitioned into day-to-day operations – The operating model will leverage existing data protection structures within the group, where relevant (e.g. regional level data protection officers and service line data protection officers).

Paper Shield:

National DPO office:

Policies – Policies should be “best-in-class”, concise and independent to demonstrate data protection policies and a transparent approach.

Processes / Procedures – Accurate documentation of standard operating procedures (SOPs) is necessary to demonstrate accountability. At a minimum, core process and procedures like a data protection process and governance structure in line with GDPR requirements should be formally defined and documented.

Notices & Contracts – Reviews of privacy notices and contracts with third parties should be undertaken, with a focus towards GDPR and privacy. Align to Generally Accepted Privacy Principles (GAPP), include Model Clauses and GDPR requirements – update / create where necessary.

Sample Service Line Journey

GDPR Compliance Roadmap

Operate and Sustain

• Achieving the compliance requirements within the required compliance period is only part of the GDPR compliance journey.

• The HSE will be required to maintain its GDPR Programme and ensure that all requirements are maintained after the compliance deadline.

• Through constant assessment and maintenance of GDPR Programme requirements and activities, the HSE should identify opportunities to enhance the efficiency and effectiveness of its internal controls.

• The HSE should establish ongoing compliance mechanisms, with reporting functions to relevant stakeholders, to promote continued compliance and accountability.

Ongoing Programme Operation

Maintenance

PwC

So What Should I Do Now???

1. Make an inventory of all personal data processing that is happening in your area

2. Make an inventory of all of the personal data you are storing

3. Review all Data Privacy Notices in your public and staff areas and on websites

4. Ensure you communicate to individuals in advance of processing relating to: legal basis for processing, retention period, right of complaint, whether data will be subject to automated decision making

5. Review your procedures to ensure compliance

6. Review your procedures for dealing with access requests

7. Examine your legal basis for processing data and document it. This needs to be clearly stated in plain English on your Privacy Notices

8. Examine where you require consent and ensure there are adequate procedures and processes for this

9. Review the processing of personal data of Children

10. Review your data breach reporting procedures and ensure your staff are aware of them

11. Review your data processing and associated systems to determine whether a DPIA is needed

12. Designate a Data Protection Champion in your area to monitor data processing (not necessarily full time)

Quiz

All personal data must be:

a) Accurate and up to date

b) Deleted when no longer required

c) Available only to those who need it

d) Anonymised/Pseudonymised where possible

In addition to health data what other data can be considered a special category?

a) Credit card information

b) Genetic/Biometric Data

c) Trade Union Membership Status

d) Religion

Who/what benefits from our strict data protection policy?

a) Our Patients/Service Users

b) Our Staff

c) Our Vendors

d) Our Reputation

Which of these could be used to identify someone, meaning it is personal data?

a) Photograph of a living person

b) PPSN

c) School Attended

d) Home address

What is the definition of personal data?

a) Any information about a person or information from which the person could be identified

b) Any information about a person, their family and friends

c) Any information your employer holds on you

In the case of non-compliance or a personal data incident what are the potential consequences to you?

a) Legal Action or Fine

b) Disciplinary Action

c) Civil Litigation

d) Nothing, It’s the HSEs responsibility as a whole

A Subject access request (SAR) is a request from an individual for the data we process belonging to them. What is the maximum response period for SARs?

a) 3 Months

b) 40 Days

c) 1 Month

d) 1 Week

You notice a patient file on a chair in an empty waiting room. You don’t know how long it has been there. What should you do?

a) Return it to the filing room before anyone sees it

b) Find out who left it there and tell them to be more careful in future

c) Leave it there, whoever left it will come back for it

d) Report it to the data protection team, it is a potential data breach

If you receive a SAR you should:

a) Do nothing, it’s not your job to deal with SARs

b) Check to make sure it’s a SAR

c) Inform the data protection team

d) Start gathering the information to respond to the request

If you receive a deletion request from a patient you should delete all of their data straight away?

a) True

b) False

How many processing conditions must apply when processing non sensitive personal data?

a) All six processing conditions must be satisfied before I process non-sensitive personal data.

b) At least one of the six processing conditions must apply before processing non sensitive personal data.

In the event of a personal data breach should I report it directly to the data protection commissioner?

a) Yes, you should report the breach directly to the DPC within 72 hours of becoming aware of the breach

b) No, under no circumstances should you report directly to the DPC. Report the breach to the data protection office. The DPO and deputy DPO are the only ones who should report to the DPC.

A personal data breach must be reported to the Data Protection Commissioner within how many hours of knowing about the breach?

a) 24 hours

b) 72 hours

c) 48 hours

Which of the following are examples of data subject rights?

a) The right to Access

b) The right to rectification

c) The right to erasure

d) The right to data portability

When is a person entitled to seek compensation as a result of a data breach?

a) Only if they suffer material damages

b) If they suffer material or non material damages

The HSE can be fined up to 1 million euro for non compliance with GDPR and the Irish Data Protection Act.

A) True

B) False

Select the instances where you would contact the HSE’s Data Protection Office

a) In the event of a potential data breach

b) When you receive a query about data subjects rights such as SARs and data protection

c) If you have a question about data protection


Discussion