2014 dpa training february nn

Data Protection Training Session Information Management Team February 2014

description

Data Protection Training presentation for work. A consistent 7/7 from audience on presentation and slides. The presentation covers the 8 principles of the Act and describes the roles and responsibility of staff.

Transcript of 2014 dpa training february nn

Page 1: 2014 dpa training february nn

Data Protection Training Session

Information Management Team

February 2014

Page 2: 2014 dpa training february nn

Table of Contents

Section 1 Introduction: how the Act works

Section 2 Definitions

Section 3 The 8 Principles of the DPA

Section 4 Your responsibilities

Section 5 Additional information

Page 3: 2014 dpa training february nn

Your takeaways

• Know the 8 principles

• Know your role and responsibilities.

Page 4: 2014 dpa training february nn

The Legal Framework

Our use of information is governed by a range of laws, principally:

• The Data Protection Act

• The Freedom of Information Act

• Common Law Duty of Confidence

• Human Rights Act

You need to know how these laws affect you!

Page 5: 2014 dpa training february nn

Page 6: 2014 dpa training february nn

What is the Data Protection Act?

Page 7: 2014 dpa training february nn

How the Act Works

As a “data controller”, you have to follow the eight principles so that you protect the rights of individuals, also known as “data subjects”.

The principles cover how you work with personal data and sensitive personal data.

Page 8: 2014 dpa training february nn

SECTION TWO: DEFINITIONS

Page 9: 2014 dpa training february nn

What is Personal Information?

Personal information is defined broadly and has two criteria:

First, it must relate to a living person. The dead do not have data protection rights. The living relatives will have a right to privacy and confidentiality.

Second, the person must be identifiable, either from the information itself or from the information plus other information which the data controller either possesses or is likely to possess in the future.

The definition of personal data includes any expression of opinion about the data subject.

Page 10: 2014 dpa training february nn

What is Sensitive Personal Data?

Sensitive personal information is defined by the Act. It covers the following areas:

• Race, ethnic origin

• Criminal records (including CRB checks)

• Membership of a trade union

• Medical records (such as sickness absence)

• Political opinions

• Religious, or similar beliefs

• Sexual life, for example, a person’s sexual orientation

In most cases explicit consent is needed before these can be used but other conditions may apply.

Page 11: 2014 dpa training february nn

What is a Data Subject?

A data subject is any living individual who is the subject of personal data. 

Page 12: 2014 dpa training february nn

What is a data controller?

An organisation, or an individual, is a data controller if it has full authority to decide how and why personal data is to be “processed”. When an organisation uses personal data or shares it with another organisation, it is acting as a data controller.

Please note that an employee working for an organisation can never be a data controller.

Page 13: 2014 dpa training february nn

What is processing?

Page 14: 2014 dpa training february nn

SECTION 3 THE 8 PRINCIPLES

Page 15: 2014 dpa training february nn

• If you learn nothing else on Data Protection, remember the following slide and you’ll probably be OK

Page 16: 2014 dpa training february nn

The 8 Data Protection Principles

1. Fairly and lawfully processed.

2. Processed for limited purposes.

3. Adequate, relevant and not excessive.

4. Accurate and up to date.

5. Not kept for longer than is necessary.

6. Processed in line with the rights of the data subject.

7. Stored and processed securely.

8. Not transferred to countries without adequate protection.

Page 17: 2014 dpa training february nn

Principle 1: Fair and Lawful

Page 18: 2014 dpa training february nn

Principle 2. Processed for limited purposes

Page 19: 2014 dpa training february nn

Principle 3. Adequate, relevant, not excessive

Page 20: 2014 dpa training february nn

Principle 4 Accurate

Page 21: 2014 dpa training february nn

Principle 5 Not kept for longer than is necessary.

Page 22: 2014 dpa training february nn

Principle 6 Rights of Data Subjects

Page 23: 2014 dpa training february nn

Principle 7 Secure

• VS

Page 24: 2014 dpa training february nn

Principle 8

Page 25: 2014 dpa training february nn

Video Break

http://www.youtube.com/watch?v=CdYWoLC7TNI&feature=youtu.be

Page 26: 2014 dpa training february nn

SECTION 4 YOUR RESPONSIBILITIES

Page 27: 2014 dpa training february nn

Responsibilities

• Subject Access Requests

• Security of information

• Records management

• Sharing information

Page 28: 2014 dpa training february nn

Subject Access requests

• What is a SAR?

• What do you need to do?

• Educational Record

• Third Party Data

• Confidentiality

Page 29: 2014 dpa training february nn

Security of Paper records

Page 30: 2014 dpa training february nn

Records management

Page 31: 2014 dpa training february nn

Sharing information

Page 32: 2014 dpa training february nn

SECTION 5 CONTACT INFORMATION

Page 33: 2014 dpa training february nn

Who to contact?

Information Commissioner’s Office

0303 123 1113

Information Management Team

03000 268 035