Irq0804734 Disclosure 1 GDPR Module 1 Intro PDF
Resources :
1. Powerpoint facilities
2. Spare lined paper
3. Namecards and pens
1. Delegate notes
2. Handout - contents list for GDPR
3. Activity 2 - identifying the principle
4. Activity2- answers
5. Activity 3 - delegate sheet - 1 each (not laminated)
6. Evaluation form
The course is suitable for: Any new staff to the ICO who are going to
be working with the GDPR, DPA2018 and PECR
It is a European Regulation which means that all countries in the EU have the
same basis for their data protection laws.
The Data Protection Act 2018 (DPA2018) provides UK-specific provisions and
exemptions.
PECR overlaps with GDPR, and specifically covers electronic marketing - phone
calls, emails, texts. It will be replaced by the ePrivacy regulation.
So the GDPR and the DPA2018 need to be read together. They are not complete
as standalone documents.
Key points:
4. Key definitions
data subject - the person who is the subject of the personal data. If an
organisation holds data about you, you are the data subject.
controller - the organisation responsible for the processing of the data about
the data subject. The ICO is a controller for our data.
Failing to comply with a principle is not a criminal offence, but can lead to
enforcement action from the ICO (including a monetary penalty).
(a) processed lawfully, fairly and in a transparent manner in relation to the data
subject (lawfulness, fairness and transparency);
(b) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes (purpose
limitation);
(c) adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed (data minimisation);
(d) accurate and, where necessary, kept up to date; every reasonable step must
be taken to ensure that personal data that are inaccurate, having regard to the
purposes for which they are processed, are erased or rectified without delay
(accuracy);
(e) kept in a form which permits identification of data subjects for no longer than
is necessary for the purposes for which the personal data are processed
(storage limitation);
(f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or
organisational measures (integrity and confidentiality).
There is a final principle at Article 5(2) which states that the controller shall be
responsible for, and be able to demonstrate compliance with, paragraph 1(a) to
(f) - referred to as accountability.
6. Lawfulness of processing (Article 6)
There must be a lawful basis for processing (a) to (f):
a) the data subject has given consent to the processing of his or her personal
data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the
data subject is party or in order to take steps at the request of the data
subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the
controller is subject;
d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the
controller;
f) processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such interests
are overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where
the data subject is a child. (Not applicable to processing carried out by public
authorities in the performance of their tasks.)
Be aware that processing special category data is prohibited unless certain
conditions apply (there are 10 listed in Article 9).
Eg (a) explicit consent, (f) processing necessary for the establishment, exercise
or defence of legal claims or whenever courts are acting in their judicial capacity
etc
Note that 5 out of the 10 conditions refer to Member State law and require UK
authorisation or a basis in UK law. In the UK this is the DPA2018.
The UK conditions for processing special category data are in Schedule 1 of the
DPA2018 (will cover in a later module).
A controller must still also have an Article 6 lawful basis for processing - special
category data is by its nature more sensitive and needs more protection.
The GDPR also accords the individual specific rights with respect to their
personal data held about them. The right to:
• be informed;
• be given access;
• rectification;
• erasure (to be forgotten);
• restriction of processing;
• data portability;
• object to processing (including direct marketing);
• not be subject to a decision based solely on automated processing
including profiling, which produces legal effects concerning him or her or
similarly affects him or her.
10. Exemptions
The GDPR generally requires that controllers tell individuals when their data is
being processed, and limits the sharing of data with third parties.
However there are exemptions for circumstances where this would be
undesirable.
As most exemptions relate to the law of each member state, the GDPR allows
them to provide their own exemptions. Ours are therefore covered in the DPA2018.
If an exemption applies a controller may not have to comply with all of the usual
GDPR rights and obligations.
Also, you would expect the organisation to share information with the
investigators - so for example, an employer might tell the police a suspect's
address. (This information would normally be kept confidential but there is an
exemption to allow disclosure in these circumstances.)
So for example there are exemptions in the DPA2018 which cover crime,
information required to be disclosed by law etc or in connection with legal
proceedings and journalism.
Note the GDPR states in its scope (Article 2) that it does not apply to the
processing of personal data by a natural person in the course of a purely
personal or household activity. This is not strictly an exemption but means
domestic processing does not fall under the GDPR.
The UK therefore:
For example, Article 23 of the GDPR states that a member state may
legislate to restrict the scope of data subject's rights in order to
safeguard:
• national security;
• defence;
• public security;
• the prevention, investigation, detection or prosecution of criminal
offences; or
• the execution of criminal penalties, including the safeguarding
against, and prevention of, threats to public security.
Example 2: The GDPR allows a child aged 16 or over to give their own consent for the
processing of their personal data when they are accessing the internet (an
information society service) (Article 8); below that age, consent must be given or
authorised by the holder of parental responsibility. However it also states that a member
state may provide by law for a lower age for those purposes provided that such
lower age is not below 13 years.
The GDPR states that processing for law enforcement purposes (eg. criminal
convictions and offences or related security measures) does not fall under the
GDPR but is governed by Directive (EU) 2016/680 of the European Parliament
and of the Council. This is the Law Enforcement Directive (the LED).
The LED outlines the specific requirements for controllers who have responsibility
for data protection for criminal law enforcement:
• the processing of personal data for criminal law enforcement purposes by
competent authorities; and
• the free movement of such data - international transfers for criminal law
enforcement purposes.
Tasks and powers are laid out in the GDPR and given specific detail in the Data
Protection Act 2018:
Examples of tasks:
• Monitor and enforce the application of the GDPR.
• Promote public awareness and understanding of the risks, safeguards and
rights in relation to processing.
• Advise the national parliament.
• Promote awareness of controllers and processors of their GDPR
obligations.
• Handle complaints lodged by a data subject and investigate to the extent
appropriate, the subject matter of the complaint.
• Cooperate with other supervisory authorities with a view to ensuring the
consistency of application and enforcement of the GDPR.
• Encourage the drawing up of codes of conduct by accredited data
controllers.
• Encourage the establishment of data protection certification mechanisms
(which demonstrate compliance with the GDPR).
Examples of powers:
1. Investigative powers
• to order the controller and processor to provide information for the
performance of its tasks.
• to carry out audits.
2. Corrective powers
• to issue warnings to the controller or processor that intended processing
operations are likely to infringe provisions of the GDPR.
• to order the controller or processor to comply with the data subject's
requests to exercise his or her rights under the GDPR.
• to order a controller or processor to bring processing operations into
compliance with the provisions of the GDPR.
• to impose an administrative fine.
3. Authorisation and advisory powers
• to approve draft codes of conduct.
• to accredit certification bodies.
4. International role - liaison with other supervisory bodies, the EU Commission,
to ensure consistency across member states.
Part 5 includes:
• Confidentiality of information; and
• Fees she may charge.
Schedule 12 includes:
Eg. - March 2015 the ICO raided a call centre in Hove thought to be responsible
for making millions of nuisance calls (4 to 6 million recorded telephone calls a
day about debt management or payment protection insurance). Documents and
computer equipment were removed for further examination. The calls were
made anonymously, without consent and it was impossible to opt out of
receiving them.
Warrants are often issued in relation to PECR cases. Lots of examples on our website
and ICON in press releases.
Offences
The Commissioner has the power to prosecute for criminal offences. These
include:
Data Protection - Module 1 - Introduction
Objectives
The session gives a quick overview of the ICO's data protection role.
Looking at how data protection works 'in the real world' - not too focused on
technical/legal terms.
Others who need more detailed training will be able to go on to do the ICO data
protection training (12 modules!)
Course structure
Emphasise that the detail will be at the level of an overview - this is intended to
introduce the GDPR / DPA2018 and the key concepts - the detail will be provided
in future modules.
Why does our data need protecting?
What kinds of organisations hold your personal data?
Can break delegates into small groups per table, or have a big group discussion.
Without knowing the technical legal background - how do data protection issues
apply in practice?
See questions on slide.
Any examples people have experienced - when their information has been used in a
Key data protection legislation
Key points
The GDPR is the main legislation we use in our data protection work.
It is a European Regulation which means that all countries in the EU have the same
basis for their data protection laws. It also means that companies can transfer
information between European countries easily, because they know the data will
always have a high level of protection.
The Data Protection Act 2018 provides UK-specific provisions and exemptions.
PECR overlaps with GDPR, and specifically covers electronic marketing - phone
calls, emails, texts. It will be replaced by the ePrivacy regulation.
BACKGROUND if needed:
Regulations:
• Have general application, are binding in their entirety and directly applicable in
all EU member states
• Do not have to be transposed into national law
• Confer rights or impose obligations on citizens and organisations in the same
way as national law
• Drafted in such a way that the addressees have no doubts as to the rights and
obligations resulting from the provisions
Directives:
• Dual objective - securing the necessary uniformity of EU law whilst respecting
the diversity of national traditions and structures
• Do not supersede national laws but place Member States under an obligation
to adapt their national law in line with EU legal provisions
• Directives are addressed to the Member States; must be transposed into
national law. EU criteria are used to assess whether they have done so in
accordance with EU law.
• Directives do not as a rule directly confer rights or impose obligations. The
national transposing law does that. In practice, makes no difference to an
ordinary citizen or organisation.
Aims of the GDPR
The second half of the twentieth century saw the development of ideas about data
protection - various reports in the 1970s identified the need for:
1984 Data Protection Act - first act focused on computerised data and applied
only to organisations which needed to register.
2018 General Data Protection Regulation (adopted in 2016, applying from 25 May
2018) - intended to build upon the DPA 1998 but impose consistency - see further
aims on slide (click for each).
Slide bullet points
(click) Harmonisation of the legislation is a key aim of the GDPR and is closely
linked to the free flow of data for trade.
(click)Technology has changed at a pace which has far outstripped the scope of
DPA 1998 and has transformed economies and the social lives of individuals. The
GDPR is intended to address these challenges and ensure our personal data is
protected.
(click) Consistency is a key aim - to provide legal certainty and transparency. The
requirement for transparency underpins the GDPR.
Structure of the GDPR
Give out copy of the contents of the GDPR and briefly go through structure -
chapters, articles and recitals.
Pick out one or two of the chapters.
Explain the definitions data subject, controller and processor for clarity.
The GDPR and the DPA2018
General Data Protection Regulation
Data Protection Act 2018
Structure of the DPA2018 - we will look at this in detail in other modules but for
now, using the tabs on the side of the legislation, just note:
1. The DPA2018 is divided into Parts which cover different types of processing
eg. Part 3 and 4 (law enforcement / intelligence services processing)
2. In UK law, Schedules follow the main body of an Act. They tend to set out, in more
detail, how the provisions of the Act work.
If a UK exemption applies, a controller may not have to comply with all of the
usual GDPR rights and obligations.
We will discuss how the two pieces of legislation link to each other in future
modules.
Key definitions
(These definitions are discussed in later modules but some people won't be going
on to do these modules so it's important they understand the meaning of these
terms).
The data protection principles
Accountability
Article 5 of the GDPR gives 6 principles (a) to (f) (will be covered in later modules)
(a) (click) processed lawfully, fairly and in a transparent manner in relation to the
data subject ('lawfulness, fairness and transparency');
(b) (click) collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes ('purpose
limitation');
(c) (click) adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed ('data minimisation') (click to shrink);
(d) (click) accurate and, where necessary, kept up to date; every reasonable step
must be taken to ensure that personal data that are inaccurate, having regard to
the purposes for which they are processed, are erased or rectified without delay
('accuracy');
(e) (click) kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed
('storage limitation');
(f) (click) processed in a manner that ensures appropriate security of the personal
data, including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or
organisational measures ('integrity and confidentiality').
The principles are worded in quite general terms - this means that organisations
are responsible for deciding how they will comply.
(click) there is a final principle at Article 5(2) which states that the controller shall
be responsible for, and be able to demonstrate compliance with, paragraph 1(a) to
(f) - referred to as 'accountability'.
Exercise - principles
For each scenario:
Activity 2
See handouts with scenarios.
Also handouts with answers.
The purpose of the exercise is to help delegates link the legal requirements of the
principles to the practical implementation.
If there has been a lot of discussion of examples when explaining the principles,
this exercise might not be necessary.
Lawfulness of processing
Article 6 - There must be a lawful basis for processing (a) to (f) (click for each one)
(a) the data subject has given consent to the processing of his or her personal data
for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior
to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the
controller is subject;
(d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by
the controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a
child. (Not applicable to processing carried out by public authorities in the
performance of their tasks.)
Special categories of data
Note that 5 out of the 10 conditions refer to Member State law and require UK
authorisation or a basis in UK law. In the UK this is the DPA2018. The UK conditions
for processing special category data are in Schedule 1 of the DPA2018 (will cover in
a later module).
A controller must still also have an Article 6 lawful basis for processing - special
category data is by its nature more sensitive & needs more protection.
Personal data relating to criminal convictions and offences, or related security measures
Look at Article 10 - This Article sets out separate safeguards for personal data
relating to criminal convictions and offences, or related security measures. This
includes allegations concerning offences.
Such processing may be carried out under the control of official authority (not
actually defined in the UK), or when it is authorised by member state law - ie when
certain conditions in the DPA2018 are met. (We will look at this in another module)
NOTE
Processing for law enforcement purposes by competent authorities (eg the Police)
is separate to this and falls under Part 3 of the DPA2018 (covered in module 10)
So for example, a shopkeeper who has CCTV footage showing a crime might pass
this data to the Police and would disclose the personal data under Article 10 of the
GDPR and with an Article 6 basis for processing. Will be covered in more detail in
later modules.
The rights of the individual
The GDPR also accords the individual specific rights with respect to their personal
data held about them:
1. be informed (what data is held about them and the purpose of the processing,
the recipients of the data, how long it will be stored for, etc.)
2. be given access
3. rectification
4. erasure (to be forgotten)
5. restriction of processing
6. data portability
7. object to processing (including direct marketing)
8. not be subject to a decision based solely on automated processing including
profiling, which produces legal effects concerning him or her or similarly affects
him or her.
The ICO receives complaints where the individual considers they have been denied
their rights.
Exemptions
The GDPR generally requires that controllers tell individuals when their data is
being processed, and limits the sharing of data with third parties.
As most exemptions relate to the law of each member state, the GDPR allows
them to provide their own exemptions. Ours are therefore covered in the DPA2018.
If an exemption applies a controller may not have to comply with all of the usual
GDPR rights and obligations.
Also, you would expect the organisation to share information with the investigators
- so for example, an employer might tell the police a suspect's address. (This
information would normally be kept confidential but there is an exemption to allow
disclosure in these circumstances.)
So for example there are exemptions in the DPA2018 which cover crime,
information required to be disclosed by law etc or in connection with legal
proceedings and journalism.
Note the GDPR states in its scope (Article 2) that it does not apply to the
processing of personal data by a natural person in the course of a purely personal
or household activity. This is not strictly an exemption but means domestic
processing does not fall under the GDPR. For example:
The Data Protection Act 2018
So remember the GDPR and the DPA2018 need to be read together. They are not
complete as standalone documents.
The GDPR explicitly refers to the need for member states to pass further
legislation to suit the requirements of their country.
The DPA2018 is divided into these sections and each adds to the provisions of the
GDPR with UK-specific exemptions and legislation which is unique to the UK.
The UK therefore:
3. Makes its own arrangements where appropriate eg
• for Enforcement.
• regarding the Information Commissioner.
Example 2: The GDPR allows a child aged 16 or over to give their own consent for the
processing of their personal data when they are accessing the internet (an
information society service) (Article 8); below that age, consent must be given or
authorised by the holder of parental responsibility. However it also states that a member
state may provide by law for a lower age for those purposes provided that such lower
age is not below 13 years.
Law Enforcement Processing (Part 3)
The GDPR states that processing for law enforcement purposes (eg criminal
convictions and offences or related security measures) does not fall under the
GDPR but is governed by Directive (EU) 2016/680 of the European Parliament and
of the Council.
The LED outlines the specific requirements for controllers who have responsibility
for data protection for criminal law enforcement:
It applies to all EU Member States including the UK, who transposed it into their
national law in May 2018 - hence the DPA2018 which makes these requirements
UK-specific (eg principles and rights, bases for processing for LE purposes).
The Supervisory Authority
Tasks and powers are laid out in the GDPR and given specific detail in the Data
Protection Act 2018:
1. Investigative powers
• to order the controller and processor to provide information for the
performance of its tasks
• to carry out audits
2. Corrective powers
• to issue warnings to the controller or processor that intended processing
operations are likely to infringe provisions of the GDPR
• to order the controller or processor to comply with the data subject's requests
to exercise his or her rights under the GDPR
• to order a controller or processor to bring processing operations into
compliance with the provisions of the GDPR
• to impose an administrative fine
3. Authorisation and advisory powers
• to approve draft codes of conduct
• to accredit certification bodies
Information Commissioner
• Corporation sole
• Appointed by Queen
• 7 year term
• Independent - the Commissioner and her staff are not civil servants
A corporation aggregate (which we're more familiar with) is a separate legal entity
formed by several individual persons.
Part 5 includes:
• UK functions (eg report to Parliament)
• her international role (cooperation and mutual assistance)
• Codes of practice she must prepare (eg data sharing, direct marketing)
• Powers of audit
• Confidentiality of information
• Fees she may charge
Enforcement powers
There are different ways for us to promote compliance with the GDPR:
• Educating organisations by publishing guidance and providing advice
• Dealing with complaints informally by getting organisations to change their
behaviour
• Taking formal enforcement action in more serious cases
The slide lists the Commissioner's enforcement powers - (Part 6 of the DPA2018).
Information notices - require a controller or processor to provide the
Commissioner with information when we are investigating their compliance.
Assessment notices - require a controller or processor to permit the Commissioner
to carry out an assessment (compulsory audit) of whether it has complied with or
is complying with the data protection legislation.
Enforcement notice - the Commissioner can order steps to be taken by a
controller or processor where it has failed to (choose 2 examples):
• comply with the GDPR principles;
• confer rights on data subjects;
• meet their GDPR obligations;
• communicate a breach to the ICO or the data subject;
• comply with the principles of data transfer to third countries (outside the EU).
Breach reporting will be made to the personal data breach (PDB) team. Most will
be closed with no further action. Will be passed to Enforcement where they are
more serious and there is a potential for action.
Powers of entry and inspection - ability to apply to a court for the issue of
warrants - for above failures or for an offence under GDPR
Eg - June 2017 the ICO executed two search warrants in private homes (in Gatley
and Wilmslow) - and seized computers and phones. Part of an investigation which
linked the theft of data from car repair centres to nuisance calls encouraging
people to make personal injury claims about road traffic accidents.
Eg- March 2015 the ICO raided a call centre in Hove thought to be responsible for
making millions of nuisance calls (4 to 6 million recorded telephone calls a day
about debt management or payment protection insurance). Documents and
computer equipment were removed for further examination. The calls were made
anonymously, without consent and it was impossible to opt out of receiving them.
Warrants are often issued in relation to PECR cases. Lots of examples on our website
and ICON in press releases.
Administrative fines (Monetary Penalty Notices) - for serious failures (fines set by
the GDPR - will discuss in later module).
Offences - the Commissioner has the power to prosecute for criminal offences:
Exercise
Activity 3
On the next slide (and on a handout - give this out now) there are 12 boxes each
containing a definition.
They must then take the first letter of each word and rearrange them to form a key
requirement of the GDPR - a new 12-letter word.
When they have the new word, they should put up their hand to let you know, but
wait until the other groups have finished before they give the answer away.
(Some boxes have a few possible answers so they will have to think about what the
letter could be to fit the finished word.)
The winners must have all 12 words and the final key word.
TRANSPARENCY
Delegates may use their notes - they may need some help if they are struggling... !
Review of objectives
You should now be able to:
The End.
Introduction to data protection - identifying the GDPR principle
Activity 2 - Answers
For each example think about how the principles might be applied in
practice. What would you expect an organisation to do in each case, and
how does that fit with the principles in the GDPR?
Example one
When you sign up with an online shop they ask for some personal
information. They need this information to process your order, and they
might also want to contact you with marketing information in the future.
• What kind of data would be appropriate or inappropriate to collect?
• What would a customer expect the information to be used for?
if you are buying clothes, they should not send you medical
information (unless they asked specifically for consent for this)
time.
Example two
Credit reference agencies share information with lenders about what
debts people have. They also collect information recording where people
live. This is used to confirm people's addresses and identities, and to
decide whether a bank will lend money.
address is correct
disposal.
Example four
An IT helpline wants to start recording the calls it receives from members
of the public. It wants to do this so that it can monitor the quality of help
given by staff, and use good and bad calls in training exercises.
it be requested?
be used for training?
place to provide this data? Is it clear to callers how long the data
will be kept?
| Session | Time | Activity | Resources | Aim |
|---|---|---|---|---|
| Introduction - objectives and course structure | 15 minutes | | Powerpoint presentation; Handout - delegate notes for reference | |
| Group exercise - why does our data need protecting? | 10 mins (5 mins to discuss in small groups and then 5 mins as a class) | Exercise 1 - discussion only | | Delegates to start to think about data protection in their own lives and to consider what the issues might be. |
| Introduction to the key concepts underpinning the GDPR: key definitions and data protection principles | 10 minutes | Explain the principles and their significance | Powerpoint presentation | Also ensure they have a basic understanding of the terms data subject, controllers and processors. Delegates to have a good basic awareness of these key concepts and to understand why they are important. |
| Activity 2 | 15 minutes | Exercise in small groups or pairs - delegates to link the principles to practical examples. Discuss answers as a whole group | Powerpoint slide with the principles for reference; Activity 2 - Identifying the principle; plus answer sheet | Delegates to link the principles to practical examples. |
| Introduction to lawfulness of processing, special categories of data, criminal offence data and the rights of individuals | 15 mins | Outline the rights of individuals | Powerpoint presentation | Delegates to have a good basic awareness of these key concepts and to understand why they are important. |
| Exemptions, the Data Protection Act 2018 and the Law Enforcement Directive | 15 mins | Discussion of the nature of exemptions and where they can be found. | Powerpoint presentation | Delegates to understand what an exemption is and why they are necessary. |
| The Information Commissioner and promoting compliance with the GDPR | 15 mins | Introduction to the idea of compliance and enforcement | Powerpoint presentation | Delegates to have a basic understanding |
| Activity 3 (with coffee break?) | 30 mins | Key points of the module - delegates to work in pairs to discover the keyword on the board. Review answers altogether and recap key points | Powerpoint slide with keywords; Delegate sheet with definitions from slide | To reinforce learning |
| Review objectives and complete feedback form. | 5 mins | | Powerpoint presentation | To ensure objectives have been met. |
Chapter 2 - Principles
Article 5 Principles relating to processing of personal data
Article 6 Lawfulness of processing
Article 7 Conditions for consent
Article 8 Conditions applicable to child's consent in relation to information society services
Article 9 Processing of special categories of personal data
Article 10 Processing relating to criminal convictions & offences
Article 11 Processing which doesn't require identification
Example one
When you sign up with an online shop they ask for some personal
information. They need this information to process your order, and they
might also want to contact you with marketing information in the future
• What kind of information would be appropriate or inappropriate to
collect?
• What would a customer expect the information to be used for?
Example two
Credit reference agencies share information with lenders about what
debts people have. They also collect information recording where people
live. This is used to confirm people's addresses and identities, and to
decide whether a bank will lend money.
Example four
An IT helpline wants to start recording the calls it receives from members
of the public. It wants to do this so that it can monitor the quality of help
given by staff, and use good and bad calls in training exercises.