A Guide for. Data Controllers

Transcription

1 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers Data Prtectin Acts 1988 and 2003 A Guide fr Data Cntrllers This bklet is intended as an intrductry guide t thse persns/bdies wh are data cntrllers, in that they cntrl the cntents and use f persnal data. It utlines the eight fundamental rules f data prtectin and presents them in a user friendly frmat. It is nt an authritative r definitive interpretatin f the law, it is intended as a nn-technical guide fr data cntrllers. If, after reading this bklet, yu require further infrmatin, please cnsult the Data Prtectin Cmmissiner s website r cntact the ffice by the varius means detailed n the back f this bklet. If in particular dubt in relatin t yur legal respnsibilities please take legal advice as apprpriate. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

2 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers DEFINITIONS As with any legislatin, certain terms have particular meaning. The fllwing are sme useful definitins: Data means infrmatin in a frm which can be prcessed. It includes bth autmated data and manual data. Autmated data means, bradly speaking, any infrmatin n cmputer, r infrmatin recrded with the intentin f putting it n cmputer. Manual data means infrmatin that is kept as part f a relevant filing system, r with the intentin that it shuld frm part f a relevant filing system. Relevant filing system means any set f infrmatin that, while nt cmputerised, is structured by reference t individuals, r by reference t criteria relating t individuals, s that specific infrmatin is accessible. Persnal data means data relating t a living individual wh is r can be identified either frm the data r frm the data in cnjunctin with ther infrmatin that is in, r is likely t cme int, the pssessin f the data cntrller. This can be a very wide definitin depending n the circumstances. Prcessing means perfrming any peratin r set f peratins n data, including: btaining, recrding r keeping data, cllecting, rganising, string, altering r adapting the data, retrieving, cnsulting r using the data, disclsing the infrmatin r data by transmitting, disseminating r therwise making it available, aligning, cmbining, blcking, erasing r destrying the data. Data Subject is an individual wh is the subject f persnal data. Data Cntrllers are thse wh, either alne r with thers, cntrl the cntents and use f persnal data. Data Cntrllers can be either legal entities such as cmpanies, Gvernment Departments r vluntary rganisatins, r they can be individuals such as G.P. s, pharmacists r sle traders. Data Prcessr is a persn wh prcesses persnal data n behalf f a data cntrller, but des nt include an emplyee f a data cntrller wh prcesses such data in the curse f his/her emplyment. Again individuals such as G.P. s, pharmacists r sle traders are cnsidered t be legal entities. Sensitive persnal data relates t specific categries f data which are defined as data relating t a persn s racial rigin; plitical pinins r religius r ther beliefs; physical r mental health; sexual life; criminal cnvictins r the alleged cmmissin f an ffence; trade unin membership. Yu have additinal rights in relatin t the prcessing f any such data. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

3 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers What is data prtectin? It is the means by which the privacy rights f individuals are safeguarded in relatin t the prcessing f their persnal data. The Data Prtectin Acts 1988 and 2003 cnfer rights n individuals as well as placing respnsibilities n thse persns prcessing persnal data. Are yu a data cntrller? If yu, as an individual r an rganisatin, cllect, stre r prcess any data abut living peple n any type f cmputer r in a structured filing system, then yu are a data cntrller. In practice, t establish whether r nt yu are a data cntrller, yu shuld ask, d yu decide what infrmatin is t be cllected, stred, t what use it is put and when it shuld be deleted r altered. Because f the serius legal respnsibilities attached t a data cntrller under the Acts, yu shuld seek the advice f the Cmmissiner if yu have any dubts as t whether r nt yu are a data cntrller in any particular case. What are yur respnsibilities as a data cntrller? Yu have certain key respnsibilities in relatin t the infrmatin which yu prcess. These may be summarised in terms f eight fundamental rules which yu must fllw. These rules which are detailed in this guide apply t all data cntrllers. Certain categries f data cntrllers are als bliged t register with the Data Prtectin Cmmissiner. This is a separate legal requirement and in n way bviates the need t cmply with the requirements f the Acts having s registered. There are sme specific requirements n which mre details can be fund n ur website, in varius annual reprts f the Data Prtectin Cmmissiner r by cntacting this Office directly. These include: the bligatry requirement n certain categries f data cntrllers (and Data Prcessrs) t register with the Data Prtectin Cmmissiner. Guidance ntes f Registratin fr Data Cntrllers are als available frm this Office. If yu are required t register and are nt it is illegal t prcess persnal data. the specific requirements fr marketing by phne, , fax r ther electrnic means, including text message, which are cntained in separate Regulatins. the prcessing f publicly available infrmatin fr ther purpses including direct marketing. Hw d yu as a data cntrller ensure cmpliance with the law? Yu must make yurself aware f yur data prtectin respnsibilities, in particular, t prcess persnal data fairly. Yu shuld ensure that yur staff are made aware f their respnsibilities thrugh apprpriate inductin training with refresher training as necessary and the availability f an internal data prtectin plicy that is relevant t the persnal data held by yu. An internal plicy which reflects the eight fundamental data prtectin rules and applies them t yur rganisatin, which is enfrced thrugh supervisin and regular review and audit, is a valuable cmpliance tl. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

4 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers Hw are the Acts enfrced? The Cmmissiner s rle is t ensure that thse wh keep persnal data cmply with the prvisins f the Acts. He has a wide range f enfrcement pwers t assist him in ensuring that the principles f data prtectin are being bserved. These pwers include the serving f legal ntices cmpelling data cntrllers t prvide infrmatin needed t assist his enquiries, and cmpelling a data cntrller t implement ne r mre prvisins f the Acts in a particular prescribed manner. He may investigate cmplaints made by the general public r carry ut investigatins practively. He may, fr example, authrise fficers t enter premises and t inspect the type f persnal infrmatin kept, hw it is prcessed and the security measures in place. Yu and yur staff are required t c-perate fully with such fficers. A data cntrller fund guilty f an ffence under the Acts can be fined amunts up t 100,000, n cnvictin n indictment and/r may be rdered t delete all r part f the database. The Cmmissiner als publishes an annual reprt which names, in certain cases, thse data cntrllers that were the subject f investigatin r actin by his Office. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

5 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers The Eight Rules f Data Prtectin Yu must Obtain and prcess infrmatin fairly 2. Keep it nly fr ne r mre specified, explicit and lawful purpses 3. Use and disclse it nly in ways cmpatible with these purpses 4. Keep it safe and secure 5. Keep it accurate, cmplete and up-t-date 6. Ensure that it is adequate, relevant and nt excessive 7. Retain it fr n lnger than is necessary fr the purpse r purpses 8. Give a cpy f his/her persnal data t an individual, n request An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

6 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 1. Obtain and prcess infrmatin fairly T fairly btain data the data subject must, at the time the persnal data is being cllected, be made aware f: the name f the data cntrller; the purpse in cllecting the data; the identity f any representative nminated fr the purpses f the Acts; the persns r categries f persns t whm the data may be disclsed; whether replies t questins asked are bligatry and the cnsequences f nt prviding replies t thse questins; the existence f the right f access t their persnal data; the right t rectify their data if inaccurate r prcessed unfairly; any ther infrmatin which is necessary s that prcessing may be fair and t ensure the data subject has all the infrmatin that is necessary s as t be aware as t hw their data will be prcessed. In additin, where the persnal data is nt btained frm the data subject, either at the time their data is first prcessed r at the time f disclsure t a third party, all the abve infrmatin must be prvided t the data subject and they must als be infrmed f the identity f the riginal data cntrller frm whm the infrmatin was btained and the categries f data cncerned. T fairly prcess persnal data it must have been fairly btained, and: g the data subject must have given cnsent t the prcessing; r g the prcessing must be necessary fr ne f the fllwing reasns - the perfrmance f a cntract t which the data subject is a party; in rder t take steps at the request f the data subject prir t entering int a cntract; cmpliance with a legal bligatin, ther than that impsed by cntract; t prevent injury r ther damage t the health f the data subject; t prevent serius lss r damage t prperty f the data subject; t prtect the vital interests f the data subject where the seeking f the cnsent f the data subject is likely t result in thse interests being damaged; fr the administratin f justice; fr the perfrmance f a functin cnferred n a persn by r under an enactment; fr the perfrmance f a functin f the Gvernment r a Minister f the Gvernment; fr the perfrmance f any ther functin f a public nature perfrmed in the public interest by a persn; An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

7 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers fr the purpse f the legitimate interests pursued by a data cntrller except where the prcessing is unwarranted in any particular case by reasn f prejudice t the fundamental rights and freedms r legitimate interests f the data subject. T fairly prcess sensitive data (see definitins panel at the beginning f this bklet) it must have been fairly btained and there are additinal special cnditins (ne f the cnditins utlined abve must als be met) f which at least ne f the fllwing must be met: g the data subject has given explicit cnsent (r where they are unable t d s, fr reasns f incapacity f age, explicit cnsent must be given by a parent r legal guardian) t the prcessing, i.e. the data subject has been infrmed f the purpse/s in prcessing the data and has supplied his/her data with that understanding; r g the prcessing must be necessary fr ne f the fllwing reasns - fr the purpse f exercising r perfrming any right r bligatin which is cnferred r impsed by law n the data cntrller in cnnectin with emplyment; t prevent injury r ther damage t the health f the data subject r anther persn, r serius lss in respect f, r damage t, prperty r therwise t prtect the vital interests f the data subject r f anther persn in a case where, cnsent cannt be given, r the data cntrller cannt reasnably be expected t btain such cnsent; t prevent injury t, r damage t the health f, anther persn, r serius lss in respect f, r damage t, the prperty f anther persn, in a case where such cnsent has been unreasnably withheld; it is carried ut by a nt fr prfit rganisatin in respect f its members r ther persns in regular cntact with the rganisatin; the infrmatin being prcessed has been made public as a result f steps deliberately taken by the data subject; fr the purpse f btaining legal advice, r in cnnectin with legal prceedings, r is necessary fr the purpses f establishing, exercising r defending legal rights; fr medical purpses (mre extensive advice as t what cnstitutes medical purpses is available frm r yu can cntact the ffice directly); it is carried ut by plitical parties r candidates fr electin in the cntext f an electin; fr the purpse f the assessment r payment f a tax liability; in relatin t the administratin f a Scial Welfare scheme. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

8 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 2. Keep it nly fr ne r mre specified, explicit and lawful purpses Yu may nly keep data fr a purpse(s) that are specific, lawful and clearly stated and the data shuld nly be prcessed in a manner cmpatible with that purpse(s). An individual has a right t questin the purpse fr which yu hld his/her data and yu must be able t identify that purpse. T cmply with this rule: g g g In general a persn shuld knw the reasn/s why yu are cllecting and retaining their data. the purpse fr which the data is being cllected shuld be a lawful ne yu shuld be aware f the different sets f data which yu keep and specific purpse f each 3. Use and disclse it nly in ways cmpatible with these purpses Any use r disclsure must be necessary fr the purpse(s) r cmpatible with the purpse(s) fr which yu cllect and keep the data. Yu shuld ask yurself whether the data subject wuld be surprised t learn that a particular use f r disclsure f their data is taking place. A key test f cmpatibility is: g g d yu use the data nly in ways cnsistent with the purpse(s) fr which they are kept? d yu disclse the data nly in ways cnsistent with that purpse(s)? The rule, that disclsures f infrmatin must always be cmpatible with the purpse(s) fr which that infrmatin is kept, is lifted in certain restricted cases by Sectin 8 f the Act. Examples f such cases wuld include sme bvius situatins where disclsure f the infrmatin is required by law r is made t the individual himself/herself r with his/her cnsent. Any prcessing f persnal data by a data prcessr n yur behalf must als be undertaken in cmpliance with the Acts. This requires that, as a minimum, any such prcessing takes place subject t a cntract between the cntrller and the prcessr which specifies the cnditins under which the data may be prcessed, the security cnditins attaching t the prcessing f the data and that the data be deleted r returned upn cmpletin r terminatin f the cntract. The data cntrller is als required t take reasnable steps t ensure cmpliance by the data prcessr with these requirements. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

9 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 4. Keep it safe and secure Apprpriate security measures must be taken against unauthrised access t, r alteratin, disclsure r destructin f, the data and against their accidental lss r destructin. The security f persnal infrmatin is all-imprtant, but the key wrd here is apprpriate, in that it is mre significant in sme situatins than in thers, depending n such matters as cnfidentiality and sensitivity and the harm that might result frm an unauthrised disclsure. High standards f security are, nevertheless, essential fr all persnal infrmatin. The nature f security used may take int accunt what is available technlgically, the cst f implementatin and the sensitivity f the data in questin. A minimum standard f security wuld include the fllwing: access t central IT servers t be restricted in a secure lcatin t a limited number f staff with apprpriate prcedures fr the accmpaniment f any nn-authrised staff r cntractrs; access t any persnal data within an rganisatin t be restricted t authrised staff n a need-t-knw basis in accrdance with a defined plicy; access t cmputer systems shuld be passwrd prtected with ther factrs f authenticatin as apprpriate t the sensitivity f the infrmatin; infrmatin n cmputer screens and manual files t be kept hidden frm callers t yur ffices; back-up prcedure in peratin fr cmputer held data, including ff-site back-up; all reasnable measures t be taken t ensure that staff are made aware f the rganisatin s security measures, and cmply with them; all waste papers, printuts, etc. t be dispsed f carefully; a designated persn shuld be respnsible fr security and fr peridic reviews f the measures and practices in place. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

10 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 5. Keep it accurate, cmplete and up-t-date Apart frm ensuring cmpliance with the Acts, this requirement has an additinal imprtance in that yu may be liable t an individual fr damages if yu fail t bserve the duty f care prvisin in the Act applying t the handling f persnal data which tends t arise substantially in relatin t decisins r actins based n inaccurate data. In additin, it is als in the interests f yur business t ensure accurate data fr reasns f efficiency and effective decisin making. T cmply with this rule yu shuld ensure that: yur clerical and cmputer prcedures are adequate with apprpriate crss-checking t ensure high levels f data accuracy; the general requirement t keep persnal data up-t-date has been fully examined; apprpriate prcedures are in place, including peridic review and audit, t ensure that each data item is kept up-t-date. Nte: The accuracy requirement des nt apply t back-up data, that is, t data kept nly fr the specific and limited purpse f replacing ther data in the event f their being lst, destryed r damaged. 10 An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

11 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 6. Ensure that it is adequate, relevant and nt excessive Yu can fulfil this requirement by making sure yu are seeking and retaining nly the minimum amunt f persnal data which yu need t achieve yur purpse(s). Yu shuld decide n specific criteria by which t assess what is adequate, relevant, and nt excessive and apply thse criteria t each infrmatin item and the purpse/s fr which it is held. T cmply with this rule yu shuld ensure that the infrmatin sught and held is: adequate in relatin t the purpse/s fr which yu sught it; relevant in relatin t the purpse/s fr which yu sught it; nt excessive in relatin t the purpse/s fr which yu sught it. A peridic review shuld be carried ut f the relevance f the persnal data sught frm data subjects thrugh the varius channels by which infrmatin is cllected, i.e. frms, website etc. In additin, a review shuld als be undertaken n the abve basis f any persnal infrmatin already held. 7. Retain it fr n lnger than is necessary fr the purpse r purpses This requirement places a respnsibility n data cntrllers t be clear abut the length f time fr which data will be kept and the reasn why the infrmatin is being retained. It is a key requirement f Data Prtectin legislatin as persnal data cllected fr ne purpse cannt be retained nce that initial purpse has ceased. Equally, as lng as persnal data is retained the full bligatins f the Acts attach t it. If yu dn t hld it anymre then the Acts dn t apply. Yu shuld assign specific respnsibility t smene fr ensuring that files are regularly purged and that persnal infrmatin is nt retained any lnger than necessary. This can include apprpriate annymisatin f persnal data after a defined perid if there is a need t retain nn-persnal data. T cmply with this rule yu shuld have: a defined plicy n retentin perids fr all items f persnal data kept; management, clerical and cmputer prcedures in place t implement such a plicy. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner 11

12 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers 8. Give a cpy f his/her persnal data t that individual, n request On making an access request any individual abut whm yu keep persnal data is entitled t: a cpy f the data yu are keeping abut him r her; knw the categries f their data and yur purpse/s fr prcessing it; knw the identity f thse t whm yu disclse the data; knw the surce f the data, unless it is cntrary t public interest; knw the lgic invlved in autmated decisins; data held in the frm f pinins, except where such pinins were given in cnfidence and even in such cases where the persn s fundamental rights suggest that they shuld access the data in questin it shuld be given. It is imprtant that yu have clear c-rdinated prcedures in place t ensure that all relevant manual files and cmputers are checked fr the data in respect f which the access request is being made. T make an access request the data subject must: apply t yu in writing (which can include ); give any details which might be needed t help yu identify him/her and lcate all the infrmatin yu may keep abut him/her e.g. previus addresses, custmer accunt numbers; pay yu an access fee if yu wish t charge ne. Yu need nt d s, but if yu d it cannt exceed Every individual abut whm a data cntrller keeps persnal infrmatin has a number f ther rights under the Act, in additin t the Right f Access. These include the right t have any inaccurate infrmatin rectified r erased, t have persnal data taken ff a direct marketing r direct mailing list and the right t cmplain t the Data Prtectin Cmmissiner. In respnse t an access request yu must: supply the infrmatin t the individual prmptly and within 40 days f receiving the request; prvide the infrmatin in a frm which will be clear t the rdinary persn, e.g. any cdes must be explained. 12 An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

13 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers If yu d nt keep any infrmatin abut the individual making the request yu shuld tell them s within the 40 days. Yu are nt bliged t refund any fee yu may have charged fr dealing with the access request shuld yu find yu d nt, in fact, keep any data. Hwever, the fee must be refunded if yu d nt cmply with the request, r if yu have t rectify, supplement r erase the persnal data cncerned. If yu restrict the individual s right f access in accrdance with ne f the very limited restrictins set dwn in the Acts, yu must ntify the data subject in writing within 40 days and yu must include a statement f the reasns fr refusal. Yu must als infrm the individual f his/her entitlement t cmplain t the Data Prtectin Cmmissiner abut the refusal. There are a number f mdificatins t the basic Right t Access granted by the Acts which include the fllwing: Access t Health and Scial Wrk Data There are mdificatins t the right f access in the interest f the data subject r the public interest, designed t prtect the individual frm hearing anything abut himself r herself which might cause serius harm t his r her physical r mental health r emtinal well-being; In the case f Examinatins Data There is an increased time limit fr respnding t an access request frm 40 days t 60 days and an access request is deemed t be made at the date f the first publicatin f the results r at the date f the request, whichever is the later. An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner 13

14 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers Transferring Persnal data Abrad An area f cncern fr many data cntrllers are the requirements necessary fr the transfer f data abrad. There are special cnditins that have t be met befre transferring persnal data utside the Eurpean Ecnmic Area (all EU cuntries plus Nrway, Iceland and Liechtenstein), where the imprting cuntry des nt have an EU apprved level f data prtectin law. This is termed a finding f adequacy. In such a case, ne f the fllwing cnditins must be met if a transfer is t take place. Either the transfer must be: cnsented t by the data subject; r required r authrised under an enactment, cnventin r ther instrument impsing an internatinal bligatin n this State; r necessary fr the perfrmance f a cntract between the data cntrller and the data subject; r necessary fr the taking f steps at the request f the data subject with a view t his r her entering int a cntract with the data cntrller; r necessary fr the cnclusin f a cntract between the data cntrller and a third party, that is entered int at the request f the data subject and is in the interests f the data subject, r fr the perfrmance f such a cntract; r necessary fr the purpse f btaining legal advice; r necessary t urgently prevent injury r damage t the health f a data subject; r part f the persnal data held n a public register; r authrised by the Data Prtectin Cmmissiner, which is nrmally the apprval f a cntract which is based n EU mdel cntracts r the transfer is by a US cmpany which is certified as what is knwn as Safe Harbr cmpliant. 1 As the legislatin n the transfer f data abrad is cmplex, where dubt arises it is advisable fr persns t cntact this Office in rder t seek guidance n specific cases. 1. This is a certificatin prgramme verseen by the US Department f Cmmerce which allws certain US based cmpanies t self certify as having an adequate level f data prtectin that meets US standards and cnsequently persnal data can be transferred withut the need fr recurse t the EU Mdel cntracts 14 An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner

15 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers Basic Data Prtectin Checklist Are the individuals whse data yu cllect aware f yur identity? Have yu tld the data subject what use yu make f his/her data? Are the disclsures yu make f that data legitimate nes? D yu have apprpriate security measures in place bth internally and externally t ensure all access t data is apprpriate? D yu have apprpriate prcedures in place t ensure that each data item is kept up-t-date? D yu have a defined plicy n retentin perids fr all items f persnal data? D yu have a data prtectin plicy in place? D yu have prcedures fr handling access requests frm individuals? Are yu clear n whether r nt yu shuld be registered? Are yur staff apprpriately trained in data prtectin? D yu regularly review and audit the data which yu hld and the manner in which they are prcessed? An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner 15

16 Data Prtectin Acts 1988 and 2003 A Guide Fr Data Cntrllers Further infrmatin is available frm ur website r yu can cntact the Office directly by r by phne. Brchures and leaflets relating t the Acts are als available free f charge, n request frm: The Office f the Data Prtectin Cmmissiner Canal Huse Statin Rad Prtarlingtn C. Lais LCall: Tel: Fax: inf@dataprtectin.ie Website: 16 An Cimisinéir Csanta Snraí Data Prtectin Cmmissiner