
TOPIC: Data Protection Law Changes May 2018 Providers look Out!

Data Protection Law Changes May 2018 Providers look Out! 17 Apr 2018 12:48 #7075

  • jobber
  • Platinum Member
  • Posts: 642
  • Thank you received: 1003
I see the data protection laws are changing with regard to by whom and how data is held and with whom it is shared. That's always an interest to me, as my experience while on the Joke Programme was a real circus; they hadn't a bloody clue what to do with the security of people's data.

This part may be helpful when anyone has to or wants to take up a nice polite conversation with a provider company, as I expect all their systems to be fully in place before sheep are sent head first into the new circus.

4 Individuals’ rights :) Oh deary me, we actually have some :cheer:
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
The GDPR includes the following rights for individuals:
• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure; :)
• the right to restrict processing;
• the right to data portability;
• the right to object; :) and
• the right not to be subject to automated decision-making including

Full details here: ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
The following user(s) said Thank You: comply or die, El-dudeareno, Dizzy, Warrior, KatiLB

Data Protection Law Changes May 2018 Providers look Out! 17 Apr 2018 13:37 #7080

  • Benefit Bolshie
  • Platinum Member
  • Posts: 370
  • Thank you received: 628
Good job Jobber. Useful ammunition for the fight.
The following user(s) said Thank You: jobber

Data Protection Law Changes May 2018 Providers look Out! 17 Apr 2018 13:50 #7081

  • jobber
  • Platinum Member
  • Posts: 642
  • Thank you received: 1003
Yes Benefits Bolshie, that info will hopefully come in quite useful and I'd put money on it the providers haven't a clue in regard to how they are supposed to be operating with all this new data protection compliance :cheer: .

It's good we can all help them out a little when it comes down to it ;) :)

Now off to the shops.


Data Protection Law Changes May 2018 Providers look Out! 17 Apr 2018 15:41 #7090

  • moogle
  • Premium Member
  • UM Refugee
  • Posts: 156
  • Thank you received: 137
the right not to be subject to automated decision-making including

Would that include the Russian Roulette of their inputting your NI number and automatic process says if you are on the WHP or not?
Toads - Philip Larkin
Why should I let the toad work, Squat on my life?
Can't I use my wit as a pitchfork And drive the brute off?
Six days of the week it soils, With its sickening poison -
Just for paying a few bills! That's out of proportion...

Data Protection Law Changes May 2018 Providers look Out! 18 Apr 2018 06:54 #7100

  • Paul-UB40
  • Administrator
  • Posts: 1855
  • Thank you received: 1125
These New Laws are VERY Far Reaching, I See that FACEBOOK is trying to push thru even More Tracking of Personal Data ahead of May Deadline;
Facebook has started asking European and Canadian users to let it use facial recognition technology to identify them in photos and videos.

Facebook originally began face-matching users outside Canada in 2011, but stopped doing so for EU citizens the following year after protests from regulators and privacy campaigners.

The new request is one of several opt-in permissions being rolled out in advance of a new data privacy law.

The move is likely to be controversial.

The company is currently embroiled in a privacy scandal related to the use of its members' personal information by the political consultancy Cambridge Analytica.

The social network is also facing a class-action lawsuit in the US for deploying the facial recognition technology there without users' explicit consent.

"Biometric identification and tracking across the billions of photos on the platform exacerbates serious privacy risks to users," commented Silkie Carlo, director of UK civil liberties group Big Brother Watch.

"Facebook now has a duty to prove it has learned how to respect the law, not to prove it can take its surveillance capabilities to new depths."

YNWA: You'll Never Walk Alone

Data Protection Law Changes May 2018 Providers look Out! 18 Apr 2018 11:04 #7102

  • Benefit Bolshie
  • Platinum Member
  • Posts: 370
  • Thank you received: 628
Experts at the leading technology & digital media law firm Kemp & Little define the terms used in this legislation thus:

What is profiling?
Profiling consists of three aspects:
1. Automated processing (processing using computers);
2. of personal data
3. with the aim of evaluating personal aspects relating to a person or group of people (including analysis or prediction).

The guidelines make it clear that the definition is very broad and that the processing does not need to involve inference to be caught – “simply assessing or classifying individuals based on characteristics such as their age, sex, and height could be considered profiling, regardless of any predictive purpose”.

The guidelines describe profiling as having three distinct stages each of which fall within the GDPR definition of profiling:
(1) data collection;
(2) automated analysis to identify correlations; and
(3) applying the correlation to an individual to identify characteristics of present or future behaviour.

Examples of profiling include:
• Collection and analysis of data to gain insights into behaviours and characteristics (the guidelines include an example of a data broker collecting data from different public and private sources, compiling the data to develop profiles on the individuals, placing the individuals into segments and selling the output information to companies who wish to improve the targeting of their goods and services);

• Keeping a record of traffic violations to monitor driving habits of individuals over time to identify repeat offenders (which may have an impact on the sanction); and

• Considering an individual’s credit score before granting a mortgage.

What is meant by solely automated decision-making?
A decision based solely on automated processing is a decision with no human involvement in the decision process. The guidelines warn that involving a human in the process to circumvent the rules on solely automated decision making would not work, as the human involvement must be meaningful and not just a token gesture. The individual needs to have the authority to change the decision considering all the information available.

Decisions that have a legal effect are those that impact on an individual’s legal rights (including in contract).

Examples given in the guidelines include:

• entitlement or denial of a social benefit granted by law, such as child or housing benefit;

• increased surveillance by competent authorities; or

• being automatically disconnected from a mobile phone service because an individual forgot to pay his/her bill before going on holiday.

A decision that has a similarly significant effect “must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned. At its most extreme, the decision may lead to the exclusion or discrimination of individuals.”

The examples given in the GDPR are automatic refusal of an online credit application or e-recruiting practices without any human intervention. The guidelines explain that although online advertising will not generally meet the threshold of having a similarly significant effect, online advertising may meet the threshold depending on the intrusiveness of the profiling, the expectations and wishes of the individuals, the way the advert is delivered and the vulnerabilities of the individuals concerned. An example given is an advert for risky financial products targeted at vulnerable individuals.

What should organisations be doing now?
Take stock of profiling activities and any automated decision-making: It will be impossible to comply with GDPR requirements without first identifying the profiling activities and automated decisions taken by the organisation. Organisations are likely to find it helpful to think about the three stages of profiling to help identify profiling activities.

Where automated decisions are identified, assess whether they are solely automated and, if so, if they may produce a legal or similarly significant effect on individuals. Organisations should document their analysis as part of GDPR accountability requirements.

Comply with the data protection principles: Identify an appropriate legal basis for each of your profiling activities and automated decisions. Ensure your activities comply with the data protection principles.

Tell people about your profiling activities and automated decisions: Organisations need to provide information about profiling and automated decision-making in their privacy notices. The rights to object and, where consent is the legal basis for processing, the right to withdraw consent must be explicitly brought to the attention of individuals and presented clearly and separately from other information. [See section below for specific requirements for Article 22 solely automated decisions that have a legal or similarly significant effect (“Article 22 decisions”).]

Have processes to deal with individuals’ rights in relation to profiling and automated decision making: Organisations need to have processes in place to deal with requests from individuals exercising their rights. Consider the right of access to data and what information individuals will be entitled to a copy of.

Individuals have an absolute right to object to direct marketing including profiling related to direct marketing. Organisations will need to have a clear view on their profiling that is related to direct marketing in order to be able to fulfil the absolute right to object to direct marketing. Individuals also have a right to object to processing of personal data necessary for the purposes of the legitimate interests pursued by the controller. Such objections to processing will likely need to be considered on a case-by-case basis by the controller.

Special considerations for Article 22 decisions:
There is debate about whether Article 22 is a prohibition (meaning organisations cannot take Article 22 decisions unless one of the exemptions applies) or just a right for individuals not to be subject to Article 22 decisions (meaning individuals only have the right to object to such decisions).

The guidelines clearly state that the controller can only carry out the processing if one of the three exceptions covered in Article 22(2) applies. Read as a prohibition, organisations are only permitted to take Article 22 decisions where:

1. The decision is necessary for entering into, or performance of, a contract between the individual and the controller;

2. the decision is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

3. the decision is based on the individual’s explicit consent; and

4. the controller has implemented suitable measures to safeguard the individual’s rights and freedoms and legitimate interests (which includes at least a means for the individual to obtain human intervention, express his or her point of view and/or contest the decision).

Note that Article 22 decisions must not be based on special categories of personal data unless the controller has the explicit consent of the individual or the automated decision-making is necessary for reasons of substantial public interest and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Regardless of the distinction, when taking Article 22 decisions, organisations must implement documented processes to ensure that:

• the decisions are lawful;

• information about the profiling and the Article 22 decisions is easily accessible for individuals and brought to their attention (which includes the rationale behind or the criteria relied on in reaching the decision and the consequences for the individual with tangible examples);

• details of Article 22 decisions are provided in response to data subject access requests, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual;

• suitable measures to safeguard individuals’ rights, freedoms and legitimate interests (including as a minimum, a way for the individuals to obtain human intervention, express their point of view, obtain an explanation of the decision reached and/or contest the decision) are implemented.

Data Protection Act 1998
Part II Rights of data subjects and others

12 Rights in relation to automated decision-taking.
(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

(2) Where, in a case where no notice under subsection (1) has effect, a decision which significantly affects an individual is based solely on such processing as is mentioned in subsection (1)—
(a) the data controller must as soon as reasonably practicable notify the individual that the decision was taken on that basis, and
(b) the individual is entitled, within twenty-one days of receiving that notification from the data controller, by notice in writing to require the data controller to reconsider the decision or to take a new decision otherwise than on that basis.

(3) The data controller must, within twenty-one days of receiving a notice under subsection (2)(b) (“the data subject notice”) give the individual a written notice specifying the steps that he intends to take to comply with the data subject notice.

(4) A notice under subsection (1) does not have effect in relation to an exempt decision; and nothing in subsection (2) applies to an exempt decision.

(5) In subsection (4) “exempt decision” means any decision—
(a) in respect of which the condition in subsection (6) and the condition in subsection (7) are met, or
(b) which is made in such other circumstances as may be prescribed by the Secretary of State by order.

(6) The condition in this subsection is that the decision—
(a) is taken in the course of steps taken—
(i) for the purpose of considering whether to enter into a contract with the data subject,
(ii) with a view to entering into such a contract, or
(iii) in the course of performing such a contract, or
(b) is authorised or required by or under any enactment.

(7) The condition in this subsection is that either—
(a) the effect of the decision is to grant a request of the data subject, or
(b) steps have been taken to safeguard the legitimate interests of the data subject (for example, by allowing him to make representations).

(8) If a court is satisfied on the application of a data subject that a person taking a decision in respect of him (“the responsible person”) has failed to comply with subsection (1) or (2)(b), the court may order the responsible person to reconsider the decision, or to take a new decision which is not based solely on such processing as is mentioned in subsection (1).

(9) An order under subsection (8) shall not affect the rights of any person other than the data subject and the responsible person.

If true, and it’s widely believed that it is, one of the primary objects of Universal Jobmatch is to automatically generate sanction doubts on data subjects (the claimant in this case).

Section 12(1) clearly states the right of the data subject not to have any data held or gathered by a data controller concerning him/her to be used to automatically generate a decision.

By signing up to and using UJM the claimant is forsaking that right.

If Universal Credit Account and Journal is capable of the same automatic generating of decisions as UJM then the claimant is forsaking their rights by signing up to and using it as well.

If the individual has the legal right set out in S.12(1) then no law on earth can penalise him/her for exercising it.

It follows then that exercising the right to refuse to sign up to Universal Credit Account and Journal has to be permissible and that payment of benefits must not be affected if the individual chooses to do so.

Those new changes will help to reinforce that premise.
The following user(s) said Thank You: Paul-UB40