Data Protection: Your Duties as a Data Controller



1
Data Protection: Your Duties as a Data Controller
2
The Data Protection Rules
  1. Fair obtaining and processing
     • Consent
  2. Specified purpose
  3. No disclosure unless compatible
  4. Safe and secure
  5. Accurate, up-to-date
  6. Relevant, not excessive
  7. Retention period
  8. Right of access

3
Data Protection Acts, 1988 and 2003
Background
The Acts create:
  • RIGHTS for individuals
  • RESPONSIBILITIES for users of personal data
4
Rights and Obligations
  • Rights of the data subject (an identifiable, living
    individual) to control the use of their personal
    data
  • Obligations on data controllers (a person who
    controls the contents and use of personal data)
    and data processors (a person who processes
    personal data on behalf of a data controller)

5
Definitions (1)
  • Personal Data: any data relating to a living
    identifiable individual
  • Data: automated data or structured manual data
  • Manual Data: structured by reference to individuals
    in a way that makes the data readily accessible

6
Definitions (2)
  • Data Controller: a person who controls the contents
    and use of personal data
  • Data Processor: a person who processes personal data
    on behalf of a data controller

7
Definitions (3)
  • Data Subject: an individual who is the subject of
    personal data
  • Processing: anything done with personal data, from
    collection to disposal

8
Sensitive Data (special protection)
  • Physical or mental health
  • Racial origin
  • Political opinions
  • Religious or other beliefs
  • Sexual life
  • Criminal convictions
  • Alleged commission of offence
  • Trade Union membership

9
Rights of Individuals
  • to fairness when giving information
  • to get a copy of their personal information
    (includes both computer and certain manual files)
  • to have wrong information corrected
  • to opt out of marketing (includes mail and phone)
  • to complain to the Data Commissioner

10
Obtain and Process Fairly I
Rule 1
  • Data controller must give full information about:
    • identity
    • purposes
    • disclosees
    • any other data necessary for fairness
  • Third party data controllers:
    • must contact the data subject to provide these
      details
    • must give the name of the original data controller

11
Obtain and Process Fairly II
Rule 1
  • One of these conditions is required:
    • Consent
    • Legal obligation
    • Contract with the individual
    • Necessary to protect vital interests
    • Necessary for a public function (Justice)
    • Necessary for legitimate interests

12
Processing Sensitive Data
Rule 1
  • One of these additional conditions is required:
    • Explicit consent
    • Necessary under employment law
    • To prevent injury or protect vital interests
    • Processing the data of members/clients of
      non-profit organisations
    • Legal advice
    • For medical purposes
    • Statutory function

13
Fair obtaining - practical
  • Do people know you process their data?
  • Did you get the data directly from them?
  • Do they know all the data types you process?
  • Do they know why you process their data?
    (e.g. administering training/exams, providing
    newsletters)

14
Specified Purpose
Rule 2
  • Part of obligations when obtaining to specify
    purpose
  • Cannot expand purpose without reverting to
    individual

15
Disclose only if compatible
Rule 3
  • General rule: no disclosure for a different
    purpose
  • Exceptions are made to balance other interests of
    society
  • Section 8 exceptions:
    • Investigation of crime
    • Collection of taxes
    • Security of the State
    • Protecting life and limb
    • Law or court order
    • Legal advice and legal proceedings
  • No general public interest test

16
Disclosure Policy
  • The Data Controller should have a policy in place
    to determine how requests for data from third
    parties are handled.
  • This policy should be consulted by appropriate
    staff members

17
Disclosure - practical
  • Use of the bcc rather than the cc field on e-mails
    may be preferable.
  • Informing an employer about an employee's
    training results might be a disclosure where the
    employee had personally arranged and paid for the
    course.

18
Keep Safe and Secure
Rule 4
  • Appropriate security measures:
    • Appropriate to the harm that might result
    • Appropriate to the nature of the data
    • May have regard to the cost of implementation
    • May have regard to the current state of
      technology
  • Staff must know and comply with the measures
  • Internal review of security measures: part of the
    Internal Audit function?

19
Security - practical
  • Care must also be taken regarding paper records,
    especially sensitive or financial data.
  • Ideally, data are not left where non-relevant
    staff can access the files.
  • Attention paid to how visitors move around an
    office.

20
Data Protection Training
  • Obligation on employer to ensure staff are aware
    of data protection obligations.
  • Training
  • Policy.
  • A Code of Practice.
  • Person in charge

21
Accurate, Complete and Up-to-Date
Rule 5
  • The longer personal data is held, the more likely
    it will be inaccurate and out-of-date
  • Right to have errors rectified (see later)

22
Relevant and not Excessive
Rule 6
  • No right to ask for, or hold, information not
    relevant to the service etc. being provided
  • Challenge: why do you need all this personal
    data?

23
Retain no longer than necessary
Rule 7
  • Legal obligations to hold data?
  • Customer files
  • Do you need to hold all that data?
  • Payment records might have one retention period
  • Exam results might have longer retention period
  • Credit card details retained with consent
  • Must have policy thought through
  • Defend retention as necessary for purpose.

24
Right of Access: Empowerment
Rule 8
  • The Right of Access empowers individuals by
    enabling them to supervise the processing of
    their personal data.

25
Scope of Access Request
  • Applies to all manual and electronic records in
    existence at the time of receipt of an access
    request regardless of when the record was
    created.
  • Copy of information must be provided in permanent
    form unless data subject agrees otherwise or this
    is impossible or involves disproportionate effort

26
What must be disclosed in an access request
  • Personal data held
  • purposes for processing data
  • persons to whom data are disclosed
  • the source of the data (subject to confidentiality
    safeguards)
  • logic involved in automated decisions

27
Access Request - Procedure
  • Shall be in writing
  • Data Subject shall provide sufficient information
    to identify oneself
  • Data Controller shall comply within 40 days
  • May charge a fee of up to €6.35

28
Opinions
  • Exempt from an access request only if the
    expression of an opinion was given in confidence
    or under the understanding it would be treated as
    confidential.
  • References are not exempt in general
  • High threshold required
  • Work performance reports on colleagues are
    accessible
  • Interview notes: accessible

29
Exempt from Access Requests
  • Data relating to a claim of liability
  • Data covered by legal privilege
  • Data relating to a criminal investigation
  • Certain research data
  • Back-up data

30
Access Exemptions (S.5)
  • Right of Access does not apply if likely to
    prejudice:
    • Preventing, detecting or investigating offences,
      apprehending or prosecuting offenders
    • Security in a place of detention
    • Other (international relations, privileged
      information etc.)

31
Restricted Right of Access
  • Right does not apply where it would impair:
    • the investigation of a crime, or the assessment /
      collection of tax (subject to a case-by-case
      prejudice test)
    • International relations of the State
    • Legal professional privilege
  • Medical and social work data: special rules
  • Statistical or research data
  • Back-up data

32
Other Access Exemptions
  • Financial, Anti-fraud investigators
  • National Consumer Agency
  • Examiners, Receivers, Liquidators, Court
    inspectors
  • Recognised accountants, auditors
  • Company law inspections
  • Central Bank/Financial Regulator

33
Right to correct/erase/block
  • Section 6 of the Act
  • Data Subject makes a written request
  • Personal data must be:
    • Corrected, if inaccurate, or
    • Deleted, if it should not be held
  • Data Controller has 40 days to respond
  • No fee

34
Correction or deletion
  • Personal data must be:
    • Corrected, if inaccurate, or
    • Deleted, if it should not be held
  • Note difference of opinion
  • Inform those who got wrong or inaccurate data

35
Right of erasure
  • Doesn't apply if you have a lawful purpose in
    retaining data
  • Such as auditing or accreditation purposes

36
Automated decisions
  • Key decisions cannot be made solely on the basis
    of automated processing of personal data:
    • creditworthiness
    • work performance
    • reliability
  • Exceptions:
    • consent, legal necessity, contractual reasons

37
Right to object
  • Section 6A(1) allows the data subject to object
    to the processing of data that:
    • is likely to cause substantial damage or
      distress to him or her, or to another person, and
    • the damage or distress is or would be unwarranted

38
DP/FOI Access to Personal Information
  • DP and FOI Acts reinforce one another in relation
    to personal access in the public sector
  • Defending access to personal information as
    human (DP) and citizen (FOI) right
  • 3rd Party Access restricted under both Acts
  • FOI access to personal information should
    sometimes prevail in the public interest

39
Right to opt out of direct marketing
  • Section 2(7) of the Act
  • Data subject may opt out of direct marketing
    database (e.g. a mailing list)
  • Data controller must delete the data subject's
    details (or stop using them for direct marketing)
  • Data controller must reply within 40 days

40
What is Direct Marketing?
  • "Direct marketing is a series of marketing
    strategies, using various delivery techniques
    designed to provide the receiver (consumers and
    companies) with information at a distance...
    (using) different means of approach e.g.
    broadcasting, printed press, mail, telephone,
    on-line-services). It is used to sell
    products, to deliver information, public
    announcements, and for sales after-service,
    customer care services, charity and political
    appeals". (FEDMA)

41
Electronic Communications
  • Right to opt-out of all unsolicited direct
    marketing calls
  • Ex-Directory customers (and most mobiles)
    automatically opted-out
  • If not ex-directory, contact your phone line
    provider and ask to be put on the National
    Directory Database opt-out list
  • SMS and e-mail unsolicited marketing banned

42
Using Sensitive Data
  • EXTRA conditions, S.2B (one only is needed):
    • explicit consent
    • necessary under employment law
    • non-profit body (political, philosophical,
      religious, trade-union): its members / clients
    • necessary for medical purposes (cont'd)

43
Using Sensitive Data
  • EXTRA conditions (one only is needed):
    • necessary to protect vital interests
    • necessary for legal advice / legal claim
    • for electoral purposes
    • for substantial public interest
    • as prescribed by the Minister

44
Data Processors
  • Agents and sub-contractors
  • There must be a written contract in place
  • Data Controller must take reasonable steps to
    ensure compliance with security measures

45
Responsibilities on Data Controllers at the
different stages
  • Beginning: Getting the Data
  • Middle: While you have the data
  • End: Disposing of data

46
Beginning: Getting the Data
Middle: While you have the data
End: Disposing of data
  • Inform and get consent
  • Justification to process
  • Specify purpose
  • Only gather what is required
  • Keep accurate
  • Have a retention policy
  • Disclose only if compatible or allowable
    exception
  • Respond to access requests
  • Keep secure and dispose securely

49
Electronic Communications
  • General DP Principles apply
  • Telecom-specific
  • Cookies on PCs
  • Caller ID (phones)
  • Location Data (mobiles)
  • Directories
  • SPAM
  • Data Retention
  • Cold Calling opt-out

50
Good Practice (1)
  • Explain the basic principles to staff
  • Document procedures
  • Allocate responsibility for compliance and what
    sanctions may arise if not enforced
  • Adhere to the need to know principle
  • Audit checks and reviews

51
Good Practice (2)
  • Have a procedure for complaints handling
  • Remedial steps when things go wrong
  • Privacy Notice on website and at point of contact
    with customers?
  • Build DP in early in systems and policy proposals
  • DPC: free and friendly consultancy service

52
Further Guidance
  • www.dataprotection.ie