Speed Data 2 - The birth of a customer database

Post on 21-Jan-2015


An Post & Data Ireland came together in January to host a breakfast event called ‘Speed Data’ - a 60-minute session that gave insight and practical know-how for Data Protection in Ireland. The event was a sell-out and the feedback was incredible. The inimitable Linda NiChualladh gave a highly energised 60-minute presentation with practical information for marketers. Due to the outstanding demand, we are delighted to host two more Speed Data sessions this year, with the most recent held on Wednesday 19 June.

Speed Data 2: The Birth of a Database

Over 150 marketers joined us at the Westbury Hotel for the second Speed Data Briefing to learn how to build a compliant database in just 60 minutes. In less than one hour, we covered:

• How to ensure any of your existing databases are fully compliant with data protection laws

• How to acquire new customer details in accordance with regulations

• How to use third party information, and ensure it too is compliant

• The state of play in Brussels concerning the new data protection laws

• The impact of data protection laws and how to prepare for coming changes

• A marketing focused analysis of the DPC’s 2012 Annual Report

Transcript of Speed Data 2 - The birth of a customer database

SPEED DATE all you need is love?

Linda NiChualladh

Regulatory Counsel

An Post Group

WARNING!!!!! DISCLAIMER!!!!!

The content of my presentation does not constitute legal advice nor does it purport to be legal advice.

The content of my presentation does not represent nor does it purport to represent in any way the views,

opinions or positions of An Post, its board, directors or staff.

Any mistakes, errors and/or ‘typos’ are my own, unless I can attribute them to someone else!

ALWAYS ENSURE YOU GET YOUR OWN INDEPENDENT LEGAL ADVICE SPECIFICALLY

TAILORED FOR YOUR COMPANY/BODY.

A LOVE STORY

Kind of.....

Fran’s Story

• Single. Wants to meet new people

• Fran gets information about other single people:

– “Personal” ad

– Business contacts

– Online contacts

– Contacts from friends etc

LESSONS: DATING AND DATA

• Not all that different:

– Partnership

– Connection

– Relationship

– Trust

– Authenticity

– Exclusivity

LESSONS

IT IS PERSONAL

IT IS BUSINESS

STOP LYING!

LESSON: THINK LIKE PEOPLE

• People think like people

• The DPC thinks like people

• PURPOSIVE APPROACH

– Aka ‘Surprise!’

FRAN’S NEW BUSINESS VENTURE

• Was in IT but was fired

• Watched a lot of Dragon’s Den while ‘analysing the employment market’ at home

• Was always creative

• Living ‘organically’ and now ethically

• Made soap and bath accessories

• Some medicinal/wellness claims

• The Natural Soapy Accessories Company

The Natural Soapy Accessories Company

Getting closer to you without you even noticing

Lessons learned.

• Fran looks at whether he needs to register as a data controller

• He gets to grips with the lingo:

– What is personal data

– What is a data subject

– What is a data controller

– What is a data processor

– Who will he be working with and what DP ‘title’ will they have?

– Does he have a privacy policy?

– Is worried about SARs ... But who wouldn’t be?!

• Did you do this amount of prep work?

Fran learned his lesson.......I hope

The five worst business database mistakes you can make -

By Frazer Hossack | Publication date: 30/01/2013 | Category: Tactics > B-to-b focus

1. Not keeping it clean… 35% decay rate annually

2. Not planning ahead… do you have enough leads? Is it a relaunch?

3. Not looking to improve… it probably is broke and it ain’t good not to fix it

4. Not picking the right man for the job… so why not let women do it right?!

5. Not choosing the right data specialist…

Source: http://www.catalog-biz.com/tactics/The-five-worst-business-database-mistakes-you-can-make_4019.asp

Lessons learned:

Do we need to bother about the data protection legislation? What impact could it have on us?

What does registering ('notifying') involve?

What are the penalties likely to be, if we haven't notified when we should have done?

How do the authorities decide who gets 'assessed'?

We hear there are scams involving notification. How can we tell if the correspondence we have received is genuine?

Someone working for one of our sub-contractors now wants copies of all the information we have in which his name appears. Do we have to provide it?

Some of our customer records are still held in paper form. Are they covered by the Data Protection Act?

Do we really have to get our customers to agree that we can send them marketing information?

Do we have to get our customers to agree if we want to sell our mailing lists or disclose customer details to third parties?

What do we have to do, if we want to use a third party to do payroll processing or direct mail marketing for us?

If we conduct our direct mail marketing through a foreign firm, what do we have to do to stay on the right side of the law?

If I take notes at a recruitment interview, can I be forced to show them to the interviewee?

Is there any problem over us monitoring our employees' use of office phones, internet access or email system?

Do we have to provide employees (or customers) with copies of the information we hold on them?

Do we have to provide former employees with copies of the references that we have given about them to third parties?

We are thinking of installing CCTV. Will we land ourselves with any data protection obligations if we do?

We have a problem with petty pilfering, of employees' belongings as well as stock, and want to install continuous CCTV. Will that cause us problems?

Do we need to tell customers if we operate a CCTV system?

We put up CCTV cameras to deter break-ins, and caught one of our staff stealing. Can we use the tapes for disciplinary or court proceedings?

What sort of penalties might we suffer for breaching the Data Protection Act?

Source: http://www.lawdonut.co.uk/law/data-protection-and-it/data-protection/data-protection-20-faqs

Lessons learned: Creating a database

• What does Fran have in ways of contacts?

– Agency/ third party suppliers

– Electoral roll – edited

– Publicly available information

– Anyone who has given him information

– Businesses who agree to work with him

• Can NSA contact these contacts?

– Consent

– Legal right

– Legitimate purpose?

• LET’S DO THE CHECK: WHERE’S THE CONSENT? CAN HE PROVE IT? LOOK AT HOW STRINGENT GERMAN DP LAWS ARE!

Beginning – Getting the Data

Middle – While you have the data

End – Disposing of data

Inform and get consent

Justification to process

Respond to access requests

Specify purpose

Only gather what is required

Keep accurate

Keep secure and dispose securely

Disclose only if compatible or allowable exception

Have a retention policy

Source: www.dataprotection.ie DPC website

Opt-in / opt-out matrix by contact type and channel:

Individual Customer

– Postal: Opt-Out

– Text/Email: Opt-Out (provided similar product or service)

– Phone Marketing to Landlines: Opt-Out

– Fax: Opt-Out

– Marketing to Mobile Phones: Opt-Out

Individual Non-Customer

– Postal: Opt-Out

– Text/Email: Opt-In

– Phone Marketing to Landlines: Opt-In if on NDD, Opt-Out otherwise

– Fax: Opt-In

– Marketing to Mobile Phones: Opt-In

Business Contacts (Customer & Non-Customer)

– Postal: Opt-Out

– Text/Email: Opt-Out

– Phone Marketing to Landlines: Opt-In if on NDD, Opt-Out otherwise

– Fax: Opt-In if on NDD, Opt-Out otherwise

– Marketing to Mobile Phones: Opt-In

Note (fragment): ...this option. For an electronic communication to a business, an option to unsubscribe must be included.

DON’T FORGET TO CHECK THE IDMA OPT-OUT LIST!
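The matrix above is a decision table, and the easiest way to keep a marketing database honest is to encode it once and run every send through it. The following Python is an added example, not code from the presentation or from An Post; it assumes NDD denotes a phone/fax opt-out register, that the IDMA opt-out list applies to postal marketing, that an explicit opt-out always wins, and the `Contact`/`Decision` types and field names are my own.

```python
from dataclasses import dataclass, field

# Regime for each cell of the opt-in/opt-out matrix on the slide (constructed encoding).
OPT_OUT, OPT_IN, OPT_OUT_SIMILAR, NDD = "opt-out", "opt-in", "opt-out-similar", "ndd"
MATRIX = {
    "individual_customer": {"postal": OPT_OUT, "text_email": OPT_OUT_SIMILAR,
                            "landline": OPT_OUT, "fax": OPT_OUT, "mobile": OPT_OUT},
    "individual_non_customer": {"postal": OPT_OUT, "text_email": OPT_IN,
                                "landline": NDD, "fax": OPT_IN, "mobile": OPT_IN},
    "business": {"postal": OPT_OUT, "text_email": OPT_OUT,
                 "landline": NDD, "fax": NDD, "mobile": OPT_IN},
}

@dataclass
class Contact:
    kind: str                      # one of the MATRIX keys
    opted_in: bool = False         # explicit consent recorded for this channel
    opted_out: bool = False        # explicit objection recorded for this channel
    on_ndd: bool = False           # assumed: listed on the NDD phone/fax opt-out register
    on_idma_list: bool = False     # assumed: listed on the IDMA postal opt-out list
    similar_product: bool = False  # offer concerns a product/service similar to their purchase

@dataclass
class Decision:
    permitted: bool
    reasons: list = field(default_factory=list)

def may_contact(c: Contact, channel: str) -> Decision:
    """Apply the matrix to one contact and channel; an explicit opt-out always wins (assumption)."""
    regime = MATRIX[c.kind][channel]
    d = Decision(permitted=False)
    if c.opted_out:
        d.reasons.append("explicit opt-out on file")
        return d
    if regime == NDD:  # phone/fax: NDD-listed numbers need opt-in, the rest are opt-out
        regime = OPT_IN if c.on_ndd else OPT_OUT
        d.reasons.append("on NDD" if c.on_ndd else "not on NDD")
    if regime == OPT_OUT_SIMILAR:  # existing customers by text/email: similar products only
        regime = OPT_OUT if c.similar_product else OPT_IN
        d.reasons.append("similar product" if c.similar_product else "not a similar product")
    if regime == OPT_IN and not c.opted_in:
        d.reasons.append("opt-in required but no consent recorded")
        return d
    if channel == "postal" and c.on_idma_list:
        d.reasons.append("on IDMA opt-out list")
        return d
    d.permitted = True
    if channel == "text_email" and c.kind == "business":  # slide's note on business e-comms
        d.reasons.append("must include an unsubscribe option")
    return d
```

The `reasons` list is what you keep alongside the send record, so that when the DPC asks "where's the consent?" the answer is already written down.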

Lessons learned: Creating a database

• Who does NSA need to contact?

– Businesses

• Marketing

• Cloud providers

• Retail partners

• Service providers

– Customers

• New

• Existing

• Can NSA contact these contacts?

– Consent

– Legal right

– Legitimate purpose?


Lessons learned – creating a database

• What channels for contact?

– Leaflet drop

– Posters

– Radio

– Postal

• Addressed

• Unaddressed

– Social Media

– Email

– SMS

• Not really direct advertising?

– Competitions

– Special offers through voucher/discount channels

– Surveys/questionnaires

– Sponsorship

– Trade shows

• New cool advertising

– Like addressed mail but not

– No issues with DP because it’s unique addressing


FRAN’S MANTRA: DPC = Data, Purpose, Consent

Fran even gets to grips with other regulatory laws/ codes

• Anything else I should consider?

– Are there regulatory rules that apply?

• Financial Products

• Consumer protection

– What is the nature of the contact?

• Health?

• Sensitive data?

External Contracts

• For your company to operate

– Procurement

– R&D

– Marketing

• For products/services you intend to offer for sale

– OUTSOURCING

– Hosting/cloud/IT

– Data management

• For customers

– What you will do with their information?

MANDATORY or VOLUNTARY

SECTORAL SPECIFIC RULES???

Nondisclosure Agreements

Confidentiality Agreements

Distribution Agreements

Supply Agreements

Licensing Agreements

Procurement Rules

IT Contracts

Hosting

Cloud

Support

BC/DR

User Agreements

Terms and Conditions

Policies

Statements

Receipts

Phone/online/hard-copy

Now understands contracts are in fact ‘biographies’

What type of clauses should I include?

• Definitions (recitals)

• Scope/Services - Obligations

– Usually more detailed in the schedules

• The promises - obligations

– Data protection standards

– Indemnity

– Insurance

– Cooperation with NRAs/ breach

• The checks

– Audit/ Inspection/ reporting/ certificates/registration

• The punishment

– Liability

– Litigation

– Alternative dispute resolution

• The odd bits

– Third party beneficiary

– Severability

– Choice of law and jurisdiction

• THE END

– Termination

• AFTER THE END

– Post-termination

– Indemnity

– Liability

Remember the story you are telling:

What we do

What we promise to do

What we won’t do

What responsibilities we have/haven’t got

What if it all goes wrong

Who can do what

IF YOU DO NOT UNDERSTAND THE CONTRACT, HOW WILL YOUR CUSTOMERS OR YOUR PARTNERS? THIS IS NOT JUST A LEGAL MATTER. THIS IS THE STORY OF HOW YOU DO BUSINESS


No more of this

• Promotion – Enter the competition to win SOMETHING AMAZING!!!!!!!!!!!!!!!!

– All you need to do is fill out the form with your details

– Terms and Conditions apply

– Please tick here if you want to receive AMAZING updates about more competitions and exciting stuff from us

– NSA – Address – Contact -

• What does this allow you to do?

• If they don’t opt out...........

BUT MORE OF THIS

– Enter the competition to win SOMETHING AMAZING!!!!!!!!!!!!!!!!

– All you need to do is fill out the form with your details

– Terms and Conditions apply

– We will use your details for the purpose of administering the promotion only

– Please

• Tick here if you don’t want to receive AMAZING updates about more competitions and exciting stuff by post from Lindy Luck

• Tick here if you don’t want to receive stuff from Lindy Luck’s partners by post

• Tick here if you want to receive stuff from Lindy Luck by email

• Tick here if you want to receive stuff from Lindy Luck by SMS

• Tick here if you want to receive stuff from Lindy Luck’s partners by email

• Tick here if you want to be contacted by Lindy Luck by telephone

• Tick here if you don’t want to be contacted by Lindy Luck’s partners by telephone

• CLICK HERE or go to www.lindyluck.ll if you want to opt-out/ change preferences at any time; alternatively you can contact us at 1580 REALLY EXPENSIVE CALL

• Any Problems?

WIN BACKS

• If you want to contact a former customer

– Check if they have agreed to post-term contact

• You can specify this: “we would like to contact you about new products and services during your time with us and after......Please tick etc etc”

– AND: Follow specific sectoral rules/ time-limits

• Telecommunications

• Financial services

– No post-term contact?

• Choose a method that doesn’t require opt-in

• What method would that be?

Fran became THE ‘Rules’ guy?

• Obtain and process the information fairly

• Keep it only for one or more specified and lawful purposes

• Process it only in ways compatible with the purposes for which it was given to you initially

• Keep it safe and secure

• Keep it accurate and up-to-date

• Ensure that it is adequate, relevant and not excessive

• Retain it no longer than is necessary for the specified purpose or purposes

• Give a copy of his/her personal data to any individual, on request.

Please please please please Mr. Postman

• “We have received several complaints concerning communications from NSA............... Under the DPA we are notifying you of the commencement of an investigation.......”

• Fran is shocked.

• What went wrong?

Complaints

• Addressed direct mail

– Letters destined for Mr. X at 1 Main St. were put into envelopes for 2 Main Street. The whole sequence was out of synch

– Some people found out that other people had eczema and dermatitis and used prescription-drugs

– Some people got advertising offers for other products that NSA liked but didn’t sell


Complaints

• Unnatural amount of text messages sent

• No consent for text messages

– Some sent by NSA

– Some sent by NSA’s service provider

• Other people being contacted by Consumer Information Authority (CIA) conducting research interviews

• Fruity Beauty Inks (FBI) also contacting customers – Fran has had on-going arguments with them. His former ‘friend’ who worked the market stall with them upped and left

• Emails about accounts with ‘NSA product placement’ on the account data

Complaints

• Credit card receipts found flying around local park

– Local authority also ‘doing’ him for illegal dumping

– He’s also being investigated for security breaches.

DPC 2012 Annual Report

Sharing personal data in the public sector

• “data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. ”

• Department of Social Protection INFOSYS database* : Full audit report carried out

• Audit “uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data”.

2011 - Breakdown of complaints opened by data protection issue

Issue                          Percentage   Total
Access Rights                  48%          562
Electronic Direct Marketing    22%          253
Disclosure                     10%          118
Unfair Processing of Data      6%           62
Unfair Obtaining of Data       4%           42
Use of CCTV Footage            3%           37
Failure to secure data         2%           25
Accuracy                       1%           14
Excessive Data Requested       1%           14
Unfair Retention of Data       1%           12
Postal Direct Marketing        1%           11
Other                          1%           11
TOTAL                          100%         1161

Source: Annual Report 2011 – DPC Website

DPC ANNUAL REPORT 2012 Complaints

Table 1 Breakdown of complaints opened 2012/by DP issue*

Issue                          Percentage   Total
Electronic Direct Marketing    44.93%       606
Access Rights                  32.77%       442
Disclosure                     7.86%        106
Unfair Processing of Data      2.59%        35
Unfair Obtaining of Data       0.96%        13
Use of CCTV Footage            2.37%        32
Failure to secure data         2.59%        35
Accuracy                       1.41%        19
Excessive Data Requested       1.78%        24
Unfair Retention of Data       1.26%        17
Postal Direct Marketing        0.74%        10
Other                          0.74%        10
TOTALS                         100.00%      1349