Data Protection and Records Management

Upload: lesley-bishop

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Data Protection and Records Management. Key Responsibilities - Record Management Keep Information Accurate Disclose only if compatible with purpose for

Data Protection and Records Management

Page 2: Key Responsibilities - Record Management

• Keep information accurate
• Disclose only if compatible with the purpose for which it was given
• Keep secure
• Have a retention policy
• Dispose and retain in line with the retention policy

Page 3: 1. Accurate

• Good business practice
• Best achieved at the point of collection
• An ongoing requirement if the data are intended to be used
• Ask the data subject if needed

Page 4: 2. Non-Disclosure

• General rule: no disclosure for a different purpose
• Exceptions are made to balance other interests of society
• Stricter conditions for sensitive data
• Main exceptions: investigation of crime; collection of taxes; security of the State; protecting life and limb; required by law; international relations; consent

Page 5: 2. Non-Disclosure

• The Data Controller should have a policy in place to determine how requests for data from third parties are handled
• This policy should be consulted by the appropriate staff members

Page 6: 3. Keep secure

• Internal access controls: physical and technical
• Tracking of activity on files, to see whether the access was appropriate
• Internet connectivity/networks: anti-virus software, firewalls, encryption
• Access on a need-to-know basis and relevant to the purpose
• Third-party interception

Page 7: 3. Keep secure

• Accidental disclosure to third parties: a PC in a public area, a non-secure fax
• External: robust encryption, online forms, technical measures
• Audit trails, reviews, logs, unusual events
• Manual files!
• The individual is the biggest risk; NB training
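The two "Keep secure" slides ask for tracking of activity on files to see whether it was appropriate, access limited to need-to-know and the stated purpose, and review of audit trails and logs for unusual events. The script below is an added example, not code from the deck, of what such a review looks like when run over a file-access audit trail. The log format, the user roles, the record categories, the per-role need-to-know policy and the bulk-access threshold are all constructed for illustration; substitute the purpose specification your own organisation has written down for each role.

```python
"""Review a file-access audit trail for access outside a role's purpose
and for unusual activity. Added example; the log lines, roles, record
categories and thresholds below are constructed, not taken from any system."""
from collections import defaultdict
from datetime import datetime

# Constructed policy: the record categories each role has a purpose for.
# Anything else is not "need to know" for that role.
ROLE_NEED_TO_KNOW = {
    "hr": {"personnel"},
    "finance": {"customer", "payroll"},
    "support": {"customer"},
}

# Constructed threshold: distinct records one person may open in a clock
# hour before the activity is listed as unusual and sent for review.
BULK_THRESHOLD = 3

# Constructed audit trail, one event per line:
# timestamp user role action category record_id
SAMPLE_LOG = """\
2016-01-03T09:00:12 alice hr READ personnel P-1001
2016-01-03T09:05:40 alice hr READ customer C-2001
2016-01-03T09:10:02 bob support READ customer C-2002
2016-01-03T09:11:15 bob support READ customer C-2003
2016-01-03T09:12:30 bob support READ customer C-2004
2016-01-03T09:13:44 bob support READ customer C-2005
2016-01-03T10:30:00 carol finance READ payroll Y-3001
2016-01-03T10:31:00 carol finance EXPORT payroll Y-3001
"""


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, category, record_id = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "category": category, "record_id": record_id,
        })
    return events


def need_to_know_violations(events, policy=ROLE_NEED_TO_KNOW):
    """Events touching a category the user's role has no purpose for."""
    return [e for e in events if e["category"] not in policy.get(e["role"], set())]


def bulk_access(events, threshold=BULK_THRESHOLD):
    """(user, hour) pairs where more than `threshold` distinct records were opened."""
    seen = defaultdict(set)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        seen[(e["user"], hour)].add(e["record_id"])
    return {key: len(ids) for key, ids in seen.items() if len(ids) > threshold}


def exports(events):
    """Any EXPORT: data leaving the system, and with it the internal access controls."""
    return [e for e in events if e["action"] == "EXPORT"]


def review(text):
    """Run all three checks and return the findings in a form a reviewer can act on."""
    events = parse_log(text)
    return {
        "need_to_know": [(e["user"], e["record_id"]) for e in need_to_know_violations(events)],
        "bulk": {f"{user}@{hour.isoformat()}": n for (user, hour), n in bulk_access(events).items()},
        "exports": [(e["user"], e["record_id"]) for e in exports(events)],
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(finding, items)
```

In the constructed trail, alice (HR) reading a customer record is outside her role's purpose, bob opening four customer records in one hour exceeds the threshold, and carol's export of a payroll record is listed because an export takes the data outside the internal controls. The checks are driven by the purpose recorded for each role, not by who happens to hold the file.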

Page 8: 4. Retention Policy

• Legal obligations to hold data?
• Customer files: do you need to hold all that data?
• Personnel files: Revenue requirement?
• Must have a policy thought through; defend retention as necessary for the purpose

Page 9: 4. Retention Policy - Public Bodies

• Overlap between the data protection rights of identifiable persons and the obligation to keep data for passing to the National Archives in 30 years
• Balance between the rights of the person and the public interest
• Option of Regulations under the DP Acts specifying the appropriate period that such records may be held

Page 10: 5. Follow Retention Policy

• A method appropriate to each organisation to review files
• Assign responsibility
• Reporting structure
• Delete personal data that is outside the terms of the policy
• Keep a record of deletions
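Pages 8 to 10 together describe one procedure: a retention period per class of record that can be defended as necessary for the purpose, a method for reviewing files, deletion of personal data that falls outside the policy, and a record of the deletions. The script below is an added example of that sweep, not code from the deck. The retention periods, the sample records, the legal-hold flag, the sweep date and the hash-chained deletion record are constructed assumptions; the periods in particular are placeholders, not any statutory requirement.

```python
"""Retention sweep: delete records whose retention period has expired and
keep a tamper-evident record of each deletion. Added example; the policy
figures, records and dates below are constructed for illustration."""
import hashlib
import json
from datetime import date, timedelta

# Constructed policy: days each category may be held, counted from the
# retention start date (e.g. the end of the customer relationship).
# A category with no entry has no defended period yet, so the sweep
# reports it for review instead of deleting or silently keeping it.
RETENTION_DAYS = {
    "customer": 365 * 6,    # constructed figure
    "personnel": 365 * 7,   # constructed figure
    "marketing": 365 * 2,   # constructed figure
}

# Constructed record index: id -> metadata (the personal data itself lives elsewhere).
SAMPLE_RECORDS = {
    "C-2001": {"category": "customer", "retention_start": "2008-06-30", "legal_hold": False},
    "C-2002": {"category": "customer", "retention_start": "2014-01-15", "legal_hold": False},
    "C-2003": {"category": "customer", "retention_start": "2007-03-01", "legal_hold": True},
    "P-1001": {"category": "personnel", "retention_start": "2005-12-31", "legal_hold": False},
    "M-4001": {"category": "marketing", "retention_start": "2013-01-01", "legal_hold": False},
    "X-9001": {"category": "uncategorised", "retention_start": "2001-01-01", "legal_hold": False},
}

# Constructed date on which the sweep is run.
SAMPLE_TODAY = date(2016, 1, 3)
GENESIS = "0" * 64  # previous-hash value for the first deletion entry


def expiry_date(record, policy=RETENTION_DAYS):
    """Date on which the record falls outside policy, or None if no period is defined."""
    days = policy.get(record["category"])
    if days is None:
        return None
    return date.fromisoformat(record["retention_start"]) + timedelta(days=days)


def classify(records, today, policy=RETENTION_DAYS):
    """Sort records into delete / keep / hold (legal hold) / review (no policy)."""
    result = {"delete": [], "keep": [], "hold": [], "review": []}
    for rid, rec in sorted(records.items()):
        exp = expiry_date(rec, policy)
        if exp is None:
            result["review"].append(rid)
        elif rec["legal_hold"]:
            result["hold"].append(rid)   # expired or not, a hold overrides deletion
        elif exp <= today:
            result["delete"].append(rid)
        else:
            result["keep"].append(rid)
    return result


def sweep(records, today, owner, policy=RETENTION_DAYS):
    """Delete expired records in place and return (plan, deletion_log).

    Each log entry names the record, the policy basis for deleting it, the
    date and the responsible person, and is chained to the previous entry
    by SHA-256 so that a later edit to the record of deletions is detectable."""
    plan = classify(records, today, policy)
    log, prev = [], GENESIS
    for rid in plan["delete"]:
        rec = records.pop(rid)
        entry = {
            "record_id": rid,
            "category": rec["category"],
            "basis": f"{policy[rec['category']]} days from {rec['retention_start']}",
            "deleted_on": today.isoformat(),
            "deleted_by": owner,
            "prev": prev,
        }
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        prev = entry["hash"]
        log.append(entry)
    return plan, log


def verify_log(log):
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    store = {k: dict(v) for k, v in SAMPLE_RECORDS.items()}
    plan, log = sweep(store, SAMPLE_TODAY, "records-officer")
    print(plan)
    print("deletion log intact:", verify_log(log))
```

On the constructed data the sweep deletes the customer, personnel and marketing records whose periods have run, keeps the one still within period, leaves the record under legal hold untouched, and lists the uncategorised record for review because no retention period has been defended for it. Keeping the "review" and "hold" outcomes explicit is the point: a sweep that quietly keeps anything it cannot classify re-creates the over-retention the policy exists to stop, and one that deletes it cannot be defended either.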

Page 11: Key Information Points

• Right of Access
• Right of Correction/Erasure
• Manual Data Exemption

Page 12: Right of Access

• A fundamental right granted to individuals as a means of giving them control over how their data are processed (transparency)
• Applies to all manual and electronic records in existence at the time of receipt of an access request, regardless of when the record was created

Page 13: Right of Access

• Every person has the right to access their data held by any organisation, subject to the very limited exemptions outlined in Sections 4 & 5 of the Data Protection Acts
• The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce it

Page 14: Right of correction/erasure

• Section 6 of the Act
• Data Subject makes a written request
• Personal data must be: corrected, if inaccurate; or deleted, if it should not be held
• Data Controller has 40 days to respond
• No fee

Page 15: Manual Data - Process Fairly

One of these conditions is required:
• Consent
• Legal obligation
• Contract with the individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for 'legitimate interests'

Page 16: Manual Data - Process Sensitive Data Fairly

One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Processing the data of members/clients of non-profit organisations
• Legal advice
• For medical purposes
• Statutory function