
Councillors Data Protection Briefing

Councillors Data Protection Briefing. 12th February 2018. David Taylor, Data Protection Officer. Agenda: a round-up of the key changes the GDPR will bring, including any specific changes members will need to consider.



Presentation Transcript


  1. Councillors Data Protection Briefing 12th February 2018 David Taylor, Data Protection Officer

  2. Agenda
  • A round-up of the key changes the GDPR will bring, including any specific changes members will need to consider
  • ICO notification and some general data protection obligations, including data security
  • Councillor case management system overview and proposed implementation timetable
  • Round-table question and answer session
  • Councillor Processing Notice

  3. The Journey - DPA 1984 to GDPR 2016
  • Data Protection Act 1984
  • Directive 95/46/EC
  • Data Protection Act 1998
  • General Data Protection Regulation (GDPR)
  • First conceived April 2011 – first draft Dec 2012
  • Adopted by the EU member states April 2016
  • Comes into effect on 25th May 2018 across the whole of the European Union
  • 173 recitals and 99 Articles
  • Everything we do now… plus much, much more

  4. GDPR – the UK's adoption path
  To be implemented 25th May 2018… across the whole of the European Union. The UK will comply post-Brexit, no ifs or buts.
  Rt Hon Matt Hancock MP (Minister of State for Digital): Statement of intent, 7 August 2017.
  Draft Data Protection Bill: https://publications.parliament.uk/pa/bills/lbill/2017-2019/0066/lbill_2017-20190066_en_1.htm

  5. Article 4 definitions (x26)

  6. Article 5 - Principles: from 8 to 6
  The eight principles of the 1998 Act become six in Article 5(1):
  • Lawfulness, fairness and transparency
  • Purpose limitation ('collected for specified, explicit and legitimate purposes')
  • Data minimisation ('adequate, relevant and limited to what is necessary')
  • Accuracy ('accurate and, where necessary, kept up to date')
  • Storage limitation ('permit identification for no longer than is necessary')
  • Integrity and confidentiality ('appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage')
  Article 5(2), accountability: the controller must be able to demonstrate compliance. NBC must therefore have a data protection programme that evidences how it complies with the requirements of the GDPR.

  7. Major changes
  • Principles
  • Lawful processing
  • Consent
  • Special categories (sensitive personal data)
  • Rights (e.g. to be forgotten, and to data portability)
  • New general obligations, including:
    • Data protection impact assessments
    • Data processing (and sharing) agreements
    • Data breach reporting
    • Fines

  8. A12-22 & A34 – Data Subjects' Rights
  The GDPR provides the following rights for individuals:
  • A12 - Transparent information and communication in respect of all the rights below
  • A13 - The right to be informed when data is collected from the individual [Fair Processing Notice]
  • A14 - The right to be informed when data is obtained from a third party
  • A15 - The right of access
  • A16 - The right to rectification
  • A17 - The right to erasure ['right to be forgotten']
  • A18 - The right to restrict processing
  • A19 - The right to have recipients notified of any rectification, erasure or restriction
  • A20 - The right to data portability
  • A21 - The right to object
  • A22 - The right not to be subject to solely automated decision-making, including profiling
  • A34 - The right to be informed of a data breach likely to result in a high risk to the individual

  9. The Main Articles – A whistle-stop tour
  A6 – *Lawful processing
  A7 – *Conditions for consent
  A12-22 – *Data subjects' rights
  A25 – *Data protection by design and by default
  A28 – Processors (DPAs and DSAs)
  A30 – *Records of processing
  A32 – *Security of processing
  A33 – *Breach notification
  A35 – *Data protection impact assessments
  A37-39 – Data Protection Officer
  * = data controller's responsibility

  10. Article 6 - Lawful processing
  Processing is lawful only if at least one of the following applies:
  • (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  11. a) Article 7 - Consent
  Article 7 provides that where consent is the lawful basis for processing, the data controller must be able to demonstrate that the data subject consented. The evidence of that consent needs to comply with the following rules:
  • It should be clearly distinguishable from any other matters;
  • It should be in an intelligible and easily accessible form, using clear and plain language;
  • It should be clear that the data subject has the right to withdraw their consent at any time; and
  • It must be freely given (and should not be a condition for the performance of a contract where it is not actually necessary for the performance of that contract).
  Pre-ticked 'opt-in' boxes (which are commonplace in online applications) and inserting consent as a standard term of an employment contract will not be valid indications of consent going forward.

  12. Consent: getting the wording right
  The wording should include:
  • A clear written declaration that the processing of the defined/specific personal data is agreed, or is agreed for specific defined purposes;
  • A clear description of the data which is covered by the consent;
  • Explicit acknowledgement that the individual has the right to withdraw their consent to this processing at any time, with notification that doing so will not affect the lawfulness of the processing which occurred before the withdrawal;
  • An explanation of who exactly they should inform to withdraw their consent; and
  • A clear provision for signing and agreeing (with the date when agreed).

  13. b) Contract
  You can rely on this lawful basis if you need to process someone's personal data:
  • to fulfil your contractual obligations to them; or
  • because they have asked you to do something before entering into a contract (e.g. provide a quote).
  The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply.
  You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
  You have a lawful basis for processing if:
  • you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract; or
  • you haven't yet got a contract with the individual, but they have asked you to do something as a first step (e.g. provide a quote) and you need to process their personal data to do what they ask.

  14. c) Legal obligation
  • You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.
  • This does not apply to contractual obligations.
  • The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.
  • You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.
  • You should be able to identify either the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.

  15. d) Vital interests
  • You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone's life.
  • The processing must be necessary. If you can reasonably protect the person's vital interests in another, less intrusive way, this basis will not apply.
  • You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
  • You should consider whether you are likely to rely on this basis and, if so, document the circumstances where it will be relevant and ensure you can justify your reasoning.

  16. e) Public task
  • You can rely on this lawful basis if you need to process personal data:
    • 'in the exercise of official authority', which covers public functions and powers that are set out in law; or
    • to perform a specific task in the public interest that is set out in law.
  • It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
  • You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
  • The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
  • Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.

  17. f) Legitimate interests
  Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
  • There are three elements to the legitimate interests basis; think of it as a three-part test. You need to:
    • identify a legitimate interest;
    • show that the processing is necessary to achieve it; and
    • balance it against the individual's interests, rights and freedoms.
  • The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
  • The processing must be necessary. If you can reasonably achieve the same result in another, less intrusive way, legitimate interests will not apply.
  • You must balance your interests against the individual's. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
  • Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
  • You must include details of your legitimate interests in your privacy notice.

  18. Article 35 – Impact Assessments
  • Data protection impact assessments (the GDPR's form of the PIA) are mandatory across the whole of the EU wherever processing is likely to result in a high risk to individuals
  • Any change to a system holding or processing personal data, and all new systems and processes, must be assessed for privacy, security, integrity and full GDPR compliance
  • Article 35(3)(c) names systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV) as a case that always requires one
  • Alongside this, Article 25(2) (data protection by default): the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

  19. ICO guidance
  The ICO guidance specifically on the GDPR can be found at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ and is regularly updated as new guidance is produced.

  20. ICO 12 point plan
  • 8 – DSAs: a project to review all current data sharing agreements, with a gap analysis
  • 12 – Training: a programme to update everyone's knowledge of the GDPR in April & May 2018

  21. Challenges ahead We’ll come back to this in the Q&A session

  22. caseworker.gov Your new Councillor Case Management System

  23. Managing communication & correspondence
  • Important role within the community
  • Act as a conduit between residents and the Council to:
    • highlight concerns such as poor service, fly tipping, etc.
    • seek assistance on local issues such as planning & ASB
    • represent views at public meetings and forums
    • champion improvements on constituents' behalf
    • chase Council complaints, missed appointments, etc.
    • respond to local residents' issues and concerns

  24. The issues
  All this correspondence takes a considerable amount of time to manage, time taken away from the real role of representing constituents.
  • How do you currently manage this information?
  • Do you know where it all is?
  • Can you access it on the street or in a meeting?
  • How easy is it for you to update someone on their issue?
  • How can you ensure that the information is being managed in compliance with the DPA now… and with the GDPR going forward?

  25. Caseworker.gov
  • Cloud-based Software as a Service (SaaS) solution
  • Built for local councillors, from Caseworker.mp
  • Built on a "Resident" – "Case" – "Action" model
  • Each resident has a file; new cases go into a sub-folder with a URN inside that resident's file
  • Fully searchable by case, name, number, issue, address, phone number
  • User-level control to restrict access where necessary
  • Share settings allowing political assistants to view and update (or not)
  • Reporting tools

  26. Automation of many mundane tasks
  • Updates cases automatically
  • Files correspondence by reading the reference number
  • Uses your ward electoral register to autofill personal data
  • Built-in email tools to send one or bulk mailings… individually
  • Template letters and emails
  • Allocate keywords to enable overview reports to drill down
  • Campaign function
  • Contact list, address book and case management all in one

  27. ICO Notification AKA Data Protection Registration

  28. 3 areas of Councillor work
  • Party: it is your party's responsibility to notify the ICO of any and all personal data held and processed. This covers you for all work you do with your 'party hat' on.
  • Committee: the Council's notification covers you for all work you do with the Council, including personal data at meetings such as Licensing and Planning committees.
  • Constituent: this is your responsibility. It covers all your interactions with constituents, including enquiries, election door-knocking, use of ward electoral register data…

  29. Councillor Registration
  • All data controllers must be registered (House of Commons booklet)
  • Includes MPs and local councillors (though not parish councillors at the moment!)
  • £35 per year x 35 Cllrs = £1,225 (minus the 10 already registered via NCC)
  • Reasons/purposes for processing information (example: Andrew Lewer MP, Reg No. ZA259737):
    • we process personal information to enable us to carry out casework on behalf of constituents;
    • issues and campaigns we are involved with locally;
    • maintaining our own accounts and records;
    • supporting and managing our employees and agents

  30. Why do Councillors need to Notify?
  • It has always been a requirement of the 1998 Act
  • NCC have registered their Cllrs since 2005
  • NBC has left it to Cllrs to notify… until now
  This is changing. Why?
  • NBC is providing Caseworker.gov
  • This is a cloud-based system accessible 24/7
  • You MUST notify if you process constituents' data electronically
  • NBC have therefore agreed to manage the notification process
  • The ICO have reminded all unregistered Councillors in the country of their duty to notify

  31. So what does Notification mean?
  You will be the Data Controller. This covers personal data you use, or that is used in your name, such as by a support worker, admin or canvasser. Three key roles:
  • Ensure constituents' PD is secure (held, accessed, processed and destroyed)
  • Uphold data subjects' rights (access, rectification, erasure)
  • Breach reporting (loss, theft, misuse, cyber attack)
  You will need to have a processing statement advising anyone who asks:
  • How and why you collect the PD
  • How, and by whom, the PD will be used
  • Where, and for how long, the PD will be retained
  • How to contact you in respect of any of their GDPR rights
  • How you will securely destroy or delete the PD

  32. Questions • Q&A session

  33. Processing Notice - CHAPSTEAD
  • Collect
  • Hold
  • Access
  • Process
  • Store
  • Share
  • Transmission / Transportation
  • Encryption
  • Assess
  • Destruction

  34. C = Collect & Consent (A7 – Consent)
  • In the majority of cases you do not need explicit consent from individuals to hold and process their issue.
  • You will, however, need written consent from them to access or view any personal data the Council holds on them (such as for an update on a Housing Benefit claim).
  Requirements for consent are tightened significantly:
  • Consent must be 'unambiguous' and 'informed'
  • Must be intelligible and easily accessible, using clear and plain language
  • Right to withdraw consent
  Statutory processing does not rely on consent (it has its own lawful basis under Article 6), e.g.:
  • Housing Benefit
  • Council Tax
  • Homelessness
  • Temporary Accommodation
  • Housing application

  35. H = Hold
  • How is the data received?
  • Who handles the data?
  • Where is it kept before it is filed?
  • Where is the data stored?
  • How is it indexed?
  • Is sensitive PD held separately?
  • Is there a specified retention period?
  • Who has access to the data?
  • What ongoing security measures are in place?

  36. A = Access • Who has access to the data? • What access controls are in place? • Is the data password protected?

  37. P = Processing
  • Who processes the data?
  • How is the data processed? Manually or automated?
  • Is the decision verified?
  • Is the data subject notified? How?
  • If special category (sensitive) personal data is processed, is this under different procedures?
  • Is the data processed by a 3rd party? How is the data passed to the 3rd party? Is there a DPA in place?
  NAIG comment: processing is the cornerstone of the legislation, everything is processing!

  38. S = Security
  • What security measures are employed?
  Case study: May 2017 – WannaCry ransomware
  • Exploited a known vulnerability in Windows SMBv1 (MS17-010) on NHS computer systems; Microsoft had published a patch for supported versions in March 2017
  • Unsupported Windows XP machines (out of support since April 2014) and unpatched supported ones were open to attack
  • The NHS had been warned by the Department of Health and the Cabinet Office
  • No data loss, so no report
  Note for the GDPR era: under Article 33 a ransomware incident that makes personal data unavailable is itself a personal data breach, and must be reported to the ICO within 72 hours unless it is unlikely to result in a risk to individuals, even where nothing is stolen.

  39. S = Share (Data Sharing Agreements)
  • Is the data, as collected, shared with another data controller?
  • Is the data shared internally?
  • Is the data shared after processing?
  • Is the data shared after pseudonymisation?
  • If data is shared, is there a DSA in place?
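What "shared after pseudonymisation" means in practice, as an added example that is not part of the briefing: Article 4(5) requires that the additional information needed to re-identify someone is kept separately from the shared data. A keyed tag (HMAC) gives you exactly that, because the key is the separately held information; a bare hash of an email address does not, since anyone with a guess list can reverse it. The case records, field names and the fixed demonstration key below are constructed for illustration, and the approach is a general one rather than anything Caseworker.gov does.

```python
"""Keyed pseudonymisation of a constituent case extract before sharing.

Added example, not code from the briefing or from Caseworker.gov.
Records, field names and the demo key are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample export (not real constituent data). Note the mixed-case
# email in the first record: normalisation must make it match the third.
CASES = [
    {"urn": "C-0001", "email": "Alice@example.org", "ward": "Abington", "issue": "fly tipping"},
    {"urn": "C-0002", "email": "bob@example.org",   "ward": "Abington", "issue": "missed bin"},
    {"urn": "C-0003", "email": "alice@example.org", "ward": "Abington", "issue": "planning"},
]
DIRECT_IDENTIFIERS = ("urn", "email")

# The Article 4(5) "additional information": a secret the controller keeps and
# never sends with the extract. Fixed here so the example is reproducible;
# in practice generate it with new_key() and store it separately from the data.
KEY = bytes.fromhex("9f1c0b8e3a7d4c5e6f2a1b0c9d8e7f60112233445566778899aabbccddeeff00")


def new_key() -> bytes:
    """Fresh 256-bit pseudonymisation key from the OS CSPRNG."""
    return secrets.token_bytes(32)


def keyed_tag(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input and same key give the same tag,
    so the recipient can still see that two cases belong to one resident."""
    norm = value.strip().lower().encode()
    return hmac.new(key, norm, hashlib.sha256).hexdigest()[:16]


def unkeyed_tag(value: str) -> str:
    """What is often done instead: a bare hash. It looks opaque but is not."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:16]


def share_extract(cases, key, fields=DIRECT_IDENTIFIERS):
    """Copy of the case list with each direct identifier replaced by a keyed tag."""
    shared = []
    for rec in cases:
        out = dict(rec)
        for f in fields:
            out[f] = keyed_tag(out[f], key)
        shared.append(out)
    return shared


def dictionary_attack(tag, guesses, tag_fn=unkeyed_tag):
    """What a recipient (or anyone who obtains the extract) can do with a guess
    list: recompute the tag for each candidate and look for a match."""
    for g in guesses:
        if tag_fn(g) == tag:
            return g
    return None


def relink(tag, key, register):
    """Only the key holder can do this: recompute keyed tags over its own
    register (the electoral roll, the case system) and find the match."""
    for entry in register:
        if keyed_tag(entry, key) == tag:
            return entry
    return None


if __name__ == "__main__":
    shared = share_extract(CASES, KEY)
    for rec in shared:
        print(rec)
    guesses = ["carol@example.org", "alice@example.org", "bob@example.org"]
    print("bare hash reversed to:", dictionary_attack(unkeyed_tag("alice@example.org"), guesses))
    print("keyed tag reversed to:", dictionary_attack(shared[0]["email"], guesses))
    print("key holder relinks to:", relink(shared[0]["email"], KEY, guesses))
```

The two things to check before sending such an extract are that the key travels by a different route (or not at all) from the data, and that the remaining fields (ward, issue text, dates) do not themselves single a person out; if they do, the extract is pseudonymised but still personal data and the DSA still applies.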

  40. T = Transmit and/or Transport
  Transmit
  • Is the data emailed? What controls are used?
  • Is the data moved using FTP or SFTP? (Plain FTP sends both credentials and data unencrypted; use SFTP.)
  • Is the data published?
  Transport
  • Is the data posted? What control measures prevent interception, or the wrong data going to the wrong person?
  • Is the data put onto removable media?
  • Remote working controls
  Note: these are the two biggest risk areas.

  41. E = Encryption
  • Is encryption mandatory?
  • Is data zipped securely? (The legacy ZipCrypto password scheme is known to be weak; use AES-based archive encryption or a dedicated encryption tool.)
  • Are all personal data files password-protected to open?
  • Is secure email software used?
  • Are SFTP sites used to share PD over the web?
  • Do you use secure virtual data rooms (VDRs)?

  42. A = Assess
  Is the personal data to be kept internally long term?
  • How is the data secured long term?
  • What technology resilience is employed?
  • What security is given to ICT archived material?
  • Will the data be anonymised before long-term retention?
  Historical significance
  • Is the personal data to be considered for permanent preservation?
  • Where will the data be held? On site, externally, or at the County Archives?
  Change to assessment: PIA (a DPIA under the GDPR)

  43. D = Destruction
  • How is the personal data destroyed?
  • What controls are in place for the destruction of removable media?
  Relevant standards:
  • ISO/IEC 27001 (the international information security management standard; the 2005 edition cited here was superseded by the 2013 revision)
  • ISO 9001 (the quality standard)
  • ISO 14001 (the environmental standard)

  44. Think about
  • What you collect
  • How you collect it
  • Why you collect it
  Check
  • Where data is held
  • Who has access
  • Its accuracy
  Share data only if
  • You are allowed to
  • Relevant agreements are in place
  • Security measures are in place
  Types of personal data: constituents' contact details, complaint correspondence, campaign mailing lists, residents' associations, casework, ? ? ?
