Transcript Document

DATA PROTECTION

DATA PROTECTION and Research

David Cauchi, Office of the Commissioner for Data Protection

University Research Ethics Committee – 30.05.2008

Data Protection Act

• General Provisions
• Processing for Research Purposes
• Procedure agreed with UREC

ORIGIN

Council of Europe – ETS 108 Convention on the protection of individuals with regard to automatic processing of personal data

Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Data Protection Act

CAP. 440

WHAT IS THE DATA PROTECTION ACT?

An Act that makes provision for the protection of individuals against the violation of their privacy rights by the processing of personal data.

Key Terms in Data Protection

PERSONAL DATA

“…any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;”

DPA Art. 2

SENSITIVE PERSONAL DATA

“…personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life;”

DPA Art. 2

PROCESSING

“…includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data”

DPA Art. 2

CONSENT

“…any freely given, specific and informed indication of the wishes of the data subject by which he signifies his agreement to personal data relating to him being processed”

DPA Art. 2

Criteria for Processing

CRITERIA FOR PROCESSING

PERSONAL DATA

DPA Article 9

1. Unambiguous consent or
2. Contract performance or
3. Legal obligation or
4. Vital interests of data subject or
5. Public Interest / Official Authority or
6. Legitimate interest

SENSITIVE PERSONAL DATA

DPA Articles 12 & 13

1. Explicit Consent
2. Subject made data public
3. Conditions of employment
4. Vital Interests & data subject incapable of giving consent
5. Legal claims

Data Protection Principles

THE NINE PRINCIPLES for ‘good information handling’

Personal Data to be:

1. processed fairly and lawfully
2. processed in accordance with good practice
3. collected for specific, explicitly stated & legitimate purposes
4. processed for reasons compatible with the purpose it was collected
5. adequate and relevant to the processing purpose
6. not more than required for the processing purpose
7. correct and, if necessary, up to date
8. rectified
9. not kept for longer than necessary for the processing purpose

DPA Art. 7

Rights of Data Subjects

RIGHTS OF DATA SUBJECTS (1)

INFORMATION TO DATA SUBJECT

The data subject should be informed of at least the following:

a) identity and habitual residence or principal place of business of controller;
b) purposes of processing;
c) any further information such as:
   i) recipients or categories of recipients of data
   ii) whether reply to any questions is obligatory or voluntary, and possible consequence of failure to reply
   iii) existence of right of access, right to rectify and where applicable right to erase data.

DPA Art. 19

RIGHTS OF DATA SUBJECTS (2)

RIGHT OF ACCESS

Request of Data Subject must be:

• at reasonable intervals
• in writing
• signed by data subject

Data Controller to provide:

• without excessive delay
• without expense
• written information in an intelligible form

DPA Art. 21

RIGHTS OF DATA SUBJECTS (3)

RECTIFICATION

The Data Subject may request rectification, blocking or erasure of his personal data.

If the request is justified, the Data Controller shall:

• rectify, block or erase such personal data accordingly.
• notify third parties about such an event, unless this involves a disproportionate effort.

DPA Art. 22

Security Measures

APPROPRIATE SAFEGUARDS

These include:

• Access controls to information, e.g. passwords, access rights/privileges, encryption etc.
• Physical Security safeguards, e.g. locking of file cabinets, computers, offices etc.
• Awareness

Processing For Research Purposes

DATA PROTECTION IN RESEARCH

THE DATA PROTECTION ACT APPLIES WHEN:

• Research is about individuals
• Research involves personal data
• Individuals are identifiable

PROCESSING CONCERNING RESEARCH

Sensitive Personal Data may be processed for Research Purposes:

• On Public Interest grounds
• With the approval of the Commissioner, on the advice of a Research Ethics Committee

DPA Art 16

PROCESSING CONCERNING RESEARCH

Specific Data Protection matters in research include:

• Personal and Sensitive Data
• Identifiable VS Anonymous Data
• Consent – When do I need consent??
• Dealing with children and vulnerable persons
• Retention of Data

DPA Art 16

CREATING THE RIGHT BALANCE BETWEEN:

• RIGHTS OF PRIVACY OF INDIVIDUAL
• NEED TO CARRY OUT RESEARCH

Procedure agreed with UREC

PROCEDURE (1)

RESEARCH INVOLVING SENSITIVE PERSONAL DATA

• Proposal Form for ethical approval is submitted by researcher
• Research Proposals are examined by the Faculty Research Ethics Committee and by the UREC
• Approval is given if proposals are satisfactory
• Approval from the UREC is deemed to be adequate advice for the approval by the Commissioner
• Researcher may proceed with the project once this is approved by the UREC

PROCEDURE (2)

• A list of approved projects is periodically forwarded to the Commissioner for final approval
• The UREC may always consult the Commissioner in case of problems with particular projects

OBJECTIVES

• Allow the researcher ample time to proceed with the study
• The Researcher is not required to obtain an approval directly from the Commissioner

PROPOSAL FORM

INCLUDES

• Data Protection Principles
• Rights of Data Subjects

OBJECTIVES

• Inform researchers and ensure that these principles and rights are respected

It is important that all faculties use the same form in order to provide the same conditions and information to students

FURTHER INFORMATION

Office of the Commissioner for Data Protection

E-Mail: [email protected]

Website: www.dataprotection.gov.mt

THANK YOU!

Floor is open for discussion
