DATA PROTECTION Wednesday, 8 October 2008 Friday, 10 October 2008 Monday, 13 October 2008 An Overview of Data Protection Legislation in Guernsey Jon Barclay, Advocate AO Hall Advocates

Guernsey Data Protection Legislation


Page 1: Guernsey Data Protection Legislation

DATA PROTECTION

Wednesday, 8 October 2008

Friday, 10 October 2008

Monday, 13 October 2008

An Overview of Data Protection Legislation in Guernsey

Jon Barclay, Advocate

AO Hall Advocates

Page 2: Guernsey Data Protection Legislation

Background: The EC Directive

● Sets out uniform standards for good data handling practice.

● Implemented in UK by Data Protection Act 1998.

● Not binding on Guernsey, but implemented here for business reasons.

● The Data Protection (Bailiwick of Guernsey) Law, 2001 is modelled on the 1998 Act.

● European Commission Decision of 21 November 2003: Guernsey has “adequate” data protection.

Page 3: Guernsey Data Protection Legislation

Main Features -

● Notification Requirements for Data Controllers

● Data Subject Rights

● Good Data Handling Practices

● Supervision and Enforcement Procedures

Guernsey’s Data Protection Law

Page 4: Guernsey Data Protection Legislation

Definitions

● “Data” – information stored or processed electronically, or manually if stored on a “relevant filing system”.

● “Relevant Filing System” – a set of information which is structured, either by reference to individuals or by reference to criteria related to individuals, in such a way that specific information relating to a particular individual is readily accessible.

Page 5: Guernsey Data Protection Legislation

Definitions continued…

● “Personal Data” – must relate to a living individual who can be identified from those data or from those data and other information which is in possession of the data controller.

● “Data Controller” – a person who determines the manner in which personal data is processed.

● “Data Processor” – any person other than an employee who holds data on behalf of the data controller.

Page 6: Guernsey Data Protection Legislation

Definitions continued…

● “Data Subject” – a living individual who is the subject of personal data.

● “Processing” – obtaining, recording or holding the data or information and carrying out any operation in relation to it.

● “Sensitive Personal Data” – personal data which consists of information about the subject’s racial or ethnic origin, political opinions, religious beliefs, trade union affiliation, physical or mental health, sex life, criminal activities or criminal record.

Page 7: Guernsey Data Protection Legislation

Scope

● All data controllers in the Bailiwick.

● All personal data.

● Foreign controllers who process data here.

● Focus on privacy.

● There is no Freedom of Information legislation in Guernsey.

Page 8: Guernsey Data Protection Legislation

Personal Data

● Email and other addresses

● Telephone subscriber details

● Credit record

● Banking details

● Employment references

● Criminal convictions

● Biometric data

● Medical data

● CCTV footage

● Records of personal telephone calls

● Recorded expressions of personal opinion

● etc

Page 9: Guernsey Data Protection Legislation

Notification Requirement

● Annual notification unless exempt

● Public register

● Transparency and openness

Page 10: Guernsey Data Protection Legislation

Notification Details

● Contact details

● General purposes of processing

● Types of data subject

● Types of data

● Potential recipients

● Other jurisdictions

● Security measures

Page 11: Guernsey Data Protection Legislation

Useful addresses

• www.dpr.gov.gg

• www.gov.gg

Page 12: Guernsey Data Protection Legislation

Data Subject Rights

● Subject access

● Rectification, blocking, erasure and destruction

● To prevent processing likely to cause distress

● To prevent processing for direct marketing purposes

● Compensation

● Automated decision-making

● Request for an assessment

Page 13: Guernsey Data Protection Legislation

Subject Access Requests

Individuals are entitled to request a data controller to provide them with -

● a description of any data which is being processed by reference to them

● a description of the purposes for which it is being processed

● a description of any potential recipients of the data

● information as to the source of the data

Page 14: Guernsey Data Protection Legislation

Exemptions

● Public Security

● Investigation of Crime

● Regulatory Activity

● etc

Page 15: Guernsey Data Protection Legislation

Conflict of Subject Rights and Controller Duties

• STRs

• Third party privacy

• etc

Page 16: Guernsey Data Protection Legislation

Automated Decision Making

• Significant?

Page 17: Guernsey Data Protection Legislation

Objections to Data Processing

• Damage or distress

• Direct Marketing – Preference Services

Page 18: Guernsey Data Protection Legislation

Other Rights

• Rectification, blocking, erasure and destruction

• Compensation

• Assessments

Page 19: Guernsey Data Protection Legislation

Data controllers: duty to follow good data handling practices

• All data controllers must observe the Data Protection Principles

• Even if exempt from notification

Page 20: Guernsey Data Protection Legislation

The Data Protection Principles

Personal data must be:

1. processed fairly and lawfully

2. obtained for specified and lawful purposes only

3. adequate, relevant and not excessive

4. accurate and kept up to date

5. kept for no longer than is necessary

6. processed in accordance with the rights of data subjects

7. kept secure

8. transferred to third countries only if they ensure an adequate level of data protection

Page 21: Guernsey Data Protection Legislation

First and Second Principles: “Lawful”?

● Breach of Privacy

● Hacking

● Breach of Confidentiality

● Rehabilitation of Offenders

● Theft

● Obtaining by Deception (“Blagging”)

● Unlawful Interception of Communications

Page 22: Guernsey Data Protection Legislation

First and Second Principles: “Fair”?

Consider:

● The method by which the data was obtained

● Statutory authority or requirement

● Informed consent

Also:

● Is a Schedule 2 condition met?

● Sensitive personal data: Is a Schedule 3 condition met?

Page 23: Guernsey Data Protection Legislation

Quality Standards

Third Principle: relevant, adequate and not excessive.

Fourth Principle: accurate and kept up to date.

Fifth Principle: kept for no longer than is necessary.

Page 24: Guernsey Data Protection Legislation

Sixth Principle: Data Subject Rights

● Subject access rights

● Privacy

● Security

Page 25: Guernsey Data Protection Legislation

Seventh Principle: Security

Security Measures –

● Passwords (which should be changed regularly)

● Careful location of computer screens

● Procedures to verify caller identity

● Clear, written data protection procedures

● Making breach of data protection procedures a disciplinary offence

● Use of encryption

● Other technical and operational measures

Page 26: Guernsey Data Protection Legislation

Eighth Principle: Data export

• EEA

• “Adequate” Countries

• Elsewhere

• Data Transfer Agreements

• Model Clauses

Page 27: Guernsey Data Protection Legislation

Enforcement Authorities

• The Commissioner

• The Police

• The Courts

Page 28: Guernsey Data Protection Legislation

The Data Protection Commissioner

● Role

● Enforcement Powers

● Requests for Assessment

Page 29: Guernsey Data Protection Legislation

Offences

• Failure to notify

• Unauthorised disclosure, selling or obtaining

• Failure to comply with a notice

• Blagging

• Unsolicited communications

• Enforced SARs

Page 30: Guernsey Data Protection Legislation

The Commissioner’s Role

• Promote good information handling practices

• Encourage respect for privacy

• Enforce the legislation

• Inform and direct policy

Page 31: Guernsey Data Protection Legislation

The Commissioner’s Powers

• Limited

• Enforcement notices

• Encouragement and Education rather than coercion

Page 32: Guernsey Data Protection Legislation

Requests for Assessment

• Unverified

• Verified

• Enforcement Notices

• Information Notices and Warrants
