Introduction to Data Protection - PowerPoint PPT Presentation

Provided by: maryde3

Transcript and Presenter's Notes



1
Introduction to Data Protection
  • Mary Dezille

2
In the Beginning...
  • The European directive 1995
  • Harmonise legislation regarding the processing of personal data

3
Object of the Directive
  • 1 protect the fundamental rights and freedoms
    of natural persons, and in particular their right
    to privacy with respect to the processing of
    personal data

4
The Data Protection Act 1998
  • An act to make new provision for the regulation
    of processing of information relating to
    individuals, including the obtaining, holding,
    use or disclosure of such information

5
Does the 1998 Act apply to you?
  • Do you process this personal data?
  • Is it automated data, manual records, or accessible records?
  • YES: ACT APPLIES TO YOU

6
NOTIFICATION
  • Register with the Information Commissioner

7
Personal Data
  • Relate to
  • Living
  • Identifiable
  • Individuals
  • Including opinions and future intentions

8
Durant on Personal Data
  • Does the data directly relate to the individual?
  • Not all information retrieved from a search of
    name or identifier is personal data
  • Mere mention of the data subject in a document
    does not necessarily amount to personal data

9
Durant on Personal Data (2)
  • biographical in a significant sense
  • Linked to an individual - about activities
  • Personal data had to have the putative data
    subject as its focus rather than some other
    person or some transaction or event...
  • Obviously about
  • Be something that affects his privacy, whether
    in his personal or family life, business or
    professional capacity

10
Automated Data
  • On Computer
  • Automatically processed
  • Document Image processing
  • Audio/video
  • Digitised images/CCTV

11
Accessible Records
  • Medical Records
  • Social Work Records
  • Housing Records
  • Education Records

12
The 8 Principles
13
First Principle
  • Personal data shall be processed fairly and lawfully
  • Schedule 2
  • Schedule 3

14
Schedule 2 Conditions
  • Consent
  • Contractual purposes
  • Legal obligation
  • Protect vital interests
  • Public functions - justice, public duty etc.
  • Legitimate interests

15
Schedule 3 Conditions - Sensitive Data
  • Explicit consent
  • Employment rights/obligations
  • Vital interests
  • Legitimate club use
  • In public domain
  • Public functions
  • Legal proceedings/advice
  • Medical purposes
  • Equality Monitoring

16
Fair Processing Code
  • The data controller should ensure that the data
    subject is provided with at least -
  • the identity of the data controller
    representative
  • the purpose(s) for which data are to be processed
  • any further information necessary

17
When?
  • At the point of collection
  • or as soon as is practically possible after that.

18
The Second Principle
  • Personal data shall be obtained only for
    one or more specified and lawful
    purposes, and shall not be further
    processed in any manner incompatible
    with that purpose or those purposes

19
The Third Principle
  • Personal data shall be adequate, relevant
    and not excessive.

20
The Fourth Principle
  • Personal data shall be accurate and,
    where necessary, kept up to date.

21
The Fifth Principle
  • Personal data processed for any
    purpose or purposes shall not be kept
    for longer than is necessary for that
    purpose or those purposes.

22
The Sixth Principle
  • Personal data shall be processed in
    accordance with the rights of data
    subjects under this Act

23
The Seventh Principle
  • Appropriate technical and organisational
    measures shall be taken against
    unauthorised or unlawful processing of
    personal data and against accidental loss
    or destruction of, or damage to, personal
    data.

24
Employees and Personal Data
  • 7th Principle - reasonable steps to ensure
    reliability of employees
  • Training
  • Employment contracts

25
Contracts with Data Processors
  • Made or evidenced in writing
  • Processor to act only on Controller's
    instructions
  • Mirror Controller's obligations
  • Security
  • Employees

26
The Eighth Principle
  • Personal data shall not be transferred to
    a country or territory outside the
    European Economic Area unless that
    country or territory ensures an adequate
    level of protection for the rights and
    freedoms of data subjects in relation to
    the processing of personal data.

27
Transfer Outside Europe
  • Consent of the individual
  • To fulfil a contract
  • Substantial public interest
  • Legal proceedings or advice
  • Protect vital interests of data subject
  • Public Register
  • With approval of the Commissioner

28
HOW IT AFFECTS YOU?
29
  • 1) Information Audit
  • 2) Good record keeping
  • 3) Review built in system to keep data accurate and up-to-date
  • 4) Destruction policy
  • 5) Do not use for other purposes

30
Individual Rights
  • 1. Subject Access
  • 2. Prevent Processing
  • 3. Direct Marketing
  • 4. Automated Decisions
  • 5. Compensation/Rectification
  • Court may order Compliance

31
SUBJECT ACCESS REQUESTS (SARS)
32
Subject Access - What is disclosed?
  • 1. Whether personal data is being processed
  • 2. Description of data
  • 3. Purpose of processing
  • 4. Recipients/classes of recipients
  • 5. Personal information itself
  • 6. Source of information
  • 7. Logic behind automated decision

33
Individual must provide
  • Application in Writing
  • Proof of identity
  • Fee (if requested) Max £10
  • Location information - must give some direction,
    be specific

34
Time Limit
  • Controller must respond Promptly
  • In any event within 40 days
  • Starting on the relevant day

35
Third Party Data
  • Is it really personal data - Durant
  • Consent of the individual
  • Reasonable in all the circumstances
    to comply without consent

36
Exemptions
  • S.28 - National security
  • S.29 - Crime and taxation
  • S.30 - Health, education and social work
  • S.31 - Regulatory activity
  • S.32 - Journalism, literature and art
  • S.33 - Research, history and statistics
  • S.34 - Publicly available by any enactment
  • S.35 - Required by law/proceedings
  • S.36 - Domestic purposes

37
DIFFERENCES BETWEEN DP AND FOI
  • DP | FOI
  • Everyone | Public bodies
  • Privacy | Transparency
  • Individuals | Individuals and groups
  • Personal | Structural
  • 40 days | 20 working days
  • Standard fee (£10) and ID | No Fee £450, no ID