34
27/06/22
| Date post: | 25-Dec-2015 |
| Category: |
Documents |
| Upload: | clement-wiggins |
| View: | 213 times |
| Download: | 0 times |
19/04/23
DATA PROTECTION OFFICE• WHAT IS DATA PROTECTION AND WHY
SHOULD MAURITIUS HAVE DATA PROTECTION LAWS?
• To put it in simple terms, data protection is the safeguarding of the processing of all personal information of living individuals. Processing stands for all the activities carried out manually or automatically on personal data.
• Data protection is a component of privacy. The right to privacy is normally defined as the right to be left alone and is legally provided for in our constitution. There is no overlapping of the right to privacy with data protection/privacy as explained but rather when we talk about privacy of personal data, we are also talking about data protection.
19/04/23 2
DATA PROTECTION OFFICE• Data protection laws are essential not
only in Mauritius but in all developing or developped countries which have an extensive use of personal data and are technology-driven.
• The justification for enacting such laws is not felt until personal information incidents do not crop up. For example, whensomebody’sname/address/emails/bank details/cv have been misused for a criminal purpose causing immense prejudice to the person concerned.
19/04/23 3
DATA PROTECTION OFFICE• The Data Protection Act is restricted
only to the protection of the privacy of the personal data of living individuals.
• The rights protected under this legislation are:-
• the right to access personal data;• the right to have inaccurate data
destroyed or corrected;• the right to lodge a complaint with
the Data Protection Commissioner;
19/04/23 4
DATA PROTECTION OFFICE• the right to appeal against the
decision of the Commissioner before the ICT tribunal;
• the right to have data processed for lawful and necessary purposes;
• the right to be informed of the processing or collection of data and the conditions under which the data would be used; and
• the right to object to direct marketing.
19/04/23 5
DATA PROTECTION OFFICE• What is personal data and sensitive
personal data?• Personal data is any information which
can be linked to an individual. The most obvious one is the name, address, or emails of the person. The less obvious ones are the genetic set up of the individual, his/her race or ethnic origin, political opinion, religious beliefs, trade union membership, sexual preferences, criminal records or proceedings in court.
19/04/23 6
DATA PROTECTION OFFICE• The less obvious ones are called
sensitive personal data in the DPA. By their nature, they require more protection.
• Both sensitive and non-sensitive data require the express consent of the individual as regards their processing subject to the exceptions provided in sections 24 and 25 of the DPA.
• The exceptions are quite wide-ranging for ex, the contractual relationship the individual may have with the data controller, i.e
19/04/23 7
DATA PROTECTION OFFICE• the employer/employee relationship
is a contractual one, consent is not required where the contract already exists, i.e where the processing of personal data is required for the performance of a contract to which the employee is a party,
• in order to take steps required by the employee prior to entering into the contract, for ex, the employee is required to fill in a questionnaire as part of the recruitment process, no
19/04/23 8
DATA PROTECTION OFFICE• consent is required. This situation is to
be distinguished from the information gathered during reference checks on potential candidates as it does not relate to information provided by the individual himself but by a third party. The legal nuances have to be grasped correctly for a proper understanding of the exceptions.
• the protection of the vital interests of the employee by the employer, for ex. the processing of the data is necessary
19/04/23 9
DATA PROTECTION OFFICE• to protect the reputation of the
employee,• to protect the vital interests of another
person (not the data controller or the individual) where the individual unreasonably withholds consent or consent cannot be given by him or the data controller cannot be expected to obtain the consent of the data subject;
• where the law requires the processing for ex. as may be contained in the labour laws,
19/04/23 10
DATA PROTECTION OFFICE• the administration of justice, • the public interest,• the sensitive information has been
made public by the individual concerned or the latter has provided his express consent, or
• the processing of sensitive information is being done by an entity of a political, philosophical, religious or trade union nature for its members only and does not involve disclosure to
19/04/23 11
DATA PROTECTION OFFICE• third parties without the consent of the
individual concerned.• These are the broad exceptions which
do not require express consent of the data subject.
• However, it would be prudent to tread intelligently on these exceptions which are so broad that the interpretation of their ambit may result into legal problematics especially in a court of law! Legal gymnastics is perhaps what is required by any lawyer to synthesize a sound understanding of these exceptions.
19/04/23 12
DATA PROTECTION OFFICE• What is express consent?• Express consent does not
automatically have to bear the same meaning as the civil law version of « consentement expresse » which refers to written consent. It suffices that it be explicit, i.e, that it is unambiguous, freely given, specific and informed, which does not literally translate to written consent. However, evidentially, it would be wise to secure proof of the agreement of the employee which can
19/04/23 13
DATA PROTECTION OFFICE• only be in written form. • This is the irony behind legal
interpretation and the praticalities of the law.
• Employers would be further ill-advised to rely solely on consent as proof other than in cases where, if consent is subsequently withdrawn, this has not caused or resulted into any problems.
• Reliance on consent should be confined to cases where the worker has a genuine free choice and is
19/04/23 14
DATA PROTECTION OFFICE• subsequently able to withdraw
the consent without detriment.• What is meant by the above is
that the use of the exceptions must be clearly justified in order for the employer to avail himself of them.
• Events may be considered personal data such as wedding, anniversary, and pregnancy dates. However, since the DPA relate only to the protection of living individuals, funeral dates may be excluded.
19/04/23 15
DATA PROTECTION OFFICE• Why do we need a Data Protection
Office?• The Data Protection Office has come
into existence specifically to cater for the principles found under the legislation.
• The legislator has deemed it fit to make Mauritius data-protection compliant in order to enhance the credibility of the country as one respecting international standards and protecting the personal data of its citizens.
19/04/23 16
DATA PROTECTION OFFICE• However, the task is indeed an
immense one to inculcate the culture of data protection into each citizen of this country.
• Let us not forget that even for those countries which have adopted data protection for 30 years, data protection was initially viewed as insignificant compared to other pressing agendas of the governement the more so as it is quite a complex field and it is still a challenge for these countries to instill data protection principles in the routine of each citizen.
19/04/23 17
DATA PROTECTION OFFICE• Time has shown that such a concept
is indeed the future guarantee for the individual of today and tomorrow.
• Other fundamental rights such as the right to live, freedom of expression, movement, freedom against torture, amongst many others have now gained so much recognition worldwide that they do not require further publicity. They are called the entrenched human rights in any constitution containing them.
19/04/23 18
DATA PROTECTION OFFICE• But what about the right to privacy?
Yes, it is also recognised as entrenched in our own constitution but the ambit of its protection is too restrictive. Data protection does not squarely fit into the rather obsolete definition privacy has in many constitutions just like ours. This is why many countries have amended it. We will also eventually have to do it. It is already on the agenda of the Law Reform Commission.
19/04/23 19
DATA PROTECTION OFFICE• But we should be proud or grateful
that Mauritius has deemed it fit to adopt data protection laws. Not only laws but has instituted a permanent office dedicated to protect personal data. We have shown that we are ahead in many fields.
• The multifacetted tasks the Commissioner is also called upon to perform also justifies the creation of a separate entity.
19/04/23 20
DATA PROTECTION OFFICE• When should personal data kept be
destroyed and if kept, for which specific purposes?
• According to sections 26 and 28 of the Data Protection Act, personal data must be kept for the purpose/s for which the data has been collected. Employee data collected for personnel administration cannot be used for marketing without the express consent of the employee.
• When the purpose for keeping the data has lapsed, for ex, employee is no19/04/23 21
DATA PROTECTION OFFICE• longer in service, the purpose for
keeping the data should be clearly justified. Otherwise, deletion is mandatory within a reasonable period of time.
• It is the duty of each data controller to develop a retention policy which elaborates the categories of data kept at the organisation, their purpose and the time required to keep them, depending on the requirements of the organisation.
19/04/23 22
DATA PROTECTION OFFICE• Monitoring of the DPA at the
organisation requires a department or an officer to take the lead. The legal and/or IT department/officer may be deputed the task to handle data protection issues. However, it remains the task of top management to ensure that compliance is being done in all departments.
• A data protection officer or coordinator may be appointed. However, there may not be the need
19/04/23 23
DATA PROTECTION OFFICE• to appoint a new officer but someone
from the IT or legal department.• It should be borne in mind that the
officer appointed should understand data protection issues and may follow a training from this office.
• A centralised CV database is to be handled with utmost care as the data controller has the obligation to keep data accurate and up to date, ascertaining whether consent whenever required has been collected,
19/04/23 24
DATA PROTECTION OFFICE• whether the appropriate security and
organisational measures have been taken to protect the data.
• For those CVs which do not relate to employees but potential candidates, the latter should be informed in accordance with section 22 of the DPA as to the purpose, the beneficiaries, the consent required, right to access the data kept by the data controller.
• Personal data provided during reference checks would have to be
19/04/23 25
DATA PROTECTION OFFICE• used with utmost care and the
potential candidate would have to be made aware prior to the collection by obtaining his consent except if a law provides that no consent required.
• Data protection clauses in employment documents are essential to ascertain whether required consent has been obtained for keeping the data.
19/04/23 26
DATA PROTECTION OFFICE• Privacy policy statements are also
essential to inform users of their data protection rights but in a fruitful way. It has to be very user-friendly and visible.
• Unlawful disclosure of personal data to somebody not entitled to receive it is an offence.
19/04/23 27
DATA PROTECTION OFFICE• As a conclusion, I would say:-• When processing workers' personal
data, employers should always bear in mind FUNDAMENTAL DATA PROTECTION PRINCIPLES SUCH AS THE FOLLOWING:
• FINALITY: Data must be collected for a specified, explicit and legitimate purpose; and not further processed in a way incompatible with those purposes.
• TRANSPARENCY: As a very minimum, workers need to know which data is
19/04/23 28
DATA PROTECTION OFFICE• the employer collecting about them
(directly or from other sources), which are the purposes of processing operations envisaged or carried out with these data presently or in the future. Transparency is also assured by granting the data subject the right to access to his/her personal data.
• LEGITIMACY: The processing of workers' personal data must be legitimate.
19/04/23 29
DATA PROTECTION OFFICE• PROPORTIONALITY: The personal
data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
• Assuming that workers have been informed about the processing operation and assuming that such processing activity is legitimate andproportionate, such a processing still needs to be fair with the worker.
19/04/23 30
DATA PROTECTION OFFICE• ACCURACY AND RETENTION OF
THE DATA: Employment records must be accurate and, where necessary, kept up to date. The employer must take every reasonable step to ensure that data inaccurate or incomplete, having regard to the purposes for which they were collected or further processed, are erased or rectified.
• Law and practice:- labour law and practice does not operate in isolation from data protection law.
19/04/23 31
DATA PROTECTION OFFICE• This interaction is necessary and
valuable and should assist the development of solutions that properly protect workers’ interests, and
• SECURITY: The employer must implement appropriate technical and organisational measures at the workplace to guarantee that the personal data of his workers is keptsecured. Particular protection should be granted as regards unauthorised disclosure or access.
19/04/23 32
DATA PROTECTION OFFICE• SURVEILLANCE ANDMONITORING.
Data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, Internet access, video cameras or location data.
• Any monitoring must be a proportionate. Any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible.
19/04/23 33
DATA PROTECTION OFFICE
19/04/23 34
