Personal Data Misconceptions Explored

1 Personal Data Misconceptions Explored

2 Specialist Law Firm Dr Fred Logue Dr TJ McIntyre Sandra Conway

3 About Us

4 Agenda
- What is personal data?
- Access to mixed personal data
- Criminal data/Law enforcement
- Biometric data
- Joint controllership

5 What is Personal Data?
‘personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

6 Exam Scripts

7 Mr Nowak makes a request …
- 2010: asks for all personal data held by CAI
- Releases 17 documents but refuses access to exam script
- Data Protection Commissioner refuses to accept complaint since “exam scripts .. do not generally constitute personal data”
- Mr Nowak loses in Circuit Court, High Court and Court of Appeal
- Supreme Court says, hang on he has a point – refers to CJEU

8 CJEU examines concept of personal data
- For information to be treated as ‘personal data’ within the meaning of Article 2(a) of Directive 95/46, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person
- Contrary to what the Data Protection Commissioner appears to argue, it is of no relevance, in that context, whether the examiner can or cannot identify the candidate at the time when he/she is correcting and marking the examination script.
- The scope of [data protection law] is very wide and the personal data covered […] is varied
- The use of the expression ‘any information’ in the definition of the concept of ‘personal data’ […] reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.

9 Exam scripts/Examiner’s comments
As regards the latter condition [i.e. relates to], it is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person.

Exam scripts/Examiner’s comments:
- Content – reflects extent of the candidate’s knowledge
- Purpose – evaluate candidate’s knowledge and professional suitability
- Result – may determine whether he can enter the profession

Examiner’s comments:
- The finding that the comments of the examiner with respect to the answers submitted by the candidate at the examination constitute information which, by reason of its content, purpose or effect, is linked to that candidate is not called into question by the fact that those comments also constitute information relating to the examiner.
- The same information may relate to a number of individuals and may constitute for each of them, provided that those persons are identified or identifiable, personal data, within the meaning of Article 2(a) of Directive 95/46.

10 Further, the question whether written answers submitted by a candidate at a professional examination and any comments made by the examiner with respect to those answers should be classified as personal data cannot be affected, contrary to what is argued by the Data Protection Commissioner and the Irish government, by the fact that the consequence of that classification is, in principle, that the candidate has rights of access and rectification

11 Purpose of the Right of Access
“Recital 41 does indeed describe the purpose of access as being that the data subject may verify in particular the accuracy of the data and the lawfulness of the processing. By using ‘in particular’ in most language versions, however, the legislature has indicated that the purpose goes further. For even irrespective of rectification, erasure or blocking, data subjects generally have a legitimate interest in finding out what information about them is processed by the controller.”
AG Kokott Opinion in Case C-434/16 Peter Nowak v Data Protection Commissioner

12 Purpose of Right of Access- CJEU
In that context, it must be recalled that the protection of the fundamental right to respect for private life means, inter alia, that any individual may be certain that the personal data relating to him is correct and that it is processed in a lawful manner.

13 Access to “mixed” personal data
- Recall in Nowak – information may be personal data of more than one person
- There is no prohibition per se on a data subject accessing mixed personal data
- There is no presumption that this data cannot be accessed
- Right of access is subject only to requirement that access may not adversely affect the rights and freedoms of others and the restriction of rights adopted by Member States

14 B v General Medical Council [2018] EWCA Civ 1497
- Expert report in context of fitness to practice investigation in relation to treatment of a patient “P” by “Dr B.”
- P requested access to the expert report
- GMC decided to grant access despite Dr B’s objections
- Court found (Sales and Arden JJ):
  - No presumption in favour of third party data subject’s privacy rights
  - Motive or other ways of obtaining information not relevant
  - Data controller conducts a balancing exercise between competing rights and has a wide margin of discretion
- Caveat: This was under specific transposing provisions in the UK Data Protection Act 1998 that we have not adopted but the same principles should apply in this jurisdiction.
- Note there is a dissenting judgment (Irwin J)

15 Guidelines
Irish DPC: The GDPR states that the right to obtain a copy of your personal data must not adversely affect the rights and freedoms of others. This means that the right cannot be used to access the personal data of other persons, i.e. third parties.
UK ICO: So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.

16 Criminal data/Law enforcement
- GDPR places data relating to criminal convictions and offences into a separate category.
- No longer included in “special category”
- May only be processed:
  - Under the control of official authority; or
  - Where authorised by national law with appropriate safeguards
- Official authority includes processing required for:
  - the administration of justice;
  - the exercise of a regulatory, authorising or licensing function or determination of eligibility for benefits or services;
  - protection of the public against harm arising from dishonesty, malpractice, breaches of ethics or other improper conduct by, or the unfitness or incompetence of, persons who are or were authorised to carry on a profession or other activity;
  - enforcement actions aimed at preventing, detecting or investigating breaches of the law of the European Union or the law of the State that are subject to civil or administrative sanctions;
  - archiving in the public interest, scientific or historical research purposes or statistical purposes where the processing is carried out in accordance with section 42 for those purposes by or on behalf of a public authority or public body.
- National law – section 55 of the Data Protection Act 2018
  - Explicit consent
  - Necessary for the performance of a contract
  - Legal advice/claims etc
  - Prevent injury/damage
  - Permitted in regulations made under section 55
- Knowingly/recklessly breaching section 55 is a criminal offence

17 Law Enforcement Directive
- Transposed as Part 5 of the Data Protection Act 2018
- Sections 69 to 104
- Scope of application – section 70
- Don’t fall into the trap of applying Part 5 unless you are within scope of section 70
- Part 5 makes specific provisions for aspects that are directly applicable under GDPR and so are not specifically given effect under the Act
- Tempting section: Section 91 – subject access requests

18 Biometric personal data
- ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- Fingerprints, facial scans, hand print, voice, gait analysis, iris scan, automatic handwriting analysis etc.
- Includes data derived from these that can be used in the same way, e.g. templates etc
- Included in special category personal data in GDPR – old guidelines are now out of date
- Explicit consent or necessity under article 9
- Explicit consent requires genuine choice and possibility of withdrawing consent without prejudice to data subject – doesn’t work in employment context
- Doesn’t matter that original image is not stored
- Don’t believe marketing materials provided by biometric system vendors

19 Joint controllership
- Relationship not necessarily controller/processor even where a contract – e.g. solicitor/client
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
- Concept of controller is really about allocation of responsibility, the controller must be able to demonstrate compliance.
- The concept of controller ensures those responsible are motivated to comply.
- Purpose
  - Why – what is the desired outcome
  - Degree of manoeuvre
- Means
  - How – what way, what data, which data subjects, who has access
  - Technical and organisational questions

20 Controller/Joint Controller
- Functional rather than formal analysis
- Contractual clauses not determinative
- Not necessary for each controller to have full access
- Joint control = joint responsibility != equal responsibility
- Data sharing arrangement is not necessarily joint control if separate purposes
- Sharing processing means may imply joint control
- Article 28 imposes responsibilities on joint controllers to have an “arrangement” and to make the essence of the arrangement available to data subjects
- Data subjects can exercise their rights against any one joint controller
- Responsibilities/Arrangement driven by objective of protecting data subjects

21 Wirtschaftsakademie Schleswig-Holstein Case C-210/16
- Facebook fan page feature
- Administrator selects categories of individuals to target
- Facebook also uses personal data associated with fan page for advertising purposes
- CJEU found this was a joint controllership arrangement between Facebook and the fan page administrator

22 Fashion ID C-470/17
- AG Opinion (Bobek) so not binding
- Facebook “like” button embedded on a website
- Examines question of responsibility of controllers – are joint controllers jointly and severally liable?
- Each controller only responsible for stages of processing that it controls or jointly controls.
- Judgment due shortly

23 @FPLogueLaw (01)

