INTRODUCTION TO DATA PROTECTION An overview of the Irish Data Protection legislation.
AGENDA
• Context
• The Legislation
• Definitions
• The Data Life Cycle
• The Data Subject Rights
• The Data Protection Commissioner
• Enforcement
WHY COMPLY WITH THE ACTS?
• ‘It’s the law of the land!’
• Protection of Brand
• Avoid risk to Reputation
• Protection of trust
  – Employees
  – Suppliers
  – Customers
• Enables good decision-making
• Makes good business sense
CONTEXT
• Social
• Technological
• Historical
• Commercial
DATA PROTECTION AND ‘THE BRAND’
IRISH DATA PROTECTION LEGISLATION
• Data Protection Act (1988)
  – Only for automated processing
  – Only for certain data management activities
• Data Protection (Amendment) Act (2003)
  – Applies to manual as well as electronic data
• Electronic Communications Regulations (2011)
  – Specifically for online/electronic marketing
DEFINED TERMS
• Automated data
• Manual data
• Relevant Filing System
• Personal data
• Sensitive Personal data
• Processing
CHARACTERS IN THE ACTS
• Data Subject
• Data Controller
• Data Processor
THE DATA PROTECTION RULES
The DP Characters
1. Acquire Fairly
2. Specified Purpose
3. Compatible Processing
4. Keep Safe
5. Keep Accurate
6. Adequate Processing
7. Retain / Destroy
8. Allow Access
RULE 1 – FAIRLY OBTAINING DATA
• Setting Data Subject Expectations
• The Fair Processing Notice
  – Verbal
  – Electronic
  – Graphic
• Lawful processing conditions
  – Section 2(a) – ‘Ordinary Data’
  – Section 2(b) – ‘Sensitive Personal Data’
• On-going fair processing
CONSENT / EXPLICIT CONSENT
• Should be…
  – Unambiguous
  – Freely given
  – Informed
  – An active indication
CONSENT FOR DIRECT MARKETING
• Default ‘opt out’
• Active ‘opt in’
• Indication of interest
• Prior purchase of product or service
• A reasonable expectation of interest
• Prior consent for calls to mobiles
• Identification and provision of contact details
• Message must include option to opt out
• Must use contact data at least once in a twelve-month period
LAWFUL USE OF DATA
• Rule 2 – Specific purpose or purposes
  – Consider minimum data requirements
• Rule 3 – Compatible processing
  – Only process in line with specified purpose(s)
• Rule 6 – Adequate, relevant, but not excessive use
  – Only process the minimum necessary to satisfy purpose
RULE 4 – KEEPING DATA SAFE
• Proportionality
• Acceptable use of available technology
• Applies equally to automated and manual data
• Importance of staff awareness
• Due diligence towards third parties
  – Contract must be in place!
  – Negotiation of contract clauses
RULE 5 – DATA ACCURACY
• “Data are inaccurate if they are incorrect or misleading as to any matter of fact”
• Data Controller obligation
• Frequency of checks
• Data quality criteria
  – Completeness
  – Consistency
  – Correct representation of reality
  – Fitness for Use
RULE 7 – DATA RETENTION AND DESTRUCTION
• Retention schedule
  – No specific guidelines within the legislation
  – UK National Archive guidelines
  – HIQA Recommendations
• Destruction policy
  – Constructive, verifiable method
• Rule applies equally to automated and manual data
RULE 8 – RIGHT OF ACCESS TO DATA
• Entitles the Data Subject to a copy of their own data
• Formal request process
  – Request in writing
  – Adequate identification
  – Payment of fee
• Controller’s Obligation to respond
• Opportunity to decline the request
• Exemptions
ROLE OF THE DP COMMISSIONER
• Helen Dixon – Irish DP Commissioner
• Role enshrined in the legislation
• Responsible for dissemination of legislation
• Interpretation of legislation in various circumstances
• Enforcement of lawful processing
• Investigation on request
• Prosecution in the event of a breach
DATA PROTECTION OFFICER (PROPOSED)
The Controller or Processor processing more than 5000 records must designate a Data Protection Officer ('DPO')
• Governance of organisation’s data management
• Drafting, deployment and compliance with data policies
• Influencing system and functional changes
• Being the ‘go to’ person for DP issues
• Currently an optional role within organisations
• May soon be mandatory in certain circumstances
ENFORCEMENT OF LEGISLATION
• ‘Triable either way’ legislation
• Summary Prosecution – capped at €3,000 / €5,000
• Indictment prosecution – capped at €100,000 / €250,000
• Formal notices
• Information
• Enforcement
• Prohibition
• Mandatory breach notification
• Reputational damage of a breach
• Cost of recovery of market share, good will, trust
SO WHY COMPLY WITH THE ACTS?
• ‘It’s the law of the land!’
• Protection of Brand
• Avoid risk to Reputation
• Protection of trust
  – Employees
  – Suppliers
  – Customers
• Enables good decision-making
• Makes good business sense
SYTORUS LTD. – WHO WE ARE
• Data Protection Consultancy
• Training
• Introductory
• DPO Certification
• Tailored to sector
• Data Management Assessments
• Interim Data Protection Officer
• Liaison with Office of the DP Commissioner
• Visit www.sytorus.com