Data Protection webinar: Data Protection & Volunteers
19th June 2014
Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
The main topics for this webinar:
* The roles volunteers play
* Quick overview of Data Protection
* The legal background
* Data Protection & Confidentiality
* Responsibilities
* The Data Protection Principles in practice
The roles volunteers play
Volunteers work in a range of settings, including:
* Running the whole organisation
* Working in the office alongside paid staff
* Delivering part or all of the organisation’s service
* Running local branches
* Acting as trustees on the Board or Management Committee
What Data Protection is about: 1
* Prevent harm to the individuals whose data we hold, or other people
* Keep information in the right hands
* Hold good quality data
Protecting people
Protecting data
What Data Protection is about: 2
* Reassure people that we use their information responsibly, so that they trust us
* Be transparent – open and honest, don’t hide things or go behind people’s back
* Offer people a reasonable choice over how you use their data, and what for
Give us more money!
Support our campaign!
We sold your details to someone else
What Data Protection is about: 3
Comply with specific legal requirements, such as:
* Right to opt out of direct marketing
* Right of Subject Access
(And others)
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
The legal background: 1
An organisation is “vicariously liable” for most actions of an employee
The situation with volunteers is not so clear cut, but measures can be put in place to emphasise their responsibilities in regard to Data Protection and Confidentiality without creating a contract of employment
The legal background: 2
Most information about people is “personal data” as soon as it is recorded somewhere
If the organisation fails to comply with the Data Protection Principles, it may face:
* A penalty from the Information Commissioner
* A claim for compensation from affected individuals
* Reputational damage
The Principles on their own are not enough: policies and procedures must ensure compliance
Confidentiality
Clear boundaries
Data Protection and Confidentiality overlap a lot, but they are not the same
Data Protection
Confidentiality
Define the boundaries: who has access to what information for what purposes
Employees have an implied duty of confidentiality
Volunteers are subject to the common law duty of confidentiality (as long as they know what information is confidential)
A signed confidentiality pledge should underpin all volunteers’ responsibilities
Ways of breaking confidentiality
* Discussing confidential information with partner
* Talking about confidential information in public
* Working on confidential material in public
* Giving out information carelessly over the phone
* Sharing or disclosing computer access details
* Losing confidential documents/leaving them around
* Sharing information about people who have not given permission
* Disposing of information carelessly
Responsibilities: Internal
The organisation is responsible for Data Protection compliance
Where volunteers work alongside paid staff they should be following exactly the same procedures
Volunteers should also be subject to the same checks, supervision and monitoring as paid staff would be if they were in the same role(s)
Responsibilities: Branches
Branches are part of the parent organisation or they are autonomous; there is no half-way house
In a unified structure, full responsibility lies with the parent organisation:
* The volunteers running the branch must be given clear procedures and instructions, and held to account
In a federal structure, full responsibility lies with each branch:
* The volunteers running the branch must know this; they may be given guidance
Security (Principle 7)
The Data Protection Act says you must prevent:
* unauthorised access to personal data
* accidental loss or damage of personal data
The security measures must be appropriate. They must also be technical and organisational.
The Information Commissioner can impose a penalty of up to £??????? for gross breaches of security.
£500,000
Key security areas
* Security in the office
* IT security (data at rest)
* IT security (data in transit)
* Website security
* Non-electronic data in transit
* Personnel
Data quality (Principles 3 & 4)
The Data Protection Act says that data must be:
* Adequate
* Relevant
* Not excessive
* Accurate
* Up to date (where necessary)
Guidance volunteers might need
* Use centrally-produced materials where possible
* What information to collect, and in what format
* How to design data collection forms
* How to ensure that the information they record is as neutral and accurate as possible
* How to keep information up to date – including how and when to offer people the chance to check that the information held about them is correct
‘Fair’ processing (Principles 1 & 2): Transparency & Choice
People generally need to know:
* who is collecting their information
* what purposes you hold their data for
* who you might pass the data on to
* how to contact you if they want to stop you from using their data or check what you are doing
They also must be given a reasonable choice over how their information is used, especially regarding Direct marketing
Guidance volunteers might need
* Use centrally-produced materials wherever possible
* Use standard wording provided by the organisation
* Record people’s preferences carefully, and respect their preferences
* Use the Information Commissioner’s Privacy Notices Code of Practice if designing own materials
Retention periods (Principle 5)
Data must not be held longer than ‘necessary’
Volunteers who hold data do so on behalf of the organisation
They must follow the organisation’s retention schedule
When their role ends they must not retain any confidential information:
* Return it for archiving if required
* Otherwise destroy it securely
Data Subject Rights (Principle 6)
Volunteers must be aware of any restrictions on marketing, resulting from choices the Data Subject has made
Most volunteers (or other staff) should not normally handle Subject Access Requests; these should be referred to the organisation’s Data Protection Officer
Transfers abroad (Principle 8)
Most UK voluntary organisations do not transfer information outside Europe. However, transfer may take place if:
* cloud computing (online applications such as Dropbox or SurveyMonkey) is used and the location of the data storage is outside Europe
* information is published on a website that is designed to be accessible throughout the world
Volunteers should be given guidance on the risks
The Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Data Protection: the absolute basics
We are trying to:
* Prevent harm by
  * Keeping data only in the right hands (and being clear what ‘the right hands’ are)
  * Holding good quality data (accurate, up to date and adequate)
* Reassure people so that they trust us
  * Making sure people know enough about what we are doing
  * Giving people a choice where possible
Many thanks
Follow-up questions: [email protected]
To come by e-mail:
* Link to evaluation questionnaire
* Link to download the presentation, after you have completed the questionnaire