BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date: 09.07.14.

Slides:



Advertisements
Similar presentations
Administrative Systems and the Law What you need to know to produce an oral presentation for Unit 7 When the presentations will take place Resources you.
Advertisements

Data Protection Information Management / Jody McKenzie.
Confidentiality & Records Management. What is Information Governance? What is Records Management?
The Data Protection (Jersey) Law 2005.
Getting data sharing right for every child
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
University of Sunderland Professionalism and Personal Skills Unit 11 Professionalism and Personal Skills Computer Legislation.
Duncan Woodhouse – Assistant Registrar for Information Security, Risk Management and Business Continuity Helen Wollerton – Administrative Officer (Legal.
Data Protection Act.
Data Protection Act Description The Data Protection Act controls how your personal information can be used and protects from the misuse of your.
Information Commissioner’s Office: data protection Judith Jones Senior Policy Officer Strategic Liaison – public security 16 November 2011.
DATA PROTECTION AND PATIENT CONFIDENTIALITY IN RESEARCH Nic Drew Data Protection Manager University Hospital of Wales   
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Personal Data (Privacy) Ordinance Hong Kong Personal Data (Privacy) Ordinance Hong Kong by Stephen Lau Privacy Commissioner for Personal Data Hong Kong.
Data Protection Overview
The Data Protection Act
Data Protection Act. Lesson Objectives To understand the data protection act.
 The Data Protection Act 1998 is an Act of Parliament which defines UK law on the processing of data on identifiable living people and it is the main.
The Information Commissioner’s Office David Evans.
Health & Social Care Apprenticeships & Diploma
The Data Protection Act 1998 The Eight Principles.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection: An enabler? David Freeland, Senior Policy Officer 23 October 2014.
Data Protection Act AS Module Heathcote Ch. 12.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
Processing personal health data: the regulator’s perspective Ken Macdonald Assistant Commissioner Information Commissioner’s Office.
What is personal data? Personal data is data about an individual which they consider to be private.
The Data Protection Act - Confidentiality and Associated Problems.
The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Data Protection Act (1984, 1998). 2 Data Protection Act There are many organisations which hold personal information about individuals Examples: Loyalty.
Legal issues The Data Protection Act Legal issues What the Act covers The misuse of personal data By organizations and businesses.
The Data Protection Act What the Act covers The misuse of personal data by organisations and businesses.
Twelve Guiding Principles for the Regulation of Surveillance Camera Systems Presented by: Alastair Thomas Date: 23 rd October 2013.
PROTECTION OF PERSONAL DATA. OECD GUIDELINES: BASIC PRINCIPLES OF NATIONAL APPLICATION Collection Limitation Principle There should be limits to the collection.
Data Protection - Rights & Responsibilities Information Commissioner’s Office Orkney Practice Forum 4 th July 2007.
Data Protection Act The Data Protection Act (DPA) is a balance between rights of the DATA SUBJECT and obligations of the DATA CONTROLLER DATA CONTROLLER.
Data Protection Act (1998).
Breakaway Session 2: Data Protection and The Role of the Data Protection Supervisor Michael Mingle Director, NTSS Solutions (UK) D ATA P ROTECTION C ONFERENCE.
DATA PROTECTION ACT DATA PROTECTION ACT  Gives rights to data subjects (i.e. people who have data stored about them on a computer)  Information.
© University of Reading Lee Shailer 06 June 2016 Data Protection the basics.
Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office.
Security of, privacy of and access to personal/confidential information/data.
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Getting data sharing right for every child Maureen H Falconer Senior Policy Officer Information Commissioner’s Office.
Data protection—training materials [Name and details of speaker]
Sharing Personal Data ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.
Protection of Personal Information Act An Analysis on the impact.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
The Data Protection Act 1998
The Data Protection Act 1998
UNHCR‘s Policy on the Protection of Personal Data of Persons of Concern - An introduction (October 2016)
Data Protection At The Workplace
Handout 2: Data Protection and Copyright
Data Protection Act.
Managing Data Protection
General Data Protection Regulation
The Data Protection Act 1998
Data Protection Legislation
Data Protection & Freedom of Information- An Introduction
Privacy & Access to Information
New Data Protection Legislation
G.D.P.R General Data Protection Regulations
General Data Protection Regulation
General Data Protection Regulations 2018
New Data Innovation Projects: Data Privacy and Data Protection
Welcome IITA Inbound Insider Webinar: An Introduction to GDPR
Dr Elizabeth Lomas The General Data Protection Regulation (GDPR): Changing the data protection landscape Dr Elizabeth Lomas
Presentation transcript:

BIOMETRICS, CCTV & DATA PROTECTION By Drudeisha Madhub Data Protection Commissioner Date:

Biometric Data of a Person All biometric data pertaining to a living individual are “personal data” within the DPA. They include fingerprint, retina, iris, dna, amongst others. The Data Protection Act applies when use or processing of all personal data are being made.

Applicability of DPA (relevant sections) Section 22 : Processing for lawful and necessary purpose Section 23 : Accuracy of data has to be ensured Section 24 : The express consent of the data subject is required for processing personal data Section 25: Processing of sensitive data Section 26 : Keeping for specified purpose(s) & ensuring that the data is adequate, relevant and not excessive

Applicability of DPA (relevant sections) Section 27 : The organisation as data controller has the responsibility to ensure that the data is safe and secure Section 28: Data is kept only for a justified duration Section 29: Unlawful disclosure is not allowed Section 32: Data Matching

Exemption from DPA Section 45 : Exemption from DPA application allowed for national security Section 46 : Exemption to certain sections of the DPA allowed for the prevention or detection of crime by relevant authorities

Biometric fingerprint for attendance purposes Requires consent of individuals unless explicitly provided in the contract of employment and the employee is agreeable, or is required by law or relates to information made public by the employee. In case no consent is received, alternative methods for recording attendance must be provided. Appropriate security and organisational measures must be implemented to secure the data and counteract the 3 main risks associated with the use of fingerprints namely identity fraud, purpose diversion and data breach occurrence. Appropriate retention policies must be established e.g what will happen to the data when an employee leaves the organisation?

CCTV at work Images outside the organisation’s premises should not be captured. Visible and legible signs should be displayed to inform any individual that an area is being covered by CCTV cameras. Such signs should contain:  the purpose/s for which the surveillance is being carried out  the identity and contact details of the organisation. Images captured must remain secure at all times.

MNIC THE NATIONAL IDENTITY CARD ACT 2013 Section 12. Collection and processing of data to be subject to Data Protection Act The collection and processing of personal data, including biometric information, under this Act shall be subject to the provisions of the Data Protection Act. However, under sections 24 and 25 of the DPA, consent is not required where the data controller is able to show that the processing is required by law or falls under any other exception applicable under these sections.

Best Practices – The Four Part Test Case to case analysis using the following principles to show that collection is required: Necessity Is the measure demonstrably necessary to meet a specific need? Effectiveness Is it likely to be effective in meeting that need? Proportionality Would the loss of privacy be proportionate to the benefit gained? Alternatives Is there a less privacy-invasive way of achieving the same end?

Best Practices - Privacy Impact Assessments A Privacy Impact Assessment is a process intended to help organisations consider the impact that a new or substantially modified initiative can have on people’s privacy, especially when personal information is being collected. The process is useful for any organisation. Guideline titled Vol. 6 - Guidelines on Privacy Impact Assessments on

Thank You