Data Protection webinar: Data Protection & Human Resources
18th March 2014
Welcome. We’re just making the last few preparations for the webinar to start at 11.00.
Keep your speakers turned on and you will shortly hear a voice!
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
What Data Protection is about: 1
Prevent harm to the individuals whose data we hold, or other people
Keep information in the right hands
Hold good quality data
(Diagram labels: Protecting people; Protecting data)
Whose data: employees, volunteers, donors, service users, members, professional contacts
What Data Protection is about: 2
Reassure people that we use their information responsibly, so that they trust us
Be transparent – open and honest, don’t hide things or go behind people’s back
Offer people a reasonable choice over how you use their data, and what for
(Cartoon speech bubbles: “Give us more money! Support our campaign!” … “We sold your details to someone else”)
Comply with specific legal requirements, such as:

What Data Protection is about: 3
Right to opt out of direct marketing
Right of Subject Access
Notification
(And others)
The main topics for this webinar:
But first:
  The Data Protection Principles
  The definition of Personal data
  Confidentiality
Best practice with HR records
External suppliers (e.g. payroll)
The wider role of HR
Contracts and staff handbooks
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Personal data
(Diagram: a 2 × 2 grid of Data / Not data against Personal / Not personal)
The Act applies to information that is ‘personal’ and ‘data’
The personal part means that it is about: identifiable, living individuals
The data part means that it is recorded:
  on a computer or automated system
  in a ‘relevant filing system’
  with the intention of going into one of these systems
Confidentiality
(Diagram labels: Clear boundaries; Data Protection)
Data Protection and Confidentiality overlap a lot, but they are not the same

How confidential is confidential?
Reasons for absence
Sickness records
Pregnancy
Disability
Disciplinaries
Supervision notes
Welfare/home circumstances

Taking confidentiality seriously
Passwords
Gossip
Scams
You could be breaking the law if you don’t respect confidentiality
It is a criminal offence ‘knowingly or recklessly’ to:
  access data you are not authorised to access
  allow another person unauthorised access
Examples:
  Criminal record and fine for operator who looked to see if her friends were on the police database
  Criminal record and fine (and no job) for bank clerk who looked up finances of partner’s ex-wife
HR records: Principle 1 – Transparency & Choice
(Fair Processing)
You must always ensure that Data Subjects are not in the dark about:
  who is collecting their information
  what purposes you hold their data for
  who you might pass the data on to
  how to contact you if they want to stop you from using their data or check what you are doing
You must give people a reasonable choice over how their data is used – and in any case you must meet at least one of the ‘Schedule 2’ Conditions
‘Fair Processing’ conditions
With consent of the Data Subject (“specific, informed and freely given”)
For a contract involving the Data Subject
To meet a legal obligation
To protect the Subject’s ‘vital interests’
Government & judicial functions
In your ‘legitimate interests’ provided the Data Subject’s interests are respected
HR records: Principle 2 – Limited purposes
When you obtain information your purpose(s) must be clear
‘Staff administration’ is likely to cover almost all HR functions
You must use information only in ways that are ‘compatible’ with the original purpose(s)
HR records: Principles 3 & 4 – Data quality
The Data Protection Act says that data must be:
  Adequate
  Relevant
  Not excessive
  Accurate
  Up to date (where necessary)
HR records: Principle 5 – Retention
Not longer than ‘necessary’
Refer to employment law book
Take account of any regulations specific to your organisation’s area of work
Broad brush approach:
  Short term (up to 6 months? current year?)
  Medium term (often 6 to 7 years)
  Long term (effectively indefinite)
HR records: Principle 6 – Data Subject rights (access)
Subject Access is important
Can run alongside open files/self service
The right is to access all their personal data; this includes e-mails about them
There are exemptions: negotiations, planning …
You may have to ‘redact’ third party information:
  Where someone else is the source
  Where the information is about someone else
HR records: Principle 6 – Data Subject rights (references)
References you have given are exempt from subject access
References you have received should be shown unless they are confidential
When giving a reference:
  Is the information you have still accurate and up to date?
  Make it clear whether the reference is confidential or not
HR records: Principle 7 – Security
The Data Protection Act says you must prevent:
  unauthorised access to personal data
  accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security.
(Answer revealed on the slide: £500,000)
Key security measures
Protect ‘data in transit’:
  Passwords & encryption on USB devices and laptops
  extreme care when faxing, e-mailing & posting
  think about encryption on e-mails if appropriate
  BYOD policy
Access controls, clear desks, locked filing cabinets
HR information held by line managers
External contractors (‘Data Processors’)
Secure destruction – shredding, etc.
Data Controller
The ‘person’ legally responsible for complying with the Data Protection Act
A trading company is a separate Data Controller
Organisations can be joint Data Controllers
Good practice to have a Data Protection Officer
Data Processor
An organisation to which work is outsourced, where that work involves accessing Personal Data
The Data Controller remains responsible for what happens to the data
There must be a written contract with the Data Processor, setting out:
  what they are to do
  what the relationship is
  security
  others worth looking at (checklist)
The role of HR in promoting good Data Protection practice I
Job descriptions
Employment contracts
Staff handbook
Behaviour/Code of conduct
HR Policies and procedures
Induction
Training
Monitoring
Discipline
(Don’t forget temps, interns, placements, etc.)

The role of HR in promoting good Data Protection practice II
Policies & procedures in operational areas:
  Service users
  Fundraising, membership & supporters
  Volunteers
  Safeguarding
  Complaints procedure
Repository of good practice
Written in full collaboration with relevant managers
Data Protection: the absolute basics
We are trying to:
Prevent harm by
  Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  Holding good quality data (accurate, up to date and adequate)
Reassure people so that they trust us
  Making sure people know enough about what we are doing
  Giving people a choice where possible
Many thanks
Follow-up questions: [email protected]
To come by e-mail:
  Link to evaluation questionnaire
  Link to download the presentation, after you have completed the questionnaire