Data Protection and Confidentiality

Presenter: Paul Ticher

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

What Data Protection is about

Protecting data; protecting people.

• Keeping information in the right hands (and knowing what the ‘right hands’ are)
• Holding good quality data

The people concerned include clients, service users, employees, volunteers, donors, members, supporters and professional contacts.

What Data Protection is about: 2

[Cartoon with speech bubbles: “Give us more money!”, “Support our campaign!”, “But of course we told your social worker”]

• Give people good grounds to see that we use their information responsibly and that they can trust us
– Be transparent: open and honest; don’t hide things or go behind people’s backs
– Offer people a reasonable choice over how you use their data, and what for

What Data Protection is about: 3

• Recognise individual rights, such as:
– Right of Subject Access
– Right to opt out of direct marketing
– Right to compensation for harm

The current legal basis

• EC Directive 95/46/EC
– Data Protection Act 1998
– Similar legislation in most other European countries
• Privacy & Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Codes of Practice and non-statutory Guidance:
– Information Commissioner
– Fundraising Regulator

The General Data Protection Regulation (GDPR)

• First draft January 2012
• Extensive negotiations over nearly four years
• Final agreed draft December 2015
• Adopted April 2016 and published May 2016
• Applies from 25th May 2018
• It’s a Regulation, not a Directive: it applies directly, without a national implementing Act
• The UK government has already committed to keeping it, perhaps with minor changes

GDPR themes

• Data Protection built into the way you work – “by design and by default”
• Data Controllers must be able to evidence their compliance
• Emphasis on reducing risk
• Limited extension of individual rights
• More control over online services and large commercial organisations, especially multinationals

The Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant and not excessive (GDPR: limited to what is necessary)
4. Data must be accurate and up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

The main topics for today:

• Security
• Accuracy & data quality
• Transparency
• Choice

But first:
• The definition of personal data
• Confidentiality

Personal data

[Diagram: a 2×2 grid of Personal / Not personal against Data / Not data. Only information that is both ‘personal’ and ‘data’ is covered by the Act.]

The Act applies to information that is ‘personal’ and ‘data’.
The personal part means that it is about identifiable, living individuals.
The data part means that it is recorded:
– electronically or on an automated system
– in a ‘relevant [manual] filing system’
– with the intention of going into one of these systems

Relevant filing system

This is defined as:
• a set of information
• [not held on computer]
• structured so that
• specific information
• relating to a particular individual
• is readily accessible

Data Protection and Confidentiality overlap a lot, but they are not the same

[Venn diagram: Data Protection and Confidentiality as overlapping circles, labelled ‘Clear boundaries’.]

Confidentiality

• Define the boundaries: who needs access to what information, for what purposes
• Be clear when it might not be maintained
• How do you ensure your clients, etc, understand where the boundaries are?
• How do you ensure your staff and volunteers respect the boundaries?

Weak points on confidentiality

• Discussing confidential information with a partner or friend
• Posting confidential information on social media
• Talking about confidential information in public
• Working on confidential material in public
• Losing confidential documents, or leaving them around
• Giving out information over the phone without checking who is asking
• Sharing information about people who have not given permission
• Disposing of information carelessly

Additional material

• Retention periods
• Notification
• Subject access
• Redress
• Freedom of Information
• Sensitive data
• Acting for others
• Transfers abroad
• Policies & roles
• Future changes
• Data Controller
• Data Processor

Data Protection: the absolute basics

We are trying to:
• Prevent harm by
– Keeping data only in the right hands (and being clear what ‘the right hands’ are)
– Holding good quality data (accurate, up to date and adequate)
• Allay concerns and show respect by
– Making sure people know enough about what we are doing
– Giving people a choice where possible

‘Fair’ processing (Principle 1): Transparency

• Being fair means that people should have no unpleasant surprises when you use data about them
• You must always think, in particular, whether you need to tell them anything about:
– who is collecting their information
– what purposes you hold their data for
– who you might pass the data on to
– how to contact you if they want to stop you from using their data or check what you are doing

More transparency requirements under GDPR

Data Subjects must usually be made aware of (Art. 13):
• the identity and the contact details of the controller
• the purposes as well as the legal basis of the processing
• where relevant, the legitimate interests relied on
• any recipient(s); any overseas transfers
• the storage period, or the criteria used to determine it
• the right of access to data, and to rectification or erasure
• the right to withdraw consent at any time
• the right to lodge a complaint with a supervisory authority
• whether the provision of personal data is [contractually] required [or] … the possible consequences of failure to provide [it]

‘Fair’ processing (Principle 1): Choice

• People must usually have a reasonable choice over how their information is used
• Choice and consent are not the same thing
• Choices can be:
– Opt out (we’ll do it unless you say ‘no’) – may equal consent
– Opt in (we’ll only do it if you say ‘yes’) – normally equals consent
• Be clear about what choices are offered, record them carefully, and ensure that they are acted on
• Consent need not be in writing

Conditions for fair processing

• With the consent of the Data Subject (“specific, informed and freely given”)
• For a contract involving the Data Subject
• To meet a legal obligation
• To protect the Subject’s ‘vital interests’
• Government & judicial functions
• In your ‘legitimate interests’, provided the Data Subject’s interests are respected

Consent (GDPR)

Consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11))

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” (Article 7(1))

“Silence, pre-ticked boxes or inactivity should … not constitute consent.” (Recital 32)

When is consent not required under GDPR?

Similar conditions to now, including:

Processing is lawful [if it is] “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. …” (Article 6(1)(f))

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” (Recital 47)

Direct Marketing (including fundraising)

• If you are going to use people’s information for Direct Marketing you must tell them (because of Principle 2)
• Anyone may ‘require’ you in writing to stop (DPA section 11). If someone says ‘stop pestering me’ you must comply
• The question is: do you need consent? And if so, what counts as consent?

Current practice under review, e.g.:

Mail:
• No objection = assumed consent
Telephone:
• ‘Admin calls’ with heavy fundraising content
• “We know you are on TPS but …”
Email:
• No consent, but a prominent unsubscribe

What RSPCA & British Heart Foundation got into trouble for

All without the Data Subjects’ knowledge or consent:
• Data sharing on a massive scale, through Reciprocate
• Wealth screening and profiling of their donors
• Data matching to amend or add to the contact data they held

Legal framework

• DPA right to prevent direct marketing
– Good practice: offer an opt-out at the point of data capture
• Mailing Preference Service (voluntary)
• No marketing calls to a number on the TPS without prior consent (PECR)
• No marketing emails or texts without prior consent (PECR)
• The “voluntary” Code of Fundraising Practice
• The EU Regulation will replace the DPA but not PECR

What counts as direct marketing/fundraising?

• DPA: the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.
• ICO Guidance: All promotional material falls within this definition, including material promoting the aims of not-for-profit organisations. … It will also cover any messages which include some marketing elements, even if that is not their main purpose.

So …

• Legally, no consent is required for direct mail
• You should probably offer at least an opt-out from mailings
• Simplest, and probably best, to ask for an opt-in to:
– phone or fax marketing (preference services)
– e-mail or text message marketing (PECR)
• Probably not a good idea: sharing the data with other organisations for them to mail

Implications

• Every organisation must decide who will be asked to consent to what, and how they will be asked/informed
• Consent cannot be recorded just as a tick; the record must show when consent was given and what for (and possibly when it expires)
• Consent should be channel-specific
• Suppression-based marketing and fundraising is unlikely to be sufficient, but suppression lists must still be an option
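The consent-recording points above (a dated record of what was agreed and for which channel and purpose, expiry and withdrawal, and a suppression list that applies whatever consent exists) can be turned into a small ledger. The following is an added example and not part of the original presentation: the ConsentLedger class, the channel names, the rule that email, text, phone and fax need an opt-in while post is opt-out (the deck’s suggested practice), and the sample records for ‘alice’, ‘bob’ and ‘carol’ are all constructed for the illustration.

```python
# Consent ledger: channel- and purpose-specific consent with evidence, expiry,
# withdrawal and suppression. Added example, not from the original deck; the
# class, channel names and sample records are hypothetical.
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Channels the deck suggests opt-in for (PECR for email/text, preference
# services for phone/fax). Post is opt-out: allowed unless objected to.
OPT_IN_CHANNELS = {"email", "sms", "phone", "fax"}
ALL_CHANNELS = "*"


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    """One affirmative consent, with the evidence Article 7(1) asks for."""
    subject_id: str
    channel: str
    purpose: str
    given_at: datetime
    source: str      # where captured, e.g. form version or call reference
    wording: str     # the exact statement the person agreed to
    expires_at: datetime | None = None
    withdrawn_at: datetime | None = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []
        self._objections: dict[tuple[str, str], datetime] = {}

    def record_consent(self, rec: ConsentRecord) -> None:
        # A bare tick is not evidence: insist on source, wording and a real time.
        if not rec.wording.strip() or not rec.source.strip():
            raise ValueError("consent must record its source and wording")
        if rec.given_at.tzinfo is None:
            raise ValueError("given_at must be timezone-aware")
        self._records.append(rec)

    def withdraw(self, subject_id: str, channel: str, purpose: str,
                 when: datetime) -> None:
        """Mark live consents for exactly this channel/purpose as withdrawn."""
        key = (subject_id, channel, purpose)
        self._records = [
            replace(r, withdrawn_at=when)
            if (r.subject_id, r.channel, r.purpose) == key and r.withdrawn_at is None
            else r
            for r in self._records]

    def suppress(self, subject_id: str, when: datetime,
                 channel: str = ALL_CHANNELS) -> None:
        """'Stop pestering me': an objection overrides any consent."""
        self._objections[(subject_id, channel)] = when

    def evidence(self, subject_id: str, channel: str, purpose: str,
                 now: datetime) -> list[ConsentRecord]:
        """Consents live at `now` for exactly this channel and purpose."""
        return [r for r in self._records
                if (r.subject_id, r.channel, r.purpose) == (subject_id, channel, purpose)
                and r.given_at <= now
                and (r.withdrawn_at is None or r.withdrawn_at > now)
                and (r.expires_at is None or r.expires_at > now)]

    def may_contact(self, subject_id: str, channel: str, purpose: str,
                    now: datetime) -> tuple[bool, str]:
        for key in ((subject_id, ALL_CHANNELS), (subject_id, channel)):
            when = self._objections.get(key)
            if when is not None and when <= now:
                return False, "suppressed"
        if channel not in OPT_IN_CHANNELS:
            return True, "opt-out channel, no objection"
        if self.evidence(subject_id, channel, purpose, now):
            return True, "consent on record"
        return False, "no live consent for this channel and purpose"


def demo() -> dict:
    """Constructed scenarios exercising the deck's rules; outcomes keyed by name."""
    led = ConsentLedger()
    led.record_consent(ConsentRecord(
        "alice", "email", "fundraising", utc(2017, 1, 10), "web_form_v3",
        "Yes, email me about supporting your work", expires_at=utc(2019, 1, 10)))
    led.suppress("bob", when=utc(2017, 3, 1))            # bob objected to all contact
    led.withdraw("alice", "email", "fundraising", when=utc(2017, 7, 1))
    now = utc(2017, 6, 1)

    def ask(s: str, c: str, p: str, t: datetime = now) -> bool:
        return led.may_contact(s, c, p, t)[0]

    out = {
        "alice_email": ask("alice", "email", "fundraising"),         # live consent
        "alice_sms": ask("alice", "sms", "fundraising"),             # channel-specific
        "alice_email_news": ask("alice", "email", "campaign_news"),  # purpose-specific
        "alice_after_withdrawal": ask("alice", "email", "fundraising", utc(2017, 8, 1)),
        "alice_after_expiry": ask("alice", "email", "fundraising", utc(2019, 6, 1)),
        "bob_post_before_objection": ask("bob", "post", "fundraising", utc(2017, 2, 1)),
        "bob_post_after_objection": ask("bob", "post", "fundraising"),
        "alice_evidence": len(led.evidence("alice", "email", "fundraising", now)),
    }
    try:  # a record with no wording is just a tick, and is refused
        led.record_consent(ConsentRecord("carol", "sms", "fundraising",
                                         utc(2017, 1, 1), "import", ""))
        out["bare_tick_rejected"] = False
    except ValueError:
        out["bare_tick_rejected"] = True
    return out
```

may_contact is answered for a point in time, so a consent withdrawn in July still justifies a mailing sent in June, and an objection received in March does not retrospectively make a February mailing unlawful; evidence() returns the records you would produce to show that consent was given (Article 7(1)); and an objection on the suppression list always wins over a consent, for that channel or for all of them.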

‘Sensitive data’

• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade Union membership
• Physical or mental health or condition
• Sexual life
• Offences, etc.

Conditions for processing ‘sensitive data’ include:
• ‘Explicit’ consent of the Data Subject
• To protect the vital interests of the Data Subject or another person
• Where deliberately made public by the Data Subject
• Equalities monitoring on race/ethnicity, disability, religion
• Confidential counselling, advice, support, etc, where:
– consent cannot be obtained, or
– it is reasonable not to have consent, or
– seeking consent would jeopardise the service
• … and many others

Data quality (Principles 3 & 4)

The Data Protection Act says that data must be:
• Adequate
• Relevant
• Not excessive
• Accurate
• Up to date (where necessary)

Detailed records, e.g. clients

• Don’t record anything unless you can justify it as relevant and not excessive
• Check your facts where possible:
– with the individual
– with a colleague
– with an expert
– via authoritative documents
• Make clear when something is an opinion or a concern, not a checked fact
• Quote the source of the information, or the evidence on which opinions are based

Less detailed records, e.g. members, donors, customers

• Ask the right questions and/or explain why you are asking
• Design your systems, wherever possible, to encourage accurate data entry
• Give people plenty of opportunity to tell you when things change, and to check that their records are up to date
• Synchronise systems regularly (where it is unavoidable to have someone’s records on two different systems)

Retention periods (Principle 5)

• Law or legal regulations (can be up to 50 years)
• Information you might need in the event of a legal case (often six or seven years)
• Information to prevent disagreements between you and the individual
• Practical considerations (could be days, weeks, months or years)
• Indefinite: for historical or research purposes, subject to restrictions

Suggested approach to retention:
• Broad brush, not fine detail
• Short-term (up to 6 months)
• Medium-term (six or seven years), possibly with an intermediate term of three years
• Long-term (indefinite)

Security (Principle 7)

Security is about ensuring that the boundaries set by your confidentiality policies are protected, so that information does not fall into the wrong hands.

The Data Protection Act says you must protect personal data against:
– unauthorised or unlawful processing (which includes unauthorised access)
– accidental loss, destruction or damage

The security measures must be appropriate to the harm that could result and the nature of the data. They must also be both technical and organisational. The Information Commissioner can impose a monetary penalty of up to £500,000 for serious breaches.

Penalties for security breaches

• British Pregnancy Advisory Service: website hacked into and nearly 10,000 highly confidential records accessed
• Ealing & Hounslow councils: jointly responsible for the theft of an unencrypted laptop containing 1,700 clients’ details from an employee’s house
• A London HIV support group disclosed email addresses when mailing out an e-newsletter; some of the addresses identified the individuals
• Powys County Council mixed up two child protection reports and posted part of one to someone who recognised the people involved
• An Aberdeen social worker, working from home, inadvertently allowed her computer to upload confidential documents to an unprotected web site

Key security measures

• Protect ‘data in transit’
– passwords and encryption on USB devices, phones, tablets and laptops
– extreme care when e-mailing (encryption?)
– care of confidential documents
• Network security – anti-virus, firewall, log-ons, etc.
• Website/internet security
• ‘Bring Your Own Device’ policy
• Policy on use of cloud applications
• Access to the building, clear desks, locked filing cabinets
• Secure destruction – shredding, etc.
• Staff reliability: checks, supervision, monitoring
• External contractors (‘Data Processors’)

You could be breaking the law

It is a criminal offence (DPA 1998, section 55) to:
• ‘knowingly or recklessly’ obtain or access personal data you are not authorised to access
• ‘knowingly or recklessly’ allow another person unauthorised access
This means, for example:
• Don’t share your computer log-in details
• Don’t poke around to look at personal information you know you are not supposed to see

Transfers abroad (Principle 8)

• Try to maintain protection:
– by law: EEA (EU + Norway, Iceland, Liechtenstein)
– by law where approved: Andorra, Argentina, Canada (partly), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay
– recipient in the USA signed up to ‘Privacy Shield’ (since struck down by the Court of Justice of the EU in 2020)
– by approved contract with the recipient
• Otherwise, get consent (except in a few cases, such as a transfer necessary for a contract involving the Data Subject)
• Personal data on a web site may need consent from the Data Subject – and transparency is essential

Data Controller

• The ‘person’ legally responsible for complying with the Data Protection Act
• Can be an individual, but is usually the organisation (staff and volunteers are acting on behalf of the Data Controller)
• You cannot choose to be the Data Controller on behalf of another organisation
• A trading company, even a wholly owned one, is a separate Data Controller
• Two or more organisations can be joint Data Controllers of the same data

Data Controller / Data Processor

• “Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
• “Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

Data Processor

• An organisation to which work is outsourced, where that work involves access to Personal Data
• The Data Controller remains responsible for what happens to the data
• There must be a written contract with the Data Processor, setting out:
– what they are to do
– what the relationship is
– security
– other points worth covering (see checklist)

Examples of Data Processors

• Payroll service
• Cloud provider
• Tele-marketing company
• Client database maintenance & development
• Mailing house
• Sub-contractor delivering services

• But not individual staff or volunteers (they are part of the Data Controller)

Possible policy & procedure framework

• Top level (approved by the Board)
– Data Protection
– Confidentiality
– Security
• Next level (responsibility of team/department managers) – depends on the organisation, for example:
– Case recording procedures
– Marketing, including opt-ins and opt-outs
– Detailed security arrangements

A Data Protection policy should cover, at least:
• Introduction and general principles
• Responsibilities of the Data Protection officer, other managers and staff
• Legal provisions: subject access, Notification, Data Processor contracts
• References to relevant policies and procedures

Responsibilities of a Data Protection officer:
• Briefing the board on Data Protection responsibilities
• Reviewing Data Protection and related policies
• Advising other staff on tricky Data Protection issues
• Ensuring that Data Protection induction and training takes place
• Notification
• Handling subject access requests
• Approving unusual or controversial disclosures of personal data
• Approving contracts with Data Processors

Notification

• By the Data Controller, filling in a form and paying £35 a year to the Information Commissioner
• No change in responsibilities: all the Principles still apply
• Manual systems are not required to notify
• ‘Core’ business purposes are generally not required to notify:
– personnel, including payroll & volunteers
– accounts & customer/supplier records
– your own marketing, promotion & PR
– membership records of a non-profit organisation
• Voluntary Notification is allowed

Subject Access

• The Data Controller must provide a permanent, intelligible copy of pretty much all the Personal Data held about that Data Subject
• The Data Subject may limit the request if they choose
• The Data Controller may withhold third party material, especially if a duty of confidentiality is owed
• The Data Controller may charge up to £10
• The information must be provided within 40 calendar days
• (Under GDPR the fee is normally abolished and the deadline becomes one month)

Freedom of Information

• Applies only to public authorities
• Scotland has its own separate legislation
• Gives anyone the right of access to any information, subject to exemptions
• Exemptions include personal data
• Information supplied to public authorities by voluntary organisations is disclosable
• A voluntary organisation may have to disclose information it holds on behalf of a public authority

Acting for others

• Everyone has their own individual Data Protection rights, but may have someone else act on their behalf
• To act on someone’s behalf you must be authorised:
– through having parental responsibility
– directly by the person (as long as they have the capacity)
– under laws such as the Mental Capacity Act 2005 (or its Scottish equivalent)
• Teenagers may be able to act for themselves:
– In Scotland the presumption is from the age of 12
– In England and Wales it depends on the particular child’s capacity

Mental Capacity Act 2005

• Assume people have capacity until proved otherwise
• Take all practicable steps to help people decide for themselves
• People can make an unwise decision if they want to
• Act or decide in people’s best interests
• Minimise any restriction on people’s rights and freedom of action

Redress if things go wrong

• An individual can ask the Information Commissioner for an ‘assessment’ of whether Data Protection has been breached
• They can go to court to get wrong information corrected, deleted or clarified
• They can get compensation for any harm (and associated distress)
• The court can also prevent processing that causes someone substantial harm
• The court can enforce Subject Access