Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak


PROFESSIONAL INDEPENDENT ADVISERS LTD

GDPR introduction

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of the DPA 2018, like the GDPR, came into force on 25 May 2018. (Strictly, GDPR stands for the General Data Protection Regulation, singular: it is one EU Regulation, directly applicable in every Member State.)

It is also a requirement of the FCA that you keep records of all the training you have undertaken. This is a work-based training programme and counts towards your Continuing Professional Development, so don't forget to keep a record of the time spent reading this manual or sitting the questionnaire.

The Information Commissioner's Office (ICO)

The Information Commissioner's Office (ICO) is an independent regulatory office which reports directly to Parliament and whose role is to uphold information rights in the public interest. The legislation it has oversight of includes:
- The Data Protection Act 1998 (pre-25 May 2018)
- The Data Protection Act 2018 (from 25 May 2018)
- The General Data Protection Regulation (from 25 May 2018)
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Freedom of Information Act 2000
- The Environmental Information Regulations 2004

The ICO's mission statement is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It can issue enforcement notices and fines for breaches of any of the Regulations and Acts it regulates.

Under the GDPR the ICO, as the UK's data protection authority (Supervisory Authority), has a similar role to before for oversight, enforcement and responding to complaints in relation to firms located solely in the UK. However, where an organisation is established in more than one Member State and/or where cross-border processing takes place, a lead Supervisory Authority enforces the GDPR requirements in consultation with any other Supervisory Authority concerned. Under the GDPR, the 'lead' is determined by the location of the organisation's 'main establishment'.

Data Protection

Why have Data Protection?

Basically, the Data Protection Act has been set up to protect the interests of each individual, to ensure that their information cannot be used for any purpose other than those for which it was lawfully collected.

What does the Data Protection Act class as Data?

The Data Protection Act applies to personal data: data that can identify a living individual. The companies and individuals who decide how and why personal data is to be processed must comply with the rules of the Act, namely the Data Protection Principles and the Act's other requirements.

As there is so much data held on individuals now, the government has recognised the need to offer individuals protection against misuse of their data. This is to ensure that individuals do not receive unsolicited mail, emails and phone calls, which could come at all hours of the day and night, offering information, products and services they have no use for. It is designed to protect each individual: even your spouse should not be able to obtain information about you without your permission.

If your data is misused or out of date, you could not only receive the unsolicited mail mentioned above but could be refused such things as housing, benefits, jobs, credit, even a place at college. It is therefore important that you understand the basic principles of the Data Protection Act from a personal point of view as well as a professional one.

Most companies and individuals that process personal data on computer must pay the annual data protection fee to the Information Commissioner's Office (ICO); this fee replaced the previous notification ('registration') requirement. A small number of exemptions exist (for example, processing only for staff administration or for accounts and records), so check the ICO's self-assessment if in doubt. These rules apply to all companies and individuals who hold data on individuals. These companies and individuals are known as data controllers or data processors, and the person the information is held about is known as the data subject.

Data controllers and data processors

The definitions are broadly the same as under the previous Data Protection Act 1998 (DPA): the controller says how and why personal data is processed, and the processor acts on the controller's behalf. You are likely to be a controller where you process your customers' personal data, e.g. the data you collect and record in your client file during the advice process.

For data that only we have control over and access to, for example filing cabinets kept in our offices or on hard drives, we as the sole data controller are responsible for compliance with the DPA 2018 and the GDPR. For some client data we may have joint responsibility and therefore be considered joint data controllers; data stored on the back office system is an example. However, we remain solely responsible for our own DPA and GDPR compliance when using our IT systems. This includes, for example, the customer information we store on or upload to the system, and ensuring the security of your own access details (never share your login credentials, and report any suspected compromise of them immediately).

The Data Protection Principles

The Data Protection Act 2018 is based on six principles. These principles form the basis of the Act and must be adhered to by all those who hold personal data, whether they have paid the fee to the Information Commissioner or not! The principles require personal data to be:

- Processed lawfully, fairly and in a transparent manner. This means having a lawful basis (reason) for processing the data, handling the data honestly, and being unambiguous about how you intend to use it.
- Collected for specified, explicit and legitimate purposes. This means being open and clear about why personal data is being collected, and setting out the exact purpose for processing.
- Adequate, relevant and limited to what is necessary in relation to the purposes of processing. This means only holding the amount of information necessary for the purpose(s) intended.
- Accurate and, where necessary, kept up to date. This means taking reasonable steps to ensure the accuracy of information, and verifying and rectifying or updating information without delay as required.
- Kept in a form which allows the identification of an individual for no longer than is necessary. Taking into account the purpose(s) for which information is held, this means reviewing the length of time information is kept and making sure it is not kept for longer than necessary.
- Processed in a manner that ensures appropriate security. This means preventing data breaches by having suitable security measures in place for the type of data processed (for example, physical measures such as locks on manual filing systems, and technical measures such as passwords on computer terminals; the GDPR itself names pseudonymisation and encryption as examples of appropriate measures).

These six data protection principles highlight the clear need for robust organisational policies and procedures within our firm. Every organisation is responsible for demonstrating compliance with these six principles. This responsibility links to the accountability principle, which is covered in further detail later in this section.

The GDPR provides a standardised approach to data protection across the EU. As a result, additional laws or interpretation by each country are generally not required (the DPA 2018 fills in the areas where the GDPR leaves choices to Member States).

The GDPR applies to an organisation processing personal data if either or both of the following are met:
- The organisation is established in the EU
- The organisation, wherever it is based, offers goods or services to individuals in the EU, or monitors their behaviour

What is personal data?

Personal data is defined in more detail under the GDPR than under the previous DPA. Under the GDPR, personal data is 'any information relating to an identified or identifiable natural person'. This means that if an individual can be identified, directly or indirectly, from information held, that information is personal data. Personal data includes information held in manual (paper) filing systems, through to pseudonymised personal data (coded information which can still lead to the identification of an individual, for example an NHS number). The GDPR makes clear that even an online identifier such as an IP address can be personal data. This expanded definition reflects advances in today's technology and the many methods by which organisations collect information about individuals.

Under the GDPR, sensitive personal data is referred to as 'special categories of personal data'. Processing of special category data is subject to stricter conditions: a lawful basis under Article 6 and an additional condition under Article 9 are both needed. The special categories consist of personal data that reveals:
- Health and medical details
- Sex life and sexual orientation
- Genetic data
- Biometric data (where used for the purpose of uniquely identifying a natural person)
- Racial or ethnic origin
- Political opinions
- Religious and philosophical beliefs
- Trade union membership

Data about criminal convictions and offences is not a special category but is subject to similar restrictions (Article 10).

You need to be aware of the six lawful bases for processing an individual's personal data under the GDPR (Article 6), listed below. At least one must apply to every processing activity, and it should be identified before processing starts, because it has to be stated in your privacy notice.

1. Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
2. Contract: processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
3. Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject.
4. Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
5. Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
6. Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.*

* Basis 6 does not apply to processing carried out by public authorities in the performance of their tasks.

The Rights of the Data Subject

The data subject has a number of rights under the Data Protection Act. These rights allow the data subject to gain access to their data and to ensure that records are correct. The rights of individuals under the GDPR are similar to those in the previous DPA; however, there are notable enhancements. The following eight rights are provided under the DPA 2018/GDPR:

1. The right to be informed
This relates to the need for transparency over how organisations use personal data. Organisations are required to provide fair processing information (usually presented as a privacy notice, as previously mentioned). This information is usually provided at the point of obtaining an individual's personal data. It must be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Provided free of charge

2. The right of access
This gives individuals the right to access their personal data and supplementary information (such as the purposes of processing, the recipients and the retention period). The information must be supplied free of charge within one month of receiving the request. A request under this right is commonly referred to as a subject access request (SAR). When a subject access request is received, it is important to check that the request is genuine: use reasonable means to verify identity so that you are confident the person making the request is the data subject (or is authorised to act for them), and do not disclose the data until that check is complete.

3. The right to rectification
Individuals can have inaccurate or incomplete personal data rectified. Where an individual exercises this right, the organisation must act within one month of receiving the request. Where the organisation has disclosed the inaccurate or incomplete data to a third party, it must inform that recipient of the rectification, unless this proves impossible or involves disproportionate effort. The individual should also be told which third parties have received their data, if they ask.

4. The right to erasure
Also known as the right to be forgotten. Individuals can request that your organisation delete or remove their personal data where there is no compelling reason for continuing to process it. You need to be aware that an organisation can refuse an individual's request for erasure where, among other grounds, processing is necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation (for example, regulatory record-keeping requirements)
- The establishment, exercise or defence of legal claims

5. The right to restrict processing
This permits organisations to store personal data but not to process it further, for example where the individual contests the accuracy of the data: processing should be restricted until its accuracy has been verified. If the individual's personal data has been disclosed to third parties, those recipients must be informed of the restriction unless this is impossible or requires disproportionate effort, and the individual must be told which recipients were informed if they ask. The individual must also be told before any restriction is lifted.

6. The right to data portability
This allows individuals to obtain their personal data from organisations and reuse it (move, copy or transfer it) easily for their own purposes across different IT systems, in a safe and secure manner. Individuals have the right to data portability only if all of the following apply:
- The personal data has been provided by the individual to the controller
- The lawful basis for processing is the individual's consent, or performance of a contract
- The processing is carried out by automated means
The data must be provided in a structured, commonly used and machine-readable format.

7. The right to object
Individuals can object to their personal data being processed for direct marketing (an objection to direct marketing must always be honoured) and to some other types of processing, such as processing based on legitimate interests. Individuals must be made aware of their right to object at the latest at the time of the first communication, clearly and explicitly and separately from any other information. The right to object must also be highlighted in the organisation's privacy notice.

8. Rights in relation to automated decision-making and profiling
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right protects an individual against the risk of a potentially damaging decision being made without human intervention.

Complying with an individual's request to exercise their rights

When responding to an individual's request to exercise a right, the organisation must:
- Take reasonable steps to verify the identity of the individual making the request
- Comply with the request without undue delay and at the latest within one month of receipt
- Where requests are complex or numerous, the period can be extended by a further two months; we must inform the individual within one month of the request, explaining why the extension is necessary
- Provide the information electronically where the request was made by electronic means, unless the individual asks otherwise
- Provide the requested information free of charge
- If a request is manifestly unfounded or excessive, in particular because it is repetitive, we can either charge a reasonable fee based on the administrative cost of complying, or refuse to act on it (the burden of demonstrating this is on us)
- A reasonable fee can also be charged for further copies of data already supplied
- Where we do not act on a request or refuse to comply, we must explain the reasons to the individual and inform them of their right to lodge a complaint with the supervisory authority (the ICO) and to seek a judicial remedy; this must be done without delay and at the latest within one month of the request

Data Breaches

Data breaches are one of the areas of the GDPR which the ICO can investigate and enforce. The changes to the handling of data breaches are discussed next.

Data breaches are strictly regulated under the GDPR: there is a duty on all organisations to report certain types of data breach to the ICO, and in certain circumstances to the affected individual(s). The GDPR defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed' (Article 4(12)). Failure to notify a breach when required can result in substantial fines and potentially in legal action against the organisation.

You need to be aware that a data breach is not just about the loss or theft of personal data; it also covers, for example, an email containing client details sent to the wrong recipient, a laptop or paper file left on a train, ransomware that makes client records unavailable, or a member of staff viewing client data they have no business reason to see. The ICO must be notified where the breach is likely to result in a risk to the rights and freedoms of individuals, and this must be done without undue delay and, where feasible, within 72 hours of becoming aware of the breach (if notification is later than this, the reasons for the delay must be given). Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. Every breach, whether or not it is notified to the ICO, must be recorded internally (Article 33(5)), so report any suspected breach to the Data Protection Officer immediately; the 72-hour clock starts when the firm becomes aware, not when the DPO is told.

Enforcement

Greater regulation and enforcement

From 25 May 2018, there is greater regulation and enforcement relating to data protection. The ICO is the UK's independent authority set up to enforce the GDPR. The ICO has the power to ensure that both individuals and organisations comply with data protection law. One of the ICO's primary functions is to uphold data protection rights in the best interests of the public. Under the GDPR, the ICO has greater regulatory powers. In previous years, the ICO has brought media attention to organisations that have breached data protection regulations. Naming and shaming through the media is one way the ICO displays its regulatory powers.

The administrative fine imposed on an organisation that fails to comply with the GDPR requirements depends on the circumstances. The ICO's decision on whether to impose a fine, and the amount, is assessed case by case. Fines can apply to data processors as well as data controllers. The GDPR sets two tiers of maximum fine, summarised below:
- Fines of up to 4% of an organisation's annual worldwide turnover or €20 million (whichever is greater) can be imposed for serious infringements, including non-compliance with orders from the ICO, failure to follow the basic principles of the GDPR, and infringement of data subjects' rights
- Fines of up to 2% of an organisation's annual worldwide turnover or €10 million (whichever is greater) can be imposed for less serious infringements, including failure to notify a data breach and failure to follow other data controller or processor obligations

Notes: ICO Fees

The annual fee for the ICO is between £40 and £2,900, depending on how many people the business employs and its annual turnover. It is £40 to £60 for most organisations, including charities and small and medium-sized businesses (the figures below are the 2018 fee levels; check the ICO website for the current amounts).

Tier 1, micro organisations: you have a maximum turnover of £632,000 for your financial year, or no more than 10 members of staff. The fee for tier 1 is £40.

Tier 2, small and medium organisations: you have a maximum turnover of £36 million for your financial year, or no more than 250 members of staff. The fee for tier 2 is £60.

Tier 3, large organisations: if you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.

Direct debit discount: if a firm chooses to pay its fee by direct debit, it receives an automatic discount of £5 at the point of payment.

We are on the Tier 2 fee structure.

Definitions

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data subject means an individual who is the subject of personal data.

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Third party means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Recipient means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data.

Cross-border processing means processing of personal data which:
- takes place in more than one Member State; or
- substantially affects or is likely to substantially affect data subjects in more than one Member State.

Representative means a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under the Regulation.

Supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; in the UK this is the ICO.