data protection & law enforcement seán sweeney assistant commissioner office of the data...
TRANSCRIPT
Data Protection &Data Protection &Law EnforcementLaw Enforcement
Seán SweeneyAssistant Commissioner
Office of the Data Protection CommissionerIreland
Gibraltar
January 27th 2006
Presentation OutlinePresentation Outline Background – Human Rights Data Protection Principles Rights of data subjects Some FAQs
Why Data Protection?Why Data Protection?
Post-Word War II emphasis on human rights – Police States
George Orwell, “1984” (published in 1949) International Agreements on Human Rights Development of computer power
Privacy: Legal developmentPrivacy: Legal developmentUniversal Declaration on Human Rights
(1948)European Convention on Human Rights
(1950)Convention 108 (Council of Europe, 1981)
Background
UN Universal Declaration UN Universal Declaration on Human Rights, 1948on Human Rights, 1948
Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference ….
European Convention on European Convention on Human Rights, 1950Human Rights, 1950
Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society
Background
Council of Europe Council of Europe Convention, 1981Convention, 1981
Also called “Convention 108”Deals specifically with data protectionIreland’s Data Protection Act 1988 gives
effect to this Convention
Directive 95/46/ECDirective 95/46/ECHarmonisation across EU.
– Free movement of data across EU
Extends DP to manual records.
Essential pointsEssential pointsPeople have a fundamental right to privacy
– You are legally obliged to recognise this right
Showing that you recognise and protect that right makes good sense– Increased confidence/trust of customers– Better cooperation/support
How DP legislation workHow DP legislation work
By imposing obligations on those who process personal data;
By providing rights to individuals regarding how their data are processed.
Limited exemptions:Limited exemptions:
Data exempt on National Security grounds.
Data that is processed for personal domestic or recreational purposes
Data Protection Principles.Data Protection Principles.
1. Fair obtaining consent
2. Accurate
3. Specified purpose
4. No further processing Unless compatible
5. Relevant, not excessive
6. Retention period
7. Safe & secure
8. Comply with access request
Obtain & Process Fairly IObtain & Process Fairly I Data controller must give full information about
– identity– purposes– disclosees– any other data necessary for “fairness”
Third party data controllers– must contact data subject to provide these details– must give name of original data controller
1st Principle
Obtain & Process Fairly IIObtain & Process Fairly II One of these conditions required: Consent Legal obligation Contract with individual Necessary to protect vital interests Necessary for a public function (Justice) necessary for ‘legitimate interests’
1st Principle
Processing Sensitive Data (1)Processing Sensitive Data (1)
One of these additional conditions is required Explicit consent Necessary under employment law To prevent injury or protect vital interests Legal advice For Medical Purposes Statutory function
1st Principle
What are sensitive data?What are sensitive data? Physical or mental health Racial origin Political opinions Religious or other beliefs Sexual life Criminal convictions Alleged commission of offence Trade Union membership
Fair Obtaining - practicalFair Obtaining - practicalTransparency is the key issueGenerally, a person should know
– who is processing his/her data– and for what purpose
Fair Obtaining - practicalFair Obtaining - practicalExemption means police may covertly
collect dataPolice may process data without consent if
necessary for the investigation & detection of offences
Accurate, Complete, up to dateAccurate, Complete, up to date
Often a reactive rather than proactive task
2nd Principle
Accurate - practicalAccurate - practicalIf a person gives false identity details when
questioned, police must correct details when become aware of true identity.
Accurate – case studyAccurate – case study Terrorist suspect has minor conviction Appeals outcome, change of penalty Police record incorrectly identifies Court location
and penalty imposed Subject Access Request & makes complaint Police obliged to correct record and review
recording procedures
Specified PurposeSpecified Purpose
Part of obligations when obtaining to specify purpose
Cannot expand purpose without reverting to individual
3rd Principle
Purpose - practicalPurpose - practical
Police purpose is defined in law and cannot be expanded with new role assigned to police by Government
Purpose – case studyPurpose – case studyVictim Support body collects data from
victims to offer supportPolice hold data for law enforcement
purposePolice want to use data to assist Victim
Support in referralsThis is a new purpose and requires consent
of victims
Disclosing personal dataDisclosing personal data Further processing not generally permitted –
compatibility test section 19 – lifts the restrictions on disclosure:
– crime; tax; State security;– required urgently to protect life and limb– required by law or court order– with consent of, or on behalf of, data subject
4th Principle
Disclosure PolicyDisclosure PolicyThe Data Controller should have a policy
in place to determine how requests for data from third parties are handled.
This policy should be consulted by appropriate staff members
Disclosure - practicalDisclosure - practicalAny DC can give data to police where
necessary to investigate crimeDC must be satisfied that is genuine
investigation – may contact superior officerSpecific procedures should be in place for
access to data such as telephone records
Relevant and not excessiveRelevant and not excessive
• Police forces require information in order to operate
• Accept it is difficult to judge relevance• DPAs reluctant to second guess police
forces
5th Principle
Relevant – case studyRelevant – case study• Female teacher involved in public order
offences when drunk• “Friendly” with police officers• Computer record contains racy
comments about her• She is aware of nature of record• Information not relevant & is deleted
5th Principle
Retention of dataRetention of data Legal obligations to hold data? Can older reports be anonymised where no
action was taken? Provision for spent convictions may result in
files being culled over time
6th Principle
Security ProceduresSecurity ProceduresSecurity measures
Appropriate security measures• Appropriate to the harm that might result..• Appropriate to the nature of the data
May have regard to cost of implementation May have regard to the current state of technology Staff must know and comply with measures Internal review of security measures-part of
Internal Audit function ?
7th Principle
Data Protection Training.Data Protection Training.Obligation on employer to ensure staff
are aware of data protection security obligations (especially access).– Training– Can be satisfied by a simple circular in some
cases, by a formal course in others
Data ProcessorsData Processors
Agents and sub-contractors
There must be a written contract in place
Data Controller must take reasonable steps to ensure compliance with security measures
Security - practicalSecurity - practical Security standard should be reviewed
- if the types of data being processed are changed;- if the organisation’s resources increase;- at least on an annual basis to see if new measures may be employed- state sector can’t plead poverty – must be at leading edge
Security - practicalSecurity - practicalAccess to data should be on a need to know
basisAccess controls should be known about,
enforced and reviewed
Security – case studySecurity – case study
Police officer checks vehicle file on behalf of friend
Friend wants to know identity of ex-partner’s new boyfriend
Improper access identified from examination of access log
New audit policy to identify misuse
Rights of IndividualsRights of Individualso To have data processed in accordance
with principleso To get a copy of personal informationo To correct information if it is wrongo To opt out of direct marketingo To complain to the Data Protection
Commissioner
8th Principle
Access RequestsAccess Requests
Section 14 –exceptions section 19. Availability of material subject to receipt of an
Access Request May question:
– Relevance– Excessive nature– Retention, etc
Scope of Access RequestScope of Access Request
Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
Opinion given in confidenceOpinion given in confidenceExempt from an access request if the
expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
This is useful when giving references
Exempt from Access RequestsExempt from Access Requests Data relating to a criminal investigation If release would prejudice investigation Exemption does not apply once
investigation complete (unless would influence another investigation)
Access Requests - PracticalAccess Requests - Practical Staff should be able to identify a subject
access request when one is receivedNecessary because of deadline
Ideally, have an identified point of contact within force to handle requests
Structured filesStructured files Must be able to search files
By name of data subject?By other reasonable identifier?By date/file reference supplied by data
subjectElectronic records easier to search than
manual records
Enforced subject accessEnforced subject access An employer cannot ask an employee to
use his/her access right to obtain data in order to gain/retain employmentPolice records cannot be accessed unless by
law (vetting of child care workers)Provision not yet in place in Ireland so police
end up dealing with ~10,000 SAR per annum
EmpowermentEmpowerment
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
Right to correct/eraseRight to correct/erase
Personal data must be:– Corrected, if inaccurate; or– Deleted, if should not be held (very rare).
Should not be a significant issue if organisation well run– May get DS complaining about data being held
Public RegisterPublic Register
Describe Data handling practices– Purpose Transfers abroad– Type of data Disclosures
Public: transparency and opennessWill involve careful thought initially, but
little ongoing resources
Why Register?Why Register? Is a legal obligation But also a very useful way for Data Protection
Commissioner to interact with Data Controllers Helps Data Controllers focus on Data Protection
at time of registration
How must an Access Request be How must an Access Request be handled?handled?
Quickly, within 21 days Ensure you are dealing with correct DS
– Identity documents Can ask DS to restrict search
– Criminal record; firearm license. Can ask DS if he/she would be satisfied with
viewing file (esp. CCTV)
What about covert What about covert surveillance?surveillance?
Not generally permittedHowever, if investigating serious matter,
limited, focused short term covert monitoring may be allowed
Exceptional circumstances only
Can I get a copy of Can I get a copy of my personnel file?my personnel file?
You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes.
Opinions given in confidence may be withheld.
Can I respond to a request for Can I respond to a request for data from abroad?data from abroad?
Difficult to justify in absence of Mutual Assistance Treaty or other legal instrument
May use compatibility test when cooperating with other police forces
Controllee exchange via Europol or Schengen Information Systems