Local Government Reform and Compliance with the DPA Ken Macdonald Assistant Commissioner (Scotland &...
-
Upload
emma-osborne -
Category
Documents
-
view
216 -
download
1
Transcript of Local Government Reform and Compliance with the DPA Ken Macdonald Assistant Commissioner (Scotland &...
Local Government Reformand Compliance with the DPA
Ken MacdonaldAssistant Commissioner (Scotland & Northern Ireland)Information Commissioner’s Office2 December 2014
Contents
• Local Government Reorganisation
• Data Protection Principles
• Meeting the Principles
Local Government Reorganisation
Existing powers
New organisation
Local Government Reorganisation
Transferred powers
New organisation
Data Protection Principles
The DPA is underpinned by a set of eight straightforward, common sense principles that organisations should follow. They state that personal data should be:
1) Processed fairly and lawfully2) Processed for specified purposes3) Adequate, relevant and not excessive 4) Accurate and up to date 5) Held for no longer than is necessary 6) Processed in accordance with the rights of individuals 7) Kept secure 8) Transferred outside the EEA only with adequate protection
Principle 1 – Fair and LawfulProcessingPersonal data shall be processed fairly and lawfully
• Register with the ICO
• Inform service users of forthcoming change…….…………..and again after reorganisation
• Have Retention and Disposal Schedules approved
Principle 2 – Processing for Specified PurposesPersonal data shall be obtained only for one or more specified
and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
• Review Privacy Policies
• Integrate where appropriate
• Ensure any new uses for the information are fair
Principle 3 –Adequate, Relevant and Not ExcessivePersonal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
•Undertake a data audit
•Review need
•Dip sample, where appropriate
Principle 4 –Accurate and Up to DatePersonal data shall be accurate and, where necessary, kept up to date.
•Take appropriate steps to ensure accuracy
•Test new integrated systems with dummy data
•Ensure records are up-to-date where necessary
•Dip sample
Principle 5 – Hold for no longer
than is necessaryPersonal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
• Use the opportunity to weed systems
• Consider statutory and business requirements
• Prepare revised and extended Retention & Disposal Schedules
Principle 6 – Process in Accordancewith the Data Subject’s RightsPersonal data shall be processed in accordance with the rights of
data subjects under this Act.
•Be aware of what information is held
•Consider issues around processing likely to cause damage or distress
•Stop direct marketing if requested. Abide by PECR for electronic marketing
•Put policies and procedures in place
Principle 7 - Security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
•Secure disposal and/or transfer to new authority
•Data/system compatibility
•Encryption of all mobile devices
•Home/mobile working policies
Principle 8 -Transfer outside of EEA
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
•If using cloud computing ensure the server is located within the EEA
All Principles:
Learn from others(what not to do)
Department of Justice (NI)£185,000A monetary penalty notice of £185,000 was served on the
Department of Justice (NI) after a cabinet containing details of a terrorist incident was sold at auction.
London Borough of Lewisham £70,000 CMP A CMP of £70,000 was imposed on the Council after a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on. The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.
Aberdeen City Council£100,000 CMP A council employee inadvertently uploaded four documents containing sensitive personal information about children and families on to the internet whilst home-working using an infected second-hand PC. A home working and data protection policy was in place at the time of the breach but the technical measures to assist staff to adhere to it were not provided. The Council was fined £100k.