Workshops
On the second day, delegates can choose two of the four half-day workshops to work through real-life scenarios and focus on a particular topic.
Morning Workshops - 9.30 am - 12.45 pm
A. Using Data Protection Policies to Your Advantage
Hazel Grant - Partner, Bristows
Data protection policies have become essential tools to control personal information, whether it is information about employees or customers/citizens. Organisations need data protection policies for general data protection responsibilities, access control, website privacy issues, acceptable use and employee monitoring, rights of subject access, CCTV usage, portable devices and security of personal information. This Workshop shows how organisations can use internal and external policies to make information management more efficient and effective. Using sample policy documents (which delegates can keep), this Workshop covers:
- the ICO guidance on drafting policies
- using policies to educate employees and customers, to control the release of information and to keep information secure
- the “organic” model: keeping policies up to date
- when and how to make policies enforceable
- relying on your policies in disputes
B. Managing an ICO Audit
Stewart Room - Partner, Field Fisher Waterhouse
The Information Commissioner’s Office is now able to do unannounced audits of public sector bodies, to check for data protection compliance. It is important for the data protection team to be able to adequately prepare for an audit, and in this Workshop Stewart Room discusses:
- ICO’s legal powers to conduct an audit
- ICO’s auditing style and preferences
- understanding systems-based regulation
- what happens on the day
- controller’s legal rights and privilege
- potential outcomes
Afternoon Workshops - 2.00 pm - 5.15 pm
C. Privacy Impact Assessments in Data Sharing
Damien Welfare - Barrister, 2-3 Gray’s Inn Square
The Government is keen to promote data sharing, and Privacy Impact Assessments (PIAs) are the main first step before sharing. They are considered particularly appropriate when there is a genuine risk to the privacy of the individual from sharing data, and recommended in certain cases (eg where new and intrusive technology will be used, or where private or sensitive information will be re-used). At the same time, there has been uncertainty over the proper scope of PIAs and how to apply them. The Commissioner produced a revised PIA Handbook in June 2009. This Workshop examines the issues and the practicalities in lawful data sharing as a whole, and the role of PIAs in that process, including:
- when PIAs should be used in data sharing, and how they fit into the wider process
- how extensive a PIA needs to be in different cases
- the revised PIA Handbook
- achieving the right balance of outcome, and taking the results properly into account
- the likely future role of PIAs
D. Data Breaches - What to do When They Happen
Andrew Dyson - Partner, DLA Piper
It's no longer a question of 'if' but 'when' any organisation will experience a data breach. Using case studies of recent enforcement actions, as well as the direct experience of the tutor, delegates will work through the practical implications of a breach, including:
- mitigating any immediate damage and distress
- liaising effectively with regulators including the ICO
- determining whether affected individuals should be contacted
- taking appropriate remedial action
- restoring confidence for the future
- avoiding adverse publicity