Data Protection the public Seán Sweeney Assistant

Data Protection & the public Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 25 th 2006

Presentation Outline Background – Human Rights Ø Data Protection Principles Ø Rights of data subjects Ø Some FAQs Ø

Why Data Protection? Post-Word War II emphasis on human rights l George Orwell, “ 1984” (published in 1949) l International Agreements on Human Rights l Development of computer power l

Background Privacy: Legal development l Universal Declaration on Human Rights (1948) l European Convention on Human Rights (1950) l Convention 108 (Council of Europe, 1981)

UN Universal Declaration on Human Rights, 1948 Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. . . Everyone has the right to the protection of the law against such interference ….

Background European Convention on Human Rights, 1950 Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society

Key concept Privacy is a Human Right

Council of Europe Convention, 1981 l Also called “Convention 108” l Deals specifically with data protection l Ireland’s Data Protection Act 1988 gives effect to this Convention

Directive 95/46/EC l Harmonisation across EU. – Free movement of data across EU l Extends DP to manual records.

Key concept Data Protection Laws are one method of protecting privacy rights.

Essential points l People have a fundamental right to privacy l Rights granted in data protection legislation can be exercised against both private and public sector bodies

How DP legislation work l By imposing obligations on those who process personal data; l By providing rights to individuals regarding how their data are processed.

Limited exemptions: l Data exempt on National Security grounds. l Data that is processed for personal domestic or recreational purposes – DP isn’t a snoopers’ charter

Data Protection Principles. Fair obtaining Ø consent 2. Accurate 3. Specified purpose 4. No further processing 1. Ø Unless compatible 5. 6. 7. 8. Relevant, not excessive Retention period Safe & secure Comply with access request

1 st Principle Obtain & Process Fairly I l Data controller must give full information about – – l identity purposes disclosees any other data necessary for “fairness” Third party data controllers – must contact data subject to provide these details – must give name of original data controller

1 st Principle Obtain & Process Fairly II One of these conditions required: Ø Consent Ø Legal obligation Ø Contract with individual Ø Necessary to protect vital interests Ø Necessary for a public function (Justice) Ø necessary for ‘legitimate interests’

1 st Principle Processing Sensitive Data One of these additional conditions is required Ø Explicit consent Ø Necessary under employment law Ø To prevent injury or protect vital interests Ø Process the data of members/clients of nonprofit orgs. Ø Legal advice Ø For Medical Purposes Ø Statutory function

What are sensitive data? q q q q Physical or mental health Racial origin Political opinions Religious or other beliefs Sexual life Criminal convictions Alleged commission of offence Trade Union membership

Fair Obtaining - practical l Transparency is the key issue l Generally, a person should know – who is processing his/her data – and for what purpose

Fair Obtaining - practical l Consent is easiest to rely upon – If from 3 rd party, is their responsibility to demonstrate legitimacy to you l Consent has to be freely given – Not freely given in employment context – Rely upon contractual or statutory obligations l “Legitimate interest” is often applied

Fair Obtaining - practical l CCTV – well placed signage meets transparency requirement l Consent not required if CCTV for security – Legitimate interest l Consent not required – Legal obligation l Though if for health & safety consent not required, transparency requires information is supplied (sign)

Fair Obtaining - practical l If relying on consent for data obtained on a form – Require any consent clause to be at least as big a font size as the data collection element of form – If on-line, require a privacy statement that covers transparency & fair obtaining requirements

2 nd Principle Accurate, Complete, up to date Often a reactive rather than proactive task

Accurate - practical l If you change your address and do not tell your bank, they are not at fault for sending mail to your old address. l However, if mail is returned to the bank as undeliverable, the bank must act by at least not sending any more mail to that address.

3 rd Principle Specified Purpose l Part of obligations when obtaining to specify purpose l Cannot expand purpose without reverting to individual

Purpose - practical l Purpose might be implied from transaction - such as for administration of an account. l Otherwise, should be clearly referred to

Purpose – case study l. A phone company published electronic telephone directory l Directory allowed search by address l This was a new purpose, as original directory only allowed search by name l Publication unlawful, directory withdrawn until issue resolved

4 th Principle Disclosing personal data Further processing not generally permitted – compatibility test l section 19 – lifts the restrictions on disclosure: l – crime; tax; State security; – required urgently to protect life and limb – required by law or court order – with consent of, or on behalf of, data subject

Disclosure - practical l An example of a compatible disclosure is where you supply data to an organisation in order to get a product/service. If that organisation must supply your data to a third party in order to get that product/service delivered, it is a compatible disclosure.

5 th Principle Relevant and not excessive Do you need all this data? - look a form and see if you need all data - can data collected be culled over time? Different policies for different sectors If you can’t see relevance –ASK!

6 th Principle Retention of data Legal obligations to hold data? l Customer files l – Do you need to hold all that data? l Personnel files – Revenue requirement? l Must have policy thought through – Defend retention as necessary for purpose.

6 th Principle Retention – HR files l When employees leaves/retires, employer might have long term need to hold onto certain data – Dates of employment – Positions held – Tax record – Injuries l But other data has no purpose beyond the time an ex-employee might seek a reference – Assessments & evaluations

6 th Principle Retention – Quotations Insurance company may offer household or motor insurance quote l If “customer” does not take up offer within reasonable period (one month? ) then that person is not a customer and details must be deleted – unless company has consent. l

6 th Principle Retention – Financial record Leisure & on-line sector often retain credit card details l May make future transactions easier and more secure l Can only be retained with customer consent! l

7 th Principle Security Procedures Must have adequate security measures in place to prevent unauthorised access Measures vary depending of size of company, type of data

Data Processors Agents and sub-contractors There must be a written contract in place Data Controller must take reasonable steps to ensure compliance with security measures

Security - practical l Security standard should be reviewed - if the type of data being processed are changed; - if the organisation’s resources increase; - at least on an annual basis to see if new measures may be employed

Security - practical l Access to data should be on a need to know basis l Access controls should be known about, enforced and reviewed

Security – case study Insurance company employee resigns but takes laptop with him l Laptop contains client list l Employee contacts clients on behalf of new employer l Original employer at fault for not taking measures to prevent this – not covered in employment contract. l

8 th Principle Rights of Individuals o o o To have data processed in accordance with principles To get a copy of personal information To correct information if it is wrong To opt out of direct marketing To complain to the Data Protection Commissioner

Access Requests Section 14 –exceptions section 19. l Availability of material subject to receipt of an Access Request l May question: l – – – Relevance Excessive nature Retention, etc

Scope of Access Request l Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

Opinion given in confidence l Exempt from an access request if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential. l This is useful when giving references

Exempt from Access Requests Ø Data relating to a criminal investigation Ø a claim of liability Ø Data covered by legal privilege

Access – Disciplinary Investigation Ø Exempt if access would prejudice investigation Ø No longer exempt after investigation has concluded

Employee Access Rights Ø Same rights as any data subject Ø Not all documents with employee name are personal data Ø Authoring document in work capacity does not mean that document is personal.

Access Requests - Resources Ø Should not require significant resources Ø Retention principle should encourage deletion of data on a regular basis, thus limiting the amount of data to be searched

Structured files Ø Must be able to search files Ø By name of data subject? Ø By other reasonable identifier? Ø By date/file reference supplied by data subject Ø Electronic records easier to search than manual records

Enforced subject access Ø An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment Ø Police and credit records cannot be accessed unless by law

Empowerment The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Right to correct/erase l Personal data must be: – Corrected, if inaccurate; or – Deleted, if should not be held. l No fee may be charged as there is an identified problem

Right to complain to DPC l Identify contravention l Irish DPC tends to try to informally resolve matters l More serious issues result in formal investigation & decision l Gib DPC may award compensation?

Direct Marketing l Have a right to opt-out of receiving direct marketing l People you do business with may still send information about critical events – such as power supply interruption.

Public Register l Describe Data handling practices – Purpose – Type of data l Public: Transfers abroad Disclosures transparency and openness – Policing by the public

Frequently Asked Questions

Can I access my police records? • Yes • You do not have to give a reason • Fully identify yourself (all previous addresses? ) • All or part of record may be withheld if compromises on-going investigation

Can I access my health records? • Yes • Identify the data controller (doctor/hospital/health trust) • Applies to both public and private health

If Police or Gov Dept ask for information about a customer, should It be supplied? l Not automatically, must assess situation l Is disclosure compatible with purpose? l Is there a statutory requirement? l Is it needed for investigation of crime? l Is it to protect life or limb?

Can an employer monitor staff? Yes, depending on the conditions of any inhouse policy document. l Monitoring should be proportionate and as least intrusive as possible. l Examination of e-mail content, web profiles should be done in context of disciplinary inquiry. l

Can monitoring occur without employee consent? l Whilst transparency is fundamental to the fair obtaining principle, consent is not always required. l Where the employer can rely on the legitimate interest provision, consent is not required.

What about covert surveillance? l Not generally permitted l However, if investigating serious matter, limited, focused short term covert monitoring may be allowed l Exceptional circumstances only

Can I get a copy of my personnel file? l You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes. l Opinions given in confidence may be withheld.

Can I put employee details on website? l Certain details may be appropriate – Name, position, contact details, special training l Other details are not necessary – Photographs, salary, family details

Thank you for listening