Data Protection and Records Management
Key Responsibilities - Record Management
• Keep information accurate
• Disclose only if compatible with the purpose for which the information was given
• Keep secure
• Have a retention policy
• Retain and dispose of records in line with the retention policy
1. Accurate
• Good business practice
• Best achieved at the point of collection
• An ongoing requirement for as long as the data is intended to be used
• Ask the data subject if needed
2. Non-Disclosure
• General rule: no disclosure for a different purpose
• Exceptions are made to balance other interests of society
• Stricter conditions apply to sensitive data
• Main exceptions: investigation of crime; collection of taxes; security of the State; protection of life and limb; required by law; international relations; consent
2. Non-Disclosure (continued)
• The Data Controller should have a policy in place that determines how requests for data from third parties are handled
• The appropriate staff members should consult this policy before responding to such a request
3. Keep Secure
• Internal access controls: physical and technical
• Tracking of activity on files, to see whether each access was appropriate
• Internet connectivity and networks: anti-virus software, firewalls, encryption
• Access on a need-to-know basis and relevant to the purpose
• Third-party interception
3. Keep Secure (continued)
• Accidental disclosure to third parties: a PC in a public area, a non-secure fax
• External: robust encryption, online forms, technical measures
• Audit trails, reviews, logs, unusual events
• Manual files!
• The individual is the biggest risk: NB training
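The "tracking of activity on files" and "audit trails, reviews, logs, unusual events" points above are only useful if someone actually reviews the trail against the need-to-know rule. The following is an added example, not code from the original slides: a small reviewer that reads a constructed audit trail (the log format, the role-to-record-type matrix, the business hours and the bulk-access threshold are all assumptions for illustration) and flags three things a records officer would want to see: access to a record type outside the role's purpose, access outside business hours, and one user opening many distinct records in a short window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail, not real data. Hypothetical one-event-per-line format:
# <ISO timestamp> <user> <role> <action> <record type> <record id>
SAMPLE_AUDIT_TRAIL = """\
2024-03-04T09:12:03 jsmith payroll READ personnel P-1042
2024-03-04T09:12:40 jsmith payroll READ personnel P-1043
2024-03-04T10:05:11 mkelly sales READ customer C-2001
2024-03-04T10:07:52 mkelly sales READ personnel P-1042
2024-03-04T23:41:09 tbyrne support READ customer C-2001
2024-03-04T23:41:12 tbyrne support READ customer C-2002
2024-03-04T23:41:15 tbyrne support READ customer C-2003
2024-03-04T23:41:19 tbyrne support READ customer C-2004
2024-03-04T23:41:22 tbyrne support READ customer C-2005
2024-03-04T23:41:26 tbyrne support READ customer C-2006
"""

# Hypothetical need-to-know matrix: the record types each role's purpose covers.
NEED_TO_KNOW = {
    "payroll": {"personnel"},
    "sales": {"customer"},
    "support": {"customer"},
}

BUSINESS_HOURS = (8, 18)     # accesses outside 08:00-18:00 are reviewed (assumed hours)
BULK_WINDOW_SECONDS = 300    # ...as is one user opening >= BULK_THRESHOLD distinct
BULK_THRESHOLD = 5           # records inside this window (assumed threshold)


def parse_audit_trail(text):
    """Parse the constructed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, rtype, rid = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "action": action, "rtype": rtype, "rid": rid})
    return sorted(events, key=lambda e: e["ts"])


def review_access(events, need_to_know=NEED_TO_KNOW):
    """Return findings grouped by category; an empty list means nothing to review."""
    findings = {"OUT_OF_PURPOSE": [], "OUT_OF_HOURS": [], "BULK_ACCESS": []}
    for e in events:
        # Need-to-know: the record type must be relevant to the role's purpose.
        if e["rtype"] not in need_to_know.get(e["role"], set()):
            findings["OUT_OF_PURPOSE"].append(e)
        # Unusual event: access outside business hours.
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings["OUT_OF_HOURS"].append(e)
    # Unusual event: many distinct records opened by one user in a short window.
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        window = []
        for e in evs:
            window.append(e)
            while (e["ts"] - window[0]["ts"]).total_seconds() > BULK_WINDOW_SECONDS:
                window.pop(0)
            if len({w["rid"] for w in window}) >= BULK_THRESHOLD:
                findings["BULK_ACCESS"].append({"user": user, "first": window[0]["ts"],
                                                "last": e["ts"], "records": len(window)})
                break  # one finding per user is enough for the reviewer
    return findings


if __name__ == "__main__":
    for category, items in review_access(parse_audit_trail(SAMPLE_AUDIT_TRAIL)).items():
        print(category, len(items))
        for item in items:
            print("   ", item)
```

On the sample trail this flags the sales user reading a personnel file (outside purpose), all of the support user's accesses as out of hours, and that same user as a bulk-access event. The need-to-know matrix is the important part: without a written statement of which roles may see which record types, "appropriate" cannot be checked mechanically, and the review collapses into reading the whole log by hand.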
4. Retention Policy
• Are there legal obligations to hold the data?
• Customer files: do you need to hold all that data?
• Personnel files: is there a Revenue requirement?
• The policy must be thought through, so that retention can be defended as necessary for the purpose
4. Retention Policy - Public Bodies
• Overlap between the data protection rights of identifiable persons and the obligation to keep data for passing to the National Archives in 30 years
• Balance between the rights of the person and the public interest
• Option of Regulations under the DP Acts specifying the appropriate period for which such records may be held
5. Follow Retention Policy
• A method, appropriate to each organisation, for reviewing files
• Assign responsibility
• Reporting structure
• Delete personal data that is outside the terms of the policy
• Keep a record of deletions
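Steps 4 and 5 together describe one procedure: a written schedule per record category, a review that applies it, deletion of what falls outside it, and a record of each deletion. The following is an added example, not the slides' own material: a minimal retention run over a constructed inventory. The record categories, the retention periods and their stated purposes, and the "legal hold" flag are illustrative assumptions, not legal advice; the real periods come from the organisation's own policy. It also handles the two cases a reviewer must not get wrong: a record on legal hold is kept past its expiry but the decision is recorded, and a record with no policy at all is kept but flagged, because retention that no policy covers cannot be defended.

```python
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class Record:
    record_id: str
    category: str
    closed_on: date            # date the retention clock starts (file closed, contract ended, ...)
    legal_hold: bool = False   # e.g. needed for litigation or an investigation: never auto-deleted
    content: bytes = b""       # stand-in for the file itself


# Hypothetical retention schedule: category -> (years to retain, purpose that justifies it).
# Illustrative periods only; the real schedule is the organisation's own policy.
RETENTION_SCHEDULE = {
    "customer": (7, "contract and audit"),
    "personnel": (6, "employment records; Revenue requirement"),
    "marketing": (2, "consent-based contact list"),
}


def retention_expiry(rec, schedule=RETENTION_SCHEDULE):
    """First date on which the record is outside the policy."""
    years, _ = schedule[rec.category]
    try:
        return rec.closed_on.replace(year=rec.closed_on.year + years)
    except ValueError:  # 29 February rolled forward into a non-leap year
        return rec.closed_on.replace(year=rec.closed_on.year + years, day=28)


def apply_retention_policy(records, today, schedule=RETENTION_SCHEDULE,
                           operator="records-officer"):
    """Return (kept, register). Expired records are deleted unless on legal hold;
    every decision that needs evidence or follow-up goes into the register."""
    kept, register = [], []
    for rec in records:
        if rec.category not in schedule:
            # No rule means the organisation cannot defend holding it: keep, but flag for review.
            kept.append(rec)
            register.append({"record_id": rec.record_id, "category": rec.category,
                             "action": "REVIEW_NO_POLICY", "on": today.isoformat(),
                             "by": operator})
            continue
        expiry = retention_expiry(rec, schedule)
        if expiry > today:
            kept.append(rec)  # still within policy, nothing to record
        elif rec.legal_hold:
            kept.append(rec)
            register.append({"record_id": rec.record_id, "category": rec.category,
                             "action": "RETAINED_LEGAL_HOLD",
                             "expired_on": expiry.isoformat(),
                             "on": today.isoformat(), "by": operator})
        else:
            # The deletion record must prove that and why the file was deleted without
            # re-holding the personal data: a digest of the content, never the content.
            register.append({"record_id": rec.record_id, "category": rec.category,
                             "action": "DELETED", "basis": schedule[rec.category][1],
                             "expired_on": expiry.isoformat(), "on": today.isoformat(),
                             "by": operator,
                             "content_sha256": hashlib.sha256(rec.content).hexdigest()})
    return kept, register


# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    Record("C-2001", "customer", date(2015, 6, 30), content=b"customer file C-2001"),
    Record("C-2002", "customer", date(2020, 1, 15), content=b"customer file C-2002"),
    Record("P-1042", "personnel", date(2016, 3, 1), legal_hold=True, content=b"personnel P-1042"),
    Record("M-0007", "marketing", date(2021, 9, 9), content=b"marketing list entry"),
    Record("X-0001", "legacy", date(2010, 1, 1), content=b"unknown category"),
]
REVIEW_DATE = date(2024, 3, 4)

if __name__ == "__main__":
    kept, register = apply_retention_policy(SAMPLE_INVENTORY, REVIEW_DATE)
    print("kept:", [r.record_id for r in kept])
    for entry in register:
        print(entry)
```

The register deliberately holds only identifiers, the policy basis, dates, the operator and a content digest. A deletion log that copies the deleted file defeats the purpose of deleting it; a digest is enough to show later what was destroyed and under which rule, which is what "keep a record of deletions" has to be able to prove.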
Key Information Points
• Right of Access
• Right of Correction/Erasure
• Manual Data Exemption
Right of Access
• A fundamental right granted to individuals as a means of giving them control over how their data are processed: transparency
• Applies to all manual and electronic records in existence at the time an access request is received, regardless of when the record was created
Right of Access (continued)
• Every person has the right to access their data held by any organisation, subject to the very limited exemptions outlined in Sections 4 and 5 of the Data Protection Acts
• The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce it
Right of Correction/Erasure
• Section 6 of the Act
• The Data Subject makes a written request
• Personal data must be corrected if inaccurate, or deleted if it should not be held
• The Data Controller has 40 days to respond
• No fee
Manual Data - Process Fairly
One of these conditions is required:
• Consent
• Legal obligation
• Contract with the individual
• Necessary to protect vital interests
• Necessary for a public function (justice)
• Necessary for 'legitimate interests'
Manual Data - Process Sensitive Data Fairly
One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Processing the data of members/clients of non-profit organisations
• Legal advice
• For medical purposes
• Statutory function