the general data protection regulation: STAFF GUIDE
1 | Managing Procedures | WIRELESS NETWORK CONNECTIONS
Contents Introduction
3
Why the Change?
3
What’s not changed
3
What’s new?
4
What will be the benefit
4
What is personal data?
5
The Principles
5
Processing personal data
6
Consent
7
Special Category Personal Data
7
Processing special category data
8
Privacy Notices
9
Individual Rights
9
Privacy by Design and Data Protection Impact Impact Assessments
10
Information Sharing
11
Data Breaches
12
Enforcement
12
Advice & Assistance
13
Introduction The Data Protection Act 1998 is being reformed and as of May 2018 it will be replaced by the General Data Protection Regulation 2018 (GDPR). This guide has been created to help you understand what is changing and what this means when you handle personal data in the course of carrying out your role within the Council.
Why the Change? The Data Protection Act 1998 (DPA 98) was introduced twenty years ago and its purpose was to protect personal data from misuse by placing rules on organisations on how personal data is handled and processed. Two decades on and the Act requires to be updated to reflect the digital practices of today. This reform comes in the form of the GDPR which takes into account the advances in new technologies and media by introducing new rules on how personal data is collected and processed. Although the GDPR is European legislation, a Bill on Data Protection incorporating the new requirements laid out within the GDPR, is presently being considered by the UK Parliament and once approved will become the Data Protection Act 2018. This means that the GDPR requirements will still apply once the UK leaves the EU.
What’s not changed? Many aspects of the DPA 1998 have been incorporated into the GDPR. There will still be principles and conditions that require to be met before personal data can be processed; the UK Information Commissioner (ICO) will continue to be the regulator; individuals still have rights over how and when their personal data is processed; we are still required to provide privacy notices and have appropriate data sharing agreements in place.
the general data protection regulation | STAFF GUIDE | 3
What’s new? The GDPR requires certain organisations, such as local authorities to appoint a Data Protection Officer (DPO). This is a senior role with responsibility for understanding Data Protection legislation and overseeing how an organisation handles personal data. The GDPR places more emphasis on accountability and organisations must be able to demonstrate that they comply with the legislation. This means that we will need to record how we handle personal data by having appropriate procedures and policies in place and we will need to demonstrate that these are adhered to. We will also need to keep records of data breach management, information management practices and privacy impact assessments. Individuals have been given more power and control over their personal data and how it is used. We will be required to make more information available to individuals about what we do with their data. At present, if there is a breach of Data Protection it is the Council that is responsible for that breach, regardless of whether the processing was carried out by a supplier on its behalf. The GDPR changes this as it will hold both parties responsible and each will be subject to fines or enforcement action. Therefore, we will need to monitor and ensure that our suppliers are adhering to Data Protection rules.
What will be the benefit? Many aspects of the DPA 1998 have been incorporated into the GDPR. There will still be principles and conditions that require to be met before personal data can be processed; the UK Information Commissioner (ICO) will continue to be the regulator; individuals still have rights over how and when their personal data is processed; we are still required to provide privacy notices and have appropriate data sharing agreements in place. 4 | the general data protection regulation | STAFF GUIDE
What is personal data? Personal data is defined as ‘any information relating to an identified or identifiable natural person’ (a data subject). An identifiable natural person is defined as one who ‘can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’ This means that data protection applies to information that directly or indirectly identifies an individual either on its own or by linking it with any other information. This can be a person’s name, address, contact number, online profile or record (HR, school, social work). The information can be held in any format i.e. paper, electronic, photos, CCTV. The term ‘processing’ means the collecting, using, sharing, storing and deleting of personal data.
The Principles The GDPR has six principles to ensure that personal data is collected and used appropriately. These state that personal data shall be: 1. Processed lawfully, fairly and in a transparent manner. This means that we must have a lawful basis for processing the data and we must inform individuals what we will do with their personal data. 2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This means that we are not free to use personal data for a purpose different from the one communicated to the individual in a privacy notice. the general data protection regulation | STAFF GUIDE | 5
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means we should only collect the information needed for the purpose. 4. Accurate and, where necessary, kept up to date. Every reasonable step should be taken to ensure that personal data, where inaccurate, is erased or rectified without delay. This means that we must ensure that personal data is regularly reviewed and inaccurate data is rectified, where appropriate. 5. Kept in a form which permits the identification of individuals for no longer than necessary. This means that we should have a time limit in place for the retention of all data, and ensure that it is applied. 6. Processed in a manner that ensures appropriate security of personal data. This means that we must ensure that personal data is protected from unauthorised access, unauthorised or unlawful processing, accidental loss, destruction or damage using physical and technical measures.
Processing personal data For processing of personal data to be lawful, it must meet one of the following conditions: • Necessary for the performance of a contract. This applies when the individual has entered a contract with us, for example an employment contract. • Necessary to enable the Council to comply with a legal obligation. This would enable the processing of a planning application or a licensing application. • Necessary to protect someone’s vital interest. This can only be applied in ‘life or death’ situations such as passing on health information to a first responder or NHS. • Necessary for the performance of a task which is carried out by the Council in the public interest or in its official authority. This condition is likely to cover the majority of the processing carried out by Council services such as social work, education, homelessness etc.
6 | the general data protection regulation | STAFF GUIDE
Consent The GDPR states that consent must be ‘freely given’ and, as a local authority and employer, we are considered to have an unfair balance of power over individuals. This means that for the majority of our processing activities we will be unable to rely on consent as a lawful basis for processing personal data. This will be the case where an individual wishing to access a service has no choice in whether to provide personal information or not. It is artificial to seek consent when the individual is not free to refuse. This means a big change in our approach to customer’s data and we will need to rely on another condition or legal basis in order to process the data. However, there may well be circumstances where seeking consent would be appropriate for activities that fall out-with our core and statutory functions. The GDPR has tightened the rules around consent and states that consent must be ‘informed’. Therefore silence/inactivity or tick boxes are no longer considered appropriate. Individuals must be able to withdraw consent as easily as they gave it.
Special Category Personal Data As with the Data Protection Act 1998, the GDPR states that certain categories of personal data require heightened protection and we must meet a specific ‘special category’ condition before it can be processed. Special category personal data is an individual’s race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; health; genetic/ biometric data; sexual orientation or sex life. These categories were once referred to as sensitive personal data under the Data Protection Act 1998 but are now referred to as special category data under the GDPR.
the general data protection regulation | STAFF GUIDE | 7 7 | Managing Procedures | WIRELESS NETWORK CONNECTIONS
Processing special category data Special category data has a different set of conditions and for processing to be lawful it must meet one of the following conditions: • Necessary to carry out a specific obligation or exercise a right in the field of employment, social security and social protection such as pensions. • Necessary to protect an individual’s vital interest. This can only be applied in ‘life or death’ situations such as passing information on to paramedics. • Necessary to establish, exercise or defend legal claims. This would apply to sharing council tax information to pursue an outstanding debt. • Necessary for reasons of substantial public interest. This would apply to a school retaining a copy of a pupil’s medical history. • Necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care services. This would apply to the provision of occupational health services, health and social care services. • Necessary for reasons of public interest in the area of public health. This would apply to the sharing of personal data to clear contaminated land. • Necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. This applies to permanent preservation of documents. • The personal data has been made public by the individual. It has to be obvious that the individual has made the information public.
8 | the general data protection regulation | STAFF GUIDE
Privacy Notices We currently provide privacy notices (or statements on forms) in respect of any processing of personal data that we undertake. However, the GDPR has significantly enhanced what is required to be provided to the individual and therefore much more information will need to be included. Individuals must be informed as to why we need their personal data and how it will be used. This will mean individuals are less likely to feel that we are processing their data inappropriately or unfairly. The GDPR requires the following information to be provided in a clear and concise manner and must be easily available: • • • • • •
Who the data controller is and how to contact them Why the data is needed, and how it will be used What condition of processing is being relied upon Whether the information will be shared and with whom How the data will be kept Whether the data will be used for profiling or to make any automated decisions (decisions made without human intervention) • How to make a complaint There will be a webpage and hardcopy created detailing the generic information such as the data controller, contact details of the ICO and how to raise a concern. This will help reduce the amount of information detailed on forms and websites. Further guidance on privacy notices will be available on the intranet. The ICO code of practice on privacy notices is available here.
Individual Rights As mentioned previously, existing individual rights have been enhanced and new ones have been introduced. These rights are: • To be informed how their data will be used through privacy notices • To have access to their personal data within 30 days (previously 40 days, please note that if the information requested is voluminous and complex this timeframe can be extended up to 3 months) • Have inaccurate data amended • Object to certain types of processing the general data protection regulation | STAFF GUIDE | 9
• Restrict processing that involves automated decision making and profiling • Have data deleted in certain circumstances • Data transferred to another organisation in certain circumstances Although some of these rights described above can only be applied in certain circumstances, we are still required to respond to the individual within 30 days even if it does not apply. Staff should pass any request on as quickly as possible to the Information Management Team, dataprotection@scotborders. gov.uk who will log the request, liaise with staff concerned to ensure that it is properly considered and that the individual receives a response within the statutory timeframe.
Privacy by Design and Data Protection Impact Assessments Privacy Impact Assessments (PIA) are undertaken to ensure that, when introducing new systems or processes, various controls for processing personal data are considered. These assessments look at what data is required and if it is appropriate, who will have access to the data, what security measures are needed, when and how to inform data subjects etc. Presently, PIAs are considered to be best practice and usually conducted as part of the project process. However, under the GDPR, Data Protection Impact Assessments (DPIA), will be mandatory as part of the ‘Privacy by Design’ approach. This is a framework that organisations must put in place to ensure that any new or revised process/system (handling personal data) does not capture more personal data than is required and should identify the steps needed to ensure that it is kept safe and secure and not retained for longer than required. Crucially we must be able to demonstrate that our processes meet the requirements of Data Protection and that the rights of individuals were considered appropriately. DPIAs will evidence that we have considered the data protection principles and that we tried to do the right thing. We are required to inform and seek authorisation from the ICO before any processing which is deemed to be high risk, can take place. Staff should inform the Information Management Team conducting a DPIA. The team can also provide advice and assistance. Further guidance on DPAIs is available on the Intranet and the ICO website. 10 10||the Managing generalProcedures data protection | WIRELESS regulation NETWORK | STAFF CONNECTIONS GUIDE
Information Sharing To provide services, we are routinely required to share personal information with other organisations such as the Police and the NHS as well as internally. However, before information can be shared we must ensure that it complies with data protection principles. Therefore we must ensure that: • • • •
The data subject has been informed The processing meets a condition The data shared is kept to the minimum required A record is kept of what data was shared and why
Information shared on a regular basis should have a data sharing agreement in place and should have been properly assessed and documented by the completion of a Data Protection Impact Assessment (DPIA). A signed copy of data sharing agreements should be emailed to the Information Management Team, where it will be recorded in the central register of data sharing. For more guidance on data sharing, please refer to the Information Sharing Code of Practice available on the intranet.
the general data protection regulation | STAFF GUIDE | 11
Data Breaches A data breach is when an organisation in its handling of personal data fails to comply with the data protection principles resulting in the loss, destruction or unauthorised access of personal data. They can be a result of human error, failure to follow procedure or by not having appropriate procedures or controls in place. All staff must complete the mandatory training on SB Learn to increase their knowledge, to mitigate the risk of data breaches occurring through ignorance. Under GDPR, it will be mandatory to report some serious breaches to the ICO within 72 hours of identification and failure to do so could result in the Council being fined. The individuals affected may also need to be notified. All potential data protection breaches must be reported to the Information Management Team immediately so they can be investigated and documented appropriately. The Security Incident Reporting and Management procedure is available on the intranet.
Enforcement The Information Commissioner will continue to be the Regulator for Data Protection. As the Regulator, the ICO has investigative and corrective powers to ensure that Data Protection legislation is adhered to by organisations. Under the GDPR, fines the ICO can issue for breaches of Data Protection have significantly increased to 10,000,000 euros or 2% of annual turnover for breaches that concern failure to report a breach, carry out a DPIA or to keep appropriate records of processing. This increases significantly to 17,000,000 euros or 4% of annual turnover for breaches that concern individual rights, the principles or non-compliance with an enforcement notice. As a Public Authority, we are unlikely to be issued a fine of this amount; however it should be noted the current threshold of £500,000 set for public authorities is likely to increase. The ICO has stated that it views fines as a last resort and will normally issue enforcement notices. An enforcement notice will inform an organisation what remedial actions it must undertake within a set timeframe. These notices are published on the ICO website and can significantly damage an organisation’s reputation. 12 generalProcedures data protection regulation | STAFF GUIDE 12| |the Managing | WIRELESS NETWORK CONNECTIONS
Advice & Assistance Back in 2016, the Information Management Team carried out an information audit and resulting in Information Asset Register. This provides a record of what information the Council holds and describes how it is looked after, where it is stored, who has access, how long it is kept and so on. Services were recently asked to review the register for their area and to provide any missing information. They were also asked to complete an exercise surrounding the personal data they use and the legal basis for its processing in preparation for the GDPR. Once complete, this piece of work will help services revise their privacy notices and ensure that the required information is provided. The Information Management Team along with the Legal Team will offer advice and support, in particular to those services with complex areas of processing to help identify the purpose and legal basis for their processing activities shortly. Over the coming weeks, more guidance and training on Data Protection will be made available to staff and this will be communicated by email and the intranet. In the meantime, we would ask staff to: 1. Complete their Information Asset Registers and ensure that all personal data being processed is captured. 2. Follow the Council’s record management policy, ensuring that personal data has a retention schedule in place and is adhered to. 3. Ensure that there are documented processes in place for staff handling personal data for your area. 4. Understand the Council controls in place, and when to use them: • Data Protection Impact Assessments • Privacy notices • Data Protection Breach process • Information Sharing arrangements 5. Complete mandatory eLearning The Information Management Team can provide advice on Data Protection and other Information Management matters. Please email INFOTEAM@scotborders.gov.uk
the general data protection regulation | STAFF GUIDE | 13 13 | Managing Procedures | WIRELESS NETWORK CONNECTIONS
You can get this document on tape, in large print, and various other formats by contacting us at the address below. In addition, contact the address below for information on language translations, additional copies, or to arrange for an officer to meet with you to explain any areas of the publication that you would like clarified. CHIEF EXECUTIVES Scottish Borders Council | Newtown St Boswells | MELROSE | TD6 0SA tel: 01835 824000
Printed in the Scottish Borders. Designed by Scottish Borders Council Graphic Design Section. GS20.02.18 - February 2018.