Blake Lapthorn's In-House Lawyer and Decision Maker's forum - 12 September 2013

Blake Lapthorn's Commercial Litigation team held a forum on Data Protection, on 12 September 2013 at Blake Lapthorn's Southampton office.

In-house lawyer and decision makers’ forum

Data Protection Breakfast

Thursday, 12 September 2013

Introduction and Welcome

Susie Dryden, Partner

Blake Lapthorn

[email protected]

Data Protection seminar

– Recognising personal data and anonymisation
– Overseas transfers of personal data and the cloud
– Electronic marketing and cookies
– Apps, social media and BYOD
– The new Data Protection Regulation
– Short case studies


Recognising ‘Personal Data’

Why is this relevant?

The Data Protection Act 1998 (Act) will not be engaged if you are not processing personal data

Recognising Personal Data (2)

What is personal data?

First, establish if the information is ‘data’. There are four categories of data:

– Automatically processed data or data recorded with the intention that it will be so processed
– Data forming part of a ‘relevant filing system’
– Data forming part of an ‘accessible record’
– Data recorded by a public authority

Recognising ‘Personal Data’ (3)

Secondly, establish if the data is ‘personal data’:

– Defined in s1 (1) of the Act as:

“Data which relate to a living individual who can be identified:
(a) from those data; or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”.

– “Living Individual”

– “Individual”

Recognising ‘Personal Data’ (4)

Examples of personal data include:

– Addresses, telephone numbers, job titles and dates of birth
– Expressions of opinions about an individual
– Indications of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data

Anonymised data is not personal data...

Anonymisation

Why are we talking about anonymised data? Release of anonymised data can have:
– Commercial benefit
– Public benefit
– Academic research benefits

DPA does not apply to the anonymised data but DOES apply to processing the source data to anonymise it

Anonymisation (2)

What is it? Anonymised data is data that does not relate to any individual and is unlikely to allow any individual to be identified through its combination with other data at the point of transfer to another party

Generally applied to large datasets rather than pseudonymising individual pieces of information

Anonymisation (3)

How do we go about creating it?
– Wide number of anonymisation techniques
– Consent generally not required
– Document your process – aim for transparency
– Must address risk of re-identification
– Have an on-going governance structure

Public authorities need to remember:
– Application of FOIA
– Human rights

What happens if re-identification happens?
– You will become a data controller
– ICO likely to take enforcement action against person re-identifying

Overseas Transfers of Personal Data

Due to the continued globalisation of trade and an ever more connected world, record amounts of customer and employee data are now transferred overseas from the UK

Growth in cloud computing has also had a large impact (often unknown to those who utilise its benefits)

As usual, the Act has something to say - 8th Principle:

“Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Overseas Transfers of Personal Data (2)

Is there a transfer? Two questions to consider:

1. Is the country of the transferee of personal data outside the EEA?

2. Does the transmission in question actually amount to a transfer?

What is a ‘transfer’? Transfer or Transit?

Examples from ICO:

– (1) A company in the UK uses a centralised human resources system in the US belonging to its parent company to store information about its employees – TRANSFER

– (2) Personal data is transferred from the UK to Germany via a server in Switzerland, which does not access or manipulate the information while it is in Switzerland – TRANSIT

Overseas Transfers of Personal Data (3)

A five step “good practice” approach should be considered:

1. Is there a transfer of personal data to a third country?
2. Is the transfer necessary?
3. Does the third country ensure an adequate level of protection to data being transferred?
4. Consider whether the parties have, or can put in place, adequate safeguards to protect the data
5. Consider if any of the other derogations to the 8th principle apply

Overseas Transfers of Personal Data (4)

Adequacy

If there will be a transfer to a third country, you need to consider whether the third country ensures an adequate level of protection. Finding of adequacy normally based on a Community finding or a positive outcome when applying the adequacy test:

– “Community finding”: where the European Commission makes a finding that a country outside the EEA has an adequate level of protection. A list can be found on the ICO website.

– “Adequacy test”: where there is no Commission finding, a data exporter can assess the general adequacy itself.

Overseas Transfers of Personal Data (5)

Model clauses
– You can use model contractual clauses to transfer data which have been approved by the European Commission
– Various sets available – controller to controller and controller to processor

Binding Corporate Rules
– Only available to multinational corporations looking to transfer data around the world
– One data protection authority takes the lead and coordinates input from others

The Cloud

What is the cloud? The provision of a range of IT technologies and service models on demand via a network usually delivered via the internet:
– Software as a service
– Platform as a service
– Infrastructure as a service

Generally provided by a third party or parties hosting resources and data across a number of servers and/or for a number of customers

Causes a lot of concern from a data protection perspective as:
– the servers are often based overseas outside of the EEA
– there can be difficulty working out who is responsible for what security controls
– data can be stored across a number of servers on a continually changing basis

The Cloud (2)

If you are the data controller using a cloud provisioned service:

You must check where any data is going to be stored and, if not in the EEA, ensure that you meet one or more of the conditions required before data can be transferred outside of the EEA

You will be responsible for assessing risks, informing data subjects, putting written controls in place, monitoring, protecting and retrieving data

Not easy when dealing with cloud providers and commonly you will also be offered standard terms that are non-negotiable

A checklist for data protection compliance by cloud clients and cloud providers has been issued by ICO (see Guidance on the use of cloud computing, 2012). Consider also a privacy impact assessment before moving to the cloud.

See also ICO Personal Information Online Code of Practice (July 2012)

Electronic Marketing

To collect and use personal data for email and SMS marketing (“electronic marketing”) there are certain steps you should follow at the time you collect it and when you send out messages

Collect and process the personal data fairly

Comply with the Privacy and Electronic Communications Regulations 2003 (PECR) (as amended). In particular you must:

– Obtain prior consent – you cannot send unsolicited electronic marketing messages unless you have the individual’s prior consent to do so. This strict ‘opt-in’ rule is only relaxed if three exemption criteria are satisfied.

– Identify the sender, nature of communication etc (see E Commerce Regs 2002, Regs 7 & 8) and give details of how to revoke consent/opt out.

Electronic Marketing (2)

Exemption criteria

– You have obtained the individual’s details as part of the sale or negotiations for sale of a product or service to that person;

– The marketing material concerns only a similar product or service; and

– The individual must have simple means of refusing unsolicited marketing at the time their details are collected and, if they do not opt-out, you must give a simple way of doing so in every future message e.g. unsubscribe option.

Electronic Marketing (3)

Advice:

– Recommend marketing campaigns are always permission-based.

– Be very careful if using bought-in email lists.

– Explain clearly what a person’s details will be used for when collecting data through an appropriate privacy policy and seek opt-in consent when data collected.

– Provide a simple way for them to opt-out of marketing messages.

– Have a system in place to deal with complaints.

Cookies

What are they?

– From 2011 under the amended PECR you now need to (i) tell users about them and (ii) obtain “consent” before setting most types of cookies.

– Only set strictly necessary cookies without consent.

– But what is meant by consent?

Opt-in? e.g. pop up – “For this site to work correctly…we need to store a small file (called a cookie) on your computer….If you click on “OK” below we will store cookies and you can continue using this site with full functionality….For more information read our cookie policy” (FCA website)

Implied? e.g. pop up – “We have placed cookies on your computer to help make this website better. You can change your cookie settings at any time. Otherwise we’ll assume you’re OK to continue.” (ICO website)

– ICO Guidance (May 2012 and onwards)

Apps, Social Media and BYOD

BYOD – “bring your own device”

– Lots of legal issues (case study explores some of these, not just data protection)

– From a data protection perspective security is the biggest issue – 7th Principle (and other principles too).

What happens if device lost, hacked or stolen? Steps taken must relate to risks e.g. is sensitive personal data available for access or storage on a “BYOD”

– Prevent unauthorised access (e.g. password on device, encryption on device, lock out/delete data if too many failed attempts, separate business from personal data)
– Encrypt data in transit
– Right to monitor and automatically delete data
– Employees leave

Apps, Social Media and BYOD (2)

ICO Guidance on BYOD (March 2013)

– Carry out an internal assessment leading to implementing BYOD policy (include an acceptable use policy and also a social media policy if BYOD policy leads to increased use of social media by employees)

– Need to cross refer to Employment Practices Code (e.g. re monitoring and acceptable use policy)

Apps, Social Media and BYOD (3)

Social Media – social networking and online forums

– Growth in organisations setting up own blogs/social media web pages/online forums
    Customer reviews/feedback
    School/university alumni/ae events
    Charity fund-raising and volunteer sites

– If you are processing personal data for non-domestic purposes then you will be subject to the DPA and won’t benefit from domestic purposes (s 36) exemption

Apps, Social Media and BYOD (4)

– Need to assess in particular
    Who is data controller
    Ensure data accurate (4th Principle)
    “Solicitors from Hell” case

– ICO Guidance (May 2013)

– Have accurate acceptable use policy

– Be clear how complaints dealt with

Apps, Social Media and BYOD (5)

Apps

– Collect personal data (location, stored data, sensor data…)

– Process personal data

– EU’s Article 29 Working Party issued opinion WP 202 on apps on smart devices (27 February 2013). If you are developing or using Apps in your business you must address the privacy issues.

Apps, Social Media and BYOD (6)

– Key privacy issues highlighted by EU
    Lack of transparency on types of processing
    Lack of meaningful (i.e. free and informed) consent
    Poor security measures
    Disregard of any purpose limitation and lack of data minimisation (e.g. “market research” that doesn’t relate to App at all)

– Take away: ensure privacy issues are addressed in App development
    Privacy policy
    Use of cookies
    Transborder issues
    Security
    Apps for children raise specific issues

The New Data Protection Regulation

On 25 January 2012, the European Commission published a proposal for a new EU Regulation. This will repeal the existing 1995 EU Data Protection Directive. In the UK this will mean all or part of the DPA 1998 (tbd by Parliament) will be superseded by a directly effective Regulation.

The European Commission has called for:

– An effective new data protection framework

– Clear, effective rights for individuals

– Clear responsibility and accountability

– Obligations to be focussed on processing that poses genuine risks to individuals or societies

– Data protection authorities that are independent – with a clearer role.

The New Data Protection Regulation (2)

Potential changes:

– Higher fines

– Stronger data subject rights including “right to be forgotten”

– Consent (specific Article on this e.g. placing burden of proof on data controller where consent relied on)

– More responsibility on data controllers (including those outside the EU) including requiring data protection officers in organisations and obligation to notify the regulator if a data breach and then potentially tell data subjects too

The New Data Protection Regulation (3)

The Regulation should essentially be a harmonised EU regime.

The draft Regulation will need to be approved by EU member states and ratified by the European Parliament.

Originally to be adopted in 2014 and in effect in 2016.

But delay in legislative process due to contentious nature of the Regulation.

The New Data Protection Regulation (4)

Note: other recent and proposed EU laws

– Regulation 611/2013 on the notification of personal data breaches (not general - only applies to ISPs/telcos – in force from 29 August 2013 and see also amended PECRs)

– Proposed Network and Information Security Directive (February 2013) (potentially applies to a wide range of companies and organisations in energy, transport, banking and finance, health care plus e-commerce platforms, social networks, search engines, cloud services, application stores, payment gateways plus “public administrations”) – obligations to guarantee security appropriate to the risk and to tell regulator about cyber security incidents

Case Study (1) (Recognising Personal Data)

A potential member of a gym meets with a sales manager of a local gym to discuss membership options. The sales manager asks the prospective member for certain information (name, address, age) and records these details manually on a ‘new membership application form’. These details will subsequently be added to the gym’s computer system.

Is this data? Does it matter if the information is never added to the computer system?

Case Study (2) (Overseas Transfer of Data/Cloud)

UK Gadgets is one of the leading suppliers of gadgets in the UK. It has recently been bought out by a US multinational, US Gadgets.

As part of its new reporting obligations, UK Gadgets has been asked to send copies of all of its employee records to a third party cloud provider (CloudCo) based in the US appointed by US Gadgets’ head office in New York to manage the multinational’s global HR database. The UK Co will have direct access to the cloud service through web browser and password access. In due course it will also upload updated data direct to CloudCo. The UK data will be available for access and processing by both the UK and US parent.

The HR director is a little concerned that if he does this, he could be in breach of the DPA, but head office is adamant that they must be sent.

What are his options?

NB: This case study assumes that the other Data Protection principles have been complied with and that the data does not consist of 'sensitive' personal data where consent to transfer may need to be obtained.


Case Study (3) (Electronic Marketing)

Please tick here if you do not want us to contact you by electronic means (e-mail or SMS) with information about goods and services which we feel may be of interest to you.

Is this acceptable?


Case Study (4) (Apps/BYOD/Social Media)

After considerable internal debate amongst the IT director, HR director and head of sales and marketing at Way Ahead law firm, the Board decide to allow legal staff to utilise their own smart phones and tablets for work purposes.

What should Way Ahead do to minimise risks?

Contact Details

Sheilah Mackie, Partner, Commercial/IT
02380 [email protected]

Simon Stokes, Partner, Commercial/IT
0207 814 [email protected]