Rick Parsons Information Governance Officer County Hall

Transcription

1 Rick Parsons Information Governance Officer County Hall

2 THE DATA PROTECTION ACT

3 Requirements of the Act Roles & Responsibilities Best Practice 3

4 The Act: The Data Protection Act 1998 Gives rights to those whose personal information is used Guidelines for those using the information to follow Means to resolve problems the courts 4

5 Personal Data is: Information on a living individual, and from which the subject can be identified and Where the information is held in a structured way Information can be held in any format, hardcopy, electronic, CCTV or audio 5

6 Sensitive Personal Data Racial or ethnic origin Political opinions Religious beliefs Trade union membership Physical and mental health Sexual life Criminal offences Proceedings of criminal offences 6

7 Data Controller A person or organisation who decides how and why personal data is used. Owns, and is responsible for, the data. Data Processor A person or organisation who uses the personal data on behalf of the data controller. Has no control over what data is used for 7

8 1. Data must be obtained and used lawfully 2. Data is only used for the purpose(s) provided for 3. Data is suitable to fulfill the task 4. Data is accurate and kept up to date 5. Data is not kept longer than required 6. Data use is in accordance with rights of the data subject 7. Data is kept securely and safely 8. Data is not sent to countries that do not recognise data subject rights 8

9 Principle Two Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 9

10 The information is only used for the purposes for which it was originally obtained or provided Required by both the Act and the contract 10

11 Principle Three Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed 11

12 Only information that is required in order to provide the service should be held But also need to ensure have enough information to get it right. 12

13 Principle Four Personal data shall be accurate and, where necessary, kept up to date 13

14 Do not guess or estimate missing information Take reasonable steps to keep information that may change up to date 14

15 Principle Five Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes 15

16 Information should be disposed of securely after the agreed retention period has expired. Retention period and disposal process to be agreed by OCC 16

17 Principle Six Personal data shall be processed in accordance with the rights of data subjects under the Act 17

18 Data Subjects have the following rights To be told whether information is held To be consulted over sharing To be told why we information is held To have access to the information To have inaccurate information corrected To receive compensation for distress Advise OCC if you receive a request 18

19 Principle Seven Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 19

20 Reasonable steps to be taken to make sure that data is both secure and available. Business Continuity Information Security without endangering service provision 20

21 OCC Guidance Password protect data held electronically Change passwords regularly. Don t share Lock hard copy information away Portable devices must be encrypted. Don t allow staff to save information to personal equipment mobiles, PC s 21

22 Before sharing with anyone: 1. Confirm identity 2. Confirm need to know 3. Ensure method of sharing is secure 22

23 Moving sensitive data securely Password protected attachment if not used is a security breach! Fax but take care dialling the number Post but only for small volumes of data Telephone but only for discussions on individual cases Working on using secure internet pots 23

24 Taking sensitive data outside the office Only remove where no other option Keep under cover at all times Never leave unattended Don t let anyone see it who doesn t need to 24

25 Serious provider breaches since List of clients left at a railway station List of a carer s clients left in abandoned car Client s data left on view in a carer s car. Worker took data home on a personal PC and refused to return it. Information texted to carer s own phone that had been sold List of carer s clients left in car overnight - car stolen 25

26 Security Breaches Report immediately Take action to limit damage Investigate how it happened Learn lessons 26

27 Office of the Information Commissioner Wycliffe House Water Lane Wilmslow Cheshire, SK9 5AF

28 Advises on details of the Act. Power to search and audit, serve enforcement notices, and take an organisation to Court (maximum 500,000 fine) Awarded over 1,000,000 in fines to public bodies in the last 2 years OCC are required to notify the ICO of any serious breach 28

29 Freedom of Information Act 2000 Most public bodies are subject to FoI. If we receive a request in connection with a contract we are obliged to provide requested data unless an exemption applies 29

30 Any questions? 30