Data Protection: Your Rights as a Data Subject

Slides:



Advertisements
Similar presentations
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Advertisements

Data Protection: Your Duties as a Data Controller
Data Protection Information Management / Jody McKenzie.
The Data Protection (Jersey) Law 2005.
Data Protection.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.
Audiences NI Data Protection Workshop
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview
The Data Protection Act
Data Protection for Church of Scotland Congregations
CENTRAL SCOTLAND POLICE Data Protection & Information Security Stuart Macfarlane Information Governance Unit Police Service of Scotland.
Data Protection & Government Departments Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 2006.
Respecting the Consumer – the Data Protection Perspective Billy Hawkes Data Protection Commissioner Association of Advertisers in Ireland 3 June 2009.
Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.
Data Protection & Law Enforcement Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 27 th 2006.
Elma Graham. To understand what data protection is To reflect on how data protection affects you To consider how you would safeguard the data of others.
The Freedom of Information and Data Protection Legislation An Overview Ann McKeon November 2014.
Data Protection & Commercial Sector Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 24 th 2006.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection and the Voluntary Sector: Respecting the Rights of the Individual Billy Hawkes Data Protection Commissioner Carmichael Centre Dublin, 2.
Data Protection & FOI Data Protection: Background Human Right to Privacy Unenumerated right under Irish Constitution Explicit right under European Convention.
Data Protection Act AS Module Heathcote Ch. 12.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office.
DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual,
The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Data Protection and Records Management. Key Responsibilities - Record Management Keep Information Accurate Disclose only if compatible with purpose for.
Legal issues The Data Protection Act Legal issues What the Act covers The misuse of personal data By organizations and businesses.
12/12/2015 Data Protection Act /12/2015 The DP Act A law that protects personal privacy and upholds individual’s rights Anyone who handles personal.
Introduction Data protection is relevant to every individual, business or organisation today, not just Local Government. As well as protecting privacy,
Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.
Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
Data Protection in a Workplace Context. Layout of Presentation Background to Data Protection Role of Data Protection Commissioner Principles of Data Protection.
DATA PROTECTION ACT (DPA). WHAT IS THE DATA PROTECTION ACT?  The Data Protection Act The Data Protection Act (DPA) gives individuals the right.
DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
GCSE ICT Data and you: The Data Protection Act. Loyalty cards Many companies use loyalty cards to encourage consumers to use their shops and services.
© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Data protection—training materials [Name and details of speaker]
Sharing Information Legally Lindsay Ould London Borough of Lewisham.
Sharing Personal Data ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.
Practical implications of the Data Protection Bill By John Robinson Data Protection Co-Ordinator South Bucks NHS Trust.
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Understanding Privacy An Overview of our Responsibilities.
Introduction to Data Protection Plan »Brief Introduction to Data Protection  Example  Principles  P3, 4, 7  Sensitive Data  Conditions for Processing.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
Students’ Unions 2011 Data Protection and Students’ Unions Mairead O’Reilly 19 July 2011.
The Freedom of Information and Data Protection Legislation An Overview
Learning Intention Legislations impact on security of information
Data Protection: The Law
Issues of personal data protection in scientific research
Data Protection: EU & International
Data Protection The Current Regime
Data protection issues in regulatory investigations
Data Protection Act 1988 and Data Protection (Amendment) Act 2003
Data Protection Legislation
Data Protection & Freedom of Information- An Introduction
GENERAL DATA PROTECTION REGULATION (GDPR)
New Data Protection Legislation
G.D.P.R General Data Protection Regulations
Data Protection principles
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
General Data Protection Regulations 2018
Data Protection Act 1988 and Data Protection (Amendment) Act 2003
Data protection & FOIA considerations
Presentation transcript:

Data Protection: Your Rights as a Data Subject

Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others) Right protected by Irish Constitution and European Law

The Data Protection Rules Fair obtaining & processing Consent Specified purpose No disclosure unless “compatible” Safe and secure Accurate, up-to-date Relevant, not excessive Retention period Right of access

The Acts create: Background Data Protection Acts, 1988 & 2003 RIGHTS for individuals RESPONSIBILITIES users of personal data

Rights and Obligations Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)

Definitions(1) Personal Data Data Manual Data Any Data relating to a living identifiable individual Data Automated data or structured manual data Manual Data Structured by reference to individuals in a way that makes data readily accessible

Definitions(2) Data Controller Data Processor a person who controls the contents and use of personal data Data Processor A person who processes personal data on behalf of a data controller

Definitions(3) Data Subject Processing an individual who is the subject of personal data Processing Anything done with personal data, from collection to disposal

Sensitive Data (special protection) Physical or mental health Racial origin Political opinions Religious or other beliefs Sexual life Criminal convictions Alleged commission of offence Trade Union membership

Rights of Individuals to fairness when giving information to get a copy of their personal information – includes both computer and certain manual files to have wrong information corrected to opt out of marketing - includes mail & phone to complain to the Data Commissioner

Obtain & Process Fairly I Rule 1 Obtain & Process Fairly I Data controller must give full information about identity purposes disclosees any other data necessary for “fairness” Third party data controllers must contact data subject to provide these details must give name of original data controller

Obtain & Process Fairly II Rule 1 Obtain & Process Fairly II One of these conditions required: Consent Legal obligation Contract with individual Necessary to protect vital interests Necessary for a public function (Justice) necessary for ‘legitimate interests’

Processing Sensitive Data Rule 1 Processing Sensitive Data One of these additional conditions is required Explicit consent Necessary under employment law To prevent injury or protect vital interests Process the data of members/clients of non-profit orgs. Legal advice For Medical Purposes Statutory function

Specified Purpose Rule 2 Part of obligations when obtaining to specify purpose Cannot expand purpose without reverting to individual

Disclose only if compatible Rule 3 Disclose only if compatible General rule – no disclosure for different purpose Exceptions made, to balance other interests of society Section 8 exceptions Investigation of crime Collection of taxes Security of the State Protect life & limb Law or court order Legal advice and legal proceedings No general “public interest” test

Keep Safe and Secure Rule 4 Appropriate security measures Appropriate to the harm that might result.. Appropriate to the nature of the data May have regard to cost of implementation May have regard to the current state of technology Staff must know and comply with measures Internal review of security measures-part of Internal Audit function ?

Accurate, Complete and Up-to-Date Rule 5 Accurate, Complete and Up-to-Date Longer personal data is held, more likely it will be inaccurate and out-of-date Right to have errors rectified (see later)

Relevant and not Excessive Rule 6 Relevant and not Excessive No right to ask for, or hold, information not relevant to service etc being provided Challenge: who do you need all this personal data ?

Retain no longer than necessary Rule 7 Retain no longer than necessary Legal obligations to hold data? Customer files Do you need to hold all that data? Payment records might have one retention period Exam results might have longer retention period Credit card details retained with consent Must have policy thought through Defend retention as necessary for purpose.

Right of Access Rule 8 applies to manual as well as computer files data subjects are also entitled to know purposes for which data is processed persons to whom data are disclosed the source of the data

Right of Access: Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Scope of Access Request Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created. Copy of information must be provided in permanent form unless data subject agrees otherwise or this is impossible or involves disproportionate effort

What must be disclosed in an access request Personal data held purposes for processing data persons to whom data are disclosed the source of the data subject to confidentiality safeguards logic involved in automated decisions

Access Request - Procedure Shall be in writing Data Subject shall provide sufficient information to identify oneself Data Controller shall comply within 40 days May charge a fee up to €6.35

Opinions Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. References are not exempt in general High threshold required Work performance reports on colleagues are accessible Interview notes-accessible

Exempt from Access Requests Data relating to a claim of liability Data covered by legal privilege Data relating to a criminal investigation Certain research data Back-up data

Access: Exemptions (S.5) Right of Access does not apply if likely to prejudice: Preventing, detecting or investigating offences, apprehending or prosecuting offenders Security in a place of detention Other (international relations, privileged information etc)

Right to correct/erase/block Section 6 of the Act Data Subject makes a written request Personal data must be: Corrected, if inaccurate; or Deleted, if should not be held. Data Controller has 40 days to respond No fee

Right of erasure Doesn’t apply if you have a lawful purpose in retaining data Such as auditing or accreditation purposes

Automated decisions Key decisions cannot be made solely based on automated processing of personal data creditworthiness work performance reliability Exceptions consent; legal necessity; contractual reasons

Right to object Section 6A(1) allows the data subject to object to the processing of data Is “likely to cause substantial damage or distress to him or her, or to another person, and The damage or distress is or would be unwarranted”

DP/FOI Access to Personal Information DP and FOI Acts reinforce one another in relation to personal access in the public sector Defending access to personal information as human (DP) and citizen (FOI) right 3rd Party Access restricted under both Acts FOI access to personal information should sometimes prevail in the public interest

Right to opt out of direct marketing Data subject may opt out of direct marketing database (e.g. a mailing list) Data controller must delete the data subject’s details (or stop using them for direct marketing) Data controller must reply within 40 days

Electronic Communications Right to “opt-out” of all unsolicited direct marketing calls Ex-Directory customers (and most mobiles) automatically ‘opted-out’ If not ex-directory, Contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list SMS and e-mail unsolicited marketing banned

Frequently Asked Questions

Can my employer monitor me? Yes, depending on the conditions of any in-house policy document. Employees should be made fully aware of Office policy in relation to e-mail content, and acceptable usage Monitoring should be proportionate and not unduly intrusive.

Can monitoring occur without my consent? Where a criminal offence is being investigated, covert monitoring may be legitimate. Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.

Can I get a copy of my personnel file? You have a right to a copy of any records relating to you – including personnel files, assessments, evaluations and interview notes. Note – this may be subject to restriction, for instance re statements of opinion or third party .

How can I check my credit rating? Contact the Irish Credit Bureau at 01-2600388 (www.icb.ie) Your credit rating can be checked by member institutions (banks, etc.) when you apply for credit.

How do I stop unwanted phone marketing? You should contact your telephone line provider – e.g. Eircom, BT – and ask to have your details included in the National Directory Database (the NDD) ‘opt-out list’ After about one month, marketing calls from Ireland should cease. More info: www.askcomreg.ie and www.dataprotection.ie

How do I stop Junk Mail? You can write to the organisation sending the mail, instructing them to stop. They are obliged to comply. Or you can use the Mail Preference Service operated by the Irish Direct Marketing Association (www.idma.ie).

Further Guidance www.dataprotection.ie