1. Data Protection & Government Departments Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 2006

2. Presentation Outline  Background – Human Rights  Data Protection Principles  Rights of data subjects  Some FAQs

3. Why Data Protection? Post-Word War II emphasis on human rights George Orwell, “1984” (published in 1949) International Agreements on Human Rights Development of computer power

4. Privacy: Legal development Universal Declaration on Human Rights (1948) European Convention on Human Rights (1950) Convention 108 (Council of Europe, 1981) Background

5. UN Universal Declaration on Human Rights, 1948 Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence... Everyone has the right to the protection of the law against such interference ….

6. European Convention on Human Rights, 1950 Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society Background

7. Key concept Privacy is a Human Right

8. Council of Europe Convention, 1981 Also called “Convention 108” Deals specifically with data protection Ireland’s Data Protection Act 1988 gives effect to this Convention

9. Directive 95/46/EC Harmonisation across EU. –Free movement of data across EU Extends DP to manual records.

10. Key concept Data Protection Laws are one method of protecting privacy rights.

11. Essential points People have a fundamental right to privacy –You are legally obliged to recognise this right Showing that you recognise and protect that right makes good sense –Increased confidence/trust of customers

12. How DP legislation work By imposing obligations on those who process personal data; By providing rights to individuals regarding how their data are processed.

13. Limited exemptions: Data exempt on National Security grounds. Data that is processed for personal domestic or recreational purposes

14. Data Protection Principles. 1. Fair obtaining  consent 2. Accurate 3. Specified purpose 4. No further processing  Unless compatible 5.Relevant, not excessive 6.Retention period 7.Safe & secure 8.Comply with access request

15. Obtain & Process Fairly I Data controller must give full information about –identity –purposes –disclosees –any other data necessary for “fairness” Third party data controllers –must contact data subject to provide these details –must give name of original data controller 1 st Principle

16. Obtain & Process Fairly II One of these conditions required:  Consent  Legal obligation  Contract with individual  Necessary to protect vital interests  Necessary for a public function (Justice)  necessary for ‘legitimate interests’ 1 st Principle

17. Processing Sensitive Data (1) One of these additional conditions is required  Explicit consent  Necessary under employment law  To prevent injury or protect vital interests  Legal advice  For Medical Purposes  Statutory function 1 st Principle

18. Processing Sensitive Data (2) Specific Government sector provisions  Administration of benefit or pension by Crown  Tax collection 1 st Principle

19. What are sensitive data?  Physical or mental health  Racial origin  Political opinions  Religious or other beliefs  Sexual life  Criminal convictions  Alleged commission of offence  Trade Union membership

20. Fair Obtaining - practical Transparency is the key issue Generally, a person should know –who is processing his/her data –and for what purpose

21. Fair Obtaining - practical Consent is easiest to rely upon –If from 3 rd party, is their responsibility to demonstrate legitimacy to you Consent has to be freely given Statutory provisions allow Govt Depts to process data without consent – in certain circumstances

22. Fair Obtaining - practical CCTV – well placed signage meets transparency requirement Consent not required if CCTV for security –Legitimate interest Consent not required if for health & safety –Legal obligation Though consent not required, transparency requires information is supplied (sign)

23. Fair Obtaining - practical If relying on consent for data obtained on a form –Require any consent clause to be at least as big a font size as the data collection element of form –If on-line, require a privacy statement that covers transparency & fair obtaining requirements

24. Accurate, Complete, up to date Often a reactive rather than proactive task 2 nd Principle

25. Accurate - practical If you change your address and do not tell a Government Department, it is not at fault for sending mail to your old address. However, if mail is returned to the sender as undeliverable, the sender must act by at least not sending any more mail to that address.

26. Specified Purpose Part of obligations when obtaining to specify purpose Cannot expand purpose without reverting to individual 3 rd Principle

27. Purpose - practical Purpose might be implied from transaction - such as for administration of benefit. Otherwise, should be clearly referred to

28. Purpose – case study Teacher strike action Dept Education access payroll database to identify teachers paying subs to particular union Use information to deduct pay of all union members Data not obtained for that purpose, Dept has to repay teachers

29. Disclosing personal data Further processing not generally permitted – compatibility test section 19 – lifts the restrictions on disclosure: –crime; tax; State security; –required urgently to protect life and limb –required by law or court order –with consent of, or on behalf of, data subject 4 th Principle

30. Disclosure Policy The Data Controller should have a policy in place to determine how requests for data from third parties are handled. This policy should be consulted by appropriate staff members

31. Disclosure - practical An example of a compatible disclosure is where you supply data to an organisation in order to get a product/service. If that organisation must supply your data to a third party in order to get that product/service delivered, it is a compatible disclosure.

32. Disclosure - practical Army deafness claims Dept Defence supplied list of claimants to Dept Social Welfare to check if also claimed there Disclosure as not one Data Controller Not lawful, as anti-fraud exemption is case- by-case

33. Disclosure – case study Local Authority published planning applications on line (incl identity documents) Motivated by drive for more e-Government Legislation allowed files to be consulted by any member of public On-line publication went beyond legal requirement

34. Relevant and not excessive Do you need all this data? - look a form and see if you need all data - can data collected be culled over time? Different policies for different types of file 5 th Principle

35. Retention of data Legal obligations to hold data? Customer files –Do you need to hold all that data? Personnel files –Revenue requirement? Must have policy thought through –Defend retention as necessary for purpose. 6 th Principle

36. Retention – HR files When employees leaves/retires, employer might have long term need to hold onto certain data –Dates of employment –Positions held –Tax record –Injuries But other data has no purpose beyond the time an ex-employee might seek a reference –Assessments & evaluations 6 th Principle

37. Retention – Query files Inquiries may be logged and retained for short period in case they develop into substantive files But if issue doesn’t develop, file should be reviewed –If no purpose, delete file –May retain anonymised details for statistical purposes 6 th Principle

38. Retention – Financial record E-government may result in credit card details being collected and retained May make future transactions easier and more secure Can only be retained with customer consent! 6 th Principle

39. Security Procedures Security measures  Appropriate security measures Appropriate to the harm that might result.. Appropriate to the nature of the data  May have regard to cost of implementation  May have regard to the current state of technology  Staff must know and comply with measures  Internal review of security measures-part of Internal Audit function ? 7 th Principle

40. Data Protection Training. Obligation on employer to ensure staff are aware of data protection security obligations (especially access). –Training –Can be satisfied by a simple circular in some cases, by a formal course in others

41. Data Processors Agents and sub-contractors There must be a written contract in place Data Controller must take reasonable steps to ensure compliance with security measures

42. Security - practical Security standard should be reviewed - if the types of data being processed are changed; - if the organisation’s resources increase; - at least on an annual basis to see if new measures may be employed - state sector can’t plead poverty – must be at leading edge

43. Security - practical Access to data should be on a need to know basis Access controls should be known about, enforced and reviewed

44. Security – case study Lottery winner wins €100million+ Her file in Dept of Social & Family Affairs is viewed by large number of Dept’s staff shortly after win Dept immediately identify unusual traffic and identify staff involved

45. Rights of Individuals o To have data processed in accordance with principles o To get a copy of personal information o To correct information if it is wrong o To opt out of direct marketing o To complain to the Data Protection Commissioner 8 th Principle

46. Access Requests Section 14 –exceptions section 19. Availability of material subject to receipt of an Access Request May question: –Relevance –Excessive nature –Retention, etc

47. Scope of Access Request Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

48. Opinion given in confidence Exempt from an access request if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. This is useful when giving references

49. Exempt from Access Requests  Data relating to a criminal investigation  Includes disciplinary investigations  a claim of liability  Data covered by legal privilege

50. Access – Disciplinary Investigation  Exempt if access would prejudice investigation  No longer exempt after investigation has concluded

51. Employee Access Rights  Same rights as any data subject  Not all documents with employee name are personal data  Authoring document in work capacity does not mean that document is personal.

52. Access Requests - Resources  Should not require significant resources  Low rate of requests in general  Retention principle should encourage deletion of data on a regular basis, thus limiting the amount of data to be searched

53. Access Requests - Practical  Staff should be able to identify a subject access request when one is received  Necessary because of deadline  Ideally, have an identified point of contact within Dept to handle requests

54. Structured files  Must be able to search files  By name of data subject?  By other reasonable identifier?  By date/file reference supplied by data subject  Electronic records easier to search than manual records

55. Enforced subject access  An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment  Police and credit records cannot be accessed unless by law

56. Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

57. Right to correct/erase Personal data must be: –Corrected, if inaccurate; or –Deleted, if should not be held (very rare). Should not be a significant issue if organisation well run –May get DS complaining about data being held

58. Direct Marketing Commonest topic for complaints –So expect people will complain Must be able to administer a “do not mail” list/suppression file Must tell DS source of data Government Information campaigns are direct marketing

59. Public Register Describe Data handling practices –PurposeTransfers abroad –Type of data Disclosures Public: transparency and openness Will involve careful thought initially, but little ongoing resources

60. Why Register?  Is a legal obligation  But also a very useful way for Data Protection Commissioner to interact with Data Controllers  Helps Data Controllers focus on Data Protection at time of registration

61. Frequently Asked Questions

62. How must an Access Request be handled? Quickly, within 21 days Ensure you are dealing with correct DS – Identity documents Can ask DS to restrict search Can ask DS if he/she would be satisfied with viewing file

63. Can an employer monitor staff? Yes, depending on the conditions of any in- house policy document. Monitoring should be proportionate and as least intrusive as possible. Examination of e-mail content, web profiles should be done in context of disciplinary inquiry.

64. Can monitoring occur without employee consent? Whilst transparency is fundamental to the fair obtaining principle, consent is not always required. Where the employer can rely on the legitimate interest provision, consent is not required.

65. What about covert surveillance? Not generally permitted However, if investigating serious matter, limited, focused short term covert monitoring may be allowed Exceptional circumstances only

66. Can I get a copy of my personnel file? You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes. Opinions given in confidence may be withheld.

67. Can I outsource data? No difficulty if you use a contract with your data processor. If you transfer data outside the EEA, will have to meet certain conditions. So, may have to review current and planned use of data processors. You should also be aware of your role in insuring agents behave appropriately.

68. Can I put employee details on website? Certain details may be appropriate – Name, position, contact details, special training Other details are not necessary – Photographs, salary, family details

69. Thank you for listening