Privacy program KPIs
Simon
When it comes to privacy and KPIs I think it’s important to remember that ‘performance’ often measures things beyond your control, and it can be as much about workload, but that data can be useful for identifying needs to increase efficiency & effectiveness.
In the past I developed KPIs around responses to FOI and SARs (how many received, effort required per request, % completed in timeframe, % resulting in ICO complaints). Other indicators have included DSPT completion % targets, audit completion targets, number of ‘first’ DPIAs reviewed, number of ‘old’ DPIAs reviewed.
Special Category Data
Simon
To add to Dominga and Hellen, you may also need to document that you’ve met the provisions in the Data Protection Act 2018. Section 10 of the DPA18 sets out conditions that need to be met to rely on special category lawful bases for employment, substantial public interest, health and social care, public health, and research. https://www.legislation.gov.uk/ukpga/2018/12/section/10/enacted
These are found in Schedule 1 of the DPA18. https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted
Rightly.co.uk
Simon
As a general rule of thumb, if a requestor would like the response via rightly.co.uk, and you’ve informed them of the risks having offered a more secure method (e.g. encrypted file share), then that is their reasoned and informed choice.
I don’t think there would be a legal reason for failing to respond by the method the requester has chosen.
Gener8 Ads – Thoughts?
Simon
Brave has been doing this for longer. Having had time to mull this over, I think it’s a step in the right direction, but I feel that accepting this as the norm is accepting the commoditising of fundamental rights and freedoms. I have no issue with an individual selling either their body or their rights, but no individual should feel compelled to because it is the done thing.
Hypothetical Scenario – Is this personal data?
Simon
Yes, it can be used to indirectly identify someone by combining it with other data. If I were the LA I would only be publishing aggregate statistical data rather than individual household data.
Web Scraping for B2B contacts
Simon
Establish your lawful basis for processing, and a legitimate interests assessment if you need one?
Controller or processor when a municipality outsources a task
Simon
I’d argue you’re a controller: you’re determining the purpose for collecting the data (e.g. not killing people by accidentally inducing anaphylaxis*) and presumably a secure means of processing too. Commissioning a service does not simply make the commissioner a controller of the data collected for the commissioned service. It does behove the commissioner to share data with you (which shouldn’t be an issue legally) for you to provide the service.
*Presumably this even extends to the detergents used for laundry too.
When can you say a DSAR email search is excessive?
Simon
Primarily when multiple requests are made within a short period of time and/or overlapping. The ICO’s guidance sets out that excessive is unlikely to cover a request for a large amount of information. You could search by email addresses that the person is likely to have emailed/received emails from, or email addresses from individuals who are likely to have emailed about her.
It’s worth using (or working with those with access) some of O365’s tools which can help narrow it down.
https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-manage-gdpr-data-subject-requests-with-the-dsr-case-tool
In the past I’ve used Adobe to compile emails into PDFs so that I can sift through the information more easily.
SAR & Conflict of Interest
Simon
Potentially, yes. I would recommend that those individuals have zero involvement with the SAR other than as data subjects as necessary. You may need to find a new ‘home’ for the data you’re redacting while processing the SAR.
I would discuss it with them, and/or the level of seniority above them (even if that’s the CEO) and request another individual of equal seniority provides the sign-off. You may need to train that new person so they can make an informed decision.
Managing CCTV requests
Simon
You need to ensure that individuals doing the reviewing and disclosure are sufficiently equipped to make those decisions, as well as having processes for disclosure sign-off. Depending on the size of your organisation either model is possible.