Data Protection and Records Management

Presentation on theme: "Data Protection and Records Management"— Presentation transcript:

1 Data Protection and Records Management

2 Layout of Presentation
- Background to Data Protection
- Role of Data Protection Commissioner
- Principles of Data Protection
- Key Responsibilities of Record Managers
- Key Information Points

3 Data Protection: Background
- Human right to privacy
- Unenumerated right under the Irish Constitution
- Explicit right under the European Convention on Human Rights (ECHR Act 2003)
- EU Data Protection Directives

4 EU & Irish Legislation
- Data Protection Directive 95/46/EC
- Electronic Privacy Directive 2002/58/EC
- EUROPOL etc.
- Data Protection Acts 1988 & 2003
- EC Electronic Privacy Regulations 2003 (SI 535/2003)
- Corresponding Acts
- Good Friday Agreement
- Disability Act 2005

5 Definitions: Personal Data
“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)
- Applies to any data that is processed (including hosting) using any medium by a legal entity
- Therefore paper, computer, network, web, phone etc.

6 Definitions: Sensitive Personal Data
Sensitive personal data (more protection): racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; health; sexual life; criminal record

7 Definitions
- Data Controller: a person who controls the contents and use of personal data
- Data Processor: a person who processes personal data on behalf of a data controller


9 Role of the Data Protection Commissioner
- Ombudsman role: resolution of disputes between data subjects and data controllers or processors
- Enforcer role: compliance by data controllers & processors
- Educational role: promotes DP rights and good practice
- Registration authority: obligation on major holders of personal data to be placed on a public register

10 How does the DPC fulfil its role?
- Investigations/audits, arising from complaints or on its own initiative
- Maintains the public register
- Codes of Practice
- Guidance booklets, website, presentations, advice, Annual Report

11 Penalties
- Fine of up to €100,000
- Court may order deletion
- Enforcement notice prohibiting processing
- Data subject could pursue civil action for damages under section 7 of the Act


13 The Data Protection Rules
- Fair obtaining & processing
- Consent
- Specified purpose
- No disclosure unless “compatible”
- Safe and secure
- Accurate, up-to-date
- Relevant, not excessive
- Retention period
- Right of access

14 Responsibilities on Data Controllers (record managers) at the different stages
- Beginning: getting the data
- Middle: while you have the data
- End: disposing of data

15 Beginning: getting the data
- Inform and get consent
- Justification to process
- Specify purpose
- Only gather what is required
Middle: while you have the data
- Keep accurate
- Have a retention policy
- Disclose only if compatible or allowable exception
- Keep secure
- Respond to access requests
End: disposing of data
- Dispose securely


19 Key Responsibilities: Record Management
- Keep information accurate
- Disclose only if compatible with the purpose for which it was given
- Keep secure
- Have a retention policy
- Dispose and retain in line with the retention policy

20 1. Accurate
- Good business practice
- Best achieved at point of collection
- Ongoing requirement if the data is intended to be used
- Ask the data subject if needed

21 2. Non-Disclosure
- General rule: no disclosure for a different purpose
- Exceptions made to balance other interests of society
- Stricter conditions for sensitive data
- Main exceptions: investigation of crime; collection of taxes; security of the State; protection of life & limb; required by law; international relations; consent

22 2. Non-Disclosure
The Data Controller should have a policy in place that determines how requests for data from third parties are handled. The appropriate staff members should consult this policy before responding to any such request.

23 3. Keep secure
- Internal access controls: physical, technical
- Tracking of activity on files, to see if access is appropriate
- Internet connectivity/networks: anti-virus software, firewalls, encryption
- Access on a need-to-know basis and relevant to purpose
- Third-party interception

24 3. Keep secure
- Accidental disclosure to third parties: PC in a public area, non-secure fax
- External: robust encryption, online forms, technical measures
- Audit trails, reviews, logs, unusual events
- Manual files!
- The individual is the biggest risk: NB training

25 4. Retention Policy
- Legal obligations to hold data?
- Customer files
- Do you need to hold all that data?
- Personnel files
- Revenue requirement?
- Must have a policy thought through
- Defend retention as necessary for purpose

26 4. Retention Policy – Public Bodies
- Overlap between the data protection rights of identifiable persons and the obligation to keep data for passing to the National Archives in 30 years
- Balance between the rights of the person and the public interest
- In discussion with the National Archives and D/Education
- Option of Regulations under the DP Acts specifying the appropriate period that such records may be held

27 5. Follow Retention Policy
- A method appropriate to each organisation to review files
- Assign responsibility
- Reporting structure
- Delete personal data that is outside the terms of the policy
- Keep a record of deletions
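The review-and-delete steps on this slide, written out as an added Python example (not part of the presentation): records are checked against a per-category retention period, records under a legal obligation are held back, categories the policy does not cover are flagged for the owner, and every deletion is recorded with who did it, when and why. The categories, retention periods and sample records are constructed assumptions, not figures from the deck.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention periods in days per record category; a real policy is
# set by the organisation against its own legal obligations and purposes.
RETENTION_DAYS = {"customer_file": 6 * 365, "personnel_file": 7 * 365, "web_enquiry": 365}

@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # a statutory or Revenue obligation overrides the policy

def review_records(records, today):
    """Classify each record against the policy as (record_id, decision, reason).
    Decision is 'retain', 'hold', 'delete' or 'review' (category not covered by
    the policy, flagged so the gap is visible rather than silently kept)."""
    decisions = []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        if limit is None:
            decisions.append((r.record_id, "review", "no retention period defined"))
        elif r.legal_hold:
            decisions.append((r.record_id, "hold", "legal obligation to retain"))
        elif today - r.created > timedelta(days=limit):
            decisions.append((r.record_id, "delete", f"older than {limit} days ({r.category})"))
        else:
            decisions.append((r.record_id, "retain", "within retention period"))
    return decisions

def apply_deletions(records, decisions, today, reviewer):
    """Remove records decided 'delete'; return (remaining records, deletion log).
    The log holds what was deleted, when, by whom and why, never the personal
    data itself, so it can be kept after the record is gone."""
    reasons = {rid: why for rid, action, why in decisions if action == "delete"}
    remaining, log = [], []
    for r in records:
        if r.record_id in reasons:
            log.append({"record_id": r.record_id, "category": r.category, "by": reviewer,
                        "deleted_on": today.isoformat(), "reason": reasons[r.record_id]})
        else:
            remaining.append(r)
    return remaining, log

# Constructed sample register and a fixed review date for a repeatable run.
REVIEW_DATE = date(2007, 10, 24)
SAMPLE = [Record("C-001", "customer_file", date(2000, 1, 15)),
          Record("C-002", "customer_file", date(2006, 3, 1)),
          Record("P-001", "personnel_file", date(1998, 6, 1), legal_hold=True),
          Record("E-001", "web_enquiry", date(2005, 9, 9)),
          Record("X-001", "board_minutes", date(1990, 1, 1))]
```

Running `review_records(SAMPLE, REVIEW_DATE)` and then `apply_deletions` gives two deletions (C-001, E-001), one hold, one retain, and one record flagged for review because its category has no retention period.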


29 Key Information Points
- Right of access
- Right of correction/erasure
- Manual data exemption

30 Right of Access
- A fundamental right granted to individuals as a means of giving them control over how their data are processed (transparency)
- Applies to all manual and electronic records in existence at the time an access request is received, regardless of when the record was created

31 Right of Access
- Every person has the right to access their data held by any organisation, subject to the very limited exemptions outlined in Sections 4 & 5 of the Data Protection Acts
- The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce it

32 Right of Correction/Erasure
- Section 6 of the Act
- Data subject makes a written request
- Personal data must be corrected, if inaccurate, or deleted, if it should not be held
- Data controller has 40 days to respond
- No fee

33 Manual Data
- Manual data on file in October 2003 has been exempt from some rules until 24 October 2007:
  - section 2 (identity of data controller, purposes of processing, any disclosees)
  - sections 2A (legitimate processing) and 2B (sensitive data), see over
- All other provisions, including the right of access and correction, apply already

34 Manual Data: Process Fairly
One of these conditions is required:
- Consent
- Legal obligation
- Contract with the individual
- Necessary to protect vital interests
- Necessary for a public function (justice)
- Necessary for ‘legitimate interests’

35 Manual Data: Process Sensitive Data Fairly
One of these additional conditions is required:
- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Processing the data of members/clients of non-profit organisations
- Legal advice
- Medical purposes
- Statutory function
