Introduction to Personal Data Law for Researchers DCU Risk & Compliance Office April 2016

Transcription

1 Personal Data Law Introduction to Personal Data Law for Researchers DCU Risk & Compliance Office April 2016

2 Personal Data Protection - Aims Aims of this presentation 1) Cover basic definitions 2) Explain the 8 general principles of data protection 3) Specific considerations for Researchers 4) Communicate Researchers responsibilities ***Tip of the Iceberg***

3 Personal Data Protection Why? Why must we protect Personal Data? It is a legal requirement It promotes good information handling practices Protects your own & DCU s reputation Individuals have a right to expect that their personal data is handled in accordance with the law i.e. properly. Organisations such as DCU must protect it.

4 Personal Data Protection - Examples Examples of recent media coverage of DP issues January 2013: Newborn Bloodspot Screening Cards held from 1984 to 2002 were to be disposed of but the research community raised concerns. An expert committee is to advise. Spring 2015: Irish Water s request for details of customer s PPS numbers was referred to the Data Protection Commissioner and found to be compliant. 2014: Dept. of Social Welfare data breach: employee had a long standing arrangement with a Private Investigator for the sharing of clients personal data. PI Firms Directors were brought to court, found guilty and fined.

5 Personal Data Protection - Legislation Irish Data Protection Legislation Primary legislation 1) Data Protection Act ) Data Protection Amendment (Act) 2003 Put in place in response to EU Data Protection Directive Secondary legislation Other assorted EU & Irish Legislation / Regulations ***New Data Protection Regulation due in 2016 this will significantly strengthen rights and obligations*** Note: all of these slides are based on the current legislation

6 Personal Data Protection - Definitions What is Personal Data? Personal data is data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller; e.g. contact details, audio & visual recordings, clinical records, DNA samples, CVs etc. The definition is deliberately very broad. Personal data can be in an automated or manual format. Must be stored in a Relevant filing system.

7 Personal Data Protection - Definitions Sensitive Data An additional category of data which requires extra protection from misuse or disclosure e.g. patient s clinical records, religion, political opinions, race, ethnic origin, trade union membership, sexual orientation or any criminal record. Data Subject Individual who is the subject of the personal data. Data Controller Is a person or body who controls the contents & use of personal data e.g. DCU (but responsibility for implementing controls & safeguards extends to researchers, students and staff also).

8 Personal Data must be: Personal Data Protection 8 General Principles 1) Fairly obtained identify yourself & who you may share the data with obtain informed explicit consent (Plain Language Statement). 2) Processed only for a specified & lawful purpose(s) state purpose the data is required for i.e. the nature of the research. 3) Data cannot be used later for an alternative purpose can only be used for the stated purpose in 2 above (exceptions do exist). 4) Kept safe and secure e.g. restrict access (encryption of data or device, password protect, locked cabinets etc.) and train staff.

9 Personal Data Protection 8 General Principles Cont.. 5) Accurate & up to date periodically review accuracy. 6) Adequate, relevant & not excessive don t ask for data you do not need. 7) Not retained for longer than is necessary retention policy / safe disposal / or anonymize the data. 8) Data Subject s Right to Access provide copy of the data on request (exception exists for research data).

10 Research & personal data specific considerations Researchers and personal data specific considerations All 8 principles still apply especially requirement to state the purpose of collecting the data ( Plain Language Statement ). Consider anonymizing the data thereby allowing use of data for purpose(s) other than that for which it was originally collected. Limited exemptions apply to data held for research, statistical or scientific purposes provided the data subjects are not exposed to harm. Personal data should not be transferred / shared outside of the EU. Personal Data Agreements are required between Data Controllers and Data Processors.

11 Researcher s Responsibilities Data Protection Researcher s Responsibilities The PI and/or Researcher are responsible for the management of personal data. Be aware of any personal data you collect / process in course of your research. Ensure you apply the 8 general principles from the outset & throughout the course of your research (See DP Helpsheet). Plan for appropriate safeguards / disclosures prior to collecting & analysing personal data. Avoid data breaches (e.g. cc d s, poor disposal routines, non-encrypted transfers).

12 Personal Data Protection DCU s Approach Elements in DCU s approach to Personal Data Protection Policies & Guides Data Protection Policy Data classification Policy Data Handling Guidelines Data Breach Code of Practice Contact with 3 rd Parties Policy Data Protection Officer Advice on all DP related issues e.g. transferring our data to other parties (data processing agreements), staff training and management of data breaches. ISS Services e.g. encryption of devices, s etc. Tailored & unit specific Personal Data Security Schedule (PDSS)

13 Personal Data Protection Additional Guidance Contact DCU Data Protection Ext Helpful websites: 1) Irish Data Protection Commissioners Office 2) DCU Data Protection webpage 3) DCU Central Policies Webpage

14 Personal Data Protection - Conclusion Conclusion What we have covered 1) Basic definitions 2) 8 principles of data protection 3) Specific considerations for Researchers 4) Researchers responsibilities 5) Additional guidance which is available

15 Personal Data Protection Thanks & any questions?