Book contents
- Frontmatter
- Dedication
- Contents
- Acknowledgements
- 1 Introduction to information rights law
- 2 Freedom of information
- 3 Freedom of information exemptions
- 4 Data protection: principles and main features
- 5 Data protection: rights of data subjects
- 6 Data protection: internal enquiries
- 7 Environmental Information Regulations
- 8 Other information-related laws
- 9 Fitting information and records management into information rights work
- 10 Resources
- Notes
- Index
6 - Data protection: internal enquiries
Published online by Cambridge University Press: 01 June 2019
- Frontmatter
- Dedication
- Contents
- Acknowledgements
- 1 Introduction to information rights law
- 2 Freedom of information
- 3 Freedom of information exemptions
- 4 Data protection: principles and main features
- 5 Data protection: rights of data subjects
- 6 Data protection: internal enquiries
- 7 Environmental Information Regulations
- 8 Other information-related laws
- 9 Fitting information and records management into information rights work
- 10 Resources
- Notes
- Index
Summary
Introduction
This chapter covers the sorts of enquiries that you are likely to receive from your colleagues about what they need to do when collecting, processing, sharing and otherwise using personal data. I have assumed that readers will be acting as Data Protection Officer (DPO) for their organization, but even if you are not officially in that position or your organization is not required to appoint a DPO, this chapter focuses on advising others within your organization on what their data protection responsibilities are. These are all likely to be internal, although you may need to get involved with contracts with third parties when sharing data. The following are examples of what you will need to advise your colleagues on:
• creating privacy notices and consent forms for collection of data;
• conducting privacy impact assessments – recognising when this is necessary, how to carry them out;
• sharing data with third parties – when you can make transfers to third parties, under what circumstances and how to do so securely;
• enquiries of the type ‘can I do this with personal data?’, which come in many varieties.
Privacy notices and consent forms
Privacy notices and consent forms have always been required under the Data Protection Act (DPA) when collecting information from data subjects. They are intended to let data subjects know why the data is required, who will see it and what will be done with it. Previously some organizations relied on the one privacy notice for all collections of data. Others created new notices with each collection carried out. The latter are in a better position under the General Data Protection Regulation (GDPR), which set out what details you need to provide to people for data that you collect directly and for data that you receive from third parties. A one-size-fits-all privacy notice will not be compliant with the GDPR.
Articles 13 and 14: Information to be provided to the data subject Both these articles cover what information a data subject has to be provided with when their data is being used. However, there are differences between when you are collecting the information yourself and when you are using personal data obtained from a third party.
- Type
- Chapter
- Information
- Information Rights for Records Managers , pp. 121 - 140Publisher: FacetPrint publication year: 2018