GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT

CONTENTS

PREFACE
1. Background
2. Data Protection Principles
3. Notification Requirements

PREFACE

The following provides general guidance on data protection legislation in the Isle of Man. It is recognised that this Guide will not completely answer detailed questions which clients and their advisers may have; it is not intended to be comprehensive. If any such questions arise in relation to the contents, they should be addressed to any member of the Isle of Man Regulatory Team using the contact information provided at the end of this Guide.

Appleby Isle of Man, February 2015
applebyglobal.com

1. BACKGROUND

The Isle of Man laws relating to data protection are contained in the Isle of Man Data Protection Act 2002 (the DPA 2002). The DPA 2002 mirrors much of the UK Data Protection Act 1998.

Definitions

The DPA 2002 uses a number of important definitions, the main ones being:

Data controller: a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Personal data: data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. The term includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Processing: this is given a very wide meaning, and very little that is done with data is likely to fall outside it. Processing, in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including:
(a) organisation, adaptation or alteration of the information or data;
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
(d) alignment, combination, blocking, erasure or destruction of the information or data.

Sensitive personal data: personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject;
(b) his political opinions;
(c) his religious beliefs or other beliefs of a similar nature;
(d) whether he is a member of a trade union;
(e) his physical or mental health or condition;
(f) his sexual life;
(g) the commission or alleged commission by him of any offence; or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Where a data controller processes sensitive personal data, additional conditions must be satisfied (see the first data protection principle in section 2.1 below).

Data processor: any person who processes data on behalf of the data controller (other than an employee of the data controller).

Data subject: an individual who is the subject of personal data.

Data Protection Supervisor: the Office of the Data Protection Supervisor is the body responsible for administration of the DPA 2002 in the Isle of Man.

2. DATA PROTECTION PRINCIPLES

Data controllers are obliged to comply with eight data protection principles (the Data Protection Principles), each with detailed statutory guidelines. They can be summarised as follows.

2.1 First Data Protection Principle

Personal data must be processed fairly and lawfully and must not be processed unless:
(a) at least one of the conditions in schedule 2 to the DPA 2002 is met; and
(b) in the case of sensitive personal data, at least one of the conditions in schedule 3 to the DPA 2002 is also met.

Copies of schedules 2 and 3 of the DPA 2002 are attached.

2.2 Second Data Protection Principle

Personal data must be obtained only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with that purpose or those purposes. The purpose or purposes for which personal data are obtained may be specified in a notice given by the data controller to the data subject or in a notification to the Data Protection Supervisor. In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard must be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.

2.3 Third Data Protection Principle

Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. In complying with this principle, data controllers should seek to identify the minimum amount of information that is required in order properly to fulfil their purpose. It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used.

2.4 Fourth Data Protection Principle

Personal data must be accurate and, where necessary, kept up to date.

2.5 Fifth Data Protection Principle

Personal data processed for any purpose or purposes must not be kept for longer than is necessary for that purpose or those purposes. To comply with the fifth data protection principle, data controllers will need to review their personal data regularly and delete the information which is no longer required for their purposes.

2.6 Sixth Data Protection Principle

Personal data must be processed in accordance with the rights of data subjects under the DPA 2002.

2.7 Seventh Data Protection Principle

Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Management and organisational measures taken by a data controller are as important as the technical ones. A data controller must also take reasonable steps to ensure the reliability of any employees who have access to the personal data.

Where the processing of personal data is carried out by a data processor on behalf of a data controller, in order to comply with the seventh data protection principle the data controller must:
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and
(b) take reasonable steps to ensure compliance with those measures.

In addition, where a data processor does process data on behalf of a data controller, the data controller will not be regarded as complying with the seventh data protection principle unless:
(a) the processing is carried out under a contract which is made or evidenced in writing and under which the data processor is to act only on instructions from the data controller; and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh data protection principle.

The seventh data protection principle relates to the security of the processing of personal data as a whole, and to the measures a data controller must take to guard against any breach of the DPA 2002, not merely against breaches of security in the narrow sense.

2.8 Eighth Data Protection Principle

Personal data must not be transferred to a country or territory outside the Isle of Man unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The level of protection must be adequate in all the circumstances of the case (the interpretation provisions of the DPA 2002 provide further details to aid in the assessment of adequacy). Countries or territories within the European Economic Area (EEA) are deemed to have an adequate level of protection. In addition, if the European Commission makes a finding that a particular country or territory has an adequate level of protection, that finding is sufficient for the purposes of the eighth data protection principle. The European Commission has made an adequacy finding for US companies that have signed up to the Safe Harbour provisions. (The Safe Harbour decision was subsequently declared invalid by the Court of Justice of the European Union in October 2015, after this Guide was published, and can no longer be relied upon as a basis for transfer.) The European Commission also made a formal decision on 28 April 2004 recognising the Isle of Man as a jurisdiction with an adequate level of protection for personal data.

3. NOTIFICATION REQUIREMENTS

Although there are some exceptions, data controllers are generally required to notify certain registrable particulars to the Data Protection Supervisor. The particulars which a data controller is required to notify are:
(a) his name and address;
(b) a description of the personal data being or to be processed by or on behalf of the data controller, and of the category or categories of data subject to which they relate;
(c) a description of the purpose or purposes for which the data are being or are to be processed;
(d) a description of any recipient or recipients to whom the data controller intends or may wish to disclose the data; and
(e) the names, or a description, of any countries or territories outside the Isle of Man to which the data controller directly or indirectly transfers, or intends or may wish directly or indirectly to transfer, the data.

Notification lasts for 12 months, and any changes in the registered particulars must be notified to the Data Protection Supervisor. Personal data must not be processed unless an entry in respect of the data controller is included in the Register maintained by the Data Protection Supervisor.

In addition to the registrable particulars referred to above, a notification must give a general description of the measures to be taken by the data controller for the purpose of complying with the seventh data protection principle (measures against misuse and loss of data).

Data being provided to a third party outside the EEA

If data are being provided to a third party outside the EEA, the following questions must be asked:
(a) Is there an actual transfer of data taking place? There is a distinction between a transfer of data and data in transit. The eighth data protection principle only applies where data are moved to another country, rather than merely passing through one country on the way to another.
(b) Has the country in question been designated as adequate by the European Commission?
(c) Has the company in question signed up to the Safe Harbour arrangements in the USA?
(d) Are there alternative grounds for concluding that the receiving company or country is nevertheless adequate in all the circumstances of the case?
(e) Does one of the derogations under schedule 4 of the DPA 2002 apply? The most common example is that the data subject has given consent to the transfer; such consent must be freely given and the data subject must understand what he or she is agreeing to. A copy of schedule 4 of the DPA 2002 is attached.
(f) Is there an alternative basis for transfer (e.g. contracts based on standard terms approved by the European Commission, or arrangements approved by the Data Protection Supervisor in the Isle of Man)?

For more specific advice on the Data Protection Act in the Isle of Man, we invite you to contact:

Isle of Man
Claire Milne, Partner, Corporate
+44 (0)1624 647 698
cmilne@applebyglobal.com

For the convenience of clients in other time zones, a list of contacts available in each of our jurisdictions may be found here.

This publication is for general guidance only and does not constitute definitive advice.

Appleby Global Group Services Limited 2015