The Data Protection Bill: A Summary


By Lynn Wyeth

The text of the new Data Protection Bill has finally been published by the Government and at 218 pages, 194 clauses, 18 schedules and 112 pages of explanatory notes, it is a huge chunk of legalese spaghetti. You can find the main Bill in pdf form here.

As with the 1998 Data Protection Act (DPA98), the Bill is cumbersome and repeatedly refers to clauses within itself. This is compounded this time by references also to the General Data Protection Regulation (GDPR) and other pieces of European legislation. To translate all this and join all the dots you need to flick between many texts and screens, but here’s a quick summary of some of the key issues and where to find them in the Bill:

Structure of the Bill

There’s nothing hugely unexpected in the Bill, as long as you are familiar with the DPA98, the additional orders added to the DPA98 over the years, the GDPR and the Law Enforcement Directive (EU) 2016/680! This has all been merged into one large Bill to try and keep what we have now plus any new requirements of the GDPR and the Directive. The Bill is set out in Parts, some of which may not be relevant to all organisations.

Part 1 & 2 – Definitions and General Processing

Part 3 – Law Enforcement

Part 4 – Intelligence Services

Part 5 – Information Commissioner’s Office

Part 6 – Enforcement

Part 7 – Miscellaneous!

Law Enforcement 

Part 3 of the Bill deals exclusively with Law Enforcement under Clauses 27-79. Organisations will only be subject to these clauses if they are

  • a Competent Authority, or
  • processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Schedule 7 lists the Competent Authorities and this includes organisations such as Government departments, Police, Fraud Office, Probation, Youth Offending Teams etc. If you don’t meet the criteria above, you don’t need to worry about this large part of the Bill.

There are some differences in Part 3 that organisations do need to be aware of if they fall into the law enforcement category. The Data Protection Officer (DPO) has extra specified tasks in clause 69, namely the ability to assign responsibilities, promote policies, undertake audits and deliver training. There is also an additional requirement to have specific audit trails (clause 60 – logging) on automated processing ensuring a log of who collected, altered, erased and transferred data amongst other things.

Public Authorities

The Bill confirms in clause 6 that where it refers to public authorities or public bodies, it means those organisations that are currently subject to Freedom of Information Act provisions. Interestingly it means any organisations brought under FOI in the future may need to consider issues such as DPOs and use of legitimate interests in future too. Housing associations and companies delivering public contracts may need to watch the FoI Private Member’s Bill going through parliament next year or the ICO’s push for extending FOI through its reports to Parliament.

Data Protection Officers

For those organisations not involved in law enforcement, their DPO will only have to undertake the tasks set out in GDPR, not the additional ones set out in clause 69. There are no extra surprises here and the Article 29 Working Party guidance on this is comprehensive about when one is required by law, the tasks it carries out and on the issue of conflict of interest. Senior managers, SIROs, Caldicott Guardians, Heads of IT or HR… none of them can be the DPO.

Data Breaches

As expected in order to implement the GDPR requirements, any personal data breaches must be reported to the Information Commissioner’s Office (ICO), where there is a risk to an individual, within 72 hours unless there is reasoned justification (breach notification). The potential derogation for public authorities has not been taken advantage of and they, like all other organisations, could face Civil Monetary Penalties (CMPs) of up to £17m or 4% of the equivalent of annual global turnover (although the ICO can change this – perhaps due to currency fluctuation or after Brexit). The reality is that the ICO, as stated in its myth busting blog, will continue to use CMPs as a last resort and they will be proportionate.

Children

The Bill also confirms that in the UK the child’s age in relation to information society services will apply if the child is under 13 years old rather than 16 years old. Providers of such services will have to take reasonable steps to get the consent of a parent or guardian to offer a child under 13 years the service. The definition of information society services can be found in the E-Commerce Directive and it should be noted this specific age of consent is only for this type of service. For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency. Data Protection practitioners in Scotland have the added complexity in clause 187 of separate rules for age of consent for Scottish children to reflect the existing provision there now that “a person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown”.

Fees

As previously discussed on this blog, GDPR removes the obligation for data controllers to notify the ICO. The ICO had expressed concerns about this and the loss of income if it could not continue with notification fees (currently £500 per annum for large organisations, £35 per annum for smaller data controllers). The Data Protection Bill therefore makes provision for the ICO to continue to require a form of notification fees under clause 129. In fact, the Bill looks like it allows the ICO to charge fees for other services too. The ICO will have to publish these fees and have them agreed by the Secretary of State. The DCMS is currently consulting on a 3-tier system with the top tier (businesses with over 250 staff) having to pay up to £1000 (with a direct marketing top up of £20).

Conditions for processing

The ICO has already stressed in its myth busting blog that consent is not the only condition for processing despite misleading stories elsewhere. As before, the Bill lists several conditions for processing non-sensitive personal data and sensitive (now called special category in GDPR) personal data. As we already knew from GDPR, Public Authorities can no longer rely on legitimate interests but all of the other conditions from the existing DPA98 have been brought across e.g. counselling, insurance. There’s even one explicitly for anti-doping in sport. Schedule 1 lists all of these conditions for processing special category data.

Complaints and compensation

Clause 157 sets out what individuals can expect if they submit a complaint to the ICO and the ICO fails to address it adequately, and how the Tribunal can then become involved. Clause 159 provides for compensation claims for ‘damage’ and that can include financial loss, distress and other adverse effects. Consumer support groups are disappointed that they are not able to take class actions and seek redress without the data subject’s consent, as the Government has decided against the use of that derogation.

New Criminal Offences

There will be a new criminal offence under the Bill where anyone uses anonymised data “knowingly or recklessly to re-identify information that is de-identified personal data”. Researchers and IT testers will need to be careful that they can demonstrate anything accidentally re-identified or deliberately tested is done in the public interest and doesn’t trigger this offence. Data theft will also be a recordable offence on the national police computer, as will unlawfully obtaining personal data and altering personal data in a way to prevent it being disclosed.

Certification

Clause 16 allows for the accreditation of certification providers. The only organisations that can award certification are the ICO and the National Accreditation Body (which looks set to be UKAS). No organisation has been awarded certification yet so beware of organisations claiming they can make you a ‘certified’ GDPR practitioner at this time!

Exemptions

All of the familiar exemptions have been brought across from the current DPA98 e.g. crime and taxation, journalism, references, examination marks, honours, parliamentary privilege, management forecasts, legal professional privilege and negotiations. Also added is immigration, and clarity is given on archiving and research. They can all be found in Schedules 2-4, with Schedule 3 focussing on detail on health and social care, and Schedule 4 on education, child abuse and adoption.

Subject Access Requests

The Bill confirms the requirements in the GDPR. You cannot charge for a Subject Access Request unless repeated or manifestly unfounded or excessive, and you must answer in one month (unless it’s excessive and it can be extended for another two months).

What happens next?

The 2nd reading of the Bill will take place in the House of Lords on October 10th 2017. Its passage through Parliament can be tracked here. There may be some amendments made as it works its way through the parliamentary process. Several Regulations will also need to be made by the Secretary of State to implement some parts of the Bill.

Want to know more? Attend our new Data Protection Bill workshop.

Lynn Wyeth is the Head of the Information Governance function of a large unitary public authority and has over 10 years’ experience as a Data Protection and FOI practitioner. She also delivers some of our external GDPR and GDPR Practitioner Certificate courses.


The Data Protection Bill: It’s not what you think it is!


Yesterday the DCMS published the long awaited Data Protection Bill 2017. Accompanying the 203 pages of the Bill there are 112 pages of explanatory notes, a 4-page factsheet and a 5-page impact assessment. With detailed cross referencing to the provisions of the General Data Protection Regulation (GDPR), this Bill is a gift to purveyors of highlighters and sticky notes!

The Bill has many aims (see below). It does not though, contrary to popular belief, incorporate the GDPR into UK law. GDPR is a Regulation and so directly applicable when it comes into force on 25th May 2018. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit the GDPR will still be the law because of the provisions of the European Union (Withdrawal) Bill (previously the Great Repeal Bill.) Paragraph 6 of the explanatory notes confirms this:

“While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.”

So why do we need a Data Protection Bill? Section 1 explains:

  • To fill in some of the gaps in GDPR – what are known as “derogations”, where Member States are allowed to make their own rules. The Bill mirrors the Government’s Statement of Intent which was published a few weeks ago. Amongst many other things, we are now clearer on the minimum age at which a child can consent to certain types of data processing, the definition of a public authority/public body, new offences, rules on automated decision making and exemptions (including for research and freedom of expression in the media).
  • To make provision for a broadly equivalent regime for certain types of processing to which the GDPR does not apply (see Article 2(2)), including the processing of unstructured, manual data held by an FOI public authority.
  • To implement Directive (EU) 2016/680 (the Law Enforcement Directive) on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Unlike the GDPR, the Law Enforcement Directive is not directly applicable EU law; accordingly Part 3 of the Bill, amongst other things, transposes the provisions of the Directive into UK law.
  • To make provision for the processing of personal data by the Intelligence Services.
  • To make provisions about the role of the Information Commissioner.
  • To make provisions for the enforcement of data protection legislation.

The second reading of the Bill will be on 10th October. Its passage through Parliament can be tracked here.

Want to know more? Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate courses are filling up fast.

We also offer a GDPR health check service.


What impact will GDPR have on your CCTV systems?


There are now less than nine months to go before the General Data Protection Regulation (GDPR) comes into force replacing the Data Protection Act 1998 (DPA).

So what should operators and controllers of CCTV and video systems be doing now? The short answer is, ensure you are complying with the current law and don’t believe the doom merchants:

“The GDPR will require a wholesale reassessment of data protection for the UK’s millions of CCTV cameras, which so far have gained from relatively light touch regulation.”

The ICO CCTV Code

Overt CCTV camera systems are regulated by the DPA. The Information Commissioner’s Office (ICO) revised its CCTV Code of Practice in 2015 to:

  • reflect the developments in existing technologies that have taken place in the last six years,
  • discuss the emergence of new surveillance technologies and the issues they present (e.g. drones and body worn cameras etc.)
  • reflect further policy development in areas such as privacy impact assessments,
  • explain the impact that new case law has had on the area of surveillance systems
  • reflect the wider regulatory environment that exists when using surveillance systems.

The ICO has produced a CCTV self-assessment tool that will help you assess your compliance with its code.

Jonathan Bamford, then the Head of Strategic Liaison at the ICO, emphasised in his blog post at the time of the consultation into the new CCTV code that the underlying principles remain the same. And the same can be said about GDPR’s impact on CCTV systems. All the familiar provisions found in the DPA are there in the GDPR including the need for transparency, security, respect for individuals’ rights etc.

Data Protection Impact Assessment

One area, which needs particular consideration, is whether a Data Protection Impact Assessment (DPIA) needs to be undertaken before setting up a new CCTV system. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.

A DPIA is required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1) of GDPR). Such processing, according to Article 35(3), includes “large scale, systematic monitoring of public areas (CCTV)”.

Even where your CCTV does not fall into this category it may still be deemed to be “high risk.” The Article 29 Working Party’s data protection impact assessment guidelines set out the criteria for assessing whether processing is high risk. This includes systematic monitoring of individuals.

For its part the CCTV code emphasises the importance of conducting a privacy impact assessment before undertaking surveillance using CCTV, especially when fitted to drones e.g. broadcasters seeking to gather footage for production purposes, police forces conducting surveillance on suspects, or construction companies monitoring job progress.

For more on DPIAs including how it should be conducted and by whom, please read our DPIA blog post. Other points to consider in relation to CCTV systems include:

If a CCTV system is being used for employee monitoring, then other aspects of GDPR will come into play as well as, in some cases, Part 2 of the Regulation of Investigatory Powers Act (RIPA). For more on this topic see our blog post and forthcoming webinar.

The PoFA Surveillance Camera Code

Just to complicate things a bit more, some organisations also have to comply with the Surveillance Camera Code (PoFA code). Made in 2013, pursuant to the Protection of Freedoms Act 2012 (PoFA), this code governs the use of CCTV and ANPR systems by local authorities and policing authorities in England and Wales.

The Surveillance Camera Commissioner (in charge of the PoFA code) has set up a voluntary certification scheme. He says on his website:

“Over the coming weeks and months we will look at what else will be useful or necessary to support those using surveillance cameras on their journey to compliance. At the same time I can reassure you that we are working hard with certification bodies to adjust our independent third party certification scheme to ensure that if you or your organisation acquire that standard it is very likely that you will measure up to the new requirements under GDPR. Many police forces, local authorities, large retailers and transport networks sit within that category and I aim to broaden that base – outward reassurance to the public concerning inward compliance!”

GDPR will have an impact on CCTV and other video recording systems. But there is not going to be a revolution. If time is spent on complying with the current law by making use of existing resources (as explained above), there will be no need for a big jump into GDPR land.

Learn more about GDPR on our full day workshop. We also offer a GDPR health check service. 5 out of our next 7 GDPR Practitioner Certificate courses are fully booked. Be prepared and book your place now. 


GDPR and the Data Protection Bill: Myths and Misunderstandings


On Monday, the Government published a Statement of Intent about the forthcoming Data Protection Bill. The idea behind the Bill is to fill in some of the gaps in the General Data Protection Regulation (GDPR), which will come into force on 25th May 2018. The full text of the Bill is likely to be published in September.

The Bill follows a consultation exercise run by the DCMS earlier this year calling for views on implementation of the “derogations” under GDPR. These are areas where EU member states are left to produce their own laws to fit their circumstances while keeping within the GDPR framework. Notable derogations, amongst others, include the minimum age at which a child can consent to data processing, when data about criminal convictions and offences can be processed and exemptions (including for freedom of expression in the media.)

That’s the real background to Monday’s statement. But this did not stop the media from peddling myths and misunderstandings. Upon reading the headlines, a layman or woman would get the impression that:

The Bill gives people new rights (No it does not, the GDPR does.)

The Bill is designed to sign European privacy rules into British law

(GDPR is a Regulation and so directly applicable. It does not need to be “signed into British law” whilst we remain members of the EU. Post Brexit it will still be applicable because of the provisions of the Great Repeal Bill (More here.))

The BBC even reported that “the new law was drafted by Digital Minister, Matt Hancock.” Yesterday the story was changed to state that it was “drafted under Digital Minister, Matt Hancock.” (I have asked them about this.)

Then again the media is not entirely at fault. The Government’s statement is drafted (or spun) in such a way as to give the impression that GDPR is all their idea rather than the EU’s. Mr. Hancock, in his foreword, even suggests that the Bill is part of the Government’s grand Brexit plan (if there is a plan!):

“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.”

All this myth peddling has led to some official myth bashing too. (See the ICO’s latest blog post.)

So what have we actually learnt about the Government’s GDPR intentions? Much of the statement explains the provisions of the GDPR or states the obvious. For example that the Data Protection Act 1998 (DPA) will be repealed. As if there was any choice!

The DCMS has today published (HT Bainsey1969 and the Open Rights Group) a list of derogations in the Bill and their proposed stance (Read here). The following stand out:

  • Children and Consent – The UK will legislate to allow a child aged 13 years or older to consent to their personal data being processed (rather than 16 which is GDPR’s default position).
  • Exemptions – The GDPR allows the UK to introduce exemptions from the transparency obligations and individuals’ rights. The Government will make the same exemptions available under GDPR as currently under the Data Protection Act (see S.29-35 and Schedule 7 of the DPA).
  • New Offences – The Bill will create a number of new criminal offences:
      • Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and knowingly handling or processing such data
      • Altering records with intent to prevent disclosure following a Subject Access Request (just like under S.77 of FOI)
      • Retaining data against the wishes of the Data Controller, even where the data was originally obtained lawfully (this would constitute a widening of the current offences provided for in s. 55 DPA)
  • Journalism – There will be a journalistic exemption in GDPR similar to S.32 of the DPA (balancing data protection rights with journalistic freedoms). The Information Commissioner’s Office (ICO) will have wider powers to take enforcement action in media cases.
  • Automated Decisions – There will be an exemption from the general rules in GDPR about automated decision making and profiling where such processing is in the legitimate interests of the Data Controller.
  • Research – There will be exemptions to the general rules in GDPR about Data Subjects’ rights. Research organisations and archiving services will not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Research organisations will not have to comply with Data Subjects’ rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.

Data Controllers should not wait for the Data Protection Bill to be published before starting their GDPR preparations. There is so much to do now:

  1. Raise awareness about GDPR at all levels. (Check out our full day workshop and our GDPR poster).
  2. Consider whether you need a Data Protection Officer and if so who is going to do the job.
  3. Review compliance with the existing law as well as the six new DP Principles.
  4. Review how you address records management and information risk in your organisation.
  5. Revise your privacy policies in the light of the GDPR’s more prescriptive transparency requirements.
  6. Review your information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  7. Write policies and procedures to deal with new and revised Data Subject rights including Data Portability and Subject Access.
  8. Consider when you will need to do a Data Protection Impact Assessment.

STOP PRESS – the Bill has now been published. Attend our Data Protection Bill workshop.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service.


GDPR and Employee Surveillance


The regulatory framework around employee surveillance is complex and easy to fall foul of. A few years ago, West Yorkshire Fire Service faced criticism when a 999 operator, who was on sick leave, found a GPS tracker planted on her car by a private detective hired by her bosses.

At present all employers have to comply with the Data Protection Act 1998 (DPA) when conducting surveillance, as they will be gathering and using personal data about living identifiable individuals. Part 3 of the Information Commissioner’s Data Protection Employment Practices Code (Employment Code) is an important document to follow to avoid DPA breaches. It covers all types of employee surveillance from video monitoring and vehicle tracking to email and Internet monitoring.

When the General Data Protection Regulation (GDPR) comes into force (25th May 2018) it will replace the DPA. The general rules applicable to employee monitoring as espoused by the DPA and the Employment Code will remain the same.  However there will be more for employers to do to demonstrate GDPR compliance.

Data Protection Impact Assessment

One of the main recommendations of the Employment Code is that employers should undertake an impact assessment before undertaking surveillance. This is best done in writing and should, amongst other things, consider whether the surveillance is necessary and proportionate to what is sought to be achieved.

Article 35 of GDPR introduces the concept of a Data Protection Impact Assessment (DPIA) (also known as a Privacy Impact Assessment) as a tool, which can help Data Controllers (in this case employers) identify the most effective way to comply with their GDPR obligations. A DPIA is required when the data processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)). Employee surveillance is likely to be high risk according to the criteria set out by the Article 29 Working Party in its recently published draft data protection impact assessment guidelines.

The GDPR sets out the minimum features which must be included in a DPIA:

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

Before doing a DPIA, the Data Protection Officer’s advice, if one has been designated, must be sought as well as the views (if appropriate) of Data Subjects or their representatives. In some cases the views of the Information Commissioner’s Office (ICO) may have to be sought as well. In all cases the Data Controller is obliged to retain a record of the DPIA.

Failure to carry out a DPIA when one is required can result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Our recent blog post and forthcoming DPIA webinar will be useful for those conducting DPIAs.

Article 6 – Lawfulness

All forms of processing of personal data (including employee surveillance) have to be lawful by reference to the conditions set out in Article 6 of GDPR (equivalent to Schedule 2 of the DPA). One of these conditions is consent. Article 4(11) states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

As discussed in our previous blog post, consent will be more difficult to achieve under GDPR. This is especially so for employers conducting employee surveillance. According to the Information Commissioner’s draft guidance on consent under GDPR:

“consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.”

Employers (and public authorities) may well need to look for another condition in Article 6 to justify the surveillance. This could include where processing is necessary:

  • for compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c));
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (Article 6(1)(e)); or
  • for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6(1)(f)).

Legitimate interests (Article 6(1)(f)) will be a favourite condition amongst employers as usually the surveillance will be done to prevent or detect crime or to detect or stop abuse of the employers’ resources e.g. vehicles, internet and email facilities etc.

Public Authorities

Article 6 states that the legitimate interests condition shall not apply to processing carried out by public authorities in the performance of their tasks. Herein lies a potential problem for, amongst others, local authorities, government departments, and quangos.

Such organisations will have to consider the applicability of the legal obligation and public interest/official authority conditions (Article 6(1)(c) and Article 6(1)(e) respectively). We can expect lots of arguments about what surveillance is in the public interest and when official authority is involved. If the surveillance involves a public authority using covert techniques or equipment to conduct the surveillance, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies and so the latter condition is met. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (see C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H)).

More detail on the RIPA and human rights angle to employee surveillance can be found in our blog post here. More on the DPA angle here.

We also have a specific blog post on the legal implications of social media monitoring as well as a forthcoming webinar.

Transparency

All Data Controllers, including employers, have an obligation to ensure that they are transparent about how they use employees’ information. Consideration will also have to be given as to what extent general information will have to be supplied to employees in respect of the employer’s surveillance activities (see our blog post on Privacy Notices).

Surveillance of employees can be a legal minefield. Our forthcoming webinar on GDPR and employee surveillance will be useful for personnel officers, lawyers, IT staff and auditors who may be conducting or advising on employee surveillance.


Act Now can help with your GDPR preparations. We offer a GDPR health check service and our workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast.


Data Protection Impact Assessments under GDPR


The General Data Protection Regulation (GDPR) will come into force in about 10 months. There is plenty to learn and do before then including:

  1. Raising awareness about GDPR at all levels.
  2. Reviewing how you address records management and information risk in your organisation.
  3. Reviewing compliance with the existing law as well as the six new DP Principles.
  4. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements.
  5. Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  6. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  7. Considering whether you need a Data Protection Officer and, if so, who is going to do the job.
  8. As well as: considering when you will need to do a Data Protection Impact Assessment (DPIA).

Article 35 of GDPR introduces this concept. DPIAs (also known as Privacy Impact Assessments) are a tool which can help Data Controllers identify the most effective way to comply with their GDPR obligations and reduce the risks of harm to individuals through the misuse of their personal information. A well-managed DPIA will allow Data Controllers to identify and fix problems at an early stage, reducing the associated costs and damage to reputation, which might otherwise occur.

DPIAs are important tools for accountability, as they help Data Controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance (see Article 24).

When is a DPIA needed?

Carrying out a DPIA is not mandatory for every processing operation. A DPIA is only required when the processing is “likely to result in a high risk to the rights and freedoms of natural persons” (Article 35(1)).

Such processing, according to Article 35(3), includes (but is not limited to):

  • systematic and extensive processing activities, including profiling, where decisions are made that have legal effects – or similarly significant effects – on individuals.
  • large scale processing of special categories of data or personal data relating to criminal convictions or offences.
  • large scale, systematic monitoring of public areas (e.g. CCTV).

So what other cases will involve “high risk” processing that may require a DPIA? In May, the Article 29 Working Party published its data protection impact assessment guidelines for comments. We are still waiting for the final version but I don’t think it is going to change much. It sets out the criteria for assessing whether processing is high risk. This includes processing involving:

  1. Evaluation or scoring, including profiling and predicting especially from aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements
  2. Automated decision-making with legal or similar significant effects
  3. Systematic monitoring of individuals
  4. Sensitive data
  5. Personal Data on a large scale
  6. Datasets that have been matched or combined
  7. Data concerning vulnerable Data Subjects
  8. Innovative use or application of technological or organisational solutions
  9. Data transfers across borders outside the European Union
  10. Processing that prevents Data Subjects from exercising a right or using a service or a contract

What information should the DPIA contain?

The GDPR sets out the minimum features of a DPIA (Article 35(7), and Recitals 84 and 90):

  • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the Data Controller.
  • An assessment of the necessity and proportionality of the processing in relation to the purpose.
  • An assessment of the risks to individuals.
  • The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

A DPIA can address more than one project.

The ICO’s Code of Practice on Privacy Impact Assessments will assist as well as the Irish Data Protection Commissioner’s Guidance.

When should a DPIA be conducted?

DPIAs should be conducted before the processing operation commences. DPIAs are an integral part of taking a Privacy by Design approach, which is emphasised in Article 25. The DPIA should be treated as a continual process, not a one-time exercise. Data Controllers should start it early and update it throughout the lifecycle of the project.

The GDPR comes into force on 25th May 2018, and DPIAs are legally mandatory only for processing operations that are initiated after this date. Nevertheless, the Article 29 Working Party strongly recommends carrying out DPIAs for all high-risk operations prior to this date.

Who should conduct the DPIA?

A DPIA may be conducted by the Data Controller’s own staff or an external consultant. Of course the Data Controller remains liable for ensuring it is done correctly. The Data Protection Officer’s advice, if one has been designated, must also be sought as well as the views (if appropriate) of Data Subjects or their representatives.

If the DPIA suggests that any identified risks cannot be managed and the residual risk remains high, the Data Controller must consult with the Information Commissioner before moving forward with the project. Regardless of whether or not consultation with the ICO is required, the Data Controller’s obligations of retaining a record of the DPIA and updating the DPIA in due course remain.

Even if ICO consultation is not required, the DPIA may be reviewed by the ICO at a later date in the event of an audit or investigation arising from the Data Controller’s use of personal data.

What are the risks of non-compliance?

Failure to carry out a DPIA when the processing is subject to a DPIA (Article 35(1) and (3)), carrying out a DPIA in an incorrect way (Article 35(2) and (7) to (9)), or failing to consult the ICO where required (Article 36(3)(e)), can each result in an administrative fine of up to 10 million Euros, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

More about Data Protection Impact Assessments in our forthcoming webinar.

Let Act Now help with your GDPR preparations. Our full day workshops and GDPR Practitioner Certificate (GDPR.Cert) courses are filling up fast. We also offer a GDPR health check service in which we come and carry out an audit and help you prepare and address any weaknesses.


Image credits: https://privacy.org.nz/blog/toolkit-helps-assess-your-privacy-impact/


Ghost in the machine

By Paul Simpkins

Like any normal UK male I like to watch sport on TV. As the season all over Europe comes to a conclusion the titles and cups are being decided. Exactly the wrong time to take a holiday. Why?

Because despite Sky Go and BT allowing you to watch their products on your laptop or other device while you’re away from home things stop working when you leave the UK. It’s nothing to do with Brexit. Your device works out that you’ve left and suddenly many services that you use frequently start to deny you access for the simple reason that you’re away from home. If you want to watch the destination of the titles and cups you have to hope that you can find a friendly bar with a TV and hope the locals aren’t supporting the team that is playing your team.  You may have to consume alcohol and even sing sporting anthems badly but that’s part of the fun.

If you prefer to sit in the safety of your hotel room or rural gite or caravan there is another solution. Buy a wifi session. Your venue will probably sell you one for a few euros and you can watch in peace with a steaming cappuccino. Trouble is your device may still not allow you to connect to UK channels as it will still think you’re away from home as your IP address identifies your location.

But there’s a solution for that as well. Buy an app that masks your IP address. I’ve used this one.


And it’s worked well. For free it will tell your computer sitting in Bordeaux that it’s really in Manchester so it will be able to watch iPlayer, Sky & BT without a problem. Yabba dabba doo!

Until recently when I purchased a month’s wifi from the site where I am currently staying. The company concerned is called Ozmosis.


It’s full of lovely pictures of people enjoying themselves on holiday (the sunglasses give it away) using their wifi on holiday parks throughout Europe. 8 million users no less. So I bought a month’s wifi from them.

When it came to the Champions League semi-finals I thought I’d watch. It took a while. You have to run Cyberghost and find out that only 2000 free places exist and they count down at about ten a second until wow you’re sorted and watch the IP address emigrating from south west France to Manchester via a slow moving graphic, then eventually log on to BT Sport. Even then it often doesn’t work.

No problem. It was worth the effort. Until the following morning when you try to log on to the internet as usual. It doesn’t work. Suddenly it dawns on you, via a series of messages from Ozmosis, that they’ve identified a streaming service on your computer which violates their terms and conditions and they have terminated your wifi (after 6 of 31 days).

You ring the help line and you have to admit that you’ve been a naughty boy using an IP masking routine; apologise, delete it from your machine and they restore your wifi.

But then you think…

Who are they to say what I can do with their product? I buy it. It connects me to the internet. Can I watch porn channels with it? Can I hack health services all over Europe with it? If I buy product A that enables me to do many things can the provider of Product A stop me from doing B, C and D, E and F with their enabling product?

If I bought a Kindle and loaded it with racist literature could Amazon stop me reading it?

If I bought a car and was told by the salesman that I couldn’t drive to Chipping Sodbury because they didn’t like the name.

If I bought a mobile phone but was limited in the numbers I could call?

(other off the wall examples sought by the author)

So there you are. I can buy wifi and perform normal functions like check my email or look at my bank account or whatsapp my auntie but not watch Atletico Madrid fail to beat Real Madrid without being penalised by a faceless sysadmin near Montpellier who cuts off a service I’ve paid for because I’m doing something they don’t like.  I have no other option on my campsite. Ozmosis have a monopoly.

OK, millions of people streaming a major football match might use a lot of bandwidth but that’s what most European males on a campsite want to do. Saying in the T & C that you can’t do it makes buying the wifi worthless. Increase your capability Ozmosis or get out of the sector (but they’re making zillions of euros so they won’t do that).

I expect a torrent of abuse from normal people who live without watching big sporting events but living in France for several weeks eating quality food and drinking cheap quality wine and beer while enjoying temperatures 10 degrees higher than the UK needs some mitigation, otherwise it would be Paradise Lost – but that’s another story.
