SHiP Conference
Data Protection Mini-Briefing
Nick Billingham
Head of Housing Management
Devonshires
Data Protection – An overview and topical issues in the supported housing context
Reform of the European Data Protection Regime – the General Data Protection Regulation
DPA 1998 – An Overview
• Key Definitions
– Data
– Personal Data
– Sensitive Personal Data
– Data Subject
– Data Controller
– Processing
DPA 1998 – the DP Principles
• There are Eight DPPs:
1. Processing to be fair and lawful
2. Only for specified and lawful purposes
3. Not excessive
4. Accurate and Up to date
5. Kept for no longer than necessary
6. Processed in accordance with rights of Data Subject
7. Technical and Organisational Measures
8. Data not to be transferred outside EEA
The Non-Disclosure Principle
• First DPP – Processing shall be fair and lawful and shall not be processed unless:
– At least one Schedule 2 condition is met
– Where sensitive personal data, at least one Schedule 3 condition is met
• Data subject consent is a Sch 2 and 3 condition.
• Other conditions, e.g. legal obligation, administration of justice.
Legitimate Interest
• Schedule 2, para 6:
– The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of the prejudice to the rights and freedoms or legitimate interests of the data subject.
The DPA at work: Issues in the Supported Housing Context
Is it personal information?
• Can we disclose it/can the tenant demand it?
• First question is whether it is personal information
• Information about a living identifiable individual
• But individual must be the focus of the information
• Information must affect or say something about the individual’s private life - personal, family, business or professional
• Mere passing reference to individual in documents or correspondence NOT sufficient - Durant –v- FSA [2003]
Disclosure to third parties (Sch 2 DPA 1998)
• Six exceptions permitting processing/disclosure
• Consent = first and most obvious (para 1, Sch 2)
• Use of consent forms when signing up tenants
• Tenancy terms relating to DPA consent
• BUT majority of processing/disclosure already covered by para 6, Schedule 2 “necessary for the legitimate interests of the business…”
• Belt & braces
Other commonly-used exceptions to non-disclosure
• S29 – crime and taxation: prevention or detection of crime/apprehension or prosecution of offenders
• Also covers other investigations eg HB investigations
• S31 – regulatory activity eg TSA inspections/inquiries
• S35 – disclosures required by law or made in connection with legal proceedings
• Para 3, Sch 2: compliance with legal obligation eg names and addresses of tenants requested by Electoral Officer
Dealing with sensitive personal information
• S2 – racial/ethnic origins; political opinions; religious beliefs; membership of Trade Union; physical or mental health or condition; sexual life; conviction or prosecution for alleged offence
• Main one for social landlords will be health
• Cannot use legitimate interests of business exception to disclose
• Consent = most likely/safest course
• Must be explicit consent
• Other possible exception: protecting vital interests of subject or another person and consent cannot be given or the data controller cannot reasonably be expected to obtain consent
Information sharing agreements
• In most cases unnecessary because disclosure is in your legitimate interests, but
• Control – “mandating” how information to be processed and disposed of and controlling any onward use
• Imposing security requirements
• Evidential and presentational value in cases of breach
• ICO likes them
• But… keep them simple
Data subject access requests from tenants
• S7 DPA – 40 days and £10 fee for copies
• Remember could be computer data or docs from ‘relevant filing system’ – DPA covers both
• Tenancy files NOT relevant filing system – must be structured system (more akin to card index system)
• Maintenance files NOT personal information
• Should refuse request for manual records but offer own policy on disclosure – should provide for tenant to review own tenancy file and request copies
Use of CCTV
• Personal information includes images
• Directed covert surveillance by HAs generally not permitted – must be with police backing
• Signage – clearly visible; who undertaking it; and for what purpose
• Ensure no intrusion into private areas (Human Rights issues) – consult with neighbours if risk of overlooking
• Security of recordings; not retaining longer than necessary
• ICO CCTV guidance
Violent Persons Markers
• Violent Persons Registers
• Fair Processing Obligations:
– Information must be accurate. Is it the right tenant?
– Is circulation of register proportionate? Clift v Slough BC [2009] EWHC 1550.
Reform of the European Data Protection Regime – the General Data Protection Regulation
Background to new Regulation
• Last Directive 1995 (led to DPA 1998) outdated
• Advances in technology
• Need for harmonised DP laws across 27 states of Europe
• Announced 25 January 2012
• Go to: http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm
When coming in?
• Currently being negotiated in EU - due to conclude before end 2015 but could be earlier
• Regulation will be immediately binding once ratified (no need for legislation unlike last DP Directives)
• Understanding what is on the horizon and implications for organisations especially since proposals unlikely to change significantly
• Because Regulation => law will be much more prescriptive than before
Key points
• DP Principles and definitions of data subject, personal data etc broadly the same
• Notification to ICO no longer required
• Need for Data Protection Officers
• Changes to definition of consent
• Legitimate Interest
• Data subject rights enhanced
• More robust requirements of data security
• New penalties
Notification
• Current requirement to notify ICO of DP activities
• New law – no longer required, but…
• Organisations with more than 250 employees must have document describing their processing activities
• Document must be available for inspection by DP authority (ie ICO)
Data Protection Officers
• DPO required where processing undertaken by:
- public body
- business of more than 250 people
- business whose core activity involves regular and systematic monitoring of subjects
• DPO must be independent
• DPO tasks include monitoring policies and procedures, audits, training and maintenance of risk and compliance register
Consent
• “Consent should be given explicitly by any appropriate method enabling a freely given, specific and informed indication of the data subject’s wishes either by…statement or…clear affirmative action…”
• Burden of proof on controller – no implied consent
• Consent will not suffice where “significant imbalance between position of data subject and the controller”
• Right to withdraw consent at any time
Consent (cont)
• Parental consent required if child under 13
• 13-18, child can consent but the fair processing language must be appropriate
• Age verification must be reasonably made
Legitimate interest
• Heavily relied on currently
• Narrowed so as not to cover legitimate interests of third parties
• Must take particular care where child involved
• Express prohibition on public authorities relying on this condition (public authority not defined…)
• Data subject right to object
Data Subject Rights
• “Right to be forgotten” – ie have personal data erased particularly if obtained when a child
• The Google case
• Data portability – gives individuals right to obtain copy of their data in an electronic and structured format
• Profiling – right to object to automatic profiling
Data security
• Enhanced requirements
• Mandatory breach notification procedure for all but smallest organisations
• Data subjects must also be notified within 24 hours of breach (“where feasible”)
New Penalties
• New three tier system of administrative sanctions covering wide range of infringements
• Highest sanction = either 1M euros or 2% of organisation’s world-wide turnover
Steps to take
• Be prepared
• Getting an understanding of the changes
• Who will be your DPO?
• Training for DPO
• Check internal policies and procedures to ensure can be readily updated