Subject Access Request / Link to other processes
Barry Moult
Leaving under a cloud, not a good place to be in (I’ve been there)
Giving note to leave and being allowed to leave early – Is there evidence that it was agreed, i.e. email or letter?
SAR (IMHO) is a totally separate issue, legally entitled to request whether an employee or not.
On a practical note. Withdraw the SAR, leave and resubmit the SAR. Don’t accept any agreement not to submit a request.
DSAR disaster!
Barry Moult
I agree with Hellen.
Make sure you document your reason and rationale for not reporting it. If questioned at a later date, you are not relying on memory for your decision.
Also make sure you document lessons learnt and communicate to the relevant staff.
The last point Hellen made is a good one. Revisit your process, no matter how good you think it already is.
When can you say a DSAR email search is excessive?
Barry Moult
I had a request that turned out 17k emails. I went back to the requestor and asked if there are certain people who emails went to or from that might be of interest. It dropped the number down to less than 400.
Data mapping document
Barry Moult
Very little to add from what Dean has said.
I would make sure everyone knows their responsibility to add to the RoPA as and when required.
Legal counsel as DPO – conflict of interest
Barry Moult
Sometimes it’s taking a pragmatic approach, which is what you are doing.
You have a knowledge and experience of current legislation. You understand the workings of the organisation and the risks.
As long as you can work independently in the role of DPO and not be instructed by the organisation, IMHO I see no great issue.
Like with everything I would document the decision making and get the organisation to own any risk of ‘conflict of interest’ (if there is any).
I know of many organisations who have appointed less suitable persons to be the DPO.
Access requests for voice recordings. Is my voice alone personal data and covered by a DSAR?
Barry Moult
Brave or foolish – Barry in answering this first
You have raised some issues I have not been questioned about before (always a 1st time).
I am not aware of anyone redacting voice recordings as both parties were part of the conversation.
If you inform your clients the call is being recorded (you must), there is an expectation that the record would be available if requested. (What does your PN say?)
The request for the recording could be that they want to challenge/query something that has been said (advice/next steps). I would find it odd only to give one side of the conversation.
The ICO guidance (not in any detail)
https://ico.org.uk/for-organisations/guide-to-data-protection-1998/encryption/scenarios/audio-recordings/
Nice Guidance
https://www.nice.com/engage/blog/mcr-understanding-the-gdpr-call-recording-rules-2531/
Friends at iapp have commented
https://iapp.org/news/a/how-do-the-rules-on-audio-recording-change-under-the-gdpr/
Videoconferencing calls
Barry Moult
I’m not going to disagree with the replies already made. Just another way of looking at it.
An organisation might allow a member of staff to work from home rather than coming into the office, or even coming in to attend a meeting for an hour (not everyone lives next door to work).
If you are in a meeting F2F you can see people’s response to discussions (like, dislike, approval, non approval). I would be disappointed if people sat with their backs to the discussion table or wore a paper bag over their heads. How rude.
Is it not about respect to those in the discussion? (I know some will say respect those who don’t want their camera on.)
I do a lot of virtual training and many don’t have their cameras on. I don’t know if they are listening or engaged. I do know of some who logged in, never participated, yet got the certificate of attendance… Naughty.
I wonder if it will come down to company policy – camera on or come in for the meeting.
I will get my coat
Data Processor or Other Recipient
Barry Moult
Hi Hellen
I love your last sentence definition, I’m going to use it if you don’t mind, sums it up nicely.
“I tend to qualify ‘other recipients’ as organisations that the business is legally obligated to disclose to rather than one they would choose to”
Data Processor or Other Recipient
Barry Moult
I suspect you will get a number of differing replies to this.
Of course the standard reply is going to be ‘it depends’. It depends what they are auditing.
What will they have access to? How will they have access?
In Health I have always treated auditors as ‘data processors’ and they only process the data as instructed in the contract.
Would you want a data processing agreement? I’ve been there when I felt the ‘contract’ was not specific enough of what they will be doing (or not doing) with the data and insisted on an agreement. (belt & braces)
Just think what could go wrong if it’s not clear 🙁
National Data Opt Out – NHS. HELP!
Barry Moult
Thank you Dean
The NDOO is to opt out for information being used for any other purpose than originally given (i.e. unless it’s changed – research). Information being processed by the DSCROs and sent to the CCGs will be for management purposes (planning, invoicing etc.), therefore the opt out would not apply.