General Data Protection Regulation
Presentation by Peter Raftery, Interim Data Protection Officer, Department of Education and Skills – September 2017
Disclaimer
This presentation is intended as a brief summary of the principal points on
the General Data Protection Regulation and contains general information
only. The following materials do not constitute legal advice on any
particular or general matter and are provided for general information
purposes only. You should always obtain specific legal advice or other
professional advice in relation to data protection law for each specific
matter. No responsibility is taken by the Department of Education and Skills
or the presenter for any errors or omissions.
Department of Education and Skills
September 2017
Privacy & Data Protection law
Current
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Irish Constitution – McGee, Norris
ECHR – Art 8 Right to respect for private and family life
Lisbon Treaty – Art 16 Everyone has the right to the
protection of personal data concerning them
Common law/equity
May 2018
General Data Protection Regulation
Data Protection Bill 2017
Law enforcement directive 680/2016
Personal data
Information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to
one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person;
Article 4(1) of the General Data Protection Regulation
Data Protection terms
Data Controller – the person or organisation which alone or jointly with
others, determines the purposes and means of processing of personal data
Data Processor – a person or organisation which processes personal data
on behalf of the controller.
Data processing means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
Special category data including health data
Sensitive Personal Data (DP Act ‘88 & ‘03) broadly equals Special Category Data (GDPR)
Special categories – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
Health data is personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Processing of special category data is prohibited unless explicit consent to process for a specific purpose or purposes is obtained from the data subject, or the processing is provided for by law – Art 9.2 GDPR
GDPR – Why?
The current data protection standards, set out in the 1995 Directive, need to be updated to take account of technological advances (internet, social networking, big data) and new business models (cloud computing), i.e. the digital economy.
Rapidly developing case law of EU Court of Justice on data protection
Need for more consistent application of data protection law in the single digital market
The digital economy presents opportunities for innovation, job creation and economic growth
Rights and freedoms of individuals; their right to control the uses to which their personal data are put and their freedom not to be subjected to unnecessary monitoring or observation
Consumer trust and confidence in the digital economy and in the provision of public services
General Data Protection Regulation
GDPR is the law - it is not optional
GDPR will take immediate effect from 25th May 2018
GDPR raises the bar for data protection compliance significantly
However, if you have been compliant with the Data Protection Acts 1988 and 2003, the GDPR is only an incremental step
Data protection principles and rights
Legal basis for processing personal data
Data Controllers must be able to demonstrate ACCOUNTABILITY
There is a requirement for greater TRANSPARENCY in how you process data
There are CONSEQUENCES for infringement of the GDPR
Data Protection Principles now and with the GDPR
Current – 8 rules
Obtain and process the information fairly
Keep it only for one or more specified and lawful purposes
Process it only in ways compatible with the purposes for which it was given to you initially
Keep it safe and secure
Keep it accurate and up-to-date
Ensure that it is adequate, relevant and not excessive
Retain it no longer than is necessary for the specified purpose or purposes
Give a copy of his/her personal data to any individual on request
GDPR – 6/7 principles – Art 5
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation – adequate, relevant and limited to what is necessary
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
GDPR – legal basis for processing – Art. 6
Consent
Contract
Compliance with legal obligation
Necessary to protect the vital interests of the data subject or another natural person
Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Legitimate interest (cannot be used where performing a public function)
GDPR – Conditions for Consent – Arts 7 & 9
Freely given, specific, informed and unambiguous
Controller needs to be able to demonstrate that consent was freely given
When processing has multiple purposes consent should be given for all of them
Use clear and plain language
Informed – controller needs to be identified and the purposes of the processing for which the personal data are intended
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in specific cases where there is a clear imbalance between the data subject and the controller – recital 43
Special category data (e.g. health data) – explicit consent or processing is necessary for reasons of substantial public interest on the basis of national or EU law which is proportionate to the aim pursued, respects essence of rights and safeguards in place – Art 9.2(g)
Right to withdraw consent at any time
Data sharing in the public service
Have a legal basis
Transparency
Proportionate
Necessary - Clear justification
Data minimisation – share the minimum needed to meet the objective for sharing
Strict access and security controls
Ensure secure disposal
Use Data Sharing Agreement
GDPR and Accountability
Accountability – A controller shall be responsible for and be able to demonstrate compliance with the principles for processing personal data (Art 5.2)
Data Protection policies - revise
Codes of conduct - revise
Inventory of data collections and processing
Requirement to keep a record of processing activities – Art 30
Data Protection Impact Assessments (aka Privacy Impact Assessments)
Data Protection Officer
GDPR Accountability – Inventories
What data?
Who are your data subjects?
Why are you processing their data?
How did you obtain it?
How long will you retain it?
What are the risks to data protection principles or rights?
Do you share the data with anybody?
Who has access?
How secure is it?
GDPR Accountability - DPIA
Risk assessment
Data protection impact assessments can be used to identify and mitigate against any data protection related risks arising from a new project which may affect your organisation or individuals it engages with.
The DPIA will allow you to make informed decisions about the acceptability of data protection risks, and communicate effectively with the individuals affected
Not all risks can be eliminated, but a DPIA can allow you to identify and mitigate against data protection risks, plan for the implementation of any solutions to those risks, and assess the viability of a project at an early stage.
If a DPIA does not identify mitigating safeguards against residual high risks, the Data Protection Commissioner must be consulted
Good record keeping during the DPIA process can allow you to demonstrate compliance with the GDPR and minimise risk of a new project creating legal difficulties
GDPR – ACCOUNTABILITY - DPO
Data Protection Officer (DPO) is the cornerstone of the GDPR’s accountability-based compliance framework
DPO role is supporting an organisation’s compliance with the GDPR.
DPO will act as an intermediary between stakeholders – ODPC, data subjects and units within the organisation.
DPO will have professional standing, independence, expert knowledge of data protection
DPO will be “involved properly and in a timely manner” in all issues relating to protection of personal data
DPO shall report directly to the highest management level e.g. Secretary General, Chief Executive
DPO will be of pivotal importance to an organisation’s preparations for the GDPR.
All public bodies are required to have a DPO i.e. bodies governed by public law
DPO may be a member of staff, an external DPO (by contract) or one shared by a group of organisations
GDPR Transparency – Arts 12 to 14
Personal data must be processed lawfully, fairly and in a transparent manner – Art 5.1(a)
Provide information “in an intelligible and accessible form, using clear and plain language” – Art 12
Layered approach – basic notice, FAQ, detailed technical Fair Processing Notice
Inform when first processing data e.g. on an application form
Privacy notice
Purpose/s and legal basis
Controller’s details & DPO’s details where relevant
Data shared?
Retention period
Details of data protection rights
Right to lodge a complaint with Data Protection Commissioner
Consent used – right to withdraw consent
Use of automated decision-making or profiling
GDPR - Consequences
There are significant consequences where an organisation is found to have infringed the provisions of the GDPR
A controller could be directed to cease processing which infringes the GDPR
The DPC may impose administrative fines in respect of infringements of the GDPR
Administrative fines up to €10m or €20m (or in the case of an undertaking, up to 2% or 4% of total worldwide annual turnover)
National governments may lay down rules on whether admin fines may be imposed on public bodies – some restrictions to imposition of fines on public bodies included in DP Bill 2017
A data subject who has suffered material or non-material damage as a result of an infringement shall have the right to receive compensation from the controller or processor
GDPR and Children – Art 8
No age threshold set to give consent under data protection, except
Government decision on the age of consent to access information society services, e.g. Facebook – to be set at age 13 in the Data Protection Bill 2017
Does the child have an understanding as to what he/she is consenting to?
May need parental consent
Vulnerable persons deserving of specific protection
Emphasis on adapting privacy notices for children
Controllers need to take account of the level of comprehension of the age groups involved
GDPR – Personal data relating to criminal convictions and offences – Art 10
Processing under control of official authority
Or when authorised in national or EU law
Provided appropriate safeguards for the rights and freedoms of data subjects are in place
Data Protection Rights – Arts 15 to 22
Currently
Information on how personal data is processed
Access to personal data
To object
To have the data corrected
To restrict processing
To freedom from automated decision making
GDPR – all current rights plus the following new rights
To erasure (“right to be forgotten”)
To data portability
Automated decision-making including profiling
GDPR – Restriction of data protection rights – Art 23
National governments may restrict by way of legislation data protection rights where it is a necessary and proportionate measure in order to achieve a significant public objective
Rights cannot be extinguished
Safeguards to prevent abuse
GDPR and Data Access Requests – Art 15
Data subject seeking information as to what personal data belonging to them is processed by the controller
The ability to charge a fee has been removed
The time period for dealing with access requests is one month (was 40 days)
Time counts from when the request is first received in writing by any person in the organisation
Data access may be restricted by national law where necessary for a significant public objective and with appropriate safeguards – Art 23
Restrictions on access to health data in certain circumstances where it would be likely to cause serious harm to the physical or mental health of the data subject – Data Protection Bill Head 20.4
See S4 and S5 of the Data Protection Acts 1988 and 2003 for restrictions on access
The information provided on foot of a request must be
Concise, transparent, intelligible and easily accessible
Written in clear and plain language, particularly if addressed to a child
GDPR and security – Art 32
Personal data must be processed in a way that ensures appropriate security of the personal data – Art 5
Implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk – Art 32
Duty on controller to ensure that staff are aware and comply with security measures e.g. clearly defined security policy subject to regular review and update
Technical security – encryption, anti-virus software, back-ups, disaster recovery
Access control – passwords, swipe cards, need-to-know basis, access logs, audit trails
Regular testing, assessing and evaluating effectiveness of technical and organisational measures for ensuring security of the processing
Document & record
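The access-control items on this slide (need-to-know basis, access logs, audit trails) and the data minimisation principle can be shown together in a small piece of code. The following is an added illustration written for this page; it is not the Department's code or any product's API. The roles, permitted fields, purposes and the student record are constructed sample values, and the special-category field stands in for Art 9 data.

```python
"""Need-to-know access control with an audit trail over a personal-data store.

Added illustration for the Art 32 slide (not Department code). Roles, users,
records and purposes below are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields each (hypothetical) role may read. Special-category (Art 9) fields are
# listed separately so a refusal names the stricter rule that applied.
ROLE_FIELDS = {
    "admissions_clerk": {"name", "student_id", "course"},
    "welfare_officer": {"name", "student_id", "health_note"},
}
SPECIAL_CATEGORY_FIELDS = {"health_note"}

# Purposes each role may cite. The purpose is recorded so the audit trail shows
# why a record was read, not only who read it (purpose limitation, Art 5).
ROLE_PURPOSES = {
    "admissions_clerk": {"enrolment"},
    "welfare_officer": {"student_support"},
}


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    user: str
    record_id: str
    fields: tuple
    purpose: str
    outcome: str  # "granted" or "denied:<reason>"


@dataclass
class PersonalDataStore:
    records: dict
    audit: list = field(default_factory=list)  # append-only access log

    def _log(self, user, record_id, fields, purpose, outcome):
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, record_id,
            tuple(sorted(fields)), purpose, outcome))

    def read(self, user, role, record_id, fields, purpose):
        """Return only the requested fields the role is entitled to, logging the
        attempt whether or not it succeeds. Denials are logged too, so reads
        outside a person's remit are visible when the trail is reviewed."""
        wanted = set(fields)
        if purpose not in ROLE_PURPOSES.get(role, set()):
            self._log(user, record_id, wanted, purpose, "denied:purpose")
            raise PermissionError(f"{role} may not process for '{purpose}'")
        excess = wanted - ROLE_FIELDS.get(role, set())
        if excess:
            reason = ("denied:special_category"
                      if excess & SPECIAL_CATEGORY_FIELDS
                      else "denied:need_to_know")
            self._log(user, record_id, wanted, purpose, reason)
            raise PermissionError(f"{role} not entitled to {sorted(excess)}")
        record = self.records.get(record_id)
        if record is None:
            self._log(user, record_id, wanted, purpose, "denied:no_record")
            raise KeyError(record_id)
        self._log(user, record_id, wanted, purpose, "granted")
        # Data minimisation: return only what was asked for and permitted.
        return {f: record[f] for f in wanted}


def build_sample_store():
    """Constructed sample data; no real student is represented."""
    return PersonalDataStore(records={
        "S-0001": {"name": "A. Example", "student_id": "S-0001",
                   "course": "Mathematics", "health_note": "constructed value"},
    })


def denied_accesses(store):
    """Audit query for the regular review the slide calls for: refused reads."""
    return [e for e in store.audit if e.outcome.startswith("denied")]


if __name__ == "__main__":
    store = build_sample_store()
    print(store.read("clerk1", "admissions_clerk", "S-0001",
                     ["name", "course"], "enrolment"))
    try:
        store.read("clerk1", "admissions_clerk", "S-0001",
                   ["health_note"], "enrolment")
    except PermissionError as exc:
        print("refused:", exc)
    for entry in store.audit:
        print(entry)
```

The point of logging refusals as well as grants is that the audit trail then supports the "regular testing, assessing and evaluating" item: a review of `denied_accesses` shows where roles or purposes are being stretched, and a granted entry records the purpose cited, which is what a data subject access request or a breach investigation will ask for.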
GDPR and Data Breaches – Art 34
Mandatory reporting to Data Protection Commissioner unless a breach is unlikely to result in a risk for rights and freedoms of individuals
Without undue delay and where feasible not later than 72 hours after becoming aware
Identify likely consequences, measures taken to mitigate possible adverse effects for data subjects
Facts of breach, its effects and remedial action taken must be documented to verify compliance
DPC may require notification of data subjects where a breach is likely to result in a high risk for rights and freedoms
Procedures which organisations put in place should encourage staff to report breaches
GDPR what your organisation can do
Prepare for GDPR
IT Unit, HR, Business Units, legal, DPO need to identify issues and risks to be addressed
Gap analysis, i.e. between the organisation's policies and procedures and what is necessary to comply with the GDPR
Statutory body identify legal basis for functions
Identify data inventories – where, who, what, how, when
Check all data processing agreements for compliance with the GDPR
Disclosures
Devise action plan
Assign responsibilities
Policies – data breach, data access requests etc.
Staff training
GDPR what you can do (1)
Increase your Awareness
www.GDPRandYou.ie
www.dataprotection.ie
Identify the personal data/information you process
Best practices
Store special category data in a secure filing system, e.g. lockable cabinet
Operate a clean desk policy
GDPR What you can do (2)
Stop and think before
Sending personal data in e-mails
Cc e-mails containing personal data
Opening e-mails and attachments or selecting embedded links from unknown or suspicious e-mail accounts
Using memory sticks that have not been pre-checked by your organisation’s IT security
Providing personal data over the telephone
Familiarise yourself with your organisation’s
Data Protection Policy
Data Protection policy for portable devices
Code of conduct
Data Access Request Policy
Data Breach policy