Date posted: 18-Dec-2015
Layout of Presentation
• Background to Data Protection
• Role of Data Protection Commissioner
• Principles of Data Protection
• Key Responsibilities of Record Managers
• Key Information Points
Data Protection: Background
• Human right to privacy
• Unenumerated right under the Irish Constitution
• Explicit right under the European Convention on Human Rights (ECHR Act 2003)
• EU Data Protection Directives

EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc.
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003)
• Corresponding Acts:
  • Good Friday Agreement
  • Disability Act 2005
Definitions: Personal Data
“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)
Applies to any data that is processed (including hosting) using any medium by a legal entity: therefore paper, computer, network, web, phone, etc.
Definitions: Sensitive Personal Data
• Sensitive personal data (more protection): racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; health; sexual life; criminal record

Definitions
• Data Controller: a person who controls the contents and use of personal data
• Data Processor: a person who processes personal data on behalf of a data controller
Role of the Data Protection Commissioner
• Ombudsman role: resolution of disputes between data subjects and data controllers or processors
• Enforcer role: compliance by data controllers & processors
• Educational role: promotes DP rights and good practice
• Registration authority: obligation on major holders of personal data to be placed on the public register

How does the DPC fulfil this role?
• Investigations/audits: arising from complaints, or on own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report

Penalties
• Fine of up to €100,000
• Court may order deletion
• Enforcement notice prohibiting processing
• Data subject could pursue civil action for damages under section 7 of the Act
The Data Protection Rules
1. Fair obtaining & processing (consent)
2. Specified purpose
3. No disclosure unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Responsibilities on Data Controllers (record managers) at the different stages
Stages: Beginning (getting the data); Middle (while you have the data); End (disposing of data)
• Inform and get consent
• Justification to process
• Respond to access requests
• Specify purpose
• Only gather what is required
• Keep accurate
• Keep secure and dispose securely
• Disclose only if compatible or allowable exception
• Have a retention policy
Key Responsibilities: Record Management
• Keep information accurate
• Disclose only if compatible with the purpose for which given
• Keep secure
• Have a retention policy
• Dispose and retain in line with retention policy
1. Accurate
• Good business practice
• Best achieved at point of collection
• Ongoing requirement if intended to be used
• Ask the data subject if needed
2. Non-Disclosure
• General rule: no disclosure for a different purpose
• Exceptions made to balance other interests of society
• Stricter conditions for sensitive data
• Main exceptions: investigation of crime; collection of taxes; security of the State; protection of life & limb; required by law; international relations; consent

2. Non-Disclosure (cont.)
• The Data Controller should have a policy in place to determine how requests for data from third parties are handled.
• This policy should be consulted by appropriate staff members.
3. Keep Secure
• Internal access controls: physical, technical
• Tracking of activity on files, to see if use is appropriate
• Internet connectivity/networks: anti-virus software, firewalls, encryption
• Access: need to know and relevant to purpose
• Third-party interception

3. Keep Secure (cont.)
• Accidental disclosure to third parties: PC in a public area, non-secure fax
• External: robust encryption, online forms, technical measures
• Audit trails, reviews, logs, unusual events
• Manual files!
• The individual is the biggest risk: NB training
4. Retention Policy
• Legal obligations to hold data?
• Customer files: do you need to hold all that data?
• Personnel files: Revenue requirement?
• Must have a policy thought through; defend retention as necessary for the purpose.

4. Retention Policy – Public Bodies
• Overlap between the data protection rights of identifiable persons and the obligation to keep data for passing to the National Archives in 30 years
• Balance between the rights of the person and the public interest; in discussion with the National Archives and D/Education
• Option of Regulations under the DP Acts specifying the appropriate period that such records may be held

5. Follow Retention Policy
• A method appropriate to each organisation to review files
• Assign responsibility
• Reporting structure
• Delete personal data that is outside the terms of the policy
• Keep a record of deletions
Right of Access
• A fundamental right granted to individuals as a means of giving them control over how their data are processed: transparency
• Applies to all manual and electronic records in existence at the time of receipt of an access request, regardless of when the record was created

Right of Access (cont.)
• Every person has the right to access their data held by any organisation, subject to very limited exemptions outlined in Sections 4 & 5 of the Data Protection Acts
• The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce rights

Right of Correction/Erasure
• Section 6 of the Act
• Data subject makes a written request
• Personal data must be corrected, if inaccurate; or deleted, if it should not be held
• Data Controller has 40 days to respond
• No fee

Manual Data
• Manual data on file in October 2003 has been exempt from some rules until 24 October 2007: section 2 (identity of Data Controller, purposes of processing, any disclosees) and sections 2A (legitimate processing) and 2B (sensitive data); see over
• All other provisions, including the right of access and correction, apply already

Manual Data: Process Fairly
One of these conditions is required:
• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’