data protection & commercial sector seán sweeney assistant commissioner office of the data...
![Page 1: Data Protection & Commercial Sector Seán Sweeney Assistant Commissioner Office of the Data Protection Commissioner Ireland Gibraltar January 24 th 2006](https://reader030.vdocuments.site/reader030/viewer/2022032612/56649ea45503460f94ba89de/html5/thumbnails/1.jpg)

Data Protection & Commercial Sector

Seán Sweeney
Assistant Commissioner
Office of the Data Protection Commissioner
Ireland

Gibraltar
January 24th 2006

Presentation Outline

- Background – Human Rights
- Data Protection Principles
- Rights of data subjects
- Some FAQs

Why Data Protection?

- Post-World War II emphasis on human rights
- George Orwell, “1984” (published in 1949)
- International Agreements on Human Rights
- Development of computer power

Privacy: Legal development

- Universal Declaration on Human Rights (1948)
- European Convention on Human Rights (1950)
- Convention 108 (Council of Europe, 1981)

Background

UN Universal Declaration on Human Rights, 1948

Article 12: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence ... Everyone has the right to the protection of the law against such interference ….

European Convention on Human Rights, 1950

Article 8: Everyone has the right to respect for his private and family life, his home and his correspondence … There shall be no interference by a public authority with this right except such as is necessary in a democratic society

Background

Key concept

Privacy is a Human Right

Council of Europe Convention, 1981

- Also called “Convention 108”
- Deals specifically with data protection
- Ireland’s Data Protection Act 1988 gives effect to this Convention

Directive 95/46/EC

- Harmonisation across EU.
  - Free movement of data across EU
- Extends DP to manual records.

Key concept

Data Protection Laws are one method of protecting privacy rights.

Essential points

- People have a fundamental right to privacy
  - You are legally obliged to recognise this right
- Showing that you recognise and protect that right makes good business sense
  - Necessary for trade with EU Member States
  - Can be used as a selling point

How DP legislation works

- By imposing obligations on those who process personal data;
- By providing rights to individuals regarding how their data are processed.

Limited exemptions:

- Data exempt on National Security grounds.
- Data that is processed for personal domestic or recreational purposes

Data Protection Principles.

1. Fair obtaining consent
2. Accurate
3. Specified purpose
4. No further processing unless compatible
5. Relevant, not excessive
6. Retention period
7. Safe & secure
8. Comply with access request

Obtain & Process Fairly I

- Data controller must give full information about
  - identity
  - purposes
  - disclosees
  - any other data necessary for “fairness”
- Third party data controllers
  - must contact data subject to provide these details
  - must give name of original data controller

1st Principle

Obtain & Process Fairly II

One of these conditions required:

- Consent
- Legal obligation
- Contract with individual
- Necessary to protect vital interests
- Necessary for a public function (Justice)
- Necessary for ‘legitimate interests’

1st Principle

Processing Sensitive Data

One of these additional conditions is required:

- Explicit consent
- Necessary under employment law
- To prevent injury or protect vital interests
- Process the data of members/clients of non-profit orgs.
- Legal advice
- For Medical Purposes
- Statutory function

1st Principle

What are sensitive data?

- Physical or mental health
- Racial origin
- Political opinions
- Religious or other beliefs
- Sexual life
- Criminal convictions
- Alleged commission of offence
- Trade Union membership

Fair Obtaining - practical

- Transparency is the key issue
- Generally, a person should know
  - who is processing his/her data
  - and for what purpose

Fair Obtaining - practical

- Consent is easiest to rely upon
  - If from 3rd party, is their responsibility to demonstrate legitimacy to you
- Consent has to be freely given
  - Not freely given in employment context
  - Rely upon contractual or statutory obligations
- “Legitimate interest” is often applied

Fair Obtaining - practical

- CCTV – well placed signage meets transparency requirement
- Consent not required if CCTV for security
  - Legitimate interest
- Consent not required if for health & safety
  - Legal obligation
- Though consent not required, transparency requires information is supplied (sign)

Fair Obtaining - practical

- If relying on consent for data obtained on a form
  - Require any consent clause to be at least as big a font size as the data collection element of form
  - If on-line, require a privacy statement that covers transparency & fair obtaining requirements

Accurate, Complete, up to date

- Often a reactive rather than proactive task

2nd Principle

Accurate - practical

- If you change your address and do not tell your bank, they are not at fault for sending mail to your old address.
- However, if mail is returned to the bank as undeliverable, the bank must act by at least not sending any more mail to that address.

Specified Purpose

- Part of obligations when obtaining to specify purpose
- Cannot expand purpose without reverting to individual

3rd Principle

Purpose - practical

- Purpose might be implied from transaction
  - such as for administration of an account.
- Otherwise, should be clearly referred to

Purpose – case study

- A phone company published electronic telephone directory
- Directory allowed search by address
- This was a new purpose, as original directory only allowed search by name
- Publication unlawful, directory withdrawn until issue resolved

Disclosing personal data

- Further processing not generally permitted – compatibility test
- Section 19 – lifts the restrictions on disclosure:
  - crime; tax; State security;
  - required urgently to protect life and limb
  - required by law or court order
  - with consent of, or on behalf of, data subject

4th Principle

Disclosure Policy

- The Data Controller should have a policy in place to determine how requests for data from third parties are handled.
- This policy should be consulted by appropriate staff members

Disclosure - practical

An example of a compatible disclosure is where you supply data to an organisation in order to get a product/service. If that organisation must supply your data to a third party in order to get that product/service delivered, it is a compatible disclosure.

Relevant and not excessive

- Do you need all this data?
  - look at a form and see if you need all data
  - can data collected be culled over time?
- Different policies for different sectors

5th Principle

Retention of data

- Legal obligations to hold data?
- Customer files
  - Do you need to hold all that data?
- Personnel files
  - Revenue requirement?
- Must have policy thought through
  - Defend retention as necessary for purpose.

6th Principle

Retention – HR files

- When an employee leaves/retires, employer might have long term need to hold onto certain data
  - Dates of employment
  - Positions held
  - Tax record
  - Injuries
- But other data has no purpose beyond the time an ex-employee might seek a reference
  - Assessments & evaluations

6th Principle

Retention – Quotations

- Insurance company may offer household or motor insurance quote
- If “customer” does not take up offer within reasonable period (one month?) then that person is not a customer and details must be deleted – unless company has consent.

6th Principle

Retention – Financial record

- Leisure & on-line sector often retain credit card details
- May make future transactions easier and more secure
- Can only be retained with customer consent!

6th Principle

Security Procedures

Security measures

- Appropriate security measures
  - Appropriate to the harm that might result
  - Appropriate to the nature of the data
- May have regard to cost of implementation
- May have regard to the current state of technology
- Staff must know and comply with measures
- Internal review of security measures - part of Internal Audit function?

7th Principle

Data Protection Training.

- Obligation on employer to ensure staff are aware of data protection security obligations (especially access).
  - Training

Data Processors

- Agents and sub-contractors
- There must be a written contract in place
- Data Controller must take reasonable steps to ensure compliance with security measures

Security - practical

- Security standard should be reviewed
  - if the type of data being processed is changed;
  - if the organisation’s resources increase;
  - at least on an annual basis to see if new measures may be employed

Security - practical

- Access to data should be on a need to know basis
- Access controls should be known about, enforced and reviewed

Security – case study

- Insurance company employee resigns but takes laptop with him
- Laptop contains client list
- Employee contacts clients on behalf of new employer
- Original employer at fault for not taking measures to prevent this – not covered in employment contract.

Rights of Individuals

- To have data processed in accordance with principles
- To get a copy of personal information
- To correct information if it is wrong
- To opt out of direct marketing
- To complain to the Data Protection Commissioner

8th Principle

Access Requests

- Section 14 – exceptions section 19.
- Availability of material subject to receipt of an Access Request
- May question:
  - Relevance
  - Excessive nature
  - Retention, etc

Scope of Access Request

Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.

Opinion given in confidence

- Exempt from an access request if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
- This is useful when giving references

Exempt from Access Requests

- Data relating to
  - a criminal investigation
  - a claim of liability
- Data covered by legal privilege

Access – Disciplinary Investigation

- Exempt if access would prejudice investigation
- No longer exempt after investigation has concluded

Employee Access Rights

- Same rights as any data subject
- Not all documents with employee name are personal data
- Authoring document in work capacity does not mean that document is personal.

Access Requests - Resources

- Should not require significant resources
- Retention principle should encourage deletion of data on a regular basis, thus limiting the amount of data to be searched

Structured files

- Must be able to search files
- By name of data subject?
- By other reasonable identifier?
- By date/file reference supplied by data subject
- Electronic records easier to search than manual records

Enforced subject access

- An employer cannot ask an employee to use his/her access right to obtain data in order to gain/retain employment
- Police and credit records cannot be accessed unless by law

Empowerment

The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Right to correct/erase

- Personal data must be:
  - Corrected, if inaccurate; or
  - Deleted, if should not be held.
- Should not be a significant issue if organisation well run
  - May get DS complaining about data being held

Direct Marketing

- Commonest topic for complaints
  - So expect people will complain
- Must be able to administer a “do not mail” list/suppression file
- Must tell DS source of data

Public Register

- Describe Data handling practices
  - Purpose
  - Type of data
  - Transfers abroad
  - Disclosures
- Public: transparency and openness
- Will involve careful thought initially, but little ongoing resources

Why Register?

- Is a legal obligation
- But also a very useful way for Data Protection Commissioner to interact with Data Controllers
- Helps Data Controllers focus on Data Protection at time of registration

Frequently Asked Questions

If Police or Gov Dept ask for information about a customer, should it be supplied?

- Not automatically, must assess situation
- Is disclosure compatible with purpose?
- Is there a statutory requirement?
- Is it needed for investigation of crime?
- Is it to protect life or limb?

Can an employer monitor staff?

- Yes, depending on the conditions of any in-house policy document.
- Monitoring should be proportionate and as least intrusive as possible.
- Examination of e-mail content, web profiles should be done in context of disciplinary inquiry.

Can monitoring occur without employee consent?

- Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.
- Where the employer can rely on the legitimate interest provision, consent is not required.

What about covert surveillance?

- Not generally permitted
- However, if investigating serious matter, limited, focused short term covert monitoring may be allowed
- Exceptional circumstances only

Can I get a copy of my personnel file?

- You have a right to a copy of any record relating to you – including personnel files, assessments, evaluations and interview notes.
- Opinions given in confidence may be withheld.

Can I outsource data?

- No difficulty if you use a contract with your data processor.
- If you transfer data outside the EEA, will have to meet certain conditions.
- So, may have to review current and planned use of data processors.
- You should also be aware of your role in ensuring agents behave appropriately.

Can I put employee details on website?

- Certain details may be appropriate
  - Name, position, contact details, special training
- Other details are not necessary
  - Photographs, salary, family details

Can I rent marketing lists?

- Yes, but make sure that the list broker states if there are any restrictions attached to the list
  - Is it for certain products/sectors only?
  - How recently was it cleaned/updated?

Can I market my sister firm’s clients?

- Your sister firm may be able to market its clients on your behalf, but not give you a client list to use.
- Need to check consent issue or compatibility – would clients be aware of relationship?

Thank You

Thank you for listening
Any questions?