Data Protection extra info


Further information from the Data Protection Agency 

 

Here are the 8 rules from the Data Protection Agency

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes.
  3. Personal data shall be adequate, relevant and not excessive.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data must be processed in accordance with the rights of the individual.
  7. Personal data must be kept secure in order to prevent loss or unauthorised disclosure.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area.

The person whom the data describes has the right to:

  1. Access their own personal information.
  2. Request information about the reasoning behind any automated decisions, such as if computer software denies them access to a loan.
  3. Give written notice requesting businesses or individuals to not make any automated decisions using their personal data.

If a subject makes an access request, then there are 40 calendar days from receiving it to respond.

QUIZ

https://www.highspeedtraining.co.uk/hub/data-protection-quiz/

 

The DPA specifies conditions that must be met when processing personal data; the lists below are not exhaustive. When processing Personal Data, one of the following conditions must be met:

  • The individual has given consent.
  • The processing is necessary for the performance of a contract.
  • The processing is necessary for a legal obligation.
  • The processing is necessary for the protection of the data subject’s vital interests.
  • The processing is necessary for the exercise of any other functions of a public nature exercised in the public interest.
  • The processing is necessary for the purposes of legitimate interests pursued by the data controller.

 

 

 

Special data that requires explicit consent

 

  • politics;
  • race;
  • ethnic origin;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

Never list criminal offences/records

 

When processing this Sensitive Personal Data not only must one of the above apply, but there are additional conditions, at least one of which must be met:

 

  • The data subject has given his explicit consent.

 

  • The processing is necessary for compliance with legal obligations in connection with employment.
  • The processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by or on behalf of the data subject, and the data controller cannot reasonably be expected to obtain consent.
  • The processing is necessary to protect the vital interests of another person, in a case where consent of the data subject has been unreasonably withheld.
  • The personal data has been made public as a result of steps deliberately taken by the data subject.
  • The processing is necessary for the purpose of, or in connection with, any legal proceedings or for the purpose of obtaining legal advice.
  • The processing is of sensitive personal data consisting of information as to racial or ethnic origin, is for the purpose of identifying or reviewing the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and is carried out with appropriate safeguards for the rights and freedoms of data subjects.






Databases need to be registered annually. The following implies that not-for-profit membership records are exempt from registration, but still have to follow the laws.


Data Protection Agency self-test quiz says this:

"If your organisation was established for not-for-profit making purposes and does not make a profit. Also answer ‘yes’ if your organisation makes a profit for its own purposes, as long as the profit is not used to enrich others. You must:

  • only process information necessary to establish or maintain membership or support;
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
  • only share the information with people and organisations necessary to carry out the organisation’s activities. Important - if individuals give you permission to share their information, this is OK (you can still answer ‘yes’); and
  • only keep the information while the individual is a member or supporter or as long as necessary for member/supporter administration."



What is personal data

 

If you can identify a living individual from the data, then any data related to that person is personal data.

 

The detailed rules are:

 

  1. Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller? Yes: go to the next question. No: the data is not personal data.
  2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession? Yes: it is personal data. No: continue with the questions.
  3. Is the data ‘obviously about’ a particular individual? Yes: the data is ‘personal data’ for the purposes of the DPA.
  4. Is the data ‘linked to’ an individual so that it provides particular information about that individual?
  5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual? Yes: the data is ‘personal data’ for the purposes of the DPA.
  6. Does the data have any biographical significance in relation to the individual?
  7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
  8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?




Sources:


https://united-kingdom.taylorwessing.com/uploads/tx_siruplawyermanagement/NB_000168_Overview_UK_data_protection_law_WEB.pdf



https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/


Lawyer Summary

 

What is personal data
