Information Commissioner s Office

Similar documents
Data protection legal jungle or common sense Susan Healy. Religious Archives Group 22 Mar 2010

Data Protection Policy

St Bernard s Primary School Data Protection Policy

Data Subject Access Request

DATA PROTECTION IN RESEARCH

DCU Guide to Subject Access Requests. Under Irish Data Protection Legislation

The Durant Case and its impact on the interpretation of the Data Protection Act 1998

Subject: Kier Group plc Data Protection Policy

ETHIOPIAN NATIONAL ACCREDITATION OFFICE. Minimum Requirements For The Operation Of Product Certification Bodies

Heavers Farm Primary School DATA PROTECTION AND INFORMATION MANAGEMENT POLICY Updated 2017

DATA PROTECTION POLICY

Subject Access Request Policy

Technical Requirements of the GDPR

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Data Protection Policy

FOUNDRY COLLEGE. General Data Protection Regulation (GDPR) Policy Incorporating Freedom of Information

Our Data Privacy Statement Scope Responsibilities

Office of John Howell MP Data Protection Policy

Data Protection Policy

Cayman Islands Data Protection Law Guide Book

Castle View Primary School Data Protection Policy

Subject Access Request Form Data Protection Act 1998

NCAS SUBJECT ACCESS REQUEST FORM (DATA PROTECTION ACT 1998)

CHANCERY EDUCATION TRUST PICKHURST ACADEMY SUBJECT ACCESS REQUEST (SAR) POLICY OCTOBER 2018

If you have any questions about this notice, please contact the Head Master.

PRIVACY POLICY. 3.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is an employee record.

The Data Protection Act 1998 and the Use of Personal Data for IT Administration

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

This policy also applies to personal information about you that the Federation collects from any other third party.

UWC International Data Protection Policy

1. Introduction and Overview 3

Data Protection. Guidance Notes

DATA PROTECTION POLICY THE HOLST GROUP

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

UWTSD Group Data Protection Policy

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

Data Protection Policy

UUEAS Privacy policy - Members

Policy on Privacy and Management of Personal Information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Data Subject Access Request Procedure. Page 1 KubeNet Data Subject Access Request Procedure KN-SOP

Privacy and Data Protection Policy

Privacy Policy GENERAL

Access Rights and Responsibilities. A guide for Individuals and Organisations

INNOVENT LEASING LIMITED. Privacy Notice

Freedom of Information Act 2000 (FOIA) Decision notice

Request under the Freedom of Information Act 2000 (FOIA)

Data Protection Policy

Data Privacy Notice. Madsen Advisory Limited ("Madsen") is committed to protecting and respecting your privacy.

Request under the Freedom of Information Act 2000 (FOIA)

Breach Notification Form

Governance and Compliance Learning from the Private Sector. David Coverdale

Privacy Policy on the Responsibilities of Third Party Service Providers

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

TINOPOLIS PRIVACY NOTICE

Dentons Canada LLP. Understanding CASL. Presented to the Alberta Chambers of. Craig T. McDougall and Thomas A. Sides

Michael Robinson Associates Limited is committed to protecting your personal information. This policy

Buros Center for Testing. Standards for Accreditation of Testing Programs

University College Cork National University of Ireland, Cork Data Access Request Procedure

Motor Sports Association. Data Protection Policy

MBNL Landlord Privacy Notice. This notice sets out how we handle landlord personal data as part of our General Data Protection policies (GDPR).

Privacy Notice Alumni

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

DATA PROTECTION POLICY

ICO Information Request Handling Procedures

Canadian Anti-Spam Legislation (CASL)

Request under the Freedom of Information Act 2000 (FOIA)

Information security guidance for schools

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Opinion 02/2012 on facial recognition in online and mobile services

DATA SUBJECT ACCESS REQUEST PROCEDURE

Calne Without Parish Council. IT Strategy

EU GDPR: The General Data Protection Regulation

Freedom of Information Act 2000 (FOIA)

Freedom of Information Act 2000 (FOIA) Decision notice

GDPR- the new General Data Protection Regulations. Staff PDM- 2 nd May 2018

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

4-H Youth Development Program Website Guidelines

The isalon GDPR Guide Helping you understand and prepare for the legislation

Request under the Freedom of Information Act 2000 (FOIA)

GEWISS S.p.A. IT CODE OF CONDUCT

Mobile Phones and Electronic Devices Policy

Made In Hackney Data Protection Policy Last Updated:

FERPA & Student Data Communication Systems

The Data Protection Act 1998

This information accompanies the online data sharing best practice guidance commissioned by ACE

Request under the Freedom of Information Act 2000 (FOIA)

GDPR. What is GDPR? GDPR is extraterritorial, meaning it applies to any company, processing EU resident data, irrespective of their location.

Request under the Freedom of Information Act 2000 (FOIA)

Data Controller or Data Processor? How to Interpret Two Core Definitions of Data Protection Legislation

Islam21c.com Data Protection and Privacy Policy

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

Privacy and Spam Policy Ten Tigers Grain Marketing Pty Ltd

You can find a brief summary of this Privacy Policy in the chart below.

Acceptable Use Policy

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

Website and Marketing Privacy Policy

Maritime Union of Australia. Privacy Policy 2014

Acceptable Use Policy

Transcription:

The Act regulates the use of personal data. To understand what personal data means, we need to first look at how the Act defines the word data. Data means information which (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or (e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d) Paragraphs (a) and (b) make it clear that information that is held on computer, or is intended to be held on computer, is data. So data is also information recorded on paper if you intend to put it on computer. Relevant filing system (referred to in paragraph (c) of the definition) is defined in the Act as: any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

This is not an easy definition. Our view is that it is intended to cover nonautomated records that are structured in a way which allows ready access to information about individuals. As a broad rule, we consider that a relevant filing system exists where records relating to individuals (such as personnel records) are held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals. Accessible record" (referred to in paragraph (d) of the definition) means: a health record that consists of information about the physical or mental health or condition of an individual, made by or on behalf of a health professional (another term defined in the Act) in connection with the care of that individual; an educational record that consists of information about a pupil, which is held by a local education authority or special school (see Schedule 11 of the Act for full details); or an accessible public record that consists of information held by a local authority for housing or social services purposes (see Schedule 12 for full details). Accessible records were included in the definition of data because preexisting access rights to information were not restricted to automatically processed records, or records held in non-automated systems falling within the definition of relevant filing systems. So, to preserve all these preexisting access rights, the definition of data covers accessible records even if they do not fall in categories (a), (b), or (c).

The Freedom of Information Act 2000 created a new category of data which extended the definition of data in the Data Protection Act to include any information held by a public authority which would not otherwise be caught by the definition. Where information requested under the FOI Act includes information about identifiable individuals, public authorities must consider whether its release would breach the Data Protection Act. The new category of data (which is often referred to as category (e) data ) is designed to ensure that before releasing any personal information under the FOI Act, public authorities consider whether this would be fair. Processing category (e) data is exempt from most of the rights and duties created by the Data Protection Act. Personal data means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be personal data.

The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate. Please see Schedules 2 and 3 of the Act and the section of this guide on the conditions for processing. The categories of sensitive personal data are broadly drawn so that, for example, information that someone has a broken leg is classed as sensitive personal data, even though such information is relatively matter of fact and obvious to anyone seeing the individual concerned with their leg in plaster and using crutches. Clearly, details about an individual s mental health, for example, are generally much more sensitive than whether they have a broken leg. Many individuals choose to make their political allegiance public, for example by wearing badges or rosettes or by putting a sticker in their window. There is a condition for processing sensitive personal data that covers information made public by the individual concerned.

Religion or ethnicity, or both, can often be inferred with varying degrees of certainty from dress or name. For example, many surnames are associated with a particular ethnicity or religion, or both, and may indicate the ethnicity and religion of the individuals concerned. However, it would be absurd to treat all such names as sensitive personal data, which would mean that to hold such names on customer databases you had to satisfy a condition for processing sensitive personal data. Nevertheless, if you processed such names specifically because they indicated ethnicity or religion, for example to send marketing materials for products and services targeted at individuals of that ethnicity or religion, then you would be processing sensitive personal data. In any event, you must take care when making assumptions about individuals as you could be collecting inaccurate personal data. Full information on the ICO can be found at https://ico.org.uk/fororganisations/guide-to-data-protection/key-definitions/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback