Data Protection and the GRA

1. Commentary on Data Protection

2. The GRA’s Role• The Register• Investigations, Mediation and

Compensation• Enforcement Notices • Information Notices • Codes of Practice • Authorised Officers

Presentation Overview

Data Protection -More than just Confidentiality

• Widespread misconception that DP exists only to ensure confidentiality

• In fact, confidentiality, although a key issue is only one of the reasons for DP legislation

• Advent of data-hungry systems and ability for instant transfer of large amounts of data make DP legislation more relevant now than many years ago

• Legislation exists to ensure personal data is processed in a manner which does not harm the individuals concerned

• Correct application of the principles will ensure this

The GRA’s Role

Supervisory Authority

21.(1) There shall be a Data Protection Commissioner (“the Commissioner”) who shall be independent in the exercise of his functions under this Ordinance.

(2) The Data Protection Commissioner shall be the Gibraltar Regulatory Authority who shall perform the functions conferred by this Ordinance and any regulations enacted under it.

Data Protection Ordinance 2004Part IV Supervisory Authority

1- The Register

22.(1) The Commissioner shall establish and maintain a register (“the Register”) of processing operations and shall make, as appropriate, an entry in the register in respect of each application for registration accepted by the Commissioner. “processing of personal data” (“processing”) means any operation or set of operations which is performed on personal data, whether or not by automatic means, including collecting, storing, recording, organising, consulting, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

Section 22(2) Members of the public may– 

(a) inspect the Register free of charge at all reasonable times and may take copies of, or of extracts from, any entry in the Register;(b) on payment to the Commissioner of any reasonable fee prescribed, obtain from the Commissioner a copy (certified by him or by a member of his staff to be a true copy) of, or of an extract from, any entry in the Register.

The Register cont’d

Application for Registration

1. Form DP1A (Notification of Data Controller)

2. ALL processing operations must be registered

3. online (preferable) or manually

4. DC’s need not wait for confirmation from GRA to continue with processing of data

5. In Gibraltar, all DC’s have an OBLIGATION to register (apart from some exceptions written into the Ordinance)

2 - Investigations, Mediation and Compensation

• Powers granted by virtue of s25 DPO

• Commissioner may choose to investigate or may cause an investigation following a complaint from an individual

• Commissioner is to act as mediator in determining whether an individual has suffered damages due to DC acting in contravention of the DPO

• Aggrieved individuals are due compensation and the amount determined by the Commissioner

• Appeal on compensation to the Supreme Court

3 - Enforcement Notices

• Powers granted by virtue of s26 DPO

• Commissioner may issue Enforcement Notice if he believes a person has contravened the DPO

• May ask person involved to block, rectify, erase or destroy any of the data concerned

• “Urgent” Enforcement Notices are provided for and may be enforced by Commissioner if he deems fit

4 - Information Notices

• Powers granted by virtue of s27 DPO

• Commissioner may issue Information Notice in order to obtain information required to perform his function under the DPO

• “Urgent” Information Notices are provided for and may be enforced by Commissioner if he deems fit

5 - Codes of Practice

• Powers granted by virtue of s28 DPO

• Commissioner may promote the following of good practices in order that the DPO is complied with

• The Commissioner shall arrange for the effective dissemination of Community findings, decisions of the European Commission or any other relevant information as regards transfer of personal data to non EEA states

• The Commissioner shall encourage trade associations to devise codes of practice

• The Commissioner’s advice may be sought by bodies who prepare codes of practice

Codes of Practice (cont.)

• The Commissioner will encourage approved Codes of Conduct to be disseminated to data controllers concerned

• However, Commissioner may disapprove a Code in which case his decision will be communicated to parties involved

• Codes of practice written by or approved by, the Commissioner will be taken into consideration in any court proceedings

6 - Authorised Officers

• Powers granted by virtue of s29 DPO

• The Commissioner may, in writing, authorise persons to exercise the powers conferred to him under s25-29 of the DPO