Upload: john-rogers

Post on 23-Dec-2015

An Overview of Data Protection Legislation

Consumer Affairs Department, Tel 061 483286 / 87

© Health Service Executive


Contents

• Introduction and background.

• Main definitions.

• Rules and responsibilities for all staff.

• Contact details.


What is Data Protection?

• Safeguards the privacy rights of individuals in relation to the processing of personal data by:

– regulating computer use

– giving individuals rights in relation to their personal information

– imposing responsibilities on organisations in terms of compliance with the Data Protection rules and rights of access

• Data Protection Acts 1988 & 2003 create rights for individuals and responsibilities for computer and other users.

• When you create a record which contains personal data not only should it remain confidential but you are also obliged to keep it safe and secure and use it only for the purpose for which it was collected.

• Disciplinary action may follow a DP breach, as each staff member has an individual responsibility under DP legislation and the more recent HSE policy.


History

• Council of Europe Convention of Data Protection, 1981. The purpose of this convention was to secure respect for a person’s rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data relating to them ("data protection").

• Data Protection Act 1988 (gives effect to the 1981 convention).

• Data Protection Directive, Directive 95/46/EC:

– Manual records

– Consent

– Transfer of data

• Data Protection (Amendment) Act 2003.

• Privacy Bill 2006.


Corporate Responsibilities

• The HSE must comply with Data Protection legislation.

• The HSE must nominate Data Controllers – four in total, being the Consumer Affairs Area Manager in each of the four regions.

• Each Data Controller must register all databases with the Data Protection Commissioner and ensure that this registration is kept up to date.

• The HSE must process all Data Protection Access requests.

• The HSE must ensure that all staff have received Data Protection training.


Definitions

• Personal Data – Personal information (even minimum information such as name, address or email address) about a living individual held either electronically or in paper files. It includes information in the form of photographs, fingerprints, audio recordings and text messages. Personal information can be stored in a number of ways such as in mobile phones, laptops, palm pilots, voicemail, fax machines and CCTV.

• Sensitive Personal Data – Relates to specific categories of data which are defined as data relating to a person’s racial origin, political opinions or religious or other beliefs; physical or mental health; sexual life; criminal history; trade union membership.


Definitions

• Data – Information in a form which can be processed (manual & electronic).

• Data Subject – An individual who is the subject of personal data.

• Data Controller – A person who, either alone or with others, controls the content and use of personal data.

• Data Processor – A person who processes personal information on behalf of the data controller.


Definitions

• Processing of Data or Information – performing any operation on data including:

– Obtaining, recording, keeping

– Collecting, organising, storing, altering, adapting

– Retrieving, consulting, using

– Disclosing, transmitting, disseminating

– Aligning, combining, blocking, erasing or destroying


The 8 Principles of Data Protection


Principle No 1

Obtain and process information fairly

• In order to obtain personal data fairly from people, we need to ensure that they are made aware of:

– Why the data is being collected.

– What it will be used for.

– Persons/third parties to whom data may be disclosed.

– Right to access their data.

• To fairly process personal data it must have been fairly obtained and the data subject must have given consent to the processing.



Principle No 2

Keep it for one or more specified, explicit and lawful purposes

• An individual should know the purpose for which we collect and hold his/her data.

• He/she must also be aware of the different sets of data which we hold and the specific purpose of each set.



Principle No 3

Use and disclose it only in ways compatible with these purposes

Key tests of compatibility are:

1. Do you use the data only in ways consistent with the purpose for which it was obtained?

2. Do you disclose the data only in ways consistent with that purpose?

What is Compatible Disclosure?

• Closely related to the specified purpose

• Consistent with the specified purpose

• Need to know basis

• The surprise test – would the subject be surprised to learn that the disclosure is taking place?



Principle No 3

Use and disclose it only in ways compatible with these purposes

We as staff of the HSE must ensure that personal data is used only in ways consistent with the purpose for which it was obtained.

• Except where it is:

– Required urgently to protect life and limb.

– Required by law or court order.

– With consent of/on behalf of the data subject.

– Crime; tax; State security; international relations.



Principle No 4

Keep it safe and secure

• Appropriate security measures must be taken against unauthorised access to, alteration, disclosure or destruction of, the data and against their accidental loss or destruction.



Principle No 4

Keep it safe and secure

All staff should be aware of the Information Security Policies adopted by the HSE, including:

– Information Security Policy

– Information Technology Acceptable Usage Policy

– Electronic Communications Policy

– Password Standards Policy

– Encryption Policy

– Mobile Phone Device Policy


Principle No 5

Keep it accurate, complete and up to date

• We need to ensure that clerical and computer procedures are adequate to ensure high levels of data accuracy.

• We also need to ensure that appropriate procedures are in place, including periodic review and audit, to ensure that all records are kept up to date.


Principle No 6

Ensure that it is adequate, relevant and not excessive

We must ensure that information being held is:

• Adequate and relevant in relation to the purpose for which it is being held.

• Not excessive in relation to the purpose for which it is kept.

e.g. asking a job applicant about criminal convictions could be relevant, but it would be irrelevant and excessive to ask the same question in an online booking form for theatre tickets!


Principle No 7

Retain it for no longer than is necessary for the purpose

To comply with this:

• Staff should be aware of:

– the length of time data/records are held.

– the reason why they are being retained.

– the process for destruction when no longer required.

• Responsibility should be assigned to a specific individual within a department to ensure that files are reviewed on at least an annual basis, to ensure that personal information is not retained any longer than necessary.

• All staff should be aware of:

– NHO Code of Practice for Healthcare Records Management.

– The National Policy for Health Boards on Record Retention Periods.


Principle No 8

Give a copy of personal data on request

On making an access request, any individual about whom you keep personal data is entitled to:

• A copy of the data you are keeping about him/her

• Know the purpose/s for processing the data

• Know the identity of those to whom you disclose the data

• Know the source of the data, unless it is contrary to the public interest

• Know the logic involved in automated decisions

• A copy of any data held in the form of opinions, except where such opinions were given in confidence


Right of correction or erasure

Section 6 of the Act

• The data subject must make a written request.

• Personal data must be corrected if inaccurate, or deleted.

• The data controller has 40 days to respond.

• No fee is required.


Manual Data

This information must be in a ‘relevant filing system’ which is structured by reference to individuals in such a way that specific information relating to a particular individual is readily accessible.

• The data must be part of a set

• The set must be structured

• The data must be accessible

• Such access cannot be simply random but must be according to specific criteria


Security Issues

Manual Files

• Who has access?

• At what level is it authorised?

• Are they kept under lock and key?

• Are there designated staff to make additions to the file?

• Who deals with requests for information from the file? Are there set procedures for this?


Faxing Information

Confidential and personal information should not be transmitted by fax message except if all persons identified in the fax message have fully understood the risks and agreed, or there are no other means available, or in a medical emergency where a delay would cause harm to a patient.

• Checking and confirming correct fax numbers

• Authorised access to fax only

• A phone call before the fax is sent to ensure the machine is manned

Mailing Information

• Registered post

• Check correct mailing address

• Sealed envelopes


What are Electronic Records?

The term electronic record is a generic description for a record held on, or produced by, a computerised system.

Records can be output as any media: text, images, sound or a combination of these and include electronic documents and electronic messages.


Information Security Policies: HSE

• The aim of these policies is to help protect patient, client and staff information.

• Each staff member who uses HSE ICT equipment or has HSE data stored on an electronic device needs to make themselves familiar with the policies:

Information Security Policy, Information Technology Acceptable Usage Policy, Electronic Communications Policy, Password Standards Policy, Encryption Policy, Mobile Phone Device Policy

• The full policies are available to download from the HSE intranet:

http://hsenet.hse.ie/HSE_Central/Commercial_and_Support_Services/ICT/Policies_and_Procedures/Policies/

• If you have any queries contact your local ICT Department, Tel 061 483308


Keep it Safe and Secure

• Personal laptops or other equipment (e.g. cameras, phones) must NOT be used for HSE business.

• The storage of confidential or personal information on USB flash drives (i.e. memory stick/pen/keys) is strictly prohibited. Encrypted HSE approved USB memory sticks may only be used on an exceptional basis where it is essential to store or temporarily transfer confidential or personal data.

• Users must only use accounts and passwords that are assigned to them.

• All confidential and personal information transmitted to an email address outside the HSE Domain must be encrypted.

• All HSE laptop computer devices must be password protected, have up to date anti-virus software installed and have encryption software installed.


Keep it Safe and Secure

• Old and obsolete IT equipment must be securely recycled via the ICT Directorate.

• Confidential and personal information must be securely deleted from your PC when no longer required.

• All passwords must be a minimum of 8 characters and must contain a combination of letters, numbers and at least one special character.

• Mobile phone devices should have PIN or password protection, and those with cameras must not be used inappropriately.

• Restrict access to records on a “need to know” basis & ensure premises are secure when unoccupied.

• Ensure there are back-up procedures for computers, including off-site back-up.
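The password rule on this slide (minimum of 8 characters, letters, numbers and at least one special character) is the one item here that can be checked mechanically. The Python below is an added example written for this page; it is not HSE code and not taken from the HSE Password Standards Policy. The function names, failure messages and sample passwords are my own, and reading "special character" as any character that is not a letter, digit or whitespace is an assumption, since the slide does not define the term.

```python
import re

# Added example for this page, not HSE code. Implements the password standard
# as stated on the slide: at least 8 characters, with letters, numbers and at
# least one special character. The interpretation of "special character" as
# any non-letter, non-digit, non-whitespace character is an assumption.

MIN_LENGTH = 8


def check_password_standard(password: str) -> list[str]:
    """Return the list of rules the password fails; an empty list means it meets the standard."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no letter")
    if not re.search(r"[0-9]", password):
        failures.append("no number")
    # Whitespace is deliberately not counted as a special character.
    if not re.search(r"[^A-Za-z0-9\s]", password):
        failures.append("no special character")
    return failures


def meets_standard(password: str) -> bool:
    """True when the password satisfies every rule on the slide."""
    return not check_password_standard(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["abc", "Summer2024", "pass word 1", "Catherine-St#31"]
    for candidate in samples:
        problems = check_password_standard(candidate)
        verdict = "meets standard" if not problems else "fails: " + ", ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

The checker reports every failed rule rather than stopping at the first, which is more useful when the result is shown back to the person choosing the password.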


Keep it Safe and Secure

• PCs should be locked when a person leaves their desk (Ctrl+Alt+Delete).

• Staff should log out of their PC at the end of each working day.

• Confidential waste papers must be securely disposed of (shredded).

• Use screen savers and passwords.

• Revoke IDs and passwords as soon as users resign or leave.

• Use audit trails to track when a record is accessed and by whom.

• Information on computer screens and manual files should be kept hidden from callers and should be secured when the office is unoccupied.

• Ensure there are contracts and confidentiality agreements in place with data processors.


Laptops – some basic precautions!

• Do not leave the portable unattended.

• Do not position portables near exterior windows where they are subject to ‘smash & grab’ theft.

• Keep only the most necessary information on the portable.

• Back up files and store them in some place other than the carry case.

• Pay attention to where you use the portable; be aware that someone could see the screen behind you.

• Be cautious about installing any software from unknown sources – it may contain a virus.

• Ensure that sensitive files are password protected when stored on the laptop.

• Ensure that anti-virus software has been installed.

• Ensure that the data held on your laptop is encrypted.


Data Breach

• HSE Data Protection Breach Management Policy

• An incident report must be completed immediately by HSE employees and their line manager whenever confidential or personal data belonging to the HSE is accidentally disclosed, lost or stolen, or whenever an HSE mobile computer device or a mobile storage device is lost or stolen.

• The completed report must be forwarded immediately via fax or email (a scanned copy) to the employee's local Consumer Affairs Office (for incidents involving the accidental disclosure, loss or theft of manual (paper based) data) or to the ICT call centre / helpdesk (for incidents involving the accidental disclosure, loss or theft of electronic data, or the loss or theft of an HSE mobile computer or storage device).


Data Breach

What to do in the event of a breach

• Contact your Line Manager

• Fill out the incident form with your Line Manager

• Contact the Gardaí (if items are stolen, etc.)

• Contact Consumer Affairs / ICT Helpdesk

• Recommendations: a key aspect of the report, which are followed up by Consumer Affairs and the DP Commissioner

• Disciplinary action may follow, as each staff member has an individual responsibility under DP legislation and the more recent HSE policy


Data Protection Commissioner


DP Commissioner

• Upholds rights of individuals

• Enforces obligations of data controllers

• Investigates complaints

• Maintains public register

• European functions

• Codes of Practice

• Investigation to ensure compliance and identify contravention

• Pre-registration check

• Name & publish

• Annual Report absolutely privileged


Commissioner’s Powers

• Information notice (section 12)

• Enforcement notice (section 10)

• Prohibition notice (section 11)

• Powers of entry and inspection (section 24) – “authorised officers”

• Decision on complaints (section 10)

• Refusal to register (section 17)

• Auditing powers (section 10 (1) a)


Offences and Penalties

• Failure to comply with a Notice

• Failure to register

• Failure to comply with terms of register entry

• Fine of up to €100,000

• Court may order erasure of data


Guidelines & Contact Details

Consumer Affairs Dept, H.S.E., 31/33 Catherine St. Limerick Tel: 061 483286/87

ICT Dept, H.S.E., 31/33 Catherine St. Limerick Tel: 061 4833308

HSE Website: http://hsenet.hse.ie/Intranet/HSE_Central/Consumer_Affairs/

The Data Protection Commissioner’s Website: http://www.dataprotection.ie Tel: 057 8684800