DATA PROTECTION and Research

University Research Ethics Committee – 30.05.2008

David Cauchi

Office of the Commissioner for Data Protection

Upload: julia-coleson

Post on 30-Mar-2015



Data Protection Act

General Provisions

Processing for Research Purposes

Procedure agreed with UREC

ORIGIN

Council of Europe – ETS 108 Convention on the protection of individuals with regard to automatic processing of personal data

Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Data Protection Act (CAP. 440)

WHAT IS DATA PROTECTION ACT?

An Act that makes provision for the protection of individuals against the violation of their privacy rights by the processing of personal data.

Key Terms in Data Protection

PERSONAL DATA

“…any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

DPA Art. 2

SENSITIVE PERSONAL DATA

“…personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life;”

DPA Art. 2

PROCESSING

“…includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data”

DPA Art. 2

CONSENT

“…any freely given, specific and informed indication of the wishes of the data subject by which he signifies his agreement to personal data relating to him being processed”

DPA Art. 2

Criteria for Processing

CRITERIA FOR PROCESSING

PERSONAL DATA

DPA Article 9

1. Unambiguous consent or

2. Contract performance or

3. Legal obligation or

4. Vital interests of data subject or

5. Public Interest / Official Authority or

6. Legitimate interest

SENSITIVE PERSONAL DATA

DPA Articles 12 & 13

1. Explicit Consent

2. Subject made data public

3. Conditions of employment

4. Vital Interests & data subject incapable of giving consent

5. Legal claims

Data Protection Principles

THE NINE PRINCIPLES for ‘good information handling’

Personal Data to be:

1. processed fairly and lawfully

2. processed in accordance with good practice

3. collected for specific, explicitly stated & legitimate purposes

4. processed for reasons compatible with the purpose it was collected

5. adequate and relevant to the processing purpose

6. not more than required for the processing purpose

7. correct and, if necessary, up to date

8. rectified

9. not kept for longer than necessary for the processing purpose

DPA Art. 7

Rights of Data Subjects

RIGHTS OF DATA SUBJECTS (1)

INFORMATION TO DATA SUBJECT

The data subject should be informed with at least the following:

a) identity and habitual residence or principal place of business of controller;

b) purposes of processing;

c) any further information such as:

i) recipients or categories of recipients of data

ii) whether reply to any questions is obligatory or voluntary, and possible consequence of failure to reply

iii) existence of right of access, right to rectify and where applicable right to erase data.

DPA Art. 19

RIGHTS OF DATA SUBJECTS (2)

RIGHT OF ACCESS

Request of Data Subject must be:

at reasonable intervals

in writing

signed by data subject

Data Controller to provide:

without excessive delay

without expense

written information in an intelligible form

DPA Art. 21

RIGHTS OF DATA SUBJECTS (3)

RECTIFICATION

The Data Subject may request rectification, blocking or erasure of his personal data.

If the request is justified, the Data Controller shall

rectify, block or erase such personal data accordingly.

notify third parties about such an event, unless this involves a disproportionate effort.

DPA Art. 22

Security Measures

APPROPRIATE SAFEGUARDS

These include:

Access controls to information

e.g. passwords, access rights/privileges, encryption etc.

Physical Security safeguards

e.g. locking of file cabinets, computers, offices etc.

Awareness

Processing For Research Purposes

DATA PROTECTION IN RESEARCH

THE DATA PROTECTION ACT APPLIES WHEN:

Research is about individuals

Research involves personal data

Individuals are identifiable

PROCESSING CONCERNING RESEARCH

Sensitive Personal Data may be processed for Research Purposes:

On Public Interest grounds

With the approval of the Commissioner, on the advice of a Research Ethics Committee

DPA Art 16

PROCESSING CONCERNING RESEARCH

Specific Data Protection matters in research include:

Personal and Sensitive Data

Identifiable VS Anonymous Data

Consent – When do I need consent??

Dealing with children and vulnerable persons

Retention of Data

DPA Art 16

CREATING THE RIGHT BALANCE

BETWEEN:

RIGHTS OF PRIVACY OF INDIVIDUAL

NEED TO CARRY OUT RESEARCH

Procedure agreed with UREC

PROCEDURE (1)

RESEARCH INVOLVING SENSITIVE PERSONAL DATA

Proposal Form for ethical approval is submitted by researcher

Research Proposals are examined by the Faculty Research Ethics Committee and by the UREC

Approval is given if proposals are satisfactory

Approval from the UREC is deemed to be an adequate advice for the approval by the Commissioner

Researcher may proceed with the project once this is approved by the UREC

PROCEDURE (2)

A list of approved projects is periodically forwarded to the Commissioner for final approval

The UREC may always consult the Commissioner in case of problems with particular projects

OBJECTIVES

Allow the researcher ample time to proceed with the study

The Researcher is not required to obtain an approval directly from the Commissioner

PROPOSAL FORM

INCLUDES

Data Protection Principles

Rights of Data Subjects

OBJECTIVES

Inform researchers and ensure that these principles and rights are respected

It is important that all faculties use the same form in order to provide the same conditions and information to students

FURTHER INFORMATION

Office of the Commissioner for Data Protection

E-Mail: [email protected]

Website: www.dataprotection.gov.mt

THANK YOU!

Floor is open for discussion