What is GDPR?
General Data Protection Regulation
What is GDPR for?
Legal framework to set guidance for the collection & processing of data
When did GDPR become introduced?
May 25 2018
What is the UKs implementation of GDPR?
Data Protection Act 2018
What does the Data Protection Act 2018 do?
It gives everyone responsibility for using personal data and has to follow strict data principles
What are the data protection principles?
Lawful, fair and transparent
What is the punishment for breaching GDPR?
20 million euros (around £17million) or 4% global annual turnover, which ever is greater
What has changed from 1998 to 2018?
The definition of data is up to date to include new technologies, such biometric.
Breaches must be reported in 72 hours
Clear privacy notices must be given to consumers
Orginisations must provide staff training and internal audits
Any company with over 250 employees or process over 5,000 subject profiles must have a data protection officer
What is information governance?
An approach to managing the way information is handled by setting out rules and managing the processes.
What are the aims of information governance?
To comply with legislation
Have an effective and appropriate use of information
Managed process for reporting and recording data issues
Provide staff training and support
Encourage staff to work together for effective data use
How do the council apply information governance?
We have set processes for using and collecting data such as the databse which has certain rules in place to keep it secure and accurate, we use it for effective data use for example when raising repairs it is a secure method to share customers details so appointments can be raised and work can be done.
What PCC polices manage data handling?
We have five policies, Data in Transit, Data Processor, Data Protection & Data Sharing & Records Management
What is a ROPA?
Record of Processing Activity, which is a legal duty to under GDPR and DPA 2018. For the council we use the Information Asset Register which outlines what information we may have and why we use it.
What does PCCs Data Protection Policy do?
It ensures that all employees and all third party members who have access to any personal data are fully aware of and abide by their duties and responsibilities under DPA and GDPR
What is the Freedom of Information Act 2000?
A piece of legislation that allows the public to access information help by public authorities.
What are some key points of the FoI to remember?
Affects all staff regarding what information we create, hold and delete.
Anybody can ask for information and PCC must disclose information if it is necessary within 20 days (by law)
Must forward requests to the FoI team ASAP
Requests must be in writing
All information could be disclosed such as emails & documents
If anyone alters data after a request it is a criminal offence with a fine up to £5000
How do PCC adhere to secure information?
Fire walls, virus protection and spyware detection
Regular backups of data
Network access management
Email & website filtering
Provide advice and guidance
What are PCCs key aims of protection of information?
Confidentiality - controlled acess
Integrity - no unautherised changes
Availability - continuously available
Compliance - follow policies and laws
What is the Information Commissioners Office?
ICO is a third party individual organisation that upholds information rights for the public
They look at complaints for potential for breaching GDPR/DPA
Have PCC had any data breaches?
Over the last 5 years or so the council have reported 13 incidents and 12 of which the ICO decided no futher actioj was needed as we were following GDPR/DPA properly, the one undecided in Nov 2019 i couldnt find an asnwer.
What data do you collect in your day to day job?
For repairs, names & numbers.
Use the database to store the data securely into the correct boxes to allow for availability and for it to be deleted / redacted.
What could be consequences to you (me as an emplyee) for breaching GDPR?
Verbal or written discaplinary actions
Loss of job
When can a FoI request be denied?
When it takes too much time
When it costs too much
If it is a repeat request by the same person
If the request is vaxatious (cause annoyance/frustration)
What is a subject access request?
When you send a written request to an orginisation for any personal information they hold on you.