Data Protection - PowerPoint PPT Presentation

About This Presentation
Title:

Data Protection

Description:

Post-World War II emphasis on human rights. Police States ... Harmonisation across EU. Free movement of data across EU. Extends DP to manual records. ...

Slides: 57
Provided by: rd994
Transcript and Presenter's Notes


1
Data Protection Law Enforcement
  • Seán Sweeney
  • Assistant Commissioner
  • Office of the Data Protection Commissioner
  • Ireland

Gibraltar January 27th 2006
2
Presentation Outline
  • Background Human Rights
  • Data Protection Principles
  • Rights of data subjects
  • Some FAQs

3
Why Data Protection?
  • Post-World War II emphasis on human rights
    Police States
  • George Orwell, 1984 (published in 1949)
  • International Agreements on Human Rights
  • Development of computer power

4
Privacy Legal development
Background
  • Universal Declaration on Human Rights (1948)
  • European Convention on Human Rights (1950)
  • Convention 108 (Council of Europe, 1981)

5
UN Universal Declaration on Human Rights, 1948
  • Article 12: "No one shall be subjected to
    arbitrary interference with his privacy, family,
    home or correspondence ... Everyone has the
    right to the protection of the law against such
    interference."

6
European Convention on Human Rights, 1950
Background
Article 8: "Everyone has the right to respect for
his private and family life, his home and his
correspondence ... There shall be no
interference by a public authority with this
right except such as is necessary in a democratic
society ..."
7
Key concept
  • Privacy is a Human Right

8
Council of Europe Convention, 1981
  • Also called Convention 108
  • Deals specifically with data protection
  • Ireland's Data Protection Act 1988 gives effect
    to this Convention

9
Directive 95/46/EC
  • Harmonisation across EU.
  • Free movement of data across EU
  • Extends DP to manual records.

10
Key concept
  • Data Protection Laws are one method of
    protecting privacy rights.

11
Essential points
  • People have a fundamental right to privacy
  • You are legally obliged to recognise this right
  • Showing that you recognise and protect that right
    makes good sense
  • Increased confidence/trust of customers
  • Better cooperation/support

12
How DP legislation works
  • By imposing obligations on those who process
    personal data
  • By providing rights to individuals regarding how
    their data are processed.

13
Limited exemptions
  • Data exempt on National Security grounds.
  • Data that is processed for personal domestic or
    recreational purposes

14
Data Protection Principles
  1. Fair obtaining (consent)
  2. Accurate
  3. Specified purpose
  4. No further processing unless compatible
  5. Relevant, not excessive
  6. Retention period
  7. Safe and secure
  8. Comply with access request

15
Obtain and Process Fairly I
1st Principle
  • Data controller must give full information about
      • identity
      • purposes
      • disclosees
      • any other data necessary for fairness
  • Third party data controllers
      • must contact data subject to provide these
        details
      • must give name of original data controller

16
Obtain and Process Fairly II
1st Principle
  • One of these conditions is required:
      • Consent
      • Legal obligation
      • Contract with individual
      • Necessary to protect vital interests
      • Necessary for a public function (Justice)
      • Necessary for legitimate interests

17
Processing Sensitive Data (1)
1st Principle
  • One of these additional conditions is required:
      • Explicit consent
      • Necessary under employment law
      • To prevent injury or protect vital interests
      • Legal advice
      • For medical purposes
      • Statutory function

18
What are sensitive data?
  • Physical or mental health
  • Racial origin
  • Political opinions
  • Religious or other beliefs
  • Sexual life
  • Criminal convictions
  • Alleged commission of offence
  • Trade Union membership

19
Fair Obtaining - practical
  • Transparency is the key issue
  • Generally, a person should know
      • who is processing his/her data
      • and for what purpose

20
Fair Obtaining - practical
  • Exemption means police may covertly collect data
  • Police may process data without consent if
    necessary for the investigation and detection of
    offences

21
Accurate, Complete, up to date
2nd Principle
  • Often a reactive rather than proactive task

22
Accurate - practical
  • If a person gives false identity details when
    questioned, police must correct the details when
    they become aware of the true identity.

23
Accurate case study
  • Terrorist suspect has minor conviction
  • Appeals outcome, change of penalty
  • Police record incorrectly identifies Court
    location and penalty imposed
  • Subject Access Request makes complaint
  • Police obliged to correct record and review
    recording procedures

24
Specified Purpose
3rd Principle
  • Part of obligations when obtaining to specify
    purpose
  • Cannot expand purpose without reverting to
    individual

25
Purpose - practical
  • Police purpose is defined in law and cannot be
    expanded with new role assigned to police by
    Government

26
Purpose case study
  • Victim Support body collects data from victims to
    offer support
  • Police hold data for law enforcement purpose
  • Police want to use data to assist Victim Support
    in referrals
  • This is a new purpose and requires consent of
    victims

27
Disclosing personal data
4th Principle
  • Further processing not generally permitted
    (compatibility test)
  • Section 19 lifts the restrictions on
    disclosure:
      • crime, tax, State security
      • required urgently to protect life and limb
      • required by law or court order
      • with consent of, or on behalf of, data subject

28
Disclosure Policy
  • The Data Controller should have a policy in place
    to determine how requests for data from third
    parties are handled.
  • This policy should be consulted by appropriate
    staff members

29
Disclosure - practical
  • Any DC can give data to police where necessary to
    investigate crime
  • DC must be satisfied that it is a genuine
    investigation; may contact superior officer
  • Specific procedures should be in place for access
    to data such as telephone records

30
Relevant and not excessive
5th Principle
  • Police forces require information in order to
    operate
  • Accept it is difficult to judge relevance
  • DPAs reluctant to second guess police forces

31
Relevant case study
5th Principle
  • Female teacher involved in public order offences
    when drunk
  • Friendly with police officers
  • Computer record contains racy comments about her
  • She is aware of nature of record
  • Information not relevant is deleted

32
Retention of data
6th Principle
  • Legal obligations to hold data?
  • Can older reports be anonymised where no action
    was taken?
  • Provision for spent convictions may result in
    files being culled over time

33
Security Procedures
7th Principle
  • Security measures must be appropriate:
      • appropriate to the harm that might result
      • appropriate to the nature of the data
      • may have regard to cost of implementation
      • may have regard to the current state of
        technology
  • Staff must know and comply with measures
  • Internal review of security measures: part of
    the Internal Audit function?

34
Data Protection Training.
  • Obligation on employer to ensure staff are aware
    of data protection security obligations
    (especially access).
  • Training can be satisfied by a simple circular in
    some cases, by a formal course in others

35
Data Processors
  • Agents and sub-contractors
  • There must be a written contract in place
  • Data Controller must take reasonable steps to
    ensure compliance with security measures

36
Security - practical
  • Security standard should be reviewed
      • if the types of data being processed are
        changed
      • if the organisation's resources increase
      • at least on an annual basis to see if new
        measures may be employed
      • State sector can't plead poverty; must be at
        the leading edge

37
Security - practical
  • Access to data should be on a need to know basis
  • Access controls should be known about, enforced
    and reviewed

38
Security case study
  • Police officer checks vehicle file on behalf of
    friend
  • Friend wants to know identity of ex-partner's new
    boyfriend
  • Improper access identified from examination of
    access log
  • New audit policy to identify misuse
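
The case study above turns on two things: an access log that records who looked at which record, and a routine review of that log against a stated business need. The following script is an added illustration, not material from the presentation or the Data Protection Commissioner's office. It runs over a constructed access log in which every lookup is supposed to carry a case reference, and flags lookups that either have no case reference or cite a case the officer is not assigned to. Officer identifiers, case references and the assignment table are all invented for the example.

```python
"""Review a constructed record-access log for lookups with no recorded justification.

Added example: the log format, officer ids, case references and assignment table
below are invented for illustration and do not come from any real system.
"""
import csv
from io import StringIO

# Constructed sample access log. Each line is one lookup of a police record.
# An empty case_ref means the officer recorded no reason for the lookup.
SAMPLE_LOG = """timestamp,officer_id,record_type,record_id,case_ref
2006-01-10T09:12:00,O-1042,vehicle,REG-7731,CASE-2006-0117
2006-01-10T09:15:00,O-1042,person,P-10442,CASE-2006-0119
2006-01-10T22:41:00,O-2210,vehicle,REG-5512,
2006-01-11T10:03:00,O-2210,person,P-88031,
2006-01-11T10:05:00,O-2210,vehicle,REG-7731,CASE-2006-0117
2006-01-11T11:30:00,O-2210,vehicle,REG-9090,CASE-2006-0200
"""

# Constructed assignment table: which cases each officer is currently working.
# In a real force this would come from the case-management system.
ASSIGNMENTS = {
    "O-1042": {"CASE-2006-0117", "CASE-2006-0119"},
    "O-2210": {"CASE-2006-0200"},
}


def parse_log(text):
    """Parse the CSV access log into a list of dicts, one per lookup."""
    return list(csv.DictReader(StringIO(text)))


def flag_lookups(entries, assignments):
    """Return (entry, reason) pairs for lookups lacking a lawful-basis trail.

    A lookup is flagged when no case reference was recorded, or when the
    case cited is not one the officer is assigned to. Both are the kind of
    anomaly the case study's audit policy is meant to surface; a flag is a
    prompt for human review, not proof of misuse.
    """
    flagged = []
    for entry in entries:
        case = entry["case_ref"].strip()
        if not case:
            flagged.append((entry, "no case reference recorded"))
        elif case not in assignments.get(entry["officer_id"], set()):
            flagged.append((entry, "case not assigned to this officer"))
    return flagged


def flagged_by_officer(flagged):
    """Count flagged lookups per officer, to prioritise which trails to review."""
    counts = {}
    for entry, _reason in flagged:
        counts[entry["officer_id"]] = counts.get(entry["officer_id"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_lookups(parse_log(SAMPLE_LOG), ASSIGNMENTS)
    for entry, reason in hits:
        print(f"{entry['timestamp']} {entry['officer_id']} "
              f"{entry['record_type']}:{entry['record_id']} -> {reason}")
    print("per officer:", flagged_by_officer(hits))
```

The design point is that the log alone does not establish whether an access was proper; it becomes useful only when paired with a record of the reason for access, which is why the case study's remedy was a policy change rather than just more logging.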

39
Rights of Individuals
8th Principle
  • To have data processed in accordance with
    principles
  • To get a copy of personal information
  • To correct information if it is wrong
  • To opt out of direct marketing
  • To complain to the Data Protection Commissioner

40
Access Requests
  • Section 14 exceptions section 19.
  • Availability of material subject to receipt of an
    Access Request
  • May question
      • relevance
      • excessive nature
      • retention, etc.

41
Scope of Access Request
  • Applies to all manual and electronic records in
    existence at the time of receipt of an access
    request regardless of when the record was
    created.

42
Opinion given in confidence
  • Exempt from an access request if the expression
    of an opinion was given in confidence or under
    the understanding it would be treated as
    confidential.
  • This is useful when giving references

43
Exempt from Access Requests
  • Data relating to a criminal investigation
  • If release would prejudice investigation
  • Exemption does not apply once investigation
    complete (unless would influence another
    investigation)

44
Access Requests - Practical
  • Staff should be able to identify a subject access
    request when one is received
  • Necessary because of deadline
  • Ideally, have an identified point of contact
    within force to handle requests

45
Structured files
  • Must be able to search files
  • By name of data subject?
  • By other reasonable identifier?
  • By date/file reference supplied by data subject
  • Electronic records easier to search than manual
    records

46
Enforced subject access
  • An employer cannot ask an employee to use his/her
    access right to obtain data in order to
    gain/retain employment
  • Police records cannot be accessed unless by law
    (vetting of child care workers)
  • Provision not yet in place in Ireland so police
    end up dealing with 10,000 SAR per annum

47
Empowerment
  • The Right of Access empowers individuals by
    enabling them to supervise the processing of
    their personal data.

48
Right to correct/erase
  • Personal data must be
      • corrected, if inaccurate, or
      • deleted, if it should not be held (very rare).
  • Should not be a significant issue if organisation
    well run
  • May get DS complaining about data being held

49
Public Register
  • Describe data handling practices:
      • purpose
      • type of data
      • disclosures
      • transfers abroad
  • Public transparency and openness
  • Will involve careful thought initially, but
    little ongoing resources

50
Why Register?
  • Is a legal obligation
  • But also a very useful way for Data Protection
    Commissioner to interact with Data Controllers
  • Helps Data Controllers focus on Data Protection
    at time of registration

51
Frequently Asked Questions
52
How must an Access Request be handled?
  • Quickly, within 21 days
  • Ensure you are dealing with the correct DS
      • identity documents
  • Can ask DS to restrict search
      • e.g. criminal record; firearm licence
  • Can ask DS if he/she would be satisfied with
    viewing the file (esp. CCTV)

53
What about covert surveillance?
  • Not generally permitted
  • However, if investigating serious matter,
    limited, focused short term covert monitoring may
    be allowed
  • Exceptional circumstances only

54
Can I get a copy of my personnel file?
  • You have a right to a copy of any record relating
    to you including personnel files, assessments,
    evaluations and interview notes.
  • Opinions given in confidence may be withheld.

55
Can I respond to a request for data from abroad?
  • Difficult to justify in absence of Mutual
    Assistance Treaty or other legal instrument
  • May use compatibility test when cooperating with
    other police forces
  • Controlled exchange via Europol or Schengen
    Information Systems

56
Thank you for listening