Data Protection Considerations
Gary Davis, Deputy Data Protection Commissioner
Realising the Opportunities of Digital Humanities, 24 October 2012
Data Protection – a Fundamental Human Right
• Implicit right to personal privacy under the Irish Constitution – Article 40.3.1
• Explicit right to personal privacy under Article 8 of the 1950 European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR); the ECHR is now indirectly part of Irish law by virtue of the ECHR Act 2003
• Explicit right to data protection under the EU Treaties – the Lisbon Treaty and the EU Charter of Fundamental Rights
EU Charter of Fundamental Rights: Article 8 – Protection of personal data
• 1. Everyone has the right to the protection of personal data concerning him or her.
• 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
• 3. Compliance with these rules shall be subject to control by an independent authority.
Lisbon Treaty – Article 16, Treaty on the Functioning of the European Union
• 1. Everyone has the right to the protection of personal data concerning them.
• 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data.
• Compliance with these rules shall be subject to the control of independent authorities.
EU & Irish Legislation
• EU: Data Protection Directive 95/46/EC (being updated)
• Ireland: Data Protection Acts 1988 & 2003
• EU: Electronic Privacy Directive 2002/58/EC (as amended by 2006/24/EC and 2009/136/EC)
• Ireland: EC Electronic Privacy Regulations 2011 (SI 336/2011)
Definitions: Personal Data
• “Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)
• Applies to any data that is processed (including hosting) in any medium by a legal entity: paper, computer, network, web, phone, CCTV, etc.
Definitions: Sensitive Personal Data
• Sensitive personal data (attracts more protection): racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; health; sexual life; criminal record
Definitions
• Data Controller: a person who controls the contents and use of personal data
• Data Processor: a person who processes personal data on behalf of a data controller
1. Accurate
• Good business practice
• Best achieved at the point of collection
• An ongoing requirement if the data are to be used
• Ask the data subject if needed
2. Non-Disclosure
• General rule – no disclosure for a different purpose
• Exceptions are made to balance the other interests of society
• Stricter conditions apply to sensitive data
• Main exceptions:
  Investigation of crime
  Collection of taxes
  Security of the State
  Protection of life & limb
  Required by law
  International relations
  Consent of the data subject
2. Non-Disclosure
• The Data Controller should have a policy in place to determine how requests for data from third parties are handled.
• This policy should be consulted by the appropriate staff members.
DP/FOI Access to Personal Information
• The DP and FOI Acts reinforce one another in relation to access to one's own personal information in the public sector
• Each defends access to personal information as a right: a human right (DP) and a citizen's right (FOI)
• Third-party access is restricted under both Acts
• FOI access to personal information should sometimes prevail in the public interest
DP and FOI
• A right conferred by the Data Protection Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.
• The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other (DP Act 2003).
3. Keep Secure
• Typical failures: accidental disclosure to third parties, a PC in a public area, a non-secure fax
• External connections – robust encryption, online forms, technical measures
• Audit trails, reviews, logs, and follow-up of unusual events
• Manual files must be secured too
4. Retention Policy
• Are there legal obligations to hold the data?
• Customer files – do you need to hold all that data?
• Personnel files – is there a Revenue requirement?
• The policy must be thought through: each retention period should be defensible as necessary for the purpose.
4. Retention Policy – Public Bodies
• Data protection rights of identifiable persons versus the obligation to retain data under the National Archives Act 1986; authorisation to dispose of records (s. 7)
• Balance between the rights of the person and the public interest
Historical Research (1)
• “Section 2 and sections 2A and 2B of this Act shall not apply to— (a) data kept solely for the purpose of historical research, or (b) other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986), and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects”
Historical Research (2)
• Draft Archives Regulations 2010: followed public consultation; security and access as per the Data Protection Acts
• Departmental records as per the National Archives Act – 100-year rule
5. Follow the Retention Policy
• A method, appropriate to each organisation, for reviewing files
• Assign responsibility
• Reporting structure
• Delete personal data that falls outside the terms of the policy
• Keep a record of deletions
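The review-and-delete procedure in sections 4 and 5 can be mechanised. The sweep below is an added illustration, not code from the Office of the Data Protection Commissioner; the record layout, the categories, the retention periods and the sample records are all hypothetical. It encodes the points the slides make: a schedule that must exist for every category (an uncategorised record is a policy gap and goes to the responsible owner rather than being deleted), a legal hold that suspends disposal, deletion of whatever has exceeded its period, and a deletion record that stores a keyed hash of the identifier rather than the identifier itself so that the log does not become a fresh store of personal data.

```python
"""Retention sweep: review records against a retention schedule, delete those
outside it, and keep a record of each deletion.

Added example, not the DPC's own code. Record fields, categories, periods
and sample data are hypothetical."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical schedule: category -> retention period in days from creation.
# A category absent from the schedule is never deleted automatically.
RETENTION_DAYS: dict[str, int] = {
    "customer_file": 6 * 365,
    "personnel_file": 7 * 365,
    "marketing_contact": 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # disposal suspended (litigation, audit, ...)


@dataclass(frozen=True)
class DeletionEntry:
    record_ref: str  # keyed hash of the id, so the log holds no personal data
    category: str
    created: date
    deleted_on: date
    reason: str


def record_ref(record_id: str, key: bytes) -> str:
    """Keyed BLAKE2b of the identifier; only a key holder can match it back."""
    return hashlib.blake2b(record_id.encode(), key=key, digest_size=16).hexdigest()


def classify(rec: Record, schedule: dict[str, int], today: date) -> str:
    """Return one of: retain, expired, legal_hold, uncategorised."""
    days = schedule.get(rec.category)
    if days is None:
        return "uncategorised"          # no policy: escalate, do not delete
    if rec.created + timedelta(days=days) > today:
        return "retain"                 # still inside its retention period
    return "legal_hold" if rec.legal_hold else "expired"


def run_sweep(store: dict[str, Record], schedule: dict[str, int],
              today: date, log_key: bytes):
    """Delete expired records from `store` in place.

    Returns (deletion_log, review_queue). The log is the record of deletions;
    the review queue lists record ids the responsible owner must decide on."""
    deletion_log: list[DeletionEntry] = []
    review_queue: list[tuple[str, str]] = []
    for rid, rec in list(store.items()):
        outcome = classify(rec, schedule, today)
        if outcome == "expired":
            del store[rid]
            deletion_log.append(DeletionEntry(
                record_ref=record_ref(rid, log_key),
                category=rec.category,
                created=rec.created,
                deleted_on=today,
                reason=f"exceeded {schedule[rec.category]}-day retention",
            ))
        elif outcome in ("legal_hold", "uncategorised"):
            review_queue.append((rid, outcome))
    return deletion_log, review_queue


# Constructed sample data: identifiers and dates are invented.
SWEEP_DATE = date(2012, 10, 24)
SAMPLE_STORE: dict[str, Record] = {
    "C-1001": Record("C-1001", "customer_file", date(2005, 3, 1)),
    "C-1002": Record("C-1002", "customer_file", date(2010, 9, 15)),
    "P-2001": Record("P-2001", "personnel_file", date(2001, 6, 1), legal_hold=True),
    "M-3001": Record("M-3001", "marketing_contact", date(2011, 1, 10)),
    "X-4001": Record("X-4001", "cctv_export", date(2012, 1, 1)),
}

if __name__ == "__main__":
    store = dict(SAMPLE_STORE)
    log, review = run_sweep(store, RETENTION_DAYS, SWEEP_DATE, b"hypothetical-log-key")
    for e in log:
        print(f"deleted {e.category} ref={e.record_ref} created={e.created} ({e.reason})")
    for rid, why in review:
        print(f"review  {rid}: {why}")
```

On the constructed data the sweep deletes the 2005 customer file and the 2011 marketing contact, keeps the 2010 customer file, and sends the held personnel file and the uncategorised CCTV export to the review queue. The review queue is what the "assign responsibility" and "reporting structure" bullets need: nothing leaves the store without either a schedule entry or a named decision, and the keyed reference means the deletion record can later answer "was record X deleted, and when?" to someone holding the key without itself retaining the identifier.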
Right of Access
• A fundamental right granted to individuals as a means of giving them control over how their data are processed – transparency
• Applies to all manual and electronic records in existence at the time the access request is received, regardless of when the record was created
Right of Correction/Erasure
• Section 6 of the Act
• The data subject makes a written request
• Personal data must be corrected if inaccurate, or deleted if they should not be held
• The data controller has 40 days to respond
• No fee
Thank You
Office of the Data Protection Commissioner
Canal House, Station Road, Portarlington, Co Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Website: www.dataprotection.ie