Data Protection and IDEA
1 like893 views
This document discusses the importance of data protection and outlines the key aspects of the UK Data Protection Act of 1998. It notes that the Act is overseen by the UK Information Commissioner and outlines potential civil and criminal liability for non-compliance. It defines personal data and sensitive personal data. It also explains the differences between a data controller and data processor and their respective obligations under the Act. The document provides guidance on key issues like notification requirements, fair processing practices, data subject rights, security obligations, and exemptions under the Act.
Data Protection and IDEA
- 1. Data Protection and IDEA Joanne Bone & Neil Bentley Irwin Mitchell 11 May 2004
- 2. Why Is Data Protection Important? • Data Protection Act 1998 • Overseen by the UK’s Information Commissioner • Potential Civil and Criminal Liability
- 3. Why Is Data Protection Important? • Criminal Liability • Fines for breach – Up to £5000 in Magistrates’ Court – Unlimited in Crown Court • Company officers, directors and managers can be personally liable
- 4. Why Is Data Protection Important? • Civil Liability • Any breach of the Act is actionable • Compensation for damage and/or distress • In practice Courts are awarding damages for breach of the Act
- 5. So When Does The Data Protection Act Apply? • The Act applies to the PROCESSING of PERSONAL DATA
- 6. What Is Personal Data? • Personal data can be any information which relates to a living individual who is identifiable from that data alone or in conjunction with other data • Both paper and electronic records can be covered
- 7. What Is Personal Data? • Durant v Financial Services Authority • Definition of personal data interpreted by the Court in a more restrictive way • Information now only personal data where it affects the individual’s privacy – Is the information biographical? – Is the information focused on the individual?
- 8. What Is Personal Data? • Payroll/salary details? • Internet logs? • Health records? • e-mails? • Electoral register? • CCTV images? • Bank details? • Social Services records?
- 9. Paper Records • “Relevant Filing System” • “Temp test” – could a reasonably competent temporary worker retrieve the information relating to a specific individual without leafing through the file?
- 10. Paper Records • Manual files structured solely in chronological order are unlikely to be covered • Freedom of Information Act will expand the category of paper records covered by the Data Protection Act – Applies to public authorities or bodies carrying out public functions – In force from January (probably) 2005
- 11. Types Of Data • Ordinary vs Sensitive Personal Data • Sensitive Personal Data includes: – Race/Ethnic origin – Religion – Sexual life – Trade union membership – Physical or Mental Health – Commission of offences/criminal proceedings – Political opinion
- 12. What Is Personal Data? • Payroll/salary details? • Internet logs? • Health records? • e-mails? • Electoral register? • CCTV images? • Bank details? • Social Services records?
- 13. When Am I Processing Personal Data? • Any manipulation of data • This will include: – collection – calling data up on screen – auditing the information – storage – destruction
- 14. Who Is Responsible For Processing? • Data Controller vs Data Processor • Data Controller – Determines the purposes for which the data are processed and how – Legally responsible for what happens to the data • Data Processor – Processes data on behalf of/under instruction of Data Controller
- 15. Who Is Responsible For Processing? • In a nutshell: – Do you determine what is done with the data? (= data controller) – Do you deal with data under instruction of third party? (= data processor) • Internal auditor (=data controller) • External auditor (=data processor) • Statutory Auditor (depends)
- 16. Who Is Responsible For Processing? • Data Controller responsible for compliance with the Act • Data Processor is not BUT may be required to undertake compliance obligations by contract – Security/confidentiality – Only use the data as instructed • Can be both data controller & processor
- 17. Who Is Responsible For Processing? • Outsourced functions – Company to which functions outsourced likely to be data processor – Should be a written contract in place between organisation and company to which functions outsourced – Original organisation remains responsible for compliance
- 18. Notification • Must notify if: – You are a DATA CONTROLLER and – process PERSONAL DATA – on COMPUTER • Not strictly required if a data processor for accountancy/audit purposes • Annual renewal, £35 • 28 days to notify changes
- 19. Are We Entitled To Process The Data? • Data to be processed fairly & lawfully • Ordinary Data – unambiguous consent – actual consent – necessary to perform a contract – necessary to decide whether to enter into a contract – necessary to comply with a legal obligation • Sensitive Data – explicit consent
- 20. Are We Entitled To Process The Data? • Responsibility of the data controller – If data processor, seek warranty in contract • Fair processing notice: – Who will process the data – What purposes the data will be used for • is audit included? – Any further information necessary to be given for the processing to be fair • Should notify BEFORE collect data
- 21. Are We Entitled To Process The Data? • Opt-in, opt-out or neither? – is it optional? – is it for marketing purposes? – does it allow contact by e-mail or SMS? • “Do not solicit” databases • Issues of using data collected by third parties
- 22. Are We Entitled To Process The Data? • Employee data: – restrictions on accessing e-mails, call recordings, CCTV and website logs • Not only a Data Protection Act issue: – Human Rights Act; Art 8 ECHR – Regulation of Investigatory Powers Act 2000 – Telecommunications (Lawful Business Practice) … Regulations 2000
- 23. Are We Entitled To Process The Data? • Employee Monitoring and Acceptable Use Policies: – for data protection, rely upon “consent” or “necessary for legitimate interests unless unwarranted prejudice to data subject” – for interception, see RIPA & LBP Regs – see also Data Protection Code, Part 3 • Data processors - seek warranties
- 24. What Are The Other Obligations? • Data to be adequate, relevant and not excessive • Data to be accurate and, where necessary, kept up to date • Data not to be kept for any longer than is necessary • Data controller needs systems for data management, review and disposal
- 25. What Are The Other Obligations? • Individuals (=data subjects) have rights of access to personal data – statutory obligation to reply to requests – 40 day timetable – maximum £10 fee – both electronic and paper records – beware of identifying other individuals • Data Controller should have a Subject Access Procedure
- 26. What Are The Other Obligations? • Appropriate steps to be taken to hold data securely – physical and technological measures – ensure employee reliability – written contracts with data processors • Be aware of restrictions on data transfer to non-EEA countries – seek consent, “safe harbor” or contract
- 27. Are There Any Exemptions? • Exemption from the eight principles – e.g. national security; domestic purposes • Exemption from the non-disclosure provisions – e.g. where required by law; to detect crime • Exemptions from the subject information provisions – e.g. regulatory activity; negotiations; management forecasting and planning
- 28. Data Protection And Freedom Of Information • For “public authorities” caught by Freedom of Information Act 2000: – data protection obligations expanded – particularly subject access rights • Publication Schemes • General “Right to Know” • January 2005 commencement date
- 29. In Summary Examine the basis for your work: • are you a data controller or a data processor?
- 30. In Summary If you are the data controller: • Appoint a compliance officer • Have systems in place for data collection, review and disposal • Have appropriate contracts with third party data processors • Set up standard letters for data requests
- 31. In Summary If you are a data processor: • Should follow controller’s instructions • Data controller may propose a written contract – their obligation, not yours – you should seek warranties about data collection and compliance with the Act • Do you need a notification?
- 32. Any more questions? Joanne Bone bonej@irwinmitchell.co.uk Neil Bentley bentleyn@irwinmitchell.co.uk Helen Goldthorpe goldthorpeh@irwinmitchell.co.uk 0870 1500 100