Data Protection and Records Management
Key Responsibilities - Records Management
- Keep information accurate
- Disclose only if compatible with the purpose for which it was given
- Keep secure
- Have a retention policy
- Dispose of and retain data in line with the retention policy
1. Accurate
- Good business practice
- Best achieved at the point of collection
- An ongoing requirement if the data is intended to be used; ask the data subject if needed
2. Non-Disclosure
- General rule: no disclosure for a different purpose
- Exceptions are made to balance other interests of society
- Stricter conditions apply to sensitive data
- Main exceptions: investigation of crime; collection of taxes; security of the State; protection of life and limb; required by law; international relations; consent
2. Non-Disclosure (continued)
- The Data Controller should have a policy in place that determines how requests for data from third parties are handled
- This policy should be consulted by the appropriate staff members
3. Keep Secure
- Internal access controls: physical and technical
- Tracking of activity on files, to check that access is appropriate
- Internet connectivity and networks: anti-virus software, firewalls, encryption
- Access on a need-to-know basis and relevant to the purpose
- Third-party interception
3. Keep Secure (continued)
- Accidental disclosure to third parties: PC in a public area, non-secure fax
- External: robust encryption, online forms, technical measures
- Audit trails, reviews, logs, unusual events
- Manual files
- The individual is the biggest risk: training is essential
4. Retention Policy
- Legal obligations to hold data?
- Customer files
- Do you need to hold all that data?
- Personnel files
- Revenue requirement?
- Must have a policy thought through
- Defend retention as necessary for the purpose
4. Retention Policy - Public Bodies
- Overlap between the data protection rights of identifiable persons and the obligation to keep data for passing to the National Archives in 30 years
- Balance between the rights of the person and the public interest
- Option of Regulations under the DP Acts specifying the appropriate period for which such records may be held
5. Follow the Retention Policy
- A method appropriate to each organisation to review files
- Assign responsibility
- Reporting structure
- Delete personal data that is outside the terms of the policy
- Keep a record of deletions
Key Information Points
- Right of Access
- Right of Correction/Erasure
- Manual Data Exemption
Right of Access
- A fundamental right granted to individuals as a means of giving them control over how their data are processed (transparency)
- Applies to all manual and electronic records in existence at the time an access request is received, regardless of when the record was created
Right of Access (continued)
- Every person has the right to access their data held by any organisation, subject to the very limited exemptions outlined in Sections 4 and 5 of the Data Protection Acts
- The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce it
Right of Correction/Erasure
- Section 6 of the Act
- The Data Subject makes a written request
- Personal data must be corrected, if inaccurate, or deleted, if it should not be held
- The Data Controller has 40 days to respond
- No fee
Manual Data - Process Fairly
One of these conditions is required:
- Consent
- Legal obligation
- Contract with the individual
- Necessary to protect vital interests
- Necessary for a public function (justice)
- Necessary for 'legitimate interests'
Manual Data - Process Sensitive Data Fairly
One of these additional conditions is required:
- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Processing the data of members/clients of non-profit organisations
- Legal advice
- For medical purposes
- Statutory function