DATA PROTECTION FREEDOM OF
INFORMATION AND CONTRACTS training
for
GOLDSMITHS COLLEGE
by Sue Cullen
Amberhawk Training Limited
July 2010
sue.cullen@amberhawk.com
Note: Amberhawk claims copyright in the contents of this slideshow
1
THREE ACCESS REGIMES
• Data Protection Act 1998
- Protection of personal information via the 8 DP
Principles
• Environmental Information Regulations 2004
- Access to environmental information
• Freedom of Information Act 2000
- Access to all information held by a public authority
NB: Separate FOI Act for Scotland
2
DATA PROTECTION ACT 1998
THE BASICS
3
WHAT IS DATA PROTECTION?
• Data protection is about aspects of personal privacy
• It sets out rules for handling “people information”
• Universal – all organisations, and many individuals, use
“personal data” (and have liability under the Data
Protection Act)
• Current issues in data protection:
• I/D Cards legislation – erosion of personal privacy by the state
• Retention of DNA data by the police
• Security breaches by banks, hospitals, HMRC
4
IMPACT OF DATA PROTECTION ON MY
JOB
• Information about:
• me or my fellow employees
• Students, consultants
• other people we do business with, e.g. suppliers
• Sending information by email; information on the
website; security camera recordings
• Collection:
• Filling in forms
• Taking it down over the phone
• Getting it from other departments/schools/universities
• Sharing – with other departments, other organisations,
under FOI, for official enquiries
5
DEFINITION OF PERSONAL DATA
“Personal data” means:
data which relate to a living individual
who can be identified
from those data, or from them together with other
information you already have or are likely to obtain
- includes expressions of opinion and intentions towards
the individual
6
EXAMPLES OF PERSONAL DATA
sue.cullen@amberhawk.com
Sue Cullen, Director, Amberhawk Training Limited
“Sue is a workaholic with no personality”
“Sue carried out Sally’s appraisal”
“Sue was present at the 3rd Annual Subject Access
Convention”
7
WHO IS RESPONSIBLE?
“Data Controller” – the person or persons who determine
the purposes of processing personal data
- e.g. anything done by an organisation for its business;
full liability under DPA
“Data Processor” – a person who processes personal data
on behalf of the data controller
- e.g. outsourcing – processors have no liability under DPA,
but the controller is responsible for their mistakes
8
DATA PROTECTION PRINCIPLES
The data controller has a statutory duty to ensure that
personal data are:
1. Processed fairly and lawfully, plus schedules 2 & 3
2. Processed only for specified and lawful purpose(s)
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Not kept longer than necessary
6. Respectful of data subjects’ rights
7. Kept secure by technical/organisational means
8. Transferred outside EEA only if privacy is respected.
9
DATA SUBJECT RIGHTS
• Individuals have the following rights under the DPA:
1. Subject access
2. Object to processing in certain circumstances
3. Object to direct marketing (promotion of aims & ideals is
marketing)
4. Automated decisions
5. Ask court to order compensation for damage caused by
controller’s breach of principles
6. Ask court to order correction of inaccurate data
• Controller liable under 6th Principle for 1-4 above
10
DPA ISSUES AND RISKS
• Records management: security & staff training (7th
Principle); subject access (6th Principle); data quality
(Principles 1, 3, 4)
• HR information: most SARs are from current and
former staff members, usually with a grievance – tests
DPA compliance
• Fair processing notices: what do we tell people about
the information we hold on them?
• Data sharing: who can we disclose to – police?
parents? Other universities? hospitals? Social services?
11
CCTV AND RELATED DP ISSUES
12
COMPLYING WITH 1ST PRINCIPLE
• Personal data must be processed fairly:
• General obligation to be fair
• Specific obligation to ensure that the individual knows
who is processing, why, and anything else necessary
for fairness
• First principle also requires lawfulness, e.g. must not:
• Breach confidence
• Breach copyright
• Be ultra vires (outside your powers)
13
FAIR COLLECTION - INFORMING THE
DATA SUBJECT
• Data protection notice must include:
• Identity of the data controller
• Purposes for which the data will be processed
(especially any non-obvious purposes)
• Anything else necessary to make it fair
• Purposes should be as wide as possible: cover any
projected new purpose e.g. sharing for fraud initiatives,
using CCTV for disciplinary matters
• This is NOT a PR exercise – beware “Your information
is regulated under the DPA”; “Your privacy is very
important to us”; “We will never …”
14
WHAT TO INCLUDE IN YOUR NOTICE
Anything that the data subject ought to know about what will
happen to his information in your hands, such as:
• What you use it for (purposes for processing)
• Any relevant rights, e.g. to opt out of marketing
• Who do you share it with, and why?
• How long you/they keep it
• What responses on forms are obligatory, and what
information is not essential
• Will it be sent outside the UK?
• Any special security issues?
• Any sensitive data (e.g. health, religion, criminality)?
15
JUSTIFYING PROCESSING UNDER 1ST
PRINCIPLE
Schedule 2 conditions are:
1. Data subject consent
2. Necessary for contract with data subject
3. Legal obligation of data controller
4. Vital interests of data subject
5. Necessary for public functions
6. Necessary in legitimate interests of data controller,
or 3rd party recipient, except where unwarranted
prejudice is caused to the data subject
16
WHAT IS CONSENT?
Consent is not defined but general requirements are:
• Must be fully informed
• Freely given
• Capable of being withdrawn
Has the data subject given some positive indication of his
wishes? Is the data subject free to refuse?
NB: Consent does not work as a justification for processing
HR data – deemed duress.
17
CCTV QUESTIONS
• Can CCTV images be “personal data”?
• What conditions legitimise the processing (Sch. 2 & 3)?
• Must you identify the Data Controller and purposes of the
processing (e.g. public safety, crime prevention)?
• When don’t you need signage?
• Could improper positioning of cameras be unfair to
Data Subjects and result in the processing of excessive
personal data?
• Can the Section 36 exemption be used by parents who
record infant school nativity plays?
18
CCTV QUESTIONS
• Can you disclose the images (e.g. to the police)?
• How long can you retain them?
• Does the right of access apply - what are the obvious
problems? (e.g. other individuals on the CCTV footage)
• Can the Data Subject object to the processing?
• Security of images (e.g. who has access, training,
criminal offences could apply if CCTV data misused)
• Can damage arise from a breach of a Principle?
• ICO CCTV Code of Practice (essential reading).
19
FOIA EXEMPTIONS RELEVANT TO
GOLDSMITHS
20
FOI EXEMPTIONS RELEVANT TO
GOLDSMITHS
• Exemption for personal data s.40
• Exemption for prejudice to commercial interest s.43
• Exemption for confidential information s.41
• No exemption for research (except for Scottish
authorities) nor for copyright (except if it is environmental
information)
21
WHEN DOES FOI INVOLVE PERSONAL
DATA ?
• FOIA covers all information held by a public authority
• Includes information about staff, students, contacts from
other universities, service users, business contacts,
enquirers, complainers, (patients, suspects, taxpayers
etc, depending on who is the authority)
• Personal data may be included in publication schemes
• Personal data may be requested under s.1
22
INTERFACE WITH FOIA
• FOIA s.40 gives an exemption for “personal data”
• Personal data of the requester are exempt because
access under FOI cannot displace subject access under
DPA rules
• Personal data of a third party are exempt to protect
personal privacy – but this is governed by the DPA
principles, which cannot be displaced by FOIA
• If it would breach any DPA principle to disclose third
party personal data to all the world under FOIA, then the
information is absolutely exempt – no Public Interest
Test
23
DISCLOSURE OF PERSONAL DATA
UNDER FOIA
• All 8 principles apply, but usually tested under Principle 1
- fairness, lawfulness, compliance with schedules 2 & 3
• Lawfulness usually means no breach of confidence
• Fairness is about what data subjects (staff? officials?)
ought to expect
• Generally, information about staff in their official capacity
can be in the public domain, e.g. payscales; expenses
• Personal information about their private life (e.g. health,
home life) is likely to be exempt
• The more senior the individual, the more public exposure
• Detailed ICO guidance
24
COMMERCIAL INTERESTS (s.43)
• Qualified exemption for disclosures which are:
• Trade secrets, or
• Disclosures which could prejudice the commercial
interests of any person, including the authority holding
the information
• Commercial interests:
• more than just financial – must involve trade or
commerce
• exemption from duty to confirm or deny
• National Maritime Museum Tribunal decision
25
COMMERCIAL INTERESTS: ISSUES
• Commercial interest of a public authority or a third party:
• Is there a commercial activity? Financial interests
insufficient
• Is there prejudice?
• Where does the balance of the public interest lie?
• Tender and contractual processes:
• Include information with bid documentation
• Distinguish between current and new contracts
• Classification at the start of the contract
• Process agreed under the contract for classification during
the life of the contract
26
CONFIDENTIALITY (s.41)
• Absolute exemption for information provided in
confidence, but information:
• must have been obtained from another person, and
• disclosure must give rise to an actionable breach of
confidence
• No public interest test if information qualifies
• Internally generated information will not count
• Exemption can apply to duty to confirm or deny
27
FREEDOM OF INFORMATION ACT 2000
THE BASICS
28
THREE ACCESS REGIMES
• Data Protection Act 1998
- Protection of personal information via the 8 DP
Principles
• Environmental Information Regulations 2004
- Access to environmental information
• Freedom of Information Act 2000
- Access to all information held by a public authority
NB: Separate FOI Act for Scotland
29
WHAT DOES FOIA DO?
• Presumption of right of access to any information held by
a public authority
• Anything not available is covered by an exemption
• Information is free up to a costs limit
• Codes of Practice
• On handling requests
• On records management
• An enforcement mechanism and an independent
regulator
30
HOW DOES FOIA WORK?
Two routes of access to information:
• Pro-active duty to publish information generally
(publication scheme)
• Specific request for information – s.1 FOIA
Twofold duty under s.1:
• Duty to confirm or deny whether information is held
• Duty to communicate information
31
PROCEDURES AND OTHER
OBLIGATIONS
• Formal request-handling procedures and time limits, e.g.
• 20 working days for response
• Communicate information in requester’s preferred form
• S.45 Code of Practice on Handling Requests, e.g.
• Transferring requests
• Consultation with third parties
• Duty to help requesters and prospective requesters
• Formalities for refusals
• Obligation to deal with complaints
• S.46 Code of Practice on Records Management
32
WHEN CAN WE REFUSE?
Exemptions in FOI include:
• Requests that are too costly
• Nuisance requests
• Information already accessible, e.g. Public registers
• National security, investigations, law enforcement
• Personal privacy (via the DPA rules)
• Health & safety
• Confidential information
• Commercial interests
...and most are subject to a public interest test.
33
FOI ISSUES FOR CONTRACTS AND
TENDERING
34
CONTRACTS AND FOI
• Disclosing information about your contractors in
response to an FOI request
• What exemptions might be relevant?
• What should you agree to in your contract?
• ICO Guidance, and S.45 Code of Practice
• Managing the expectations of your contractors
35
COMMERCIAL INTERESTS (s.43)
• Qualified exemption for disclosures which are:
• Trade secrets, or
• Disclosures which could prejudice the commercial
interests of any person, including the authority holding
the information
• Commercial interests:
• more than just financial – must involve trade or
commerce
• exemption from duty to confirm or deny
• National Maritime Museum Tribunal decision
36
COMMERCIAL INTERESTS: ISSUES
• Commercial interest of a public authority or a third party:
• Is there a commercial activity? Financial interests
insufficient
• Is there prejudice?
• Where does the balance of the public interest lie?
• Tender and contractual processes:
• Include information with bid documentation
• Distinguish between current and new contracts
• Classification at the start of the contract
• Process agreed under the contract for classification during
the life of the contract
37
CONFIDENTIALITY (s.41)
• Absolute exemption for information provided in
confidence, but information:
• must have been obtained from another person, and
• disclosure must give rise to an actionable breach of
confidence
• No public interest test if information qualifies
• Internally generated information will not count
• Exemption can apply to duty to confirm or deny
38
PROVIDING ADVICE AND ASSISTANCE
• Duty to provide advice and assistance to persons who
propose to make requests, or who have made
requests for information (s.16)
• Does not apply to publication schemes
• S.45 Code of Practice published by DCA/MOJ sets out
what authorities must do to help
• Compliance with Code discharges s.16 duty
• EIRs have same requirement (Reg.9)
39
SECTION 45 CODE
• Publish your procedures for dealing with requests for
information
• Draw the Act to the attention of potential applicants
• Help potential applicants make requests in writing
• Help potential applicants frame their requests
• Consider what can be provided free of charge if
applicant does not want to pay
• Consider what can be provided within the upper limit if
request exceeds limit
40
SECTION 45 CODE
• Advises on procedures for the transfer of requests from
one public authority to another (but NB EIRs)
• Provides for consultation with persons affected by an
FOI request
• Considers what confidentiality contract clauses should
be used by public bodies
• Deals with complaints procedures
41
INFORMATION HELD BY CONTRACTOR
• Requests made for information which is in the hands of
your contractor
• Complying with procedures & time limits
• What about costs of contractor response, and the FOI
costs exemption?
• What you should try to negotiate in your contract
NB: Remember that rules are different for EIRs
42
COSTS UNDER FOIA
Three kinds of costs under FOIA:
1. Costs you can’t do anything about (e.g. costs of dealing
with the applicant; considering an exemption)
2. Appropriate Limit costs (determining, locating etc)
3. Communication costs (P&P)
In practice information is free and you hardly ever charge a
fee or send a fees notice
43
EXCEEDING APPROPRIATE LIMIT
• No obligation to comply if the authority estimates that
cost would exceed the appropriate limit (s.12)
• No exemption from duty to confirm or deny unless this
alone would exceed the appropriate limit.
• Reg.4: The only factors to be taken into account are:
• Determining whether information is held
• Locating it
• Retrieving it
• Extracting it
• NB: Does extracting include redacting exempt materials?
• Staff time is chargeable at £25 per hour
44
COMMUNICATION COSTS
• If appropriate limit not exceeded, communication costs
may be charged
• Reg.6: Limited to informing requestor whether
information is held and communicating the information.
• Specifically include costs of:
• Complying with any preferred means of communication (s.11)
• Reproducing any document
• Postage and other transmission costs
• BUT staff time spent on any of the above may not be
charged (NB: except in voluntary responses!)
45
OUTSOURCING – SUPERVISING DATA
PROCESSORS
WHO IS A DATA PROCESSOR?
A data processor is an individual/organisation who processes
data on behalf of the controller, for example:
• Outsourced Payroll
• Offshore Call-Centre (increasingly common in India)
• Mailing house
• CCTV Security Firm
• Document Destruction (e.g. a shredding company)
47
DATA PROCESSOR CONTRACTS
• Data processors are not liable under the DPA
• A data controller must:
• Choose a processor with sufficient security guarantees
• Take reasonable steps to ensure that processors comply with
these guarantees
• Impose a written contract under which the processor is obliged
to act only on the instructions of the controller and covenants to
observe and perform all the obligations of the Seventh Principle
• NB – link with Principle 8 for overseas transfers but
separate requirements
48
INFORMATION SECURITY - 7TH
PRINCIPLE
• Take appropriate technical and organisational measures
against unauthorised or unlawful processing of personal
data and against accidental loss or destruction of, or
damage to, personal data
• Determine what is appropriate having regard to:
• the nature of the personal data to be protected
• the resulting harm which might arise from a breach
• state of the art & implementation cost
• the effectiveness of existing measures
• reliability of staff (e.g. appropriate training for all staff)
49
In the news…
50
RISK MANAGEMENT (1)
• Is there proof that all reasonable steps have been taken to
comply with DPA’s security duties?
• Are security standards for industry or sector being met?
• Is there a security policy?
• Is there a business continuity plan to cover inability to
process data in an emergency?
• Does management take security seriously?
• Are the service provider’s staff adequately trained in
respect of data protection requirements? Have they been
security vetted?
51
RISK MANAGEMENT (2)
• What contractual security obligations have you imposed
upon the service provider?
• Is there a duty upon the service provider to report data
security breaches?
• What powers do you have to audit the service provider to
ensure that they are complying with their data protection
obligations?
• What are the known risks for the kind of processing
undertaken?
• Are data transferred securely?
• Is encryption used when data are processed on mobile
devices?
52
OVERSEAS TRANSFERS
SOLUTIONS AND APPROACHES
INCLUDING MODEL CLAUSES AND SAFE
HARBOR
LEGAL ISSUES
• Data Protection Act 1998, Principle 8
“Personal data shall not be transferred to a country or
territory outside the European Economic Area unless that
country or territory ensures an adequate level of protection
for the rights and freedoms of data subjects in relation to
the processing of personal data”
• Don’t forget the other data protection principles
54
EUROPEAN ECONOMIC AREA
[Map slide; labels shown: Canada, Iceland, Norway, Liechtenstein, Guernsey, Isle of Man, Argentina]
55
OPTIONS FOR COMPLIANCE - THE 8TH
PRINCIPLE
1. Findings of Adequacy by the EU (or Safe Harbor for USA)
2. Assessment of Adequacy as set out in the 8th principle
3. Seek an exemption from the adequacy obligation
• Consent of data subject
• Necessary for performance of contract
• Substantial public interest, vital interests, legal proceedings
• Model contracts
• Binding corporate rules
56
THE END
DATA PROTECTION FREEDOM OF
INFORMATION AND CONTRACTS
training for
GOLDSMITHS COLLEGE
Copyright Amberhawk Training Limited July 2010
www.amberhawk.com
57