
Data Protection and Records Management






Presentation Transcript


  1. Data Protection and Records Management

  2. Key Responsibilities - Record Management • Keep Information Accurate • Disclose only if compatible with purpose for which given • Keep secure • Have a retention policy • Dispose and retain in line with retention policy

  3. 1. Accurate • Good business practice • Best achieved at point of collection • Ongoing requirement if intended to be used. • Ask the data subject if needed

  4. 2. Non-Disclosure • General rule – no disclosure for a different purpose • Exceptions made, to balance other interests of society • Stricter conditions for sensitive data • Main exceptions: investigation of crime; collection of taxes; security of the State; protect life & limb; required by law; international relations; consent

  5. 2. Non-Disclosure • The Data Controller should have a policy in place to determine how requests for data from third parties are handled. • This policy should be consulted by appropriate staff members

  6. 3. Keep secure • Internal access controls – physical and technical • Tracking of activity on files – to see if access was appropriate • Internet connectivity/networks – anti-virus software, firewalls, encryption • Access – need to know and relevant to purpose • Third-party interception

  7. 3. Keep secure • Accidental disclosure to third parties – PC in a public area, non-secure fax • External – robust encryption, online forms, technical measures • Audit trails, reviews, logs, unusual events • Manual files! • The individual is the biggest risk – NB: training
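The two "Keep secure" slides above call for tracking activity on files and reviewing audit trails for unusual events against a need-to-know rule. The following is an added example (not from the presentation) of what such a review can look like when the audit trail is machine-readable: it parses a constructed access log, checks each access against a constructed mapping of staff roles to the purposes that role may act for, and flags one user opening an unusual number of distinct records in a short window. The roles, purposes, log format and thresholds are all assumptions for illustration.

```python
"""Audit-trail review for a need-to-know access rule (added example, not the slides' own material)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy (assumption): purposes each role may access records for.
ROLE_PURPOSES = {
    "claims_handler": {"claims"},
    "payroll": {"payroll"},
    "internal_audit": {"claims", "payroll"},
}

# Constructed log lines (assumption): "timestamp|user|role|record_id|purpose".
SAMPLE_LOG = """\
2024-03-04T09:01:10|alice|claims_handler|REC-1001|claims
2024-03-04T09:05:42|bob|payroll|REC-2001|payroll
2024-03-04T09:07:03|alice|claims_handler|REC-2001|payroll
2024-03-04T10:00:00|carol|claims_handler|REC-1002|claims
2024-03-04T10:01:00|carol|claims_handler|REC-1003|claims
2024-03-04T10:02:00|carol|claims_handler|REC-1004|claims
2024-03-04T10:03:00|carol|claims_handler|REC-1005|claims
2024-03-04T10:04:00|carol|claims_handler|REC-1006|claims
2024-03-04T10:05:00|carol|claims_handler|REC-1007|claims
"""


def parse_log(text):
    """Parse the pipe-separated log; malformed lines are reported by number, never dropped silently."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split("|")
        if len(parts) != 5:
            bad.append(lineno)
            continue
        ts, user, role, record_id, purpose = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "record": record_id, "purpose": purpose})
    return events, bad


def purpose_violations(events, role_purposes=ROLE_PURPOSES):
    """Accesses whose stated purpose is not one the user's role may act for (unknown roles get nothing)."""
    return [e for e in events if e["purpose"] not in role_purposes.get(e["role"], set())]


def bulk_access(events, window=timedelta(hours=1), threshold=5):
    """Users who opened more than `threshold` distinct records inside any sliding `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["record"] for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review(text=SAMPLE_LOG):
    """Run both checks over the log and return the findings for a human reviewer."""
    events, bad = parse_log(text)
    return {
        "purpose_violations": [(e["user"], e["record"], e["purpose"])
                               for e in purpose_violations(events)],
        "bulk_access": bulk_access(events),
        "malformed_lines": bad,
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(finding, detail)
```

On the constructed log this reports alice opening a payroll record her role is not permitted to act for, and carol opening six distinct records within five minutes. Neither finding is proof of misuse; the point of the slides is that the activity is recorded and someone looks at it, and that a line that cannot be parsed is itself worth reporting rather than ignoring.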

  8. 4. Retention Policy • Legal obligations to hold data? • Customer files – do you need to hold all that data? • Personnel files – Revenue requirement? • Must have a policy thought through • Defend retention as necessary for purpose

  9. 4. Retention Policy – Public Bodies • Overlap between data protection rights of identifiable persons and obligation to keep data for passing to the National Archives in 30 years • Balance between rights of the person and public interest. • Option of Regulations under the DP Acts specifying the appropriate period that such records may be held

  10. 5. Follow Retention Policy • A method appropriate to each organisation to review files • Assign Responsibility • Reporting structure • Delete personal data that is outside terms of policy. • Keep a record of deletions
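Slides 8 to 10 describe the procedure: decide a retention period per kind of record, review files against it, delete what falls outside the policy, and keep a record of deletions. The following is an added example (not from the presentation) of that review in code, against a constructed schedule and constructed records. It also holds back any record whose file is the subject of an access request that has not yet been answered, since slide 12 says the right of access covers all records in existence when the request is received; treating that as a hold on deletion is an assumption of this example. The categories, periods, record fields and dates are all assumptions for illustration.

```python
"""Retention-policy review with a deletion record (added example, not the slides' own material)."""
from datetime import date

# Constructed schedule (assumption): years to retain after the file is closed, per category.
SCHEDULE = {"customer": 6, "personnel": 7, "marketing_consent": 2}

# Constructed records (assumption). `closed_on` is the date the file's purpose ended;
# `access_request_open` marks a subject access request received but not yet answered.
RECORDS = [
    {"id": "C-001", "category": "customer", "closed_on": date(2015, 6, 30), "access_request_open": False},
    {"id": "C-002", "category": "customer", "closed_on": date(2020, 1, 15), "access_request_open": False},
    {"id": "P-001", "category": "personnel", "closed_on": date(2014, 3, 1), "access_request_open": True},
    {"id": "M-001", "category": "marketing_consent", "closed_on": date(2021, 9, 9), "access_request_open": False},
    {"id": "X-001", "category": "unclassified", "closed_on": date(2010, 1, 1), "access_request_open": False},
]


def expiry(record, schedule=SCHEDULE):
    """Date after which the record is outside the policy, or None if its category has no rule."""
    years = schedule.get(record["category"])
    if years is None:
        return None
    closed = record["closed_on"]
    try:
        return closed.replace(year=closed.year + years)
    except ValueError:  # closed on 29 February: roll forward to 1 March
        return closed.replace(year=closed.year + years, month=3, day=1)


def review(records=RECORDS, schedule=SCHEDULE, today=date(2024, 3, 4)):
    """Sort records into delete / keep / hold (open access request) / unclassified (no rule yet)."""
    result = {"delete": [], "keep": [], "hold": [], "unclassified": []}
    for r in records:
        exp = expiry(r, schedule)
        if exp is None:
            result["unclassified"].append(r["id"])   # policy gap: assign a category, do not guess
        elif r["access_request_open"]:
            result["hold"].append(r["id"])           # answer the access request before deleting
        elif today > exp:
            result["delete"].append(r["id"])
        else:
            result["keep"].append(r["id"])
    return result


def deletion_log(records=RECORDS, schedule=SCHEDULE, today=date(2024, 3, 4)):
    """One entry per deletion: record id, category, rule applied, dates. No personal data is copied."""
    to_delete = set(review(records, schedule, today)["delete"])
    by_id = {r["id"]: r for r in records}
    return [
        {
            "record_id": rid,
            "category": by_id[rid]["category"],
            "rule": f"{schedule[by_id[rid]['category']]} years after closure",
            "expired_on": expiry(by_id[rid], schedule).isoformat(),
            "deleted_on": today.isoformat(),
        }
        for rid in sorted(to_delete)
    ]


if __name__ == "__main__":
    print(review())
    for entry in deletion_log():
        print(entry)
```

Two design points follow from the slides. A record in a category with no retention rule is reported as a policy gap rather than deleted or kept by default, because the organisation must be able to defend each retention as necessary for its purpose. And the deletion log records which file was deleted under which rule and when, but not the file's contents, so keeping the record of deletions does not itself become a way of retaining the personal data.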

  11. Key Information Points • Right of Access • Right of Correction/Erasure • Manual Data Exemption

  12. Right of Access • A fundamental right granted to individuals as a means of giving them control over how their data are processed – transparency • Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created

  13. Right of Access • Every person has the right to access their data held by any organisation, subject to the very limited exemptions outlined in Sections 4 & 5 of the Data Protection Acts • The Commissioner takes this right very seriously and is now using legal enforcement powers to enforce it

  14. Right of correction/erasure • Section 6 of the Act • Data Subject makes a written request • Personal data must be: • Corrected, if inaccurate; or • Deleted, if should not be held. • Data Controller has 40 days to respond • No fee

  15. Manual Data – Process Fairly One of these conditions is required: • Consent • Legal obligation • Contract with the individual • Necessary to protect vital interests • Necessary for a public function (Justice) • Necessary for ‘legitimate interests’

  16. Manual Data - Process Sensitive Data fairly One of these additional conditions is required • Explicit consent • Necessary under employment law • To prevent injury or protect vital interests • Process the data of members/clients of non-profit orgs. • Legal advice • For Medical Purposes • Statutory function
