1. Data Protection Considerations
Gary Davis
Deputy Data Protection Commissioner
Realising the Opportunities of Digital Humanities, 24 October 2012
2. Data Protection – a Fundamental Human Right
• Implicit right to personal privacy under the Irish Constitution – Article 40.3.1
• Explicit right to personal privacy under Article 8 of the 1950 European Convention for the Protection of Human Rights & Fundamental Freedoms [ECHR]
ECHR now indirectly part of Irish law due to the ECHR Act 2003
• Explicit right to data protection under the EU Treaties – Lisbon Treaty and EU Charter
3. EU Charter of Fundamental Rights: Article 8
• Protection of personal data
• 1. Everyone has the right to the protection of
personal data concerning him or her.
2. Such data must be processed fairly for specified
purposes and on the basis of the consent of the
person concerned or some other legitimate basis laid
down by law. Everyone has the right of access to
data which has been collected concerning him or
her, and the right to have it rectified.
3. Compliance with these rules shall be subject to
control by an independent authority.
4. Lisbon Treaty
Article 16 Treaty on the Functioning of the European Union
• 1. Everyone has the right to the protection of personal data
concerning them.
• 2. The European Parliament and the Council, acting in accordance
with the ordinary legislative procedure, shall lay down the rules
relating to the protection of individuals with regard to the processing
of personal data by Union institutions, bodies, offices and agencies,
and by the Member States when carrying out activities which fall
within the scope of Union law, and the rules relating to the free
movement of such data.
• Compliance with these rules shall be subject to the control of
independent authorities.
5. EU & Irish Legislation
EU:
• Data Protection Directive 95/46/EC (being updated)
• Electronic Privacy Directive 2002/58/EC (as amended by 2006/24/EC and 2009/136/EC)
Ireland:
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2011 (SI 336/2011)
6. Definitions: Personal Data
“Data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller” (DP Act, Section 1)
Applies to any data that is processed (including hosting) using any medium by a legal entity. Therefore paper, computer, network, web, phone, CCTV etc.
7. Definitions – Sensitive Personal Data
• Sensitive Personal Data (more protection)
Racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; health; sexual life; criminal record
8. Definitions
• Data Controller
A person who controls the contents and use of personal data
• Data Processor
A person who processes personal data on behalf of a data controller
9. 1. Accurate
• Good business practice
• Best achieved at point of collection
• Ongoing requirement if intended to be
used.
• Ask the data subject if needed
10. 2. Non-Disclosure
• General rule – no disclosure for a different purpose
• Exceptions made, to balance other interests of society
• Stricter conditions for sensitive data
• Main exceptions:
Investigation of crime
Collection of taxes
Security of the State
Protect life & limb
Required by law
International relations
Consent
11. 2. Non-Disclosure
• The Data Controller should have a policy
in place to determine how requests for
data from third parties are handled.
• This policy should be consulted by
appropriate staff members
12. DP/FOI Access to Personal Information
• DP and FOI Acts reinforce one another in
relation to personal access in the public sector
• Defending access to personal information as
human (DP) and citizen (FOI) right
• 3rd Party Access restricted under both Acts
• FOI access to personal information should
sometimes prevail in the public interest
13. DP and FOI
• A right conferred by the Data Protection Act
shall not prejudice the exercise of a right
conferred by the Freedom of Information Act
1997.
• The Commissioner and the Information
Commissioner shall, in the performance of their
functions, co-operate with and provide
assistance to each other (DP Act 2003)
14. 3. Keep secure
• Accidental disclosure to third parties, PC in a public area, non-secure fax
• Data leaving the organisation – robust encryption, secure online forms, technical measures
• Audit trails, reviews, logs, investigation of unusual events
• Manual files
15. 4. Retention Policy
• Legal obligations to hold data?
• Customer files
Do you need to hold all that data?
• Personnel files
Revenue requirement?
• Must have policy thought through
Defend retention as necessary for purpose.
16. 4. Retention Policy – Public Bodies
• Data protection rights of identifiable persons
and obligation to retain data under National
Archives Act 1986
Authorisation to dispose of records (s. 7)
• Balance between rights of the person and
public interest
17. Historical Research (1)
• Section 2 and sections 2A and 2B of this Act shall not
apply to—
(a) data kept solely for the purpose of historical research, or
(b) other data consisting of archives or departmental records
(within the meaning in each case of the National Archives Act
1986),
• and the keeping of which complies with such
requirements (if any) as may be prescribed for
the purpose of safeguarding the fundamental rights
and freedoms of data subjects
18. Historical Research (2)
• Draft Archives Regulations 2010
Followed public consultation
Security, access as per Data Protection Acts
• Departmental records as per National Archives Act
100-year rule
19. 5. Follow Retention Policy
• A method appropriate to each organisation to review files
• Assign responsibility
• Reporting structure
• Delete personal data that is outside the terms of the policy
• Keep a record of deletions
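The retention steps on the last two slides (decide what must be held, delete what is outside policy, record each deletion) can be enforced mechanically once the policy is written down. The following is an added example, not code from the presentation or from the Data Protection Commissioner's office. The retention periods, record layout, purposes and the `legal_hold` / `historical_archive` flags are assumptions for illustration; the point it adds to the slides is that the deletion record should identify what was removed and why without itself copying the personal data that was just deleted.

```python
"""Retention-policy enforcer with a deletion audit record (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per processing purpose. Illustrative values only; the real
# figures come from the organisation's written policy and statutory obligations.
RETENTION_DAYS = {
    "customer_account": 365 * 6,   # hypothetical: 6 years after account closure
    "marketing_consent": 365 * 2,  # hypothetical: 2 years after last contact
    "recruitment": 365,            # hypothetical: 1 year after the decision
}


@dataclass
class Record:
    record_id: str
    purpose: str
    last_needed: date                 # when the data stopped being needed for its purpose
    data: dict                        # the personal data itself (never copied into the log)
    legal_hold: bool = False          # statutory duty to keep, e.g. Revenue or litigation
    historical_archive: bool = False  # kept solely for historical research / archives


@dataclass
class Store:
    records: dict = field(default_factory=dict)
    deletion_log: list = field(default_factory=list)  # who deleted what, when and why

    def add(self, r: Record) -> None:
        self.records[r.record_id] = r


def retention_decision(r: Record, today: date) -> str:
    """Return 'keep', 'delete' or 'review' for one record under the policy."""
    if r.purpose not in RETENTION_DAYS:
        return "review"        # no policy entry: escalate, never silently keep forever
    if r.legal_hold or r.historical_archive:
        return "keep"          # retention required by law or archive rules overrides expiry
    expiry = r.last_needed + timedelta(days=RETENTION_DAYS[r.purpose])
    return "delete" if today > expiry else "keep"


def enforce_retention(store: Store, today: date, reviewer: str) -> dict:
    """Apply the policy to every record; log each deletion without personal data."""
    summary = {"delete": [], "keep": [], "review": []}
    for rid, r in list(store.records.items()):
        decision = retention_decision(r, today)
        summary[decision].append(rid)
        if decision == "delete":
            del store.records[rid]
            store.deletion_log.append({
                "record_id": rid,
                "purpose": r.purpose,
                "deleted_on": today.isoformat(),
                "by": reviewer,
                "reason": f"past {RETENTION_DAYS[r.purpose]}-day retention period",
            })
    return summary


def build_sample_store() -> Store:
    """Constructed sample records (fictitious people and dates) for the example."""
    s = Store()
    s.add(Record("C-1001", "customer_account", date(2006, 1, 1), {"name": "Mary Example"}))
    s.add(Record("C-1002", "customer_account", date(2010, 6, 1), {"name": "Tom Example"}))
    s.add(Record("C-1003", "customer_account", date(2005, 1, 1), {"name": "Ann Example"},
                 legal_hold=True))
    s.add(Record("M-2001", "marketing_consent", date(2009, 1, 1), {"email": "m@example.test"}))
    s.add(Record("R-3001", "recruitment", date(2012, 6, 1), {"name": "Pat Example"}))
    s.add(Record("X-9001", "unknown_purpose", date(2000, 1, 1), {"name": "Joe Example"}))
    s.add(Record("H-4001", "customer_account", date(1950, 1, 1), {"name": "Old Ledger"},
                 historical_archive=True))
    return s


def run_example(today: date = date(2012, 10, 24)):
    """Run the review as of a fixed date and return (store, summary)."""
    store = build_sample_store()
    summary = enforce_retention(store, today, reviewer="records-officer")
    return store, summary


if __name__ == "__main__":
    store, summary = run_example()
    print("deleted:", summary["delete"])
    print("needs review:", summary["review"])
    for entry in store.deletion_log:
        print(entry)
```

Records with no policy entry are reported for review rather than kept by default, because an unclassified file is exactly the data the retention slides say cannot be defended as necessary for a purpose.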
20. Right of Access
• A fundamental right granted to individuals as a means of giving them control over how their data are processed – transparency
• Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
21. Right of correction/erasure
• Section 6 of the Act
• Data subject makes a written request
• Personal data must be:
Corrected, if inaccurate; or
Deleted, if it should not be held.
• Data controller has 40 days to respond
• No fee
22. Thank You
Office of the Data Protection Commissioner
Canal House
Station Road
Portarlington
Co Laois
Phone: LoCall 1890 252231
057 8684800
Fax: 057 8684757
Email: info@dataprotection.ie
Website: www.dataprotection.ie