Welcome to episode 33 of Continuous Quality Compliance
Today I am talking about… Data Protection
What do we mean by Data Protection?
The ICO (the Information Commissioner's Office) describes it as:
- Data protection is about ensuring people can trust you to use their data fairly and responsibly.
- If you collect information about individuals for any reason other than your own personal, family or household purposes, you need to comply.
- The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.
- The ICO regulates data protection in the UK. We offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance, and take enforcement action where appropriate.
Data protection is the fair and proper use of information about people. It is part of the fundamental right to privacy.
Does it apply to me?
Yes, if you have information about people for any business or other non-household purpose. The law applies to any ‘processing of personal data’, and will catch most businesses and organisations, whatever their size.
The ICO is not prescriptive in its approach, because a single set of fixed rules for every organisation would not be tenable.
Every organisation is different and there is no one-size fits-all answer. Data protection law doesn’t set many absolute rules. Instead it takes a risk-based approach, based on some key principles. This means it’s flexible and can be applied to a huge range of organisations and situations, and it doesn’t act as a barrier to doing new things in new ways.
However, this flexibility does mean that you need to think about – and take responsibility for – the specific ways you use personal data. Whether and how you comply depends on exactly why and how you use the data – and there is often more than one way to comply.
There are some terms used which it is useful to understand in this context.
What is ‘personal data’?
In short, personal data means information about a particular living individual. This might be anyone, including a customer, client, employee, partner, member, supporter, business contact, public official or member of the public.
It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
It doesn’t cover truly anonymous information – but if you could still identify someone from the details, or by combining it with other information, it will still count as personal data.
What is ‘processing’?
Almost anything you do with data counts as processing; including collecting, recording, storing, using, analysing, combining, disclosing or deleting it.
What is a ‘controller’?
A controller is the person that decides how and why to collect and use the data. This will usually be an organisation, but can be an individual (eg a sole trader). If you are an employee acting on behalf of your employer, the employer would be the controller. The controller must make sure that the processing of that data complies with data protection law.
In this guide, we generally use the term ‘organisation’ or ‘you’ to mean the controller.
What is a ‘processor’?
A processor is a separate person or organisation (not an employee) who processes data on behalf of the controller and in accordance with their instructions. Processors have some direct legal obligations, but these are more limited than the controller’s obligations.
What is a ‘data subject’?
This is the technical term for the individual whom particular personal data is about. In this guide we generally use the term ‘individuals’ instead.
What is the DPA 2018?
The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998, and came into effect on 25 May 2018.
It sits alongside the GDPR, and tailors how the GDPR applies in the UK.
The GDPR is the General Data Protection Regulation (EU) 2016/679. It sets out the key principles, rights and obligations for most processing of personal data – but it does not apply to processing for law enforcement purposes, or to areas outside EU law such as national security or defence.
I recommend you visit the ICO website to get the latest information on the GDPR. If you're a sole trader there is a guide for you, and there is one for SMEs as well.
Please remember that children need particular protection when you process their data. The ICO has a guide:
- Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
- If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind.
- Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.
- You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
- If you are relying on consent as your lawful basis for processing, when offering an online service directly to a child, in the UK only children aged 13 or over are able to provide their own consent.
- For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventive or counselling service.
If children come to you, the ICO has detailed guidance on this, so it is important to read it to make sure that you are meeting the data protection requirements.
They have checklists which you can use to check whether you are meeting the criteria.
They have an assessment framework too.
They have a useful guidance index.
There is guidance for different sectors too, which it is important to look at.
Of course you should have a GDPR policy.
It should include a privacy notice; there is guidance for this. You should have a privacy notice for both staff and clients.
Subject access requests: your clients have a right to ask for the information held on their records, and they can ask for it to be corrected, and for it to be deleted, for example if they are no longer your client. Therefore it is important you know where their
You have to have a lawful basis to collect data; legitimate interest is one of the possible bases, but it is not the only one.
You should have forms as well.
Part of data protection is to know what assets you have and where they are stored.
On the ICO website you will also be able to read about what your clients' rights are, so it is important to read this too so that you can do a gap analysis.
If you use CCTV you must look at the guidance for this and the CQC guidance on their website too. You should be transparent that you use CCTV. You cannot record people without their knowledge.
Please remember that there is also the Guide to the Privacy and Electronic Communications Regulations, known as PECR. There is plenty of information on the ICO website. This covers emails, email marketing and cookies on your website.
If you have a personal data breach that is likely to put individuals at risk, you have to inform the ICO, and you must do so within 72 hours of becoming aware of it. Most organisations will need to be registered with the ICO. You get a certificate which you can put on your website.
They have introduced the Accountability Framework, which is really useful for organisations doing a gap analysis. It is particularly useful for a new business. It has 10 categories which are important for every organisation. Records Management is one which the CQC look at, so it is useful to look at this resource. https://ico.org.uk/for-organisations/accountability-framework/
Accountability enables you to minimise the risks of what you do with personal data by putting in place appropriate and effective policies, procedures and measures. These must be proportionate to the risks, which can vary depending on the amount of data being handled or transferred, its sensitivity and the technology you use.
The ICO describes records management as follows:
Good records management supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies. Information security also supports good data governance, and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – it may even endanger lives in some extreme cases.
I am a great believer in not re-inventing the wheel. The ICO has so much useful information. Where better to get it than from the responsible entity?
Training staff on data protection at the appropriate level is important too.
It is a vast area, so I can't go into detail here, but this should give you an idea of what you need to be aware of, and of why you must look on the ICO website for information.