Data Protection Act 2018


Lisa

Hi All,

I'm a new member so I hope I have posted this in the right place...

I spoke to the ICO a couple of times yesterday to clarify a few points regarding consent for sensitive personal data. During our discussion, the ICO lady referred to the Data Protection Act 2018 published on 24th May, specifically Schedule 1, Part 2, paragraph 20 (p139). This refers to processing of sensitive personal data for insurance purposes, with the lawful basis being "substantial public interest".

https://ico.org.uk/for-organisations/data-protection-act-2018/

I have interpreted this as we don't need consent and don't need to record anything for collecting health info and criminal offence data (there's another "insurance Extension" in Schedule 1, Part 3 (p146) referring to criminal offence data). Please correct me if I'm wrong. I'd love to know what you think!

Btw, the page numbers are the document page numbers, not the pdf page numbers.

Lisa

Hi Lisa - thanks for the question.

Looks like this has not gained much response!! Always a tricky area.

I'm no compliance advisor - so you will need to take better advice. However, as a minimum (DPA or GDPR) you have to prove you have a lawful basis - and that you have a process for those wishing to opt out - even if there are consequences given you are holding their insurance.

And when you are no longer holding their (current) policy - then what? What is your documented process for removal of their data you no longer "need"? How can they access it? How can they port it elsewhere?

Maybe someone can give a more lucid / generic answer from the coalface - but you really need to take good advice from a good source.

Are you a network member and / or do you have a compliance point of reference (other than ICO)?

Hi Mark,

Thanks for your reply. Everyone must be busy reading hundreds of pages of legislation!

We’re just finalising our procedures now. Good advice has been hard to find. Even the data privacy lawyers are reluctant. I have documented the phone call with the ICO so if we’re doing something wrong we can say they told us to (that was the compliance consultant’s advice).

Thanks,

Lisa
