Upload
magnus-turner
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
INTRODUCTION TO DATA PROTECTION
An overview of the IrishData Protection legislation
AGENDA
• Context• The Legislation• Definitions• The Data Life Cycle• The Data Subject Rights• The Data Protection Commissioner• Enforcement
WHY COMPLY WITH THE ACTS?
• ‘It’s the law of the land!’• Protection of Brand• Avoid risk to Reputation• Protection of trust
– Employees– Suppliers– Customers
• Enables good decision-making• Makes good business sense
CONTEXT
• Social• Technological• Historical• Commercial
DATA PROTECTION AND ‘THE BRAND’
IRISH DATA PROTECTION LEGISLATION
• Data Protection Act (1988)– Only for automated processing– Only for certain data management activities
• Data Protection (Amendment) Act (2003)– Applies to manual as well as electronic data
• Electronic Communications Regulations (2011)– Specifically for online/electronic marketing
DEFINED TERMS
• Automated data• Manual data• Relevant Filing System• Personal data• Sensitive Personal data• Processing
CHARACTERS IN THE ACTS
• Data Subject• Data Controller• Data Processor
THE DATA PROTECTION RULES
The DP Characters
1. AcquireFairly
2. Specified Purpose
3. Compatible Processing
4. Keep Safe
5. Keep Accurate
6. Adequate Processing
7. Retain / Destroy
8. Allow Access
RULE 1 – FAIRLY OBTAINING DATA
• Setting Data Subject Expectations• The Fair Processing Notice
– Verbal– Electronic– Graphic
• Lawful processing conditions– Section 2(a) – ‘Ordinary Data’– Section 2(b) – ‘ Sensitive Personal Data’
• On-going fair processing
CONSENT / EXPLICIT CONSENT
• Should be…– Unambiguous– Freely given– Informed– An active indication
CONSENT FOR DIRECT MARKETING
• Default ‘opt out’• Active ‘opt in’• Indication of interest• Prior purchase of product or service• A reasonable expectation of interest• Prior consent for calls to mobiles• Identification and provision of contact details• Message must include option to opt out• Must use contact data at least once in a
twelve-month period
LAWFUL USE OF DATA
• Rule 2 – Specific purpose or purposes– Consider minimum data requirements
• Rule 3 – Compatible processing– Only process in line with specified purpose(s)
• Rule 6 – Adequate, relevant, but not excessive use– Only process the minimum necessary to satisfy
purpose
RULE 4 – KEEPING DATA SAFE
• Proportionality• Acceptable use of available technology• Applies equally to automated and manual data• Importance of staff awareness• Due diligence towards third parties
– Contract must be in place!– Negotiation of contract clauses
RULE 5 – DATA ACCURACY
• “Data are inaccurate if they are incorrect or misleading as to any matter of fact”
• Data Controller obligation
• Frequency of checks
• Data quality criteria– Completeness– Consistency– Correct representation of reality– Fitness for Use
RULE 7 – DATA RETENTION AND DESTRUCTION
• Retention schedule– No specific guidelines within the legislation– UK National Archive guidelines– HIQA Recommendations
• Destruction policy– Constructive, verifiable method
• Rule applies equally to automated and manual data
RULE 8 – RIGHT OF ACCESS TO DATA
• Entitles the Data Subject to a copy of their own data
• Formal request process– Request in writing– Adequate identification– Payment of fee
• Controller’s Obligation to respond• Opportunity to decline the request• Exemptions
ROLE OF THE DP COMMISSIONER
• Helen Dixon – Irish DP Commissioner
• Role enshrined in the legislation• Responsible for dissemination of legislation• Interpretation of legislation in various
circumstances• Enforcement of lawful processing• Investigation on request• Prosecution in the event of a breach
DATA PROTECTION OFFICER (PROPOSED)
The Controller or Processor processing more than 5000 records must designate a Data Protection Officer ('DPO') • Governance of organisation’s data management• Drafting, deployment and compliant with data policies• Influencing system and functional changes• Being the ‘go to’ person for DP issues
• Currently an optional role within organisations• May soon be mandatory in certain circumstances
ENFORCEMENT OF LEGISLATION
• ‘Triable either way’ legislation• Summary Prosecution – capped at €3,000 / €5,000• Indictment prosecution – capped at €100,000 / €250,000
• Formal notices• Information• Enforcement• Prohibition
• Mandatory breach notification• Reputational damage of a breach• Cost of recovery of market share, good will, trust
SO WHY COMPLY WITH THE ACTS?
• ‘It’s the law of the land!’• Protection of Brand• Avoid risk to Reputation• Protection of trust
– Employees– Suppliers– Customers
• Enables good decision-making• Makes good business sense
SYTORUS LTD. – WHO WE ARE
• Data Protection Consultancy• Training
• Introductory• DPO Certification• Tailored to sector
• Data Management Assessments• Interim Data Protection Officer• Liaison with Office of the DP Commissioner
• Visit www.sytorus.com