Data protection: legal jungle or common sense?
Susan Healy, Religious Archives Group, 22 Mar 2010

In this presentation
- Things you need to know
- Things you need to do and not do
- Particular issues?
Things you need to know
Data protection is a statutory regime that:
- Allows personal data to be collected and used ("processed"), BUT
- Sets rules for how it should be done
- Gives responsibilities to people collecting and using personal data (data controllers)
- Gives rights to the people the personal data is about (data subjects)
- Gives monitoring and enforcement powers to the Information Commissioner

Personal data is information about a living person:
- Factual information, e.g. name, address, date of birth, NI number
- Subjective information, e.g. their feelings, opinions about them
It includes:
- Anything on a computer (cat (a) and (b))
- Anything in paper files or on index cards with a structure that enables particular information about someone to be found (cat (c))
- Accessible records: health, education, social work and housing (cat (d))
- But not unstructured manual records, unless held by a public body that is subject to FOI (cat (e))

And sensitive personal data is about:
- Racial or ethnic origin
- Political or religious opinions or beliefs
- Trade union membership
- Physical or mental health or condition
- Sex life
- Commission of offences and related proceedings

8 Data Protection Principles
- Processing must be fair and lawful and satisfy a condition in Sched 2 or, for sensitive personal data, Sched 3 (DPP 1)
- Processing must be for a declared reason only, with any later processing being compatible with the original reason (DPP 2)
- Personal data must be adequate, relevant and not excessive (DPP 3), accurate and up-to-date (DPP 4) and not kept for longer than necessary (DPP 5)
- Data subject rights must be respected (DPP 6)
- Personal data must be kept and handled securely (DPP 7)
- Limits on sending it to other countries (DPP 8)
Things you need to do and not do
Fair and lawful processing
- Obtain information fairly and openly
- Tell data subjects how their information will be used
- If any further use is envisaged, let them opt in or out
- Keep records of consent
- Keep data subjects' expectations, interests, and any possible damage from processing, in mind always
- Find Schedule 2 (and, for sensitive personal data, Schedule 3) conditions for processing

Data quantity and quality
- Collect what you need for your stated purpose: no more, no less
- Don't collect more than you need "just in case" it will be useful one day
- Keep data up to date as far as possible
- Dispose of it securely when no longer needed (to an archives service if worth preserving permanently as archives)

Secure processing
- A culture of protecting personal data is a must
- Limit access to those with a need to have access
- Prevent unauthorised access, loss or damage:
  - Electronic data: protect using technology such as antivirus software, firewalls, back-ups, password access, lock-down of PCs, encryption for transmission
  - Paper files: lock away when not in use, transmit personally or in a sealed envelope
- Don't give out information over the phone without checking identity
- Have a procedure for handling security breaches
- Ensure contracts with suppliers provide for compliance

Data subject rights
- To be told how their data is being used
- To be given access to or copies of the data
- To ask for processing to be stopped
- To prevent direct marketing
- To have their data corrected
- To get their data destroyed, but only through court order

Notification
- Annual declaration to ICO under standard or non-standard headings, e.g. Staff administration; Pastoral care; Realising the objectives of a charitable organisation or voluntary body; Fundraising
- Register of data controllers: http://www.ico.gov.uk/tools_and_resources/register_of_datacontrollers.aspx

Disclosing and sharing personal data
- Don't share unless:
  - The law allows it, or
  - You have consent
- Don't disclose unless:
  - The requester is the data subject
  - You have consent
  - Someone else has a statutory right of access, e.g. Police, or
  - The data is innocuous and disclosure seems fair and lawful

And for the archives
- Keep records containing personal data as archives if they are worth preserving
- Deal with access requests from data subjects unless an exemption applies
- Be careful about what information about living people (in archives or catalogues) is released
- Always consider the interests and expectations of the data subject and possible damage or distress from third-party access
- Redact identifying details if necessary
Particular issues?