Data Protection: Your Duties as a Data Controller
The Data Protection Rules
1. Fair obtaining & processing
   – Consent
2. Specified purpose
3. No disclosure
   – unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Background
Data Protection Acts, 1988 & 2003
The Acts create:
• RIGHTS for individuals
• RESPONSIBILITIES for users of personal data
Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)
Definitions (1)
• Personal Data – any data relating to a living identifiable individual
• Data – automated data or structured manual data
• Manual Data – structured by reference to individuals in a way that makes data readily accessible
Definitions (2)
• Data Controller – a person who controls the contents and use of personal data
• Data Processor – a person who processes personal data on behalf of a data controller
Definitions (3)
• Data Subject – an individual who is the subject of personal data
• Processing – anything done with personal data, from collection to disposal
Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership
Rights of Individuals
• to fairness when giving information
• to get a copy of their personal information – includes both computer and certain manual files
• to have wrong information corrected
• to opt out of marketing – includes mail & phone
• to complain to the Data Commissioner
Obtain & Process Fairly I (Rule 1)
• Data controller must give full information about
  – identity
  – purposes
  – disclosees
  – any other data necessary for “fairness”
• Third party data controllers
  – must contact data subject to provide these details
  – must give name of original data controller
Obtain & Process Fairly II (Rule 1)
One of these conditions is required:
• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’
Processing Sensitive Data (Rule 1)
One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Process the data of members/clients of non-profit orgs.
• Legal advice
• For medical purposes
• Statutory function
Fair obtaining – practical
• Do people know you process their data?
  – did you get data directly from them?
• Do they know all data types you process?
• Do they know why you process their data?
  – administering training/exams; providing newsletters…
Specified Purpose (Rule 2)
• Part of obligations when obtaining to specify purpose
• Cannot expand purpose without reverting to individual
Disclose only if compatible (Rule 3)
• General rule – no disclosure for different purpose
• Exceptions made, to balance other interests of society
• Section 8 exceptions
  – Investigation of crime
  – Collection of taxes
  – Security of the State
  – Protect life & limb
  – Law or court order
  – Legal advice and legal proceedings
• No general “public interest” test
Disclosure Policy
• The Data Controller should have a policy in place to determine how requests for data from third parties are handled.
• This policy should be consulted by appropriate staff members
Disclosure - practical
• Use of bcc rather than cc fields on e-mails might be preferable.
• Informing an employer about an employee’s training results might be a disclosure where the employee had personally arranged and paid for the course.
Keep Safe and Secure (Rule 4)
Appropriate security measures
• Appropriate to the harm that might result
• Appropriate to the nature of the data
• May have regard to cost of implementation
• May have regard to the current state of technology
• Staff must know and comply with measures
• Internal review of security measures – part of Internal Audit function?
Security – practical
• Care must also be taken regarding paper records, especially sensitive or financial data.
• Ideally data not left in a way that non-relevant staff can access files.
• Attention paid to how visitors move around an office.
Data Protection Training
• Obligation on employer to ensure staff are aware of data protection obligations.
  – Training
• Policy
  – A Code of Practice
  – Person in charge
Accurate, Complete and Up-to-Date (Rule 5)
• The longer personal data is held, the more likely it will be inaccurate and out-of-date
• Right to have errors rectified (see later)
Relevant and not Excessive (Rule 6)
• No right to ask for, or hold, information not relevant to the service etc. being provided
• Challenge: why do you need all this personal data?
Retain no longer than necessary (Rule 7)
• Legal obligations to hold data?
• Customer files
  – Do you need to hold all that data?
  – Payment records might have one retention period
  – Exam results might have longer retention period
  – Credit card details retained with consent
• Must have policy thought through
  – Defend retention as necessary for purpose.
Right of Access: Empowerment (Rule 8)
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
Scope of Access Request
• Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
• Copy of information must be provided in permanent form unless data subject agrees otherwise or this is impossible or involves disproportionate effort
What must be disclosed in an access request
• Personal data held
• purposes for processing data
• persons to whom data are disclosed
• the source of the data
  – subject to confidentiality safeguards
• logic involved in automated decisions
Access Request – Procedure
• Shall be in writing
• Data Subject shall provide sufficient information to identify oneself
• Data Controller shall comply within 40 days
• May charge a fee up to €6.35
Opinions
• Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
• References are not exempt in general
• High threshold required
• Work performance reports on colleagues are accessible
• Interview notes – accessible
Exempt from Access Requests
• Data relating to a claim of liability
• Data covered by legal privilege
• Data relating to a criminal investigation
• Certain research data
• Back-up data
Access: Exemptions (S.5)
• Right of Access does not apply if likely to prejudice:
  – Preventing, detecting or investigating offences, apprehending or prosecuting offenders
  – Security in a place of detention
• Other (international relations, privileged information etc.)
Restricted Right of Access
Right does not apply where it would impair –
• the investigation of a crime, or assessment / collection of tax
  – Subject to case-by-case “prejudice” test
• International relations of the State
• Legal professional privilege
• Medical and social work data – special rules
• Statistical or research
• Back up data
Other Access Exemptions
Financial, Anti-fraud investigators
• National Consumer Agency
• Examiners, Receivers, Liquidators, Court inspectors
• Recognised accountants, auditors
• Company law inspections
• Central Bank/Financial Regulator
Right to correct/erase/block
• Section 6 of the Act
• Data Subject makes a written request
• Personal data must be:
  – Corrected, if inaccurate; or
  – Deleted, if should not be held.
• Data Controller has 40 days to respond
• No fee
Correction or deletion
Personal data must be:
– Corrected, if inaccurate; or
– Deleted, if should not be held.
– Note difference of opinion
– Inform those who got wrong or inaccurate data
Right of erasure
• Doesn’t apply if you have a lawful purpose in retaining data
– Such as auditing or accreditation purposes
Automated decisions
• Key decisions cannot be made solely based on automated processing of personal data
  – creditworthiness
  – work performance
  – reliability
• Exceptions
  – consent; legal necessity; contractual reasons
Right to object
Section 6A(1) allows the data subject to object to the processing of data which
(a) is “likely to cause substantial damage or distress to him or her, or to another person, and
(b) the damage or distress is or would be unwarranted”
DP/FOI Access to Personal Information
• DP and FOI Acts reinforce one another in relation to personal access in the public sector
• Defending access to personal information as human (DP) and citizen (FOI) right
• 3rd Party Access restricted under both Acts
• FOI access to personal information should sometimes prevail in the public interest
Right to opt out of direct marketing
• Section 2(7) of the Act
• Data subject may opt out of direct marketing database (e.g. a mailing list)
• Data controller must delete the data subject’s details (or stop using them for direct marketing)
• Data controller must reply within 40 days
What is Direct Marketing?
• "Direct marketing is a series of marketing strategies, using various delivery techniques designed to provide the receiver (consumers and companies) with information at a distance... (using) different means of approach e.g. broadcasting, printed press, mail, telephone, on-line-services). It is used to sell products, to deliver information, public announcements, and for sales after-service, customer care services, charity and political appeals". (FEDMA)
Electronic Communications
• Right to “opt-out” of all unsolicited direct marketing calls
  – Ex-Directory customers (and most mobiles) automatically ‘opted-out’
  – If not ex-directory, contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list
  – SMS and e-mail unsolicited marketing banned
Using Sensitive Data
EXTRA conditions: S.2B (one only is needed)
1. explicit consent
2. necessary under employment law
3. non-profit body (political, philosophical, religious, trade-union) – its members / clients
4. necessary for medical purposes
(contd)
Using Sensitive Data (contd)
EXTRA conditions: (one only is needed)
5. necessary to protect vital interests
6. necessary for legal advice / legal claim
7. for electoral purposes
8. for substantial public interest
9. as prescribed by Minister
Data Processors
• Agents and sub-contractors
• There must be a written contract in place
• Data Controller must take reasonable steps to ensure compliance with security measures
Responsibilities on Data Controllers at the different stages
• Beginning – Getting the data
• Middle – While you have the data
• End – Disposing of data
Stages: Beginning (Getting the data) – Middle (While you have the data) – End (Disposing of data)
• Inform and get consent
• Justification to process
• Respond to access requests
• Specify purpose
• Only gather what is required
• Keep accurate
• Keep secure and dispose securely
• Disclose only if compatible or allowable exception
• Have a retention policy
Electronic Communications
• General DP Principles apply
• Telecom-specific:
  – ‘Cookies’ on PCs
  – Caller ID (phones)
  – Location Data (mobiles)
  – Directories
  – ‘SPAM’
  – Data Retention
  – ‘Cold Calling’ opt-out
Good Practice (1)
• Explain the basic principles to staff
• Document procedures
• Allocate responsibility for compliance and what sanctions may arise if not enforced
• Adhere to the ‘need to know’ principle
• Audit checks and reviews
Good Practice (2)
• Have a procedure for complaints handling
• Remedial steps when things go wrong
• Privacy Notice on website and at point of contact with customers?
• Build DP in early in systems and policy proposals
• DPC “free and friendly” consultancy service