GDPR Presentation

GDPR Presentation
Data Protection and GDPR
Starting point … • How does data protection impact on your work? • What do you think are the current data protection related challenges within your library service? • Do you know where to go within your organisation for more information on data protection legislation?
Reminder: Data Protection Act 1998 The Data Protection Act 1998 is a law which protects personal information (personal data) about individuals*, and sets out how such information can be legally collected, used and stored by organisations. *Depending on the organisation individuals can be members of the public, members of staff, students, patients, alumni, research subjects etc. Balance: Data v Privacy
General Data Protection Regulation (GDPR) At the end of 2015, the European Parliament and Council agreed a final draft of a new General Data Protection Regulation (GDPR) which will apply in the UK and EU member states from 25 May 2018. The main aims of the GDPR involve improving consumer protection and general levels of privacy for individuals, along with mandatory reporting of data protection breaches and an increased emphasis on gaining explicit consent to process information. Both the UK and the Republic of Ireland will replace their current Data Protection Acts in the next few months, and the drafts are currently going through relevant parliamentary processes. Organisations should start to look at their data protection compliance activities to ensure they will be compliant with the GDPR when it’s provisions are transferred into new data protection acts by May 2018.
Scope of current legislation • Paper : information held in manual form or printed out from an electronic format • Electronic : e mails, databases, spreadsheets and reports • Photographs: Marketing photographs, ID Cards and Passes; • CCTV images (both central CCTV system and any localised systems / webcams) • Publications: Marketing / information brochures with photographs • Web pages GDPR: all of the above plus information which may be associated with online identifiers provided by devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers. This may leave traces which, in particular when combined with other identifiers and information received by the servers, may be used to create profiles of the individuals and identify them.
Personal Data Personal data (personal information) is any data which relates to a living individual (a “data subject”), who can be identified - From the data - From the data and other information which is in the possession of, or likely to come into the possession of an organisation This data would include any expression of opinion about the individual and any intentions which the organisation (or another person) has in respect of this individual GDPR this definition is simplified and will be - Any information relating to an identified, or identifiable natural person (the data subject).
Grounds for Processing Personal Data Consent This will be broadly the same as the requirement under current legislation. However GDPR has a narrower view of what constitutes consent. Consent must be a freely given, specified, informed and unambiguous indication of an individual’s wishes. There must be some form of clear affirmative action – a “positive opt in”, consent cannot be inferred from silence, pre-ticked boxes or inactivity Necessary for the performance of a contract with the data subject or to take steps to prepare for a contract Necessary for compliance with a legal obligation
Grounds for Processing Personal Data Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing the data, e.g. for medical emergencies. Necessary for the performance of a task carried out in the public interest or as a consequence of an official authority vested in the institution Necessary for the purposes of legitimate interests This condition is in the current legislation, but will not be available for public authorities post May 2018.
Special categories of data Under current legislation special categories of data (known currently as “sensitive personal data”) are: • the racial or ethnic origin of the data subject; • political opinions; • religious beliefs or other beliefs of a similar nature; • whether they are a member of a trade union; • physical or mental health or condition; • sexual life; • the commission or alleged commission of any offence; or • any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. GDPR: Special Categories of Data the definition will include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation. There will also be separate but more stringent controls over criminal convictions data
Grounds for Processing Special Categories of Data Explicit consent -The same stringent consent threshold is required - freely given, specified, informed and unambiguous indication of an individual’s wishes. How can you ensure the individual is informed? Necessary for obligations under employment, social security or social protection law, or a collective agreement - This is a wider definition than within current legislation Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent - This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing the data, e.g. for medical emergencies Data made public by the data subject Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity - This is a wider definition than within current legislation
Grounds for Processing Special Categories of Data Necessary for reasons of substantial public interest Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care Necessary for reasons of public interest in the area of public health Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes - This is a new condition under the GDPR and provides that sensitive data can be processed for the purposes of archiving, research and statistics.
Data Protection Principles In the GDPR, and therefore in the new data protection legislation there will be 6 principles (as opposed to the current 8) Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency') Currently organisations are required to process the data fairly and lawfully. The inclusion of the principle of transparency is a new provision. Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Current legislation places similar restrictions on processing of data, the GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Data processed is adequate, relevant and limited to what is necessary Current legislation uses the term excessive, the GDPR requirements take the opposite view and only permits processing of data that is necessary. Data is accurate and, where necessary, kept up to date No change Data should not to be kept longer than is necessary for the purpose Currently organisations can keep information “as long as is necessary”, with exceptions for statistical or historical purposes where the data can be kept indefinitely. GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, in addition to the statistical or historical purposes. Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction No change Principles 6 and 8 in current legislation (data subject access rights and international transfers) are dealt with elsewhere in the new legislation
Data processed lawfully, fairly and in a transparent manner “Lawfully” Consider what are your grounds for processing both personal data and the special categories of data. There is no grounds for “it may be useful”. “Fair” Remember that if you are relying on consent it must be a freely given, specified, informed and unambiguous indication of an individual’s wishes. Ensure there is a form of clear affirmative action – a “positive opt in”. Consent cannot be inferred from silence, pre- ticked boxes or inactivity “Transparent” Look at your privacy notices, are they comprehensive and clear? Where is the information located? Can the individual reasonably be expected to locate the privacy notice, and to make an informed decision to grant consent (where necessary)? Are you informing the individual why you are collecting the data, and what grounds you are relying on? (i.e. if you are not relying on consent what are you relying on, make this clear)
Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes Decide what is your basis for collecting the personal information and make this known to the individuals concerned e.g. in any T&Cs, on your website, in any literature. Make sure you have a clear privacy notice in place and that the web site privacy statement is explicit with regard to use of the data. This is essential in order to ensure specified, informed and unambiguous consent Remember you cannot use information collected for one purpose for a different purpose without gaining further consent
Data processed is adequate, relevant and limited to what is necessary Only collect and use what you need and importantly, only what is compatible with the reasons and purposes which the individuals were informed of, or the purposes for which you are legally entitled to hold the information.* *Always refer back to your privacy notice Importantly don’t collect (or hold) any data “in case it might come in handy”
Data is accurate and, where necessary, kept up to date Organisations have a responsibility to make sure that any personal data, or special categories data collected is recorded accurately. The individual then needs to notify organisations of any change in their data. However, best practice suggests organisations should check periodically to make sure the data held is still up to date If notified of any changes every reasonable step must be taken to ensure that this is erased or rectified without delay, and in any event within a month of receiving the request
Data should not to be kept longer than is necessary for the purpose Organisations only have the right to hold data as long as it’s needed for the purpose notified to the individual (this could also mean holding it in the archive as set out in the any retention schedule) Once the purpose is no longer valid or the retention date has passed then the organisation should not continue to hold the information Organisations have a legal responsibility to make sure that the information is held securely, and that it is securely disposed of at the end of the retention period
Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction Personal and special categories data must be kept secure. The information must only be available to those with a right to see it. Matters to consider:- • Transferring information from one section / function / department to another, or transferring externally – it’s sometimes essential to do this. But consider what information actually needs to be transferred, to whom and how is it possible to ensure the confidentiality and the security of the information • Information is disclosed to members of staff in order for them to carry out their specific roles. This information should not under any circumstances be disclosed or handed over to anyone other than those with a need to see it • Staff must be careful with memory sticks, laptops and other portable media – use encryption / passwords etc. Consult your Information Security Policy.
Principles of Information Security Paper records Appropriate storage for paper / manual records would include: • Locked metal cabinets with keys limited to authorised staff only; • Locked drawer in a desk (or other storage area) with keys limited to authorised staff only; • Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only; Appropriate disposal for paper / manual records would either be: • Secure disposal via an accredited confidential waste disposal company Or • Shredding (best practice would suggest use of a cross-cut shredder)
Principles of Information Security Electronic records and Database Systems • Never disclose your password • Ensure your password is robust – change it regularly • Always log off, or lock a workstation before leaving it • When working on confidential work and / or work involving personal data make sure no one else can read your screen • Protect equipment from physical theft (especially laptops and memory sticks) • Store all records on the appropriate organisational network so that it is backed up regularly • Remember to back up and secure work mobile devices (laptop / phone) as well • When sending emails internally or externally it is essential to check that the appropriate recipient has been selected, before sending the message • Particular care is required when forwarding emails, in particular ones with attachments so that information is only sent to people with a real ‘need to know’. Before forwarding attachments at all you should check that the information is not available to them by other secure means. Remember the same retention guidelines apply to records held electronically and in paper / manual format
GDPR: Individual Rights • The right to be informed (privacy notice) • The right of access (subject access request) • The right to rectification (if data is inaccurate or incomplete) • Organisation must respond to this request within a month, if rectification isn’t possible the individual must receive an explanation as to why that is • The right to erasure (the right to be forgotten) • This does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances: • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, when the individual withdraws consent, or objects to the processing and there is no overriding legitimate interest for continuing the processing. • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR), or it has to be erased in order to comply with a legal obligation. • The right to restrict processing • Where an individual contests the accuracy of the personal data, where an individual has objected to the processing and the organisation is considering their legal reason for processing, where processing is unlawful and the individual opposes erasure and requests restriction instead, where the organisation no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim. • The right to data portability • Organisation must respond within a month. Allows individuals to move, copy or transfer personal data in order to obtain and reuse for their own purposes across different services. • The right to object (e.g. to direct marketing) • Rights in relation to automated decision making and profiling • Establishes safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Organisations should identify whether any processing operations constitute automated decision making and consider whether appropriate procedures are needed to deal with the requirements of the GDPR.
The right to be informed The GDPR requires organisations to be transparent and to provide accessible information to individuals about how their information will be used. The usual way in which to provide this information is through the use of a “privacy notice”. The term “privacy notice” is used to describe all the different ways in which an organisation can provide privacy information to individuals – on the web, in any literature etc. The starting point of a privacy notice should be: • who are the organisation; • what is the organisation going to do with the individual’s information; and • who will it be shared with Also consider why you need to collect the information (are there any consequences if the information is not given?), how long will the information be kept for (retention), what are the procedures for individuals who wish to withdraw consent (where consent is being relied upon), what are the procedures for requesting a copy of their data etc.
The right of access Individuals have the right to find out what information is held about them within organisations In order to make a request to see / obtain a copy of the information an individual should make a request in writing There is no charge for making the request, and the request must be dealt without delay, and at the latest within one month of receipt of the request*. *Under current legislation organisations can charge a £10 fee, and the legal compliance date is 40 calendar days
Children’s Personal Data The GDPR contains new provisions intended to enhance the protection of children’s personal data. Privacy notices for children Where services are offered directly to a child, organisations must ensure that the relevant privacy notice is written in a clear, plain way that a child will understand. Online services offered to children Proposals in relation to online services would mean children aged 13 years old or above would be able to consent to their data being processed. For children under 13 years old their parents or guardians would need to consent. Withdrawing consent will also be simplified for children.
Transfer of data outside the European Union Organisations can transfer data outside the European Union where the receiving organisation has provided adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer. Examples of adequate safeguards would be: • a legally binding agreement between public authorities or bodies; • binding corporate rules (agreements governing transfers made between organisations within in a corporate group); • standard data protection clauses in the form of template transfer clauses adopted by the Commission; • standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission; • compliance with an approved code of conduct approved by a supervisory authority; • certification under an approved certification mechanism as provided for in the GDPR; • contractual clauses agreed authorised by the competent supervisory authority; or • provisions inserted in to administrative arrangements between public authorities or bodies authorised by the competent supervisory authority. Any current data protection clauses which are put into contracts will need to be updated to ensure they remain compliant with the GDPR requirements and new data protection legislation.
Personal or Special Categories Data Breach The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data / special categories data. Organisations will have to notify where the breach is likely to result in a risk to the rights and freedoms of individuals, and must do so within 72 hours. Failing to notify a breach when required to do so can result in a fine, as well as a significant fine for the breach itself … up to 10 million Euros or 2 per cent of an organisation’s global turnover, and for very significant breaches up to 20 million Euros / 4% of global turnover. (Under current legislative provision the maximum fine is £500,000, and mandatory reporting is only required in certain sectors.)
When should you notify? Organisations should notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. The individuals themselves will also need to be notified in certain cases. Whether to notify or not has to be assessed by the organisation on a case by case basis, although it is expected that organisations will issue staff with an internal breach reporting procedure. Issues to consider – would the breach have a significant detrimental effect on the individuals affected – e.g. result in discrimination, damage to reputation, financial loss, loss of confidentiality, identify theft or any other significant disadvantage. The UK Information Commissioner’s Office guidance states that when reporting a breach to them they would expect the following information to be shared: • The nature of the personal data breach including, where possible the categories and approximate number of individuals concerned; and • the categories and approximate number of personal data records concerned; • The name and contact details of the data protection officer or other contact point where more information can be obtained; • A description of the likely consequences of the personal data breach; and • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Staff Responsibilities Staff (including e.g. volunteers, external members of committees and contractors) have a responsibility to ensure that personal data: • is kept on a need to know basis, treated sensitively and disposed of securely; • is not disclosed, orally or in writing, intentionally, or accidentally, to any unauthorised member of staff or external third party If you need to share personal data with another member of staff, or with an external third party, make sure that you have satisfied yourself that they have the right to know the information, and if they have that you have made them aware of the need for confidentiality. Compliance with data protection legislation is both a personal and an organisational responsibility
Case Studies
Case Study 1 You’re asked to organise an event in your library, involving members of staff from your organisation, and also members of the public. The local press might also send a photographer • Attendance at the event will be via registration from an online website • You are asked to keep an attendance list on the day, indicating who has / hasn’t attended • You’re asked to set up a database of those who’ve attended, but also those who haven’t, and make them aware of follow up events occurring in the next few months What are the data protection challenges you face? Are there any additional GDPR challenges?
Case Study 2 Your library service is moving to a new building, the library desk is located in a large open plan area where library users are also encouraged to make use of the flexible learning space. Desk services staff place reserved items on trolley located nearby, each book having the reservation slip (which contains the name of the patron, their email / telephone number) placed into the book with the details visible. A library user, who has reserved a book, complains that their personal data is available so publically How will you respond to the library user? Are there any additional GDPR challenges?
Case Study 3 Your library service has agreed with the local high school that pupils revising for their GCSE and A level examinations can use the library after school to access online resources, to borrow books and to revise The agreement is well used by pupils from the school, who appreciate having access to the resources and having the ability to borrow books A parent approaches the library desk requesting a print out of all the books their child has taken out of the library, and also all the resources they have accessed on line. They maintain they have a right to this information as their child is under 18 What are the data protection challenges you face? Are there any additional GDPR challenges?
Case Study 4 A user comes to the library desk and reports that two other library users are involved in a heated argument in a corridor outside one of the reading rooms. You make your way to the location and on arrival realise the argument has now turned into a scuffle. In the meantime another user has called the Police and they are soon on site, taking both individuals out of the library for a discussion. A few minutes later a police officer comes back into the library and requests information, explaining that both involved are accusing the other of starting the argument, the root of which is unexplained. The police request that you give them: • Name, address and contact details of both individuals • Frequency of their visits to the library • Internet history for both • Name, address and contact details of all witnesses • CCTV images showing the argument, and anything leading up to this point What are the data protection challenges you face? What “evidence” do you have, and would you share it? Who would you report this incident to? Are there any additional GDPR challenges?
Case Study 5 Your library has bought an integrated library management system which works seamlessly with all other databases held by your organisation. This means you have a large amount of data on your library users, fed through from other systems, but also historical data (borrowing record etc.) transferred from your old system. • What are the data protection challenges with this? • How can you ensure your data is kept up to date? • How long should you keep the data? A user comes to the library desk one day and exercises their right to erasure (to be forgotten), they want everything about them deleted • What are the challenges in complying with this request? • Can you comply in full or are the legitimate reasons why you need to keep some information?* • * Remember that Article 21 of the GDPR states that the onus is on the controller to show "compelling legitimate grounds" as to why the processing should continue
Final thoughts ….. Things to do now 1. Raise awareness of the changes amongst your staff 2. Consider what information you hold, and identify your lawful basis for processing the information 3. Look at your Privacy Notices, and include updated information 4. Are you able to deal with the changes in individuals’ rights? 5. Do you handle your own subject access requests, if not find out who does 6. Do you rely on consent to process information, and if so how will you ensure you comply with the more stringent requirements? Think about what needs doing both for current information and in the future 7. Do children use your services? Consider what information needs to be provided to them 8. Are you familiar with your organisation’s data breach procedure 9. Data Protection by Design – build this into your processes especially with new technology projects 10. Who is your Data Protection Officer? It will be mandatory to have a DPO after May 2018

Check these out next

GDPR Presentation

Recomendados

Más contenido relacionado

Presentaciones para ti(20)

Similar a GDPR Presentation(20)

Más de CILIP Ireland (20)

Último(20)

GDPR Presentation