8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST?

Slides:



Advertisements
Similar presentations
MONITORING OF SUBGRANTEES
Advertisements

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Data Protection Information Management / Jody McKenzie.
The Data Protection (Jersey) Law 2005.
Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management
Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Training at Ministry of Industry, Commerce and Consumer Protection Presented By: Mrs Dodah Pravina Mr Dookee Padaruth Date : 11 September 2014 Explaining.
TITLE:- “How To Ensure Effective compliance with the Data Protection Act” PRESENTED BY:- The Commissioner, {Mrs D. Madhub} TO:- Lamco Insurance Ltd ON.
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
4 TH FLOOR, E MMANUEL A NQUETIL B UILDING, P ORT L OUIS TEL: FAX: mail.gov.mu 8/12/
Data Protection Recruitment Process
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
Data Protection for Church of Scotland Congregations
DATA PROTECTION OFFICE
Implementation of Security and Confidentiality in GP Practices.
13 July 2006Susan Joseph Health Privacy It’s My Business Health Records Act 2001 (Vic) eReferral Service Co-ordination System.
Data Protection and You Your Rights & The Law Registration Basics Other Activities Disclaimer: This presentation only provides an introductory info. Please.
DATA PROTECTION OFFICE {PMO} “OVERVIEW OF THE FUNDAMENTAL ASPECTS OF THE RIGHT OF ACCESS“ Presented by The Commissioner Mrs D. Madhub To Mutual Aid Association.
OCR Nationals Level 3 Unit 3.  To understand how the Data Protection Act 1998 relates to the data you will be collecting, storing and processing  To.
Data Protection STFC Presentation to PPD Senior Staff 26/11/2009 FoI/DP team.
Data Protection Act AS Module Heathcote Ch. 12.
Data protection office (PMO) Title:- An overview of the Data Protection Act and its implications as regards registration and data subject access requests.
DATA PROTECTION & FREEDOM OF INFORMATION. What is the difference between Data Protection & Freedom of Information? The Data Protection Act allows you.
Data Protection Act & Freedom of Information Simon Mansell Corporate Governance and Information Team.
Data Protection Corporate training Data Protection Act 1998 Replaces DPA 1994 EC directive 94/46/EC The Information Commissioner The courts.
The right item, right place, right time. DLA Privacy Act Code of Fair Information Principles.
DATA PROTECTION ACT 1998 Became law on 1 March 2000 Only applies to the use of personal data, that is data which relates to an identifiable living individual,
The Data Protection Act What Data is Held on Individuals? By institutions: –Criminal information, –Educational information; –Medical Information;
Data Protection and Records Management. Key Responsibilities - Record Management Keep Information Accurate Disclose only if compatible with purpose for.
Drs. Krishna and Webb October 31,  6  6.1  6.2  6.3  6.4  7.1, 7.2, 7.3, 7.4  7  7.3  7.4  LUNCH ANSI Training 2013: Webb/Krishna.
PROTECTION OF PERSONAL DATA. OECD GUIDELINES: BASIC PRINCIPLES OF NATIONAL APPLICATION Collection Limitation Principle There should be limits to the collection.
INTRODUCTION TO DATA PROTECTION An overview of the Irish Data Protection legislation.
An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.
Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.
APEC Privacy Framework “The lack of consumer trust and confidence in the privacy and security of online transactions and information networks is one element.
DATA PROTECTION ACT INTRODUCTION The Data Protection Act 1998 came into force on the 1 st March It is more far reaching than its predecessor,
Session 11 Data protection. 1 Contents Part 1: Introduction Part 2: Applicability and responsibility Part 3: Our procedures on data protection Part 4:
DON Code of Privacy Act Fair Information Principles DON has devised a list of principles to be applied when handling Protected Personal Information (PPI).
The EU General Data Protection Regulation Frank Rankin.
Introduction to the Australian Privacy Principles & the OAIC’s regulatory approach Privacy Awareness Week 2016.
Data protection—training materials [Name and details of speaker]
Presented by Ms. Teki Akuetteh LLM (IT and Telecom Law) 16/07/2013Data Protection Act, 2012: A call for Action1.
Protection of Personal Information Act An Analysis on the impact.
Clark Holt Limited (Co. No ), Hardwick House, Prospect Place, Swindon, SN1 3LJ Authorised and regulated by the Solicitors Regulation.
Understanding Privacy An Overview of our Responsibilities.
1 Auditing Your Fusion Center Privacy Policy. 22 Recommendations to the program resulting in improvements Updates to privacy documentation Informal discussions.
Every employer must ensure, as far as is reasonable practicable, the health, safety and welfare of all his employees More specifically, employers must.
Data Protection Laws in the European Union John Armstrong CMS Cameron McKenna.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
General Data Protection Regulation (EU 2016/679)
Accountability & Structured Privacy Management
Privacy principles Individual written policies
General Data Protection Regulation
Data protection issues in regulatory investigations
APP entities (organisations)
Data Protection Legislation
GENERAL DATA PROTECTION REGULATION (GDPR)
6 Principles of the GDPR and SQL Provision
Move this to online module slides 11-56
G.D.P.R General Data Protection Regulations
General Data Protection Regulation
Data Protection principles
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
General Data Protection Regulations 2018
IAPP TRUSTe SYMPOSIUM 9-11 JUNE 2004
Presentation transcript:

8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST? PRESENTED BY THE COMMISSIONER TO THE REPRESENTATIVES OF THE SIT ON

8/9/20152 DATA PROTECTION OFFICE A share registry would obviously contain shareholders’ personal data. It is the duty of any data controller to ensure that it complies first and foremost with the principles contained in section 22 of the DPA, that is collection of data is premised upon certain principles namely:- to inform the shareholders of the identity of the controller, the collection, the purpose, the

8/9/20153 DATA PROTECTION OFFICE beneficiaries of the data, the right of access of the shareholder to the data, the legal consequences for not cooperating and whether the supply of the data is voluntary or mandatory and if consent is required, to get the consent of the shareholders.

8/9/20154 DATA PROTECTION OFFICE There are certain exceptions where these duties may not have to be fulfilled by the controller for ex where compliance is not reasonably practicable and others as elaborated in section 22. In order to obtain the data, it is important to secure his express consent, preferably in writing in compliance with section 24 and 25 of the DPA.

8/9/20155 DATA PROTECTION OFFICE However, if the activity falls within the exceptions, for ex the performance of a contract between SIT and the shareholders, then the SIT may claim no consent required. But it is always safe wherever possible to include the consent of the shareholder except if a legal advisor certifies that the activity falls within the exception.

8/9/20156 DATA PROTECTION OFFICE In the same breadth, disclosure of the data to others should also be done with the prior consent of the shareholder. Appropriate security and organisational measures in agreement with the DPO must be implemented.

8/9/20157 DATA PROTECTION OFFICE Individuals should have control over their personal data. This is the message that this office wants to convey as the guiding principle for any organisation wishing to adopt the right approach to data protection. Thus, shareholders should retain control on their personal data. Organisations should consider data protection in a broader context such as assessing information risks from an

8/9/20158 DATA PROTECTION OFFICE individual’s perspective, by adopting transparency and data minimisation principles, and enhanced privacy practices.  For an organisation to demonstrate its willingness to meet expectations based on legal criteria and organisational promises, it must digest all aspects of data protection and information security.

8/9/20159 DATA PROTECTION OFFICE  This is reflected in the essential elements of accountability of the organisation:- Its commitment to accountability and adoption of internal policies consistent with data protection laws; Mechanisms to put privacy policies into effect, including privacy-enhancing tools. training, and education;

8/9/ DATA PROTECTION OFFICE Systems for internal ongoing oversight and assurance reviews and external verification; Transparency and mechanisms for individual participation; The means for remediation and external enforcement.

8/9/ DATA PROTECTION OFFICE There are virtually infinite ways by which organisations can creatively “build privacy in“ to their operations and products, to earn confidence and trust of customers, business partners and oversight bodies alike and to be leaders in the global marketplace. Innovative and adaptive tools may even be designed with the cooperation of the DPO officers.

8/9/ DATA PROTECTION OFFICE Thus, the most important consideration is to devise and create tools responsive to the eight principles of data protection which are fair and lawful processing of personal data, the purpose for which the data were obtained should be lawful and further processing should be compatible with that purpose, the data must be adequate, relevant, accurate, up to date and not excessive.

8/9/ DATA PROTECTION OFFICE They must not be kept for an indefinite period of time and must be destroyed as soon as is practicable. They must not be transferred abroad without authorisation from Commissioner. Appropriate security and organisational measures must be taken to protect the data from unlawful processing.

8/9/ DATA PROTECTION OFFICE  PETs may be categorised, according to their main functions, as either privacy management or protection tools.  Privacy Management Tools:-  They enable the user to understand the consequences of the processing of the personal information. There are a number of tools today that cater for the enterprise or the end-user market.

8/9/ DATA PROTECTION OFFICE  Privacy Protection Tools:-  They aim to hide the user’s identity, minimise the personal data revealed and camouflage network connections, for example, the originating IP address is not revealed.  They may also authenticate transactions such as payments whilst making it impossible to trace a connection back to the user.

8/9/ DATA PROTECTION OFFICE How to organise yourself to ensure the protection of data within your organisation? The right of access is the most important right that an individual has and you need to organise yourself for handling access requests. Dealing with access requests is not your only obligation. Staff should also be made aware of the obligations imposed by the Data Protection Act.

8/9/ DATA PROTECTION OFFICE To comply you should: –Ensure that the basic principles of data protection are explained to staff; –Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a “living” process aligned to the way the organisation conducts its business; –Document procedures, for example with regard to accuracy and have regular security reviews; –Allocate responsibility for compliance and set-out what in-house sanctions may be imposed if correct procedures are not followed;

8/9/ DATA PROTECTION OFFICE –Set out the circumstances in which personal data may be disclosed to third parties in compliance with the DPA. Obligations on retention and security need to be addressed Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions; Have adequate access controls, firewalls and virus protection and do not forget manual files;

8/9/ DATA PROTECTION OFFICE There should be retention policies for the various categories of data. Dealing with Subject Access Requests The key right for the individual is the right of access. Essentially this means that you have to supply to the individual the personal data that you hold if a valid request is made under Section 41. The time limit for complying with an access request is 28 days. In order to ensure your compliance with the time limit and your other access obligations the following organisational and procedural steps may be effected:

8/9/ DATA PROTECTION OFFICE Appoint a Co-ordinator or a Data Protection Officer who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator. All subject access matters should be submitted to the Co-ordinator. Check the validity of the access request. Ensure that it is in writing, that the appropriate fee is included.

8/9/ DATA PROTECTION OFFICE Check that sufficient material has been supplied to definitively identify the individual. This is most important as a third party may provide false material to lodge a false access request. Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation. Log the date of receipt of the valid request.

8/9/ DATA PROTECTION OFFICE Keep note of all steps taken to locate and collate data – if different divisions of the organisation are involved, have the steps “signed off” by the appropriate person. Check each item of data to establish whether any of the restrictions on or denial of access provided by section 43 will apply. If data relating to a third party is involved, do not disclose without the consent of the third party such data. An opinion given by a third party may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential.

8/9/ DATA PROTECTION OFFICE Monitor process of responding to the request – observing time limit of 28 days. Supply the data in an intelligible form (include an explanation of terms if necessary). Also provide description of purposes, disclosees and source of data (unless revealing the source would be contrary to the public interest). Number the documents supplied. Have the response “signed-off” by an appropriate person. Regularly review your procedures and processes.

8/9/ DATA PROTECTION OFFICE Every individual about whom a data controller keeps personal information on computer or in a relevant filing system, has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.

8/9/ DATA PROTECTION OFFICE An individual making an access request must:- Apply to the data controller in writing by filling in the request for access to data form available on the website or at the Data Protection Office, Give any details which might be needed to help the data controller identify him or her and locate all the information the data controller may keep about him/her. The individual must also pay the data controller the access fee of RS 75.

8/9/ DATA PROTECTION OFFICE Are there exceptions or limitations on the right of access to personal data ? Yes, there are. Section 43 of the Data Protection Act provides that the right of access does not apply in a number of cases. The restrictions upon the right of access fall into five groups: T he obligation to comply with an access request does not apply where the data controller is not supplied with the information he reasonably requires in order to satisfy himself as to the identity of the person making the request and to locate the in formation which the person seeks;

8/9/ DATA PROTECTION OFFICE W here compliance with the request would be in contravention of the confidentiality obligation of the data controller under the Mauritian law; T he right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence;

8/9/ DATA PROTECTION OFFICE The right of access does not include the revelation of evidence of the commission of a criminal offence other than an offence under the Act. W here the data controller cannot comply with the request without disclosing personal data relating to another person, he may refuse the request unless the other individual has consented to the disclosure of his personal data to the person making the request or he obtains the written approval of the Commissioner;

8/9/ DATA PROTECTION OFFICE The right of access does not include information given in confidence to the data controller for the purposes of the education, training or employment, or prospective education, of the data subject, the appointment or prospective appointment of the data subject to any office, the provision or prospective provision by the data subject of any service, the personal data requested consist of information recorded by candidates during an academic, professional or other examination.

8/9/ DATA PROTECTION OFFICE Basic Data Protection Checklist Are the individuals whose data you collect aware of your identity? Have you told the data subject what use you make of his/her data? Are the disclosures you make of that data legitimate ones?

8/9/ DATA PROTECTION OFFICE Do you have appropriate security measures in place? Do you have appropriate procedures in place to ensure that each data item is kept up-to-date? Do you have a defined policy on retention periods for all items of personal data? Do you have a data protection policy in place?

8/9/ DATA PROTECTION OFFICE Do you have procedures for handling access requests from individuals? Are you clear on whether or not you should be registered? Are your staff appropriately trained in data protection? Do you regularly review and audit the data which you hold and th e manner in which they are processed?

8/9/ DATA PROTECTION OFFICE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.