Data Protection and the Health Sector
Data Protection: The Law
EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005
The Data Protection Rules (Directive 95/46 & Data Protection Acts)
1. Fair obtaining & processing
  • Consent
2. Specified purpose
3. No disclosure
  • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Definitions (1)
• Personal Data
  Any data relating to a living identifiable individual
• Data
  Automated data or structured manual data
• Manual Data
  Structured by reference to individuals in a way that makes data readily accessible
Definitions (2)
• Data Controller
  A person who controls the contents and use of personal data
• Data Processor
  A person who processes personal data on behalf of a data controller
Definitions (3)
• Data Subject
  An individual who is the subject of personal data
• Processing
  Anything done with personal data, from collection to disposal
Sensitive Data (special protection)
• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership
Using Sensitive Data
EXTRA conditions: S.2B (one only is needed)
1. explicit consent
2. necessary under employment law
3. non-profit body (political, philosophical, religious, trade-union) – its members / clients
4. necessary for medical purposes
(contd)
Using Sensitive Data
EXTRA conditions: (one only is needed)
5. necessary to protect vital interests
6. necessary for legal advice / legal claim
7. for electoral purposes
8. for substantial public interest
  1. as prescribed by Minister
Genetic Testing
• Disability Act 2005 (Part 4):
  • Informed consent of data subject required
  • Prohibited in relation to insurance policies, pensions, and mortgages
  • Subject to DPC prior approval in relation to employment
Electronic Communications (SI 535/2003)
• General DP Principles apply
• Telecom-specific:
  • ‘Cookies’ on PCs
  • Caller ID (phones)
  • Location Data (mobiles)
  • Directories
  • ‘SPAM’
  • Data Retention
  • ‘Cold Calling’ opt-out
North/South Bodies
• S 31, British-Irish Agreement Act, 1999:
  • Irish DPC responsible for Bodies established in Republic
  • UK Information Commissioner responsible for Bodies established in Northern Ireland
DP/FOI Access to Personal Information
• DP and FOI Acts reinforce one another in relation to personal access in the public sector
• Defending access to personal information as human (DP) and citizen (FOI) right
• 3rd Party Access restricted under both Acts
• FOI access to personal information should sometimes prevail in the public interest
Access right: DP v FOI
• FOI - Public Interest (s 28(5)(a)) when “on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld”
• Information Commissioner: Case No 99001 - “the protection of personal privacy afforded by s.28 exemption is intended to be a strong one”
DP and FOI
• A right conferred by the Data Protection Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.
• The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other (DP Act 2003)