Data Protection Good Practice Note

Transcription

1 Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection Amendment Act 2003 (hereinafter collectively referred to as the Acts and statutory Instrument Number 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 ( SI 535/2003, as amended by SI 526 of 2008) in addition to wider European directives. Charities must become fully aware of Data Protection. They must comply with the law and be transparent and accountable for how data is processed. To do so they must ensure that staff, clients and volunteers understand their responsibilities thus affording them and the charity protection from liability. Registering with Data Protection Commissioner While certain categories of data controllers are obliged to register with the Data Protection Commissioner, there is no requirement for not for profit charities to register, however just because a charity is not required to register this in no way obviates your need to comply with all the requirements of the Act. Direct Marketing Underlying Principles Charities may engage in a range of activities that could be described as marketing or that require marketing based activities to achieve further objectives. Therefore Charities should observe good practice which suggests that all unsolicited direct contact with individuals should be treated as marketing. This would include seeking donations, marketing goods and services, promoting sponsored events, raffles etc. Opting Out Data Subjects have the right to require that their data not be used for marketing purposes. It is therefore required by law to make it clear to data subjects when there is an intention to use their data for marketing and to offer them an opt-out (via a tick-box or an easy to use alternative) at the earliest opportunity. Opt-in means you can only market to an individual where you have their explicit consent to do so. Opt-out means that the Data Subject has exercised their right under the legislation, and opted to be removed from future marketing or mailing campaigns. It is a breach of Data Protection legislation to continue to use their data for marketing purposes once such an opt-out request has been received. It is good practice with initial fundraising communications to donors, volunteers and others to include an opt-out clause and therefore give the data subject the opportunity to consent to the Charity communicating with them on fundraising matters on an ongoing basis or for specific activities. A failure to do so and a subsequent communication may result in a breach of the Acts. 1

2 Sharing Lists Charities must not share data with other organisations in order to carry out their own marketing-type activities. Charities must only obtain lists where it can be guaranteed that those on the list have been given an opportunity to opt out, and also lists which can be guaranteed to be sufficiently up to date. When using a purchased list, Charities must inform the recipient how their details were obtained and provide the required direct marketing options. Purchased lists should not be used to send electronic communications i.e. s and texts to individuals. A failure to respond by a data subject will be taken to mean they have not opted in to receive further marketing communications. Any list of groups or contacts held by the Charity even if they are in the public domain cannot under the laws of Data Protection be sent to other parties for their own use. Electronic Contact Under Data Protection and Telecommunications legislation all electronic marketing (by phone, fax, or text message) requires consent (opt-in) in all cases. This aspect of Data Protection comes under tighter controls and scrutiny. Further guidance is available at _A_ GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm < DIRECT_MARKETING_%E2%80%93_A_GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905. htm> In accordance with the relevant legislation, electronic contact with individuals must be on an opt-in basis and every such communication must contain the means to opt out. Data Retention You have certain key responsibilities in relation to the information which you keep on computer or in a structured manual file about individuals this includes information you may keep on staff and volunteers as well as donors. The Acts are designed to protect an individual s right to privacy and ensure that the data held on them is accurate, lawfully obtained and that there is no unauthorised disclosure of personal data. This equally applies to the personal information held on staff and volunteers. In relation to retention of personal data, the Acts state that personal information held by data controllers should be retained for no longer than is necessary for the purpose or purposes for which it was obtained. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. However, the Acts do not stipulate specific retention periods for different types of data, and so organisations must have regard to any statutory obligations imposed on them as a data controller when determining appropriate retention periods. 2

3 Key Risks There are key risks for Charities that may lead to data breaches: Through lack of knowledge and training, data may be inadvertently used without clear consent of the data subject. Through poor security and access controls, data may get into the wrong hands. Individuals may be distressed by inappropriate disclosure or by inaccurate or insufficient data. Breaches may occur because clear boundaries may not exist between departments on what data can be shared. Data may be used for purposes other than the specific purpose or purposes for which the data was acquired. Failure to comply with Data Protections rules may lead to heavy penalties. Definitions Under the legislation the following definitions are important: Data Under the Acts, data means information in a form in which it can be processed. Data in this context refers to both automatic and manually processed data. Under legislation there are different classes of data. They include; Automated Data refers to information that is processed by means of equipment operating automatically. Manual Data is defined as information that is recorded as part of a relevant filing system or with the intention that it should form a relevant filing system. Personal Data means data relating to a living individual who can be identified either directly from the data or from other related information in the possession of the data controller. Under the Acts, Sensitive Personal Data is defined in specific ways as set out below: - racial or ethnic origin, political opinions of the data subject - religious or philosophical beliefs of the data subject - trade union membership or affiliation of the data subject - physical, mental health or condition, sexual orientation of the data subject - commission or alleged commission of any offence or offences by the data subject any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. 3

4 Processing DPA 2003 processing, of or in relation to information or data means performing any operation or set of operations on the information or data, whether or not by automatic means, including: Obtaining, recording or keeping the information or data. Collecting, organizing, storing, altering or adapting the information or data. Retrieving, consulting or using the information or data. Disclosing the information or data by transmitting, disseminating or otherwise making it available. Aligning, combining, blocking, erasing or destroying the information or data. Blocking It means marking data to the extent that it is not possible to process it for purposes in relation to which it was marked. Direct Marketing Direct marketing includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office. Data Subject The Act defines a data subject as a living individual who is the subject of personal data. Data Controller The Acts defines a Data Controller as a person who, either alone or in conjunction with others, controls the contents and use of personal data. By person it does not necessarily mean a living individual but refers to a legal person i.e. an organization or a nominated representative. It is the intangible being that controls the organization even though administered and decided upon by the individuals (the Board). The Act states that a Data Controller, shall, as respects personal data kept by him, comply with the provisions of the Act. Data Controllers have a vast amount of serious legal responsibilities placed upon them by virtue of the Act. The provisions are the rules which are imposed surrounding good information handling to direct the Data Controller to act, in relation to personal data held, in such a way that has the best interests of the Data Subject at hand. Data Processor As defined by the Acts refers to a person who processes personal data on behalf of a Data Controller but does not include an employee of the Data Controller who processes such data in the course of his employment. The Data Processor processes personal data on behalf of the Data Controller, thus this provides that the Data Controller cannot abdicate his responsibility to the Data Processor. All of the legal obligations and responsibilities lie with the Data Controller; therefore the Controller still remains liable. 4

5 The Act states that where the processing is conducted by a Data Processor, the Controller must ensure that the processing is conducted in the pursuance of a contract which is in evidence in writing or another equivalent form. It goes on further to state that the contract must contain clauses that the Processor shall only act on the instructions of the Controller and shall comply with the obligation equivalent to those imposed by the Data Controller with respect to the security of the data being processed. Data Protection Commissioner The Commissioner is responsible for upholding the rights of individuals conferred on them by the Acts. He is also responsible for providing enforcement action upon Data Controllers who breach or commit offences against the Acts. Data Protection Officer The Data Protection Officer is responsible for ensuring that the charity complies with the requirements of the Act, raising awareness among staff of their data protection rights and responsibilities. Ownership groups Ownership groups are defined as those groups who will use common data. Ownership Groups are a way of controlling access to Contact and Organisation records in a more flexible manner than just departments. Ownership Groups group records together and assign access to them to groups of users or individuals. Access given is not restricted to members of a department. In addition access can be limited to an individual record. This means that individuals across multiple departments can be given differing levels of access to any one or more records. For further information: Data Protection Commissioner The Commissioner is appointed by Government and is independent in the exercise of his or her functions. They can be contacted at: Canal House, Station Road, Portarlington, Co. Laois. Ph or National Directory Database The National Directory Database lists all phone numbers printed in public telephone directories or available through directory enquiries. It also records whether the subscriber has expressed a preference not to receive marketing calls. It applies to voice calls for residential subscribers and to both faxes and voice calls for business subscribers. All ex-directory numbers are automatically placed on the opt-out register. The NDD does not take instructions from individual subscribers, only from line providers. The Irish Direct Marketing Association (IDMA) DMA advocates industry standards for responsible marketing both online and offline. 5