
Data Protection and the Voluntary Sector: Respecting the Rights of the Individual. Billy Hawkes, Data Protection Commissioner. Carmichael Centre, Dublin, 2 November 2010

Presentation transcript:

1 Data Protection and the Voluntary Sector: Respecting the Rights of the Individual
Billy Hawkes, Data Protection Commissioner
Carmichael Centre, Dublin, 2 November 2010

2 Presentation Outline
- Why Data Protection?
- What are our Responsibilities?
- Data Protection Commissioner
- Good Practice
- Voluntary Sector: Some Issues

3 Data Protection: a Human Right
- Part of the Right to Personal Privacy
- Personal Privacy: necessary in a Democratic Society (but not absolute)
- Data Protection: Fundamental Right under EU Law
- EU and Irish law on Data Protection
  - Data Protection Acts 2008 & 2003; Electronic Privacy Regulations 2003 & 2008

4 EU Charter of Fundamental Rights: Article 8 (Protection of personal data)
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

5 Presentation Outline (section divider: What are our Responsibilities?)

6 The Data Protection Rules
1. Fair obtaining & processing (consent)
2. Specified purpose
3. No disclosure unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

7 Rights and Obligations
- Rights of the “data subject” (= identifiable, living individual) to control the use of their “personal data”
  - Data Subject: volunteers, employees, customers/clients
  - Personal Data: anything that can be linked to a living individual (databases, lists, CCTV)
- Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
  - Usually a corporate entity, e.g. a Charitable Organisation; NOT the individual employee or volunteer

8 Rights of Individuals
- To fairness when giving information
- To get a copy of their personal information (includes both computer and manual files)
- To have wrong information corrected
- To opt out of marketing (includes mail & phone)
- To complain to the Data Protection Commissioner

9 Obtain & Process Fairly (Rule 1)
One of these conditions is required:
- Consent (self or parent etc.)
- Legal obligation
- Contract with the individual
- Necessary to protect the vital interests of the individual
- Necessary for a public function (Justice)
- Necessary for the “legitimate interests” of the organisation or a third party, balanced against the rights of the individual

10 Responsibilities on Organisations (Data Controllers) at the different stages
- Beginning: Getting the Data
- Middle: While you have the data
- End: Disposing of data

11 Responsibilities at the different stages (Beginning: Getting the Data; Middle: While you have the data; End: Disposing of data)
- Inform and get consent
- Justification to process
- Respond to access requests
- Specify purpose
- Only gather what is required
- Keep accurate
- Keep secure and dispose securely
- Disclose only if compatible or allowable exception
- Have a retention policy

14 Sensitive Data (special protection)
- Physical or mental health
- Racial origin
- Political opinions
- Religious or other beliefs
- Sexual life
- Criminal convictions
- Alleged commission of an offence
- Trade Union membership

15 Keep Safe and Secure (Rule 4)
- Appropriate security measures
  - Appropriate to the harm that might result
  - Appropriate to the nature of the data
  - May have regard to the cost of implementation
  - May have regard to the current state of technology
- Staff/volunteers must know and comply with the measures

16 Data Protection Training
- Obligation on the organisation to ensure staff are aware of data protection obligations
- Training

17 Retain no longer than necessary (Rule 7)
- Legal obligations to hold data?
- Customer/Client files: do you need to hold all that data?
- Customers? Volunteers? Supporters? Employees?
- Must have a policy thought through
- Defend retention as necessary for the purpose

18 Right of Access
- Every data subject has a right to request and receive a copy of ALL personal data in ALL forms relating to her/him (only) held by a data controller
- Maximum 40 days to respond
- Maximum charge of €6.35 (includes photocopying etc.)

19 Right to opt out of direct marketing
- Data subject may opt out of a direct marketing database (e.g. a mailing list)
- Data controller must delete the data subject’s details (or stop using them for direct marketing)
- Data controller must reply within 40 days

20 Electronic Marketing
- SMS and e-mail unsolicited marketing banned
- Phone marketing banned if:
  - Customer on National Directory Database ‘opt-out’ list
  - Has specifically asked not to be contacted
- Non-compliance is a criminal offence

21 Data Processors (agents and sub-contractors)
- There must be a written contract in place
- Data Controller must take reasonable steps to ensure compliance with security measures

22 Presentation Outline (section divider: Data Protection Commissioner)

23 Role of Data Protection Commissioner (standard throughout EU)
- Enforcer Role: compliance by data controllers & processors
- Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
- Educational Role: promotes DP rights and good practice
- Registration Authority: obligation on major holders of personal data to be placed on a public register

24 How does the (Irish) DPC fulfil its role?
- Investigations/Audits
  - Arising from complaints
  - On own initiative
- Maintains public register
- Codes of Practice
- Guidance booklets, website, presentations, advice, Annual Report

25 General Approach of DPC
- Strong emphasis on Education
- Supportive of compliant data controllers
- Alert to issues arising from Complaints
  - Emphasis on Right of Access
  - Addressing the “big picture”
- Target problem data controllers
  - Use full powers
- Work with other Regulators

26 Complaints 2009
- 914 formal complaints
- Many more enquiries dealt with informally
- Most resolved amicably

  Type                 %
  Direct Marketing*   30
  Access Rights       29
  Disclosure          17
  Unfair Obtaining     5
  Security             4

  * Mainly electronic (SMS etc.)

27 Presentation Outline (section divider: Good Practice)

28 Good Practice: General
- Transparent and balanced approach to collecting and using personal data
- Build DP in early in systems and policy proposals
- People informed about data collection and use (privacy notices on websites etc.)
- Consult DPC guidance (www.dataprotection.ie)

29 Good Practice: Audit
- Do we know what types of personal data we hold?
  - Electronically (also CCTV images)
  - Paper
- Can we justify:
  - Why we collect it?
  - What it is used for?
  - The length of time we hold it?
  - Who has access to it?
  - Who it is disclosed to?

30 Good Practice: Access & Correction Requests
Can we:
- Provide a description of the personal data we hold on an individual within a max. of 20 days?
- Provide a copy of this data within a max. of 40 days?
- Correct or erase data within 40 days?

31 Good Practice: Security
- Access Controls
  - Internal
  - External
  - Audit Trails
- Vulnerabilities
  - Portable Devices
- Passwords AND encryption

32 Good Practice: Disposal
- Do not retain personal data for any longer than can be objectively justified: clear policy
- Comply with legal retention obligations
- Orderly and secure disposal of old records

33 Good Practice: People
- Does everyone handling personal data know their responsibilities under Data Protection Law?
- Is this routinely included in training/induction?
- Are procedures for handling personal data properly documented?
- Are DP compliance responsibilities clearly allocated?

34 Good Practice: When things go wrong...
- Have a clear plan: what will you do if there is a security breach?
- Notify DPC and customers
  - Anticipate legislation
- Tell customers/clients how you intend to remedy any damage done to their interests

35 Presentation Outline (section divider: Voluntary Sector: Some Issues)

36 Who is the “Data Controller”?
- “A person who, either alone or with others, controls the contents and use of personal data”
- Voluntary Organisation, national umbrella-body
- Not the individual employee or volunteer
  - Organisation accountable for how it handles personal data
  - Organisation needs to demonstrate it is taking this responsibility seriously: training, security measures

37 Membership Information
- Only collect information you need
  - Explain how information will be used
  - Privacy Statement if via website
  - Extra care for sensitive information (e.g. health)
- Only for the Organisation’s legitimate use
  - Any other use or disclosure (e.g. 3rd party marketing) normally needs consent
- OK if legal obligation (e.g. Revenue Commissioners)
- Use BCC for membership e-mails
- Delete/Update as necessary

38 Fund-Raising (1)
- Subject to rules governing Marketing
- Post: OK to (i) businesses, (ii) current members/supporters, (iii) other individuals where the information is from a public source (e.g. Edited Electoral Register)
- Individuals have the right to say STOP

39 Fund-Raising (2)
- Phone/Fax
  - ILLEGAL if individual or business is on the NDD (need to check) unless current member/supporter
  - ILLEGAL if individual or business has objected

40 Fund-Raising (3)
- E-Mail/SMS
  - OK to current members/supporters assuming they were provided with an opportunity to object to this use at the time their details were collected (message must still include STOP option)
  - OK to business (but must include STOP option)
  - Otherwise ILLEGAL

41 Help-Lines
- Recording/Monitoring
  - Need to justify and tell the caller at the beginning
- Noting Client Information
  - If for analysis/statistics, use general categories: anonymise
  - Avoid collecting identifying information unless follow-up is essential; explain to the caller
  - Do NOT seek PPSN

42 Data Security
- Responsibility of the Organisation
- Law says the level of security must be appropriate to the harm that might result from loss etc. and to the nature of the data
  - Higher security for e.g. financial and health data
- Try to avoid storage on home PCs
  - Danger of access by family members etc.
  - Data should be encrypted
  - Option of a secure central on-line database

43 Garda Vetting
- Sensitive data
- Done on the basis of individual consent
- Limit retention of “raw” data
  - Remember the Garda will be retaining the data

44 Child & Vulnerable Adult Protection
- Duty to report suspected abuse to Garda, HSE
  - Does not require individual consent
  - “Need to know” basis within the organisation

45 Further Guidance
www.dataprotection.ie
