Title: Data protection is relevant to every individual, business or organisation today, not just Local Gove
1Introduction
- Data protection is relevant to every individual,
business or organisation today, not just Local
Government. - As well as protecting privacy, data protection is
concerned with sharing information, in a secure
managed way. - DP gives us rights as subjects, but this
presentation is about DP and Rother in
particular the role of Elected Members.
2Freedom of Information v DP
- The Freedom of Information Act 2000 (FOI) gives
people access to information which is held by/on
behalf of public authorities subject to various
exemptions and so generally excludes personal
information about individuals. - The Data Protection Act 1998 gives individuals
access to information of which they are the
subject, e.g. someones own file, or electronic
records, etc. and requires it to be kept secure
from others.
3Data Protection Principles
- Data must be
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate
- not kept for longer than is necessary
- processed in line with subjects rights
- secure and,
- not transferred to countries without adequate
protection.
4What is data?
- Under the Data Protection Act 1984 only
electronic data was covered - Now any data is covered, whether electronic,
paper or however stored.
5Rights under the Act
- 1. The right to subject access
- 2. The right to prevent processing if
- substantial unwarranted damage or distress
- 3. The right to prevent direct marketing
- 4. Objection to automated decision-taking
- 5. The right to compensation for breach of the
law - 6. The right to rectification, blocking, erasure
and destruction - 7. The right to involve the Commissioner
6Notification
- The Information Commissioner maintains a public
register of data controllers, e.g. Rother. - Each register entry includes the name and address
of the data controller and a description of the
processing of data. - Individuals can consult the register to find out
what processing of personal data is being carried
out by a particular data controller. - Notification is the process of adding a data
controllers details to the register.
7Elected membersmust decide in which capacity
they process personal data
- Working Councillor
- Political Role
- Personal Role
8Working Councillor
- Members may have access to and process personal
data in the same way as employees. - The data controller is the Council rather than
the elected member. - An example is of a member of the Licensing
Committee who has access to financial information
for the purpose of considering whether or not the
Council should grant a rate relief. In this case
the elected member is not required to notify. - Data given for one purpose cannot be used for
another purpose.
9Political Role
- When acting on behalf of a political party,
for instance as an office holder or as an
official candidate, Members are entitled rely
upon the data protection notification made by the
party. This could include details of party
supporters and workers. - You can seek support from local residents whom
you have assisted in the past as a Councillor.
But you cannot disclose the details of those
local residents to the party without consent.
10Personal Role
- When Councillors act on their own behalf, they
are likely to have to notify in their own right.
Examples include - Processing personal data on a computer in order
to timetable surgery appointments or progress
complaints made by local residents. - Campaigning within your own political parties for
adoption as a prospective candidate you can only
rely upon the notification of your parties if the
parties control the processing of personal data
for the purpose of individual campaigns.
11Non-automated records
- There is an important exemption from notification
where the only personal data, which are
processed, take the form of non-automated or
manual records. - However, even if this is the case and there is no
notification requirement, elected members must
comply with the other requirements of the Data
Protection Act, in particular the 8 data
protection principles
12Registration Number Z529954X Date Registered
02-MAY-01 Registration expires 01-MAY-06 Data
Controller ROTHER DISTRICT COUNCIL This
register entry describes, in very general terms,
the personal data being processed and held for 12
purposes Staff Administration Accounts
Records Property Management Leisure and
Cultural ServicesCouncil Tax Benefits
Environmental Health, Planning, Licensing,
Registration and Regulation Crime Prevention and
Prosecution of Offenders Corporate Functions
Other non - commercial activities Other
Commercial Services Advertising, Marketing,
Public Relations, Advice etc.
13Data Collection
- "in determining whether personal data are
processed fairly, regard is to be had to the
method by which they are obtained, including in
particular whether any person from whom they are
obtained is deceived or misled as to the purpose
or purposes for which they are to be processed
DPA 98 Schedule 1 - The padlock symbol alerts people
- that their information is
- being collected and explains
- where they can find out how
- it is to be used.
14Subject Access
- A request by someone for a copy of information
held about them is known as a Subject Access
Request. - Requests must be made to the person or
organisation data controller who holds and/or
uses the information. - Requests must be in writing and accompanied by
the fee of 10. - Proof of identity may be necessary.
- Within 40 days they must be told if any personal
data are held about them and given a copy.
15Some Exemptions from access
- Information for taxation purposes
- Prevention and detection of crime
- Regulatory activity, such as protecting the
public - Journalism, literature or art or for research,
etc. - Information available to the public under an
enactment - Required by law or for legal proceedings
- Confidential references
- Prevent prejudice to negotiations
- Legal professional privilege
16Data Processing
- The definition in the Act is wide. This
definition incorporates, amongst other things,
the concepts of obtaining, holding and
disclosing. - The second Data Protection Principle states
- Personal data shall be obtained only for one or
more specified and lawful purposes, and shall not
be further processed in a manner incompatible
with that purpose or those purposes. -
17Requirements for Data Processing (at least one
must apply)
- Consent of data subject
- Contract with data subject
- Legal obligation (not by contract)
- Protecting vital interests of data subject
- Public functions, administration of justice
- Specific statutory power
- Legitimate interests of controller unless
prejudicial to data subject
18Statutory Powers to process data without consent
- Prevention or detection of crime,
- Apprehension or prosecution of offenders,
- Assessment or collection of any tax or duty or of
any imposition of a similar nature, - Authorised data sharing
19Sensitive Personal Data-special care needed
- Racial or ethnic origin
- Political opinions
- Trade union membership
- Religion or beliefs
- Health or sexual life
- Criminal offences
20Fair Processing by Members
- Information, which is held by the local
authority, may not be used for political or
representational purposes unless all the
individuals to whom it relates (the data
subjects) have agreed. - You cannot use a list of users of a Council
service for electioneering purposes without the
consent of those individuals. - You cannot use personal data about someone to
which you had access in an official capacity, say
as a member of a Committee, to help someone else
unless all the individuals concerned have
consented.
21Political Activity
- Officers should not normally disclose information
to elected members for political purposes.
Exceptions would be - Consent of the data subject
- Data which the Council is required to make public
(for instance lists of some types of licence
holder) - Information which does not identify any living
individuals (for instance Council Tax band
information or statistical information).
22Officers duties to Members
- Members should only be given access to as much
information as is necessary to carry out their
duties. - Officers should specify the purposes for which
that information may be used or disclosed. This
may be clear in the circumstances or through
general procedures and guidelines. - Where the member takes a copy of the information
away from Council premises whether in paper or
electronic form, steps must be taken to ensure
the security of the information.
23Offences
- Where processing is being undertaken and the
Information Commissioner has not been notified. - Obtaining or disclosing personal information
without the consent of the data controller. This
covers unauthorised access to and disclosure of
personal information. - Bringing office into disrepute.
24Points to Remember
- The need to keep personal data secure.
- How we deal with requests for information about
people. - People who say they are the person concerned may
not be telling the truth. - Beware family members of data subject.
- Even within the Council, personal data should
only be passed on to colleagues who have a
legitimate need for it - Disposal of paper which includes any personal
information.