The Data Protection Act – What You Need To Know

The Data Protection Act – What you need to know
© Eamonn O’Raghallaigh 2010

TABLE OF CONTENTS

INTRODUCTION
THE RIGHT TO PRIVACY
THE DATA PROTECTION ACTS, 1988 AND 2003
  Key Definitions of the Act
  Obligations under the Act
  Principles Relating to Obtaining and Processing Personal Data
RIGHTS OF DATA SUBJECTS
  Right to Access
    Case Study: Failure to comply with an access request
  Right to be Informed of Data Being Kept
  Right to prevent data being used for the purposes of direct marketing
  Right of blocking or erasure
  Right to prevent processing where it might cause damage or distress
DATA PROTECTION AND ELECTRONIC COMMUNICATIONS
  Case Study: Opera Telecom: Forced to delete database
DATA PROTECTION AND CCTV
  Case Study: Gresham Hotel breaches DP law in regard to use of covert CCTV footage
REMEDIES
REFERENCES
INTRODUCTION

The securing of personal data and the protection of the rights of individuals whose personal data is stored has become an important issue in the current knowledge-based society. The storage of personal data is now ubiquitous, whether by service companies, governmental agencies and departments, telecoms providers, internet service providers or retail organizations. The potential for abuse and misuse of personal data is significant, hence the existence of legislation in Ireland to protect this data and the rights of individuals whose data is stored by third parties. Two acts of the Oireachtas were enacted for this purpose, namely the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003.

The Data Protection Act 1988 is “an act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically.” The 1988 Act was amended in 2003 to bring it into line with EU Directive 95/46/EC; the amending Act is “an act to give effect to directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, for that purpose to amend the data protection act 1988 and to provide for related matters.” (www.irishstatutebook.ie)

THE RIGHT TO PRIVACY

Data Protection relates to every citizen’s fundamental right to privacy. Although this right is not set out in the Irish Constitution of 1937, it has been recognized by the courts. The right to privacy was first identified in an Irish context in McGee v Attorney General [1974] IR 284 and most notably recognized by the High Court in Kennedy & Arnold v Ireland [1987] IR 587. The former case was argued under the Unenumerated Rights Doctrine: although the Constitution does not specifically set out a right to privacy, it is a right established by the Christian and democratic nature of the State. The court stated that “The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State… The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This cannot be ensured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with.”

The right to privacy was enacted into Irish domestic law by the European Convention on Human Rights Act 2003, which incorporated the European Convention on Human Rights. Article 8 of the Convention provides that: “Everyone has the right to respect for his private and family life, his home and correspondence.”

THE DATA PROTECTION ACTS, 1988 AND 2003

Key Definitions of the Act

a. Automated data means information that is processed by means of equipment operating automatically in response to instructions given for that purpose, or is recorded with the intention that it should be processed by means of such equipment.
b. Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
c. Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
d. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.
e. Sensitive personal data means personal data as to:
   i. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
   ii. whether the data subject is a member of a trade union,
   iii. the physical or mental health or condition or sexual life of the data subject,
   iv. the commission or alleged commission of any offence by the data subject, or
   v. any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
f. Data subject is an individual who is the subject of personal data.
g. Data controller is a person who (either alone or with others) controls the contents and use of personal data.
h. Data processor is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his employment.
i. Disclosure, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data, but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.
j. Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including:
   i. obtaining, recording or keeping the information or data,
   ii. collecting, organizing, storing, altering or adapting the information or data,
   iii. retrieving, consulting or using the information or data,
   iv. disclosing the information or data by transmitting, disseminating or otherwise making it available, or
   v. aligning, combining, blocking, erasing or destroying the information or data,
   and cognate words shall be construed accordingly. (www.irishstatutebook.ie)

Obligations under the Act

The purpose of the Data Protection Act (DPA) is to protect against the invasion of privacy of personal information. The Data Controller (i.e. the person who controls the content and use of personal data) holds the responsibilities under the Act. A data processor is distinct: a person who processes data on behalf of a data controller, not including an employee of the data controller.

The DPA does not apply to data:
a. which, in the opinion of the Minister, is kept for safeguarding the security of the State;
b. which must legally be made public;
c. which is kept only for the purpose of managing personal or household affairs;
d. which is kept for recreational purposes;
e. which is kept solely for historical research, e.g. archives.

Jurisdiction: A data controller will be subject to this legislation only if the data controller is established in the State and the data is processed in the context of that establishment. There are special provisions for the telecommunication of data within the European Union and the European Economic Area. However, the Act will also apply to a controller established outside that area if it uses equipment in the State for processing other than for the purpose of transit through the territory of the State. Persons deemed to be established in the State include:
a. individuals normally resident in the State;
b. a body incorporated under the law of the State;
c. a partnership or other unincorporated association formed under the law of the State; and
d. a person who does not fall within subparagraphs a, b and c, but maintains in the State:
   i. an office, branch or agency through which he or she carries on any activity, or
   ii. a regular practice. (www.irishstatutebook.ie)

Principles Relating to Obtaining and Processing Personal Data

The DPA represents a code of practice and ethics relating to the collection, processing and storage of personal data in a fair and just manner. The main principles are as follows:
a. Data must be obtained and processed fairly – a degree of transparency is required in relation to the data’s collection and processing. Where the data is obtained from the subject directly, the data controller must make his identity known, as far as is practicable.
b. Data must not be disclosed or processed in a manner for which it was not intended – there is an onus on the Data Controller to ensure that no unlawful processing occurs.
c. Data must be kept only for one or more specified lawful purposes – the data obtained should be relevant and adequate, but not excessive, for the purpose for which it was obtained.
d. Data must be kept safe and secure – there is an onus on the data controller to prevent unauthorised access to the subject’s personal data.
e. Data must be kept up to date and accurate – there is a clear duty to ensure the data is complete, accurate and up-to-date; this is intended to prevent misleading information being held or misrepresentation of the data subject.
f. Data must be kept only for as long as is necessary.
g. A copy of the personal data must be given to the individual it pertains to on request.

There are special provisions under the Act for the processing of Sensitive Personal Data; this data is subject to tighter control and all Data Controllers of such data must be registered with the Data Commissioner. There is a particularly high duty to maintain the privacy and security of data relating to:
a. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
b. whether the data subject is a member of a trade union,
c. the physical or mental health or condition or sexual life of the data subject,
d. the commission or alleged commission of any offence by the data subject, or
e. any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. (www.irishstatutebook.ie)

RIGHTS OF DATA SUBJECTS

Right to Access

One of the most practical implications of the DPA is the right of data subjects to access their personal data held by data controllers. The time limit for compliance with an access request is 40 days, after which the subject can lodge a complaint with the Data Commissioner, who may or may not investigate the case, based upon the facts of the matter. With appropriate notice in writing, and payment of a nominal fee of €6 to cover the costs associated with complying with the access request, the data subject can:
i. obtain a description of the categories of data which are being processed;
ii. be informed of the purpose of the processing;
iii. be informed of the recipients or categories of recipients to whom the data is or may be disclosed;
iv. be provided with an intelligible copy or explanation of the information held by the controller.

Exceptions to the Right of Access exist as follows:
a. An employer is not obliged to disclose information kept for the purpose of preventing, detecting or investigating offences or apprehending or prosecuting purported offenders.
b. Information may be kept undisclosed if this is for the purpose of assessing or collecting taxes or duties, or for the calculation of damages or compensation in a claim against the data controller.
c. Data relating to an individual should not be made available in response to a DPA access request if it would be likely to cause serious harm to the physical or mental health of the data subject. (www.irishstatutebook.ie)

Case Study: Failure to comply with an access request

The Data Commissioner received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child's personal data. The Commissioner commenced an investigation and established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child's family in August 2005. Prior to the complaint being submitted to the Commissioner, Caredoc's solicitors informed the legal representative for the child's family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply. In correspondence, the Commissioner was told that the access request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc's solicitors informed the Commissioner's Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient.

After lengthy correspondence back and forth, the Data Commissioner gave Caredoc's solicitors a final opportunity to respond to the key questions raised with them. They failed to respond and the Data Commissioner subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts. The Enforcement Notice required Caredoc, within a period of twenty-one days, to provide the solicitor of the child's family with the personal data relating to the attendance of the child at Caredoc's facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.

This case is a perfect example of the effectiveness of Data Protection legislation, as it allows members of the public, regardless of their status or access to legal advice, to request personal information for a maximum of €6.35 and to receive it. If they do not receive the information they have sought, they can complain to the Data Commissioner at no cost and the Commissioner will pursue the matter on their behalf (www.dataprotection.ie).

Right to be Informed of Data Being Kept

The DPA also makes provision for the right to be informed of data being kept. If a person suspects that another is keeping personal data about them, he or she may write to that person requesting to be informed whether any such data is being kept. If it is, the individual must be given a description of the data and of the purpose for which it is kept, within 21 days of the request being made.
Right to prevent data being used for the purposes of direct marketing

The DPA also makes provisions regarding the use of personal data for direct marketing purposes. It provides that where personal data is kept for the purpose of direct marketing and the relevant data subject requests in writing that the relevant data controller cease processing the data for that purpose, the data controller has 40 days to accede to such a request. The DPA also provides that the data controller must inform data subjects who are being targeted for direct marketing of their right to object to such use of their personal data.

Right of blocking or erasure

The DPA also gives the data subject a right to have his or her personal data in the data controller’s possession rectified, erased or blocked if the data controller fails to comply with its duties under the Acts; the data controller has 40 days to accede to such a request.

Right to prevent processing where it might cause damage or distress

The DPA also entitles an individual, by notice in writing served on a data controller, to request the data controller to cease, or not to commence, processing of that individual’s personal data where such processing is likely to cause substantial damage or distress which is or would be unwarranted.

DATA PROTECTION AND ELECTRONIC COMMUNICATIONS

The Electronic Communications Regulations 2003, enacted by the Oireachtas to fulfil obligations under EU Directive 2002/58/EC, make provisions regarding direct marketing and unsolicited email (spam). Other matters covered by the Regulations include the retention of telephone records and the storage of, and access to, information held on personal computers and terminals, for example ‘cookies’. The Regulations also restrict the ability of entities to use publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing. These Regulations should prove particularly useful in deterring entities from sending unsolicited marketing communications via SMS or email. The Regulations prohibit:
(a) the use of automatic dialling machines, fax, email or SMS text messaging for direct marketing to individuals, unless the subscriber’s consent has been obtained in advance;
(b) the use of email, SMS text messaging, automatic dialling machines or fax for direct marketing to non-natural persons or businesses, if the subscriber has recorded its objection in the National Directory Database or has informed the sender that it does not consent to such messages; and
(c) the making of telephone calls for direct marketing to the line of a subscriber, if the subscriber has recorded its objection in the National Directory Database or has informed the sender that it does not consent to such calls.

Case Study: Opera Telecom: Forced to delete database

The Data Commissioner received a complaint from an individual regarding the receipt of an unsolicited SMS message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service. When the Commissioner investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages. During the investigation, the Commissioner discovered that 16,000 concert-goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. Conscious of the potential risk of misuse for direct marketing, the Commissioner initially requested in a letter to Opera Telecom that they delete the related database. When it did not comply with this request, the Commissioner used powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. Opera Telecom complied with the Enforcement Notice and deleted the database.

This case demonstrates clearly that information collected for one purpose must not be used for another purpose unless the data subject was informed at the time of collection of such an intended use and given an opportunity to object (www.dataprotection.ie).

DATA PROTECTION AND CCTV

CCTV has become ubiquitous in society and it is difficult, especially in urban areas, to go anywhere without being captured on CCTV. To satisfy the right to access and the disclosure of purpose, data controllers who use CCTV must inform the individuals captured on CCTV of the purpose for the collection of the data and the identity of the data controller. In practice, a sign detailing the presence of CCTV cameras for security, together with a contact number for the data controller, will satisfy the requirements of the Act. Where CCTV is used to identify disciplinary or other issues pertaining to employees, the Data Controller must inform the data subjects that the cameras are being used for these purposes. Cameras must be positioned only in public or sensitive areas; the placement of cameras in private staff areas may be seen as an excessive invasion of privacy.

In general, data from CCTV is stored for no longer than 28 days, after which it is recorded over or deleted. This is in line with the provisions of the DPA, which state that data “shall not be kept for longer than is necessary for the purposes for which it was obtained.” Data should be stored in a secure environment and access to the data should be limited to authorized individuals. Any individual whose image has been captured and recorded has a right to be given a copy of the information recorded. To access a copy of the information held by the data controller in such an instance, an application in writing must be made to the data controller and, in practical terms, the location, date and time of the recording should be specified.
The data controller may charge a nominal fee of up to €6.35 for responding to such a request and must respond within 40 days of the application. It is important to note that the data controller is obliged to obscure any identifiable data of other subjects who may be in the same recording.

Case Study: Gresham Hotel breaches DP law in regard to use of covert CCTV footage

The Data Commissioner received a complaint in October 2006 from a data subject regarding the unfair obtaining by her employer of her personal information and its subsequent use as evidence to terminate her employment. The data subject had been employed in a supervisory capacity at the Gresham Hotel in Dublin for a number of years. In January 2005 she was called to a meeting by hotel management, at which she was informed that covert cameras had been installed some time previously in the hotel for the purposes of an investigation. The investigation was initiated on foot of a complaint received by the hotel regarding cash handling at the bar. The data subject was not the subject of the investigation; she was not made aware of the investigation, nor was she informed of the covert CCTV recordings. At the meeting, the data subject was confronted with a series of questions and was asked to explain some of her actions which had been recorded by the covert cameras. Later in 2005, she was dismissed from her employment with the hotel. Evidence taken from the covert CCTV recordings was used in the decision to terminate the data subject’s employment. No criminal prosecution took place following the hotel’s investigation, nor was the data subject interviewed by An Garda Síochána.

Covert CCTV cameras had been installed to investigate specific incidents. The data subject was not the subject matter of this investigation. The personal data of the persons captured on the footage was obtained for one purpose: the investigation of specific incidents in the hotel. In the case of this data subject, her personal data was further processed in a manner incompatible with the original purpose. Furthermore, the data subject’s personal data was not processed in accordance with the requirements of ‘fair processing’, as she had not been informed by the data controller, at the time when the data controller first processed her data, of the purpose for which it intended to process her personal data. This constituted a breach of the Act. The Data Commissioner asked both parties concerned to consider an amicable resolution to the matter. Within a few weeks, a settlement was agreed between the parties. (www.dataprotection.ie)
REMEDIES

Remedies for data subjects under the DPA are limited – there is no legal remedy for the data subject if a data controller infringes section 2(1) of the Act, which pertains to the collection, processing and storage of data in a fair manner. If the Data Commissioner finds that an infringement has occurred, the Commissioner may require the data controller to take remedial action. In theory, there is the possibility of criminal sanction – if the data controller fails to take remedial action, a fine of €100,000 may be imposed. However, in practical terms this is unlikely, as no notable prosecutions have occurred under the Act to date and the Act is more an instrument of threat than of action.

REFERENCES

The Data Protection Acts 1988 and 2003. Irish Statute Book, www.irishstatutebook.ie. Retrieved online 6.4.2010: http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html
The Office of the Data Commissioner, www.dataprotection.ie. Retrieved online 6.4.2010: http://www.dataprotection.ie/docs/Home/4.htm
McGee v Attorney General [1974] IR 284. Supreme Court of Ireland Decisions (1974), www.bailii.org. Retrieved online 6.4.2010: http://www.bailii.org/ie/cases/IESC/1973/2.html