CASE STUDY: DUTCH DPA FINES COMPANY 750,000 EUROS FOR UNLAWFUL EMPLOYEE FINGERPRINT PROCESSING

Dutch DPA Fines Company 750,000 Euros for Unlawful Employee Fingerprint Processing - Lexology

https://www.lexology.com/library/detail.aspx?g=ca76ed73-1bbf-4704-97f7-4911e784d796

Some guidance that might be useful, albeit that it is from China; but if the Chinese regulator feels this is unacceptable, then the more liberal EU regulators are likely to take a much tougher stance.

Collection of Employee Fingerprint Data for Attendance Purposes Raises Privacy Concerns

Key Points:

1. When fingerprint data is collected merely for attendance recording purposes, the privacy risk will likely exceed the benefits.

2. Before installing biometric devices, employers must assess whether they are able to comply with data protection principles.

Many companies have adopted advanced technologies in the workplace that have brought remarkable changes to practices and routines, but these changes also bring new concerns and potential legal problems.

For example, there is a growing trend of replacing the traditional time clock and basic electronic access cards with security systems that collect and store personal biometric data. These include fingerprint scanners, facial recognition systems and devices capable of identifying an individual’s voice or iris. When collecting this kind of data, companies must be careful to comply with China’s Personal Data (Privacy) Ordinance (PDPO).

A recent investigative report published by the Privacy Commissioner for Personal Data (the Commissioner) found that collecting an employee’s fingerprint to record attendance at work breached the PDPO. The complaint was brought by an employee of a furniture installation company. On the first day he reported for duty the company collected and recorded his fingerprint. The complaint alleged that the company had not informed him that it would collect his fingerprint when he accepted the employment offer.

The company had adopted a fingerprint recognition system (the System) to record staff attendance. The company’s explanation was that the use of the time clock could not prevent staff from punching time cards for one another, so it decided to use the System.

The company had collected the fingerprints of approximately 400 employees, and none had refused to cooperate. Apart from the System, no alternative for recording attendance was provided to the employees. The System only recorded the minimum data necessary to identify the staff member and record the time. After it was recorded, the fingerprint was converted into numerical codes that were then encrypted and stored. Only the time records could be downloaded when the System was connected to the server. There was no output port, and the company could not directly access or transfer fingerprint records from the System.

Although the company said that all staff had given their consent and provided fingerprints willingly, the Commissioner disagreed. The reasons were that, first, there was a disparity in bargaining power between the company and its employees, raising a presumption of undue influence. Second, the staff had not been given a choice about providing fingerprint data or offered an alternative. And third, the company had not presented a clear, balanced explanation enabling employees to make an informed decision.

The Commissioner also found that the System could ascertain the identity of staff from the fingerprint. Therefore, the fingerprint data collected satisfied the definition of personal data under the PDPO. The Commissioner commented that given its uniqueness and unchangeable nature, fingerprint data is sensitive personal data requiring extra care.

Data Protection Principle (DPP) 1 provides that personal data shall not be collected unless the data is collected for a lawful purpose directly related to a function or activity of the data user and the collection is necessary for or directly related to that purpose. DPP 2 provides that personal data shall be collected by means that are lawful and fair in the circumstances of the case.

These principles were tested, and the Commissioner found the steps taken were unnecessary and excessive. Consequently, a warning letter was issued, and the Commissioner ordered the company to stop collecting staffers’ fingerprints and destroy all existing fingerprint data immediately. As remedial action, the company has stopped collecting fingerprints, deleted existing data, installed a less intrusive password-based system and voluntarily destroyed all fingerprint data.

There may be cases in which similar systems or devices are appropriate – for instance, in jewelry shops that need to restrict access to certain areas for security reasons. Even so, the employer should explain the reasons for collecting this data and the issues relating to personal data privacy. Staff would still have to give genuine, informed and unambiguous consent before providing their fingerprints and should do so in line with a clear procedure. In all cases, the employee’s decision should be respected.

However, given that fingerprints and other biometric data are unique, there may be additional concerns, such as the risk of identity theft. Before deciding to install these devices, employers should carefully assess whether they are able to comply with data protection principles. In particular, they should note the limitation principle set out in the PDPO, which states that personal data must be collected for a lawful purpose directly related to a function or activity of the data user. Any data requested should be necessary but not excessive.

Employers should carefully assess whether the advantages of collecting fingerprint data exceed the disadvantages. The following, though not an exhaustive list, are some relevant factors for consideration:

1. The number of employees affected;

2. The period of retention of staff fingerprint data;

3. The scope and extensiveness of the collection of fingerprint data (e.g., whether only applicable to high-security areas);

4. The intended use of the data collected;

5. The impact of the collection of fingerprint data on the employer-employee relationship;

6. Whether current security measures are adequate to protect staff’s fingerprint data from loss or theft; and

7. The extent of harm caused to staff in the event of data loss or improper handling.

Even if the collection can be legitimately justified, employers should implement sufficient privacy protective measures against potential loss of or unauthorized access to fingerprint data. When fingerprint data is collected merely for attendance recording purposes, the privacy risk will likely exceed the benefits. To act prudently, employers should consider less intrusive options.

According to the Privacy Commissioner, systems that do not collect personal data such as fingerprints are not within the jurisdiction of the PDPO or the Commissioner. One example is a fingerprint recognition system that converts certain features of the fingerprint into a unique value and stores it in a smart card held by the employee. For verification, the employee puts his finger and the smart card on the recognition system. In this way, the employer has not collected employees’ fingerprint data or the value, and therefore has not collected any personal data as defined in the PDPO.

– Deborah Y. Cheng

VISION MISSION STRATEGY GOALS (DATA)


Vision
To be confident and capable in Records Management, compliant with GDPR and Cyber Security requirements, with the ability to control data > information > knowledge > decisions to inform our development of products and services and protect our colleagues, customers and commercial data.
Mission
To have an integrated approach to Information Governance which drives the business, providing insights for Strategy and measures for operations which improve what we do, how we do it, and the value we provide to our colleagues, customers and commercial partners.
Strategy
To work collaboratively across projects and operations co-ordinating the themes outlined below.


Area: GDPR Legal Compliance
Leader:
Work-Stream Participants:
Aim (What are our key goals?):
  All policies updated and communicated
  All roles updated and communicated
  All processes mapped
  All necessary DPIAs complete
  All necessary DSA/CPA complete
  All privacy notices complete
  Retention agreed
  Classification agreed
Critical Success Factors (What will make the difference, what is key to success?):
  Having necessary engagement of people
  Having the time/priority
  Having the funding
  Having the knowledge/expertise
Key Performance Indicators (How do we measure?):
  Number of Breaches
  Number of D-SARS
  Number of DPIAs complete
  Number of DSA/CPA contracts
  Number of people trained
  GDPR Dashboard Scores:
    Governance and Accountability x pct
    Training and Awareness x pct
    Records Management x pct
    Security of Personal Data x pct
    Subject Access Requests and Individual Rights x pct
    Data Sharing x pct
    Information Risk Assessment (DPIA) and Management x pct
    Direct Marketing x pct
In 3 Months:
  All Data Owners identified and trained
  All processes mapped in Data Asset Inventory
  Newsletters on-going
  SMT/EMT Dashboard reporting
  All CCTV DPIAs complete
  Templates for DPIAs and DSA/CPA contracts all agreed
  GDPR Dashboard Scores above x pct
In 6 Months:
  All necessary DPIAs complete
  All necessary DSA/CPA complete
  All PII forms note T&C/Privacy
  GDPR Dashboard Scores above x pct
In 12 Months:
  Audit/Compliance Checks in place
  GDPR Dashboard Scores above x pct
In 24 Months:
  Audit/Compliance Checks identify 100pct compliance

Area: Cyber Security
Leader:
Work-Stream Participants:
Aim (What are our key goals?):
  All policies updated and communicated
  All roles updated and communicated
  All systems / contracts / SLAs reviewed
  CyberEss Certification for Pharmacy
  CyberEss Certification for Medical
  CyberEss Certification for Funeral
  CyberEss Certification for Travel
Critical Success Factors (What will make the difference, what is key to success?):
  Having necessary engagement of people
  Having the time/priority
  Having the funding
  Having the knowledge/expertise
Key Performance Indicators (How do we measure?):
  Number of people trained
  C2M2 Metrics Dashboard Scores:
    Risk Management x pct
    Asset, Change, and Configuration Management x pct
    Identity and Access Management x pct
    Threat and Vulnerability Management x pct
    Situational Awareness x pct
    Information Sharing and Communications x pct
    Event and Incident Response, Continuity of Operations x pct
    Supply Chain and External Dependencies Management x pct
    Workforce Management x pct
    Cybersecurity Program Management x pct
In 3 Months:
  All Data Owners identified and trained
  USBs “blocked” (as necessary)
  Newsletters on-going
  SMT/EMT Dashboard reporting
  x pct on CE Dashboard Tool
  Templates for IT/Supplier due diligence all agreed
  C2M2 Metrics Dashboard Scores above x pct
In 6 Months:
  x pct on CE Dashboard Tool
  All systems have a “users list” which is reviewed by the Data Owner for RBAC
  C2M2 Metrics Dashboard Scores above x pct
In 12 Months:
  Audit/Compliance Checks in place
  x pct on CE Dashboard Tool
  C2M2 Metrics Dashboard Scores above x pct
In 24 Months:
  Audit/Compliance Checks identify 100pct compliance

Area: Records Management
Leader:
Work-Stream Participants:
Aim (What are our key goals?):
  Policy of what gets stored where agreed
  All roles updated and communicated
  Move to Level 3 on Maturity Model
  Document Management System set up
  H:\ & L:\ drives moth-balled
  Retention agreed & applied
  Classification agreed & applied
  Archive/Destruction Policy
Critical Success Factors (What will make the difference, what is key to success?):
  Having necessary engagement of people
  Having the time/priority
  Having the funding
  Having the knowledge/expertise
Key Performance Indicators (How do we measure?):
  Number of people trained
  Records Management Maturity Scores:
    Management Control Level 1
    Benefits Management Level 1
    Financial Management Level 1
    Stakeholder Engagement Level 1
    Risk Management Level 1
    Organisational Governance Level 1
    Resource Management Level 1
In 3 Months:
  Policy of what gets stored where agreed
  All roles updated and communicated
  All physical cabinets reviewed
  Clear Desk Policy applied
  Newsletters on-going
  SMT/EMT Dashboard reporting
  Archive/Destruction Policy
  Suppliers/Procurement Processes agreed (eg contracts)
In 6 Months:
  Move to Level 1 on Maturity Model
  Archive/Destruction in practice (eg outsourced suppliers)
  Contracts Database complete
In 12 Months:
  Document Management System set up
  Audit/Compliance Checks in place
  Records Management Maturity Scores = 2
In 24 Months:
  Audit/Compliance Checks identify 100pct compliance


USEFUL HEADINGS FOR A BOARD REPORT

EDUCATION AND AWARENESS

Education and Awareness: Use posters, team huddles, reminders and staff handbook to remind people about their obligations (eg the stuff in your Data Protection Policy and Information Security Policy).
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


DATA MAPPING

Data Mapping: Understanding what data you hold, where and why. This is good to help identify trip hazards that need addressing around people, process or technology, making sure there are roles and controls to keep data private, safe and secure.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


RISK ASSESSMENT

Risk Assessment: Understanding and agreeing key risks and measures over people, process and technology. There is a lot you could do on risk, and there is some guidance on data-processing impact assessments [DPIA]. As a minimum I'd suggest that the Directors (or Audit) have a meeting to discuss training, measures and paperwork; the minutes of that meeting (together with any actions) can constitute a reasonable risk assessment.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


A RECORDS MANAGEMENT & RETENTION POLICY

A Records Management & Retention Policy: To help you to classify/categorise data and treat it accordingly, with some being held for 1 year, 3 years, 10 years (or whatever) and some being restricted to authorised people only. Generally this is also a good housekeeping exercise.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


SUBJECT ACCESS REQUEST

Subject access request: Have a standard process and perhaps template response for dealing with requests which may be from staff, customers or other types of people for whom you hold or share data.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


DATA BREACHES AND REPORTING

Data breaches and reporting: Have a standard process and perhaps a template response for dealing with data breaches and reporting, including any that are a consequence of a supplier, third party or any other person holding your data.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


A DATA PROTECTION POLICY

A Data Protection Policy: About data, confidentiality, security, privacy etc. You probably already have this covered in your staff handbook.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


AN INFORMATION SECURITY POLICY

An Information Security Policy: About emails, login, passwords, clear-desk policy, cabinets and keys. You probably already have this covered in your staff handbook too.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


PROCESSOR/CONTROLLER AGREEMENTS

Processor/Controller Agreements: Have a standard letter to send to any supplier, third party or other person holding, sharing or processing your data. Make sure that letter (or contract) sets out your expectations and their obligations (eg the stuff in your Data Protection Policy and Information Security Policy).
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


A PRIVACY NOTICE

A Privacy Notice: About what data you hold, why and key controls taken to keep confidential, accurate and secure. Some of this may be on your website, some may be written into your contracts, or possibly on a leaflet or brochures.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


DATA PROTECTION OFFICER

Data Protection Officer: Only mandated for a public authority, or where carrying out large-scale systematic monitoring or large-scale processing of special categories of data (eg health or medical). Nonetheless there is value in having someone to help with co-ordination of policy, procedures and processes, and to take charge and co-ordinate matters in the event of a subject access request or the need to progress a breach notification.
Summary Red/Amber/Green
Description of action taken so far
Description of next steps and dates


DATA PROCESSING BREACH MANAGEMENT

Inevitably there may be some data-processing and personal data implications to any security incident, either minor or major.

Therefore personal data considerations are a component of both Incident Management and Major Incident Management, as well as Disaster Recovery and Business Continuity Planning.

This should apply to [Organisation name] and to any supplier who holds or processes personal data (necessarily under a data-processor agreement).

DATA BREACH GUIDANCE

Being Prepared

You should ensure you have robust breach detection, investigation and internal reporting procedures in place.

For example

Some IT systems can send warnings or alerts if data is being deleted or emailed outside the organisation, or if someone is attempting to login but is guessing the password.

If you have an IT helpdesk or service desk you might use that team to investigate and report on issues that risk personal data.

If you share data with others, you may require as part of their contract that they notify you about any potential breach detection, investigation and reporting.

Talk with your team and IT professionals about breach detection, investigation and internal reporting tools. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
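As an added illustration (not part of the original guidance, and not any vendor's product code), the following Python script applies the three kinds of alert mentioned above to a constructed audit log: repeated failed logins, bulk deletion of records, and attachments emailed to external domains. The log line format, thresholds, time windows and internal domain list are all assumptions for the example.

```python
"""Added example: simple breach-detection checks over an audit log.

Not part of the original guidance and not any vendor's product code.
Assumed log format (one event per line):
    <ISO-8601 timestamp> <EVENT> key=value key=value ...
Thresholds, window sizes and the internal domain list are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:12 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:15 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T10:15:00 RECORD_DELETE user=bob table=customers count=1
2024-03-01T10:15:30 RECORD_DELETE user=bob table=customers count=480
2024-03-01T11:02:10 MAIL_SENT user=carol to=friend@example.org attachment=customers_export.csv
2024-03-01T11:05:00 MAIL_SENT user=carol to=colleague@ourcompany.example attachment=agenda.docx
"""

INTERNAL_DOMAINS = {"ourcompany.example"}   # assumed: the organisation's own mail domains
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)         # password-guessing rule
DELETE_THRESHOLD, DELETE_WINDOW = 100, timedelta(minutes=10)  # bulk-deletion rule


def parse_line(line):
    """Parse '<ts> <EVENT> k=v ...' into (datetime, event, dict of fields)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, parts[1], fields


def detect(log_text):
    """Return a list of (alert_type, user, detail) tuples, in log order."""
    alerts = []
    fails = defaultdict(deque)    # user -> timestamps of recent LOGIN_FAIL events
    deletes = defaultdict(deque)  # user -> (timestamp, rows) of recent deletions
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, f = parse_line(raw)
        user = f.get("user", "?")
        if event == "LOGIN_FAIL":
            # Sliding window: repeated failures for one account look like guessing.
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("PASSWORD_GUESSING", user,
                               f"{len(q)} failures from {f.get('src')}"))
                q.clear()  # one alert per burst
        elif event == "RECORD_DELETE":
            # Sum rows deleted by one user inside the window, not just per event.
            q = deletes[user]
            q.append((ts, int(f.get("count", "1"))))
            while q and ts - q[0][0] > DELETE_WINDOW:
                q.popleft()
            total = sum(rows for _, rows in q)
            if total >= DELETE_THRESHOLD:
                alerts.append(("BULK_DELETE", user,
                               f"{total} rows from {f.get('table')}"))
                q.clear()
        elif event == "MAIL_SENT":
            # Attachment leaving the organisation's own domains.
            domain = f.get("to", "").rpartition("@")[2].lower()
            if domain and domain not in INTERNAL_DOMAINS and "attachment" in f:
                alerts.append(("EXTERNAL_MAIL", user,
                               f"{f['attachment']} to {f['to']}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} ({detail})")
```

Each alert is a prompt for the helpdesk or service desk to investigate and record whether personal data was involved, which feeds the notification decision described later.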

NOTIFYING THE INFORMATION COMMISSIONER'S OFFICE (ICO)

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

When reporting a breach, the GDPR says you must provide:

Item a) a description of the nature of the personal data breach including, where possible:
Item b) the categories and approximate number of individuals concerned and
Item c) the categories and approximate number of personal data records concerned
Item d) the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
Item e) a description of the likely consequences of the personal data breach and
Item f) a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Failing to notify a breach when required to do so can result in a fine. The fine can be combined with the ICO's other corrective powers.

NOTIFYING THE DATA SUBJECTS

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

Item 1) the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained

Item 2) a description of the likely consequences of the personal data breach and

Item 3) a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.

You do not need to notify the data subjects if:

Item a) There are proportionate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption

Item b) subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise

Item c) it would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

DATA BREACH PROCEDURES

The procedure outlined below is designed to satisfy the requirements of the ICO

Item a) Know how to recognise a personal data breach. (A personal data breach isn't only about loss or theft of personal data.)

Item b) Staff knowledge of how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

Item c) Supplier knowledge of how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.

Item d) Allocated responsibility for managing breaches to a dedicated person or team.

Item e) A prepared response plan for addressing any personal data breaches that occur.

RECOGNISING A PERSONAL DATA BREACH

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

STAFF KNOWLEDGE HOW TO ESCALATE A SECURITY INCIDENT

All staff are aware of how to escalate a security incident by virtue of regular training and GDPR Awareness.

SUPPLIER KNOWLEDGE HOW TO ESCALATE A SECURITY INCIDENT

All suppliers are aware of how to escalate a security incident by virtue of the data controller-processor agreement that exists between [Organisation name] and the supplier and which sets out the responsibilities of each party.

RESPONSIBILITY FOR MANAGING BREACHES

All aspects of breaches to be managed, controlled and co-ordinated by the nominated Data Protection Representative.

When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it is likely that there will be a risk, then you must notify the ICO. If it is unlikely, then you do not have to report it. However, if you decide you do not need to report the breach, you need to be able to justify this decision, so you should document it.

Example: The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.

Within [Organisation name] the Data Protection Representative may have regard to the data-processing impact assessments and data classification when considering the risk and impact and the need to notify the ICO.

Note: the data-processing impact assessments and data classification are in other documents.

A RESPONSE PLAN

Inevitably there may be some data-processing and personal data implications to any security incident, either minor or major.

Therefore the Data Protection Representative and personal data considerations are a component of incident management, as well as of disaster recovery and business continuity planning.

REGULATORY GUIDANCE (JERSEY)

The initial notification (within 72 hours) should ordinarily include the following summary information:

Item a) The name of the data controller
Item b) The name and contact details of the DPO or other point of contact where more information can be obtained
Item c) Whether it is a first or subsequent notification
Item d) The date and time of the breach (or best estimate)
Item e) The date and time of the controller becoming aware of the breach
Item f) The nature and content of the personal data concerned
Item g) Technical and organisational measures applied (or that will be applied) to the affected personal data
Item h) The name of the organisation affected by the data breach (if different from the data controller)

If possible, the initial notification should also include the more detailed information set out below. Otherwise, this should be included in any second notification:

Item 1) A summary of the incident that caused the breach, including the physical location of the breach
Item 2) The number and category of data subjects concerned
Item 3) The number and category of personal data records concerned
Item 4) The likely consequences of the personal data breach and potential adverse effects on the data subjects
Item 5) The technical and organisational measures taken or proposed to be taken to mitigate those potential adverse effects
Item 6) The content of any notification provided to affected data subjects
Item 7) The means of communication used to notify the affected data subjects
Item 8) The number of data subjects notified
Item 9) Whether the breach affects data subjects in any jurisdiction other than Jersey
Item 10) Details relating to the notification of any other data protection authorities
Item 11) If these details cannot be included in any second notification, a reasoned justification for the further delay

The Regulator has a secure notification web form for data controllers. Additional documentation or information can be emailed separately using the breach notification email address: breach@OICJersey.org.

TEMPLATE FOR NOTIFYING DATA SUBJECTS

Dear {Customer Name}

Urgent Message re Information Security

It has been brought to our attention that your data may have been compromised in a security incident. We are writing to alert you to this and explain the implications and actions that we recommend that you take immediately.

What data is affected

The following data may be affected

What actions we are taking

We take information security seriously and we have launched an immediate investigation, which is on-going. We will announce updates on-line on our website here: [website name].

What actions we recommend that you take immediately

Pending the outcome of our investigation and further guidance, we recommend that you immediately:

Change your password for all systems that use this password

Alert your bank and check your account

Alert your credit card provider and check your account

How to find out more

We will announce updates on-line on our website here:

Website address [website name].

You can also contact our Data Protection Representative, [Data Processing Representative] Telephone 123456789

DATA PORTABILITY POLICY


[Organisation name] respects the right to data portability in accordance with the GDPR.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.

The right to data portability only applies:
to personal data an individual has provided to a controller;
where the processing is based on the individual's consent or on the performance of a contract; and
when processing is carried out by automated means.

[Organisation name] will respond to any request without undue delay, and within one month.

This can be extended by two months where the request is complex or [Organisation name] receives a number of requests. [Organisation name] will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where [Organisation name] is not taking action in response to a request, [Organisation name] will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

DATA PORTABILITY PROCEDURE

[Organisation name] will provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data. The information must be provided free of charge.

[Organisation name] will use secure encryption and necessary authentication to ensure that data is private, safe and secure and only transmitted to the authorised person(s).

If the personal data concerns more than one individual, [Organisation name] will consider whether providing the information would prejudice the rights of any other individual.

SOME THOUGHTS ON ENCRYPTION

What follows is a discussion on data encryption, and notably encrypted email. This is not guidance, but hopefully it may help inform your judgement and your decision about what is right for your data privacy, your organisation and people's needs.

If I send you an email inviting you to the pub for a drink on Friday I personally think that can be in a plain text email. There is nothing secret or sensitive about that.

If I send you details of my bank account and sort code, and perhaps a photo of my passport and driving licence, then maybe I should password-protect the document, or put it in a .PDF or .Zip file and password-protect that.

The email can be plain text, but the attachment is in a protected file. However, the password protection in Word, Excel and PowerPoint is weak, so whilst better than a plain text email this will not deter a serious hacker.

I could choose to use proper professional encryption like Egress or Galaxkey. Indeed, some government departments insist that you communicate with them using tools like these. There are certainly advantages. But there are disadvantages too.

There is no point in encrypting a message if the person at the other end cannot decrypt it, and using specialist tools may limit who you can send messages to. This can be a good thing!

Some proper professional encryption tools are expensive and confusing for some users.

In some cases, you can send a link to a file or record and require the person to log-in to see it. This allows you to control who can login and see data.

Sending special category data in a plain text email is high risk. Consider carefully what is the best approach in your circumstances. Use a Data Processing Impact Assessment (DPIA) to guide and record your decision.

FORM

HEADING: CONFIRMED ADDRESSEE
CONTENT: The person to whom the data is being sent must be authorised and validated (eg photo-ID or similar).

HEADING: CONFIRMED DESTINATION
CONTENT: The email address or postal address to which the data is being sent must be authorised and validated (eg registered office address).

HEADING: CONFIRMED DATA
CONTENT: The data must be correct, without error or omission, or inclusion of other data (eg other people's data).
Unless the person to whom the data is being sent specifically asks in writing for it to be unencrypted, any electronic data should be in encrypted format with the password sent by different means.

HEADING: DELETION OR DESTRUCTION
CONTENT: Where data is being moved there may be a requirement to delete the data once the data subject has their copy.
Deletion outside of normal retention policies should only happen when the person to whom the data is being sent specifically confirms in writing that they have received their data and that it is OK to delete.



Signed
Data Protection Officer or Equivalent

Signed
Director or Equivalent

INTERNATIONAL DATA TRANSFER

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

[Organisation name] may transfer personal data where the organisation receiving the personal data has provided adequate safeguards. Individuals' rights must be enforceable, and effective legal remedies for individuals must be available following the transfer.

Adequate safeguards may be provided for by:

Item 1) a legally binding agreement between public authorities or bodies
Item 2) binding corporate rules (agreements governing transfers made between organisations within a corporate group)
Item 3) standard data protection clauses in the form of template transfer clauses adopted by the Commission
Item 4) standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the Commission
Item 5) compliance with an approved code of conduct approved by a supervisory authority
Item 6) certification under an approved certification mechanism as provided for in the GDPR
Item 7) contractual clauses authorised by the competent supervisory authority, or
Item 8) provisions inserted into administrative arrangements between public authorities or bodies, authorised by the competent supervisory authority.

The GDPR limits [Organisation name]'s ability to transfer personal data outside the EU where this is based only on [Organisation name]'s own assessment of the adequacy of the protection afforded to the personal data.

A transfer, or set of transfers, may be made where the transfer is:

Item a) made with the individual's informed consent
Item b) necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual's request
Item c) necessary for the performance of a contract made in the interests of the individual between the controller and another person
Item d) necessary for important reasons of public interest
Item e) necessary for the establishment, exercise or defence of legal claims
Item f) necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent, or
Item g) made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

The first three derogations are not available for the activities of public authorities in the exercise of their public powers.

INTERNATIONAL DATA TRANSFER PROCEDURE

To comply with the above Policy, [Organisation name] will:

Item a) Ensure that any transfer is made with the individual's informed consent (e.g. via opt-in, contract or other transparent notice)
Item b) Ensure that it is necessary for the purposes of the compelling legitimate interests of the organisation, provided such interests are not overridden by the interests of the individual (e.g. there is no other practicable or cost-effective solution or service available)
Item c) Ensure that suitable safeguards are put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data
Item d) Ensure that there is an assessment of the adequacy of the protection afforded to the personal data (e.g. by reference to certification, audit, inspection or similar)

If you have a DPO, you must seek their advice. The DPO should provide advice on the above. You should record your DPO's advice on the DPIA.

FORM

PROPOSED INTERNATIONAL TRANSFER
Summary notes, plus attached supporting documentation

DATA PROCESSING IMPACT ASSESSMENT
Summary notes, plus attached DPIA

SAFEGUARDS
Summary notes, plus attached Review, Report and Recommendation (that suitable safeguards have been put in place by the organisation, in the light of an assessment of all the circumstances surrounding the transfer, to protect the personal data)

SUMMARY RECOMMENDATION
Summary notes, plus attached Review, Report and Recommendation (that the transfer is necessary for the purposes of the compelling legitimate interests of the organisation, provided such interests are not overridden by the interests of the individual, e.g. there is no other practicable or cost-effective solution or service available)



Signed
Data Protection Officer or Equivalent

Signed
Director or Equivalent

SUBJECT ACCESS FORM

This form is for any person who wishes to apply for access to personal data held by [Organisation Name]. Please read the Subject Access Request Guidance Notes below before completing this form.
A separate form should be completed for each individual.
NOTE: This is not a mandatory form. Subject Access Requests made in other formats will also be accepted, but this form is designed to speed up the process.


Subject Access Request Guidance
Please read before filling in the Subject Access Request Form

Which sections should I complete?

Sections 1, 2, 3, 4 and 5 should be completed for all applications.

Sections 6, 7 and 8 (Representative Details and Authority to Release Information to a Representative) should only be completed if the application is being made by a representative (i.e. someone other than the data subject themselves).

Section 3 (Proof of the applicant's identity): if you do not have any of the forms of identity listed, we may in exceptional circumstances accept alternatives for consideration.
This form is designed to assist the process of making a subject access request and, as a consequence, may speed the process up, but it is not mandatory; all subject access requests made in other formats will also be processed.

What information will help with the processing of my subject access request?
Identification of relevant records will be easier if you can provide any references issued by [Organisation Name] relating to applications you may have made or action taken against you.
If you cannot provide us with satisfactory proof of identity, your application will be rejected.

What information does [Organisation Name] hold?
[Organisation Name] holds information relevant to the conduct of its functions, which will include, but not be restricted to, personal information about applications you have made and any services you have used. However, some data may have been reviewed and destroyed where appropriate in accordance with our information retention policies.
[Organisation Name] is also the data controller for certain information held by other bodies which are contracted by [Organisation Name] in connection with the conduct of specific activities.

How long will it take to get my data?

Once we are satisfied that you meet the criteria for disclosure of data under the Data Protection Legislation, and have provided sufficient information, you should receive a response within 4 weeks from the date that we accept your application for processing.

Records may be held in several different locations in paper and electronic formats. If you only require specific information and you clearly state what that is, for example a specific document or IT-only data, then you are likely to get a quicker disclosure.

The form includes a section for giving details if you need a disclosure by a certain date. No guarantee can be given that a disclosure will be completed by that date but we will endeavour to comply with reasonable requests for expedited action.

GENERAL NOTES

We will acknowledge your application in writing and we will provide you with a reference number when we write to you.

When we process information requests for children aged 13 or over and spouses, we require their signature of authority before disclosing data. A separate application form should be completed for each individual. Sections 4 and 5 should be completed by a parent/guardian for a child under 13.

The documents that you receive may have data redacted (blacked out) or contain rough notes that may lack clarity. This is because we aim to supply copies of the original records whenever possible. However, as [Organisation Name] records also include third party information that we cannot release to you under the Data Protection Act, e.g. another person's data, this is removed.

We will not disclose information by fax or telephone. Disclosure by post is usually made by secure courier post to the address you provide in section 2 or, if appropriate, to your representative named in section 6.

CHECKLIST


Have you completed all relevant sections of the form?

If you are a representative, has your client signed the authority in Section 8 or provided a separate signed note of authority?

If you are submitting the form yourself, have you signed the form at Section 5?

If you are signing as a parent or guardian of a child under 13, have you provided a photocopy of their full birth certificate, photocopies of any court orders and proof of your parental responsibility?

Have you enclosed two pieces of identification from the lists in Section 3 (one from each of A and B)?

Have you signed the declaration in Section 5?

Have you provided as much information as possible to enable us to find the data you require?


Please send your completed form, proof of identity and fee to:

The Data Protection Officer
Address
Address
Address

PLEASE NOTE that [Organisation Name] only holds information relevant to [Organisation Name] services. For more details please refer to [Organisation Name] Privacy Notice or any specific contract between you and [Organisation Name] (where relevant).

SECTION 1 APPLICANT DETAILS

Title (please tick one): Mr [ ] Mrs [ ] Miss [ ] Ms [ ] Other title (please state):
Forename(s):
Family Name:
Previous Family Name:
Other name(s) known by:
Date of Birth (dd/mm/yyyy): __/__/____ Male [ ] or Female [ ]
Nationality:
Place of Birth:
[Organisation Name] Reference Number:


SECTION 2 APPLICANT DETAILS

Current Address:
Postcode
Daytime Telephone No:
Email Address:
Previous Address:
Postcode:


SECTION 3 PROOF OF THE APPLICANT'S IDENTITY

List A (photocopy of one from below):
Passport/Travel Document
Photo driving licence
Foreign National Identity Card
Child under 13: Full birth certificate
Child under 13: Court Order(s)

List B (plus one original from below):
A letter sent to you by the Passport Office
Utility bill showing current home address
Bank statement or Building Society Book

For a child under 13 years of age please provide photocopies of all Court/Legal Orders. Please state if there are none.
Any original documents you send to us will be returned by secure courier.

SECTION 4 DETAILS OF INFORMATION REQUIRED

Please use this space to give us any details about the information you are requesting, for example by stating specific documents you require (use extra sheets if necessary):










Please note in the case of CCTV images [Organisation Name] are only able to retrieve images that are less than [??] days old.

SECTION 5 DECLARATION

The information which I have supplied in this application is correct, and I am the person to whom it relates or a representative acting on his/her behalf. I understand that [Organisation Name] may need to obtain further information from me/my representative in order to comply with this request.

Signature of Applicant:                    Date:




SECTION 6 REPRESENTATIVE DETAILS

(If completed, [Organisation Name] will reply to the address you provide in this section)

Name of Representative:
Company Name:
Address & Postcode:
Daytime Telephone No:
Email Address:


SECTION 7 PROOF OF THE REPRESENTATIVE'S IDENTITY

Please provide copies of two pieces of identification, one from list A and one from list B below and indicate which ones you are supplying.
Please DO NOT send an original passport, driving licence or identity card


List A (photocopy of one from below):
Passport/Travel Document
Photo driving licence
Foreign National Identity Card

List B (plus one original from below):
A letter sent to you by the Passport Office
Utility bill showing current home address
Bank statement or Building Society Book


SECTION 8 AUTHORITY TO RELEASE INFORMATION TO A REPRESENTATIVE

A representative needs to obtain authority from the applicant before personal data can be released. The representative should obtain the applicant's signature below, or provide a separate note of authority.

This must be an original signature, not a photocopy (tip: using blue ink often helps verification).

If the applicant is signing as the guardian of a child under 13, proof of legal guardianship must also be provided.

I hereby give my authority for the representative named in Section 3 of this form to make a Subject Access Request on my behalf under the Data Protection Legislation.


Signature of Applicant:                    Date:
Signature of Representative:               Date:


SECTION 9 TIMESCALE

If you have specific reasons for requiring data by a specific date please give details below:
(a) Date required:
(b) Reason (please state and supply supporting evidence):