Data Protection

  1. What You Need To Know
  2. What You Need To Do
  3. Writing a Privacy Notice

Data Protection Part 1: What You Need To Know

Welcome.  

This is a short training video from Support Cambridgeshire, the first in a series on data protection.  

We’re looking at the essentials of data protection law. In other words, what you need to know.  

Let’s see what we’re going to cover. We’ll begin with a short look at why privacy matters, and then we’ll move to the principles behind data protection which are set out in law. Then we’ll look at the lawful reasons for which you can process personal data. Finally, we’ll finish off this video with a look at individual data protection rights.  

But before we begin, let’s remind ourselves what we mean by personal data.  

What we mean by personal data

Personal data is any piece of information, including a photograph, from which an individual can be identified. So name, address, payroll number, or bank account number, for example, are all forms of personal data. But things like hair colour, shoe size, town of birth are not personal data because on their own, none of these things can identify a single individual.  

Of course, when you combine certain data, such as a person’s race with their name, for example, then both would be classed as personal data.  

Learn more about Key Data Protection Terms. 

Why privacy matters

Okay, so why should we be bothered about privacy? Isn’t it just common sense?  

Well, it’s much more than that. We all have a right to privacy, and if that right is broken, then the consequences can be severe. For example, the release of personal data about health conditions or perhaps trade union membership could result in discrimination or even dismissal by an employer. Of course, criminals use personal data for identity theft and fraud, blackmail, ransom, and other threats.  

But failing to respect privacy can damage voluntary organisations as well. For a charity, it can lead to bad publicity, damage to reputation, loss of support and funding, fines, and the extra costs of putting things right.  

That’s why we have data protection laws, namely the UK GDPR, which is how it’s known following Brexit, and the 2018 Data Protection Act. But what do these laws say?  

The principles behind data protection

Helpfully, the UK GDPR sets out a number of principles by which personal data must be processed. Follow these, and you shouldn’t get into trouble with the law.  

The first principle is that you must have a lawful reason or basis for your processing. There are six of these which we shall look at later.  

Next, you can only use the data for the purpose it was collected. For example, you can’t use someone’s details for sending them funding requests if you’ve only said you will use it to provide a particular service.  

The third principle says you must only collect and process data that is necessary, so no asking for a postal address if you only ever intend to email someone.  

The fourth principle is that the data you process must be accurate. This means you must take reasonable steps to keep it up to date.  

Fifth, it should be kept for no longer than is actually necessary. Once it’s not needed, it should be deleted.  

Sixth, it must be secure. This means you need good cyber and physical security for the data.

Finally, the seventh principle says you are accountable for how you handle data, so you need to make sure you can demonstrate compliance with the law.  

Now, as we’ve seen, the first principle of data protection is that you can only process data for a lawful reason.  

Lawful reasons on which data can be processed 

Let’s just look at the six lawful reasons, sometimes called bases, on which data can be processed.  

The first reason or lawful basis for processing personal data is consent. To be valid, this consent must be freely given by clear, affirmative action for each processing reason. 

There can be no generic or bundled-up consents and no pre-ticked boxes for someone to untick. Finally, it must be easy to opt out, that is, to withdraw or revoke consent at any time.

The next lawful reason for processing is contractual. This is where we process data with a view to entering into or operating a contract. Processing personal details, such as in a quote for some work, is a contractual reason for data processing.

We now come to legitimate interest. This is a useful reason to have for data processing because it’s so flexible. However, the small print says that your interest must not override the privacy interests of the individual, so the processing has to be something transparent that the data subject would expect. A business interest, for example, can be a legitimate interest if it is clear and expected. A good example might be processing the names of individuals who have applied to attend a training course. Clearly, you can’t process applications without collecting names. Anyone who signs up would expect you to do this, so there is no hidden processing or undermining of an individual’s privacy. 

The fourth of our six reasons is legal obligation. This is where you are required to process the data by law. For example, an employer has a legal duty to collect income tax through Pay As You Earn, which clearly requires the processing of personal data.  

The next reason is vital interest. It applies in very limited circumstances, specifically when there is a risk to life. 

The sixth and final lawful reason applies to public authorities and elected officials, such as a councillor or member of parliament. Here, personal data can be processed lawfully, specifically in order to provide a service or to perform a public task. 

The next part of this video involves looking at the individual legal rights people have over how their data is processed, all of which are enforced by a regulator, the ICO (Information Commissioner’s Office).

So what are these rights?  

Top of the list is the right to be informed about how and why your data is processed. This is usually set out in a privacy notice which must be provided at the point that personal data is collected. We cover privacy notices in the third video in this series.  

You also have a right to access your personal data that an organisation is processing. This is enacted through a “subject access request”.  

Next, you have a right to have errors rectified once the organisation has been made aware of the error.  

And you have a right to restrict processing. This limits how data can be used and usually applies when the accuracy of data is contested or while an objection to data processing is being considered. That leads nicely into your specific right to object to processing in certain circumstances: for example, if you object to your data being used for direct marketing, or if you question why an organisation is relying upon legitimate interest as the lawful reason for the data processing.

You also have a right to be forgotten, that is, to have data erased when it is no longer needed, for example if the data is historical or if you have withdrawn consent for processing.

Perhaps not used quite so often is a right to data portability, which allows you to reuse your data for your own purposes across different services. This is how, for example, insurance comparison sites work.  

Finally, you have certain rights in relation to high volume automated processing and profiling. This is something used to evaluate an individual based on their personal data and decide, for example, what products they may like to buy.  

Okay, that’s all we’re covering in this video, so let’s quickly recap.  

To protect privacy, you should comply with the seven data protection principles, which include processing data securely and being accountable for what you do. You should always have a lawful basis for every data processing operation. Finally, you should uphold the data protection rights of individuals, which, among other things, means providing privacy information.

For practical advice on compliance with the law, please look out for the other titles in this Data Protection Series. 

And to learn more about the areas we have covered in this video, please refer to the ICO website. 

Guidance links: 

Data Protection Part 2: What You Need To Do

Welcome. 

This is the second short training video produced by Support Cambridgeshire in a series on data protection. In this one, we’ll be looking in particular at the key steps you should take to comply with data protection law.  

But first, here is a very short recap on what we covered in video one.  

Video one highlighted the seven principles of data protection that underpin the law. One of these is that you must have a lawful reason to carry out your processing. There are six lawful reasons, including consent, entering into a contract and legitimate interest. We ended the first video explaining that individuals have a range of legal rights, including the right to be informed and to have access to the data you hold on them.  

With these things in mind, what are we going to cover in this video? Firstly, we’ll begin with what you’re allowed to do with other people’s personal data. Then we’ll look at what steps you must take to comply with the law and so meet your legal duties. This will include looking at data audits, privacy notices, data protection policies, and staying accountable. Finally, we’ll finish with a look at the vital subject of data security. 

Other people’s personal data

Let’s look at what you’re allowed to do with personal data. The answer may surprise you. If you stick to certain requirements, in other words, the data protection principles and respecting an individual’s data protection rights, you can do almost anything with someone’s personal data.  

This includes processing their data without consent, because consent is just one of six legal reasons for processing data. It also includes profiling someone and targeting specific individuals; sharing data, including data of a personal nature such as to do with health, criminal records or a protected characteristic; selling data; refusing someone a job; or even proscribing someone (in other words, barring or prohibiting someone from something).

Remember, though, the data protection principles are strict, and they include having a legal reason for processing data and only processing data for the purpose it is collected.  

Complying with the law  

This looks at what you must do as an organisation to comply with the law.  

The place to start is with a data audit. To make sure you comply with the law, you first need to understand all the different types of data you are collecting. So carry out a data audit to find out what is collected, how, why and when you do this. Also, look at what you actually do with the data, including who, if anyone, it is shared with and how it is stored.  

The importance of auditing your processing operations cannot be overstated, because it will inform your future data processing arrangements. For example, the audit allows you to decide the legal reason for each of your processing operations and to identify any associated privacy risks.

Once the audit is complete, you can also use it to produce a privacy notice. This is used to tell people whose data you are processing, why you need their data, and what you’re doing with it. In this way, you’ll be meeting an individual’s right to be informed.  

Your privacy notice must include certain required information as set out by the Information Commissioner’s Office, the UK’s data protection regulator. One of these is the lawful reason under which you are processing data, but others include how the data is stored and who has overall responsibility for data protection in the organisation. Privacy information must also be made available at the time data is collected. You will need to think about your data collection methods and how your privacy notice can be made available to individuals. Again, your data audit should help with this.

Given the importance of privacy notices, we have devoted the third video of our data protection series to this topic. Please view the video to find out how you write a privacy notice for the data you process.  

General data protection policy

Alongside your privacy notice, you also need to have a general data protection policy. 

This will explain how you meet other aspects of data protection law and good practice. It’s all about showing that you are accountable, trustworthy, and transparent.  

So what does a data protection policy look like? It should start by setting out your commitment to protecting privacy and the levels of responsibility for data protection within your organisation. This includes stating who is in overall charge of data processing. It should then go on to cover all your arrangements for compliance with the law. The arrangements should cover things like your data processing audit, your data security, your data sharing arrangements, and clear procedures for dealing with data breaches, requests, or complaints connected to individual rights.  

To help you develop a suitable policy, a template is available from Support Cambridgeshire. In addition, the NCVO have produced some guidelines for writing a data protection policy, and the link to the relevant page on their website can be found in the guidance links below.

You need to account for your actions when you process personal data and show that you are complying with the law. Indeed, this is one of the seven principles of data protection. Keep good records, make sure your data protection policy is fit for purpose, and that the arrangements it describes are working properly. Make sure your team is fully trained on how to process data securely and that they know how to recognise cyber attacks like phishing.  

As I explained in the first video of this series, consent, when used as a lawful reason for processing, must be given freely and it must be possible to withdraw the consent at any time, something that must be made clear when consent is given. When it comes to email marketing circulars and e-newsletters, obtaining consent is the only legal route you have.  

Indeed, an individual must consent to be placed on the marketing mailing list, and they must be able to withdraw that consent at any time. This means including an “unsubscribe” notice, or preferably an “unsubscribe” button on every email or newsletter.  

However, an upcoming change in the law will allow charities and voluntary groups to apply what is called the soft opt-in in certain circumstances. This means that direct consent will not necessarily be required. More information can be found in the guidance links below.

Data security

Keeping your data safe, both physically and electronically, is absolutely essential, so you must train your staff and/or volunteers in data security. In fact, you can be fined quite heavily if you fail to protect your data from hackers and thieves, even though you, as an organisation, will have been the victim of a crime.  

So make sure that you:

  1. Control access to data (who can access it, and from where) with robust passwords and two-factor authentication of users.
  2. Regularly back up your data.
  3. Ensure physical security: doors, locks, lighting, CCTV, etc.
  4. Ensure safe disposal of data waste.
  5. Control the use of laptops and other mobile devices with encryption, passwords, antivirus software, etc.
  6. Keep software and operating systems up to date.
  7. Develop a cyber incident plan so you are ready to deal with any problems if they arise.

Summary

Okay, we’re almost at the end of this video, so let me sum up. 

As long as you have a lawful reason for your processing and can meet all the other data protection principles, then you can process data for all sorts of reasons. But to stay within these principles, you must comply with the law. To do this, you need to know what data you are processing and why, and what exactly you will do with it.

This is where a data audit helps. You should also have policies and procedures setting out who is responsible for what aspects of data protection and the different arrangements you have in place for legal compliance. Key among these is the need to provide privacy information at the time data is collected.  

So use the videos and other resources from Support Cambridgeshire and then complete a data audit. Do this and you’ll find that data protection compliance becomes straightforward.  

For further information, please refer to the Information Commissioner’s website and see the guidance links below for information on: key data protection terms, who needs to register with the Information Commissioner’s Office, dealing with freedom of information and subject access requests, and the soft opt-in for sending out marketing emails.

That is the end of this video, so thank you for watching.

Key Data Protection Terms

Who needs to register with the ICO

Freedom of Information 

Subject Access Requests 

The soft “opt-in” 

Guidance on direct marketing using electronic mail

Privacy notice generator tool

Writing a data protection policy and procedures

Guidance on AI and data protection

AI risk toolkit

Data Protection Part 3: Writing a Privacy Notice

This is part three of a series produced by Support Cambridgeshire on Data Protection. In this video, we are looking at writing your privacy notice.  

Let’s see what we’re going to cover.  

We will start by looking at why you need a privacy notice. Then consider where to start. Next, we’ll look at the very important content of a privacy notice. Lastly, we’ll look at making your privacy notice available to people.  

Why you need a privacy notice

So why is it needed? A privacy notice is a statement that tells someone how and why you will be using their personal data. Essentially, it’s a tool to help you comply with the transparency obligations of the UK General Data Protection Regulation, commonly known as the UK GDPR. Because of this law, individuals have a right to be informed, and to comply, you must provide privacy information that tells individuals about your data processing in a way that is easily accessible and easy to understand.  

Where do you start? 

To provide individuals with privacy information, begin by checking your data audit. If you don’t have a data audit, then carry one out to find out about your processing activities. This means looking at each data processing operation in your organisation and deciding what you are processing, why you’re doing it, where and when, the lawful reason that allows your processing to go ahead and who the data is shared with, how it is stored, and so on.  

By doing the data audit, you will have all the information you need to get started on a privacy notice.  

What about the content?

Exactly what should go into a privacy notice is set out by the Information Commissioner’s Office. This is the UK regulator responsible for data protection.

Your privacy notice should include the following:

  1. what personal data you use, such as name, address, telephone number and email address;
  2. why you use it, in other words, what you need it for;
  3. how you use it;
  4. who, if anyone, it is shared with, such as another organisation or agency;
  5. how long you will keep it;
  6. the lawful basis for your processing (for example, this might be consent);
  7. the name and contact details of your organisation;
  8. the rights of individuals, and how to complain.

There may also be some other things that should be included, but only if they apply to your processing. These are:

  1. the source of someone’s personal data, if it was not obtained from the individual;
  2. your legitimate interests for the processing (this only applies if you rely on legitimate interest as a lawful basis);
  3. the right to withdraw consent (again, this only applies if consent is your lawful basis for processing).

Making your privacy notice available

But how should you go about providing privacy information? How and when do you make your privacy notice available?  

Firstly, it must be provided at the time personal data is collected. This means it can be provided in person or, if a link is given, on a website. But remember, putting your privacy notice on a website is only going to reach those people who look at that particular website. It must also be in a concise, accessible format using plain language, so keep it short and jargon free. Remember also that you don’t have to overwhelm someone with privacy information, so you can make it available in layers or parts to suit your audience. You can also use handouts, clearly visible footnotes, dashboards, icons, and banners as needed.

Summary

A privacy notice is essential to meet your transparency obligations and should provide information about how and why you process someone’s data. There are certain pieces of information that you are required to provide, and it must be given at the time that personal data is collected. Finally, it must be clear, accessible, and free of jargon.  

For further information, please refer to the Information Commissioner’s website. This includes, under the section on “advice for small organisations”, a privacy notice generator tool. A sample privacy notice generated by this tool is also available from Support Cambridgeshire.

Finally, there is a transcript that accompanies this video with links to additional information on key data protection terms, who needs to register with the Information Commissioner’s Office, dealing with freedom of information and subject access requests, and the soft opt-in for email marketing newsletters.

Key Data Protection Terms  

Who needs to register with the ICO 

Freedom of Information 

Subject Access Requests

The soft “opt-in”

Guidance on direct marketing

Privacy notice generator tool  

Writing a data protection policy and procedures 

AI and data protection

AI risk toolkit
