DRIVING SECURITY
Data Protection and Security - What you need to know
Community Pharmacy businesses are now well prepared for any new changes to the Data Protection Regulations after Shauna Dunlop, Northern Ireland Group Manager for the Information Commissioner's Office (ICO), gave an overview of data protection and security.
The ICO's office in Belfast provides a local point of contact for members of the public and organisations based in Northern Ireland.
As well as operating an advice service to address general enquiries on data protection and freedom of information, it promotes good practice in information rights by raising awareness of organisational responsibilities across all sectors.
It also influences policy in related areas by working closely with the departments of the Northern Ireland civil service and the wider public sector.
Back in February, I said we’re not even in the home straight, let alone close to the finishing line. But there is real progress. There’s still some way to go, but that home straight does seem closer.
The big news is that the Council of the European Union, which is where the governments of member states are represented, has agreed its position. The ICO has published a commentary on this text, including the areas where we consider that there is the greatest need for improvement as the trilogue progresses.
There’s no doubt it includes a certain amount of papering over of cracks between different governments’ views, but the ‘general approach’ agreed in June means, at long last, the Council has its own version of the text of the Regulation to bring to the negotiating table.
This negotiating table is known as the trilogue or, more correctly, a series of trilogues. Technically it’s not a formal part of the decision-making process, so there’s no rule book that it follows, but it’s where representatives of the Council, the European Parliament (which adopted its version of the Regulation back in March 2014) and the European Commission (which put forward the original proposal for a Regulation as long ago as January 2012) come together to thrash out a final text.
Encouragingly, but perhaps not surprisingly, the reports that have emerged of the two trilogue sessions held so far are positive and suggest that there has been a real effort to find a workable compromise between the texts, rather than just looking for the lowest common denominator.
Here are a few areas to look out for:
• The devil is in the detail. The trilogue is all about compromise, but there’ll be plenty of interest in the specifics of any arrangements. For example, it will be interesting to see, when the detail emerges, whether there really is any consensus around Article 43(a) of the Parliament’s text which, in the post Snowden era, attempts to regulate situations where there is a conflict between, on the one hand, a legal requirement of a non-EU country that requires the disclosure of personal data held in the EU to that country and, on the other hand, EU data protection law which restricts such disclosure.
• September not April may turn out to be the cruellest month. That’s when it is likely the going will start to get tougher, as the trilogue will be looking at key principles including the extent to which the processing of personal data can be based on a data controller’s ‘legitimate interests’, and how far ‘incompatible processing’ is permissible. There’s been much criticism of the Council’s text in this area, but the Parliament’s text has its problems too, so it would be foolish to try to predict just what will emerge.
• Times they are a changing. Even without the full detail, it is clear from the early session discussing international transfers that we can expect to see more detailed supervision of these in the UK than we have been used to up to now. We also know there will be compulsory breach notification, both to affected individuals and to data protection authorities, though we don’t know yet whether all breaches or only high risk ones will have to be notified, nor whether notification will have to be within 24 hours, 72 hours or simply “without undue delay”.
• Simplicity is key. Our input throughout has been to stress the importance of the final text being clear, simple and easy to understand if it is to have the desired effect of improving privacy protection for individuals in practice as well as on paper.
Shauna Dunlop, NI Group Manager, Information Commissioner's Office
Our colleagues at the European Data Protection Supervisor (EDPS) have echoed our pleas in their recent opinion 3/2015 on what they call “Europe’s big opportunity”.
They have accompanied this opinion with a side by side comparison of the three proposed texts and what the EDPS would like to see in the final version.
Although strictly for students of the process, running to over 500 pages, this is a very useful analysis. We don’t necessarily agree with all the EDPS’s ideas, particularly around the regulation of international transfers, but we commend them for their work and for producing their analysis in the form of an app.
Finally, a word on the proposed Directive on data protection in the law enforcement and justice sectors, which sits alongside the Commission’s general Regulation. The Council is still discussing its position on this, with the aim of having something to take to trilogue in the autumn.
The Directive would then enter discussions alongside the Regulation, with the assumption that most of the difficult questions will already have been answered in the context of the negotiations on the Regulation.
This might work but there are some big differences between the Parliament’s position and the Council’s position that will need to be overcome so it could end up actually delaying the conclusion of the trilogue.
Not least amongst these differences is the question of precisely where the boundary should be drawn between the Regulation and the Directive when applied to the processing of personal data in the field of “public security”.
So there’s much hard work to be done yet. At the ICO we’re continuing to work in the expectation that by the fourth anniversary of the Commission’s proposals – in January 2016 – we really will be into the home straight – even if reaching the winning post might still require a final push.
pharmacyinfocus.co.uk 41