Data Protection and the Health Sector

Transcript

Data Protection and the Voluntary Sector: Respecting the Rights of the Individual
Billy Hawkes
Data Protection Commissioner
Carmichael Centre
Dublin, 2 November 2010
Presentation Outline
• Why Data Protection?
• What are our Responsibilities?
• Data Protection Commissioner
• Good Practice
• Voluntary Sector: Some Issues
Data Protection: a Human Right
• Part of Right to Personal Privacy
• Personal Privacy: necessary in a Democratic Society (but not absolute)
• Data Protection: Fundamental Right under EU Law
• EU and Irish law on Data Protection
  – Data Protection Acts 2008 & 2003; Electronic Privacy Regulations 2003 & 2008
EU Charter of Fundamental Rights: Article 8
Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
The Data Protection Rules
1. Fair obtaining & processing
   – Consent
2. Specified purpose
3. No disclosure
   – unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Rights and Obligations
• Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”
  – Data Subject: volunteers, employees, customers/clients
  – Personal Data: anything that can be linked to a living individual (databases, lists, CCTV)
• Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“a person who processes personal data on behalf of a data controller”)
  – Usually a corporate entity, e.g. Charitable Organisation – NOT the individual employee or volunteer
Rights of Individuals
• to fairness when giving information
• to get a copy of their personal information – includes both computer and manual files
• to have wrong information corrected
• to opt out of marketing – includes mail & phone
• to complain to the Data Protection Commissioner
Rule 1: Obtain & Process Fairly
One of these conditions required:
• Consent (self or parent etc)
• Legal obligation
• Contract with individual
• Necessary to protect vital interests of individual
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’ of organisation or third party
  – Balance with rights of individual
Responsibilities on Organisations (Data Controllers) at the different stages

Beginning – Getting the Data
  – Inform and get consent
  – Justification to process
  – Specify purpose
  – Only gather what is required

Middle – While you have the data
  – Keep accurate
  – Respond to access requests
  – Disclose only if compatible or allowable exception
  – Keep secure and dispose securely

End – Disposing of data
  – Have a retention policy
Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership
Rule 4: Keep Safe and Secure
Appropriate security measures:
• Appropriate to the harm that might result
• Appropriate to the nature of the data
• May have regard to cost of implementation
• May have regard to the current state of technology
• Staff/volunteers must know and comply with measures
Data Protection Training
• Obligation on organisation to ensure staff are aware of data protection obligations.
Rule 7: Retain no longer than necessary
• Legal obligations to hold data?
• Customer/Client files
  – Do you need to hold all that data?
  – Customers? Volunteers? Supporters? Employees?
• Must have policy thought through
  – Defend retention as necessary for purpose.
Right of Access
• Every data subject has a right to request and receive a copy of ALL personal data in ALL forms relating to her/him (only) held by a data controller
• Maximum 40 days to respond
• Maximum charge of €6.35 (includes photocopying etc)
Right to opt out of direct marketing
• Data subject may opt out of direct marketing database (e.g. a mailing list)
• Data controller must delete the data subject’s details (or stop using them for direct marketing)
• Data controller must reply within 40 days
Electronic Marketing
• SMS and e-mail unsolicited marketing banned
• Phone Marketing banned if:
  – Customer on National Directory Database ‘opt-out’ list
  – Has specifically asked not to be contacted
• Non-compliance a criminal offence
Data Processors
• Agents and sub-contractors
• There must be a written contract in place
• Data Controller must take reasonable steps to ensure compliance with security measures
Role of Data Protection Commissioner (standard throughout EU)
• Enforcer Role: compliance by data controllers & processors
• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
• Educational Role: promotes DP rights and good practice
• Registration Authority: obligation on major holders of personal data to be placed on public register
How does (Irish) DPC fulfill its role?
• Investigations/Audits
  – Arising from complaints
  – On own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report
General Approach of DPC
• Strong emphasis on Education
• Supportive of compliant data controllers
• Alert to issues arising from Complaints
  – Emphasis on Right of Access
  – Addressing the “big picture”
• Target problem data controllers
  – Use full powers
• Work with other Regulators
Complaints 2009
• 914 formal complaints
• Many more enquiries dealt with informally
• Most resolved amicably

TYPE                 %
Direct Marketing*   30
Access Rights       29
Disclosure          17
Unfair Obtaining     5
Security             4
* Mainly electronic (SMS etc)
Good Practice: General
• Transparent and balanced approach to collecting and using personal data
• Build DP in early in systems and policy proposals
• People informed about data collection and use (privacy notices on websites etc)
• Consult DPC guidance (www.dataprotection.ie)
Good Practice: Audit
• Do we know what types of personal data we hold?
  – Electronically (also CCTV images)
  – Paper
• Can we justify:
  – Why we collect it?
  – What it is used for?
  – Length of time we hold it?
  – Who has access to it?
  – Who it is disclosed to?
Good Practice: Access & Correction Requests
• Can we:
  – Provide a description of the personal data we hold on an individual within a max. of 20 days?
  – Provide a copy of this data within a max. of 40 days?
  – Correct or erase data within 40 days?
Good Practice: Security
• Access Controls
  – Internal
  – External
  – Audit Trails
• Vulnerabilities
  – Portable Devices
• Passwords AND encryption
Good Practice: Disposal
• Do not retain personal data for any longer than can be objectively justified: clear policy
• Comply with legal retention obligations
• Orderly and secure disposal of old records
Good Practice: People
• Does everyone handling personal data know their responsibilities under Data Protection Law? Is this routinely included in training/induction?
• Are procedures for handling personal data properly documented?
• Are DP compliance responsibilities clearly allocated?
Good Practice: When things go wrong …
• Have a clear plan – what will you do if there is a security breach?
• Notify DPC and customers
  – Anticipate legislation
• Tell customers/clients how you intend to remedy any damage done to their interests
Who is the “Data Controller”?
• “A person who, either alone or with others, controls the contents and use of personal data”
• Voluntary Organisation, national umbrella-body
• Not the individual employee or volunteer
  – Organisation accountable for how it handles personal data
  – Organisation needs to demonstrate it is taking this responsibility seriously: training, security measures
Membership Information
• Only collect information you need
  – Explain how information will be used
  – Privacy Statement if via website
  – Extra care for sensitive information (e.g. health)
• Only for Organisation’s legitimate use
  – Any other use or disclosure (e.g. 3rd party marketing) normally needs consent
• OK if legal obligation (e.g. Revenue Commissioners)
• Use BCC for membership e-mails
• Delete/Update as necessary
Fund-Raising (1)
• Subject to rules governing Marketing
• Post: OK to (i) businesses (ii) current members/supporters (iii) other individuals where information from public source (e.g. Edited Electoral Register)
• Individuals have right to say STOP
Fund-Raising (2)
• Phone/Fax
  – ILLEGAL if individual or business on NDD (need to check) unless current member/supporter
  – ILLEGAL if individual or business has objected
Fund-Raising (3)
• E-Mail/SMS
  – OK to current members/supporters assuming they were provided with an opportunity to object to this use at the time their details were collected (message must still include STOP option)
  – OK to business (but must include STOP option)
  – Otherwise ILLEGAL
Help-Lines
• Recording/Monitoring
  – Need to justify and tell caller at beginning
• Noting Client Information
  – If for analysis/statistics, use general categories: anonymise
  – Avoid collecting identifying information unless follow-up essential – explain to caller
  – Do NOT seek PPSN
Data Security
• Responsibility of Organisation
• Law says level of security appropriate to the harm that might result from … loss etc and nature of the data
  – Higher security for e.g. financial and health data
• Try to avoid storage on home PCs
  – Danger of access by family etc members
  – Data should be encrypted
  – Option of secure central on-line database
Garda Vetting
• Sensitive data
• Done on basis of individual consent
• Limit retention of “raw” data
  – Remember the Garda will be retaining the data
Child & Vulnerable Adult Protection
• Duty to report suspected abuse to Garda, HSE
  – Does not require individual consent
  – “Need to know” basis within organisation
Further Guidance
• www.dataprotection.ie