440 likes | 764 Views
Data Protection: Your Rights as a Data Subject. Data Protection: a Human Right. Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)
E N D
Data Protection: a Human Right • Part of Right to Personal Privacy • Personal Privacy : necessary in a Democratic Society • Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others) • Right protected by Irish Constitution and European Law
Fair obtaining & processing Consent Specified purpose No disclosure unless “compatible” Safe and secure Accurate, up-to-date Relevant, not excessive Retention period Right of access The Data Protection Rules
Background Data Protection Acts, 1988 & 2003 The Acts create:
Rights and Obligations • Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” • Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)
Definitions(1) • Personal Data • Any Data relating to a livingidentifiable individual • Data • Automated data or structured manual data • Manual Data • Structured by reference to individuals in a way that makes data readily accessible
Definitions(2) • Data Controller • a person who controls the contents and use of personal data • Data Processor • A person who processes personal data on behalf of a data controller
Definitions(3) • Data Subject • an individual who is the subject of personal data • Processing • Anything done with personal data, from collection to disposal
Sensitive Data (special protection) • Physical or mental health • Racial origin • Political opinions • Religious or other beliefs • Sexual life • Criminal convictions • Alleged commission of offence • Trade Union membership
Rights of Individuals • to fairness when giving information • to get a copy of their personal information – includes both computer and certain manual files • to have wrong information corrected • to opt out of marketing - includes mail & phone • to complain to the Data Commissioner
Rule 1 Obtain & Process Fairly I • Data controller must give full information about • identity • purposes • disclosees • any other data necessary for “fairness” • Third party data controllers • must contact data subject to provide these details • must give name of original data controller
Rule 1 Obtain & Process Fairly II One of these conditions required: • Consent • Legal obligation • Contract with individual • Necessary to protect vital interests • Necessary for a public function (Justice) • necessary for ‘legitimate interests’
Rule 1 Processing Sensitive Data One of these additional conditions is required • Explicit consent • Necessary under employment law • To prevent injury or protect vital interests • Process the data of members/clients of non-profit orgs. • Legal advice • For Medical Purposes • Statutory function
Rule 2 Specified Purpose • Part of obligations when obtaining to specify purpose • Cannot expand purpose without reverting to individual
General rule – no disclosure for different purpose Exceptions made, to balance other interests of society Section 8 exceptions Investigation of crime Collection of taxes Security of the State Protect life & limb Law or court order Legal advice and legal proceedings No general “public interest” test Rule 3 Disclose only if compatible
Rule 4 Keep Safe and Secure • Appropriate security measures • Appropriate to the harm that might result.. • Appropriate to the nature of the data • May have regard to cost of implementation • May have regard to the current state of technology • Staff must know and comply with measures • Internal review of security measures-part of Internal Audit function ?
Rule 5 Accurate, Complete and Up-to-Date • Longer personal data is held, more likely it will be inaccurate and out-of-date • Right to have errors rectified (see later)
Rule 6 Relevant and not Excessive • No right to ask for, or hold, information not relevant to service etc being provided • Challenge: who do you need all this personal data ?
Rule 7 Retain no longer than necessary • Legal obligations to hold data? • Customer files • Do you need to hold all that data? • Payment records might have one retention period • Exam results might have longer retention period • Credit card details retained with consent • Must have policy thought through • Defend retention as necessary for purpose.
Rule 8 Right of Access • applies to manual as well as computer files • data subjects are also entitled to know • purposes for which data is processed • persons to whom data are disclosed • the source of the data
Right of Access: Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
Scope of Access Request • Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created. • Copy of information must be provided in permanent form unless data subject agrees otherwise or this is impossible or involves disproportionate effort
What must be disclosed in an access request • Personal data held • purposes for processing data • persons to whom data are disclosed • the source of the data • subject to confidentiality safeguards • logic involved in automated decisions
Access Request - Procedure • Shall be in writing • Data Subject shall provide sufficient information to identify oneself • Data Controller shall comply within 40 days • May charge a fee up to €6.35
Opinions • Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. • References are not exempt in general • High threshold required • Work performance reports on colleagues are accessible • Interview notes-accessible
Exempt from Access Requests • Data relating to a claim of liability • Data covered by legal privilege • Data relating to a criminal investigation • Certain research data • Back-up data
Access: Exemptions (S.5) • Right of Access does not apply if likely to prejudice: • Preventing, detecting or investigating offences, apprehending or prosecuting offenders • Security in a place of detention • Other (international relations, privileged information etc)
Right to correct/erase/block • Section 6 of the Act • Data Subject makes a written request • Personal data must be: • Corrected, if inaccurate; or • Deleted, if should not be held. • Data Controller has 40 days to respond • No fee
Right of erasure • Doesn’t apply if you have a lawful purpose in retaining data • Such as auditing or accreditation purposes
Automated decisions • Key decisions cannot be made solely based on automated processing of personal data • creditworthiness • work performance • reliability • Exceptions • consent; legal necessity; contractual reasons
Right to object Section 6A(1) allows the data subject to object to the processing of data • Is “likely to cause substantial damage or distress to him or her, or to another person, and • The damage or distress is or would be unwarranted”
DP/FOI Access to Personal Information • DP and FOI Acts reinforce one another in relation to personal access in the public sector • Defending access to personal information as human (DP) and citizen (FOI) right • 3rd Party Access restricted under both Acts • FOI access to personal information should sometimes prevail in the public interest
Right to opt out of direct marketing • Data subject may opt out of direct marketing database (e.g. a mailing list) • Data controller must delete the data subject’s details (or stop using them for direct marketing) • Data controller must reply within 40 days
Electronic Communications • Right to “opt-out” of all unsolicited direct marketing calls • Ex-Directory customers (and most mobiles) automatically ‘opted-out’ • If not ex-directory, Contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list • SMS and e-mail unsolicited marketing banned
Can my employer monitor me? • Yes, depending on the conditions of any in-house policy document. • Employees should be made fully aware of Office policy in relation to e-mail content, and acceptable usage • Monitoring should be proportionate and not unduly intrusive.
Can monitoring occur without my consent? • Where a criminal offence is being investigated, covert monitoring may be legitimate. • Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.
Can I get a copy of my personnel file? • You have a right to a copy of any records relating to you – including personnel files, assessments, evaluations and interview notes. Note – this may be subject to restriction, for instance re statements of opinion or third party .
How can I check my credit rating? • Contact the Irish Credit Bureau at 01-2600388 (www.icb.ie) • Your credit rating can be checked by member institutions (banks, etc.) when you apply for credit.
How do I stop unwanted phone marketing? • You should contact your telephone line provider – e.g. Eircom, BT – and ask to have your details included in the National Directory Database (the NDD) ‘opt-out list’ • After about one month, marketing calls from Ireland should cease. • More info: www.askcomreg.ie and www.dataprotection.ie
How do I stop Junk Mail? • You can write to the organisation sending the mail, instructing them to stop. They are obliged to comply. • Or you can use the Mail Preference Service operated by the Irish Direct Marketing Association (www.idma.ie).
Further Guidance • www.dataprotection.ie