Data protection is relevant to every individual, business or organisation today, not just Local Gove

1
Introduction

• Data protection is relevant to every individual,
  business or organisation today, not just Local
  Government.
• As well as protecting privacy, data protection is
  concerned with sharing information, in a secure
  managed way.
• DP gives us rights as subjects, but this
  presentation is about DP and Rother in
  particular the role of Elected Members.

2
Freedom of Information v DP

• The Freedom of Information Act 2000 (FOI) gives
  people access to information which is held by/on
  behalf of public authorities subject to various
  exemptions and so generally excludes personal
  information about individuals.
• The Data Protection Act 1998 gives individuals
  access to information of which they are the
  subject, e.g. someones own file, or electronic
  records, etc. and requires it to be kept secure
  from others.

3
Data Protection Principles

• Data must be
• fairly and lawfully processed
• processed for limited purposes
• adequate, relevant and not excessive
• accurate
• not kept for longer than is necessary
• processed in line with subjects rights
• secure and,
• not transferred to countries without adequate
  protection.

4
What is data?

• Under the Data Protection Act 1984 only
  electronic data was covered
• Now any data is covered, whether electronic,
  paper or however stored.

5
Rights under the Act

• 1. The right to subject access
• 2. The right to prevent processing if
• substantial unwarranted damage or distress
• 3. The right to prevent direct marketing
• 4. Objection to automated decision-taking
• 5. The right to compensation for breach of the
  law
• 6. The right to rectification, blocking, erasure
  and destruction
• 7. The right to involve the Commissioner

6
Notification

• The Information Commissioner maintains a public
  register of data controllers, e.g. Rother.
• Each register entry includes the name and address
  of the data controller and a description of the
  processing of data.
• Individuals can consult the register to find out
  what processing of personal data is being carried
  out by a particular data controller.
• Notification is the process of adding a data
  controllers details to the register.

7
Elected membersmust decide in which capacity
they process personal data

• Working Councillor
• Political Role
• Personal Role

8
Working Councillor

• Members may have access to and process personal
  data in the same way as employees.
• The data controller is the Council rather than
  the elected member.
• An example is of a member of the Licensing
  Committee who has access to financial information
  for the purpose of considering whether or not the
  Council should grant a rate relief. In this case
  the elected member is not required to notify.
• Data given for one purpose cannot be used for
  another purpose.

9
Political Role

• When acting on behalf of a political party,
  for instance as an office holder or as an
  official candidate, Members are entitled rely
  upon the data protection notification made by the
  party. This could include details of party
  supporters and workers.
• You can seek support from local residents whom
  you have assisted in the past as a Councillor.
  But you cannot disclose the details of those
  local residents to the party without consent.

10
Personal Role

• When Councillors act on their own behalf, they
  are likely to have to notify in their own right.
  Examples include
• Processing personal data on a computer in order
  to timetable surgery appointments or progress
  complaints made by local residents.
• Campaigning within your own political parties for
  adoption as a prospective candidate you can only
  rely upon the notification of your parties if the
  parties control the processing of personal data
  for the purpose of individual campaigns.

11
Non-automated records

• There is an important exemption from notification
  where the only personal data, which are
  processed, take the form of non-automated or
  manual records.
• However, even if this is the case and there is no
  notification requirement, elected members must
  comply with the other requirements of the Data
  Protection Act, in particular the 8 data
  protection principles

12
Registration Number Z529954X Date Registered
02-MAY-01 Registration expires 01-MAY-06 Data
Controller ROTHER DISTRICT COUNCIL This
register entry describes, in very general terms,
the personal data being processed and held for 12
purposes Staff Administration Accounts
Records Property Management Leisure and
Cultural ServicesCouncil Tax Benefits
Environmental Health, Planning, Licensing,
Registration and Regulation Crime Prevention and
Prosecution of Offenders Corporate Functions
Other non - commercial activities Other
Commercial Services Advertising, Marketing,
Public Relations, Advice etc.
13
Data Collection

• "in determining whether personal data are
  processed fairly, regard is to be had to the
  method by which they are obtained, including in
  particular whether any person from whom they are
  obtained is deceived or misled as to the purpose
  or purposes for which they are to be processed
  DPA 98 Schedule 1
• The padlock symbol alerts people
• that their information is
• being collected and explains
• where they can find out how
• it is to be used.

14
Subject Access

• A request by someone for a copy of information
  held about them is known as a Subject Access
  Request.
• Requests must be made to the person or
  organisation data controller who holds and/or
  uses the information.
• Requests must be in writing and accompanied by
  the fee of 10.
• Proof of identity may be necessary.
• Within 40 days they must be told if any personal
  data are held about them and given a copy.

15
Some Exemptions from access

• Information for taxation purposes
• Prevention and detection of crime
• Regulatory activity, such as protecting the
  public
• Journalism, literature or art or for research,
  etc.
• Information available to the public under an
  enactment
• Required by law or for legal proceedings
• Confidential references
• Prevent prejudice to negotiations
• Legal professional privilege

16
Data Processing

• The definition in the Act is wide. This
  definition incorporates, amongst other things,
  the concepts of obtaining, holding and
  disclosing.
• The second Data Protection Principle states
• Personal data shall be obtained only for one or
  more specified and lawful purposes, and shall not
  be further processed in a manner incompatible
  with that purpose or those purposes.

17
Requirements for Data Processing (at least one
must apply)

• Consent of data subject
• Contract with data subject
• Legal obligation (not by contract)
• Protecting vital interests of data subject
• Public functions, administration of justice
• Specific statutory power
• Legitimate interests of controller unless
  prejudicial to data subject

18
Statutory Powers to process data without consent

• Prevention or detection of crime,
• Apprehension or prosecution of offenders,
• Assessment or collection of any tax or duty or of
  any imposition of a similar nature,
• Authorised data sharing

19
Sensitive Personal Data-special care needed

• Racial or ethnic origin
• Political opinions
• Trade union membership
• Religion or beliefs
• Health or sexual life
• Criminal offences

20
Fair Processing by Members

• Information, which is held by the local
  authority, may not be used for political or
  representational purposes unless all the
  individuals to whom it relates (the data
  subjects) have agreed.
• You cannot use a list of users of a Council
  service for electioneering purposes without the
  consent of those individuals.
• You cannot use personal data about someone to
  which you had access in an official capacity, say
  as a member of a Committee, to help someone else
  unless all the individuals concerned have
  consented.

21
Political Activity

• Officers should not normally disclose information
  to elected members for political purposes.
  Exceptions would be
• Consent of the data subject
• Data which the Council is required to make public
  (for instance lists of some types of licence
  holder)
• Information which does not identify any living
  individuals (for instance Council Tax band
  information or statistical information).

22
Officers duties to Members

• Members should only be given access to as much
  information as is necessary to carry out their
  duties.
• Officers should specify the purposes for which
  that information may be used or disclosed. This
  may be clear in the circumstances or through
  general procedures and guidelines.
• Where the member takes a copy of the information
  away from Council premises whether in paper or
  electronic form, steps must be taken to ensure
  the security of the information.

23
Offences

• Where processing is being undertaken and the
  Information Commissioner has not been notified.
• Obtaining or disclosing personal information
  without the consent of the data controller. This
  covers unauthorised access to and disclosure of
  personal information.
• Bringing office into disrepute.

24
Points to Remember

• The need to keep personal data secure. 
• How we deal with requests for information about
  people. 
• People who say they are the person concerned may
  not be telling the truth.
• Beware family members of data subject.
• Even within the Council, personal data should
  only be passed on to colleagues who have a
  legitimate need for it 
• Disposal of paper which includes any personal
  information.