Presentation is loading. Please wait.

Presentation is loading. Please wait.

8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST?

Published byElfreda Patterson Modified over 9 years ago

Similar presentations

Presentation on theme: "8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST?"— Presentation transcript:

1 8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST? PRESENTED BY THE COMMISSIONER TO THE REPRESENTATIVES OF THE SIT ON 25.03.11

2 8/9/20152 DATA PROTECTION OFFICE A share registry would obviously contain shareholders’ personal data. It is the duty of any data controller to ensure that it complies first and foremost with the principles contained in section 22 of the DPA, that is collection of data is premised upon certain principles namely:- to inform the shareholders of the identity of the controller, the collection, the purpose, the

3 8/9/20153 DATA PROTECTION OFFICE beneficiaries of the data, the right of access of the shareholder to the data, the legal consequences for not cooperating and whether the supply of the data is voluntary or mandatory and if consent is required, to get the consent of the shareholders.

4 8/9/20154 DATA PROTECTION OFFICE There are certain exceptions where these duties may not have to be fulfilled by the controller for ex where compliance is not reasonably practicable and others as elaborated in section 22. In order to obtain the data, it is important to secure his express consent, preferably in writing in compliance with section 24 and 25 of the DPA.

5 8/9/20155 DATA PROTECTION OFFICE However, if the activity falls within the exceptions, for ex the performance of a contract between SIT and the shareholders, then the SIT may claim no consent required. But it is always safe wherever possible to include the consent of the shareholder except if a legal advisor certifies that the activity falls within the exception.

6 8/9/20156 DATA PROTECTION OFFICE In the same breadth, disclosure of the data to others should also be done with the prior consent of the shareholder. Appropriate security and organisational measures in agreement with the DPO must be implemented.

7 8/9/20157 DATA PROTECTION OFFICE Individuals should have control over their personal data. This is the message that this office wants to convey as the guiding principle for any organisation wishing to adopt the right approach to data protection. Thus, shareholders should retain control on their personal data. Organisations should consider data protection in a broader context such as assessing information risks from an

8 8/9/20158 DATA PROTECTION OFFICE individual’s perspective, by adopting transparency and data minimisation principles, and enhanced privacy practices.  For an organisation to demonstrate its willingness to meet expectations based on legal criteria and organisational promises, it must digest all aspects of data protection and information security.

9 8/9/20159 DATA PROTECTION OFFICE  This is reflected in the essential elements of accountability of the organisation:- Its commitment to accountability and adoption of internal policies consistent with data protection laws; Mechanisms to put privacy policies into effect, including privacy-enhancing tools. training, and education;

10 8/9/201510 DATA PROTECTION OFFICE Systems for internal ongoing oversight and assurance reviews and external verification; Transparency and mechanisms for individual participation; The means for remediation and external enforcement.

11 8/9/201511 DATA PROTECTION OFFICE There are virtually infinite ways by which organisations can creatively “build privacy in“ to their operations and products, to earn confidence and trust of customers, business partners and oversight bodies alike and to be leaders in the global marketplace. Innovative and adaptive tools may even be designed with the cooperation of the DPO officers.

12 8/9/201512 DATA PROTECTION OFFICE Thus, the most important consideration is to devise and create tools responsive to the eight principles of data protection which are fair and lawful processing of personal data, the purpose for which the data were obtained should be lawful and further processing should be compatible with that purpose, the data must be adequate, relevant, accurate, up to date and not excessive.

13 8/9/201513 DATA PROTECTION OFFICE They must not be kept for an indefinite period of time and must be destroyed as soon as is practicable. They must not be transferred abroad without authorisation from Commissioner. Appropriate security and organisational measures must be taken to protect the data from unlawful processing.

14 8/9/201514 DATA PROTECTION OFFICE  PETs may be categorised, according to their main functions, as either privacy management or protection tools.  Privacy Management Tools:-  They enable the user to understand the consequences of the processing of the personal information. There are a number of tools today that cater for the enterprise or the end-user market.

15 8/9/201515 DATA PROTECTION OFFICE  Privacy Protection Tools:-  They aim to hide the user’s identity, minimise the personal data revealed and camouflage network connections, for example, the originating IP address is not revealed.  They may also authenticate transactions such as payments whilst making it impossible to trace a connection back to the user.

16 8/9/201516 DATA PROTECTION OFFICE How to organise yourself to ensure the protection of data within your organisation? The right of access is the most important right that an individual has and you need to organise yourself for handling access requests. Dealing with access requests is not your only obligation. Staff should also be made aware of the obligations imposed by the Data Protection Act.

17 8/9/201517 DATA PROTECTION OFFICE To comply you should: –Ensure that the basic principles of data protection are explained to staff; –Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a “living” process aligned to the way the organisation conducts its business; –Document procedures, for example with regard to accuracy and have regular security reviews; –Allocate responsibility for compliance and set-out what in-house sanctions may be imposed if correct procedures are not followed;

18 8/9/201518 DATA PROTECTION OFFICE –Set out the circumstances in which personal data may be disclosed to third parties in compliance with the DPA. Obligations on retention and security need to be addressed Adhere to the ‘need to know principle’ – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions; Have adequate access controls, firewalls and virus protection and do not forget manual files;

19 8/9/201519 DATA PROTECTION OFFICE There should be retention policies for the various categories of data. Dealing with Subject Access Requests The key right for the individual is the right of access. Essentially this means that you have to supply to the individual the personal data that you hold if a valid request is made under Section 41. The time limit for complying with an access request is 28 days. In order to ensure your compliance with the time limit and your other access obligations the following organisational and procedural steps may be effected:

20 8/9/201520 DATA PROTECTION OFFICE Appoint a Co-ordinator or a Data Protection Officer who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator. All subject access matters should be submitted to the Co-ordinator. Check the validity of the access request. Ensure that it is in writing, that the appropriate fee is included.

21 8/9/201521 DATA PROTECTION OFFICE Check that sufficient material has been supplied to definitively identify the individual. This is most important as a third party may provide false material to lodge a false access request. Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation. Log the date of receipt of the valid request.

22 8/9/201522 DATA PROTECTION OFFICE Keep note of all steps taken to locate and collate data – if different divisions of the organisation are involved, have the steps “signed off” by the appropriate person. Check each item of data to establish whether any of the restrictions on or denial of access provided by section 43 will apply. If data relating to a third party is involved, do not disclose without the consent of the third party such data. An opinion given by a third party may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential.

23 8/9/201523 DATA PROTECTION OFFICE Monitor process of responding to the request – observing time limit of 28 days. Supply the data in an intelligible form (include an explanation of terms if necessary). Also provide description of purposes, disclosees and source of data (unless revealing the source would be contrary to the public interest). Number the documents supplied. Have the response “signed-off” by an appropriate person. Regularly review your procedures and processes.

24 8/9/201524 DATA PROTECTION OFFICE Every individual about whom a data controller keeps personal information on computer or in a relevant filing system, has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.

25 8/9/201525 DATA PROTECTION OFFICE An individual making an access request must:- Apply to the data controller in writing by filling in the request for access to data form available on the website or at the Data Protection Office, Give any details which might be needed to help the data controller identify him or her and locate all the information the data controller may keep about him/her. The individual must also pay the data controller the access fee of RS 75.

26 8/9/201526 DATA PROTECTION OFFICE Are there exceptions or limitations on the right of access to personal data ? Yes, there are. Section 43 of the Data Protection Act provides that the right of access does not apply in a number of cases. The restrictions upon the right of access fall into five groups: T he obligation to comply with an access request does not apply where the data controller is not supplied with the information he reasonably requires in order to satisfy himself as to the identity of the person making the request and to locate the in formation which the person seeks;

27 8/9/201527 DATA PROTECTION OFFICE W here compliance with the request would be in contravention of the confidentiality obligation of the data controller under the Mauritian law; T he right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence;

28 8/9/201528 DATA PROTECTION OFFICE The right of access does not include the revelation of evidence of the commission of a criminal offence other than an offence under the Act. W here the data controller cannot comply with the request without disclosing personal data relating to another person, he may refuse the request unless the other individual has consented to the disclosure of his personal data to the person making the request or he obtains the written approval of the Commissioner;

29 8/9/201529 DATA PROTECTION OFFICE The right of access does not include information given in confidence to the data controller for the purposes of the education, training or employment, or prospective education, of the data subject, the appointment or prospective appointment of the data subject to any office, the provision or prospective provision by the data subject of any service, the personal data requested consist of information recorded by candidates during an academic, professional or other examination.

30 8/9/201530 DATA PROTECTION OFFICE Basic Data Protection Checklist Are the individuals whose data you collect aware of your identity? Have you told the data subject what use you make of his/her data? Are the disclosures you make of that data legitimate ones?

31 8/9/201531 DATA PROTECTION OFFICE Do you have appropriate security measures in place? Do you have appropriate procedures in place to ensure that each data item is kept up-to-date? Do you have a defined policy on retention periods for all items of personal data? Do you have a data protection policy in place?

32 8/9/201532 DATA PROTECTION OFFICE Do you have procedures for handling access requests from individuals? Are you clear on whether or not you should be registered? Are your staff appropriately trained in data protection? Do you regularly review and audit the data which you hold and th e manner in which they are processed?

33 8/9/201533 DATA PROTECTION OFFICE

Download ppt "8/9/20151 DATA PROTECTION OFFICE TITLE:- HOW TO INCORPORATE DATA PROTECTION RULES TO SAFEGUARD SHAREHOLDERS’ PERSONAL DATA OF THE SUGAR INVESTMENT TRUST?"

Similar presentations

MONITORING OF SUBGRANTEES

MONITORING OF SUBGRANTEES
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
Data Protection Information Management / Jody McKenzie.

Data Protection Information Management / Jody McKenzie.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.

What does the Data Protection Act do? It sets standards which must be satisfied when obtaining, recording, holding, using, disclosing or disposing of.
Data Protection and Records Management

Data Protection and Records Management
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
Training at Ministry of Industry, Commerce and Consumer Protection Presented By: Mrs Dodah Pravina Mr Dookee Padaruth Date : 11 September 2014 Explaining.

Training at Ministry of Industry, Commerce and Consumer Protection Presented By: Mrs Dodah Pravina Mr Dookee Padaruth Date : 11 September 2014 Explaining.
TITLE:- “How To Ensure Effective compliance with the Data Protection Act” PRESENTED BY:- The Commissioner, {Mrs D. Madhub} TO:- Lamco Insurance Ltd ON.

TITLE:- “How To Ensure Effective compliance with the Data Protection Act” PRESENTED BY:- The Commissioner, {Mrs D. Madhub} TO:- Lamco Insurance Ltd ON.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
4 TH FLOOR, E MMANUEL A NQUETIL B UILDING, P ORT L OUIS TEL:-201 36 04 FAX:-201 39 76 mail.gov.mu 8/12/2015 1.

4 TH FLOOR, E MMANUEL A NQUETIL B UILDING, P ORT L OUIS TEL: FAX: mail.gov.mu 8/12/
Data Protection Recruitment Process

Data Protection Recruitment Process
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Data Protection Overview

Data Protection Overview
Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)

Protecting information rights –­ advancing information policy Privacy law reform for APP entities (organisations)
Data Protection for Church of Scotland Congregations

Data Protection for Church of Scotland Congregations
DATA PROTECTION OFFICE

DATA PROTECTION OFFICE
Implementation of Security and Confidentiality in GP Practices.

Implementation of Security and Confidentiality in GP Practices.

Similar presentations

Ads by Google