
Data Protection Act 2018


Lisa


Hi All,

I'm a new member so I hope I have posted this in the right place....

I spoke to the ICO a couple of times yesterday to clarify a few points regarding consent for sensitive personal data. During our discussion, the ICO lady referred to the Data Protection Act 2018 published on 24th May, specifically Schedule 1 - Part 2 - paragraph 20 (p139). This refers to processing of sensitive personal data for insurance purposes, with the lawful basis being "substantial public interest".

https://ico.org.uk/for-organisations/data-protection-act-2018/

I have interpreted this as we don't need consent and don't need to record anything for collecting health info and criminal offence data (there's another "insurance Extension" in Schedule 1, Part 3 (p146) referring to criminal offence data). Please correct me if I'm wrong. I'd love to know what you think!

Btw - the page numbers are the document page numbers, not the PDF page numbers.

Lisa


Hi Lisa - thanks for the question

Looks like this has not gained much response!! Always a tricky area

I'm no compliance advisor - so you will need to take better advice. However, as a minimum (DPA or GDPR) you have to prove you have a lawful basis - and that you have a process for those wishing to opt out - even if there are consequences given you are holding their insurance.

And when you are no longer holding their (current) policy - then what? What is your documented process for removal of their data you no longer "need"? How can they access it? How can they port it elsewhere?

Maybe someone can give a more lucid / generic answer from the coalface - but you really need to take good advice from a good source.

Are you a network member and / or do you have a compliance point of reference (other than ICO)?


Hi Mark,

Thanks for your reply. Everyone must be busy reading hundreds of pages of legislation!

We’re just finalising our procedures now. Good advice has been hard to find. Even the data privacy lawyers are reluctant. I have documented the phone call with the ICO so if we’re doing something wrong we can say they told us to (that was the compliance consultant’s advice).

Thanks,

Lisa
