Briefing on
Data Protection Law
Colin Rooney, Partner, Technology and Innovation
29 May 2014
Current law
– Irish Law
• Data Protection Acts 1988 & 2003
• European Communities (Electronic Communications Networks And Services) (Privacy And Electronic Communications) Regulations 2011
– These apply where a person/organisation:
• is established in Ireland and is processing in the context of that establishment;
• has an office, branch or agency in Ireland;
• uses a company or third-party server located in Ireland to collect data – and the data is not merely in “transit” through Ireland.

Basic Terms
• Data Controller
• Data Processor
• Data Subject
• Processing
• Personal Data
• Sensitive Personal Data

8 Core Principles
• Obtain and process the information FAIRLY
• Keep it only for one or more specified and lawful purposes
• Use & disclose it only in a manner compatible with those purposes
• Ensure that it is adequate, relevant and non-excessive
• Keep it accurate and up-to-date
• Retain it no longer than is necessary for those purposes
• Ensure appropriate security measures are taken
• Comply with individual access requests

Processing Conditions
• The data subject’s consent has been obtained
• Consent can be verbal or written but must be freely given!
• The processing is necessary:
– for the performance of a contract to which the data subject is party;
– for compliance with a non-contractual legal obligation;
– to prevent serious injury, loss or damage; or
– for the legitimate purposes of a data controller, except where the processing is unwarranted having regard to the fundamental rights of the data subject.
• Even more conditions apply for Sensitive Personal Data!

Data Lifecycle
• Data Capture – Collection of Data
• Data Use – Processing
• Data Disclosure / Sharing and Data Transfer
• Data Retention / Destruction

Data Processors
– General Rule:
• Where an agent/third party is processing personal data, there should be a contractual basis for this, with appropriate security safeguards in place.
– In data protection terms:
• Where a data controller engages the services of a data processor, it must take certain steps to ensure that data protection standards are maintained.

Application to Data Processors
– Key requirements are as follows:
• there must be a written contract between the parties;
• including appropriate security safeguards;
• specifically providing that the data processor will process personal data only on the basis of the authorisation and instructions received from the data controller;
• committing the data processor to apply appropriate security measures; and
• the data controller must satisfy itself that the data processor has suitable technical security measures and organisational measures in place.

Sending Data Abroad
• When transferring, or making available, Personal Data abroad, regard must be had to the provisions of the DPA which limit or restrict foreign transfers.
• Section 11 DPA provides that:
– “The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data.”

Sending Data Abroad (cont.)
• Export of Personal Data outside the EEA is permitted only if:
– consent is given to the data export; or
– the personal data is exported for the purpose of fulfilling a contract; or
– the personal data is exported to countries which are deemed by the EU Commission to have adequate data protection laws; or
– the company has put adequate privacy safeguards in place for the transfer.

Sending Data Abroad (cont.)
Types of transfers approved by the Commissioner:
• ‘Safe Harbor’
• Binding Corporate Rules
• Model Contracts
Safe Countries:
• Argentina
• Canada*
• Switzerland
• Guernsey
• The Isle of Man
• Jersey
• Faroe Islands
• Israel
• New Zealand
• Uruguay
*restrictions apply

Compliance Steps
• Review existing data exports to check that either information is not transferred outside the EEA, or
• Does an appropriate DPA exemption apply (e.g. consent, contractual necessity or vital interests)?
• Put in place appropriate model form clauses for the transfer.
• Consideration could be given to self-certification (by the US body) under the ‘Safe Harbor’ rules on trans-Atlantic data exports – this requires action from the party in the US.
• N.B. The other DPA Principles must still be adhered to.

Security Requirements
• Basic Rule: data controllers and data processors must take ‘appropriate security measures’ for personal data, to guard against unauthorised access, loss, or disclosure.
• Factors to be taken into account include:
– State of technological development;
– Cost of implementing measures;
– Harm that might result from unauthorised or unlawful processing;
– Nature of the data concerned; and
– Obligation for staff awareness and compliance with security.

Data Security Considerations
• The DPA does not detail the specific security measures that an organisation must have in place.
• Adherence to technical security arrangements, both internal and external.
– e.g. password protection, data encryption, etc.
• Security should also be borne in mind when personal data are being destroyed.
• Where personal data are being transferred out of or into the company, the security of the transfer method is vital.

What does this mean in practice?
– Obligations on security need to be actively addressed
– Parties should adhere to a “need to know” principle
– Hence staff should only be able to access the personal data that they need to carry out their functions – seems this is the case!
– Organisations must have adequate access controls, firewalls and virus protection
– Don’t forget about manual files (and Relevant Filing Systems)!

Security: Summary
• Presently a high profile area
• Hence represents legal / compliance / reputational risk
• Be aware of the nature of the legal requirements:
– Not IT specific
– Principles-based legislation
• Appropriate security is judged by a variety of factors including:
– nature of the information & cost of available technology.
• Ongoing compliance review and staff training are crucial.

Obligation to Report a Breach?
• Despite the Personal Data Security Breach Code of Practice, there is presently no explicit obligation to notify the Commissioner’s Office or the data subject of a breach of information security.
• Exception: ISPs and Telcos.
• However, it may be advisable to do so.
• First consult with your legal advisors.
• Note: this position will change shortly on foot of EU law.

Registration
• Depends on the nature of the Personal Data held.
• Certain Data Controllers must register.
• Data Processors must register if they process on behalf of a Data Controller that is required to be registered.

Data Retention
• Personal Data must not be kept for longer than necessary for the purpose for which it was acquired.
• Consider the length of time that you will need to keep various types of data.
• No specific retention periods are set by data protection law.

What rights does the Data Subject have?
• Right of access – 40 days to comply
• Right of rectification and/or erasure
• Right to complain to the Data Protection Commissioner

Data Protection Commissioner
• Investigates complaints of non-compliance.
• Issues codes of good practice.
• The DPC can obtain information and issue enforcement notices requiring the company to take steps that include ceasing data capture or processing.
• “Dawn Raids”
• The DPC can bring prosecutions and ask the Courts to impose criminal fines.
• The DPC’s office is far more active than ever before.

Consequences of Breach
• Criminal offence – in certain circumstances – under the Acts:
– €3,000 (summary conviction)
– €100,000 (indictment)
• Damages – compensation
• Information, Enforcement or Prohibition notice
• Public shame – DPC’s Annual Report
• Erasure of database
• Compliance cost

EU Member States: Table of Fines

Proposed Changes
• New Data Protection Regulation
• Unified EU Data Protection law
• Applicable from 2015/2016
• Nominate a Data Protection Officer
• Put in place a Data Breach procedure
• More obligations for Data Processors

A Final Thought!

Colin.Rooney@arthurcox.com
Thank you for your time today.
29 May 2014