Data Protection Guide

Transcription

1 Data Protection Guide May 2013

2 Contents 1. Introduction... 3 Data Protection and Other Legislation... 3 Definitions Data Protection Principles Obtain and process data fairly Process it only for one or more specified, explicit and lawful purposes Use and disclose it only in ways compatible with the purposes for which it was obtained Keep it safe and secure Keep it accurate, complete and up-to-date Ensure that it is adequate, relevant and not excessive Retain it no longer than is necessary for the specified purpose or purposes Give a copy of his/her personal data to an individual, on request Management of possible breaches of personal data security Appendix One - Marketing Options Table... 19

3 1. Introduction Members of the Banking & Payments Federation Ireland (BPFI) collect and process personal data as an essential business activity. This activity is subject to the requirements of the Data Protection Acts 1988 and 2003 ( the Acts ), which are enforced by the Office of the Data Protection Commissioner (ODPC). The information set out in this Guide is aimed at Members of the BPFI ( Member Institutions ), in order to set out their responsibilities when collecting and processing personal data. The Guide is not intended to be a complete description of the responsibilities and rights of Member Institutions when collecting and processing personal data. Member Institutions are supported, when required, by their legal advisers. It is the responsibility of each Member Institution to ensure compliance with Data Protection legislation and this guide is intended to assist Member Institutions in doing so, by way of providing guidance. It supports the individual Member Institution s procedures and guidelines for their employees in relation to compliance with Data Protection legislative requirements. The Guide is also aimed at customers and prospective customers of Member Institutions, in order to provide an easy reference guide to assist them in their understanding of what happens to their personal data in a financial context. However, the Guide is not intended to be a definitive or complete description of the rights and responsibilities of Member Institutions and any customer who has a concern as to the use of their personal data by a Member Institution should consult the Data Protection legislation. Member Institutions maintain information pertaining to data protection requirements on their websites to assist their customers. This Guide provides examples of everyday situations in a financial context to illustrate how Member Institutions comply with the legislation and how the principles of data protection are applied. The BPFI is committed to promoting adherence to this Guide amongst its members. An up-to-date list of BPFI members is available from the BPFI website. ( The Guide has been prepared taking into account existing Data Protection legislation and guidance made available by the ODPC. The Guide will be reviewed and updated as required in line with changes to Data Protection legislation. This Guide is of use to any Member Institution that collects and processes personal data. If an individual wishes to ascertain his/her rights in relation to Data Protection legislation, he/she should examine the relevant legislation, visit the Data Protection Commissioner s website ( or contact the ODPC (LoCall ). A customer may also wish to refer to the Privacy Statement available on each Member Institution s website, which will advise of the privacy and security of a customer s information when used by that Member Institution. Data Protection and Other Legislation Due to the ever evolving legal and regulatory environment in which Member Institutions operate, the requirements to obtain and retain personal data in order to comply with or to evidence compliance with various legal and regulatory requirements may be subject to change. Member Institutions may seek legal advice or refer the matter to the ODPC for guidance where there may be apparent conflict between Data Protection legislation and other legislative requirements. In addition, the Revenue Commissioners has published a Guidance Note for Financial Institutions outlining the reporting requirements in relation to the return of interest and other payments under the Return of Payments Regulations The Guidance Note is available on the Revenue Commissioners website at

4 Definitions As with any legislation, certain terms have particular meaning. The following are some useful definitions in relation to data protection legislation: Access Request is a request by a customer to obtain a copy of any personal information relating to him/her kept on computer or in a structured manual filing system or intended for such a system by any Member Institution. Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer. Data means information in a form which can be processed. It includes both automated data and manual data. Data Controllers are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, government departments or voluntary organisations, or they can be individuals such as medical professionals, pharmacists or sole traders. Data Processors are those who process personal data on behalf of a data controller, but do not include an employee of a data controller who processes such data in the course of his/her employment. Again, individuals such as medical professionals, pharmacists or sole traders may be considered to be legal entities. Data Processing has a broad definition within the meaning of the Acts. It includes: Obtaining, recording or storing data; Altering or adapting data; Combining, transferring, erasing or destroying data. Data Subject is an individual who is the subject of personal data. Guarantor is an individual who guarantees to pay for another individual s or entity s debt if the individual or entity defaults on the loan obligation. Manual data means information that is kept as part of a relevant filing system or with the intention that it should form part of a relevant filing system. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances. Processing means performing any operation or set of operations on data, including: Obtaining, recording or keeping data; Collecting, organising, storing, altering or adapting data; Retrieving, consulting or using data; Disclosing the information or data by transmitting, disseminating or otherwise making it available; Aligning, combining, blocking, erasing or destroying data.

5 Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals so that specific information is accessible. Sensitive personal data relates to specific categories of data which are defined as data relating to a person s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; and trade union membership. Data subjects have additional rights in relation to the processing of sensitive personal data. 2. Data Protection Principles Data protection is about a person s fundamental right to privacy. A person is entitled to access information and to correct data (personal information) that is stored about him/her. Organisations, including financial institutions, which retain data about a person, have to comply with data protection principles and data protection legislation. There are eight Data Protection principles, to which Member Institutions must adhere to in relation to Personal Data. These principles are described in this section of the Guide Obtain and process data fairly Principle Section 2 (1) (a) of the Acts requires that: "the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly" This is the fundamental principle of data protection. If an organisation wishes to obtain and retain personal data about individuals, it must collect and process (or use) that information fairly. This provision requires that: a) At the time of providing personal data, individuals are made fully aware of: The identity of the persons who are collecting it (though this may often be implied); To what use(s) the information will be put; The persons or category of persons to whom the information will be disclosed. b) Secondary or future uses, which might not be obvious to individuals, should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of stating whether or not they wish their information to be used in these other ways. c) If a data controller has information about people and wishes to use it for a new purpose (which was not disclosed and perhaps not even contemplated at the time the information was collected), he or she is obliged to give an option to those individuals to indicate whether or not they wish their information to be used for the new purpose. This is how a data controller achieves transparency and informed consent - the touchstones of fairness in data protection.

6 In practice Member Institutions obtain and process personal data at the start of an individual s (customer) relationship e.g., in order to open accounts, provide loans and credit cards, and/or to comply with anti-money laundering or other relevant legislation. Member Institutions may, where the individual has consented, also obtain and process information throughout the lifetime of the relationship with customers, in order to provide other products or services, or to correspond with them in relation to existing or other products and services that may be of interest to them. Examples in a Banking Context Where a Member Institution processes personal data (information), it will be collected and processed fairly i.e.: a) Member Institutions will make clear on application forms and other appropriate documentation, including on websites, the identity of the data controller, the purpose(s) for collecting personal data, and to whom it may be disclosed. Examples of why Member Institutions collect personal data include the following: Consent to use and process the information provided to open an account or transact the requested business activity; To establish a person s identity and home address to comply with legislative and regulatory requirements; To have sufficient information to enable the Member Institution to make a decision on a loan application. b) Where a Member Institution wishes to use personal data for purposes unrelated to that for which the Member Institution obtained the personal data under (a) above, the Member Institution will seek the individual s consent prior to using the personal data for the new purpose(s) e.g., to offer a different service or a different way of delivering a service. c) Where a Member Institution collects and processes sensitive personal data 1 (within the meaning of the Acts) the individual, to whom the personal data relates, must give explicit consent, unless it is otherwise permitted under the Acts e.g., personal medical records for the purposes of providing life assurance products. d) Member Institutions will advise individuals when it is intended to record telephone calls and all of the purposes for the recording e.g., for training purposes, regulatory requirements such as Stock Exchange rules, telephone sales records and distant marketing. This also relates to the recording of outbound calls, if applicable. e) Member Institutions will obtain the individual s consent to search the database of a credit reference agency. Member Institutions will only search a credit reference agency if the product/service concerned involves credit being facilitated or has the potential for credit to be facilitated, e.g., a current account with an overdraft facility or when managing clients in financial difficulty. 1 Sensitive Personal Data as defined by the Data Protection Acts means personal data as to - (a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject; (b) whether the data subject is a member of a trade-union; (c) the physical or mental health or condition or sexual life of the data subject; (d) the commission or alleged commission of any offence by the data subject; or (e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

7 2.2. Process it only for one or more specified, explicit and lawful purposes Principle Section 2 (1) (c) (i) of the Act specifies that: "the data shall have been obtained only for one or more specified explicit and legitimate purposes" An organisation may not keep information about individuals unless it is held for a specific, lawful and clearly stated purpose. It is therefore unlawful to collect information about individuals routinely and indiscriminately, without having a sound, clear and legitimate purpose for so doing. Data controllers, who are required to register with the Data Protection Commissioner, include in their register entry a statement of the purpose for holding personal data. This information is publicly available on the Data Protection Commissioners website. (Please refer to If those data controllers keep or use personal data for any purpose other than the specified purpose, they may be guilty of an offence. In practice Personal Data is obtained by Member Institutions to process applications, to set up accounts, to administer products and services, to undertake credit searches, for possible future direct marketing and to fulfil other legal obligations e.g., anti-money laundering legislation. Examples in a Banking Context Member Institutions will only collect and hold personal data on the basis that they have a clear and legitimate purpose for doing so. For example: a) Member Institutions are now required by law to request a copy of an individual s Tax Reference Number (TRN) when an account is opened on which an individual can potentially earn credit interest. Under the EU Savings Tax Directive, non-irish citizens may also be requested to provide details of their equivalent social insurance numbers. Member Institutions are also required to report to tax authorities the amount of interest their customers have earned in line with Revenue requirements (for details please refer to This information will not be used for any other purpose. Account opening can proceed if a person does not provide a Personal Public Service Number (PPSN)/TRN. b) Member Institutions must maintain records concerning individuals' identity (such as copies of passports or drivers licence), evidence of address (such as copies of utility bills), and other relevant data for specified periods of time under European and International legislation which is designed to combat money laundering and terrorist financing. c) Member Institutions may be required to retain documentation and information about individuals for longer periods of time where, for example, a direction is placed on a Member Institution by a statutory body e.g., Revenue Commissioners or in cases of litigation. (See Section 2.7 on retention requirements.) d) Member Institutions may record and retain CCTV images for legitimate purposes, such as security, and the prevention and detection of fraud. Normally, images will not be retained for longer than one month. However, they can be retained for longer where certain incidents require the Member Institutions to do so e.g., to facilitate the investigation of security incidents or suspected fraud. Access to and disclosure of images will be carefully controlled. Member Institutions should also display appropriate signage to identify the use of CCTV.

8 e) Member Institutions may use fairly obtained information for the direct marketing of products and services to customers and non-customers. f) Member Institutions will respect a customer s decision to opt-in or to opt-out of the receipt of direct marketing communications. These preferences will be recorded and adhered to by the relevant Member Institution. Member Institutions will advise individuals every time on how to opt-out of future direct marketing communications. g) Member Institutions will, at all times, ensure that they adhere to their responsibilities in relation to direct marketing in line with the Acts, the Consumer Protection Code and the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations, 2011, and any other legislative or regulatory requirements as appropriate. h) A table setting out the type of consent that is required for marketing purposes is included in Appendix One Use and disclose it only in ways compatible with the purposes for which it was obtained Principle Section 2 (1) (c) (ii) of the Act specifies that: "the data shall not be further processed in any manner incompatible with that purpose or those purposes" If personal information is obtained for a particular purpose, it may not be used for any other purpose, and may not be divulged to a third party, except in ways that are "compatible" with the specified purpose for which it was given. A key test of compatibility is whether the data is used and disclosed in a way in which those who supplied the information would expect it to be used and disclosed. The question to ask is would the data subject be surprised if he/she found out what their data was being used for and who the data was being used by. Transfers of personal data to an agent, who is processing the data on behalf of another organisation and not retaining it for his/her own purposes, do not constitute "disclosures" of data for the purposes of the Act and are acceptable. Examples of such transfers would include the transfer of staff data to a separate payroll company for payroll administration purposes, transfer of data to an agent for the purposes of processing customer payments where an appropriate written contract is in place and the transfer of personal data from a general practitioner to a clinical laboratory for analysis of tissue samples. The restriction on processing of personal data (including disclosure to a third party) is lifted in a limited number of circumstances, specified in Section 8 of the Data Protection Acts, where the right to privacy must be balanced against other needs of civil society, or where the processing is in the interests of the individual. For example, processing of personal information required in the interests of protecting the international relations of the State; required urgently to prevent injury or other damage to the health of a person, or serious loss or damage to property; required by or under any enactment or by a rule of law or order of court. The ODPC sets out further guidance in relation to the legal basis for private sector sharing of personal data on its website at:

9 In practice Where a Member Institution obtains personal data for a particular purpose(s), the personal data will not be used or disclosed, except in ways that are compatible with that particular purpose(s), unless otherwise permitted under the Acts. Examples in a Banking Context Persons to whom personal data may potentially be disclosed include the following: a) Person s acting on the individual s (data subject s) behalf e.g., solicitors, executors, intermediaries (provided the data subject has given written authority for the person to act on their behalf). Member Institutions will not disclose customer s personal data to other external third parties without their consent. The Member Institution should always check that the person is authorised to act for the data subject and that the Institution is authorised to furnish the person with the data subject s information. If in doubt, Member Institutions should check with their Legal Advisers before releasing any data to a third party. b) The Financial Services Ombudsman, the Pensions Ombudsman, the ODPC, the Central Bank of Ireland, or equivalent foreign supervisory body, or complaints body to whom a complaint has been made. c) Other group companies in pursuit of the company's legitimate business interests. Subject to local laws, personal data may be shared between group companies without consent, assuming a legitimate business purpose and notice to the customer. In the case of Ireland, the UK and US, there is no consent requirement for transfers of data between group companies. d) An Garda Síochána, the Central Bank of Ireland, the Office of the Revenue Commissioner, the ODPC or any other entity authorised by law to access individuals records. Such requests must be in writing stating the legal basis on which access is sought. e) Third party service providers to Member Institutions (e.g., external investigators, fraud prevention agencies, debt collection and/or recovery agents, firms responsible for computer maintenance or similar services, solicitors or other contractors/service providers etc.) provided appropriate contracts (which include security and confidentiality clauses) are in place. The ODPC s Annual Report 2011 includes a case study of the use of personal data by Private Investigators. The case study (Case Study 13) is available on page 63 of the link below: f) Guarantors, i.e., persons guaranteeing repayment of a facility to a customer, particularly in respect of arrears and recoveries, and limited to data in relation to the facilities guaranteed by the Guarantor Keep it safe and secure Principle Section 2 (1) (d) of the Act requires that: "Appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network and against all other unlawful forms of processing" The security of personal data is all-important. It will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity. High standards of security are, nevertheless,

10 essential for all personal data. Both data controllers and data processors must meet the requirement to keep data secure and not expose it to any unauthorised access. The ODPC provides the following guidance in relation to data security: Appropriate security measures In determining what security measures should be put in place in order to satisfy the requirements of section 2 (1) (d) a number of factors may be taken into consideration, including: The state of technological development - measures must be reviewed over time; The cost of implementing the measures - larger organisations with greater resources can be expected to implement more advanced measures, or update measures more regularly, than smaller bodies; The harm that might result from unlawful processing - might someone be at a financial loss or be at risk of suffering injury as a result of disclosure or destruction of data? For example, a third party could gain access to the data subject s personal data and use the data for unlawful purposes; The nature of the data concerned - there is a greater duty of care relating to the processing of sensitive personal data. Staff training and compliance A data controller or a data processor shall also ensure that staff are aware of the security measures. This requirement may be satisfied by having appropriate training in place e.g., web-based training courses on data protection, induction courses and day-to-day training. A data controller or a data processor is also responsible for ensuring that staff comply with these measures. This requirement may be satisfied by the automatic generation of audit trails or logs, combined with some form of internal audit or review procedure i.e., the data controller or data processor can check what accounts staff are accessing and that it is appropriate for them to access the accounts. In practice Member Institutions have their own security policies in place in respect of customers and employees personal data. Member Institutions will ensure that appropriate security measures (both physical and technological) are in place against unauthorised access to, alteration of, disclosure of, or destruction of personal data, and against its accidental loss or destruction. These security measures will have regard to the nature of the data concerned and the potential to cause harm by the disclosure of that data, and will be implemented on a case-by-case basis. Member Institutions will ensure that security measures are reviewed on a regular basis having regard to technological developments and the cost of implementing measures. Examples in a Banking Context a) Member Institutions will apply appropriate security standards to the transmission of personal data to ensure that data is kept safe and secure. b) Each Member Institution will take reasonable steps to ensure that its employees and third party contractors/service providers are made aware of its security standards and comply with them. This can be undertaken through training and monitoring of security standards and by ensuring adherence to security standards is built into contracts with third party service providers. c) Where personal data is transferred to a third party outside the European Economic Area (EEA), the Institution will ensure that the required data protection conditions are in place, including an appropriate

11 contract. This is to assist in ensuring the security of the personal data being transferred outside of the EEA. d) Member Institutions will have particular regard to the following areas: i. Clear access controls will be in place as appropriate to each Member Institution, so that personal data is only available to those people within the organisation that have a business requirement for such access i.e., personal data should not be viewed or processed by staff that do not have a requirement to view it; ii. Member Institutions will ensure access to personal data is appropriate and monitored as IT systems are developed; iii. Appropriate procedures will be in place in relation to back-up of personal data and personal data contained in data server rooms; iv. Computer systems will be password protected to ensure the data is protected; v. Portable equipment (such as laptops, USB sticks and Blackberry Devices) will be appropriately secured e.g., password protected with other factors of authentication, as appropriate to the sensitivity of the information, to ensure the data is protected; vi. Personal data on computer screens and manual files will be inaccessible to public viewing to ensure the confidentiality of the data; vii. Personal data will be disposed of securely when no longer required e.g., shredding of paper, hard drives on PCs wiped to ensure it does not get into third party hands that may use it for unlawful purposes; viii. Member Institutions will have customer meeting centres available, that allow for meetings/conversations with individuals to take place where they cannot be overheard; ix. Only authorised persons within Member Institutions will access, for authorised purposes, credit reference agencies. e) Where a Member Institution engages the services of an agent (for example a tracing agent for the purposes of debt recovery) or of a third party contractor or service provider to process personal data on its behalf, it will take the following steps to ensure that data protection standards are maintained: i. A Member Institution will only transfer personal data to a data processor on the basis of a written contract (or a contract in equivalent form) to ensure the data processor is legally bound to ensuring data protection standards are maintained; ii. The contract will require the data processor to apply appropriate security measures and to comply with all relevant Data Protection legislation; iii. The contract will require that the data processor will process the personal data only on the basis of the authorisation and instructions received from the Institution. The contract will also require that the personal data is not retained or used by the data processor for its own purposes; iv. Each Member Institution will satisfy itself that the data processor has suitable technical security measures and organisational measures in place to ensure compliance with data protection legislation.

12 2.5. Keep it accurate, complete and up-to-date Principle Section 2 (1) (b) of the Act requires that: "the data shall be accurate and complete and, where necessary, kept up-to-date." An organisation must ensure that the personal data it keeps is accurate and up-to-date. An obligation also exists with the customer to ensure the organisation is updated where amendments are required to his/her personal information i.e. change of address/contact details. Apart from ensuring compliance with the Acts, this requirement has an additional importance in that an organisation may be liable to an individual for damages if it fails to observe the duty of care provision in the Act applying to the handling of personal data. In practice Each Member Institution will ensure that: a) Its procedures are adequate to ensure appropriate levels of personal data accuracy; b) Where there are inaccuracies in the personal data held, the Member Institution will correct these errors no later than 40 calendar days after they are identified or brought to its attention by the data subject. Note: A customer or an employee has a responsibility to inform the Member Institution of any relevant changes to his/her personal information in accordance with that Institution s procedures e.g., a link on a website, internet banking messages, customer engagement to prompt individuals to advise the Institution of any changes to personal data. Examples in a Banking Context Member Institutions will update their records/systems with new information as it is received from a customer in accordance with the Member Institution s procedures. Such new information may include change of address details, a new phone number, change in marital status etc. New information may also include any inaccuracies noted by a customer and this will be amended by the Member Institution as soon as possible. Member Institutions will ensure that any information received from a customer is recorded accurately on their IT systems in accordance with the Member Institution s procedures. For example, when a customer notifies of a change in address, the Member Institution will update its records to ensure that the customer receives all correspondence to the new address.

13 2.6. Ensure that it is adequate, relevant and not excessive Principle Section 2 (1) (c) (iii) of the Act requires that: "the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed" Personal data retained by an organisation should be sufficient to enable an organisation to achieve its purpose and no more. Personal data should not be collected or kept if it is not needed, "just in case" a use can be found for the data in the future. An organisation should not ask intrusive or personal questions if the information obtained in this way has no bearing on the specified purpose for which personal data is held. In practice a) Member Institutions will not collect any more personal data than is necessary for the purpose for which it is required. b) The collection of personal data from individuals will be kept under review to ensure that only relevant information is sought and provided e.g., periodic review of application forms. Examples in a Banking Context Member Institutions will ensure that all product application forms only contain information which is relevant to the product being applied for by the customer. Where additional information is requested, this information will be optional for the customer to provide. For example, when a customer is opening a savings account, the Member Institution will not seek employment information as this type of information would only be relevant if the customer was seeking credit facilities i.e., a loan. Legal/Compliance Departments in Member Institutions will review new documentation (i.e., product application forms) to ensure compliance with adequacy rules, relevance and that information being requested or collected is not excessive Retain it no longer than is necessary for the specified purpose or purposes Principle Section 2 (1) (c) (iv) of the Act requires that: "the data shall not be kept for longer than is necessary for that purpose or those purposes"

14 Nowadays personal data can be kept cheaply and effectively on computer. This requirement places a responsibility on data controllers to be clear about the length of time that data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal data, then that data should be routinely deleted. Personal data should never be kept "just in case" a use can be found for it in the future. Particular attention should be paid to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which does not need to be held any longer. If a Member Institution wishes to retain personal data about customers to help provide a better service to them in the future, it must obtain the customer s consent in advance. Good housekeeping would also dictate that the need to retain records is reviewed regularly. In practice a) Each Member Institution will ensure that it has a data retention/disposal policy for both customers and non-customers/potential customers. b) Member Institutions will retain personal data only for periods necessary for the specified purpose(s) or as required by relevant legislation/statutory codes or other regulatory direction. For example, under the Consumer Protection Code, personal data, gathered in relation to the provision of products and services, will be held for a period of 6 years after the ending of the client relationship. c) In certain circumstances, Member Institutions may be required to retain personal data for longer periods of time where, for example, an order is placed on a Member Institution by the Office of the Revenue Commissioners. In other circumstances, Member Institutions may be permitted to retain personal data for longer periods of time, where the provisions of Section 8 of the Data Protection Acts apply e.g., where a Member Institution is required by law to retain the personal data. Examples in a Banking Context Information obtained from an individual for the purpose of a specific once-off event, e.g., a competition, will only be used for the purpose of that competition. Member Institutions will ensure that when destroying data under a retention and disposal policy that the data for destruction will be destroyed securely In the event that a customer provides a Member Institution with personal information to get an insurance quote, the Member Institution should only use the personal data to provide the customer with the insurance quote. The customer should be advised what the Member Institution will do with the data provided. If the customer does not proceed with taking out an insurance policy, the data provided should be destroyed and not used at a later date for another purpose e.g., at next renewal to offer a lower quote to the customer. Member Institutions will comply with regulatory obligations in relation to retention periods for insurance quotes given. If the customer wishes to accept the quote and proceeds with an application, the Member Institution should provide a full Data Protection Notice to the customer advising him/her exactly how their personal data will be used. In the event that a customer makes a complaint, the data provided by the customer in relation to the complaint should only be used for investigating and resolving the complaint. The data provided should be retained for as long as is necessary to comply with the relevant regulatory requirements e.g., the Consumer Protection Code. The data should be destroyed in line with the Member Institution s destruction policy.

15 2.8. Give a copy of his/her personal data to an individual, on request Principle Under section 4 of the Data Protection Acts, on making a written request, any individual about whom an organisation keeps personal data on computer or in a relevant filing system is entitled to: A copy of the data; A description of the purposes for which it is held; A description of those to whom the data may be disclosed; and The source of the data unless this would be contrary to public interest. An organisation is also obliged to explain to the data subject the logic used in any automated decision making process where the decision significantly affects the individual and the decision is solely based on the automated process. This "right of access" is subject to a limited number of exceptions, which are listed below. An individual making an access request must: Apply to the organisation in writing; Give any details which might be needed to help identify him or her and locate all the information that may be kept about him/her (e.g., previous addresses, customer account numbers). The individual must also pay an access fee if one is charged. Organisations are entitled to charge up to a maximum of 6.35, although in some instances, this fee can be waived. Every individual, about whom a data controller keeps personal data on computer or in a relevant filing system, has a number of other rights under the Acts in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner. More details about the rights of individuals are given on the website of the ODPC. There are a number of situations where exemptions apply to a right of access to data. Sections 4 and 5 of the Data Protection Acts set out a number of circumstances in which a person s right to see his/her personal records can be limited. The ODPC outline that this is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society on the other hand. The exemptions include: a) If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing/collecting any taxes or duties, but only in cases where allowing the right of access would be likely to impede any such activities Note: It would obviously be unacceptable to allow a criminal suspect to see all of the information kept about him by An Garda Síochána, where this would be likely to impede the effectiveness of the criminal investigation. On the other hand, however, if allowing an individual access to personal data about him or her would not be likely to impede an investigation, then the access request would have to be complied with. Case Study 2/04 on the ODPC Website provides an example of such a scenario:

16 b) If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention; c) If the information is kept for certain anti-fraud functions, but only in cases where allowing the right of access would be likely to impede any such functions; d) If granting the right of access would be likely to harm the international relations of the State; e) If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation: For example, arrears cases where the case has progressed to court and the customer may be trying to determine what write-off amount (if any) a bank may have factored against their loan; f) If the information would be subject to legal professional privilege in court: For example, data from a legal adviser to an Institution relating to the requestor; g) If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved; h) If the information is back-up data. It is important to note that if a Member Institution has recently fulfilled an Access Request for an individual (e.g., within the previous year), it does not have to fulfil another Access Request in relation to the same information. In practice A data subject is entitled to a copy of his/her personal data as provided for under Data Protection legislation. a) To make a request the individual should apply in writing, giving any details which are necessary to help the Institution identify him/her and locate the relevant personal data. Contact details to assist with making such requests should be available in a number of places, for example on application forms, in booklets setting out Terms & Conditions, various brochures and on BPFI Members websites etc. The data subject may be required to pay an access fee, which will not exceed the prescribed amount. The fee will be refunded if the request is not processed, or if it is necessary to rectify, supplement or erase the personal data concerned. b) When a written access request is made and personal data is held by the Institution, the Institution will: i) Provide the personal data requested to the individual within 40 calendar days of receiving the request and the applicable fee, if requested; ii) Provide the personal data in a form which will be clear to the ordinary person, as far as possible; iii) Ensure the personal data is given only to the data subject (or someone acting on his/her behalf and with his/her written authority); iv) Not provide the response over the phone. Please note that the statutory deadline for an Institution to respond to an access request may be extended by the time it takes the individual to provide the Institution with details which might reasonably be needed to help identify him/her, and to locate all the information that may be kept about him/her. c) The Institution may request ID from the data subject to ensure that the material collated on foot of the request is provided to them and not to an unauthorised third party.

17 d) Institutions will have documented procedures in place to ensure that all applicable manual and electronic files are checked for the personal data in respect of whom the access request is being made. e) A data subject will not be entitled to certain information e.g., data held for the prevention or detection of fraud, third party information, or opinions given in confidence. f) Where a very broad request is received, it can be helpful to contact the data subject to assess whether the request can be better scoped to fully meet the specific requirements of the data subject. g) If an institution does not comply with an Access Request, a data subject may make a complaint to the ODPC. It is recommended that the data subject contact the Institution to indicate their intention to complain to the ODPC as the issue may be addressed prior to the complaint going to the ODPC. Examples in a Banking Context The Access Request Pack is usually sent to the data subject by post (sometimes registered), courier or collected by the requestor at a bank branch convenient to the data subject. In the event of an Access Request on a joint account from one of the customers only, a Member Institution may seek the consent of the other party to the account before releasing any information. If consent is not given or is not forthcoming, the data relating to the other party will be redacted before being released to the requestor. In the event that an individual seeking his/her information is linked to a Limited Company, relevant personal information relating to that individual will be provided on foot of an Access Request. This may include, for example, copies of identification documents provided by that person at account opening such as a copy of a passport or address verification. Information in respect of a Limited Company is not in scope under the Acts and will therefore not be disclosed on foot of an Access Request. In the current environment, many customers are experiencing financial difficulty and may be engaged in legal proceedings with their financial institution. There may be an order for discovery (discovery order) made on that institution as part of the legal proceedings. The customer may also seek an Access Request from the institution and it can often be the case that a lot of the information requested by the customer under an Access Request is similar to the information sought by way of the discovery order. However, a discovery order does not negate the obligations of the data controller to provide the data subject with a copy of the personal information requested from his/her file. A discovery order should always be treated as a separate request.

18 3. Management of possible breaches of personal data security A personal data breach is an unintended release of a customer s personal information to an external environment or person. An example of a data breach is if correspondence is sent to somebody other than the person for whom it was intended. Each Member Institution has appropriate reporting mechanisms in place in respect of personal data breaches, in accordance with the ODPC s Personal Data Security Breach Code of Practice. This Code requires that all incidents in which personal data has been put at risk should be reported to the ODPC as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident has been reported, without delay, directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal data of a financial nature. In case of doubt, in particular any doubt related to the adequacy of technological risk-mitigation measures, a data controller should report incidents to the ODPC. Exception: If the data concerned is protected by technological measures which make it unintelligible to any person who is not authorised to access it e.g., personal data stored on an encrypted laptop with secure access controls. Even where there is no notification to the ODPC, the data controller should keep a summary record of each incident which has given rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data. The record should include a brief description of the nature of the incident and an explanation of why the data controller did not consider it necessary to inform the ODPC. Such records should be provided to the ODPC upon request. Member Institutions each operate to their own data breach procedures in accordance with the ODPC s Code of Practice. If a customer is concerned that his/her personal data has been the subject of a data breach, the customer should contact his/her financial institution to discuss any concerns.

19 Appendix One - Marketing Options Table The following table sets out the marketing requirements of not only the Data Protection Acts 1988 and 2003, but also requirements set out in the applicable sections of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. 336 of 2011 (the Regulations), which transpose E-Privacy Directive 2009/136/EC, which came into operation on 1st July Individual Customer (existing customer) Individual Customer Non- Business Contacts (Customer & Non- Customer) Postal Marketing Text/ Marketing Phone Marketing Landlines to Phone Marketing Fax Marketing Mobile Phones Opt-Out Opt-out Opt-Out Opt-out Opt-out Opt-Out Opt-out Opt-In Opt-In Opt-In if on NDD*, Opt-Out otherwise Opt-In if on NDD, Opt-Out otherwise Opt-In Opt-In if on NDD, Opt-Out otherwise Opt-In Opt-In to *NDD - National Directory Database Opt-in means that a Member Institution can only market an individual where it has obtained the individual s explicit consent to do so. Opt-out means that a Member Institution can market an individual provided it has given him/her the option not to receive such marketing and he/she has not availed of this option. For electronic communication to a business, an option to unsubscribe must be included.

20 Banking & Payments Federation Ireland Nassau House Nassau Street Dublin 2 Ireland +353 (1) info@bpfi.ie