Data Protection

Upload: chaz-whiteside

Post on 16-Dec-2015


Page 1: Data Protection. The Data Protection Rules 1.Fair obtaining & processing Consent 2.Specified purpose 3.No disclosure unless “compatible” 4.Safe and secure

Data Protection


The Data Protection Rules

1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access


Background

Data Protection Acts, 1998

The Acts create:

• RIGHTS for individuals
• RESPONSIBILITIES for users of personal data


Rights and Obligations

• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”

• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)


Definitions (1)

• Personal Data
  – Any data relating to a living identifiable individual
• Data
  – Automated data or structured manual data
• Manual Data
  – Structured by reference to individuals in a way that makes data readily accessible


Definitions (2)

• Data Controller
  – A person who controls the contents and use of personal data
• Data Processor
  – A person who processes personal data on behalf of a data controller


Definitions (3)

• Data Subject
  – An individual who is the subject of personal data
• Processing
  – Anything done with personal data, from collection to disposal


Sensitive Data (special protection)

• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Criminal convictions
• Alleged commission of offence
• Trade Union membership


Rights of Individuals

• to fairness when giving information
• to get a copy of their personal information – includes both computer and certain manual files
• to have wrong information corrected
• to opt out of marketing – includes mail & phone
• to complain to the Data Commissioner


Obtain & Process Fairly I

• Data controller must give full information about
  – identity
  – purposes
  – disclosees
  – any other data necessary for “fairness”
• Third party data controllers
  – must contact data subject to provide these details
  – must give name of original data controller

Rule 1


Obtain & Process Fairly II

One of these conditions required:

• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• necessary for ‘legitimate interests’

Rule 1


Processing Sensitive Data

One of these additional conditions is required:

• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Process the data of members/clients of non-profit orgs.
• Legal advice
• For Medical Purposes
• Statutory function

Rule 1


Disclosure Policy

• The Data Controller should have a policy in place to determine how requests for data from third parties are handled.

• This policy should be consulted by appropriate staff members


Keep Safe and Secure

Appropriate security measures

• Appropriate to the harm that might result
• Appropriate to the nature of the data

May have regard to cost of implementation

May have regard to the current state of technology

Staff must know and comply with measures

Internal review of security measures - part of Internal Audit function?

Rule 4


Security - practical

• Care must also be taken regarding paper records, especially sensitive or financial data.

• Ideally data not left in a way that non-relevant staff can access files.

• Attention paid to how visitors move around an office.


Data Protection Training

• Obligation on employer to ensure staff are aware of data protection obligations.
  – Training
• Policy.
  – A Code of Practice.
  – Person in charge


Accurate, Complete and Up-to-Date

• Longer personal data is held, more likely it will be inaccurate and out-of-date

• Right to have errors rectified (see later)

Rule 5


Relevant and not Excessive

• No right to ask for, or hold, information not relevant to service etc. being provided

• Challenge: why do you need all this personal data?

Rule 6


Retain no longer than necessary

• Legal obligations to hold data?
• Customer files
  – Do you need to hold all that data?
  – Payment records might have one retention period
  – Exam results might have longer retention period
  – Credit card details retained with consent
• Must have policy thought through
  – Defend retention as necessary for purpose.

Rule 7


Right of Access: Empowerment

The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Rule 8


Right of erasure

• Doesn’t apply if you have a lawful purpose in retaining data
  – Such as auditing or accreditation purposes