Presentation on theme: "International Telecommunication Union HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, TRAINING /DATA PROTECTION LAW."— Presentation transcript:
International Telecommunication Union HIPSSA Project Support for Harmonization of the ICT Policies in Sub-Sahara Africa, TRAINING /DATA PROTECTION LAW Case Studies on Data Protection Violations Zambia, August 2013 Gertrude Mukuwa National Expert on Data Protection
Summary of the Content International case studies on data protection law violations Reveals the approach of the Data Protection Commissioner/ Authority Reveals how the Data Protection Act and the principles are interpreted
Allianz requesting excessive personal information at quotation stage (Ireland) The insurance agent asked the potential provide her date of birth and her mother's maiden name for a quote for pet insurance. The data protection law in Ireland provide that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed Following intervention, Allianz confirmed its intention to cease using its ID verification screen and request for mothers maiden name at quotation stage.
Unlawful use of CCTV to remotely monitor an employee (Ireland) Complaint to Commissioner - personal privacy was affected in workplace - inappropriate use of CCTV. Phone calls from the employer allegedly described to him what he had been doing at a particular time. Employee said that the CCTV system was installed without prior staff notification as to the reason for its installation or its purpose. Commissioner noted rule that CCTV be proportionate response to risk taking into account of the legitimate privacy and other interests of workers. Furthermore requirement of meeting transparency staff must be informed – Employer ordered to cease use of CCTV.
Credit card transaction – use of details from previous transaction without consent (Ireland) A customer of a car rental company alleged that the company had used his credit card data – obtained in a previous transaction – to process a disputed charge without his consent, and in spite of his objections to the charge The specific data protection issue in this case was whether the rental firm obtained and processed the complainant's credit card details fairly, with the appropriate level of consent from the individual. Commissioner “credit card data obtained for a particular transaction cannot be used subsequently for other transactions without express consent, without violating the ‘fair obtaining’ rule. The principle of transparency and fairness, which are key tenets of data protection law and practice, apply in this area just as in any other”
Bank of Scotland – appropriate and effective security measures (UK) 5 August 2013 A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details. 75 000 pounds monetary penalty http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/ban k-of-scotland-monetary-penalty-notice.pdf
NHS Surrey - appropriate and effective security measures (UK) 12 July 2013 A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health. A member of the public informed the data controller that he had purchased a PC with confidential medical information from a third party company (the “third party company”) via an online auction site. Files contained confidential sensitive personal data and HR records including patient records relating to approximately 900 adults and 2000 children 200 000 pounds monetary penalty http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/nhs- surrey-monetary-penalty-notice.pdf
Glasgow City Council - appropriate and effective security measures – encryption of laptops (UK) 7 June 2013 A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people. 150 000 pounds penalty http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/Gla sgow-city-council-monetary-penalty-notice.ashx
Concluding Thoughts Case studies reveal the approach of the Data Protection Commissioner/ Authority Reveals how the Data Protection Act and the principles are interpreted Private and public sector, as data controllers, must assess their practices against the requirements of the Act A transition period must be applied in the Bill for organisations to conform their practices Ultimately, it is important that an Authority is established to enforce the Bill and realise data protection safeguards in Zambia
Thank You Questions? Gertrude M. Imbwae National Legal Expert on Data Protection