Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Transcription

1 Data Protection Awareness Based on DIT s Data Protection Policy, the Data Protection Acts, 1988 & 2003 and guidance from the Office of the Data Protection Commissioner

2 Index Definitions What is Data Protection? Rights of Individuals Responsibilities of DIT The 8 Principles of Data Protection Summary of DIT s Responsibilities as a Data Controller during the Data Lifecycle Further Information

3 Definitions Personal Data: Any data relating to a living identifiable individual. Data: Automated data or structured manual data. Manual Data: Structured by reference to individuals in a way that makes data readily accessible. Sensitive Data: Relates to physical/mental health, racial origin, political opinions, religious or other beliefs, sexual life, criminal convictions, alleged commission of offence or Trade Union membership. Data Controller: A person who controls the contents and use of personal data. Data Processor: A person who processes personal data on behalf of a data controller. Data Subject: An individual who is the subject of personal data. Processing: Anything done with personal data, from collection to disposal.

4 What is Data Protection? Data Protection is the safeguarding of privacy rights of individuals in relation to the processing of personal data in both paper and electronic format. DIT is obliged to comply with the provisions set out by the Data Protection Acts, 1988 and 2003 ( DP Acts ). The DP Acts create: RIGHTS for Individuals (i.e. Data Subject) RESPONSIBILITIES for Users of Personal Data (i.e. Data Controllers/ Data Processors)

5 Rights of Individuals Right to fairness when giving information; Right to request a copy of own personal information; Right to have wrong information corrected; Right to opt out of marketing; Right to make a complaint to the Data Protection Commissioner.

6 Responsibilities of DIT DIT, as a data controller, must comply with certain rules about how it collects and uses personal information. These rules are known as: The 8 Principles of Data Protection* 1) Obtain and process information fairly; 2) Keep it only for one or more specified and lawful purposes; 3) Process it only in ways compatible with the purposes for which it was given to you initially; 4) Keep it safe and secure; 5) Keep it accurate and up-to-date; 6) Ensure that it is adequate, relevant and not excessive; 7) Retain it no longer than is necessary for the specified purpose or purposes; 8) Give a copy of his/her personal data to any individual on request. *Further information on each of these principles is available on the following slides

7 The 8 Principles of Data Protection 1. Obtain and Process Information Fairly DIT must provide data subjects with full information about: its identity; the purposes for which the data subject s personal data will be used; to whom, if anyone, the personal data will be disclosed to; any other data necessary for fairness. To obtain personal information, one of the following conditions is required: Consent; Contract with Individual; Legal Obligation; Necessary to Protect Vital Interests; Necessary for legitimate interests ; Necessary for a Public Function (Justice). In order to process sensitive personal information, explicit consent is required Processing must be necessary for one of the following reasons: For the purposes of DIT s obligations under Employment Law; To prevent injury or protect vital interests; For the purpose of obtaining legal advice; For medical purposes; Statutory Function. or

8 The 8 Principles of Data Protection 2. Keep Information only for one or more Specified and Lawful Purposes DIT is required to inform data subjects of the reason(s) why it collects and keeps personal data. The purpose cannot be expanded without reverting to the data subject and seeking additional consent. 3. Process Information only in ways compatible with purposes for which it was initially given General Rule: Personal data should not be disclosed for any purposes other than that for which it was originally provided to DIT.

9 The 8 Principles of Data Protection 4. Keep Information Safe and Secure Appropriate security measures are required to ensure that personal data is kept safe and secure, e.g. s include laptop encryption, password security etc. 5. Keep Information Accurate and Up-To-Date Personal data held by DIT must be accurate, complete and up to date. Data subjects have a right to have errors relating to personal data rectified. 6. Keep Information Adequate, Relevant and Not Excessive Only the minimum amount of personal data required must be sought and retained, that is, DIT does not have a right to ask for, or hold, data which is not relevant to the service being provided.

10 The 8 Principles of Data Protection 7. Retain Information only as long as necessary Personal data must only be held for as long as is necessary in accordance with the purpose for which it was collected. DIT s Record Retention Schedules are available at 8. Right of Access An individual has a right of access to his/her personal data on request. An individual also has a right to request that DIT corrects/erases/ blocks or ceases to process personal data on the grounds that it would cause unwarranted damage or distress. Please refer all Data Protection Access Requests immediately to the Records Manager at [email protected] or telephone (01)

11 Summary of DIT s Responsibilities as a Data Controller during the Data Lifecycle Inform & Get Consent Justification To Process Keep Accurate Have A Retention Policy Beginning Middle End Getting The Data While DIT Has The Data Disposing Of Data Specify Purpose Only Gather What Is Required Respond To Access Requests Disclose Only If Compatible Or Allowable Exception Keep Secure & Dispose Securely Source: Office of the Data Protection Commissioner

12 Further Information Data Protection in DIT: Office of the Data Protection Commissioner: For further information, please contact: Theresa Whelan Records Manager DIT Lower Rathmines Road Dublin 6 Telephone: (01) [email protected] or [email protected]