8/9/20151 data protection office title:- how to incorporate data protection rules to safeguard...

04/19/23 1

DATA PROTECTION OFFICE

• TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST?

• PRESENTED BY THE COMMISSIONER TO THE REPRESENTATIVES OF THE SIT

• ON 25.03.11

04/19/23 2


• A share registry would obviously contain shareholders’ personal data. It is the duty of any data controller to ensure that it complies first and foremost with the principles contained in section 22 of the DPA, that is collection of data is premised upon certain principles namely:- to inform the shareholders of the identity of the controller, the collection, the purpose, the

04/19/23 3

DATA PROTECTION OFFICE• beneficiaries of the data, the right of

access of the shareholder to the data, the legal consequences for not cooperating and whether the supply of the data is voluntary or mandatory and if consent is required, to get the consent of the shareholders.

04/19/23 4

DATA PROTECTION OFFICE• There are certain exceptions where these

duties may not have to be fulfilled by the controller for ex where compliance is not reasonably practicable and others as elaborated in section 22.

• In order to obtain the data, it is important to secure his express consent, preferably in writing in compliance with section 24 and 25 of the DPA.

04/19/23 5

DATA PROTECTION OFFICE• However, if the activity falls within the

exceptions, for ex the performance of a contract between SIT and the shareholders, then the SIT may claim no consent required. But it is always safe wherever possible to include the consent of the shareholder except if a legal advisor certifies that the activity falls within the exception.

04/19/23 6

DATA PROTECTION OFFICE• In the same breadth, disclosure of the data

to others should also be done with the prior consent of the shareholder.

• Appropriate security and organisational measures in agreement with the DPO must be implemented.

04/19/23 7


• Individuals should have control over their personal data. This is the message that this office wants to convey as the guiding principle for any organisation wishing to adopt the right approach to data protection. Thus, shareholders should retain control on their personal data.

• Organisations should consider data protection in a broader context such as assessing information risks from an

04/19/23 8


• individual’s perspective, by adopting transparency and data minimisation principles, and enhanced privacy practices.

For an organisation to demonstrate its willingness to meet expectations based on legal criteria and organisational promises, it must digest all aspects of data protection and information security .

04/19/23 9


This is reflected in the essential elements of accountability of the organisation:-

Its commitment to accountability and adoption of internal policies consistent with data protection laws;

Mechanisms to put privacy policies into effect, including privacy-enhancing tools. training , and education;

04/19/23 10


Systems for internal ongoing oversight and assurance reviews and external verification;

Transparency and mechanisms for individual participation;

The means for remediation and external enforcement.

04/19/23 11


• There are virtually infinite ways by which organisations can creatively “build privacy in“ to their operations and products , to earn confidence and trust of customers, business partners and oversight bodies alike and to be leaders in the global marketplace. Innovative and adaptive tools may even be designed with the cooperation of the DPO officers.

04/19/23 12

DATA PROTECTION OFFICE• Thus, the most important consideration is

to devise and create tools responsive to the eight principles of data protection which are fair and lawful processing of personal data, the purpose for which the data were obtained should be lawful and further processing should be compatible with that purpose, the data must be adequate, relevant, accurate, up to date and not excessive.

04/19/23 13

DATA PROTECTION OFFICE• They must not be kept for an indefinite

period of time and must be destroyed as soon as is practicable.

• They must not be transferred abroad without authorisation from Commissioner.

• Appropriate security and organisational measures must be taken to protect the data from unlawful processing.

04/19/23 14

DATA PROTECTION OFFICE PETs may be categorised, according to

their main functions, as either privacy management or protection tools.

Privacy Management Tools:- They enable the user to understand the

consequences of the processing of the personal information. There are a number of tools today that cater for the enterprise or the end-user market.

04/19/23 15

DATA PROTECTION OFFICE Privacy Protection Tools:- They aim to hide the user’s identity, minimise

the personal data revealed and camouflage network connections, for example, the originating IP address is not revealed.

They may also authenticate transactions such as payments whilst making it impossible to trace a connection back to the user.

04/19/23 16


How to organise yourself to ensure the protection of data within your organisation?

• The right of access is the most important right that an individual has and you need to organise yourself for handling access requests. Dealing with access requests is not your only obligation. Staff should also be made aware of the obligations imposed by the Data Protection Act.

04/19/23 17

DATA PROTECTION OFFICETo comply you should:

– Ensure that the basic principles of data protection are explained to staff;

– Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a “living” process aligned to the way the organisation conducts its business;

– Document procedures, for example with regard to accuracy and have regular security reviews;

– Allocate responsibility for compliance and set-out what in-house sanctions may be imposed if correct procedures are not followed;

04/19/23 18


– Set out the circumstances in which personal data may be disclosed to third parties in compliance with the DPA.

• Obligations on retention and security need to be addressed

• Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions;

• Have adequate access controls, firewalls and virus protection and do not forget manual files;

04/19/23 19


• There should be retention policies for the various categories of data.

• Dealing with Subject Access Requests• The key right for the individual is the right of access.

Essentially this means that you have to supply to the individual the personal data that you hold if a valid request is made under Section 41. The time limit for complying with an access request is 28 days. In order to ensure your compliance with the time limit and your other access obligations the following organisational and procedural steps may be effected:

04/19/23 20


• Appoint a Co-ordinator or a Data Protection Officer who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator.

• All subject access matters should be submitted to the Co-ordinator.

• Check the validity of the access request. Ensure that it is in writing, that the appropriate fee is included.

04/19/23 21


• Check that sufficient material has been supplied to definitively identify the individual. This is most important as a third party may provide false material to lodge a false access request.

• Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation.

• Log the date of receipt of the valid request.

04/19/23 22


• Keep note of all steps taken to locate and collate data – if different divisions of the organisation are involved, have the steps “signed off” by the appropriate person.

• Check each item of data to establish whether any of the restrictions on or denial of access provided by section 43 will apply.

• If data relating to a third party is involved, do not disclose without the consent of the third party such data. An opinion given by a third party may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential.

04/19/23 23

DATA PROTECTION OFFICE• Monitor process of responding to the request –

observing time limit of 28 days.

• Supply the data in an intelligible form (include an explanation of terms if necessary). Also provide description of purposes, disclosees and source of data (unless revealing the source would be contrary to the public interest). Number the documents supplied. Have the response “signed-off” by an appropriate person.

• Regularly review your procedures and processes.

04/19/23 24


Every individual about whom a data controller keeps personal information on computer or in a relevant

filing system, has a number of other rights under the Act, in addition to the Right of Access.

These include the right to have any inaccurate information rectified or erased, to have personal

data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection

Commissioner.

04/19/23 25

DATA PROTECTION OFFICEAn individual making an access request must:-

Apply to the data controller in writing by filling in the request for access to data form available on the website or at the Data Protection Office ,

Give any details which might be needed to help the data controller identify him or her and locate all the information the data controller may keep about him/her.

The individual must also pay the data controller the access fee of RS 75.

04/19/23 26

DATA PROTECTION OFFICEAre there exceptions or limitations on the right of

access to personal data?

Yes, there are. Section 43 of the Data Protection Act provides that the right of access does not apply in a

number of cases.

The restrictions upon the right of access fall into five groups:

The obligation to comply with an access request does not apply where the data controller is not supplied with the information he reasonably requires in order to satisfy himself as to the identity of the person making the request and to locate the information which the person seeks;

04/19/23 27


Where compliance with the request would be in contravention of the confidentiality obligation of the data controller under the Mauritian law;

The right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence;

04/19/23 28


The right of access does not include the revelation of evidence of the commission of a criminal offence other than an offence under the Act.

Where the data controller cannot comply with the request without disclosing personal data relating to another person, he may refuse the request unless the other individual has consented to the disclosure of his personal data to the person making the request or he obtains the written approval of the Commissioner;

04/19/23 29


The right of access does not include information given in confidence to the data controller for the purposes of the education, training or employment, or prospective education, of the data subject, the appointment or prospective appointment of the data subject to any office, the provision or prospective provision by the data subject of any service, the personal data requested consist of information recorded by candidates during an academic, professional or other examination.

04/19/23 30


Basic Data Protection Checklist• Are the individuals whose data you collect

aware of your identity?

• Have you told the data subject what use you make of his/her data?

• Are the disclosures you make of that data legitimate ones?

04/19/23 31


• Do you have appropriate security measures in place?

• Do you have appropriate procedures in place to ensure that each data item is kept up-to-date?

• Do you have a defined policy on retention periods for all items of personal data?

• Do you have a data protection policy in place?

04/19/23 32


• Do you have procedures for handling access requests from individuals?

• Are you clear on whether or not you should be registered?

• Are your staff appropriately trained in data protection?

• Do you regularly review and audit the data which you hold and the manner in which they are processed?

04/19/23 33


8/9/20151 data protection office title:- how to incorporate data protection rules to safeguard...

Documents

data controller

collection of data

aspects of data protection

data protection rules

data protection office

data protection office

shareholders personal

data minimisation principles