Presentation on theme: "Data Protection: Your Duties as a Data Controller"— Presentation transcript:
1 Data Protection: Your Duties as a Data Controller
2 The Data Protection Rules
- Fair obtaining & processing
- Consent
- Specified purpose
- No disclosure unless "compatible"
- Safe and secure
- Accurate, up-to-date
- Relevant, not excessive
- Retention period
- Right of access
3 Background
Data Protection Acts, 1988 & 2003. The Acts create:
- RIGHTS for individuals
- RESPONSIBILITIES for users of personal data
4 Rights and Obligations
- Rights of the "data subject" (= identifiable, living individual) to control the use of their "personal data"
- Obligations on "data controllers" ("a person who controls the contents and use of personal data") and "data processors" ("a person who processes personal data on behalf of a data controller")
5 Definitions (1)
- Personal Data: any data relating to a living identifiable individual
- Data: automated data or structured manual data
- Manual Data: structured by reference to individuals in a way that makes the data readily accessible
6 Definitions (2)
- Data Controller: a person who controls the contents and use of personal data
- Data Processor: a person who processes personal data on behalf of a data controller
7 Definitions (3)
- Data Subject: an individual who is the subject of personal data
- Processing: anything done with personal data, from collection to disposal
8 Sensitive Data (special protection)
- Physical or mental health
- Racial origin
- Political opinions
- Religious or other beliefs
- Sexual life
- Criminal convictions
- Alleged commission of an offence
- Trade Union membership
9 Rights of Individuals
- to fairness when giving information
- to get a copy of their personal information – includes both computer and certain manual files
- to have wrong information corrected
- to opt out of marketing – includes mail & phone
- to complain to the Data Commissioner
10 Rule 1: Obtain & Process Fairly I
Data controller must give full information about:
- identity
- purposes
- disclosees
- any other data necessary for "fairness"
Third party data controllers:
- must contact the data subject to provide these details
- must give the name of the original data controller
11 Rule 1: Obtain & Process Fairly II
One of these conditions is required:
- Consent
- Legal obligation
- Contract with the individual
- Necessary to protect vital interests
- Necessary for a public function (Justice)
- Necessary for 'legitimate interests'
12 Rule 1: Processing Sensitive Data
One of these additional conditions is required:
- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Processing the data of members/clients of non-profit organisations
- Legal advice
- For medical purposes
- Statutory function
13 Fair obtaining – practical
- Do people know you process their data?
- Did you get the data directly from them?
- Do they know all the data types you process?
- Do they know why you process their data? (administering training/exams; providing newsletters…)
14 Rule 2: Specified Purpose
- Part of the obligations when obtaining data is to specify the purpose
- Cannot expand the purpose without reverting to the individual
15 Rule 3: Disclose only if compatible
- General rule – no disclosure for a different purpose
- Exceptions made, to balance other interests of society
Section 8 exceptions:
- Investigation of crime
- Collection of taxes
- Security of the State
- Protect life & limb
- Law or court order
- Legal advice and legal proceedings
No general "public interest" test.
16 Disclosure Policy
- The Data Controller should have a policy in place to determine how requests for data from third parties are handled.
- This policy should be consulted by appropriate staff members.
17 Disclosure – practical
- Use of bcc rather than cc fields on e-mails might be preferable.
- Informing an employer about an employee's training results might be a disclosure where the employee had personally arranged and paid for the course.
18 Rule 4: Keep Safe and Secure
Appropriate security measures:
- Appropriate to the harm that might result
- Appropriate to the nature of the data
- May have regard to the cost of implementation
- May have regard to the current state of technology
- Staff must know and comply with the measures
- Internal review of security measures – part of the Internal Audit function?
19 Security – practical
- Care must also be taken regarding paper records, especially sensitive or financial data.
- Ideally data are not left in a way that non-relevant staff can access the files.
- Attention paid to how visitors move around an office.
20 Data Protection Training
Obligation on the employer to ensure staff are aware of data protection obligations:
- Training
- Policy
- A Code of Practice
- Person in charge
21 Rule 5: Accurate, Complete and Up-to-Date
- The longer personal data is held, the more likely it will be inaccurate and out-of-date
- Right to have errors rectified (see later)
22 Rule 6: Relevant and not Excessive
- No right to ask for, or hold, information not relevant to the service etc. being provided
- Challenge: why do you need all this personal data?
23 Rule 7: Retain no longer than necessary
- Legal obligations to hold data?
- Customer files: do you need to hold all that data?
- Payment records might have one retention period
- Exam results might have a longer retention period
- Credit card details retained with consent
- Must have a policy thought through
- Defend retention as necessary for the purpose
24 Rule 8: Right of Access: Empowerment
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
25 Scope of Access Request
- Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
- A copy of the information must be provided in permanent form unless the data subject agrees otherwise or this is impossible or involves disproportionate effort.
26 What must be disclosed in an access request
- Personal data held
- Purposes for processing the data
- Persons to whom the data are disclosed
- The source of the data, subject to confidentiality safeguards
- Logic involved in automated decisions
27 Access Request – Procedure
- Shall be in writing
- Data Subject shall provide sufficient information to identify themselves
- Data Controller shall comply within 40 days
- May charge a fee up to €6.35
28 Opinions
- Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
- References are not exempt in general
- High threshold required
- Work performance reports on colleagues are accessible
- Interview notes – accessible
29 Exempt from Access Requests
- Data relating to a claim of liability
- Data covered by legal privilege
- Data relating to a criminal investigation
- Certain research data
- Back-up data
30 Access: Exemptions (S.5)
Right of Access does not apply if likely to prejudice:
- Preventing, detecting or investigating offences, apprehending or prosecuting offenders
- Security in a place of detention
- Other (international relations, privileged information etc.)
31 Restricted Right of Access
Right does not apply where it would impair:
- the investigation of a crime, or assessment / collection of tax (subject to a case-by-case "prejudice" test)
- International relations of the State
- Legal professional privilege
- Medical and social work data – special rules
- Statistical or research data
- Back-up data
32 Other Access Exemptions
- Financial, Anti-fraud investigators
- National Consumer Agency
- Examiners, Receivers, Liquidators, Court inspectors
- Recognised accountants, auditors
- Company law inspections
- Central Bank/Financial Regulator
33 Right to correct/erase/block
Section 6 of the Act:
- Data Subject makes a written request
- Personal data must be: corrected, if inaccurate; or deleted, if it should not be held
- Data Controller has 40 days to respond
- No fee
34 Correction or deletion
- Personal data must be: corrected, if inaccurate; or deleted, if it should not be held
- Note difference of opinion
- Inform those who got wrong or inaccurate data
35 Right of erasure
- Doesn't apply if you have a lawful purpose in retaining the data
- Such as auditing or accreditation purposes
36 Automated decisions
- Key decisions cannot be made solely on the basis of automated processing of personal data: creditworthiness, work performance, reliability
- Exceptions: consent; legal necessity; contractual reasons
37 Right to object
Section 6A(1) allows the data subject to object to the processing of data that:
- "is likely to cause substantial damage or distress to him or her, or to another person, and
- the damage or distress is or would be unwarranted"
38 DP/FOI Access to Personal Information
- DP and FOI Acts reinforce one another in relation to personal access in the public sector
- Defending access to personal information as a human (DP) and citizen (FOI) right
- 3rd party access restricted under both Acts
- FOI access to personal information should sometimes prevail in the public interest
39 Right to opt out of direct marketing
Section 2(7) of the Act:
- Data subject may opt out of a direct marketing database (e.g. a mailing list)
- Data controller must delete the data subject's details (or stop using them for direct marketing)
- Data controller must reply within 40 days
40 What is Direct Marketing? "Direct marketing is a series of marketing strategies, using various delivery techniques designed to provide the receiver (consumers and companies) with information at a distance... (using) different means of approach e.g. broadcasting, printed press, mail, telephone, on-line-services). It is used to sell products, to deliver information, public announcements, and for sales after-service, customer care services, charity and political appeals". (FEDMA)
41 Electronic Communications
- Right to "opt-out" of all unsolicited direct marketing calls
- Ex-Directory customers (and most mobiles) automatically 'opted-out'
- If not ex-directory, contact your phone line provider and ask to be put on the National Directory Database 'opt-out' list
- SMS and unsolicited marketing banned
42 Using Sensitive Data
EXTRA conditions: S.2B (one only is needed)
- explicit consent
- necessary under employment law
- non-profit body (political, philosophical, religious, trade-union) – its members / clients
- necessary for medical purposes
(contd)
43 Using Sensitive Data (contd)
EXTRA conditions (one only is needed):
- necessary to protect vital interests
- necessary for legal advice / legal claim
- for electoral purposes
- for substantial public interest
- as prescribed by the Minister
44 Data Processors
Agents and sub-contractors:
- There must be a written contract in place
- Data Controller must take reasonable steps to ensure compliance with security measures
45 Responsibilities on Data Controllers at the different stages
- Beginning: getting the data
- Middle: while you have the data
- End: disposing of data
46 Responsibilities at the different stages
Beginning – Getting the data:
- Inform and get consent
- Justification to process
- Specify purpose
- Only gather what is required
Middle – While you have the data:
- Keep accurate
- Have a retention policy
- Disclose only if compatible or allowable exception
- Keep secure
- Respond to access requests
End – Disposing of data:
- Dispose securely
49 Electronic Communications
General DP Principles apply. Telecom-specific:
- 'Cookies' on PCs
- Caller ID (phones)
- Location Data (mobiles)
- Directories
- 'SPAM'
- Data Retention
- 'Cold Calling' opt-out
50 Good Practice (1)
- Explain the basic principles to staff
- Document procedures
- Allocate responsibility for compliance and what sanctions may arise if not enforced
- Adhere to the 'need to know' principle
- Audit checks and reviews
51 Good Practice (2)
- Have a procedure for complaints handling
- Remedial steps when things go wrong
- Privacy Notice on website and at point of contact with customers?
- Build DP in early in systems and policy proposals
- DPC "free and friendly" consultancy service