Get to Grips with the Data Protection Act and New General Data Protection Regulation
What’s it all about? (includes the requirements of the EU General Data Protection Regulation)
What the Act applies to
- Living/identifiable people (of any age) – include link to the Freedom of Information Act (for public authorities where access to information about the deceased/statistical information is concerned)
- What the Act means by “personal data” and “sensitive data”
- What it applies to, including computer/automated systems and manual records
- How the new Regulation applies to data processors (individuals or organisations who process personal information on your behalf)
Applying the Data Protection Principles:
- Fair obtaining and receipt – the importance of informing individuals and transparency, plus circumstances where they do not have to be informed, e.g. police investigations
- Keeping within the law – spotlight on other relevant laws staff need to be aware of such as the common law duty of confidentiality and Human Rights Act (basic awareness)
- Ensuring you have a legitimate justification to process personal data – brief outline of conditions for processing
- Use of personal data for other purposes – change of use for example sharing with other organisations or departments
- Use of personal data for marketing purposes – Privacy and Electronic Communications Regulations.
Practical steps to ensure personal data are well-managed:
- Ensuring it is covered by your register entry – what it is, why it is important to help keep it up to date (what happens to it under the General Data Protection Regulation)
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not held longer than necessary – include reference to your retention policies/schedules, with examples
- Kept secure – focus on the importance of security, in particular for sensitive data.
- Protecting information held on computer and on paper (emphasis on the importance of good password management, anti-virus measures, signing off from computer workstations when not in use, physical protection, backups, transit and disposal, etc.)
- Home and out-of-office working – do’s and don’ts
- Managing and reporting data breaches (new)
- Service providers (data processors) and what actions must be taken to ensure they comply with the Data Protection Act.
- Individuals’ rights – focus on how to handle requests from people who want to see a copy of information held about themselves:
  - How to identify a request for access – normal business enquiry or formal request?
  - What is a valid request and the responsibilities of your organisation, such as the importance of legal deadlines
  - Brief reference to relevant exemptions
  - Brief summary of other rights for basic awareness – including the new Right to be Forgotten
- Sending information overseas
- Consent – when to seek it (e.g. for internet publishing) and circumstances/countries where it is not required.
- Offences and Penalties
Focus on those relevant to your organisation and include reference to the further implications of breaches (loss of trust, harm/damage to others).
Focus on dealing with disclosures, requests for information and information sharing – When to seek consent and circumstances where information may be disclosed without consent (for example in relation to legal proceedings)
Sharing information – within your organisation and externally
Information sharing agreements and protocols – what they should include in line with the Information Commissioner’s Data Sharing Code of Practice.
Focus on managing relationships with your Data Processors (those providing services for you) and how the General Data Protection Regulation affects them.
You can choose from any of the above areas and mix and match according to your individual requirements. Practical examples, supplied either by your organisation (to make them relevant using internal scenarios/issues) or by DP Assist, are worked through in groups during the sessions, and opportunities for discussion and questions are given throughout.