DATA PROTECTION

DATA PROTECTIONDATA PROTECTION

and Researchand Research

University Research Ethics Committee – 08.05.2006 University Research Ethics Committee – 08.05.2006

David Cauchi David Cauchi

Office of the Data Protection CommissionerOffice of the Data Protection Commissioner

DATA PROTECTION

Data Protection Act Data Protection Act

General Provisions

Processing for Research Purposes

Procedure agreed with UREC

Practical Problems

DATA PROTECTIONORIGINORIGIN

Council of Europe – ETS 108 Convention on the protection of individuals with regard to automatic processing of personal data

Data Protection Act

CAP. 440Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

DATA PROTECTION

WHAT IS DATA PROTECTION ACT?WHAT IS DATA PROTECTION ACT?

An Act that makes provision for the protection of individuals against the violation of their privacy rights by the processing of personal data.

DATA PROTECTION

Key TermsKey Terms inin

Data ProtectionData Protection

DATA PROTECTION

“…any information relating to an identified or

identifiable natural person; an identifiable person

is one who can be identified, directly or indirectly,

in particular by reference to an identification

number or to one or more factors specific to his

physical, physiological, mental, economic, cultural

or social identity;”

DPA Art. 2

PERSONAL DATAPERSONAL DATA

DATA PROTECTION

“…personal data that reveals race or ethnic

origin, political opinions, religious or

philosophical beliefs, membership of a trade

union, health, or sex life;”

DPA Art. 2

SENSITIVE PERSONAL DATASENSITIVE PERSONAL DATA

DATA PROTECTION

“…includes the collection, recording, organisation,

storage, adaptation, alteration, retrieval,

gathering, use, disclosure by transmission,

dissemination or otherwise making information

available, alignment or combination, blocking,

erasure or destruction of such data”

DPA Art. 2

PROCESSINGPROCESSING

DATA PROTECTION

“…any freely given, specific and informed

indication of the wishes of the data subject by

which he signifies his agreement to personal

data relating to him being processed”

DPA Art. 2

CONSENTCONSENT

DATA PROTECTION

Criteria for Criteria for

ProcessingProcessing

DATA PROTECTION

PERSONAL DATA

DPA Article 9

1. Unambiguous consent or2. Contract performance or 3. Legal obligation or4. Vital interests of data subject or5. Public Interest / Official Authority or6. Legitimate interest

SENSITIVE PERSONAL DATA

DPA Articles 12 & 13

1. Explicit Consent2. Subject made data public3. Conditions of employment4. Vital Interests & data subject incapable of giving consent5. Legal claims

DATA PROTECTION

Data ProtectionData Protection

PrinciplesPrinciples

DATA PROTECTION

Personal Data to be:

1. processed fairly and lawfully

2. processed in accordance with good practice

3. collected for specific, explicitly stated & legitimate purposes

4. processed for reasons compatible with the purpose it was collected

5. adequate and relevant to the processing purpose

6. not more than required for the processing purpose

7. correct and, if necessary, up to date

8. rectified

9. not kept for longer than necessary for the processing purpose

DPA Art. 7

THE NINE PRINCIPLES THE NINE PRINCIPLES for ‘good information for ‘good information handling’handling’

DATA PROTECTION

Rights of Rights of

Data SubjectsData Subjects

DATA PROTECTION

INFORMATION

The controller must provide the data subject with at least the following:

a) identity and habitual residence or principal place of business of controller;

b) purposes of processing;

c) any further information such as:i) recipients or categories of recipients of dataii) whether reply to any questions is obligatory or voluntary, and possible consequence of failure to replyiii) existence of right of access, right to rectify and where applicable right to erase data.

DPA Art. 19

RIGHTS RIGHTS OFOFDATA DATA SUBJECTS SUBJECTS ((1)1)

DATA PROTECTION

Request of Data Subject must be:

at reasonable intervals in writing signed by data subject

Data Controller to provide:

without excessive delay without expense written information in an intelligible form

DPA Art. 21

RIGHRIGHTS OFTS OFDATA SDATA SUBJECTSUBJECTS ( (22))

ACCESS

DATA PROTECTION

The Data Subject shall have the right to request and

The Data Controller shall have the obligation:

to rectify, block or erase personal data

Where the law so requires.

Data Controller also to notify third parties about such rectification, blocking or erasure;

DPA Art. 22

RIGHTRIGHTS OFS OFDATA DATA SUBJECTSUBJECTS (S (33))

RECTIFICATION

DATA PROTECTION

Processing For Processing For

Research PurposesResearch Purposes

DATA PROTECTION

THE DATA PROTECTION ACT APPLIES WHEN:

Research is about individuals

Research involves personal data

Individuals are identifiable

DATA PROTECTION IN RESEARCHDATA PROTECTION IN RESEARCH

DATA PROTECTION

Sensitive Personal Data may be processed for Research Purposes:

On Public Interest grounds

With the approval of the Commissioner, on the advice of a Research Ethics Committee

DPA Art 16

PROCESSING CONCERNING PROCESSING CONCERNING RESEARCHRESEARCH

DATA PROTECTION

Procedure agreed Procedure agreed

with URECwith UREC

DATA PROTECTION

Proposal Form for ethical approval is filled by the researcher

Research Proposals are examined by the Faculty Research Ethics Committee and by the UREC

Approval is given if proposals are satisfactory

Approval from the UREC is deemed to be an adequate advice for the approval by the Commissioner

Researcher may proceed with the project once it is approved by the UREC

RESEARCH INVOLVING SENSITIVE PERSONAL DATA

PROCEDURE (1) PROCEDURE (1)

DATA PROTECTION

A list of approved projects are periodically forwarded to the Commissioner for final approval

The UREC may always consult the Commissioner in case of problems with particular projects

PROCEDURE (2) PROCEDURE (2)

OBJECTIVE

Allow the researcher ample time to proceed with the study

The Researcher is not required to obtain an approval directly from the Commissioner

DATA PROTECTION

Data Protection Principles

Rights of Data Subjects

INCLUDES:

PROPOSAL FORMPROPOSAL FORM

OBJECTIVES:

Inform researchers and ensure that these principles and rights are respected

It is important that all faculties include the same conditions so that all students are properly informed

DATA PROTECTION

Practical Practical

ProblemsProblems

DATA PROTECTION

In cases where research is not only for academic purposes but also considers other factors (e.g. administrative matters in Hospital)

Is the UREC still responsible for the approval??

PRACTICAL PROBLEMSPRACTICAL PROBLEMS

What data is the researcher entitled to use once the project is approved?

Is the researcher allowed to use personal details accessed to contact individuals?

Does an approval oblige the Data Controller (e.g. Hospital, school) to give access to the researcher?

DATA PROTECTION

Further InformationFurther Information

Office of the Data Protection CommissionerOffice of the Data Protection Commissioner

E-Mail:E-Mail: commissioner.dataprotection@gov.mt

Website: Website: www.dataprotection.gov.mt www.dataprotection.gov.mt

DATA PROTECTION

THANK YOU!

Floor is open for discussion