Description:
Data Protection Compliance, 5 March 2012, Sue Pawar-Price, Barrister ... – PowerPoint PPT presentation

Slides: 84
Provided by: RayC56
Transcript and Presenter's Notes

1
Data Protection Compliance
5 March 2012
Sue Pawar-Price, Barrister
2
INTRODUCTION
  • Background
  • Definitions
  • 8 Data Protection Principles
  • Data Sharing
  • Data Protection Reform

3
BACKGROUND (1)
  • EU Data Protection Directive (Directive 95/46/EC)
  • Directive 95/46/EC is addressed to all 27 member
    states.
  • Requirement on each member state to transpose the
    Directive into internal law.
  • Directive 95/46/EC had to be transposed by the end
    of 1998.
  • Each member state enacted its own data
    protection legislation.
  • The UK enacted the Data Protection Act 1998 (DPA).
  • Similarly, Malta enacted its own Data Protection
    Act; Finland enacted the Finnish Data
    Protection Act; Norway enacted the Personal Data
    Act 2000, etc.

4
BACKGROUND (2)
  • UK DATA PROTECTION ACT 1998
  • The UK also used this as an opportunity to review
    existing legislation, and the 1984 Act was repealed
    by the 1998 Act.
  • Main piece of legislation that governs the
    protection of personal data in the UK.
  • The Act itself does not refer to PRIVACY.
  • Intended to balance the interests of data
    subjects with those of data controllers.
  • Freedom to process data vs. privacy of
    individuals.

5
BACKGROUND (3)
  • UK DPA is large!
  • It has a reputation of being a very complex piece
    of legislation!
  • The new legal framework is also very complex
    (more later)!

6
TERRITORIAL SCOPE OF THE ACT (s5 DPA 1998)
  • The Act applies to any Data Controller (DC) in
    respect of any data where:
  • the Data Controller is established in the UK and
    the data are processed in the context of that
    establishment; or
  • the Data Controller is not established in the UK or
    any other EEA state but uses equipment in the UK for
    processing the data otherwise than for the purposes
    of transit through the UK.

7
DEFINITIONS
  • s1(1) and s2 DPA contain all the relevant
    definitions:
  • Data
  • Personal Data
  • Sensitive Personal Data
  • Processing
  • Data Controller/Data Processor
  • Relevant Filing System
  • Information Commissioner
  • Data Sharing
  • Once you understand the terminology you can
    begin to understand the law and the compliance
    obligations on you.

8
DATA
  • Data means information which:
  • (a) is being processed by means of equipment
    operating automatically in response to
    instructions given for that purpose, i.e.
    computer-based data;
  • (b) is recorded with the intention that it should be
    processed by means of such equipment;
  • (c) is recorded as part of a relevant filing system
    or with the intention that it should form part of
    a relevant filing system; or
  • (d) does not fall within paragraphs (a), (b) or (c)
    but forms part of an accessible record as defined
    by s68.

9
PERSONAL DATA (1)
  • Personal data means data which relates to a
    living individual who can be identified
  • From those data, or
  • From those data and other information which is
    in the possession of, or is likely to come into
    the possession of, the data controller.

10
PERSONAL DATA (2)
  • It includes any expression of opinion or fact,
    such as:
  • date of birth, postal address, e-mail address,
    telephone number, NI number, bank account number,
    credit card number, photos, video footage, etc.
  • Whether the data relate to a particular
    individual will be a question of fact in each
    case.

11
SENSITIVE PERSONAL DATA
  • S2 DPA states sensitive personal data means
    personal data consisting of information as to
  • Racial or ethnic origin
  • Political opinions
  • Religious/similar beliefs
  • Trade Union Membership
  • Physical or mental health or condition
  • Sexual Life
  • Offences
  • Proceedings for any offence committed or alleged
    to have been committed, the disposal of
    proceedings or sentence passed.
  • Sensitive personal data is very often the root
    cause of privacy issues.

12
PROCESSING
  • Processing information or data includes
  • Organising, adapting or altering information or
    data
  • Retrieving, consulting or using information or
    data
  • Disclosing through transmission, dissemination or
    otherwise making available
  • Alignment, combination, blocking, erasure or
    destruction of the information or data.
  • This means that just about any use, or non-use,
    of data is covered, including simply keeping it!

13
DATA CONTROLLER? (1)
  • Data Controller (DC) means a person who (alone or
    jointly with other persons) determines the manner
    in which and the purpose for which personal data
    are to be processed.
  • Data processor (DP) is any person (other than an
    employee of a Data Controller) who processes data
    on behalf of the Data Controller e.g. third party
    mailing house.

14
DATA CONTROLLER (2)
  • Posting data on HIFID:
  • The company that holds the information is the DC
    and will be processing that data.
  • Following transfer, IMTRC Solutions Ltd is also
    a DC.
  • The company which then accesses that information
    by retrieving it will at that point also become
    a DC.

15
DATA CONTROLLER (3)
  • This means that all of you are DCs.
  • Members that use HIFID are DCs.
  • IMTRC Ltd is a DC.
  • Para 6 User Agreement: IMTRC Solutions will act
    as DC and third-party manager of the data
    logged.

16
DATA CONTROLLER (4)
  • Being a DC carries with it serious legal
    responsibilities.
  • Including ensuring compliance.
  • A DP has no responsibilities under the DPA for
    personal data processed by it.
  • The DC is responsible for the actions of the DP
    under the DPA.
  • DPs have very limited obligations.

17
INFORMATION COMMISSIONER
  • New name for the Data Protection Registrar.
  • The UK's independent authority set up to uphold
    information rights in the public interest and to
    promote openness and data privacy for individuals.
  • Sponsored by the Ministry of Justice.
  • Based in Wilmslow, Cheshire.

18
DATA SHARING (1)
  • ICO Data Sharing Code of Practice, May 2011.
  • Published under s52 DPA (so it is the statutory
    Code of Practice).
  • Data sharing: the disclosure of data from one or
    more organisations to a third-party organisation or
    organisations, or the sharing of data between
    different parts of an organisation.
  • If you are going to share data, make sure it is
    covered in your Register entry.

19
DATA SHARING (2)
  • ICO Data Sharing Code of Practice, May 2011.
  • Does not impose additional legal obligations.
  • Not an authoritative statement of the law.
  • If there has been a breach of the Code, the ICO
    cannot take action unless there is also a breach of
    the DPA.
  • But the Code can be used as evidence in any legal
    proceedings (not just proceedings under the DPA).

20
DATA SHARING AGREEMENT
  • Does not provide you with immunity from action
    under the DPA.
  • It helps you to justify your data sharing and to
    demonstrate that you have thought about
    compliance issues and documented them.

21
Data Sharing Agreements
  • Data Sharing Code of Practice recommends the
    Agreement covers the following issues
  • Purpose of the data sharing initiative
  • Data items to be shared
  • Legal basis for data sharing
  • Access and individual rights under DPA and FOIA
  • Information governance
  • Which data sets are shared
  • Provisions to ensure accuracy, e.g. periodic
    sampling
  • Compatibility of data sets and how data is
    recorded
  • Rules for retention and deletion of data
  • Technical and organisational security measures,
    including procedures for transmission of data and
    for breaches of the agreement
  • Procedures for DPA/FOI access
  • Timescales for review of data sharing
    arrangements and the agreement
  • Procedures for dealing with termination and
    consequences.

22
STARTING POINT (1)
  • DOES THE SHARING COMPLY WITH LAW?
  • The organisations in the Data Sharing Agreement
    must have the power to share information with
    each other.

23
STARTING POINT (2)
  • You need to ensure that the data sharing complies
    with the 8 Data Protection Principles.
  • At the outset when the data is first
    shared/provided
  • On an on-going basis for the duration of the data
    sharing agreement.

24
STARTING POINT (3)
  • What data is to be shared?
  • Personal Data?
  • Sensitive Personal Data?
  • Both?

25
8 DATA PROTECTION PRINCIPLES
  • It is your responsibility as DCs to ensure that
    data are:
  • Processed fairly and lawfully
  • Processed for limited purposes in an appropriate
    way
  • Relevant and sufficient for the purpose
  • Accurate
  • Kept for no longer than is necessary
  • Processed in line with individuals' rights
  • Secure
  • Only transferred to countries that have suitable
    data protection controls.

26
PRINCIPLE 1 (1)
  • Non-sensitive personal data must be processed
    fairly and lawfully, and shall not be processed
    unless one of the conditions below is met (Sch. 2):
  • Consent (the most important)
  • Contract
  • Legal obligation
  • Vital interests of the subject (life or death)
  • Public functions
  • Balance of interests
  • What have the individual(s) been told about who
    processes their data, how it will be used and who
    it will be shared with?
  • What are their expectations regarding use of
    their data?
  • Do any exemptions apply (s29 crime and taxation)?

27
PRINCIPLE 1 (2)
  • SENSITIVE PERSONAL DATA
  • Sensitive personal data can only be held if one
    of the following is met
  • Explicit informed consent
  • Employment law
  • Vital interests of subject (life or death)
  • Legal proceedings
  • Medical purposes (by medical professionals)
  • Equal opportunities monitoring

28
PRINCIPLE 1 (3)
  • DATA POSTED ON HIFID (PERSONAL OR SENSITIVE
    PERSONAL DATA?)
  • Data posted on HIFID is personal data
  • E.g. name, date of birth, fraud type, region.
  • No evidence is posted here e.g., no medical
    records.
  • No sensitive personal data.
  • Privacy Notice warning members that the
    information is provided in accordance with Data
    Protection and Privacy legislation in country of
    issue.

29
PRINCIPLE 1 (4)
  • CONSENT
  • Must be freely given, specific and
    informed.
  • Cannot use implied consent.
  • Cannot use blanket consent.
  • Note: you are unlikely to get consent from a
    person under investigation for fraud!
  • Note: if you tip off the individual it would allow
    them to destroy evidence or dissipate funds, and is
    highly likely to prejudice a prosecution.

30
PRINCIPLE 1 (5)
  • EXEMPTION
  • s29(3) DPA 1998 states that personal data
    processed for:
  • the prevention or detection of crime,
  • the apprehension or prosecution of offenders, or
  • the assessment or collection of any tax or duty
    or of any imposition of a similar nature
  • are exempt from the first data protection
    principle, but only to the extent that applying it
    would cause prejudice to those purposes.
  • This is the crucial section.
  • No consent is necessary and there is no obligation
    to process the data fairly or to disclose it to the
    data subject.
  • It has very wide general application.
  • Covers the activities of HICFG.

31
PRINCIPLE 1 (6)
  • What is meant by a crime?
  • The "F" word is rarely used, for commercial and/or
    tactical reasons.
  • Beyond the legal definition of fraud (contained
    in s1 Fraud Act 2006), there is no UK statutory
    definition of health care fraud (other than the
    various categories/baskets which have evolved
    over time, such as upcoding, unbundling, phantom
    billing, double billing, unnecessary services,
    misrepresenting, etc.).
  • The reality is that you process personal data
    in order to detect and prevent crime/fraud.
  • It is also done with a possible prosecution in
    mind. The prosecution can be a public
    prosecution or a private prosecution.

32
PRINCIPLE 1 (7)
  • What is meant by a crime?
  • Defrauding insurance companies usually involves
    an element of DISHONESTY.
  • Where there is dishonesty, there is usually an
    associated crime.
  • Examples include
  • Fraud by false representation s2 Fraud Act 2006
  • Fraud by failure to disclose information when
    there is a legal duty to do so s3 Fraud Act 2006
  • Obtaining services by deception s11 Fraud Act
    2006
  • Theft Theft Act 1968

33
PRINCIPLE 1 (8)
  • What about those cases with no dishonesty?
  • If a claim has been made honestly but mistakenly
    then this is not a crime.
  • So investigating these sorts of cases cannot
    amount to investigation of a crime.
  • However, these sorts of cases will probably start
    out as an investigation into potential criminal
    activity then may stop short of discovery of a
    criminal act.
  • Strong argument that investigating honestly made
    but mistaken claims which bear all the hallmarks of
    a fraud (but ultimately turn out not to be a
    fraud) is also investigation of criminal
    activity.

34
PRINCIPLE 1 (9)
  • PARA 6 USER AGREEMENT states:
  • Use of the Health Fraud Hub and HIFID database
    is done under the exemption section within the
    Data Protection or Privacy Act of the country
    in which you operate, for the purpose of fraud
    detection, fraud prevention, fraud management and
    the apprehension or prosecution of offenders.
  • Data will be used for the exclusive objective of
    detecting and preventing fraud within Private
    Medical Insurance.

35
PRINCIPLE 2
  • Data must be obtained only for one or more
    specified lawful purposes.
  • For what purpose does the sharing organisation
    obtain data?
  • Will the sharing of information with the
    receiving organisation be for a new purpose?
  • Are the old and new purposes compatible?

36
PRINCIPLES 3 AND 4
  • Personal data must be adequate, relevant and not
    excessive.
  • You must not stock up on data unnecessarily!
  • Which datasets will it be necessary to share with
    the receiving organisation to meet its
    particular purpose?
  • Will it be necessary to restrict some datasets to
    use only for particular purposes?
  • Personal data shall be accurate and up to date.
  • This is an ongoing requirement and means data
    needs to be kept under constant review.

37
PRINCIPLE 5 (1)
  • How long should the data be kept on HIFID?
  • Principle 5 says that data should not be kept for
    longer than necessary for the purposes of the
    primary processing.
  • 1995 Directive does not set any time limits.

38
PRINCIPLE 5 (2)
  • Para 13 User Agreement states that information
    will be destroyed automatically after 7 years.
  • This follows guidance from the ICO.
  • The key is to look at the limitation period.
  • In the UK the limitation period for dishonesty
    cases is 6 years from the date the cause of action
    arises.
  • Where the defendant deliberately conceals any act
    relevant to the cause of action, time does not
    begin to run until the fraud has been, or with
    reasonable diligence would have been, discovered
    (s32 Limitation Act).
  • Arguably there is no reason for the information to
    be destroyed at all.
  • But 7 years is reasonable.

39
PRINCIPLE 7 (1)
  • Technical or organisational measures must be
    taken to prevent unauthorised or unlawful
    processing of data, accidental loss, damage or
    destruction of data.
  • Firstly, it relates to the IT systems in place
    (access, backups, password security, etc.) for all
    the Users and IMTRC Ltd.
  • Secondly, it relates to the individuals using the
    system (adopt need-to-know principles).
  • See the ICO Checklist on Data Sharing.

40
PRINCIPLE 7 (2)
  • Build a culture within your organisation where
    employees know and understand good practice in
    respect of
  • Your own data
  • Data received from other organisations.

41
PRINCIPLE 7 (3)
  • What security measures have been built around
    HIFID?
  • User agreement contains an agreed set of security
    standards.

42
PRINCIPLE 7 (4)
  • USER AGREEMENT states:
  • Health Fraud Hub and HIFID software is registered
    with the ICO (Para 3).
  • It adheres to best practice of the Office of the
    European Commission (Para 3).
  • The system is hosted by IMTRC Solutions Ltd on a
    secure Rack space server located in the UK (Para 4).
  • It adheres to the strictest information security
    standards, has undertaken bust testing and has
    been scrutinised on site by a consortium of
    technology security experts provided by its
    members (Para 4).
  • IMTRC Solutions Ltd agrees to sign up to a
    Non-Disclosure Agreement (Para 7).

43
PRINCIPLE 7 (5)
  • USER AGREEMENT also states:
  • The principles and practices of sound data
    management must be adhered to (Para 2).
  • Ensure that only authorised individuals have
    access (Para 2(g)).
  • Information shared amongst users must be treated
    as highly confidential and not be disclosed to a
    third party without the prior written consent of
    IMTRC (Para 2(f)).
  • The number of users having access to the
    information is restricted, exclusive and relevant
    (Para 3).
  • Ensure system users are trained and made aware of
    the principles of data protection (Para 3).
  • Ensure that their systems are registered with
    the ICO in the UK and that registration is up to
    date (Para 3).
  • Changes in employment status of company employees
    with access to the Health Fraud Hub and HIFID
    (Para 5).
  • Ensure that if a third party is given access then
    they too are contractually bound (Para 6).
  • All members agree not to disclose (Non-Disclosure
    Agreement) data outside the controlled user
    group (Para 7).

44
PRINCIPLE 8 (1)
  • INTERNATIONAL DATA TRANSFER
  • Putting things on a website is tantamount to a
    transfer of data.
  • The transfer takes place at the point when
    someone accesses the website.
  • If data are accessed in a country outside the EEA
    then there will be a transfer outside the EEA.
  • The law says that you may transfer personal data
    to countries within the EEA on the same basis as you
    transfer data within the UK (no restrictions).

45
PRINCIPLE 8 (2)
  • EEA:
  • Austria, Belgium, Bulgaria, Cyprus, Czech
    Republic, Denmark, Estonia, Finland, France,
    Germany, Greece, Hungary, Iceland, Ireland, Italy,
    Latvia, Liechtenstein, Lithuania, Luxembourg,
    Malta, Netherlands, Norway, Poland, Portugal,
    Romania, Slovakia, Slovenia, Spain, Sweden,
    United Kingdom.
  • The EEA comprises the 27 EU member states with the
    addition of Iceland, Liechtenstein and Norway.

46
PRINCIPLE 8 (3)
  • Transferring data to countries outside the EEA
  • You can only send personal data to a country
    outside the EEA if:
  • (a) that country or territory ensures an adequate
    level of protection for it, or
  • (b) one of the exemptions applies.

47
PRINCIPLE 8 (4)
  • EXEMPTIONS
  • Data can be transferred to any country outside
    EEA where at least one of the following applies
  • The data subject has given his or her consent to
    the transfer
  • Transfer is necessary for the performance of a
    contract between the data controller and the data
    subject, or a contract between the data controller
    and a third party entered into at the request of
    the data subject or in the interests of the data
    subject
  • Transfer is necessary for legal proceedings or
    defending legal rights
  • The transfer is necessary for reasons of
    substantial public interest
  • Transfer necessary to protect vital interests of
    the data subject (life or death)
  • Transfer is part of the personal data on a public
    register.

48
PRINCIPLE 8 (5)
  • COUNTRIES OUTSIDE EEA WITH ADEQUATE PROTECTION
  • The European Commission has decided that the
    following countries outside EEA also have
    adequate level of protection for personal data.
  • Andorra, Argentina, Australia, Canada, Faroe
    Islands, Guernsey, Isle of Man, Israel, Jersey,
    New Zealand, Switzerland, Uruguay.

49
PRINCIPLE 8 (6)
  • USA
  • USA has no national-level data protection
    legislation.
  • USA is not included in the European Commission
    list.
  • However, companies that sign up to the Safe
    Harbor scheme have an adequate level of
    protection.
  • These companies effectively agree to:
  • a voluntary self-certification scheme;
  • follow the 7 principles of information handling;
  • be held responsible for keeping to those
    principles by the Federal Trade Commission or
    other oversight schemes.
  • There are some types of institutions that cannot
    sign up to the Safe Harbor Scheme (e.g., Higher
    education research institutions).

50
PRINCIPLE 8 (7)
  • What about countries that are:
  • not in the EEA,
  • not on the list,
  • not signed up to Safe Harbor, and
  • do not come within one of the exceptions?
  • Then you need to assess adequacy yourself:
  • Is the level of protection in that country
    adequate?
  • If not, can you put in place adequate safeguards?
  • Model Contract Clauses (standard contractual
    clauses approved by the EC)
  • Binding Corporate Rules (apply to multinational
    organisations transferring out of the EEA but
    within their group of companies)
  • Or other contractual arrangements
  • A transfer is unlikely to be adequate if:
  • the transfer is to an unstable country, or
  • the nature of the information means it is at
    particular risk.

51
PRINCIPLE 8 (8)
  • Persian Gulf: 6 new members of HICFG.
  • They share data through the Health Fraud Hub.
  • Risk assessments have been carried out.
  • Adequacy test satisfied.
  • Transfer of data to these countries has been
    registered with the ICO.
  • Notification to the EC.
  • Para 3 User Agreement: the Health Fraud Hub complies
    with UAE DIFC Law No. 1 of 2007.

53
WHO OWNS THE DATA POSTED ON HIFID?
  • This is not a matter of Data Protection.
  • It is a contractual issue between HICFG and its
    members.
  • Paragraph 9 User Agreement: all data input by
    the companies is the property of the inputting
    company.
  • One can only own information if it is
    confidential.
  • So if it is not confidential, nobody owns it in
    the sense of being able to control its
    dissemination (rather than the manner of its
    representation).
  • What about the Data Subject?
  • The Data subject has some rights but only if the
    data has been processed in breach of the 8 data
    protection principles.
  • It follows that if the data is processed in
    accordance with the 8 data protection principles
    then the data subject has no recourse.

54
CONSEQUENCES OF NOT COMPLYING WITH DATA
LEGISLATION
  • Inconsistent powers and enforcement throughout
    the EU.
  • Some DPAs (national data protection authorities)
    use fines, some audit, some use undertakings and
    information notices, and some also use criminal
    sanctions.

55
PENALTIES (UK)
  • Maximum financial penalty used to be £5k!
  • From 6 April 2010 the ICO was granted the power to
    impose monetary penalties of up to £500k on a DC
    where there has been a serious contravention of the
    8 data protection principles.

56
UK EXPERIENCE
  • Undertakings: 44 (2010 and 2011)
  • Monetary penalties to date: up to £325,000 (all
    fines from 2010 are in the public sector)

57
TRAIN YOUR STAFF
  • Train your staff in the following areas:
  • Relevant law surrounding data sharing.
  • Relevant professional guidance or ethical rules.
  • Data sharing agreements and the need to review them.
  • How different information systems work together.
  • Security and authorising access to systems
    holding data.
  • How to conduct data quality checks.
  • Retention periods.
  • Note: Para 3 User Agreement (training).

58
THE FUTURE
59
DIFFICULTIES WITH CURRENT LAW (1)
  • Currently 27 different data protection laws.
  • They can prevent the free flow of data within the EU
    and offer different levels of protection for
    personal data.
  • Few adequacy findings made under Art 25(6).
  • Technology is not restricted by geographical
    boundaries.
  • Doesn't reflect the realities of globalised data
    processing.
  • Restricts international transfers.

60
DIFFICULTIES WITH CURRENT LAW (2)
  • Problems with Safe Harbor:
  • Only covers transfers to the US.
  • Some DPAs have questioned its legitimacy and
    still require authorisations for relying on Safe
    Harbor.
  • Limitations on onward transfers from the US parent
    company.
  • Problems with Model Clauses.
  • Problems with BCRs.
  • Derogations are limited.

61
MOUNTING CRITICISM
  • 2007 to 2009: mounting criticism of the 1995 Data
    Protection Directive (inc. UK RAND Report).
  • 25/01/2012: extensive legislative reform package
    launched.
  • Changes likely to be implemented 2 years after
    publication (01/2014).
  • Watch this space!

62
DATA PROTECTION REFORMS
  • Contained in the EU Data Protection Regulation.
  • Fact that it is a Regulation (and not a
    directive) means that it will automatically apply
    to all EU member states without need to implement
    legislation at a national level.
  • No room for each member state to interpret it in
    a different way.
  • One size fits all.

63
KEY PROPOSALS
  • Remember:
  • It is not a complete overhaul of the existing
    Directive, and the exemption contained in s29(3)
    remains.

64
NEW DEFINITIONS (1)
  • Data Subject
  • Re-ordering of the substantive elements of the
    personal data definition to be inside the data
    subject definition.
  • Now includes location data and online identifiers,
    e.g. IP addresses, cookie identifiers, etc.
  • Recital 24 of the draft Regulation states such
    information does not necessarily constitute
    personal information (unhelpful).
  • Child
  • Regulation definition: under 18.
  • Art 8, however, refers to parental consent if a
    child under 13 is accessing online services.
  • N.B. the Commission may lay down standard forms for
    identifying verifiable consent.

65
NEW DEFINITIONS (2)
  • Special Data
  • Includes genetic data, health data, criminal
    convictions.
  • Special data processing is prohibited, subject to
    exemptions.
  • Biometric Data
  • Need for a PIA if personal data are held in large
    scale filing systems on children, genetic data or
    biometric data.

66
CONSENT
  • Wherever consent is required for data to be
    processed it must be explicit and not implied
    or assumed.
  • In other words only one type of consent.

67
DC V DP DISTINCTION (1)
  • CURRENT POSITION
  • DPs regulated by contract only.
  • DPAs can't audit or fine (usually).
  • Significant personal data processing in the hands
    of processor providers and cloud service
    providers.
  • Blurring of responsibilities between DC/DP
  • Difficulties in compliance with data transfers.

68
DC V DP DISTINCTION (2)
  • DPs BROUGHT WITHIN THE SCOPE OF DATA PROTECTION
    LAW.
  • DPs subject to the enforcement regime (Art 53):
  • DPs may be subject to orders
  • DPs may be warned or admonished
  • DPs must grant access to all personal data,
    information and premises.
  • DPs have new rights:
  • Right to judicial review (Art 75)
  • Right to compensation and liability (Art 77)
  • Requirements for processor contracts
    strengthened.
  • Obligation to keep internal documentation.
  • Obligation to appoint a DPO.
  • Compliance with data transfer obligations, e.g.
    model clauses and BCRs.

69
DATA BREACHES
  • NOTIFY BREACHES ACROSS EUROPE WITHIN 24 HOURS
  • If there is a personal data breach:
  • The DC must notify the Regulator.
  • In many cases this means going public with the
    bad news, and fast.
  • You will need incident management plans and agile
    support to ensure compliance.
  • If there is a delay then the reasons for the
    delay must be provided when reporting.
  • The DP must alert the DC immediately after
    establishing a personal data breach.

70
FINE RISK
  • Different levels of fines.
  • Maximum: up to €1mn or up to 2% of annual
    worldwide turnover, e.g. for unauthorised
    international transfer or failure to appoint a DPO.
  • The aim is for data protection to grab the
    attention of board-level executives.
  • DPOs will need to be empowered so that they have
    board influence; they will be ensuring existing
    rules are enforced appropriately.

71
APPOINTMENT OF DPO
  • All companies will be required to appoint a DPO.
  • No requirement for a DPO for SMEs (up to 250
    employees).
  • Good idea?

72
EU COUNTRIES WITH MANDATORY DPO OBLIGATION
  • Belgium
  • By decree of the King
  • 7 laws require the appointment of DPO
  • Germany
  • Public bodies
  • Private bodies
  • Hungary (for DC or DP)
  • National Authorities, National Labour or Criminal
    Data files
  • Financial institutions
  • Telecoms services and Public Utility Services
    providers
  • Netherlands
  • 2 public sector organisations concerned with
  • Education inspection
  • Social service number
  • Slovakia
  • More than 5 employees

73
EU COUNTRIES WITH OPTIONAL DPO OBLIGATIONS
  • Estonia
  • France
  • Germany
  • Private bodies with 9 employees or less where the
    processing is automated
  • Private bodies with less than 20 employees where
    processing is not automated.
  • Latvia
  • Lithuania
  • Luxemburg
  • Malta
  • Netherlands
  • Except for 2 public sector organisations
  • Slovakia
  • Less than 6 employees
  • Spain
  • Sweden

74
DATA TRANSFERS (OUT OF EEA)
  • CURRENT POSITION
  • DC considers whether protection is adequate
    (Article 25).
  • DC adduces adequate safeguards (EU Model
    Clauses, BCRs, etc.).
  • Exception applies: consent, performance of
    contract, etc.
  • NEW POSITION
  • Commission decides whether protection is adequate.
  • DC or DP adduces appropriate safeguards in a
    legally binding instrument.
  • Exception applies: consent, performance of
    contract, etc.
  • NEW EXCEPTION
  • Transfer is necessary:
  • for the legitimate interests of the DC or DP, and
  • appropriate safeguards have been adduced.

75
ESTABLISHMENT OF NATIONAL DATA PROTECTION
AUTHORITY
  • Establishes each national Data Protection
    Authority as a one-stop shop for business and
    citizens.
  • KEY OBJECTIVE
  • To introduce clear rules for data transfers
    across borders (within multinational
    corporations).
  • A much more streamlined process.
  • Once approved by one data authority it will be
    accepted by all the others.
  • Organisations will only have to deal with one
    single national data protection authority, in the
    EU country where they have their main
    establishment.
  • Similarly, individuals can refer to the data
    protection authority in their country, even where
    their data are being processed outside the EU.
  • EU rules must apply if personal data are handled
    abroad by companies that are active in the EU
    market and offer their services to EU citizens.

76
APPLICABLE LAW AND JURISDICTION
  • THE POSITION TODAY
  • EU-established DCs are regulated globally.
  • Non-EU DCs are regulated if they use equipment in
    the EU.
  • In both cases multiple national laws may apply
    and may conflict.
  • WHAT IS PROPOSED
  • EU-established DCs and DPs to be regulated
    globally.
  • If non-EU DCs process data in the EU to offer
    goods/services to EU residents or to monitor
    behaviour, they must appoint a representative.
  • DPA one-stop shop for EU DCs based on main
    establishment.

77
ONE STOP SHOP
  • A distributed business no longer needs to comply
    with different data protection laws in each of
    the EU states where it operates.
  • It can comply with the data protection law of
    its main establishment.

78
PRIOR AUTHORISATION
  • There is no prior authorisation mechanism in the UK.
  • The Regulation does contain prior authorisation
    provisions.
  • Disproportionately burdensome and bureaucratic?

79
NEW RIGHTS CREATED (1)
  • RIGHT TO BE FORGOTTEN AND ERASURE
  • Very controversial.
  • Means people will be able to delete their data
    unless there are legitimate reasons for keeping
    it.
  • Limited practical application.
  • There are derogations and qualifications.
  • Technical difficulties around online erasure.

80
NEW RIGHTS CREATED (2)
  • RIGHT TO OBJECT
  • Individuals have the right to object to
    processing.
  • DC to demonstrate why the objection is invalid.
  • Compelling legitimate grounds exception should
    assist.

81
HARMONISATION? CLARIFICATION? SIMPLIFICATION?
  • Too soon to tell.
  • Some improvements, especially the (supposed)
    one-stop shop and reduced red tape such as
    notifications.
  • Benefits likely to be outweighed by additional
    burdens relating to record keeping, breach
    notification processes, DPOs, PIAs, prior
    authorisations and consultation, etc.

82
Questions?