Written and recorded by Robert Edwards, Law Hound
Hello and welcome to this GDP. Our session from Data Law. My name is Robert Edwards. I'm retired Counterintelligence Andi I t security specialist with h m g Andi. After that, I moved on to delivering legal training on lecturing GDP. All the main changes to personal data. The General Data Protection Regulation GDP are is designed to update the Data Protection Act 1998 d p. A. To provide greater transparency, enhanced rights for citizens and increased accountability. This is an opportunity for businesses to increase customer trust when individuals rights are respected and complied with overhaul their current data protection processes and documentation. Andi to ensure that their in line with the GDP our requirements which are in force from May 2018. In this session, we're going to examine the changes The GDP are makes to the definitions and handling off personal data on sensitive personal data or special categories of data protecting data Recital one of GDP are advises us that the protection of natural persons in relation to the processing of personal data is a fundamental right. It also reminds us that Article eight warn of the Charter of Fundamental Rights of the European Union The charter on Article 16 1 of the Treaty on the Functioning of the European Union TF. You both provide that everyone has the right to the protection of personal data concerning him or her recital to reminds us that the principles off and rules on the protection of natural persons with regard to the processing of their personal data should whatever their nationality or residents, respect the fundamental rights and freedoms in particular there, right to the protection of personal data. So what is data well? Data is information on din clued, static images, video on Gaudio recordings. It also includes paper on computer records and, according to Article two, is information that is or is intended to be wholly or partly processed by any automated means or automatically, including by any type of I T or equipment, all computer records, such as a data base sales record or account system. It's also part of any type of what is referred to as a relevant filing system. This means any non automated, structured information which allows you ready access to information about individuals, for example, personnel records or client or customer records. The system may be separate paper files, the sort of agent said you might associate with a filing cabinet. Alternatively, if a mobile therapist has one cardboard folder where she stores individual A four sheets of paper, each of which containing a client's name, address and telephone number and details connected to their treatments than that folder will be a system for data protection purposes as well. It includes data that is found in other accessible records, such as health records, which include information about an individual recorded by or on behalf off a health professional who is caring for the individual on recorded information held by a public authority, including local authority, housing, social services and education records. The definition of data under GDP are is wider than the DPS definition, but still applies to both automated personal data on day two manual filing systems where personal data are accessible according to specific criteria. It therefore also includes chronologically ordered sets of manual records containing personal data. We also know from Article two that the GDP are does not apply to processing personal data in the course of any activity which falls outside the scope of union law by the member states. When carrying out activities which fall within the scope of Chapter two of Title five of the T. U by a natural person in the course off a purely personal or household activity by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against on the prevention of threats to public security. Personal data Under the DP, A personal data is information which can identify a natural living person who is known as a data subject. This might identify a living individual directly from the data in isolation, for example, a person's name and address, or indirectly when that data is combined with other data that you hold or likely to hold. So, for example, your electricity consumption reading How much Alatriste do you use is not personal data by itself, but combined with the other details that your energy supplier has, such as who pays the bill. Your name and address makes it personal data so personal data might be obvious, as in the case of the name and address, or sometimes something not quite so obvious. Let's consider some examples. You can identify someone without knowing their name. If you have a detailed physical description of someone taken from a small group of data subjects such as their height, age, weight, hair and eye color, then even without their name, they may be identifiable. And so this becomes personal data. If you are an employer, you might hold data which relates to the accounts manager without including the name or personal details. You may think this is not personal because it doesn't identify an individual. However, if you only have one accounts manager, then the data will be personal data because it's easy to identify who the accounts manager is in your organization. Personal data under data protection even includes recorded opinions about or intentions regarding a person. For example, on apprentices, progress reports and employee review reports. Indirect identification may occur as a result of data in context. Having data that someone is female apparent on the home address would not immediately identify them as a particular natural living person. Introducing a separate set of data, which includes addresses and documents names, we'll still make direct identification impossible. 1/3 set of data identifying addresses on the year in which each occupant was born. We'll also obviate any direct identification to be made 1/4 data set, which identifies only Children by name on their home address. But no other data relating to other occupants will enable the mother to be identified as an individual by a process of elimination using all four sets of data. The key change under Article four personal data means any information relating to an identified or identifiable natural person, the data subject. This is a clear broadening of the data to be regarded as personal data. The new definition also modernizes matters to take into account advances in technology and how we work and do business today. It also sets a low bar as to what is identifiable. If anyone can identify a natural person directly or indirectly using, according to Recital 26 all means reasonably likely to be used, then the information is personal data. It means that the data, maybe personal data, even if the organization holding the data cannot itself identify a natural person. Therefore, taking into account Article four, the term personal data now includes a name on identification number, location data, something specific to that person's physical physiological, genetic, mental, economic, cultural or social identity online identifies Recycle, 30 discusses online identifies, which are provided by their devices, applications, tools and protocols. Online identifies such as I P addresses into that protocol addresses cookie identifies or other identifies, such as radio frequency identification tags or R F tags. These, according to Recital 30 may leave traces, which in particular when combined with unique identifies and other information received by the servers, may be used to create profiles of the natural persons and identify them. Personal data may also in Q. It include pseudonym Eyes data. This is personal data, which is being sued anonymized that is key coded, depending on how easy it is to recognize a particular individual from the pseudonym Article 26. However, as Recital 26 confirms, it doesn't apply to anonymous data or information, which is described as information which does not relate toe on identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable. Recital 26 specifically excludes anonymous data for statistical on research purposes. It's a note that Elektronik loyalty cards provide point of use, location data and that these air currently being adopted by smaller businesses, both to entice customers to return by offering rewards on to more accurately monitor and analyze shopping habits so that they can streamline stock levels. The GDP are also provides more help than the DP A about deciding whether a natural person is identifiable from data Recital 26. The GDP are tells us that you need to take into account all the means reasonably likely to be used directly or indirectly to identify an individual. That means objective factors such as the time required and the costs associated with identification, but also taking into account the technology available, particularly given the speed at which complex and expensive enterprise level technology becomes less expensive and falls within the reasonable reach off the individual. As an aside, it may be notable that the GDP are repeatedly refers to information that relates to an identifiable living person, as opposed to information from which a living person might be identified. This means that despite the spirit of the legislature isolation, it's particularly interesting to see that Article four and Recital 26 avoid declaring any direct link between the personal information on the identity off the individual, it's difficult to tell whether or not this is deft use of language for the purposes of future proofing The legislation in light of the speed of technological development, special categories of data sensitive personal data is more private personal data which could be used in a discriminatory way, including data. As Recital 51 reminds us. Sensitive personal data merits specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Article nine of GDP are refers to special categories of data, which is similar to the sensitive personal data under DP A with two additions. GDP. All special categories of personal data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data on biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person, sex life or sexual orientation. Criminal records, including data about criminal proceedings and sentence or other conclusion any alleged offenses or offenses admitted to or convicted off are included. A sensitive personal data under the D. P. A. And have safeguards under GDP are as they are under the control of official authority. According to Article 10 the key changes here are that's sensitive or special. Data now specifically includes genetic data. Andi Biometric data were processed to uniquely identify a person. It's interesting to note that Recital 51 specifically states that the processing of photographs should not systematically be considered to be processing of special categories of personal data as they're covered by the definition of biometric data. Only when processed through a specific technical means allowing the unique identification or authentication off a natural person everyday biometrics. This is part of the reason why biometric data has been included. The exception means that MasterCard has been able to introduce what has been dubbed selfie pay. Having a photograph of the customer on file the account holder is prompted to take a photograph of him or herself was part of the transaction verification process. As an alternative to fingerprint authorization, it can be used by mobile users without fingerprint pads as an alternative to typing in a password, it's much more convenient. Maurice A Terek is the system of facial recognition offered by Face first on American Company, which has developed systems that are available to military on law enforcement organizations and airports, but also casinos, retired retail outlets Andi, even for use at events. The purpose is to flag up potential problems before they happen by automatically identifying known criminals Onda overly frequent visitors to different branches of the same chain of stores for the purposes of assessing security, effectiveness and efficiency. Of course, the visits, not the recognition. It's true that data controls in the US and markedly different to those in the U. But we should remember that post Brexit UK citizens will no longer be EU citizens. Automated facial recognition for public places will undoubtedly be of interest to the security services as a tool to help combat terrorism. And it isn't that difficult to imagine the arguments regarding legality and expedience for employing these systems. And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session
00:17:35