Colleges and public authority status under data protection legislation
- Jody Richards
Introduction

1. This paper sets out the likelihood that Colleges (and the University) will be designated as public authorities under the General Data Protection Regulation (GDPR), and the implications of such a designation. It also outlines some early proposals on how to address some of those implications. The GDPR will apply in the UK from 25 May 2018: it is anticipated that UK legislation (a new Data Protection Act) will come into force from that same date.

GDPR and public authorities

2. The GDPR does not define public authorities but does outline some key elements of how the GDPR applies to them specifically. In particular, data controllers designated as public authorities:

- may be restricted in which legal bases they are permitted to use to process data, notably a restriction on a reliance on a controller's legitimate interest to do so (see Annex 1); and
- must employ or appoint a Data Protection Officer, a new governance role not dissimilar to an internal audit function (see Annex 2).

3. The GDPR derogates responsibility for designating the status of public authorities to national governments. The UK is responding to this (and other derogations) through the current Data Protection Bill.

The Data Protection Bill and public authorities

4. The Data Protection Bill clearly outlines the intention of the UK government that universities (and the Colleges) are designated as public authorities under national legislation. Its current draft reads:

6 Meaning of "public authority" and "public body"

(1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
    (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.

Colleges are caught due to their public authority status under the Freedom of Information Act.

5. Attention is drawn, however, to paragraph 6(2), outlining that the Secretary of State can otherwise exclude data controllers from the definition. A range of lobbying is currently taking place to establish the position of schools, universities and colleges, with two main approaches being taken by a range of lobbyists:

i) to draft a legislative clause specifically excluding schools, universities and colleges from the definition in the Bill;
ii) to draft a legislative clause to introduce the concept of a "hybrid body" (not recognised in the GDPR), whereby a public authority may have non-public functions for which they are not designated as public authorities (principally an approach to secure a broader range of legal bases of data processing than those outlined in the GDPR).

Annex 3 provides further information on those proposed lobbying positions.

6. The Department for Digital, Culture, Media and Sport (DCMS) (the government department leading on data protection legislation) is on record as noting the importance of the use of legitimate interest as a legal basis for data processing for universities (see Annex 1 for further details).

7. The DCMS and the Information Commissioner are currently of the view that it is lawful to designate hybrid bodies in non-statutory guidance of the Information Commissioner (i.e. that the concept of hybrid bodies is not incompatible with the GDPR and/or the GDPR does not prevent legitimate interest being a legal basis for data processing for public authorities). This does not accord with the Counsel Opinions seen by the Office of Intercollegiate Services (Jonathan Swift QC; Hugh Tomlinson QC) or informal advice from local solicitors (Penningtons; Mills and Reeve).

8. The University is currently relying on the stated views of the DCMS, and is working on the assumption that the University will be a public authority but also be able to use its legitimate interest as a basis for data processing for its non-public functions (however they may be defined!).

9. In conclusion, at this point, it is unclear whether Colleges will be designated as public authorities, but it is likely unless lobbying as outlined in paragraph 5i is successful. It is more likely that paragraph 5ii will be enacted. Consequently, it is recommended that Colleges should proceed on the basis that:

- they will continue to be able to use their legitimate interest to process personal data; and
- they will need to appoint or employ a Data Protection Officer.
Annex 1: the importance of legitimate interest as a legal basis for data processing

A1.1 As a reminder, the GDPR outlines the following legal bases for data processing (author's emphases):

Article 6: Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

A1.2 It is this last sentence that is causing the legal angst: the DCMS and Information Commissioner are of the view that the inclusion of the phrase "in the performance of their tasks" limits the exclusion of (6)(1)(f) to statutory public duties: as outlined in paragraph 7, a body of legal opinion disagrees with that interpretation.

A1.3 Where possible, Colleges are being advised to rely on a legal basis other than consent ((6)(1)(a)), as consent can only be relied upon where it can be freely withdrawn and processing stopped: in draft advice from the Information Commissioner, it is considered inappropriate where the data controller has authority over the data subject (i.e. both staff and students).

A1.4 For a large number of data processing functions, Colleges will rely on other legal bases as a matter of course, e.g.:

- necessary for the performance of a contract:
    - student applications and activities
    - staff applications and activities
    - Fellowship activities
    - data sharing with the University and CAm
- necessary for compliance with a legal obligation:
    - financial transactions
    - health and safety
    - PREVENT

A1.5 A large number of processes may be uncomfortably allocated to either of the above, but more naturally would fit with "necessary for the purposes of the legitimate interests pursued by the controller", including:

- alumni relations and fundraising; [1]
- national widening participation initiatives (e.g. tracking school students through their engagements with higher education institutions prior to any enrolment);
- sharing of personal data with the local council (to ease students' interactions relating to council tax liabilities);
- sharing of personal data with the student unions, and independent clubs and societies;
- pre-contact investigations into potential honorary Fellowships, or due diligence prior to external members' appointments onto College committees;
- informal disciplinary procedures;
- processing of personal data for network and information security purposes.

This list is not exhaustive, but is intended to give an indication of how limiting it may be to the business activities of the Colleges, or where there would be a serious lack of clarity of the legal basis for standard personal data processing.

[1] This activity has been the principal focus of discussions with the DCMS and Information Commissioner to date.
Annex 2: Data Protection Officer(s) for the Colleges

A2.1 Articles of the GDPR state that certain data controllers (and notably public authorities) must appoint a Data Protection Officer (DPO). This role is not like the roles currently designated as such in Colleges (which tend to focus on the operational matters relating to personal data protection and often reside in either IT or HR functions). The new DPO role is related much more to governance and counsel over the proper interpretation of the GDPR: it should not be interpreted as a parallel or expanded role of existing data protection officers (dpo) nominated in Colleges under the Data Protection Act.

A2.2 The new DPO role is not an operational role and its appointment/designation must be discrete from data protection operational activities. Article 39 outlines what the person appointed is responsible for (author's emphases and [additions]):

(a) to inform and advise the controller or the processor [the College] and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor [the College] in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority [the Information Commissioner's Office (ICO)];
(e) to act as the contact point for the supervisory authority [the ICO] on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

A2.3 In addition, the DPO is:

a. expected to investigate and manage complaints from data subjects and to facilitate them in exercising their rights;
b. required to ensure that any other duties/responsibilities they hold are not in conflict with these roles;
c. appointed on the basis of their professional qualities and, in particular, expert knowledge of data protection law and practices;
d. to be in a position where he or she reports to the highest management level, without interference or instruction or risk of penalty or dismissal;
e. provided with appropriate resources to carry out their duties, including their own professional development; and
f. accessible to any data subject for the discussion of any issues or management of their rights.

A person can act as a DPO for more than one organisation, making the appointment/outsourcing of a DPO for two or more Colleges a possibility.

A2.4 Colleges, as small organisations, will likely find the identification/appointment of an in-house Data Protection Officer who can be sufficiently independent challenging: the role is unlikely to be of significant volume but would otherwise be needed to act quickly (e.g. data breaches need resolution and reporting within 72 hours).

A2.5 Various options which could be explored by Colleges, individually and collectively, are:

i. Designation of a senior member of the College to fulfil the role
The allocation of the role to a member of the governing body (Fellow) is a possibility, but would require that person to remain apprised of both UK and EU data protection law and practice. The role will also not obviate the need for other members of the College to manage the operational aspects of personal data protection.

ii. Designation of a senior member from another College to fulfil the role
Each College already has a senior person with responsibility for data protection matters (commonly referred to as a "data protection officer" but to avoid confusion here referred to as a "data protection manager"): this is often a Bursar of the College. This option would be for the data protection manager of one College to be appointed as the formal Data Protection Officer for another College. (It would need to be clarified whether Colleges would either pair up, or otherwise collaborate in small groups to act for another in this way.) All data protection managers would need to remain apprised of both UK and EU data protection law and practice, in order to advise formally the other College(s).

iii. Employment of a Data Protection Officer for the Colleges
As outlined above, a single Data Protection Officer may act for more than one data controller: it would be feasible to consider the appointment of a member of staff within the Office of Intercollegiate Services to perform the role for all Colleges. A role profile and estimated salary/volume would need to be conducted.

iv. Employment of a Data Protection Officer for the Colleges in collaboration with the University
Instead of a discrete post for the Colleges, the possibility of a jointly-funded post with the University could be explored. An advantage of this approach would be that it could cover issues and concerns which stretch across the collegiate University. Again, a role profile and estimated salary/volume would need to be conducted, with an additional exercise of negotiating how to divide the costs of the post between the University and the Colleges.

v. Engagement of an external firm on retainer
It is highly likely that law firms and/or independent auditors will offer services in this area, although no clear marketing of such services is evident at the moment, making it unclear whether this would be more cost-effective than other models.

vi. Engagement of an external firm on retainer as part of the collegiate University
Similar to above, but retaining external services alongside the University may offer the opportunity of a more effective negotiated rate.
Annex 3: proposed lobbying amendments to Clause 6 of the Data Protection Bill

Option 1: clause to exclude schools, universities and colleges from the definition

The below amendment would enshrine in the Regulation a more permanent way of exercising the powers indicated in clause 6(2):

6 Meaning of "public authority" and "public body"

(1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
    (a) a public authority as defined by the Freedom of Information Act 2000 (with the exception of those public authorities listed in Part IV of Schedule 1 to that Act), subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13) (with the exception of those public authorities listed in Part 5 of Schedule 1 to that Act), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.

Option 2: clause to legislate for hybrid bodies

The below amendment would legitimise the concept of "hybrid bodies":

6 Meaning of "public authority" and "public body"

(1) For the purposes of the GDPR, the following (and only the following) are "public authorities" and "public bodies" under the law of the United Kingdom:
    (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a "public authority" or "public body" for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In the second subparagraph of Article 6(1) of the GDPR (lawfulness of processing), the tasks of public authorities as defined in this paragraph are limited to their official functions as laid down by European Union law or the law of the United Kingdom or a part of the United Kingdom.
More informationBrasenose College Data Protection Policy Statement v1.2
Brasenose College Data Protection Policy Statement v1.2 1. Introduction All documents referred to in this policy can be found online at the address below: https://www.bnc.ox.ac.uk/privacypolicies 1.1 Background
More informationData Protection Policy
Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:
More informationGDPR in schools and academies. Dai Durbridge, Partner Browne Jacobson LLP
GDPR in schools and academies Dai Durbridge, Partner Browne Jacobson LLP Welcome Partner in the Education team at Browne Jacobson Lead the Manchester Education team Expert information management lawyers
More informationRSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )
RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:
More informationData Protection (internal) Audit prior to May (In preparation for that date)
Data Protection (internal) Audit prior to May 2018. (In preparation for that date) For employers without a dedicated data protection or compliance function, a Data Protection Audit can seem like an overwhelming
More informationRULES FOR THE SUPERVISORY BOARD
RULES FOR THE SUPERVISORY BOARD OF B&S GROUP S.A. These Rules were adopted by the Supervisory Board on 9 March 2018 CONTENTS 1. Definitions 3 2. Status and contents of the rules 3 3. Responsibilities of
More informationSandwell Metropolitan Borough Council
Sandwell Metropolitan Borough Council 17 April 2018 Agenda Item 12 Subject: Director: Contribution towards Vision 2030: Contact Officer(s): Appointment of Statutory Officers: Senior Information Risk Owner,
More informationEDPS Opinion on the proposed common framework for European statistics relating to persons and households
Opinion 2/2017 EDPS Opinion on the proposed common framework for European statistics relating to persons and households 1 March 2017 1 P a g e The European Data Protection Supervisor (EDPS) is an independent
More informationThe current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.
Page 2 of 10 Data Protection Policy Chief Information Officer Chief Information Officer Data Protection Officer The current version (July 2018) is derived from, and supersedes, the version published in
More informationSupervisory Board Charter of the Audit Committee
Adopted by the Supervisory Board on September 8, 2004 Amendment approved by the Supervisory Board December 8, 2009 Amendment approved by the Supervisory Board June 18, 2014 CONTENT 0. INTRODUCTION... 3
More informationIdentifying data controllers and data processors Data Protection Act 1998
ICO lo Identifying data controllers and data processors Data Protection Act 1998 Contents Overview... 2 What the DPA says... 2 Key consideration in determining who is a data controller - Degree of latitude/discretion/independence
More informationDATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017
DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017 TOPICS GDPR overview Concept of the DPO Recruitment process Job description Liability Your to do s: GDPR Responsibility and
More informationGDPR factsheet Key provisions and steps for compliance
GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance
More informationTerms of Reference Audit Committee. Adyen N.V.
Terms of Reference Audit Committee Adyen N.V. 4 June 2018 Contents Contents... 2 Introduction... 2 1 Composition... 2 2 Duties and Powers... 2 3 Duties regarding the External Auditor... 4 4 Meetings...
More informationAudit and Risk Committee Charter
Audit and Risk Committee Charter Magellan Financial Group Limited ACN 108 437 592 Approved and with effect from 20 June 2018 Audit and Risk Committee Charter 1. Introduction 1.1 Magellan Financial Group
More informationMemorandum of understanding between the Competition and Markets Authority and NHS Improvement
1 April 2016 Memorandum of understanding between the Competition and Markets Authority and NHS Improvement Contents Page Foreword... 2 Summary points of the MoU... 3 Memorandum of understanding between
More informationWhitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017
Whitepaper What are the changes regarding data protection in the future General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017 Authors: Prof. Dr. Christoph Bauer, Dr Frank Eickmeier, Dr
More informationNEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021
NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH, NORTHALLERTON (referred to in this policy as NLBC) is committed to
More informationCOUNCIL APPOINTMENT OF EXTERNAL AUDITOR
Report No: 7/2017 PUBLIC REPORT COUNCIL 9 January 2017 APPOINTMENT OF EXTERNAL AUDITOR Report of the Director for Resources Strategic Aim: All Exempt Information Cabinet Member(s) Responsible: No Councillor
More informationMINISTRY OF THE ENVIRONMENT BILL, 2017
MINISTRY OF THE ENVIRONMENT BILL, 2017 Arrangement of Sections Section PART I - PRELIMINARY 2 1. Short title and commencement...2 2. Interpretation...2 PART II MINISTRY OF THE ENVIRONMENT 3 3. Establishment
More informationCORPORATE GOVERNANCE GUIDELINES
CORPORATE GOVERNANCE GUIDELINES Alcoa Corporation ( Alcoa or the Company ) is a values-based company. Our Values guide our behavior at every level and apply across the Company on a global basis. We expect
More informationcloser look at Definitions The General Data Protection Regulation
A closer look at Definitions The General Data Protection Regulation September 2017 V1 www.inforights.im Important This document is part of a series, produced purely for guidance, and does not constitute
More informationA data processor is responsible for processing personal data on behalf of a data controller.
AfrAsia Bank Limited (we, us, our) is committed to safeguarding the privacy of your personal data. We understand that the protection of your personal data is an essential requirement for you and that you
More informationThe Information Commissioner s Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis.
MARCH 2017 GENERAL DATA PROTECTION REGULATION ROTHERHAM CCG ACTION PLAN Themes of the GDPR: Refining/tightening up of existing concepts Standardised law across the EU New concepts in regulation; accountability,
More informationGDPR: AN OVERVIEW.
GDPR: AN OVERVIEW www.amicuslegalconsultants.com AN OVERVIEW OF GDPR AND THE ROLE OF THE DATA PROTECTION OFFICER 1 INTRODUCTION The GDPR comes into effect across EU States on 25 May 2018, creating a level
More informationBriefing No. 2 GDPR. 1 mccann fitzgerald
Briefing No. 2 GDPR This briefing was produced by the Institute of Directors in association with McCann FitzGerald for use in Ireland. McCann FitzGerald is one of Ireland s premier law firms, providing
More informationDepartment for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017
Department for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017 The CBI welcomes the opportunity to respond to the Department for Culture
More informationCOMMISSION DECISION. of
EUROPEAN COMMISSION Brussels, 16.10.2017 C(2017) 6760 final COMMISSION DECISION of 16.10.2017 on the general provisions for implementing Article 79(2) of the Conditions of Employment of Other Servants
More informationComply or explain manual Dutch Corporate Governance Code as of December 2018
Comply or explain manual Dutch Corporate Governance Code as of December 2018 Comply or explain The Dutch Corporate Governance Code (the "Code") provides that the company must explicitly state in a separate
More informationThe Governance Arrangements of the Corporation of Sussex Coast College Hastings SCHEME OF DELEGATION
The Governance Arrangements of the Corporation of Sussex Coast College Hastings SCHEME OF DELEGATION Scheme for the Delegation of Board Powers and Executive Limitations 1. Context This Scheme forms part
More informationRULES OF PROCEDURE AUDIT COMMITTEE SUPERVISORY BOARD RABOBANK 1
RULES OF PROCEDURE AUDIT COMMITTEE SUPERVISORY BOARD RABOBANK 1 1 Adopted by the Supervisory Board on 11 August 2017 with effective date 1 September 2017 1 1. Introduction 1.1. These rules of procedure
More informationPaul Jordan Thursday 12 October,
GDPR Readiness: Role of the DPO OXS 17 Brussels Paul Jordan Thursday 12 October, 2017 Overview General DPO requirements under the GDPR: legitimacy of the DPO role International Research findings in Data
More informationEDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics
Opinion 10/2017 EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics 20 November 2017 1 P a g e The European Data
More informationAudit Committee Charter
Commonwealth Bank of Australia ACN 123 123 124 Audit Committee Charter 1. Purpose and Duties of the Audit Committee 1.1. It is the policy of the Group to have an Audit Committee of the Board at all times.
More informationSupervisory Board Charter of the Audit Committee
Adopted by the Supervisory Board on September 8, 2004 Amendment approved by the Supervisory Board December 8, 2009 Amendment approved by the Supervisory Board June 18, 2014 Amendment approved by the Supervisory
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated) Adopted on 29 November 2017 INTRODUCTION
More informationWhat do companies need to do?
Briefing GDPR The General Data Protection Regulation ( GDPR ) will come into effect on 25 May 2018. The GDPR will replace the existing data protection laws in all EU member states and is designed to result
More informationScottishPower Data Protection Policy
SCOTTISHPOWER CORPORATE SECURITY Nov / 2017 ScottishPower Data Protection Policy In accordance with the Scottish Data Protection Policy ( the policy ) and the Global Personal Data Protection Framework
More informationDelegations under Section 41 of the State Sector Act 1988
SSC Guidance Delegations under Section 41 of the State Sector Act 1988 Introduction Effective April 2014 1 The State Sector Act 1988, Public Finance Act 1989, and Crown Entities Act 2004 were amended in
More informationScottish Parliament Edinburgh EH99 1SP. Dear Convener
Minister for UK Negotiations on Scotland s Place in Europe Michael Russell MSP T: 0300 244 4000 E: scottish.ministers@gov.scot Bruce Crawford MSP, Convener of the Finance and Constitution Committee & Graham
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Mission Statement WeST holds a deep seated belief in education and lifelong learning. Effective collaboration, mutual support and professional challenge will underpin our quest to
More information***I REPORT. EN United in diversity EN. European Parliament A8-0226/
European Parliament 2014-2019 Plenary sitting A8-0226/2018 27.6.2018 ***I REPORT on the proposal for a regulation of the European Parliament and of the Council on the European citizens initiative (COM(2017)0482
More information