Data Protection and the Health Sector

Transcript

Data Protection: Your Rights as a Data Subject

Data Protection: a Human Right
• Part of the Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society
• Not absolute: balanced against other necessary Rights in a Democratic Society (e.g. Freedom of Expression, Rights of Others)
• Right protected by the Irish Constitution and European Law
The Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Background
Data Protection Acts, 1988 & 2003
The Acts create:
• RIGHTS for individuals
• RESPONSIBILITIES for users of personal data

Rights and Obligations
• Rights of the “data subject” (= identifiable, living individual) to control the use of their “personal data”
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
Definitions (1)
• Personal Data
   Any data relating to a living, identifiable individual
• Data
   Automated data or structured manual data
• Manual Data
   Structured by reference to individuals in a way that makes the data readily accessible

Definitions (2)
• Data Controller
   A person who controls the contents and use of personal data
• Data Processor
   A person who processes personal data on behalf of a data controller

Definitions (3)
• Data Subject
   An individual who is the subject of personal data
• Processing
   Anything done with personal data, from collection to disposal
Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of an offence
• Trade Union membership
Rights of Individuals
• to fairness when giving information
• to get a copy of their personal information – includes both computer and certain manual files
• to have wrong information corrected
• to opt out of marketing – includes mail & phone
• to complain to the Data Protection Commissioner
Rule 1
Obtain & Process Fairly I
• Data controller must give full information about:
   identity
   purposes
   disclosees
   any other data necessary for “fairness”
• Third party data controllers:
   must contact the data subject to provide these details
   must give the name of the original data controller

Rule 1
Obtain & Process Fairly II
One of these conditions is required:
 Consent
 Legal obligation
 Contract with the individual
 Necessary to protect vital interests
 Necessary for a public function (Justice)
 Necessary for ‘legitimate interests’

Rule 1
Processing Sensitive Data
One of these additional conditions is required:
 Explicit consent
 Necessary under employment law
 To prevent injury or protect vital interests
 Processing the data of members/clients of non-profit organisations
 Legal advice
 For medical purposes
 Statutory function
Rule 2
Specified Purpose
• Part of the obligations when obtaining data is to specify the purpose
• Cannot expand the purpose without reverting to the individual

Rule 3
Disclose only if compatible
• General rule – no disclosure for a different purpose
• Exceptions made, to balance other interests of society
• Section 8 exceptions:
   Investigation of crime
   Collection of taxes
   Security of the State
   Protection of life & limb
   Law or court order
   Legal advice and legal proceedings
• No general “public interest” test
Rule 4
Keep Safe and Secure
Appropriate security measures:
• Appropriate to the harm that might result
• Appropriate to the nature of the data
• May have regard to the cost of implementation
• May have regard to the current state of technology
• Staff must know and comply with the measures
• Internal review of security measures – part of the Internal Audit function?

Rule 5
Accurate, Complete and Up-to-Date
• The longer personal data is held, the more likely it is to be inaccurate and out-of-date
• Right to have errors rectified (see later)

Rule 6
Relevant and not Excessive
• No right to ask for, or hold, information not relevant to the service etc. being provided
• Challenge: why do you need all this personal data?
Rule 7
Retain no longer than necessary
• Legal obligations to hold data?
• Customer files
   Do you need to hold all that data?
   Payment records might have one retention period
   Exam results might have a longer retention period
   Credit card details retained with consent
• Must have a policy thought through
   Defend retention as necessary for the purpose

Rule 8
Right of Access
• applies to manual as well as computer files
• data subjects are also entitled to know:
   the purposes for which data is processed
   the persons to whom data are disclosed
   the source of the data

Right of Access: Empowerment
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.
Scope of Access Request
• Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
• A copy of the information must be provided in permanent form unless the data subject agrees otherwise or this is impossible or involves disproportionate effort.

What must be disclosed in an access request
• Personal data held
• Purposes for processing the data
• Persons to whom data are disclosed
• The source of the data
   subject to confidentiality safeguards
• The logic involved in automated decisions

Access Request Procedure
• Shall be in writing
• Data Subject shall provide sufficient information to identify themselves
• Data Controller shall comply within 40 days
• May charge a fee of up to €6.35
Opinions
• Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding that it would be treated as confidential.
• References are not exempt in general
• High threshold required
• Work performance reports on colleagues are accessible
• Interview notes – accessible

Exempt from Access Requests
 Data relating to a claim of liability
 Data covered by legal privilege
 Data relating to a criminal investigation
 Certain research data
 Back-up data

Access: Exemptions (S.5)
• Right of Access does not apply if likely to prejudice:
   Preventing, detecting or investigating offences, apprehending or prosecuting offenders
   Security in a place of detention
• Other (international relations, privileged information etc.)
Right to correct/erase/block
• Section 6 of the Act
• Data Subject makes a written request
• Personal data must be:
   Corrected, if inaccurate; or
   Deleted, if it should not be held.
• Data Controller has 40 days to respond
• No fee

Right of erasure
• Doesn’t apply if you have a lawful purpose in retaining the data
   Such as auditing or accreditation purposes

Automated decisions
• Key decisions cannot be made solely on the basis of automated processing of personal data:
   creditworthiness
   work performance
   reliability
• Exceptions
   consent; legal necessity; contractual reasons

Right to object
Section 6A(1) allows the data subject to object to the processing of data that
(a) is “likely to cause substantial damage or distress to him or her, or to another person, and
(b) the damage or distress is or would be unwarranted”
DP/FOI Access to Personal Information
• DP and FOI Acts reinforce one another in relation to personal access in the public sector
• Defending access to personal information as a human (DP) and citizen (FOI) right
• Third-party access restricted under both Acts
• FOI access to personal information should sometimes prevail in the public interest

Right to opt out of direct marketing
• Data subject may opt out of a direct marketing database (e.g. a mailing list)
• Data controller must delete the data subject’s details (or stop using them for direct marketing)
• Data controller must reply within 40 days

Electronic Communications
• Right to “opt out” of all unsolicited direct marketing calls
   Ex-directory customers (and most mobiles) are automatically ‘opted out’
   If not ex-directory, contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list
   Unsolicited SMS and e-mail marketing is banned

Frequently Asked Questions
Can my employer monitor me?
• Yes, depending on the conditions of any in-house policy document.
• Employees should be made fully aware of office policy in relation to e-mail content and acceptable usage.
• Monitoring should be proportionate and not unduly intrusive.

Can monitoring occur without my consent?
• Where a criminal offence is being investigated, covert monitoring may be legitimate.
• Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.

Can I get a copy of my personnel file?
• You have a right to a copy of any records relating to you – including personnel files, assessments, evaluations and interview notes.
Note – this may be subject to restriction, for instance regarding statements of opinion or third-party information.
How can I check my credit rating?
• Contact the Irish Credit Bureau at 01 2600388 (www.icb.ie)
• Your credit rating can be checked by member institutions (banks, etc.) when you apply for credit.

How do I stop unwanted phone marketing?
• You should contact your telephone line provider – e.g. Eircom, BT – and ask to have your details included in the National Directory Database (the NDD) ‘opt-out list’
• After about one month, marketing calls from Ireland should cease.
• More info: www.askcomreg.ie and www.dataprotection.ie

How do I stop junk mail?
• You can write to the organisation sending the mail, instructing them to stop. They are obliged to comply.
• Or you can use the Mail Preference Service operated by the Irish Direct Marketing Association (www.idma.ie).
Further Guidance
• www.dataprotection.ie