data protection and research university research ethics committee – 30.05.2008 david cauchi david...
TRANSCRIPT
DATA PROTECTION
DATA PROTECTIONDATA PROTECTION
and Researchand Research
University Research Ethics Committee – 30.05.2008University Research Ethics Committee – 30.05.2008
David CauchiDavid Cauchi
Office of the Commissioner for Data ProtectionOffice of the Commissioner for Data Protection
DATA PROTECTION
Data Protection Act Data Protection Act
General Provisions
Processing for Research Purposes
Procedure agreed with UREC
DATA PROTECTIONORIGINORIGIN
Council of Europe – ETS 108 Convention on the protection of individuals with regard to automatic processing of personal data
Data Protection Act
CAP. 440Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
DATA PROTECTION
WHAT IS DATA PROTECTION ACT?WHAT IS DATA PROTECTION ACT?
An Act that makes provision for the protection of individuals against the violation of their privacy rights by the processing of personal data.
DATA PROTECTION
Key TermsKey Terms inin
Data ProtectionData Protection
DATA PROTECTION
“…any information relating to an identified or
identifiable natural person; an identifiable person
is one who can be identified, directly or indirectly,
in particular by reference to an identification
number or to one or more factors specific to his
physical, physiological, mental, economic, cultural
or social identity;”
DPA Art. 2
PERSONAL DATAPERSONAL DATA
DATA PROTECTION
“…personal data that reveals race or ethnic
origin, political opinions, religious or
philosophical beliefs, membership of a trade
union, health, or sex life;”
DPA Art. 2
SENSITIVE PERSONAL DATASENSITIVE PERSONAL DATA
DATA PROTECTION
“…includes the collection, recording, organisation,
storage, adaptation, alteration, retrieval,
gathering, use, disclosure by transmission,
dissemination or otherwise making information
available, alignment or combination, blocking,
erasure or destruction of such data”
DPA Art. 2
PROCESSINGPROCESSING
DATA PROTECTION
“…any freely given, specific and informed
indication of the wishes of the data subject by
which he signifies his agreement to personal
data relating to him being processed”
DPA Art. 2
CONSENTCONSENT
DATA PROTECTION
Criteria for Criteria for
ProcessingProcessing
DATA PROTECTION
CRITERIA FOR CRITERIA FOR PROCESSINGPROCESSING
PERSONAL DATA
DPA Article 9
1. Unambiguous consent or2. Contract performance or 3. Legal obligation or4. Vital interests of data subject or5. Public Interest / Official Authority or6. Legitimate interest
SENSITIVE PERSONAL DATA
DPA Articles 12 & 13
1. Explicit Consent2. Subject made data public3. Conditions of employment4. Vital Interests & data subject incapable of giving consent5. Legal claims
DATA PROTECTION
Data ProtectionData Protection
PrinciplesPrinciples
DATA PROTECTION
Personal Data to be:
1. processed fairly and lawfully
2. processed in accordance with good practice
3. collected for specific, explicitly stated & legitimate purposes
4. processed for reasons compatible with the purpose it was collected
5. adequate and relevant to the processing purpose
6. not more than required for the processing purpose
7. correct and, if necessary, up to date
8. rectified
9. not kept for longer than necessary for the processing purpose
DPA Art. 7
THE NINE PRINCIPLES THE NINE PRINCIPLES for ‘good information for ‘good information handling’handling’
DATA PROTECTION
Rights of Rights of
Data SubjectsData Subjects
DATA PROTECTION
INFORMATION TO DATA SUBJECT
The data subject should be informed with at least the following:
a) identity and habitual residence or principal place of business of controller;
b) purposes of processing;
c) any further information such as:i) recipients or categories of recipients of dataii) whether reply to any questions is obligatory or voluntary, and possible consequence of failure to replyiii) existence of right of access, right to rectify and where applicable right to erase data.
DPA Art. 19
RIGHTS OF DATA SUBJECTS (1)RIGHTS OF DATA SUBJECTS (1)
DATA PROTECTION
Request of Data Subject must be:
at reasonable intervals in writing signed by data subject
Data Controller to provide:
without excessive delay without expense written information in an intelligible form
DPA Art. 21
RIGHT OF ACCESS
RIGHTS OF DATA SUBJECTS (2)RIGHTS OF DATA SUBJECTS (2)
DATA PROTECTION
The Data Subject may request rectification, blocking or erasure of his personal data.
If the request is justified, the Data Controller shall
rectify, block or erase such personal data accordingly.
notify third parties about such an event, unless this involves a disproportionate effort.
DPA Art. 22
RECTIFICATION
RIGHTS OF DATA SUBJECTS (3)RIGHTS OF DATA SUBJECTS (3)
DATA PROTECTION
SecuritySecurity
MeasuresMeasures
DATA PROTECTION
APPROPRIATE SAFEGUARDSAPPROPRIATE SAFEGUARDS
These include:
Access controls to information
e.g. passwords, access rights/privileges, encryption etc.
Physical Security safeguards
e.g. locking of file cabinets, computers, offices etc.
Awareness
DATA PROTECTION
Processing For Processing For
Research PurposesResearch Purposes
DATA PROTECTION
THE DATA PROTECTION ACT APPLIES WHEN:
Research is about individuals
Research involves personal data
Individuals are identifiable
DATA PROTECTION IN RESEARCHDATA PROTECTION IN RESEARCH
DATA PROTECTION
Sensitive Personal Data may be processed for Research Purposes:
On Public Interest grounds
With the approval of the Commissioner, on the advice of a Research Ethics Committee
DPA Art 16
PROCESSING CONCERNING PROCESSING CONCERNING RESEARCHRESEARCH
DATA PROTECTION
Specific Data Protection matters in research include:
Personal and Sensitive Data
Identifiable VS Anonymous Data
Consent – When do I need consent??
Dealing with children and vulnerable persons
Retention of Data
DPA Art 16
PROCESSING CONCERNING PROCESSING CONCERNING RESEARCHRESEARCH
DATA PROTECTION
CREATING THE RIGHT BALANCECREATING THE RIGHT BALANCE
RIGHTS OF PRIVACY OF INDIVIDUAL
NEED TO CARRY OUT RESEARCH
BETWEEN:
DATA PROTECTION
Procedure agreed Procedure agreed
With URECWith UREC
DATA PROTECTION
Proposal Form for ethical approval is submitted by researcher
Research Proposals are examined by the Faculty Research Ethics Committee and by the UREC
Approval is given if proposals are satisfactory
Approval from the UREC is deemed to be an adequate advice for the approval by the Commissioner
Researcher may proceed with the project once this is approved by the UREC
RESEARCH INVOLVING SENSITIVE PERSONAL DATA
PROCEDURE (1)PROCEDURE (1)
DATA PROTECTION
A list of approved projects is periodically forwarded to the Commissioner for final approval
The UREC may always consult the Commissioner in case of problems with particular projects
OBJECTIVES
Allow the researcher ample time to proceed with the study
The Researcher is not required to obtain an approval directly from the Commissioner
PROCEDURE (2)PROCEDURE (2)
DATA PROTECTION
Data Protection Principles
Rights of Data Subjects
OBJECTIVES
Inform researchers and ensure that these principles and rights are respected
It is important that all faculties use the same form in order to provide the same conditions and information to students
INCLUDES
PROPOSAL FORM PROPOSAL FORM
DATA PROTECTION
Office of the Commissioner for Data Protection
E-Mail: [email protected]
Website: www.dataprotection.gov.mt
FURTHER INFORMATIONFURTHER INFORMATION
DATA PROTECTION
THANK YOU!
Floor is open for discussion