Data Protection and the Voluntary Sector: Respecting the Rights of the Individual Billy Hawkes Data Protection Commissioner Carmichael Centre Dublin, 2 November 2010

Page 1: Data Protection and  the Voluntary Sector: Respecting the Rights of the Individual

Data Protection and the Voluntary Sector: Respecting the Rights of the Individual

Billy Hawkes, Data Protection Commissioner

Carmichael Centre, Dublin, 2 November 2010

Page 2

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Page 3

Data Protection: a Human Right

• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Data Protection: Fundamental Right under EU Law
• EU and Irish law on Data Protection: Data Protection Acts 1988 & 2003; Electronic Privacy Regulations 2003 & 2008

Page 4

EU Charter of Fundamental Rights: Article 8 (Protection of personal data)

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

Page 5

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Page 6

The Data Protection Rules

1. Fair obtaining & processing (consent)
2. Specified purpose
3. No disclosure unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

Page 7

Rights and Obligations

• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”
  – Data Subject: volunteers, employees, customers/clients
  – Personal Data: anything that can be linked to a living individual (databases, lists, CCTV)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
  – Usually a corporate entity, e.g. a Charitable Organisation; NOT the individual employee or volunteer

Page 8

Rights of Individuals

• to fairness when giving information
• to get a copy of their personal information (includes both computer and manual files)
• to have wrong information corrected
• to opt out of marketing (includes mail & phone)
• to complain to the Data Protection Commissioner

Page 9

Rule 1: Obtain & Process Fairly

One of these conditions is required:
• Consent (self or parent etc.)
• Legal obligation
• Contract with individual
• Necessary to protect vital interests of individual
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’ of organisation or third party, balanced against the rights of the individual

Pages 10–13

Responsibilities on Organisations (Data Controllers) at the different stages

Beginning (Getting the data):
• Inform and get consent
• Justification to process
• Specify purpose
• Only gather what is required

Middle (While you have the data):
• Respond to access requests
• Keep accurate
• Keep secure
• Disclose only if compatible or allowable exception

End (Disposing of data):
• Have a retention policy
• Dispose securely

Page 14

Sensitive Data (special protection)

• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership

Page 15

Rule 4: Keep Safe and Secure

Appropriate security measures:
• Appropriate to the harm that might result
• Appropriate to the nature of the data
• May have regard to cost of implementation
• May have regard to the current state of technology
• Staff/volunteers must know and comply with measures

Page 16

Data Protection Training

• Obligation on organisation to ensure staff are aware of data protection obligations: training

Page 17

Rule 7: Retain no longer than necessary

• Legal obligations to hold data?
• Customer/Client files: do you need to hold all that data? Customers? Volunteers? Supporters? Employees?
• Must have a policy thought through: defend retention as necessary for purpose.

Page 18

Right of Access

• Every data subject has a right to request and receive a copy of ALL personal data in ALL forms relating to her/him (only) held by a data controller
• Maximum 40 days to respond
• Maximum charge of €6.35 (includes photocopying etc.)

Page 19

Right to opt out of direct marketing

• Data subject may opt out of direct marketing database (e.g. a mailing list)
• Data controller must delete the data subject’s details (or stop using them for direct marketing)
• Data controller must reply within 40 days

Page 20

Electronic Marketing

• SMS and e-mail unsolicited marketing banned
• Phone marketing banned if:
  – Customer on National Directory Database ‘opt-out’ list
  – Has specifically asked not to be contacted
• Non-compliance a criminal offence

Page 21

Data Processors

• Agents and sub-contractors
• There must be a written contract in place
• Data Controller must take reasonable steps to ensure compliance with security measures

Page 22

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Page 23

Role of Data Protection Commissioner (standard throughout EU)

• Enforcer Role: compliance by data controllers & processors
• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
• Educational Role: promotes DP rights and good practice
• Registration Authority: obligation on major holders of personal data to be placed on public register

Page 24

How does the (Irish) DPC fulfil its role?

• Investigations/Audits: arising from complaints, or on own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report

Page 25

General Approach of DPC

• Strong emphasis on Education
• Supportive of compliant data controllers
• Alert to issues arising from Complaints
  – Emphasis on Right of Access
  – Addressing the “big picture”
• Target problem data controllers: use full powers
• Work with other Regulators

Page 26

Complaints 2009

• 914 formal complaints
• Many more enquiries dealt with informally
• Most resolved amicably

Type                 %
Direct Marketing*    30
Access Rights        29
Disclosure           17
Unfair Obtaining      5
Security              4

* Mainly electronic (SMS etc.)

Page 27

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Page 28

Good Practice: General

• Transparent and balanced approach to collecting and using personal data
• Build DP in early in systems and policy proposals
• People informed about data collection and use (privacy notices on websites etc.)
• Consult DPC guidance (www.dataprotection.ie)

Page 29

Good Practice: Audit

• Do we know what types of personal data we hold? Electronically (also CCTV images); on paper
• Can we justify: Why we collect it? What it is used for? Length of time we hold it? Who has access to it? Who it is disclosed to?

Page 30

Good Practice: Access & Correction Requests

Can we:
• Provide a description of the personal data we hold on an individual within a max. of 20 days?
• Provide a copy of this data within a max. of 40 days?
• Correct or erase data within 40 days?

Page 31

Good Practice: Security

• Access Controls: internal, external, audit trails
• Vulnerabilities: portable devices
• Passwords AND encryption
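The access-control and audit-trail points on this slide, as an added example (not code from the presentation or from the Data Protection Commissioner): a small client-record store in which each role may read only the categories it needs, every read attempt is logged whether or not it succeeds, and the log records an opaque client reference and the category asked for rather than the data itself. The roles, the permission matrix and the sample records are assumptions made for illustration.

```python
"""Access controls with an audit trail for client records (added example).

Assumed for illustration: the roles, the permission matrix and the
constructed sample records. Nothing here is taken from the presentation.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List

# Which categories of personal data each role may read. Sensitive categories
# (health, vetting, case notes) are confined to the roles that need them.
PERMISSIONS: Dict[str, frozenset] = {
    "caseworker": frozenset({"contact", "case_notes", "health"}),
    "child_protection_officer": frozenset({"contact", "case_notes", "vetting"}),
    "fundraiser": frozenset({"contact"}),
    "volunteer": frozenset({"contact"}),
}

# Constructed sample records, keyed by an opaque client reference.
SAMPLE_RECORDS: Dict[str, Dict[str, Any]] = {
    "C-0001": {
        "contact": {"email": "client1@example.org"},
        "case_notes": "Constructed case note text.",
        "health": "Constructed health note.",
        "vetting": "Constructed vetting outcome.",
    },
}


@dataclass(frozen=True)
class AuditEntry:
    when: str          # UTC timestamp
    actor: str         # who asked
    role: str          # the role they acted under
    client_ref: str    # opaque reference, never the client's name
    category: str      # what they asked for
    allowed: bool      # whether the read was permitted


class RecordStore:
    """Every read goes through read(); there is no other path to the data."""

    def __init__(self, records: Dict[str, Dict[str, Any]]):
        self._records = records
        self.audit: List[AuditEntry] = []   # append-only in use; never hand out for editing

    def read(self, actor: str, role: str, client_ref: str, category: str) -> Any:
        allowed = category in PERMISSIONS.get(role, frozenset())
        # Log before deciding, so refused attempts are recorded too.
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            actor, role, client_ref, category, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {category!r}")
        return self._records[client_ref][category]


def denied_attempts(store: RecordStore) -> List[AuditEntry]:
    """Refused reads: the first thing to look at when reviewing the trail."""
    return [e for e in store.audit if not e.allowed]


def repeat_offenders(store: RecordStore, threshold: int = 2) -> Dict[str, int]:
    """Actors refused at least `threshold` times; worth a conversation."""
    counts = Counter(e.actor for e in denied_attempts(store))
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    store = RecordStore(SAMPLE_RECORDS)
    store.read("anne", "caseworker", "C-0001", "health")
    for _ in range(2):
        try:
            store.read("bob", "fundraiser", "C-0001", "health")
        except PermissionError as err:
            print("refused:", err)
    print(repeat_offenders(store))   # {'bob': 2}
```

Two design points carry over to any real system: the audit entry holds a reference and a category, never the record contents, so the trail itself does not become a second copy of sensitive data; and the refusal is logged before the exception is raised, so the trail shows who tried and failed, which is what a periodic review of access is looking for.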

Page 32

Good Practice: Disposal

• Do not retain personal data for any longer than can be objectively justified: clear policy
• Comply with legal retention obligations
• Orderly and secure disposal of old records
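The retention policy called for on Page 17 and the disposal practice on this slide, as an added example (not code from the presentation): a review that sorts records into keep, dispose and needs-a-decision, treats a legal retention obligation as a hold that overrides the schedule, and produces a disposal ledger that holds no personal data. The retention schedule, the record categories and the sample records are assumptions for illustration and are not legal advice; an organisation has to derive its own schedule from its purposes and its statutory obligations.

```python
"""Retention review with a legal-hold exception and a disposal ledger (added example).

The retention schedule, record categories and sample records are assumed for
illustration only; they are not legal advice, and an organisation must derive
its own schedule from its purposes and statutory obligations.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Days to keep a record after the purpose it was collected for has ended
# (membership lapsed, contact closed, recruitment finished). Assumed values.
RETENTION_DAYS: Dict[str, int] = {
    "membership": 2 * 365,
    "helpline_contact": 30,
    "unsuccessful_volunteer_application": 180,
    "payroll": 7 * 365,
}


@dataclass
class Record:
    ref: str                       # opaque reference, not a name
    category: str
    purpose_ended: Optional[date]  # None while the record is still in use
    legal_hold: bool = False       # e.g. subject of a complaint or litigation


def retain_until(rec: Record) -> Optional[date]:
    """Date from which the record may be disposed of; None if not yet known."""
    if rec.purpose_ended is None or rec.category not in RETENTION_DAYS:
        return None
    return rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.category])


def review(records: List[Record], today: date) -> Tuple[List[Record], List[Record], List[Record]]:
    """Split records into keep / dispose / needs_decision.

    Nothing is deleted silently: an unknown category, or a record that is
    overdue but under legal hold, goes to a human rather than to the shredder.
    """
    keep, dispose, needs_decision = [], [], []
    for rec in records:
        if rec.category not in RETENTION_DAYS:
            needs_decision.append(rec)        # no schedule entry for it
        elif rec.purpose_ended is None:
            keep.append(rec)                  # still needed for its purpose
        elif today < retain_until(rec):
            keep.append(rec)                  # within its retention period
        elif rec.legal_hold:
            needs_decision.append(rec)        # overdue but must not be destroyed yet
        else:
            dispose.append(rec)
    return keep, dispose, needs_decision


def disposal_ledger(disposed: List[Record], today: date, method: str) -> List[dict]:
    """Evidence that disposal happened, holding no personal data itself."""
    return [{"ref": r.ref, "category": r.category,
             "disposed_on": today.isoformat(), "method": method} for r in disposed]


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("R1", "membership", date(2008, 6, 30)),
    Record("R2", "membership", date(2010, 1, 15)),
    Record("R3", "helpline_contact", date(2010, 9, 1)),
    Record("R4", "payroll", date(2001, 1, 1), legal_hold=True),
    Record("R5", "cctv", date(2010, 10, 1)),          # not in the schedule
    Record("R6", "membership", None),                 # current member
]

if __name__ == "__main__":
    keep, dispose, decide = review(SAMPLE_RECORDS, date(2010, 11, 2))
    for entry in disposal_ledger(dispose, date(2010, 11, 2), "cross-cut shredder"):
        print(entry)
    print("needs a decision:", [r.ref for r in decide])
```

The clock starts when the purpose ends, not when the record was created, because a current member's file is still in use however old it is. The disposal method is recorded as a string because secure disposal depends on the medium (shredding paper, wiping or destroying media), and the ledger is what shows a later auditor or a data subject that the policy was actually applied.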

Page 33

Good Practice: People

• Does everyone handling personal data know their responsibilities under Data Protection Law? Is this routinely included in training/induction?
• Are procedures for handling personal data properly documented?
• Are DP compliance responsibilities clearly allocated?

Page 34

Good Practice: When things go wrong …

• Have a clear plan: what will you do if there is a security breach?
• Notify DPC and customers (anticipate legislation)
• Tell customers/clients how you intend to remedy any damage done to their interests

Page 35

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Page 36

Who is the “Data Controller”?

• “A person who, either alone or with others, controls the contents and use of personal data”
• Voluntary Organisation, national umbrella-body
• Not the individual employee or volunteer
  – Organisation accountable for how it handles personal data
  – Organisation needs to demonstrate it is taking this responsibility seriously: training, security measures

Page 37

Membership Information

• Only collect information you need
  – Explain how information will be used
  – Privacy Statement if via website
  – Extra care for sensitive information (e.g. health)
• Only for Organisation’s legitimate use
  – Any other use or disclosure (e.g. 3rd party marketing) normally needs consent
  – OK if legal obligation (e.g. Revenue Commissioners)
• Use BCC for membership e-mails
• Delete/Update as necessary

Page 38

Fund-Raising (1)

• Subject to rules governing Marketing
• Post: OK to (i) businesses, (ii) current members/supporters, (iii) other individuals where information is from a public source (e.g. Edited Electoral Register)
• Individuals have right to say STOP

Page 39

Fund-Raising (2)

• Phone/Fax
  – ILLEGAL if individual or business on NDD (need to check) unless current member/supporter
  – ILLEGAL if individual or business has objected

Page 40

Fund-Raising (3)

• E-Mail/SMS
  – OK to current members/supporters assuming they were provided with an opportunity to object to this use at the time their details were collected (message must still include STOP option)
  – OK to business (but must include STOP option)
  – Otherwise ILLEGAL

Page 41

Help-Lines

• Recording/Monitoring: need to justify and tell caller at beginning
• Noting Client Information
  – If for analysis/statistics, use general categories: anonymise
  – Avoid collecting identifying information unless follow-up essential; explain to caller
  – Do NOT seek PPSN
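The "use general categories: anonymise" advice above, as an added example (not code from the presentation): call notes are reduced to an age band, a province and an issue category before they enter the statistics file; name, phone number and free text are dropped rather than masked; a check refuses any record that still carries an unexpected field or a phone number; and small cells are suppressed so that a count of 1 cannot point at one caller. The call records, age bands, county-to-province map, issue categories and phone-number pattern are all constructed for illustration.

```python
"""Help-line statistics from generalised, anonymised call records (added example).

The call records, the age bands, the county-to-province map, the issue
categories and the phone pattern are constructed for illustration and are
not from the presentation.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple, Union

# Constructed sample of what a volunteer might note during a call. Name, phone
# and free-text notes are identifying and must never reach the statistics file.
CALLS = [
    {"name": "Mary Byrne", "phone": "087 123 4567", "age": 34, "county": "Dublin",
     "issue": "housing", "notes": "Mary fears eviction; landlord called on 12 Nov"},
    {"name": "Sean Walsh", "phone": "021 123 4567", "age": 41, "county": "Cork",
     "issue": "housing", "notes": ""},
    {"name": "Aoife Kelly", "phone": "091 123 4567", "age": 29, "county": "Galway",
     "issue": "debt", "notes": "credit card arrears"},
    {"name": "Pat Murphy", "phone": "066 123 4567", "age": 67, "county": "Kerry",
     "issue": "housing", "notes": ""},
    {"name": "Niamh Doyle", "phone": "045 123 4567", "age": 34, "county": "Kildare",
     "issue": "housing", "notes": ""},
    {"name": "Liam Gallagher", "phone": "074 123 4567", "age": 16, "county": "Donegal",
     "issue": "bullying", "notes": "school issue; parent aware"},
    {"name": "Ciara Nolan", "phone": "01 123 4567", "age": 30, "county": "Dublin",
     "issue": "housing", "notes": ""},
    {"name": "Tom Healy", "phone": "021 765 4321", "age": 52, "county": "Cork",
     "issue": "debt", "notes": ""},
]

AGE_BANDS = ((0, 17, "under 18"), (18, 34, "18-34"), (35, 54, "35-54"), (55, 200, "55 and over"))
# Counties are generalised to provinces so a thinly populated county cannot single someone out.
PROVINCE = {"Dublin": "Leinster", "Kildare": "Leinster", "Cork": "Munster",
            "Kerry": "Munster", "Galway": "Connacht", "Donegal": "Ulster"}
STAT_FIELDS = ("age_band", "province", "issue")
# Loose pattern for an Irish phone number written with spaces or dashes (assumed).
PHONE_RE = re.compile(r"\b0\d{1,3}[ -]?\d{3}[ -]?\d{3,4}\b")


def age_band(age: int) -> str:
    for low, high, label in AGE_BANDS:
        if low <= age <= high:
            return label
    return "unknown"


def anonymise(call: dict) -> Dict[str, str]:
    """Keep only general categories; name, phone and notes are dropped, not masked."""
    return {"age_band": age_band(call["age"]),
            "province": PROVINCE.get(call["county"], "unknown"),
            "issue": call["issue"]}


def identifier_problems(record: dict) -> List[str]:
    """Defensive check before a record is written to the statistics file."""
    problems = [f"unexpected field {k!r}" for k in record if k not in STAT_FIELDS]
    problems += [f"phone number in {k!r}" for k, v in record.items() if PHONE_RE.search(str(v))]
    return problems


def summarise(calls: List[dict], min_count: int = 3) -> Dict[Tuple[str, str], Union[int, str]]:
    """Calls per (issue, age band); cells below min_count are suppressed so a
    single caller cannot be inferred from a count of 1."""
    records = [anonymise(c) for c in calls]
    for r in records:
        if identifier_problems(r):
            raise ValueError(identifier_problems(r))
    counts = Counter((r["issue"], r["age_band"]) for r in records)
    return {k: (n if n >= min_count else f"<{min_count}") for k, n in counts.items()}


if __name__ == "__main__":
    for cell, n in sorted(summarise(CALLS).items()):
        print(cell, n)
```

Dropping fields is deliberate: a masked name or a truncated phone number is still a handle that later processing can widen, whereas a field that was never written cannot leak. The suppression threshold is a judgement call; three is used here only to show the mechanism.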

Page 42

Data Security

• Responsibility of Organisation
• Law says level of security must be appropriate to the harm that might result from loss etc. and to the nature of the data: higher security for e.g. financial and health data
• Try to avoid storage on home PCs
  – Danger of access by family members etc.
  – Data should be encrypted
  – Option of secure central on-line database

Page 43

Garda Vetting

• Sensitive data
• Done on basis of individual consent
• Limit retention of “raw” data: remember the Garda will be retaining the data

Page 44

Child & Vulnerable Adult Protection

• Duty to report suspected abuse to Garda, HSE
  – Does not require individual consent
  – “Need to know” basis within organisation

Page 45

Further Guidance

• www.dataprotection.ie