Data Protection and the Voluntary Sector: Respecting the Rights of the Individual

Billy Hawkes, Data Protection Commissioner

Carmichael Centre, Dublin, 2 November 2010

Presentation Outline

• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues

Data Protection: a Human Right

• Part of the Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Data Protection: a Fundamental Right under EU Law
• EU and Irish law on Data Protection: Data Protection Acts 1988 & 2003; Electronic Privacy Regulations 2003 & 2008

EU Charter of Fundamental Rights: Article 8, Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

What are our Responsibilities?

The Data Protection Rules

1. Fair obtaining & processing (consent)
2. Specified purpose
3. No disclosure, unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access

Rights and Obligations

• Rights of the “data subject” (= identifiable, living individual) to control the use of their “personal data”
  Data Subject: volunteers, employees, customers/clients
  Personal Data: anything that can be linked to a living individual (databases, lists, CCTV)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
  Usually a corporate entity, e.g. a Charitable Organisation, NOT the individual employee or volunteer

Rights of Individuals

• to fairness when giving information
• to get a copy of their personal information (includes both computer and manual files)
• to have wrong information corrected
• to opt out of marketing (includes mail & phone)
• to complain to the Data Protection Commissioner

Rule 1: Obtain & Process Fairly

One of these conditions is required:
• Consent (self, or parent etc.)
• Legal obligation
• Contract with the individual
• Necessary to protect the vital interests of the individual
• Necessary for a public function (Justice)
• Necessary for the ‘legitimate interests’ of the organisation or a third party, balanced against the rights of the individual

Responsibilities on Organisations (Data Controllers) at the different stages

Beginning: getting the data
Middle: while you have the data
End: disposing of data

Responsibilities across these stages:
• Inform and get consent
• Justification to process
• Respond to access requests
• Specify purpose
• Only gather what is required
• Keep accurate
• Keep secure and dispose securely
• Disclose only if compatible or an allowable exception applies
• Have a retention policy

Sensitive Data (special protection)

• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of an offence
• Trade Union membership

Rule 4: Keep Safe and Secure

Appropriate security measures:
• Appropriate to the harm that might result
• Appropriate to the nature of the data
• May have regard to the cost of implementation
• May have regard to the current state of technology
• Staff/volunteers must know and comply with the measures

Data Protection Training

• Obligation on the organisation to ensure staff are aware of their data protection obligations, through training

Rule 7: Retain no longer than necessary

• Legal obligations to hold data?
• Customer/Client files: do you need to hold all that data? Customers? Volunteers? Supporters? Employees?
• Must have a thought-through policy: be able to defend retention as necessary for the purpose

Right of Access

• Every data subject has a right to request and receive a copy of ALL personal data in ALL forms relating to her/him (only) held by a data controller
• Maximum 40 days to respond
• Maximum charge of €6.35 (includes photocopying etc.)

Right to opt out of direct marketing

• Data subject may opt out of a direct marketing database (e.g. a mailing list)
• Data controller must delete the data subject’s details (or stop using them for direct marketing)
• Data controller must reply within 40 days

Electronic Marketing

• SMS and e-mail unsolicited marketing banned
• Phone Marketing banned if:
  Customer is on the National Directory Database (NDD) ‘opt-out’ list
  Customer has specifically asked not to be contacted
• Non-compliance is a criminal offence

Data Processors

• Agents and sub-contractors
• There must be a written contract in place
• Data Controller must take reasonable steps to ensure compliance with security measures

Data Protection Commissioner

Role of Data Protection Commissioner (standard throughout the EU)

• Enforcer Role: compliance by data controllers & processors
• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
• Educational Role: promotes DP rights and good practice
• Registration Authority: obligation on major holders of personal data to be placed on a public register

How does the (Irish) DPC fulfil its role?

• Investigations/Audits
  Arising from complaints
  On own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report

General Approach of DPC

• Strong emphasis on Education
• Supportive of compliant data controllers
• Alert to issues arising from Complaints
  Emphasis on Right of Access
  Addressing the “big picture”
• Target problem data controllers: use full powers
• Work with other Regulators

Complaints 2009

• 914 formal complaints
• Many more enquiries dealt with informally
• Most resolved amicably

Type                | %
--------------------|----
Direct Marketing*   | 30
Access Rights       | 29
Disclosure          | 17
Unfair Obtaining    |  5
Security            |  4

* Mainly electronic (SMS etc.)

Good Practice

Good Practice: General

• Transparent and balanced approach to collecting and using personal data
• Build DP in early in systems and policy proposals
• People informed about data collection and use (privacy notices on websites etc.)
• Consult DPC guidance (www.dataprotection.ie)

Good Practice: Audit

• Do we know what types of personal data we hold?
  Electronically (also CCTV images)
  Paper
• Can we justify:
  Why we collect it?
  What it is used for?
  Length of time we hold it?
  Who has access to it?
  Who it is disclosed to?

Good Practice: Access & Correction Requests

• Can we:
  Provide a description of the personal data we hold on an individual within a max. of 20 days?
  Provide a copy of this data within a max. of 40 days?
  Correct or erase data within 40 days?

Good Practice: Security

• Access Controls
  Internal
  External
  Audit Trails
• Vulnerabilities: Portable Devices
• Passwords AND encryption

Good Practice: Disposal

• Do not retain personal data for any longer than can be objectively justified: clear policy
• Comply with legal retention obligations
• Orderly and secure disposal of old records

Good Practice: People

• Does everyone handling personal data know their responsibilities under Data Protection Law? Is this routinely included in training/induction?
• Are procedures for handling personal data properly documented?
• Are DP compliance responsibilities clearly allocated?

Good Practice: When things go wrong …

• Have a clear plan: what will you do if there is a security breach?
• Notify DPC and customers (anticipate legislation)
• Tell customers/clients how you intend to remedy any damage done to their interests

Voluntary Sector: Some Issues

Who is the “Data Controller”?

• “A person who, either alone or with others, controls the contents and use of personal data”
• Voluntary Organisation, national umbrella-body
• Not the individual employee or volunteer
  Organisation is accountable for how it handles personal data
  Organisation needs to demonstrate it is taking this responsibility seriously: training, security measures

Membership Information

• Only collect information you need
  Explain how information will be used
  Privacy Statement if via website
  Extra care for sensitive information (e.g. health)
• Only for the Organisation’s legitimate use
  Any other use or disclosure (e.g. 3rd party marketing) normally needs consent
• OK if legal obligation (e.g. Revenue Commissioners)
• Use BCC for membership e-mails
• Delete/Update as necessary

Fund-Raising (1)

• Subject to rules governing Marketing
• Post: OK to (i) businesses, (ii) current members/supporters, (iii) other individuals where information is from a public source (e.g. Edited Electoral Register)
• Individuals have the right to say STOP

Fund-Raising (2)

• Phone/Fax
  ILLEGAL if individual or business is on the NDD (need to check), unless a current member/supporter
  ILLEGAL if individual or business has objected

Fund-Raising (3)

• E-Mail/SMS
  OK to current members/supporters, assuming they were given an opportunity to object to this use at the time their details were collected (message must still include a STOP option)
  OK to businesses (but must include a STOP option)
  Otherwise ILLEGAL

Help-Lines

• Recording/Monitoring
  Need to justify, and tell the caller at the beginning
• Noting Client Information
  If for analysis/statistics, use general categories: anonymise
  Avoid collecting identifying information unless follow-up is essential; explain to the caller
  Do NOT seek the PPSN (Personal Public Service Number)

Data Security

• Responsibility of the Organisation
• Law says the level of security must be appropriate to the harm that might result from loss etc. and to the nature of the data
  Higher security for e.g. financial and health data
• Try to avoid storage on home PCs
  Danger of access by family etc. members
  Data should be encrypted
  Option of a secure central on-line database

Garda Vetting

• Sensitive data
• Done on the basis of individual consent
• Limit retention of “raw” data; remember the Garda will be retaining the data

Child & Vulnerable Adult Protection

• Duty to report suspected abuse to Garda, HSE
  Does not require individual consent
  “Need to know” basis within the organisation

Further Guidance

• www.dataprotection.ie