Data Protection for heads of Government Departments
Seán Sweeney, Assistant Commissioner, Office of the Data Protection Commissioner, Ireland
Gibraltar, January 27th 2006

TRANSCRIPT

Page 1: Data Protection for heads of Government Departments

Seán Sweeney, Assistant Commissioner

Office of the Data Protection Commissioner, Ireland

Gibraltar

January 27th 2006

Page 2: Presentation Outline

Background – Human Rights
Data Protection Principles
Rights of data subjects
Some FAQs

Page 3: Why Data Protection?

Post-World War II emphasis on human rights
George Orwell, “1984” (published in 1949)
International agreements on human rights
Development of computer power

Page 4: Privacy: Legal development

Universal Declaration of Human Rights (1948)
European Convention on Human Rights (1950)
Convention 108 (Council of Europe, 1981)

Background

Page 5: UN Universal Declaration of Human Rights, 1948

Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference ….

Page 6: European Convention on Human Rights, 1950

Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society

Background

Page 7: Key concept

Privacy is a Human Right

Page 8: Council of Europe Convention, 1981

Also called “Convention 108”
Deals specifically with data protection
Ireland’s Data Protection Act 1988 gives effect to this Convention

Page 9: Directive 95/46/EC

Harmonisation across EU
– Free movement of data across EU
Extends DP to manual records

Page 10: Key concept

Data Protection Laws are one method of protecting privacy rights.

Page 11: Essential points

People have a fundamental right to privacy
– You are legally obliged to recognise this right
Showing that you recognise and protect that right makes good sense
– Increased confidence/trust of customers

Page 12: How DP legislation works

By imposing obligations on those who process personal data;
By providing rights to individuals regarding how their data are processed.

Page 13: Limited exemptions

Data exempt on national security grounds
Data processed for personal, domestic or recreational purposes

Page 14: Data Protection Principles

1. Fair obtaining (consent)
2. Accurate
3. Specified purpose
4. No further processing unless compatible
5. Relevant, not excessive
6. Retention period
7. Safe & secure
8. Comply with access request

Page 15: Obtain & Process Fairly I

Data controller must give full information about
– identity
– purposes
– disclosees
– any other data necessary for “fairness”
Third party data controllers
– must contact data subject to provide these details
– must give name of original data controller

1st Principle

Page 16: Obtain & Process Fairly II

One of these conditions is required:
Consent
Legal obligation
Contract with individual
Necessary to protect vital interests
Necessary for a public function (justice)
Necessary for ‘legitimate interests’

1st Principle

Page 17: Processing Sensitive Data (1)

One of these additional conditions is required:
Explicit consent
Necessary under employment law
To prevent injury or protect vital interests
Legal advice
For medical purposes
Statutory function

1st Principle

Page 18: Processing Sensitive Data (2)

Specific Government sector provisions
Administration of benefit or pension by the Crown
Tax collection

1st Principle

Page 19: What are sensitive data?

Physical or mental health
Racial origin
Political opinions
Religious or other beliefs
Sexual life
Criminal convictions
Alleged commission of an offence
Trade union membership

Page 20: Fair Obtaining - practical

Transparency is the key issue
Generally, a person should know
– who is processing his/her data
– and for what purpose

Page 21: Fair Obtaining - practical

Consent is easiest to rely upon
– If the data come from a 3rd party, it is their responsibility to demonstrate legitimacy to you
Consent has to be freely given
Statutory provisions allow Govt Depts to process data without consent – in certain circumstances

Page 22: Fair Obtaining - practical

CCTV – well placed signage meets the transparency requirement
Consent not required if CCTV is for security
– Legitimate interest
Consent not required if for health & safety
– Legal obligation
Though consent is not required, transparency requires that information is supplied (sign)

Page 23: Fair Obtaining - practical

If relying on consent for data obtained on a form
– Require any consent clause to be at least as big a font size as the data collection element of the form
– If on-line, require a privacy statement that covers transparency & fair obtaining requirements

Page 24: Accurate, Complete, up to date

Often a reactive rather than proactive task

2nd Principle

Page 25: Accurate - practical

If you change your address and do not tell a Government Department, it is not at fault for sending mail to your old address.

However, if mail is returned to the sender as undeliverable, the sender must act, by at least not sending any more mail to that address.

Page 26: Specified Purpose

Part of the obligations when obtaining data is to specify the purpose
Cannot expand the purpose without reverting to the individual

3rd Principle

Page 27: Purpose - practical

Purpose might be implied from the transaction
- such as for administration of benefit.
Otherwise, it should be clearly referred to

Page 28: Purpose – case study

Teacher strike action
Dept Education accessed the payroll database to identify teachers paying subs to a particular union
Used the information to deduct pay of all union members
Data not obtained for that purpose; Dept had to repay the teachers

Page 29: Disclosing personal data

Further processing not generally permitted – compatibility test
Section 19 – lifts the restrictions on disclosure:
– crime; tax; State security;
– required urgently to protect life and limb
– required by law or court order
– with consent of, or on behalf of, data subject

4th Principle

Page 30: Disclosure Policy

The Data Controller should have a policy in place to determine how requests for data from third parties are handled.

This policy should be consulted by appropriate staff members.

Page 31: Disclosure - practical

An example of a compatible disclosure is where you supply data to an organisation in order to get a product/service. If that organisation must supply your data to a third party in order to get that product/service delivered, it is a compatible disclosure.

Page 32: Disclosure - practical

Army deafness claims
Dept Defence supplied a list of claimants to Dept Social Welfare to check if they had also claimed there
This is a disclosure, as the two Departments are not one Data Controller
Not lawful, as the anti-fraud exemption is case-by-case

Page 33: Disclosure – case study

Local Authority published planning applications on line (incl. identity documents)
Motivated by drive for more e-Government
Legislation allowed files to be consulted by any member of the public
On-line publication went beyond the legal requirement

Page 34: Relevant and not excessive

Do you need all this data?
- look at a form and see if you need all the data
- can data collected be culled over time?
Different policies for different types of file

5th Principle

Page 35: Retention of data

Legal obligations to hold data?
Customer files
– Do you need to hold all that data?
Personnel files
– Revenue requirement?
Must have policy thought through
– Defend retention as necessary for purpose.

6th Principle

Page 36: Retention – HR files

When an employee leaves/retires, the employer might have a long term need to hold onto certain data
– Dates of employment
– Positions held
– Tax record
– Injuries
But other data has no purpose beyond the time an ex-employee might seek a reference
– Assessments & evaluations

6th Principle

Page 37: Retention – Query files

Inquiries may be logged and retained for a short period in case they develop into substantive files
But if the issue doesn’t develop, the file should be reviewed
– If no purpose, delete file
– May retain anonymised details for statistical purposes

6th Principle

Page 38: Retention – Financial record

E-government may result in credit card details being collected and retained
May make future transactions easier and more secure
Can only be retained with customer consent!

6th Principle

Page 39: Security Procedures

Security measures
Appropriate security measures
• Appropriate to the harm that might result
• Appropriate to the nature of the data
May have regard to cost of implementation
May have regard to the current state of technology
Staff must know and comply with measures
Internal review of security measures – part of Internal Audit function?

7th Principle

Page 40: Data Protection Training

Obligation on employer to ensure staff are aware of data protection security obligations (especially access).
– Training
– Can be satisfied by a simple circular in some cases, by a formal course in others

Page 41: Data Processors

Agents and sub-contractors
There must be a written contract in place
Data Controller must take reasonable steps to ensure compliance with security measures

Page 42: Security - practical

Security standard should be reviewed
- if the types of data being processed are changed;
- if the organisation’s resources increase;
- at least on an annual basis, to see if new measures may be employed
- state sector can’t plead poverty – must be at leading edge

Page 43: Security - practical

Access to data should be on a need to know basis
Access controls should be known about, enforced and reviewed

Page 44: Security – case study

Lottery winner wins €100million+
Her file in Dept of Social & Family Affairs is viewed by a large number of the Dept’s staff shortly after the win
Dept immediately identifies the unusual traffic and identifies the staff involved
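The case study turns on spotting an abnormal burst of distinct staff viewing one record, and it also shows what "access controls ... reviewed" on the previous slide looks like in practice. The following is an added example, not code from the presentation or from the Department's own systems: a Python script that slides a 15-minute window over a constructed audit trail and flags any record viewed by more than three distinct staff within that window, returning the staff involved. The log line format, the field names, the window length and the threshold are all assumptions; a real department would set them against its own normal traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Assumed line format:
# <ISO timestamp> <staff id> <action> <record id>
# REC-3377 is the record that attracts a burst of curiosity; REC-2210 is normal traffic.
SAMPLE_LOG = """\
2005-07-29T10:02:11 staff007 VIEW REC-2210
2005-07-30T11:15:40 staff007 VIEW REC-2210
2005-08-01T09:00:12 staff042 VIEW REC-3377
2005-08-01T09:01:45 staff017 VIEW REC-3377
2005-08-01T09:02:03 staff088 VIEW REC-3377
2005-08-01T09:02:51 staff113 VIEW REC-3377
2005-08-01T09:03:30 staff042 VIEW REC-3377
2005-08-01T09:04:17 staff201 VIEW REC-3377
2005-08-01T09:05:02 staff156 VIEW REC-3377
2005-08-01T09:06:48 staff099 UPDATE REC-2210
2005-08-01T09:07:10 staff064 VIEW REC-3377
2005-08-01T09:30:00 staff007 VIEW REC-2210
2005-08-02T14:12:00 staff042 VIEW REC-3377
"""


def parse_audit_log(text):
    """Parse log lines into (timestamp, staff, action, record) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, action, record = line.split()
        events.append((datetime.fromisoformat(ts), staff, action, record))
    return events


def flag_unusual_access(events, window=timedelta(minutes=15), max_viewers=3):
    """Return {record: sorted staff ids} for every record that more than
    `max_viewers` distinct staff VIEWed within any `window`-long period.

    For each record the VIEW events are sorted by time and a two-pointer
    sliding window is moved over them; whenever the distinct-staff count in the
    window exceeds the threshold, the staff in that window are added to the
    record's flagged set (the union over all offending windows)."""
    views = defaultdict(list)
    for ts, staff, action, record in events:
        if action == "VIEW":          # only reads of the file count as "viewing"
            views[record].append((ts, staff))

    flagged = {}
    for record, entries in views.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # advance the window start until it spans at most `window`
            while entries[end][0] - entries[start][0] > window:
                start += 1
            staff_in_window = {s for _, s in entries[start:end + 1]}
            if len(staff_in_window) > max_viewers:
                flagged.setdefault(record, set()).update(staff_in_window)
    return {rec: sorted(staff) for rec, staff in flagged.items()}


def report(text):
    """Convenience wrapper: parse the log text and return the flagged records."""
    return flag_unusual_access(parse_audit_log(text))


if __name__ == "__main__":
    for record, staff in report(SAMPLE_LOG).items():
        print(f"{record}: {len(staff)} distinct viewers in a 15-minute window -> {', '.join(staff)}")
```

Run stand-alone it prints the one flagged record and the seven staff who viewed it; the ordinary record, viewed by one officer over several days, is left alone. The same function run over a live audit trail, with the threshold set from each record's normal access rate, is the review that lets a Department identify both the unusual traffic and the staff involved, which is the baseline the slide above expects.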

Page 45: Rights of Individuals

o To have data processed in accordance with principles
o To get a copy of personal information
o To correct information if it is wrong
o To opt out of direct marketing
o To complain to the Data Protection Commissioner

8th Principle

Page 46: Access Requests

Section 14 (exceptions: section 19)
Availability of material subject to receipt of an Access Request
May question:
– Relevance
– Excessive nature
– Retention, etc.

Page 47: Scope of Access Request

Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

Page 48: Opinion given in confidence

Exempt from an access request if the expression of an opinion was given in confidence or under the understanding that it would be treated as confidential.

This is useful when giving references.

Page 49: Exempt from Access Requests

Data relating to a criminal investigation
Includes disciplinary investigations
A claim of liability
Data covered by legal privilege

Page 50: Access – Disciplinary Investigation

Exempt if access would prejudice the investigation
No longer exempt after the investigation has concluded

Page 51: Employee Access Rights

Same rights as any data subject
Not all documents bearing an employee’s name are personal data
Authoring a document in a work capacity does not mean that the document is personal.

Page 52: Access Requests - Resources

Should not require significant resources
Low rate of requests in general
Retention principle should encourage deletion of data on a regular basis, thus limiting the amount of data to be searched

Page 53: Access Requests - Practical

Staff should be able to identify a subject access request when one is received
Necessary because of the deadline
Ideally, have an identified point of contact within the Dept to handle requests

Page 54: Structured files

Must be able to search files
By name of data subject?
By other reasonable identifier?
By date/file reference supplied by data subject
Electronic records are easier to search than manual records

Page 55: Enforced subject access

An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment
Police and credit records cannot be accessed unless by law

Page 56: Empowerment

The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Page 57: Right to correct/erase

Personal data must be:
– Corrected, if inaccurate; or
– Deleted, if it should not be held (very rare).
Should not be a significant issue if the organisation is well run
– May get DS complaining about data being held

Page 58: Direct Marketing

Commonest topic for complaints
– So expect people will complain
Must be able to administer a “do not mail” list/suppression file
Must tell DS the source of the data
Government information campaigns are direct marketing

Page 59: Public Register

Describe data handling practices
– Purpose
– Type of data
– Transfers abroad
– Disclosures
Public: transparency and openness
Will involve careful thought initially, but little ongoing resources

Page 60: Why Register?

Is a legal obligation
But also a very useful way for the Data Protection Commissioner to interact with Data Controllers
Helps Data Controllers focus on Data Protection at the time of registration

Page 61: Who is responsible?

DP is a management issue
HR or IT sections may have a role in administration of the DP regime
Managers responsible to ensure DP regime is correct
Must consider DP aspect of all initiatives involving personal data
Privacy Impact Assessments?

Page 62: Frequently Asked Questions

Page 63: How must an Access Request be handled?

Quickly, within 21 days
Ensure you are dealing with the correct DS
– Identity documents
Can ask DS to restrict search
Can ask DS if he/she would be satisfied with viewing the file

Page 64: Can an employer monitor staff?

Yes, depending on the conditions of any in-house policy document.

Monitoring should be proportionate and as minimally intrusive as possible.

Examination of e-mail content or web profiles should be done in the context of a disciplinary inquiry.

Page 65: Can monitoring occur without employee consent?

Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.

Where the employer can rely on the legitimate interest provision, consent is not required.

Page 66: What about covert surveillance?

Not generally permitted
However, if investigating a serious matter, limited, focused, short term covert monitoring may be allowed
Exceptional circumstances only

Page 67: Can I get a copy of my personnel file?

You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes.

Opinions given in confidence may be withheld.

Page 68: Can I outsource data?

No difficulty if you use a contract with your data processor.
If you transfer data outside the EEA, you will have to meet certain conditions.
So, you may have to review current and planned use of data processors.
You should also be aware of your role in ensuring agents behave appropriately.

Page 69: Can I put employee details on website?

Certain details may be appropriate
– Name, position, contact details, special training
Other details are not necessary
– Photographs, salary, family details

Page 70: Thank you for listening