DATA PROTECTION ACT 1998
• Became law on 1 March 2000
• Only applies to the use of personal data, that is data which relates to an identifiable living individual (the data subject), and which
   – is being processed by computer or other automatic equipment, or is recorded with the intention that it should be so processed; or
   – forms part of a relevant filing system or accessible record.
• Based upon 8 Principles for processing personal data
DATA PROTECTION PRINCIPLES
Conditions for processing – Schedule 2
• Consent.
• Contractual.
• Legal obligations.
• Person’s vital interests.
• Administration of justice.
• Functions of Crown or Government Dept.
• In the public interest.
• Legitimate interests of the University.
1. PERSONAL DATA SHALL BE PROCESSED FAIRLY AND LAWFULLY.
Fair Processing Code
• Identity of the data controller
• Identity of any nominated representative
• Purposes for which the data are to be processed
• Any further information necessary to enable the processing to be fair; e.g. likely recipients, retention period.
DATA PROTECTION PRINCIPLES
Sensitive Personal Data
• racial or ethnic origin
• political opinions,
• religious or other beliefs,
• trade union membership,
• physical or mental health,
• sexual life,
• offences, or alleged offences
• Criminal offences / previous convictions
Conditions for processing – Schedule 3
• Explicit consent
• Employment law obligations
• Vital interests of the data subject
• Some not-for-profit organisations
• Information made public by the data subject
• Legal rights of the data subject
• Public functions (administration of justice)
• Medical purposes
• Racial equality monitoring
1. PERSONAL DATA SHALL BE PROCESSED FAIRLY AND LAWFULLY.
DATA PROTECTION PRINCIPLES
2. Personal data shall be obtained only for specified and lawful purposes, and shall not be further processed in any manner incompatible with those purposes.
DATA PROTECTION PRINCIPLES
3. Personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed.
DATA PROTECTION PRINCIPLES
4. Personal data shall be accurate, and where necessary, kept up to date.
DATA PROTECTION PRINCIPLES
5. Personal data shall not be kept for longer than is necessary for the purposes for which it is being processed.
DATA PROTECTION PRINCIPLES
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
DATA PROTECTION PRINCIPLES
7. Appropriate security measures shall be taken against the unauthorised or unlawful processing, accidental loss, destruction, or damage of personal data.
DATA PROTECTION PRINCIPLES
8. Personal data shall not be transferred outside the EEA unless that country / territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
INDIVIDUALS’ RIGHTS
1. Right of subject access
2. Right to prevent processing likely to cause damage or distress
3. Right to prevent processing for the purposes of direct marketing
4. Rights in relation to automated decision-taking
5. Right to take action for compensation if the individual suffers damage by any contravention of the Act by the University
6. Right to take action to rectify, block, erase or destroy inaccurate data
7. Right to make a request to the Commissioner for an assessment to be made as to whether any provision of the Act has been contravened
EXEMPTIONS
• Confidential references given by the University
• Management forecasts/management planning
• Negotiations
• Examination scripts
• Examination marks
• Research, History and Statistics
• Special purposes exemption:
   – the purposes of journalism,
   – artistic purposes,
   – literary purposes
OFFENCES UNDER THE ACT
• Processing without notification
• Failure to notify Commissioner of changes to a register entry
• Failure to comply with written request for particulars
• Failure to comply with Commissioner Notices
• Making a false statement in compliance with a notice
• Intentional obstruction / failure to give reasonable assistance in the execution of a warrant
• Unlawful obtaining of personal data
• Unlawful selling of personal data
• Enforced subject access
DISCLOSURE
Data may be legitimately disclosed only
i) where the individual has given their consent,
ii) where the disclosure is in the legitimate interests of the institution,
iii) where the institution is legally obliged to disclose the data,
iv) where the disclosure of data is required for the performance of a contract,
v) where specific exemptions for disclosure without consent apply
DISCLOSURE WITHOUT CONSENT
Certain disclosures are permitted under the Data Protection Act 1998 provided one or more of the following criteria are met:
• For the purpose of safeguarding national security
• For the purpose of preventing or detecting crime
• For the assessment or collection of tax or duty
• To discharge regulatory functions
• For the purpose of preventing serious harm to a third party
• For the purpose of protecting the vital interests of the individual
Requests relating to disclosure without consent (including enquiries from the police) should be supported by the appropriate paperwork and referred to the Data Protection Co-ordinator.
DISCLOSURE
• Telephone Requests.
• Requests for information from within the University.
• Requests for information from outside the University.
• Action when disclosure is refused.
• Siting of Computer Terminals
• Clear Desk Policy
DISCLOSURE - SUMMARY
• Treat all personal data with care
• Ensure consent has been provided, unless consent is not required
• If in doubt do not disclose; always ask for advice
• Do not provide information over the telephone
• Ask that requests for information are submitted in writing/by fax
• Keep notes of what has been disclosed and to whom
• Wilful disclosure of personal information will be treated as a disciplinary offence
IMPLEMENTING THE DPA
Departmental Responsibilities
• All personal data being processed within the department complies with the Data Protection Act 1998, the University’s Data Protection Policy and is included in the University’s official Data Protection Notification.
• An annual audit of the personal data within the department is carried out and recorded.
• All contractors, agents and other non-permanent University staff used by the department are aware of, and comply with, the Data Protection Act 1998 and the University’s Data Protection Policy.
Departmental Responsibilities
• All forms and correspondence used by the department to request personal data clearly state
   – the purposes for which the information is to be used,
   – the period of time it is to be retained, and
   – to whom it is likely to be disclosed.
• All personal data held within the department is kept securely and is disposed of in a safe and secure manner when no longer needed.
IMPLEMENTING THE DPA
Staff Responsibilities
• Personal data which they provide in connection with their employment is accurate and up-to-date, and that they inform the University of any errors, corrections or changes, for example, change of address, marital status, etc.
• Personal data relating to living individuals is processed in accordance with the Data Protection Act 1998 and the University’s Data Protection Policy.
• Personal data relating to living individuals is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party. Unauthorised disclosure may be considered a disciplinary matter.
• When supervising students who are processing personal data, that those students are aware of the Data Protection Principles and the University’s Data Protection Policy.
UNIVERSITY’S RESPONSE
• Create post of Data Protection Co-ordinator
• Establish Taskforce
– Produce a personal information strategy
– Conduct an Audit of Personal Information Systems
– Create policies and procedures to ensure compliance with the 1998 Act
– Create a Data Protection Web Site
Queen’s University Draft Data Protection Policy
• Introduction
– Compliance Commitment / Policy Statement
– Data Protection Principles
– Definitions
• Notification
– Notification Process
– Subject access to the University’s official notification
– Updating of official notification
Queen’s University Draft Data Protection Policy
• Security
   – General Principles
   – Responsibilities
      • School / Departmental Responsibilities
      • Staff Responsibilities
      • Student Responsibilities
– Disposal Policy For Personal Data
– Retention Policy For Personal Data
– Processing & Disclosure of Personal Data & Sensitive Data
– Incoming and Internal Mail
– Contractors, Short-Term And Voluntary Staff
– Transfer Of Data Overseas
Queen’s University Draft Data Protection Policy
• Data Subject Rights & Access To Personal Data
– How to make a subject access request, Subject Access Fee
• Transitional Provisions
– Implications of Transitional Provisions on access to personal data
• Good Practice
– Guidelines
• Ongoing Revision
   – Ongoing evaluation
– Staff training
– Web Site
Queen’s Draft Data Protection Policy
• Appendices
1. Official University Data Protection Notification
2. University Key Post Holders
3. University Information Security Policy and Related Procedures
4. Disposal Policy – Required Procedures
5. Retention Policy – Retention Periods
6. Good Practice Guidelines
   – Research
   – References
   – Exam Marks / Scripts
   – Alumni
   – E-mails
   – World Wide Web
FURTHER INFORMATION
• www.qub.ac.uk/dataprot – University data protection web pages
• www.legislation.hmso.gov.uk/acts/acts1998/19980029.htm – Online version of the Data Protection Act 1998
• www.dataprotection.gov.uk – Data Protection Commissioner’s web site
• www.jisc.ac.uk/pub00/dp_code.html – Code of Practice for Higher Education
• www.jisc.ac.uk/pub99/sm09_data_prot.htm – General Briefing Paper for Higher Education on the 1998 Act
QUESTIONS