Colleges and public authority status under data protection legislation


Introduction

1. This paper sets out the likelihood that Colleges (and the University) will be designated as public authorities under the General Data Protection Regulation (GDPR), and the implications of such a designation. It also outlines some early proposals on how to address some of those implications. The GDPR will apply in the UK from 25 May 2018: it is anticipated that UK legislation (a new Data Protection Act) will come into force from that same date.

GDPR and public authorities

2. The GDPR does not define public authorities but does outline some key elements of how the GDPR applies to them specifically. In particular, data controllers designated as public authorities: may be restricted in which legal bases they are permitted to use to process data, notably a restriction on a reliance on a controller's legitimate interest to do so (see Annex 1); and must employ or appoint a Data Protection Officer, a new governance role not dissimilar to an internal audit function (see Annex 2).

3. The GDPR derogates responsibility for designating the status of public authorities to national governments. The UK is responding to this (and other derogations) through the current Data Protection Bill.

The Data Protection Bill and public authorities

4. The Data Protection Bill clearly outlines the intention of the UK government that universities (and the Colleges) are designated as public authorities under national legislation. Its current draft reads:

6 Meaning of public authority and public body

(1) For the purposes of the GDPR, the following (and only the following) are public authorities and public bodies under the law of the United Kingdom
    (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a public authority or public body for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.

Colleges are caught due to their public authority status under the Freedom of Information Act.

5. Attention is drawn, however, to paragraph 6(2), outlining that the Secretary of State can otherwise exclude data controllers from the definition. A range of lobbying is currently taking place to establish the position of schools, universities and colleges, with two main approaches being taken by a range of lobbyists:

i) to draft a legislative clause specifically excluding schools, universities and colleges from the definition in the Bill;
ii) to draft a legislative clause to introduce the concept of a hybrid body (not recognised in the GDPR), whereby a public authority may have non-public functions for which they are not designated as public authorities (principally an approach to secure a broader range of legal bases of data processing than those outlined in the GDPR).

Annex 3 provides further information on those proposed lobbying positions.

6. The Department for Digital, Culture, Media and Sport (DCMS) (the government department leading on data protection legislation) is on record as noting the importance of the use of legitimate interest as a legal basis for data processing for universities (see Annex 1 for further details).

7. The DCMS and the Information Commissioner are currently of the view that it is lawful to designate hybrid bodies in non-statutory guidance of the Information Commissioner (i.e. that the concept of hybrid bodies is not incompatible with the GDPR and/or the GDPR does not prevent legitimate interest being a legal basis for data processing for public authorities). This does not accord with the Counsel Opinions seen by the Office of Intercollegiate Services (Jonathan Swift QC; Hugh Tomlinson QC) or informal advice from local solicitors (Penningtons; Mills and Reeve).

8. The University is currently relying on the stated views of the DCMS, and is working on the assumption that the University will be a public authority but also be able to use its legitimate interest as a basis for data processing for its non-public functions (however they may be defined!).

9. In conclusion, at this point, it is unclear whether Colleges will be designated as public authorities, but it is likely unless lobbying as outlined in paragraph 5i is successful. It is more likely that paragraph 5ii will be enacted. Consequently, it is recommended that Colleges should proceed on the basis that: they will continue to be able to use their legitimate interest to process personal data; and they will need to appoint or employ a Data Protection Officer.

Annex 1: the importance of legitimate interest as a legal basis for data processing

A1.1 As a reminder, the GDPR outlines the following legal bases for data processing (author's emphases):

Article 6: Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:
    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

A1.2 It is this last sentence that is causing the legal angst: the DCMS and Information Commissioner are of the view that the inclusion of the phrase "in the performance of their tasks" limits the exclusion of (6)(1)(f) to statutory public duties: as outlined in paragraph 7, a body of legal opinion disagrees with that interpretation.

A1.3 Where possible, Colleges are being advised to rely on a legal basis other than consent ((6)(1)(a)), as consent can only be relied upon where it can be freely withdrawn and processing stopped: in draft advice from the Information Commissioner, it is considered inappropriate where the data controller has authority over the data subject (i.e. both staff and students).

A1.4 For a large number of data processing functions, Colleges will rely on other legal bases as a matter of course, e.g.

necessary for the performance of a contract:
- student applications and activities
- staff applications and activities
- Fellowship activities
- data sharing with the University and CAm

necessary for compliance with a legal obligation:
- financial transactions
- health and safety
- PREVENT

A1.5 A large number of processes may be uncomfortably allocated to either of the above, but more naturally would fit with "necessary for the purposes of the legitimate interests pursued by the controller", including:

- alumni relations and fundraising; [1]
- national widening participation initiatives (e.g. tracking school students through their engagements with higher education institutions prior to any enrolment);
- sharing of personal data with the local council (to ease students' interactions relating to council tax liabilities);
- sharing of personal data with the student unions, and independent clubs and societies;
- pre-contact investigations into potential honorary Fellowships, or due diligence prior to external members' appointments onto College committees;
- informal disciplinary procedures;
- processing of personal data for network and information security purposes.

This list is not exhaustive, but is intended to give an indication of how limiting it may be to the business activities of the Colleges, or where there would be a serious lack of clarity of the legal basis for standard personal data processing.

[1] This activity has been the principal focus of discussions with the DCMS and Information Commissioner to date.

Annex 2: Data Protection Officer(s) for the Colleges

A2.1 Articles of the GDPR state that certain data controllers (and notably public authorities) must appoint a Data Protection Officer (DPO). This role is not like the current roles currently designated as such in Colleges (which tend to focus on the operational matters relating to personal data protection and often reside in either IT or HR functions). The new DPO role is related much more to governance and counsel over the proper interpretation of the GDPR: it should not be interpreted as a parallel or expanded role of existing data protection officers (dpo) nominated in Colleges under the Data Protection Act.

A2.2 The new DPO role is not an operational role and its appointment/designation must be discrete from data protection operational activities. Article 39 outlines what the person appointed is responsible for (author's emphases and [additions]):

(a) to inform and advise the controller or the processor [the College] and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor [the College] in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority [the Information Commissioner's Office (ICO)];
(e) to act as the contact point for the supervisory authority [the ICO] on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

A2.3 In addition, the DPO is:

a. expected to investigate and manage complaints from data subjects and to facilitate them in exercising their rights;
b. required to ensure that any other duties/responsibilities they hold are not in conflict with these roles;
c. appointed on the basis of their professional qualities and, in particular, expert knowledge of data protection law and practices;
d. to be in a position where he or she reports to the highest management level, without interference or instruction or risk of penalty or dismissal;
e. provided with appropriate resources to carry out their duties, including their own professional development; and
f. accessible to any data subject for the discussion of any issues or management of their rights.

A person can act as a DPO for more than one organisation, making the appointment/outsourcing of a DPO for two or more Colleges a possibility.

A2.4 Colleges, as small organisations, will likely find the identification/appointment of an in-house Data Protection Officer who can be sufficiently independent challenging: the role is unlikely to be of significant volume but would otherwise be needed to act quickly (e.g. data breaches need resolution and reporting within 72 hours).

A2.5 Various options which could be explored by Colleges, individually and collectively, are:

i. Designation of a senior member of the College to fulfil the role
The allocation of the role to a member of the governing body (Fellow) is a possibility, but would require that person to remain apprised of both UK and EU data protection law and practice. The role will also not obviate the need for other members of the College to manage the operational aspects of personal data protection.

ii. Designation of a senior member from another College to fulfil the role
Each College already has a senior person with responsibility for data protection matters (commonly referred to as a "data protection officer" but to avoid confusion here referred to as a "data protection manager"): this is often a Bursar of the College. This option would be for the data protection manager of one College to be appointed as the formal Data Protection Officer for another College. (It would need to be clarified whether Colleges would either pair up, or otherwise collaborate in small groups to act for another in this way. All data protection managers would need to remain apprised of both UK and EU data protection law and practice, in order to advise formally the other College(s).)

iii. Employment of a Data Protection Officer for the Colleges
As outlined above, a single Data Protection Officer may act for more than one data controller: it would be feasible to consider the appointment of a member of staff within the Office of Intercollegiate Services to perform the role for all Colleges. A role profile and estimated salary/volume would need to be conducted.

iv. Employment of a Data Protection Officer for the Colleges in collaboration with the University
Instead of a discrete post for the Colleges, the possibility of a jointly-funded post with the University could be explored. An advantage of this approach would be that it could cover issues and concerns which stretch across the collegiate University. Again, a role profile and estimated salary/volume would need to be conducted, with an additional exercise of negotiating how to divide the costs of the post between the University and the Colleges.

v. Engagement of an external firm on retainer
It is highly likely that law firms and/or independent auditors will offer services in this area, although no clear marketing of such services is evident at the moment, making it unclear whether this would be more cost-effective than other models.

vi. Engagement of an external firm on retainer as part of the collegiate University
Similar to above, but retaining external services alongside the University may offer the opportunity of a more effective negotiated rate.

Annex 3: proposed lobbying amendments to Clause 6 of the Data Protection Bill

Option 1: clause to exclude schools, universities and schools from the definition

The below amendment would enshrine in the Regulation a more permanent way of exercising the powers indicated in clause 6(2):

6 Meaning of public authority and public body

(1) For the purposes of the GDPR, the following (and only the following) are public authorities and public bodies under the law of the United Kingdom
    (a) a public authority as defined by the Freedom of Information Act 2000 (with the exception of those public authorities listed in Part IV of Schedule 1 to that Act), subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13) (with the exception of those public authorities listed in Part 5 of Schedule 1 to that Act), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a public authority or public body for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.

Option 2: clause to legislate for hybrid bodies

The below amendment would legitimise the concept of "hybrid bodies":

6 Meaning of public authority and public body

(1) For the purposes of the GDPR, the following (and only the following) are public authorities and public bodies under the law of the United Kingdom
    (a) a public authority as defined by the Freedom of Information Act 2000, subject to subsection (2),
    (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13), subject to subsection (2), and
    (c) an authority or a body specified by the Secretary of State in regulations.
(2) The Secretary of State may by regulations provide that a person specified in the regulations that is a public authority described in subsection (1)(a) or (b) is not a public authority or public body for the purposes of the GDPR.
(3) Regulations under this section are subject to the affirmative resolution procedure.
(4) In the second subparagraph of Article 6(1) of the GDPR (lawfulness of processing), the tasks of public authorities as defined in this paragraph are limited to their official functions as laid down by European Union law or the law of the United Kingdom or a part of the United Kingdom.


More information

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection

More information

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY

EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY EARLS HALL BAPTIST CHURCH DATA PROTECTION POLICY Adopted: 5 June 2018 1 Earls Hall Baptist Church is committed to protecting all information that we handle about people we support and work with, and to

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version Date Revision Author Summary of Changes 1.0 21 st May 2018 Ashleigh Morrow EXECUTIVE STATEMENT At CASTLEREAGH NURSERY SCHOOL (the School ), we believe privacy is important.

More information

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing Introduction 1. The Information Commissioner has responsibility in the UK for promoting and enforcing the Data Protection

More information

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds

The General Data Protection Regulation in health & social care. 6 October 2016 Leeds The General Data Protection Regulation in health & social care 6 October 2016 Leeds Session outline 09.05am: Roadmap of the GDPR 10.15am: Coffee break 10.30: GDPR impact: Streetview Employment Rights of

More information

Preparing Your Vendor Agreements for the General Data Protection Regulation

Preparing Your Vendor Agreements for the General Data Protection Regulation Preparing Your Vendor Agreements for the General Data Protection Regulation Oliver Yaros Partner - London +44 (0)203 130 3698 oyaros@mayerbrown.com Lei Shen Senior Associate - Chicago +1 312 701 8852 lshen@mayerbrown.com

More information

Data Protection Practitioners Conference 2018 #DPPC2018. Lawful basis myths

Data Protection Practitioners Conference 2018 #DPPC2018. Lawful basis myths Data Protection Practitioners Conference 2018 #DPPC2018 Myth #1 This lawful basis stuff is all new. Reality It s not new. The six lawful bases for processing are very similar to the old conditions for

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP265 Recommendation on the Standard Application form for Approval of Processor Binding Corporate Rules for the Transfer of Personal Data Adopted on 11 April

More information

Audit and Risk Management Committee Charter

Audit and Risk Management Committee Charter Audit and Risk Management Committee Charter Qube Holdings Limited ACN 149 723 053 Audit and Risk Management Committee Charter (revised June 2018 ) Page 1 of 8 1. Introduction 1.1 Objectives The objectives

More information

GENERAL DATA PROTECTION REGULATION Guidance Notes

GENERAL DATA PROTECTION REGULATION Guidance Notes GENERAL DATA PROTECTION REGULATION Guidance Notes What is the GDPR? Currently, the law on data protection requiring the handling of data which identifies people to be done in a fair way, is contained in

More information

Sample Data Management Policy Structure

Sample Data Management Policy Structure Sample Data Management Policy Structure This document has been produced by The Audience Agency. You are free to edit and use this document in your business. You may not use this document for commercial

More information

CHARTER AUDIT COMMITTEE

CHARTER AUDIT COMMITTEE CHARTER AUDIT COMMITTEE Article 1. Tasks and powers 1.1 The Audit Committee shall supervise the activities of the Management Board with respect to: a) the operation of the internal risk management and

More information

Brasenose College Data Protection Policy Statement v1.2

Brasenose College Data Protection Policy Statement v1.2 Brasenose College Data Protection Policy Statement v1.2 1. Introduction All documents referred to in this policy can be found online at the address below: https://www.bnc.ox.ac.uk/privacypolicies 1.1 Background

More information

Data Protection Policy

Data Protection Policy Data Protection Policy This policy will be reviewed by the Trust Board three yearly or amended if there are any changes in legislation before that time. Date of last review: Autumn 2018 Date of next review:

More information

GDPR in schools and academies. Dai Durbridge, Partner Browne Jacobson LLP

GDPR in schools and academies. Dai Durbridge, Partner Browne Jacobson LLP GDPR in schools and academies Dai Durbridge, Partner Browne Jacobson LLP Welcome Partner in the Education team at Browne Jacobson Lead the Manchester Education team Expert information management lawyers

More information

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company )

RSD Technology Limited - Data protection policy: RSD Technology Limited ( the Company ) RSD Technology Limited - Data protection policy: Introduction Company Name: Document DP3 Topic: RSD Technology Limited ( the Company ) Data Protection Policy Data protection Date: 25 th May 2018 Version:

More information

Data Protection (internal) Audit prior to May (In preparation for that date)

Data Protection (internal) Audit prior to May (In preparation for that date) Data Protection (internal) Audit prior to May 2018. (In preparation for that date) For employers without a dedicated data protection or compliance function, a Data Protection Audit can seem like an overwhelming

More information

RULES FOR THE SUPERVISORY BOARD

RULES FOR THE SUPERVISORY BOARD RULES FOR THE SUPERVISORY BOARD OF B&S GROUP S.A. These Rules were adopted by the Supervisory Board on 9 March 2018 CONTENTS 1. Definitions 3 2. Status and contents of the rules 3 3. Responsibilities of

More information

Sandwell Metropolitan Borough Council

Sandwell Metropolitan Borough Council Sandwell Metropolitan Borough Council 17 April 2018 Agenda Item 12 Subject: Director: Contribution towards Vision 2030: Contact Officer(s): Appointment of Statutory Officers: Senior Information Risk Owner,

More information

EDPS Opinion on the proposed common framework for European statistics relating to persons and households

EDPS Opinion on the proposed common framework for European statistics relating to persons and households Opinion 2/2017 EDPS Opinion on the proposed common framework for European statistics relating to persons and households 1 March 2017 1 P a g e The European Data Protection Supervisor (EDPS) is an independent

More information

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions.

The current version (July 2018) is derived from, and supersedes, the version published in February 2017 and earlier versions. Page 2 of 10 Data Protection Policy Chief Information Officer Chief Information Officer Data Protection Officer The current version (July 2018) is derived from, and supersedes, the version published in

More information

Supervisory Board Charter of the Audit Committee

Supervisory Board Charter of the Audit Committee Adopted by the Supervisory Board on September 8, 2004 Amendment approved by the Supervisory Board December 8, 2009 Amendment approved by the Supervisory Board June 18, 2014 CONTENT 0. INTRODUCTION... 3

More information

Identifying data controllers and data processors Data Protection Act 1998

Identifying data controllers and data processors Data Protection Act 1998 ICO lo Identifying data controllers and data processors Data Protection Act 1998 Contents Overview... 2 What the DPA says... 2 Key consideration in determining who is a data controller - Degree of latitude/discretion/independence

More information

DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017

DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017 DATA PROTECTION OFFICER (DPO) Maria Maxim Partner Bucharest October 25, 2017 TOPICS GDPR overview Concept of the DPO Recruitment process Job description Liability Your to do s: GDPR Responsibility and

More information

GDPR factsheet Key provisions and steps for compliance

GDPR factsheet Key provisions and steps for compliance GDPR factsheet Key provisions and steps for compliance Organisations hold vast amounts of personal data relating to customers, employees, and suppliers as well as within marketing databases. Compliance

More information

Terms of Reference Audit Committee. Adyen N.V.

Terms of Reference Audit Committee. Adyen N.V. Terms of Reference Audit Committee Adyen N.V. 4 June 2018 Contents Contents... 2 Introduction... 2 1 Composition... 2 2 Duties and Powers... 2 3 Duties regarding the External Auditor... 4 4 Meetings...

More information

Audit and Risk Committee Charter

Audit and Risk Committee Charter Audit and Risk Committee Charter Magellan Financial Group Limited ACN 108 437 592 Approved and with effect from 20 June 2018 Audit and Risk Committee Charter 1. Introduction 1.1 Magellan Financial Group

More information

Memorandum of understanding between the Competition and Markets Authority and NHS Improvement

Memorandum of understanding between the Competition and Markets Authority and NHS Improvement 1 April 2016 Memorandum of understanding between the Competition and Markets Authority and NHS Improvement Contents Page Foreword... 2 Summary points of the MoU... 3 Memorandum of understanding between

More information

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017

Whitepaper. What are the changes regarding data protection. in the future. General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017 Whitepaper What are the changes regarding data protection in the future General Data Protection Regulation? eprivacy GmbH, Hamburg, April 2017 Authors: Prof. Dr. Christoph Bauer, Dr Frank Eickmeier, Dr

More information

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021

NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY. Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH NORTHALLERTON DATA PROTECTION POLICY Adopted: 20 June 2018 To be reviewed: June 2021 NEW LIFE BAPTIST CHURCH, NORTHALLERTON (referred to in this policy as NLBC) is committed to

More information

COUNCIL APPOINTMENT OF EXTERNAL AUDITOR

COUNCIL APPOINTMENT OF EXTERNAL AUDITOR Report No: 7/2017 PUBLIC REPORT COUNCIL 9 January 2017 APPOINTMENT OF EXTERNAL AUDITOR Report of the Director for Resources Strategic Aim: All Exempt Information Cabinet Member(s) Responsible: No Councillor

More information

MINISTRY OF THE ENVIRONMENT BILL, 2017

MINISTRY OF THE ENVIRONMENT BILL, 2017 MINISTRY OF THE ENVIRONMENT BILL, 2017 Arrangement of Sections Section PART I - PRELIMINARY 2 1. Short title and commencement...2 2. Interpretation...2 PART II MINISTRY OF THE ENVIRONMENT 3 3. Establishment

More information

CORPORATE GOVERNANCE GUIDELINES

CORPORATE GOVERNANCE GUIDELINES CORPORATE GOVERNANCE GUIDELINES Alcoa Corporation ( Alcoa or the Company ) is a values-based company. Our Values guide our behavior at every level and apply across the Company on a global basis. We expect

More information

closer look at Definitions The General Data Protection Regulation

closer look at Definitions The General Data Protection Regulation A closer look at Definitions The General Data Protection Regulation September 2017 V1 www.inforights.im Important This document is part of a series, produced purely for guidance, and does not constitute

More information

A data processor is responsible for processing personal data on behalf of a data controller.

A data processor is responsible for processing personal data on behalf of a data controller. AfrAsia Bank Limited (we, us, our) is committed to safeguarding the privacy of your personal data. We understand that the protection of your personal data is an essential requirement for you and that you

More information

The Information Commissioner s Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis.

The Information Commissioner s Office, the Information Governance Alliance and several other organisations are issuing guidance on an on-going basis. MARCH 2017 GENERAL DATA PROTECTION REGULATION ROTHERHAM CCG ACTION PLAN Themes of the GDPR: Refining/tightening up of existing concepts Standardised law across the EU New concepts in regulation; accountability,

More information

GDPR: AN OVERVIEW.

GDPR: AN OVERVIEW. GDPR: AN OVERVIEW www.amicuslegalconsultants.com AN OVERVIEW OF GDPR AND THE ROLE OF THE DATA PROTECTION OFFICER 1 INTRODUCTION The GDPR comes into effect across EU States on 25 May 2018, creating a level

More information

Briefing No. 2 GDPR. 1 mccann fitzgerald

Briefing No. 2 GDPR. 1 mccann fitzgerald Briefing No. 2 GDPR This briefing was produced by the Institute of Directors in association with McCann FitzGerald for use in Ireland. McCann FitzGerald is one of Ireland s premier law firms, providing

More information

Department for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017

Department for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017 Department for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017 The CBI welcomes the opportunity to respond to the Department for Culture

More information

COMMISSION DECISION. of

COMMISSION DECISION. of EUROPEAN COMMISSION Brussels, 16.10.2017 C(2017) 6760 final COMMISSION DECISION of 16.10.2017 on the general provisions for implementing Article 79(2) of the Conditions of Employment of Other Servants

More information

Comply or explain manual Dutch Corporate Governance Code as of December 2018

Comply or explain manual Dutch Corporate Governance Code as of December 2018 Comply or explain manual Dutch Corporate Governance Code as of December 2018 Comply or explain The Dutch Corporate Governance Code (the "Code") provides that the company must explicitly state in a separate

More information

The Governance Arrangements of the Corporation of Sussex Coast College Hastings SCHEME OF DELEGATION

The Governance Arrangements of the Corporation of Sussex Coast College Hastings SCHEME OF DELEGATION The Governance Arrangements of the Corporation of Sussex Coast College Hastings SCHEME OF DELEGATION Scheme for the Delegation of Board Powers and Executive Limitations 1. Context This Scheme forms part

More information

RULES OF PROCEDURE AUDIT COMMITTEE SUPERVISORY BOARD RABOBANK 1

RULES OF PROCEDURE AUDIT COMMITTEE SUPERVISORY BOARD RABOBANK 1 RULES OF PROCEDURE AUDIT COMMITTEE SUPERVISORY BOARD RABOBANK 1 1 Adopted by the Supervisory Board on 11 August 2017 with effective date 1 September 2017 1 1. Introduction 1.1. These rules of procedure

More information

Paul Jordan Thursday 12 October,

Paul Jordan Thursday 12 October, GDPR Readiness: Role of the DPO OXS 17 Brussels Paul Jordan Thursday 12 October, 2017 Overview General DPO requirements under the GDPR: legitimacy of the DPO role International Research findings in Data

More information

EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics

EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics Opinion 10/2017 EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics 20 November 2017 1 P a g e The European Data

More information

Audit Committee Charter

Audit Committee Charter Commonwealth Bank of Australia ACN 123 123 124 Audit Committee Charter 1. Purpose and Duties of the Audit Committee 1.1. It is the policy of the Group to have an Audit Committee of the Board at all times.

More information

Supervisory Board Charter of the Audit Committee

Supervisory Board Charter of the Audit Committee Adopted by the Supervisory Board on September 8, 2004 Amendment approved by the Supervisory Board December 8, 2009 Amendment approved by the Supervisory Board June 18, 2014 Amendment approved by the Supervisory

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 17/EN WP 256 Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (updated) Adopted on 29 November 2017 INTRODUCTION

More information

What do companies need to do?

What do companies need to do? Briefing GDPR The General Data Protection Regulation ( GDPR ) will come into effect on 25 May 2018. The GDPR will replace the existing data protection laws in all EU member states and is designed to result

More information

ScottishPower Data Protection Policy

ScottishPower Data Protection Policy SCOTTISHPOWER CORPORATE SECURITY Nov / 2017 ScottishPower Data Protection Policy In accordance with the Scottish Data Protection Policy ( the policy ) and the Global Personal Data Protection Framework

More information

Delegations under Section 41 of the State Sector Act 1988

Delegations under Section 41 of the State Sector Act 1988 SSC Guidance Delegations under Section 41 of the State Sector Act 1988 Introduction Effective April 2014 1 The State Sector Act 1988, Public Finance Act 1989, and Crown Entities Act 2004 were amended in

More information

Scottish Parliament Edinburgh EH99 1SP. Dear Convener

Scottish Parliament Edinburgh EH99 1SP. Dear Convener Minister for UK Negotiations on Scotland s Place in Europe Michael Russell MSP T: 0300 244 4000 E: scottish.ministers@gov.scot Bruce Crawford MSP, Convener of the Finance and Constitution Committee & Graham

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Mission Statement WeST holds a deep seated belief in education and lifelong learning. Effective collaboration, mutual support and professional challenge will underpin our quest to

More information

***I REPORT. EN United in diversity EN. European Parliament A8-0226/

***I REPORT. EN United in diversity EN. European Parliament A8-0226/ European Parliament 2014-2019 Plenary sitting A8-0226/2018 27.6.2018 ***I REPORT on the proposal for a regulation of the European Parliament and of the Council on the European citizens initiative (COM(2017)0482

More information