
Data Protection & Law Enforcement

This presentation provides an overview of data protection principles and rights of data subjects in the context of law enforcement. It highlights the importance of data protection in upholding human rights and emphasizes the need to respect privacy rights. The presentation covers topics such as fair obtaining of consent, accurate data processing, specified purposes, and the disclosure of personal data.

edwink

Presentation Transcript


  1. Data Protection & Law Enforcement • Seán Sweeney, Assistant Commissioner, Office of the Data Protection Commissioner, Ireland • Gibraltar, January 27th 2006

  2. Presentation Outline • Background – Human Rights • Data Protection Principles • Rights of data subjects • Some FAQs

  3. Why Data Protection? • Post-World War II emphasis on human rights – Police States • George Orwell, “1984” (published in 1949) • International Agreements on Human Rights • Development of computer power

  4. Privacy: Legal development Background • Universal Declaration on Human Rights (1948) • European Convention on Human Rights (1950) • Convention 108 (Council of Europe, 1981)

  5. UN Universal Declaration on Human Rights, 1948 Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference ….

  6. European Convention on Human Rights, 1950 Background Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society

  7. Key concept Privacy is a Human Right

  8. Council of Europe Convention, 1981 • Also called “Convention 108” • Deals specifically with data protection • Ireland’s Data Protection Act 1988 gives effect to this Convention

  9. Directive 95/46/EC • Harmonisation across EU. • Free movement of data across EU • Extends DP to manual records.

  10. Key concept Data Protection Laws are one method of protecting privacy rights.

  11. Essential points • People have a fundamental right to privacy • You are legally obliged to recognise this right • Showing that you recognise and protect that right makes good sense • Increased confidence/trust of customers • Better cooperation/support

  12. How DP legislation works • By imposing obligations on those who process personal data; • By providing rights to individuals regarding how their data are processed.

  13. Limited exemptions: • Data exempt on National Security grounds. • Data that is processed for personal domestic or recreational purposes

  14. Data Protection Principles • Fair obtaining consent • Accurate • Specified purpose • No further processing unless compatible • Relevant, not excessive • Retention period • Safe & secure • Comply with access request

  15. Obtain & Process Fairly I 1st Principle • Data controller must give full information about • identity • purposes • disclosees • any other data necessary for “fairness” • Third party data controllers • must contact data subject to provide these details • must give name of original data controller

  16. Obtain & Process Fairly II 1st Principle One of these conditions required: • Consent • Legal obligation • Contract with individual • Necessary to protect vital interests • Necessary for a public function (Justice) • necessary for ‘legitimate interests’

  17. Processing Sensitive Data (1) 1st Principle One of these additional conditions is required • Explicit consent • Necessary under employment law • To prevent injury or protect vital interests • Legal advice • For Medical Purposes • Statutory function

  18. What are sensitive data? • Physical or mental health • Racial origin • Political opinions • Religious or other beliefs • Sexual life • Criminal convictions • Alleged commission of offence • Trade Union membership

  19. Fair Obtaining - practical • Transparency is the key issue • Generally, a person should know • who is processing his/her data • and for what purpose

  20. Fair Obtaining - practical • Exemption means police may covertly collect data • Police may process data without consent if necessary for the investigation & detection of offences

  21. Accurate, Complete, up to date 2nd Principle Often a reactive rather than proactive task

  22. Accurate - practical • If a person gives false identity details when questioned, police must correct the details when they become aware of the true identity.

  23. Accurate – case study • Terrorist suspect has minor conviction • Appeals outcome, change of penalty • Police record incorrectly identifies Court location and penalty imposed • Subject Access Request & makes complaint • Police obliged to correct record and review recording procedures

  24. Specified Purpose 3rd Principle • Part of obligations when obtaining to specify purpose • Cannot expand purpose without reverting to individual

  25. Purpose - practical • Police purpose is defined in law and cannot be expanded with new role assigned to police by Government

  26. Purpose – case study • Victim Support body collects data from victims to offer support • Police hold data for law enforcement purpose • Police want to use data to assist Victim Support in referrals • This is a new purpose and requires consent of victims

  27. Disclosing personal data 4th Principle • Further processing not generally permitted – compatibility test • section 19 – lifts the restrictions on disclosure: • crime; tax; State security; • required urgently to protect life and limb • required by law or court order • with consent of, or on behalf of, data subject

  28. Disclosure Policy The Data Controller should have a policy in place to determine how requests for data from third parties are handled. This policy should be consulted by appropriate staff members

  29. Disclosure - practical • Any DC can give data to police where necessary to investigate crime • DC must be satisfied that it is a genuine investigation – may contact superior officer • Specific procedures should be in place for access to data such as telephone records

  30. Relevant and not excessive 5th Principle • Police forces require information in order to operate • Accept it is difficult to judge relevance • DPAs reluctant to second guess police forces

  31. Relevant – case study 5th Principle • Female teacher involved in public order offences when drunk • “Friendly” with police officers • Computer record contains racy comments about her • She is aware of nature of record • Information not relevant & is deleted

  32. Retention of data 6th Principle • Legal obligations to hold data? • Can older reports be anonymised where no action was taken? • Provision for spent convictions may result in files being culled over time

  33. Security Procedures 7th Principle Security measures • Appropriate security measures • Appropriate to the harm that might result • Appropriate to the nature of the data • May have regard to cost of implementation • May have regard to the current state of technology • Staff must know and comply with measures • Internal review of security measures: part of Internal Audit function?

  34. Data Protection Training. • Obligation on employer to ensure staff are aware of data protection security obligations (especially access). • Training • Can be satisfied by a simple circular in some cases, by a formal course in others

  35. Data Processors • Agents and sub-contractors • There must be a written contract in place • Data Controller must take reasonable steps to ensure compliance with security measures

  36. Security - practical • Security standard should be reviewed - if the types of data being processed are changed; - if the organisation’s resources increase; - at least on an annual basis to see if new measures may be employed - state sector can’t plead poverty – must be at leading edge

  37. Security - practical • Access to data should be on a need to know basis • Access controls should be known about, enforced and reviewed

  38. Security – case study • Police officer checks vehicle file on behalf of friend • Friend wants to know identity of ex-partner’s new boyfriend • Improper access identified from examination of access log • New audit policy to identify misuse

  39. Rights of Individuals 8th Principle • To have data processed in accordance with principles • To get a copy of personal information • To correct information if it is wrong • To opt out of direct marketing • To complain to the Data Protection Commissioner

  40. Access Requests • Section 14 – exceptions section 19. • Availability of material subject to receipt of an Access Request • May question: • Relevance • Excessive nature • Retention, etc.

  41. Scope of Access Request • Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

  42. Opinion given in confidence • Exempt from an access request if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. • This is useful when giving references

  43. Exempt from Access Requests • Data relating to a criminal investigation • If release would prejudice investigation • Exemption does not apply once investigation complete (unless would influence another investigation)

  44. Access Requests - Practical • Staff should be able to identify a subject access request when one is received • Necessary because of deadline • Ideally, have an identified point of contact within force to handle requests

  45. Structured files • Must be able to search files • By name of data subject? • By other reasonable identifier? • By date/file reference supplied by data subject • Electronic records easier to search than manual records

  46. Enforced subject access • An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment • Police records cannot be accessed unless by law (vetting of child care workers) • Provision not yet in place in Ireland so police end up dealing with ~10,000 SAR per annum

  47. Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

  48. Right to correct/erase • Personal data must be: • Corrected, if inaccurate; or • Deleted, if should not be held (very rare). • Should not be a significant issue if organisation well run • May get DS complaining about data being held

  49. Public Register • Describe Data handling practices • Purpose • Transfers abroad • Type of data • Disclosures • Public: transparency and openness • Will involve careful thought initially, but little ongoing resources

  50. Why Register? • Is a legal obligation • But also a very useful way for Data Protection Commissioner to interact with Data Controllers • Helps Data Controllers focus on Data Protection at time of registration
