Draft Model Legislative text on Privacy and Data Protection

Similar documents
Casino, Liquor and Gaming Control Authority Act 2007 No 91

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

Training and Skills Development Act 2008

ACCReDITATION COuNCIL OF TRINIDAD AND TOBAGO ACT

Small Business Grants (Employment Incentive) Act 2015 No 14

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH

DATA PROTECTION POLICY

CREDIT REPORTING BILL EXPLANATORY NOTES

Queensland. Right to Information Act 2009

The Role and Function of a Data Protection Officer in the European Commission s Proposed General Data Protection Regulation. Initial Discussion Paper

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT

Tax Agent Services Act 2009

NATIONAL PAYMENT SYSTEM ACT

Act on the Supervision of Financial Institutions etc. (Financial Supervision Act)

REPUBLIC OF TRINIDAD AND TOBAGO. Act No. 16 of 2004

PERSONAL INFORMATION PROTECTION ACT

CHAPTER E12 - ENVIRONMENTAL IMPACT ASSESSMENT ACT

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010

PUBLIC SERVICE ACT An Act to make provision in respect of the public service of Lesotho and for related matters. PART I - PRELIMINARY

Overview of. Health Professions Act Nurses (Registered) and Nurse Practitioners Regulation CRNBC Bylaws

How To Manage A Major International Event

AS TABLED IN THE HOUSE OF ASSEMBLY

National ElectricIty (Victoria) BIll

NOTE - This document is provided for guidance only and does not purport to be a legal interpretation. PERSONAL INSOLVENCY ACT 2012

Queensland. Right to Information Act 2009

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

No. of Freedom of Saint Christopher Information Bill and Nevis. ARRANGEMENT OF SECTIONS

The Credit Information Companies (Regulation) Act,

THE GENERAL INSURANCE BROKERS CODE OF PRACTICE

First Session Tenth Parliament Republic of Trinidad and Tobago REPUBLIC OF TRINIDAD AND TOBAGO. Act No. 13 of 2011

It is hereby notified that the President has assented to the following Act which is hereby published for general information:-

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Queensland NURSING ACT 1992

TEACHERS ACT [SBC 2011] Chapter 19. Contents PART 1 - DEFINITIONS

COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010

Response of the Northern Ireland Human Rights Commission on the Health and Social Care (Control of Data Processing) NIA Bill 52/11-16

COMPLAINTS MANAGEMENT POLICY AND PROCEDURES

CONTENT OF THE AUDIT LAW

Personal Data Protection Bill

Australian Charities and Not-for-profits Commission: Regulatory Approach Statement

DIFC LAW NO. 1 OF 2007

LAW ON THE PROTECTOR OF HUMAN RIGHTS AND FREEDOMS

Merchants and Trade - Act No 28/2001 on electronic signatures

New South Wales. 1 Name of Act 2 Commencement 3 Definitions 4 Who is a witness?

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Authorisation Requirements and Standards for Debt Management Firms

An Bille um Iomaíocht agus Cosaint Tomhaltóirí, 2014 Competition and Consumer Protection Bill 2014 EXPLANATORY MEMORANDUM

DELEGATION AGREEMENT

INVESTMENT FUNDS ACT 2006 BERMUDA 2006 : 37 INVESTMENT FUNDS ACT 2006

GUIDANCE NOTE DECISION-MAKING PROCESS

(28 February 2014 to date) NATIONAL PAYMENT SYSTEM ACT 78 OF 1998

Electronic Commerce ELECTRONIC COMMERCE ACT Act. No Commencement LN. 2001/ Assent

Data controllers and data processors: what the difference is and what the governance implications are

Financial Services (Collective Investment Schemes) FINANCIAL SERVICES (EXPERIENCED INVESTOR FUNDS) REGULATIONS 2012

Financial Services (Banking Reform) Act 2013

DATA PROTECTION [CH.324A 1 CHAPTER 324A DATA PROTECTION ARRANGEMENT OF SECTIONS

BAHRAIN STOCK EXCHANGE LAW

CONSULTATION PAPER NO

(1 May to date) ACCREDITATION FOR CONFORMITY ASSESSMENT, CALIBRATION AND GOOD LABORATORY ACT 19 OF 2006

THE NATIONAL PAYMENT SYSTEMS BILL, 2007

Queensland WHISTLEBLOWERS PROTECTION ACT 1994

Community Housing Providers (Adoption of National Law) Bill 2012

The Manitoba Child Care Association PRIVACY POLICY

Firm Registration Form

Queensland. Health Practitioner Regulation (Administrative Arrangements) National Law Act 2008

A Guide to the Financial Services Regulations

WESTERN AUSTRALIA HEAVY VEHICLE ACCREDITATION SCHEME (WAHVAS) BUSINESS RULES (DRAFT)

LEGAL AID ACT ARRANGEMENT OF SECTIONS PART I. Establishment of Legal Aid Council. 1. Legal Aid Council. 2. Membership of the Council, etc.

Witness Protection Act 1995 No 87

[Brought into force by appointed day notice on 16 th June 2003.]

THE ELECTRONIC TRANSACTIONS LAW,

CREDIT REPAIR AUSTRALIA Pty Ltd ( CRA ) A.C.N CODE OF CONDUCT IN RELATION TO CREDIT RESTORATION SERVICES

Education and Early Childhood Services (Registration and Standards) Act 2011

Queensland. Trust Accounts Act 1973

(28 February 2014 to date) PENSION FUNDS ACT 24 OF 1956

Nauru Utilities Corporation Act 2011

Act 5 Foreign Exchange Act 2004

NATIONAL ACCREDITATION AND EQUIVALENCY COUNCIL CHAPTER 47A NATIONAL ACCREDITATION AND EQUIVALENCY COUNCIL ARRANGEMENT OF SECTIONS PART I - PRELIMINARY

Our approach to information gathering

Information Governance Policy

THE PRIVATE SECURITY SERVICE BILL (No. VI of 2004) Explanatory Memorandum

The Archives and Public Records Management Act

National Solidarity Bond - Terms and Conditions Issue 4

The Credit Reporting Act

AUTHORISATION JAMES PAGET UNIVERSITY HOSPITALS NHS FOUNDATION TRUST

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

REVIEW REPORT

MANAGEMENT AND REDUCTION OF GREENHOUSE GASES BILL. No. 95

Motor Vehicle Accidents (Lifetime Support Scheme) Act 2013

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

SUNCORP INSURANCE AND FINANCE AMENDMENT BILL 1996

Disability Act 2006 A guide for disability service providers

PRIVATE HEALTH INSURANCE INTERMEDIARIES PRACTICE CODES JUNE 2015 VERSION 2

S TATUTORY INSTRUMENTS No. COMPANIES AUDITORS. Draft. Made *** Laid before Parliament *** Coming into force - - ***

Gaming Control Act CHAPTER 4 OF THE ACTS OF as amended by

Standard conditions of the Electricity Distribution Licence

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Consultation on the technical legislative implementation of the EU Audit Directive and Regulation

2015 No FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Business (Finance Platforms) Regulations 2015

Transcription:

The views expressed in this presentation are those of the author and do not necessarily reflect the opinions of the ITU or its Membership. This document has been produced with the financial assistance of the European Union. The views expressed herein can in no way be taken to reflect the official opinion of the European Union. ITU-EC HIPCAR Project Draft Model Legislative text on Privacy and Data Protection Presentation at the Second Consultation Workshop for Working Group 1 ITU-EC HIPCAR Project Saint Kitts, 19-22 July, 2010

Objective To provide an overview of the Draft Model Legislative text for Privacy and Data Protection To highlight where particular positions agreed to in the Policy Building Blocks are given effect. To highlight suggested points of deliberation for the ready review and acceptance of the Draft Model Legislative text.

Methodology Overview There is much precedence in Privacy laws in the Commonwealth and beyond Much case law precedence and ongoing discussion papers have been produced EU EPA encourages CARIFORUM to implement frameworks in line with provisions therein. HIPCAR Policy Building Blocks provide the direction on particular points of policy for CARIFORUM Formed basis for amendment of precedent models to meet regional consensus Regional Precedent used to allow adoption of style of drafting conducive for ready adaptation to needs of the Beneficiary States. Model text enabling in nature, deferring questions of procedure and standards to Regulations.

Key References EU Directive 95/46/EC EU Directive 2002/58/EC Data Protection Act, Malta Data Protection Act, UK Data Protection Act, Australia HIPCAR Regional Assessment Report, Privacy & Data Protection HIPCAR Privacy and Data Protection Policy Building Blocks Data Protection Act, St. Vincent and the Grenadines Data Protection Act, Bahamas Data Protection Bill, Trinidad and Tobago

Overview of Structure Model text comprises of 9 Parts, 80 sections Preliminary Obligations of Data Controllers Rights of Data Subjects Particular Obligations of Public Authorities Special Exemptions Review and Appeals Office of the Data Commissioner Contravention and Enforcement Miscellaneous

Part 1 Preliminary Section 3 Definitions data and information (which are made equivalent) as it underscores a wide interpretation of applicable forms, formats and technologies (electronic or otherwise) in which the data can be presented or stored Policy Building Block 1.2 data controller the definition of which is intended to have broad catchment of the term persons, including parties in both the public and private sectors. Policy Building Block 1.4 Distinction between personal information and sensitive personal information, where the treatment of the latter is more closely prescribed. Policy Building Block 1.5

Preliminary Section 4 Enactment Binds the State Section 5 provides clarity on the jurisdictional limits of the Legislative text recognising the multinational nature of certain businesses, particularly in the context of e commerce Section 6 Limits of Applicability non limitation of exiting powers exercised: in the function of the Courts or in tribunals established by the President.

Part 2 Obligations of Data Controllers This Part consists of 16 sections. Section 8 (1) provides for the recognition of data controllers by the Data Commissioner The form of recognition registration or notification is subject to interpretation and regulatory strategy of the Beneficiary State. Policy Building Block 3.1 Subsection 8 (2) limits the information collected to only that necessary for the provision of service. Policy Building Blocks 4.1, 4.3

Obligations of Data Controllers Section 9 & 10 treat with how the data controller is to collect personal information: directly from the data subject after they are informed of the purpose of collection identified circumstances are exempted from these obligations. Policy Building Block 1.8 Sections 11 & 12 provide for the data controllers adherence to data retention and disposal guidelines which may be established.

Obligations of Data Controllers Section 13 makes the controller responsible for ensuring the accuracy of data stored, and works with Section 28 to ensure Data Quality is maintained. Section 14 makes the controller responsible for securing the data stored. Responsibilities clarify where liabilities may lie in the instance of civil motions where a persons deems these obligations breached.

Obligations of Data Controllers Sections 15 & 16 elaborate upon the premise that processing or use of information is limited to the purposes outlined at the time of collection Section 15 outlines the reasons for processing personal information Section 16 outlines the greater limitations on the processing of sensitive personal information. Policy Building Blocks 5.1, 5.9

Obligations of Data Controllers Section 17, 18 and 19 outline situations where personal information can be disclosed without prior consent of the data subject: For purposes that are consistent with the purpose for which collection and processing was consented by the data subject, For the undertaking of research and statistical analysis, where there is assurance of appropriate security arrangements; For archival purposes, where the information meets particular criteria, or the data subject is deceased for a specified period. Policy Building Block 6.2

Obligations of Data Controllers Section 20 limits data controllers from storing or processing information in any other jurisdiction where the Law in enforced or a jurisdiction with equivalent privacy protection laws. Policy Building Blocks 6.2, 6.3 Sections 21 and 22 provides for the Data Commissioner s utilising a co regulatory approach where such is deemed appropriate, through the development of sector specific Codes of Conduct.

Part 3 Rights of the Data Subject This Part consists of 6 sections. Section 23 provides the general right for an individual to access his own personal records, within a framework outlined in the Part. Policy Building Block 6.5 Section 24 provides the framework under which a data controller may refuse access to an applying individual, while ensuring that if the access is so denied, to all or part of a document, the onus falls on the data controller to justify the denial. Policy Building Block 6.5

Rights of the Data Subject Section 25 provides for the severance of exempt information from a document to be disclosed to a subject pursuant to a request Policy Building Block 6.5 Section 26 recognises that a data subject may need to delegate particular rights to agents to act on their behalf (e.g. in the case of incapacity or where the subject is a minor) Section 27 provides statutory time limit in which time a subject may expect a response from a controller Section 28 provides for the data subject to request a correction to their personal information stored by a controller.

Part 4 Particular Obligations of Public Authorities This Part consists of 6 sections which provide particular operational requirements of controllers who are public authorities. Section 29 obliges public authorities to create and maintain Privacy Impact Assessments (PIAs) on the compliance of their programmes to the Law. PIAs form a key part of an ex ante, co regulatory framework with the Data Commissioner Section 30 obliges public authorities to maintain centralised privacy information filing systems to facilitate ready audit of systems, while Section 31 exempts archived information at the National Archives from the obligation of Section 30.

Particular Obligations of Public Authorities Section 32 provides for public authorities to identify liaison officers to facilitate the internal evaluation of systems and function to compliance with the Data Protection Law Section 33 facilitates the sharing of information between Ministries in accordance with guidelines established by, and/ or approval attained from the Data Commissioner these are critical to the implementation of e government services. Section 35 obliges the Commissioner to publish reports of the status of the various mechanisms and instruments established to monitor the management of personal information public authorities

Part 5 Special Exemptions This Part consists of 4 sections and provides provisions for amendments to the applicability of provisions in Part 2 to identified data controllers for specific purposes and circumstances Section 35 clarifies that a person may use personal information where that information is used for personal, or family affairs Sections 36 through 37 provide for exemptions from Parts 2, 3 and 4 where applicable in accordance with international best practice

Special Exemptions Section 38 provides for exemption of applicability in relation to endeavours associated with the existing freedoms of expression, including in the pursuit of works in journalism, literature and art. Adequate protection against defamation of character generally are already in place to provide some sort of protection to the data subject without the undue restriction of activity.

Part 6 Review and appeals This Part consists of 10 sections and provides for a data subject to appeal and/ or seek review of a decision of a data controller with the Data Commissioner. Section 39 provides the general right of appeal of an individual who is dissatisfied by the outcome of a request made pursuant to sections 24 and section 29 to the Data Commissioner, who is empowered to resolve the dispute Policy Building Block 5.8

Review and appeals Sections 40 through 42 provide for the generic process by which an appeal is accepted by the Data Commissioner, from the timeframe from the time of the decision in question in which the appeal should be lodged, through to the notification to the data controller that appeal has been lodged Sections 43 through 46 provide the general rubric through which the Data Commissioner may utilise alternative dispute resolution techniques in the resolution of the appeal Section 48 provides for the appeal of the decision of the Data Commissioner to the Courts

Part 7 Office of the Data Commissioner This Part consists of 23 sections and establishes the Office of the Data Commissioner the independent oversight essential to oversee compliance by the data controllers, in both the public and private sectors.

Office of the Data Commissioner Section 49 provides for the eligibility, appointment and removal of an independent Data Protection Commissioner in the same manner as and with similar criteria for eligibility a Parliamentary Commissioner or Ombudsman. Provides for appointment of temporary Commissioner Is there appropriate balance in the institutional positioning of the Commissioner? Policy Building Blocks 1.6, 3.3, 3.12

Office of the Data Commissioner Sections 50 through 54 establish the regulatory powers of the Office and entrenchment provisions associated with the office. Provisions explicitly outline the independence of the Office. Provides for tenure in office should there be provisions on remuneration as well? Policy Building Blocks 3.2, 3.4, 3.10 Sections 55 through 57 establish the functions of the Commissioner and empower him as a regulator for the purpose of carrying out his investigative and enforcement roles, and provides for the delegation of such powers to agents Policy Building Blocks 1.6, 3.5, 3.6

Office of the Data Commissioner Sections 58 through 59 establish a mechanism through which the Authority may request information pursuant to an investigation the information notice Policy Building Blocks 3.7 Section 60 obliges data controllers to reply truthfully to an information notice, while Section 61empowers the Commissioner to order the limitation of collection and processing activity in response to inadequate response to an information notice.

Office of the Data Commissioner Sections 62 through 66 establish the appropriate process by which the Commissioner may undertake an audit or investigation Provides for initiation of an investigation in response to a complaint, or on its own accord Includes powers, and limitations thereto, of search and seizure pursuant to a warrant Policy Building Blocks 3.8, 3.9 Sections 67 through 69 establish the mechanism and process by which the Commissioner may issue directions to data controllers deemed to operating in a manner not consistent with the Legislative text. Data controllers are herein obliged to respond or comply with instruction

Office of the Data Commissioner Sections 70 and 71 establish further logistical conditions within which the investigations should be held, and provides for, where a breach is deemed to have occurred the appropriate action of the Data Commissioner in the referral of the record to the appropriate person. Section 72 obliges the Data Commissioner to report on its activities to the Parliament, in line with Parliamentary best practice Policy Building Blocks 3.11

Part 8 Contravention and Enforcement This Part consists of 5 sections which outline the criminal offences associated with the breach of particular provisions of the Legislative text. Policy Building Blocks 5.10, 6.6 Section 73 defines the breach of section 9 as an offence, and outlines the different penalties associated with the offence where the breach is deemed to have occurred with personal information and sensitive personal information respectively. It is intended that the penalty for the breach of the latter information type will be more punitive

Contravention and Enforcement Section 74 defines breaches to any of the provisions from Section 10 through 16 and 21 as offences, and outlines the standard penalty associated with these offences Section 75 treats with the direct or indirect obstruction of authorised agents of the Data Commissioner in the exercise of their functions during an investigation and outlines the standard penalty associated with this offence.

Contravention and Enforcement Section 76 treats with persons who are deemed to abuse the rights conferred by Part 3. The offences created and the penalties outlined are to be disincentives to the vexatious abuse of these empowering provisions which would otherwise undermine the operational viability of the data controller, the Office of the Data Commissioner or both

Contravention and Enforcement Section 77 seeks to treat with persons who breach oaths of confidentiality entered into in undertaking functions within the Office of the Data Commissioner. This is geared to limit such occurrences and ensure the continued public trust in the Office Breaches to provisions which are not explicitly outlined either in this Part of other prevailing sections may be treated by the Courts under civil law. Policy Building Blocks 4.8, 5.10, 6.6

Part 9 Miscellaneous Section 78 provides protection for persons who, while within the employ of a data controller and becomes knowledgeable of actions by that party which run counter to the objectives of the text or the provisions therein, wilfully informs the relevant authority of such action. Section 79 provides a general enabling provision through which the relevant Minister may enact Regulations necessary to effect or elaborate on particular provisions throughout the Legislative text

Miscellaneous Section 80 clarifies the role of the Courts as the ultimate appellate forum where either party remains dissatisfied with outcome of any dispute resolution process undertaken by the Data Commissioner. This Section also reinforces the power of the Courts to impose civil penalties for breaches of the Law not deemed an offence by Part 8.

Suggested Points of deliberation Are there particular considerations with regard to the registration or notification of data controllers that should be addressed in Part 2? Can the particular obligations of public authorities outlined in Part 4 be strengthened to facilitate smoother interaction between the public authority and the Data Commissioner? Are there situations or circumstances that may warrant provision for special exemptions that are not outlined in Part 5? Are there contraventions that should also be considered as criminal offences that have been overlooked in Part 8?

Questions?

Thank You. Kwesi PRESCOD Prescod Associates & Co. PO Box 3228 Petit Valley TRINIDAD & TOBAGO Website: www.prescodassociates.com e mail: kwesiprescod@prescodassociates.com Tel: + 1 868 633 2951 Mobile: + 1 868 688 4380 Fax: + 1 868 632 3606 Special acknowledgement to Ms. Karen Stephen Dalton

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information