1. Data Protection & Law Enforcement Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 27 th 2006

2. Presentation Outline  Background – Human Rights  Data Protection Principles  Rights of data subjects  Some FAQs

3. Why Data Protection? Post-Word War II emphasis on human rights – Police States George Orwell, “1984” (published in 1949) International Agreements on Human Rights Development of computer power

4. Privacy: Legal development Universal Declaration on Human Rights (1948) European Convention on Human Rights (1950) Convention 108 (Council of Europe, 1981) Background

5. UN Universal Declaration on Human Rights, 1948 Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence... Everyone has the right to the protection of the law against such interference ….

6. European Convention on Human Rights, 1950 Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society Background

7. Key concept Privacy is a Human Right

8. Council of Europe Convention, 1981 Also called “Convention 108” Deals specifically with data protection Ireland’s Data Protection Act 1988 gives effect to this Convention

9. Directive 95/46/EC Harmonisation across EU. –Free movement of data across EU Extends DP to manual records.

10. Key concept Data Protection Laws are one method of protecting privacy rights.

11. Essential points People have a fundamental right to privacy –You are legally obliged to recognise this right Showing that you recognise and protect that right makes good sense –Increased confidence/trust of customers –Better cooperation/support

12. How DP legislation work By imposing obligations on those who process personal data; By providing rights to individuals regarding how their data are processed.

13. Limited exemptions: Data exempt on National Security grounds. Data that is processed for personal domestic or recreational purposes

14. Data Protection Principles. 1. Fair obtaining  consent 2. Accurate 3. Specified purpose 4. No further processing  Unless compatible 5.Relevant, not excessive 6.Retention period 7.Safe & secure 8.Comply with access request

15. Obtain & Process Fairly I Data controller must give full information about –identity –purposes –disclosees –any other data necessary for “fairness” Third party data controllers –must contact data subject to provide these details –must give name of original data controller 1 st Principle

16. Obtain & Process Fairly II One of these conditions required:  Consent  Legal obligation  Contract with individual  Necessary to protect vital interests  Necessary for a public function (Justice)  necessary for ‘legitimate interests’ 1 st Principle

17. Processing Sensitive Data (1) One of these additional conditions is required  Explicit consent  Necessary under employment law  To prevent injury or protect vital interests  Legal advice  For Medical Purposes  Statutory function 1 st Principle

18. What are sensitive data?  Physical or mental health  Racial origin  Political opinions  Religious or other beliefs  Sexual life  Criminal convictions  Alleged commission of offence  Trade Union membership

19. Fair Obtaining - practical Transparency is the key issue Generally, a person should know –who is processing his/her data –and for what purpose

20. Fair Obtaining - practical Exemption means police may covertly collect data Police may process data without consent if necessary for the investigation & detection of offences

21. Accurate, Complete, up to date Often a reactive rather than proactive task 2 nd Principle

22. Accurate - practical If a person gives false identity details when questioned, police must correct details when become aware of true identity.

23. Accurate – case study Terrorist suspect has minor conviction Appeals outcome, change of penalty Police record incorrectly identifies Court location and penalty imposed Subject Access Request & makes complaint Police obliged to correct record and review recording procedures

24. Specified Purpose Part of obligations when obtaining to specify purpose Cannot expand purpose without reverting to individual 3 rd Principle

25. Purpose - practical Police purpose is defined in law and cannot be expanded with new role assigned to police by Government

26. Purpose – case study Victim Support body collects data from victims to offer support Police hold data for law enforcement purpose Police want to use data to assist Victim Support in referrals This is a new purpose and requires consent of victims

27. Disclosing personal data Further processing not generally permitted – compatibility test section 19 – lifts the restrictions on disclosure: –crime; tax; State security; –required urgently to protect life and limb –required by law or court order –with consent of, or on behalf of, data subject 4 th Principle

28. Disclosure Policy The Data Controller should have a policy in place to determine how requests for data from third parties are handled. This policy should be consulted by appropriate staff members

29. Disclosure - practical Any DC can give data to police where necessary to investigate crime DC must be satisfied that is genuine investigation – may contact superior officer Specific procedures should be in place for access to data such as telephone records

30. Relevant and not excessive Police forces require information in order to operate Accept it is difficult to judge relevance DPAs reluctant to second guess police forces 5 th Principle

31. Relevant – case study Female teacher involved in public order offences when drunk “Friendly” with police officers Computer record contains racy comments about her She is aware of nature of record Information not relevant & is deleted 5 th Principle

32. Retention of data Legal obligations to hold data? Can older reports be anonymised where no action was taken? Provision for spent convictions may result in files being culled over time 6 th Principle

33. Security Procedures Security measures  Appropriate security measures Appropriate to the harm that might result.. Appropriate to the nature of the data  May have regard to cost of implementation  May have regard to the current state of technology  Staff must know and comply with measures  Internal review of security measures-part of Internal Audit function ? 7 th Principle

34. Data Protection Training. Obligation on employer to ensure staff are aware of data protection security obligations (especially access). –Training –Can be satisfied by a simple circular in some cases, by a formal course in others

35. Data Processors Agents and sub-contractors There must be a written contract in place Data Controller must take reasonable steps to ensure compliance with security measures

36. Security - practical Security standard should be reviewed - if the types of data being processed are changed; - if the organisation’s resources increase; - at least on an annual basis to see if new measures may be employed - state sector can’t plead poverty – must be at leading edge

37. Security - practical Access to data should be on a need to know basis Access controls should be known about, enforced and reviewed

38. Security – case study Police officer checks vehicle file on behalf of friend Friend wants to know identity of ex- partner’s new boyfriend Improper access identified from examination of access log New audit policy to identify misuse

39. Rights of Individuals o To have data processed in accordance with principles o To get a copy of personal information o To correct information if it is wrong o To opt out of direct marketing o To complain to the Data Protection Commissioner 8 th Principle

40. Access Requests Section 14 –exceptions section 19. Availability of material subject to receipt of an Access Request May question: –Relevance –Excessive nature –Retention, etc

41. Scope of Access Request Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

42. Opinion given in confidence Exempt from an access request if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. This is useful when giving references

43. Exempt from Access Requests  Data relating to a criminal investigation  If release would prejudice investigation  Exemption does not apply once investigation complete (unless would influence another investigation)

44. Access Requests - Practical  Staff should be able to identify a subject access request when one is received  Necessary because of deadline  Ideally, have an identified point of contact within force to handle requests

45. Structured files  Must be able to search files  By name of data subject?  By other reasonable identifier?  By date/file reference supplied by data subject  Electronic records easier to search than manual records

46. Enforced subject access  An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment  Police records cannot be accessed unless by law (vetting of child care workers)  Provision not yet in place in Ireland so police end up dealing with ~10,000 SAR per annum

47. Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

48. Right to correct/erase Personal data must be: –Corrected, if inaccurate; or –Deleted, if should not be held (very rare). Should not be a significant issue if organisation well run –May get DS complaining about data being held

49. Public Register Describe Data handling practices –PurposeTransfers abroad –Type of data Disclosures Public: transparency and openness Will involve careful thought initially, but little ongoing resources

50. Why Register?  Is a legal obligation  But also a very useful way for Data Protection Commissioner to interact with Data Controllers  Helps Data Controllers focus on Data Protection at time of registration

51. Frequently Asked Questions

52. How must an Access Request be handled? Quickly, within 21 days Ensure you are dealing with correct DS – Identity documents Can ask DS to restrict search – Criminal record; firearm license. Can ask DS if he/she would be satisfied with viewing file (esp. CCTV)

53. What about covert surveillance? Not generally permitted However, if investigating serious matter, limited, focused short term covert monitoring may be allowed Exceptional circumstances only

54. Can I get a copy of my personnel file? You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes. Opinions given in confidence may be withheld.

55. Can I respond to a request for data from abroad? Difficult to justify in absence of Mutual Assistance Treaty or other legal instrument May use compatibility test when cooperating with other police forces Controllee exchange via Europol or Schengen Information Systems

56. Thank you for listening