Local Government Reform and Compliance with the DPA Ken Macdonald Assistant Commissioner (Scotland & Northern Ireland) Information Commissioner’s Office.

Local Government Reformand Compliance with the DPA

Ken MacdonaldAssistant Commissioner (Scotland & Northern Ireland)Information Commissioner’s Office2 December 2014

Contents

• Local Government Reorganisation

• Data Protection Principles

• Meeting the Principles

Local Government Reorganisation

Existing powers

New organisation

Local Government Reorganisation

Transferred powers

New organisation

Data Protection Principles

The DPA is underpinned by a set of eight straightforward, common sense principles that organisations should follow. They state that personal data should be:

1) Processed fairly and lawfully2) Processed for specified purposes3) Adequate, relevant and not excessive 4) Accurate and up to date 5) Held for no longer than is necessary 6) Processed in accordance with the rights of individuals 7) Kept secure 8) Transferred outside the EEA only with adequate protection

Principle 1 – Fair and LawfulProcessingPersonal data shall be processed fairly and lawfully

• Register with the ICO

• Inform service users of forthcoming change…….…………..and again after reorganisation

• Have Retention and Disposal Schedules approved

Principle 2 – Processing for Specified PurposesPersonal data shall be obtained only for one or more specified

and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

• Review Privacy Policies

• Integrate where appropriate

• Ensure any new uses for the information are fair

Principle 3 –Adequate, Relevant and Not ExcessivePersonal data shall be adequate, relevant and not excessive in

relation to the purpose or purposes for which they are processed.

•Undertake a data audit

•Review need

•Dip sample, where appropriate

Principle 4 –Accurate and Up to DatePersonal data shall be accurate and, where necessary, kept up to date.

•Take appropriate steps to ensure accuracy

•Test new integrated systems with dummy data

•Ensure records are up-to-date where necessary

•Dip sample

Principle 5 – Hold for no longer

than is necessaryPersonal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

• Use the opportunity to weed systems

• Consider statutory and business requirements

• Prepare revised and extended Retention & Disposal Schedules

Principle 6 – Process in Accordancewith the Data Subject’s RightsPersonal data shall be processed in accordance with the rights of

data subjects under this Act.

•Be aware of what information is held

•Consider issues around processing likely to cause damage or distress

•Stop direct marketing if requested. Abide by PECR for electronic marketing

•Put policies and procedures in place

Principle 7 - Security

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

•Secure disposal and/or transfer to new authority

•Data/system compatibility

•Encryption of all mobile devices

•Home/mobile working policies

Principle 8 -Transfer outside of EEA

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

•If using cloud computing ensure the server is located within the EEA

All Principles:

Learn from others(what not to do)

Department of Justice (NI)£185,000A monetary penalty notice of £185,000 was served on the

Department of Justice (NI) after a cabinet containing details of a terrorist incident was sold at auction.

London Borough of Lewisham £70,000 CMP A CMP of £70,000 was imposed on the Council after a social worker left sensitive documents in a plastic shopping bag on a train, after taking them home to work on. The files, which were later recovered from the rail company’s lost property office, included GP and police reports and allegations of sexual abuse and neglect.

Aberdeen City Council£100,000 CMP A council employee inadvertently uploaded four documents containing sensitive personal information about children and families on to the internet whilst home-working using an infected second-hand PC. A home working and data protection policy was in place at the time of the breach but the technical measures to assist staff to adhere to it were not provided. The Council was fined £100k.

Contact us:

ICO 3rd Floor

14 Cromac PlaceBelfast BT7 2JB

0303 123 [email protected]

www.ico.org.uk