Managing Data Protection

Slides:



Advertisements
Similar presentations
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Advertisements

MAKING SENSE OF IT:- WHAT IS DATA PROTECTION? Presented by the Data Protection Commissioner (Mrs D. Madhub) To the Truth and Justice Commission on
BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date:
The Data Protection (Jersey) Law 2005.
Data Protection.
Data Protection and the GRA. 1. Commentary on Data Protection 2. The GRA’s Role The Register Investigations, Mediation and Compensation Enforcement Notices.
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management
Training at Ministry of Industry, Commerce and Consumer Protection Presented By: Mrs Dodah Pravina Mr Dookee Padaruth Date : 11 September 2014 Explaining.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
4 TH FLOOR, E MMANUEL A NQUETIL B UILDING, P ORT L OUIS TEL: FAX: mail.gov.mu 8/12/
Audiences NI Data Protection Workshop
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview
The Data Protection Act
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
Data Protection for Church of Scotland Congregations
DATA PROTECTION OFFICE
Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection Act AS Module Heathcote Ch. 12.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual,
The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
12/12/2015 Data Protection Act /12/2015 The DP Act A law that protects personal privacy and upholds individual’s rights Anyone who handles personal.
Introduction Data protection is relevant to every individual, business or organisation today, not just Local Government. As well as protecting privacy,
Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
Computer Laws Data Protection Act 1998 Computer Misuse Act 1990.
DATA PROTECTION ACT (DPA). WHAT IS THE DATA PROTECTION ACT?  The Data Protection Act The Data Protection Act (DPA) gives individuals the right.
DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
GCSE ICT Data and you: The Data Protection Act. Loyalty cards Many companies use loyalty cards to encourage consumers to use their shops and services.
Data protection—training materials [Name and details of speaker]
Privacy and Personal Information. WHAT YOU WILL LEARN: What personal information is. General guidelines for the collection of personal information. Your.
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Understanding Privacy An Overview of our Responsibilities.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
Data protection act. During the second half of the 20th century, businesses, organisations and the government began using computers to store information.
D ATA P ROTECTION A T T HE W ORKPLACE Presented by: 1)Mrs Pravina Dodah (Data Protection Officer/ Senior Data Protection Officer) 2)Mrs Rushda Goburdhun.
Understanding Privacy An Overview of our Responsibilities.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
The Data Protection Act 1998
Data Protection GCSE ICT Mrs N Steventon-2005.
Data Protection At The Workplace
Data Protection and Confidentiality
Issues of personal data protection in scientific research
FUNCTIONS OF THE Data Protection OFFICE
Data Protection in AN organisation
Data Protection The Current Regime
General Data Protection Regulation
The Data Protection Act 1998
Threats and Challenges to Data Protection and Privacy :-
Data Protection Legislation
Data Protection & Freedom of Information- An Introduction
GENERAL DATA PROTECTION REGULATION (GDPR)
The General Data Protection Regulation (GDPR)
New Data Protection Legislation
G.D.P.R General Data Protection Regulations
General Data Protection Regulation
Data Protection principles
Relocation CARNIVAL come one…come all
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
GDPR Workshop MEU Symposium Prague 2018
General Data Protection Regulations 2018
Dr Elizabeth Lomas The General Data Protection Regulation (GDPR): Changing the data protection landscape Dr Elizabeth Lomas
DATA PROTECTION OFFICE{PMO}
Presentation transcript:

Managing Data Protection By Mrs Pravina Dodah (Data Protection Officer/Senior Data Protection Officer) Mrs Rushda Goburdhun(Data Protection Officer/ Senior Data Protection Officer) 5th April 2017

DATA PROTECTION OFFICE (DPO) The DPO, under the aegis of the Ministry of Technology, Communication and Innovation enforces the Data Protection Act. Mission of DPO Safeguard the privacy rights of all individuals with regard to the processing of their personal data.

DATA PROTECTION ACT (DPA) 2004 AN ACT To provide for the protection of the privacy rights of individuals in view of the developments in the techniques used to capture, transmit, manipulate, record or store data relating to individuals.

THE MAIN ELEMENTS OF THE ACT The Data Protection Act contains 8 parts namely: Preliminary – Definitions etc Data Protection Office Powers of Commissioner Obligation on Data Controllers The Data Protection Register Rights of Data Subjects Exemptions Miscellaneous

DEFINITIONS Personal Data means – data which relate to an individual who can be identified from those data; data or other information, including an opinion forming part of a database, whether or not recorded in a material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion;

EXAMPLES OF PERSONAL DATA Employee Non – Employee Name Surname Residential Address Telephone Number ID Card Bank Account Number Clients  Name, Address, Contact Details, ID Card Suppliers  Address, Email, Phone Contractors Phone, Email, Contact Person

DEFINITIONS (cont.) Sensitive Personal Data: Sensitive Personal Data Racial / Ethnic Origin Political Opinion / Adherence Religious / Similar Belief Membership to Trade Union Physical / Mental Health Sexual Preferences / Practices Criminal Convictions

DEFINITIONS (cont.) Processing means any operation or set of operations which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes – collecting, organising or altering the data; retrieving, consulting, using, storing or adapting the data; disclosing the data by transmitting, disseminating or otherwise making it available; or aligning, combining, blocking, erasing or destroying the data;

DEFINITIONS (cont.) Data Controller means a person who, either alone or jointly with any other person, makes a decision with regard to the purposes for which and in the manner in which any personal data are, or are to be, processed. e.g. Mammouth Trading CO Ltd is a data controller since it processes employee and non employee data.

FUNCTIONS OF THE DPO Registration of data controllers in Mauritius II Investigation of complaints III Conduct periodical compliance audits IV Sensitisation V Exercise control on all data protection issues VI Research on data processing and computer technology

8 DATA PROTECTION PRINCIPLES Principle 1: Fairness Personal data must be collected and used fairly and lawfully. Principle 2: Transparency Personal data must be obtained only for any specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose. Principle 3: Quantity Personal data must be adequate, relevant, and not excessive in relation to the purpose for which they are processed. Principle 4: Accuracy Personal data must be accurate and, where necessary, up to date.

8 DATA PROTECTION PRINCIPLES Principle 5: Time limit Personal data must not be kept for longer than necessary. Principle 6: Individuals’ rights Personal data shall be processed in accordance with the rights of data subjects. Principle 7: Security Appropriate security measures must be implemented to prevent personal data being accidentally or deliberately compromised. Principle 8: International transfers Personal data shall not be transferred to another country unless that country ensures an adequate level of protection for the rights of data subjects in relation to processing of personal data.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Identify a data protection lead It is good practice to identify a person or department responsible for developing, implementing and monitoring the data protection policy.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Awareness of security measures Section 27(2) of DPA An organisation must take all reasonable steps to ensure that any person employed by him is aware of and complies with the relevant security measures.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Registration/Renewal as Data Controller Section 33(2) & Section (34) - A data controller must register with the Data Protection Office for all personal data being processed. Section 38 - Registration should be renewed annually.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Data Quality and Accuracy An organisation should regularly review information to identify when to correct inaccurate records and remove irrelevant ones.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Privacy notices To ensure that the processing of data is fair, it is a good practice to include privacy notices on an organisation’s website and any other forms that is used to collect data. These notices should clearly explain the reasons for using the data, including any disclosures. Example: All details provided on this form will remain strictly confidential and will be kept and processed only for [purpose/s] as specified by the company and in accordance with Data Protection Act 2004. Your information may be shared with [list of parties] for the following purposes [list of purposes].

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Privacy notices It is good to mention here that in case an organisation wants to use personal data in a manner different to its privacy notice, then prior consent to use or disclose personal data is required from the data subject unless the exceptions listed under section 24(2) of the DPA applies where an organisation can proceed without prior consent.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Exceptions from Consent Section 24(2) of DPA (2)     ……. personal data may be processed without obtaining the express consent of the data subject where the processing is necessary - (a)   for the performance of a contract to which the data subject is a party; (b)   in order to take steps required by the data subject prior to entering into a contract; (c)   in order to protect the vital interests of the data subject; (d)   for compliance with any legal obligation to which the data controller is subject; (da) for the purpose of making use of a unique identification number to facilitate sharing information and avoid multiple registrations among public sector agencies; (e)    for the administration of justice; or (f)     in the public interest.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Retention and Disposal The fifth principle of the DPA requires that personal data should not be kept for longer than necessary. It is important to note that the DPA does not set any time limit to retain data. The onus lies on the data controller to determine the time retention based on the purpose for which data is being kept and in accordance with other laws such as Employment Rights Act, Income Tax Act, Banking Act, National Archives Act etc..

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Access Request Rights The sixth principle of the DPA requires that personal data is processed in accordance with individual rights. Under section 41 of the DPA, a data subject has the right of access to information that the organisation holds about him/her. An individual can make a written request to see and obtain a copy of his/her information being held upon payment of the prescribed fee to the organisation. You should therefore have a process in place to recognise and respond to requests within statutory timescales.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Exemptions from Data Access Request There are ‘exemptions’ within the DPA (S43) which may allow a data controller to refuse to comply with a data subject’s access request in certain circumstances. For example: - if there is not enough evidence to identify the individual. - if it is an offence under any other enactment to provide the personal information. - if the information is confidential and concerns the data subject’s health, education and work. - if it concerns data for another individual

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Security Policy The seventh principle of the DPA requires that personal data is protected by appropriate security measures. Before you can decide what level of security is right for your business, you will need to assess the risks to the personal data you hold and choose the security measures that are appropriate to your needs.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Transfer of Data Abroad As per section 31(1) of the DPA, no data controller shall, except with the written authorisation of the Commissioner, transfer personal data to another country. Organisation must fill and submit to the Data Protection Office the ‘Transfer of Personal Data Form’ available on http://dataprotection.govmu.org.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Privacy Impact Assessments Build in privacy considerations at the start of projects or initiatives that involve the processing of personal data. Thinking about privacy early on will reduce risks and avoid costly changes at a later date. DPO web application to assess your organisation's compliance status with the Data Protection Act 2004: http://dataprotection.govmu.org/English/Publications/Pages/Privacy-Compliance-Assessment.aspx Guideline: http://dataprotection.govmu.org/English/Documents/Publications/Guidelines/DPO_Vol6_PrivacyImpactAssessment.pdf

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Disclosure of Information An organisation must ensure that personal information in its possession is not disclosed in any manner incompatible with the purposes for which such data has been collected, which is an offence under section 29 of the Data Protection Act. The principle is that the prior consent from the concerned data subject should be obtained before any disclosure is made, unless you fall under the exceptions of section 24(2) of the DPA.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Data Sharing ‘Data sharing’ refers to sharing of data within an organisation or sharing of data from one or more organisation to other organisation(s) If you are sharing client data, the DPA will apply. Consent of client is required before any data sharing takes place unless you fall under the exceptions of 24(2) or 25(2) of the DPA.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? CCTV at Work Data collected by the CCTV cameras is under the responsibility of the data controller and therefore the data controller is required to comply with the Data Protection Act for the collection of personal data. CCTV Images should be captured only within the premises of the company. A sign at all entrances should be displayed to specify: the purpose/s for which the surveillance is being carried out, the identity of the organisation, the contact details of the organisation

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? CCTV at Work (cntd.) A Guide titled ‘Vol 5 –Guidelines to regulate The Processing of Personal Data by Video Surveillance Systems’ is available on the Data Protection Office website (http://dataprotection.govmu.org/English/Documents/Publications/Guidelines/Guidvol5v3.pdf) under publications.

HOW CAN AN ORGANISATION MANAGE DATA PROTECTION? Fingerprint for attendance purposes Requires consent of workers. However, under sections 24 and 25 of the DPA, consent is not required where the data controller is able to show that it falls under the exemptions of section 24(2) or 25(2). In case consent is obtained, the organisation can continue using the Fingerprint system. In case no consent is received, alternative (less intrusive)methods for recording attendance must be provided.

OFFENCES AND PENALTIES Subject to Section 61 of the DPA, any person who contravenes this ACT shall commit an offence. Where no specific penalty is provided for an offence, the person shall, on conviction, be liable to a fine not exceeding 200,000 rupees and to imprisonment for a term not exceeding 5 years.

Resources The Data Protection Act 2004 The Data Protection website http://dataprotection.govmu.org/English/Legislation/Pages/Data-Protection-Act-2004.aspx The Data Protection website http://dataprotection.govmu.org/English/Pages/default.asp Guidelines http://dataprotection.govmu.org/English/Pages/Guidelines/Publications---Guidelines.aspx

THANK YOU!