
Data Protection: Your Duties as a Data Controller

Presentation on theme: "Data Protection: Your Duties as a Data Controller"— Presentation transcript:

1 Data Protection: Your Duties as a Data Controller

2 The Data Protection Rules
- Fair obtaining & processing
- Consent
- Specified purpose
- No disclosure unless “compatible”
- Safe and secure
- Accurate, up-to-date
- Relevant, not excessive
- Retention period
- Right of access

3 Background
Data Protection Acts, 1988 & 2003. The Acts create:
- RIGHTS for individuals
- RESPONSIBILITIES for users of personal data

4 Rights and Obligations
- Rights of the “data subject” (= an identifiable, living individual) to control the use of their “personal data”
- Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)

5 Definitions (1)
- Personal Data: any data relating to a living, identifiable individual
- Data: automated data or structured manual data
- Manual Data: data structured by reference to individuals in a way that makes it readily accessible

6 Definitions (2)
- Data Controller: a person who controls the contents and use of personal data
- Data Processor: a person who processes personal data on behalf of a data controller

7 Definitions (3)
- Data Subject: an individual who is the subject of personal data
- Processing: anything done with personal data, from collection to disposal

8 Sensitive Data (special protection)
- Physical or mental health
- Racial origin
- Political opinions
- Religious or other beliefs
- Sexual life
- Criminal convictions
- Alleged commission of an offence
- Trade union membership

9 Rights of Individuals
- to fairness when giving information
- to get a copy of their personal information (includes both computer and certain manual files)
- to have wrong information corrected
- to opt out of marketing (includes mail & phone)
- to complain to the Data Commissioner

10 Rule 1: Obtain & Process Fairly I
Data controller must give full information about:
- identity
- purposes
- disclosees
- any other data necessary for “fairness”
Third party data controllers:
- must contact the data subject to provide these details
- must give the name of the original data controller

11 Rule 1: Obtain & Process Fairly II
One of these conditions is required:
- Consent
- Legal obligation
- Contract with the individual
- Necessary to protect vital interests
- Necessary for a public function (Justice)
- Necessary for ‘legitimate interests’

12 Rule 1: Processing Sensitive Data
One of these additional conditions is required:
- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Processing the data of members/clients of non-profit organisations
- Legal advice
- For medical purposes
- Statutory function

13 Fair obtaining - practical
- Do people know you process their data?
- Did you get the data directly from them?
- Do they know all the data types you process?
- Do they know why you process their data? (administering training/exams; providing newsletters…)

14 Rule 2: Specified Purpose
- Part of the obligations when obtaining data is to specify the purpose
- Cannot expand the purpose without reverting to the individual

15 Rule 3: Disclose only if compatible
- General rule: no disclosure for a different purpose
- Exceptions made, to balance other interests of society
Section 8 exceptions:
- Investigation of crime
- Collection of taxes
- Security of the State
- Protect life & limb
- Law or court order
- Legal advice and legal proceedings
No general “public interest” test.

16 Disclosure Policy
The Data Controller should have a policy in place to determine how requests for data from third parties are handled. This policy should be consulted by appropriate staff members.

17 Disclosure - practical
- Use of bcc rather than cc fields on e-mails might be preferable.
- Informing an employer about an employee’s training results might be a disclosure where the employee had personally arranged and paid for the course.

18 Rule 4: Keep Safe and Secure
Appropriate security measures:
- Appropriate to the harm that might result
- Appropriate to the nature of the data
- May have regard to the cost of implementation
- May have regard to the current state of technology
- Staff must know and comply with the measures
- Internal review of security measures: part of the Internal Audit function?

19 Security - practical
Care must also be taken regarding paper records, especially sensitive or financial data. Ideally, data is not left where staff with no need for it can access the files. Attention should be paid to how visitors move around an office.

20 Data Protection Training
- Obligation on the employer to ensure staff are aware of data protection obligations
- Training policy
- A Code of Practice
- Person in charge

21 Rule 5: Accurate, Complete and Up-to-Date
- The longer personal data is held, the more likely it will be inaccurate and out-of-date
- Right to have errors rectified (see later)

22 Rule 6: Relevant and not Excessive
- No right to ask for, or hold, information not relevant to the service etc. being provided
- Challenge: why do you need all this personal data?

23 Rule 7: Retain no longer than necessary
- Legal obligations to hold data?
- Customer files: do you need to hold all that data?
- Payment records might have one retention period
- Exam results might have a longer retention period
- Credit card details retained with consent
- Must have a policy thought through
- Defend retention as necessary for the purpose

24 Rule 8: Right of Access: Empowerment
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

25 Scope of Access Request
- Applies to all manual and electronic records in existence at the time of receipt of an access request, regardless of when the record was created
- A copy of the information must be provided in permanent form unless the data subject agrees otherwise, or this is impossible or involves disproportionate effort

26 What must be disclosed in an access request
- Personal data held
- Purposes for processing the data
- Persons to whom the data are disclosed
- The source of the data, subject to confidentiality safeguards
- Logic involved in automated decisions

27 Access Request - Procedure
- Shall be in writing
- Data Subject shall provide sufficient information to identify themselves
- Data Controller shall comply within 40 days
- May charge a fee of up to €6.35

28 Opinions
- Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential
- References are not exempt in general
- High threshold required
- Work performance reports on colleagues are accessible
- Interview notes are accessible

29 Exempt from Access Requests
- Data relating to a claim of liability
- Data covered by legal privilege
- Data relating to a criminal investigation
- Certain research data
- Back-up data

30 Access: Exemptions (S.5)
Right of Access does not apply if it is likely to prejudice:
- Preventing, detecting or investigating offences; apprehending or prosecuting offenders
- Security in a place of detention
- Other (international relations, privileged information etc.)

31 Restricted Right of Access
Right does not apply where it would impair:
- the investigation of a crime, or assessment / collection of tax (subject to a case-by-case “prejudice” test)
- International relations of the State
- Legal professional privilege
- Medical and social work data: special rules
- Statistical or research data
- Back-up data

32 Other Access Exemptions
- Financial, anti-fraud investigators
- National Consumer Agency
- Examiners, receivers, liquidators, court inspectors
- Recognised accountants, auditors
- Company law inspections
- Central Bank/Financial Regulator

33 Right to correct/erase/block
Section 6 of the Act:
- Data Subject makes a written request
- Personal data must be corrected, if inaccurate; or deleted, if it should not be held
- Data Controller has 40 days to respond
- No fee

34 Correction or deletion
- Personal data must be corrected, if inaccurate; or deleted, if it should not be held
- Note: difference of opinion
- Inform those who got wrong or inaccurate data

35 Right of erasure
- Doesn’t apply if you have a lawful purpose in retaining the data, such as auditing or accreditation purposes

36 Automated decisions
Key decisions cannot be made solely on the basis of automated processing of personal data:
- creditworthiness
- work performance
- reliability
Exceptions: consent; legal necessity; contractual reasons

37 Right to object
Section 6A(1) allows the data subject to object to the processing of data that “is likely to cause substantial damage or distress to him or her, or to another person, and the damage or distress is or would be unwarranted”.

38 DP/FOI Access to Personal Information
- DP and FOI Acts reinforce one another in relation to personal access in the public sector
- Defending access to personal information as a human (DP) and citizen (FOI) right
- Third-party access restricted under both Acts
- FOI access to personal information should sometimes prevail in the public interest

39 Right to opt out of direct marketing
Section 2(7) of the Act:
- Data subject may opt out of a direct marketing database (e.g. a mailing list)
- Data controller must delete the data subject’s details (or stop using them for direct marketing)
- Data controller must reply within 40 days

40 What is Direct Marketing?
"Direct marketing is a series of marketing strategies, using various delivery techniques designed to provide the receiver (consumers and companies) with information at a distance... (using) different means of approach e.g. broadcasting, printed press, mail, telephone, on-line-services). It is used to sell products, to deliver information, public announcements, and for sales after-service, customer care services, charity and political appeals". (FEDMA)

41 Electronic Communications
- Right to “opt out” of all unsolicited direct marketing calls
- Ex-directory customers (and most mobiles) are automatically ‘opted out’
- If not ex-directory, contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list
- SMS and unsolicited marketing banned

42 Using Sensitive Data: EXTRA conditions, S.2B (one only is needed)
- explicit consent
- necessary under employment law
- non-profit body (political, philosophical, religious, trade-union): its members / clients
- necessary for medical purposes
(contd)

43 Using Sensitive Data: EXTRA conditions (one only is needed)
- necessary to protect vital interests
- necessary for legal advice / legal claim
- for electoral purposes
- for substantial public interest as prescribed by the Minister

44 Data Processors: Agents and sub-contractors
- There must be a written contract in place
- Data Controller must take reasonable steps to ensure compliance with security measures

45 Responsibilities on Data Controllers at the different stages
- Beginning: getting the data
- Middle: while you have the data
- End: disposing of the data

46 Responsibilities at the different stages (Beginning: getting the data; Middle: while you have the data; End: disposing of the data)
- Inform and get consent
- Justification to process
- Specify purpose
- Only gather what is required
- Keep accurate
- Disclose only if compatible or allowable exception
- Respond to access requests
- Have a retention policy
- Keep secure and dispose securely


49 Electronic Communications
General DP principles apply. Telecom-specific:
- ‘Cookies’ on PCs
- Caller ID (phones)
- Location data (mobiles)
- Directories
- ‘SPAM’
- Data retention
- ‘Cold calling’ opt-out

50 Good Practice (1)
- Explain the basic principles to staff
- Document procedures
- Allocate responsibility for compliance and what sanctions may arise if not enforced
- Adhere to the ‘need to know’ principle
- Audit checks and reviews

51 Good Practice (2)
- Have a procedure for complaints handling
- Remedial steps when things go wrong
- Privacy Notice on website and at point of contact with customers?
- Build DP in early in systems and policy proposals
- DPC “free and friendly” consultancy service

52 Further Guidance

