« DATA PROTECTION FROM AN EMPLOYMENT PERSPECTIVE » PRESENTED BY THE COMMISSIONER ON 5.07.11 TO GROUPE MON LOISIR LTD. This template has been chosen in the context of the promotion of the ‘Maurice Ile Durable’ project. DATA PROTECTION OFFICE.
• WHAT IS DATA PROTECTION AND WHY SHOULD MAURITIUS HAVE DATA PROTECTION LAWS?
• To put it in simple terms, data protection is the safeguarding of the processing of all personal information of living individuals. Processing stands for all the activities carried out manually or automatically on personal data.
• Data protection is a component of privacy. The right to privacy is normally defined as the right to be left alone and is legally provided for in our constitution. There is no overlapping of the right to privacy with data protection/privacy as explained, but rather, when we talk about privacy of personal data, we are also talking about data protection.
• Data protection laws are essential not only in Mauritius but in all developing or developed countries which make extensive use of personal data and are technology-driven.
• The justification for enacting such laws is not felt until personal information incidents crop up, for example, when somebody’s name/address/emails/bank details/CV have been misused for a criminal purpose, causing immense prejudice to the person concerned.
• The Data Protection Act is restricted only to the protection of the privacy of the personal data of living individuals.
• The rights protected under this legislation are:
• the right to access personal data;
• the right to have inaccurate data destroyed or corrected;
• the right to lodge a complaint with the Data Protection Commissioner;
• the right to appeal against the decision of the Commissioner before the ICT tribunal;
• the right to have data processed for lawful and necessary purposes;
• the right to be informed of the processing or collection of data and the conditions under which the data would be used; and
• the right to object to direct marketing.
• What is personal data and sensitive personal data?
• Personal data is any information which can be linked to an individual. The most obvious ones are the name, address or emails of the person. The less obvious ones are the genetic set-up of the individual, his/her race or ethnic origin, political opinion, religious beliefs, trade union membership, sexual preferences, criminal records or proceedings in court.
• The less obvious ones are called sensitive personal data in the DPA. By their nature, they require more protection.
• Both sensitive and non-sensitive data require the express consent of the individual as regards their processing, subject to the exceptions provided in sections 24 and 25 of the DPA.
• The exceptions are quite wide-ranging, for example, the contractual relationship the individual may have with the data controller, i.e.
• the employer/employee relationship is a contractual one; consent is not required where the contract already exists, i.e. where the processing of personal data is required for the performance of a contract to which the employee is a party,
• in order to take steps required by the employee prior to entering into the contract, for example, where the employee is required to fill in a questionnaire as part of the recruitment process, no consent is required. This situation is to be distinguished from the information gathered during reference checks on potential candidates, as it does not relate to information provided by the individual himself but by a third party. The legal nuances have to be grasped correctly for a proper understanding of the exceptions.
• the protection of the vital interests of the employee by the employer, for example, where the processing of the data is necessary to protect the reputation of the employee,
• to protect the vital interests of another person (not the data controller or the individual) where the individual unreasonably withholds consent, or consent cannot be given by him, or the data controller cannot be expected to obtain the consent of the data subject;
• where the law requires the processing, for example, as may be contained in the labour laws,
• the administration of justice,
• the public interest,
• the sensitive information has been made public by the individual concerned or the latter has provided his express consent, or
• the processing of sensitive information is being done by an entity of a political, philosophical, religious or trade union nature for its members only and does not involve disclosure to third parties without the consent of the individual concerned.
• These are the broad exceptions which do not require the express consent of the data subject.
• However, it would be prudent to tread intelligently on these exceptions, which are so broad that the interpretation of their ambit may result in legal problems, especially in a court of law! Legal gymnastics is perhaps what is required by any lawyer to synthesize a sound understanding of these exceptions.
• What is express consent?
• Express consent does not automatically have to bear the same meaning as the civil law version of « consentement expresse », which refers to written consent. It suffices that it be explicit, i.e. that it is unambiguous, freely given, specific and informed, which does not literally translate to written consent. However, evidentially, it would be wise to secure proof of the agreement of the employee, which can only be in written form.
• This is the irony behind legal interpretation and the practicalities of the law.
• Employers would be further ill-advised to rely solely on consent as proof other than in cases where, if consent is subsequently withdrawn, this has not caused or resulted in any problems.
• Reliance on consent should be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment.
• What is meant by the above is that the use of the exceptions must be clearly justified in order for the employer to avail himself of them.
• Events may be considered personal data, such as wedding, anniversary and pregnancy dates. However, since the DPA relates only to the protection of living individuals, funeral dates may be excluded.
• Why do we need a Data Protection Office?
• The Data Protection Office has come into existence specifically to cater for the principles found under the legislation.
• The legislator has deemed it fit to make Mauritius data-protection compliant in order to enhance the credibility of the country as one respecting international standards and protecting the personal data of its citizens.
• However, the task is indeed an immense one: to inculcate the culture of data protection into each citizen of this country.
• Let us not forget that even for those countries which have adopted data protection for 30 years, data protection was initially viewed as insignificant compared to other pressing agendas of the government, the more so as it is quite a complex field, and it is still a challenge for these countries to instill data protection principles in the routine of each citizen.
• Time has shown that such a concept is indeed the future guarantee for the individual of today and tomorrow.
• Other fundamental rights such as the right to live, freedom of expression, movement, freedom against torture, amongst many others, have now gained so much recognition worldwide that they do not require further publicity. They are called the entrenched human rights in any constitution containing them.
• But what about the right to privacy? Yes, it is also recognised as entrenched in our own constitution, but the ambit of its protection is too restrictive. Data protection does not squarely fit into the rather obsolete definition privacy has in many constitutions, just like ours. This is why many countries have amended it. We will also eventually have to do it. It is already on the agenda of the Law Reform Commission.
• But we should be proud or grateful that Mauritius has deemed it fit to adopt data protection laws. Not only has it adopted laws, it has also instituted a permanent office dedicated to protecting personal data. We have shown that we are ahead in many fields.
• The multifaceted tasks the Commissioner is also called upon to perform also justify the creation of a separate entity.
• When should personal data kept be destroyed and, if kept, for which specific purposes?
• According to sections 26 and 28 of the Data Protection Act, personal data must be kept for the purpose/s for which the data has been collected. Employee data collected for personnel administration cannot be used for marketing without the express consent of the employee.
• When the purpose for keeping the data has lapsed, for example, the employee is no longer in service, the purpose for keeping the data should be clearly justified. Otherwise, deletion is mandatory within a reasonable period of time.
• It is the duty of each data controller to develop a retention policy which elaborates the categories of data kept at the organisation, their purpose and the time required to keep them, depending on the requirements of the organisation.
• Monitoring of the DPA at the organisation requires a department or an officer to take the lead. The legal and/or IT department/officer may be deputed the task of handling data protection issues. However, it remains the task of top management to ensure that compliance is achieved in all departments.
• A data protection officer or coordinator may be appointed. However, there may not be the need to appoint a new officer; someone from the IT or legal department may be designated instead.
• It should be borne in mind that the officer appointed should understand data protection issues and may follow training from this office.
• A centralised CV database is to be handled with utmost care, as the data controller has the obligation to keep data accurate and up to date, and to ascertain whether consent, whenever required, has been collected and whether the appropriate security and organisational measures have been taken to protect the data.
• For those CVs which do not relate to employees but to potential candidates, the latter should be informed, in accordance with section 22 of the DPA, as to the purpose, the beneficiaries, the consent required and the right to access the data kept by the data controller.
• Personal data provided during reference checks would have to be used with utmost care, and the potential candidate would have to be made aware prior to the collection by obtaining his consent, except if a law provides that no consent is required.
• Data protection clauses in employment documents are essential to ascertain whether the required consent has been obtained for keeping the data.
• Privacy policy statements are also essential to inform users of their data protection rights, but in a fruitful way. They have to be very user-friendly and visible.
• Unlawful disclosure of personal data to somebody not entitled to receive it is an offence.
• As a conclusion, I would say:
• When processing workers' personal data, employers should always bear in mind FUNDAMENTAL DATA PROTECTION PRINCIPLES SUCH AS THE FOLLOWING:
• FINALITY: Data must be collected for a specified, explicit and legitimate purpose, and not further processed in a way incompatible with those purposes.
• TRANSPARENCY: As a very minimum, workers need to know which data the employer is collecting about them (directly or from other sources), and what the purposes are of the processing operations envisaged or carried out with these data presently or in the future. Transparency is also assured by granting the data subject the right of access to his/her personal data.
• LEGITIMACY: The processing of workers' personal data must be legitimate.
• PROPORTIONALITY: The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
• Assuming that workers have been informed about the processing operation and assuming that such processing activity is legitimate and proportionate, such processing still needs to be fair to the worker.
• ACCURACY AND RETENTION OF THE DATA: Employment records must be accurate and, where necessary, kept up to date. The employer must take every reasonable step to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or further processed, are erased or rectified.
• Law and practice: labour law and practice do not operate in isolation from data protection law. This interaction is necessary and valuable and should assist the development of solutions that properly protect workers’ interests.
• SECURITY: The employer must implement appropriate technical and organisational measures at the workplace to guarantee that the personal data of his workers is kept secure. Particular protection should be granted as regards unauthorised disclosure or access.
• SURVEILLANCE AND MONITORING: Data protection requirements apply to the monitoring and surveillance of workers, whether in terms of email use, Internet access, video cameras or location data.
• Any monitoring must be proportionate. Any personal data held or used in the course of monitoring must be adequate, relevant and not excessive for the purpose for which the monitoring is justified. Any monitoring must be carried out in the least intrusive way possible.