GDPR Training ( Awareness - ensure all staff are aware and complete…
GDPR was approved on 27th April 2016 by the EU, with a 2 year transitional period introduced to allow compliance. Enforceable from 25th May 2018.
Previous Data Protection legislation was a Directive and so there was room for interpretation at national level.
Personal Data - Information relating to an identifiable person who can be directly or indirectly identified through an identifier
Sensitive Personal Data - GDPR refers to special categories of personal data.
- Racial or Ethnic Origin
- Political Opinion
- Philosophical belief
- Trade Union Membership
- Processing of genetic data
- Biometric data
- Sex life
- Sexual orientation
Data processing - any operation performed on personal data, whether or not by automated means. Could include:
- Disclosure by transmission
- Dissemination or otherwise making available
Data Controller - determines the purposes and means of processing personal data.
Must ensure that contracts with processors comply with GDPR
Data Processor - Responsible for processing personal data on behalf of the Data Controller.
Has an obligation to maintain records of personal data and processing activities
Data Subject - an identifiable person that personal data relates to.
Able to exercise various rights over their personal data under GDPR
The ICO - independent authority set up to uphold information rights in the public interest. Covers and enforces legislation. Also registers orgs that process personal information in line with the DPA.
- Awareness - familiarise all staff
- Accountability - Ensure transparency
- Recording DP activities to ensure compliance
- DPO - where appropriate, appoint a DPO for the org
- Impact assessments - Ensure that a DPIA is undertaken if a new tech is used or if there is a high risk
- Data Subject Rights - make subjects aware of their rights regarding personal data and empower them to take control
- Awareness - ensure all staff are aware and complete training
- What Data do we hold? - best to hold a data audit to identify what personal data has been collected and stored, how it is processed and to whom it is disclosed
- Accountability principle - Although the principles are similar, there is a greater focus on evidence based compliance. GDPR has set out specific requirements and greatly increased subject rights and penalties
Accountability is one of the key changes. Orgs have to demonstrate that they are compliant.
Article 5 of GDPR requires that personal data be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, or for scientific, historical or statistical purposes, is not considered incompatible
- Adequate, relevant and limited to what is necessary only
- Accurate and, where necessary, kept up to date, with great care taken to ensure that inaccurate or out of date info is corrected or erased asap
- Kept in a form which permits identification of data subjects for no longer than is necessary for purpose. Personal data may be kept for longer periods solely for archiving, scientific or historical research or statistical purposes subject to safeguards
- Processed in a manner which ensures appropriate security of the personal data - including adequate protection against unlawful processing and accidental loss, destruction or damage, using appropriate tech or org measures
Controller responsibilities: The data controller determines the purposes and means of processing personal data. It should implement appropriate tech and org measures to ensure and demonstrate that processing is in accordance with GDPR. If processing needs to be delegated to a processor, there needs to be a contract or other legal act setting out:
- Subject matter of the processing
- duration of the processing
- type of personal data
- categories of data subjects
- obligations and rights of the controller
Processor responsibilities: Only act on instruction of controllers.
Contracts must ensure international transfers of data
The contract must set out that the processor:
- Must only process personal data on a documented instruction from the controller
- Must ensure that any person authorised to process has committed to a duty of confidence
- Must take appropriate security measures
- Must only engage a sub-processor with the prior consent of the controller in writing
- Must assist the controller in facilitating SAR and other rights of the subject
- Must assist the controller in compliance, notification of data breaches and impact assessments
- Must delete or return all personal data at the end of the contract
- Must provide and cooperate with all audit and inspections to ensure compliance
Adequacy - Transfers may be made where the European Commission has decided that a third country, an area within a country or an international organisation ensures adequate levels of protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial industries), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, US (limited to Privacy Shield framework). You can view an up to date list at the following link: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Appropriate Safeguards - Transfers may be made where the organisation receiving the personal data has provided appropriate safeguards. Individuals' rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
Transfers can also be made without an adequacy decision or appropriate safeguards where:
- Where the individual has given informed consent
- the transfer is necessary for contract
- important reasons of public interest
- Is necessary to protect the vital interests of the data subject, where the subject is physically or legally incapable of giving consent
The ICO has published guidance for these contracts between controllers and processors. In future, standard clauses may be included.
Information on processing must be documented if:
- the org has 250 employees or more, or for smaller orgs where the processing activities:
- Are not occasional
- Could result in high risks
- Processing special categories of data or criminal
The following info should be documented:
- Name and contact details of the controller/processor and DPO
- Purposes of processing
- desc of the categories of subjects and personal data
- categories of recipients of personal data
- retention schedules
- a desc of tech and org security measures
- details of transfers abroad along with safeguard info
(There are templates for these on the ICO website)
DPO - A DPO must be designated if the org:
- Carries out regular and systematic monitoring of individuals
- Carries out large scale processing of special cats of data, such as health records
The primary role of the DPO will be to ensure that the processing of the personal data of staff, customers, providers and any other individuals, processed by the organisation, is performed by the organisation in compliance with the relevant data protection rules.
Responsibilities of a DPO:
- Informing and advising staff on their requirements under the new regulations.
- Monitoring compliance - providing training for staff involved with data processing, undertaking internal data audits and managing internal data protection activities.
- Providing advice in relation to DPIAs (Data Protection Impact Assessments).
- Cooperating with the supervisory authority.
- Being the first point of contact for individuals whose data is processed within your organisation.
A privacy notice should include:
- how an individual’s personal data is held confidentially and securely
- an explanation on the primary purpose/purposes for processing personal data
- any other reasons an individual’s personal data may be used.
Should also include contact details for DPO and Data Controller etc
For GO Surgery:
- how medical records are held confidentially and securely
- how medical records are primarily used for the safe and effective delivery of care
- how parts of medical records may sometimes be used for other purposes, such as efficient management of the NHS
The GDPR states that: Processing shall be lawful only if and to the extent that at least one of the following applies:
- Consent is given by the subject
- Contract in place with third parties
- Legal obligations
- Vital interests of the subject
- Public task or official authority
- Legitimate interests
Data breaches must be reported without undue delay and within 72 hours of first becoming aware of the breach.