DATA PROTECTION OFFICE

DATA PROTECTION OFFICE. TITLE:- DATA PROTECTION IMPLICATIONS FOR THE PUBLIC SECTOR PRESENTED BY THE DATA PROTECTION COMMISSIONER (MRS DRUDEISHA C-MADHUB) DATA PROTECTION OFFICE DEFENCE AND HOME AFFAIRS DEPARTMENT PRIME MINISTER’S OFFICE TEL:- 201 36 04

Presentation Transcript


  1. DATA PROTECTION OFFICE • TITLE:- DATA PROTECTION IMPLICATIONS FOR THE PUBLIC SECTOR • PRESENTED BY THE DATA PROTECTION COMMISSIONER (MRS DRUDEISHA C-MADHUB) • DATA PROTECTION OFFICE • DEFENCE AND HOME AFFAIRS DEPARTMENT • PRIME MINISTER’S OFFICE • TEL:-201 36 04 • EMAIL:- dmadhub@mail.gov.mu, pmo-dpo@mail.gov.mu • Website:- http://dataprotection.gov.mu

  2. DATA PROTECTION OFFICE • Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age. • Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties.

  3. DATA PROTECTION OFFICE • Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information. • In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.

  4. DATA PROTECTION OFFICE • Defining Privacy • Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information. • Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs. The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."

  5. DATA PROTECTION OFFICE • In the 1890s, United States Supreme Court Justice Louis Brandeis devised a concept of privacy as the individual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms in a democracy. • Aspects of Privacy • Privacy can be divided into the following separate but related concepts:

  6. DATA PROTECTION OFFICE • Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records; • Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches;

  7. DATA PROTECTION OFFICE • Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication; and • Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks.

  8. DATA PROTECTION OFFICE • The Data Protection Act 2004 (DPA) gives individuals the right to know what information is held about them. It provides the legal framework to ensure that personal information is handled properly. • The Eight Data Protection Principles which may be termed the mantras of data protection are as follows-

  9. DATA PROTECTION OFFICE • Personal data shall be processed fairly and lawfully. • The Commissioner takes the view that in assessing fairness, the first and paramount consideration must be given to the consequences of the processing to the interests of the data subject.

  10. DATA PROTECTION OFFICE • This will include particular reference to whether any person from whom the personal data are obtained is deceived or misled as to the purpose or purposes for which the personal data are to be processed. • This may also have a bearing on the validity of any consent given by the data subject to the processing, which in turn may remove the basis for processing which was being relied upon by the data controller.

  11. DATA PROTECTION OFFICE • Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose:- • It is to be noted that the Commissioner takes a strict view of the concept of compatibility of processing of personal data.

  12. DATA PROTECTION OFFICE • Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed:- • In complying with this Principle, data controllers should seek to identify the minimum amount of information that is required in order to properly fulfill their purpose and this will be a question of fact in each case. • If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases.

  13. DATA PROTECTION OFFICE • It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used. This is to be distinguished from holding information in the case of a particular foreseeable contingency which may never occur, for example, where an employer holds details of blood groups of employees engaged in hazardous occupations.

  14. DATA PROTECTION OFFICE • The data controller should consider for all personal data:- • the number of individuals on whom information is held; • the number of individuals for whom it is used; • the nature of the personal data; • the length of time it is held; • the way it was obtained; • the possible consequences for individuals of the holding or erasure of the data; • the way in which it is used; • the purpose for which it is held.

  15. DATA PROTECTION OFFICE • Personal data shall be accurate and, where necessary, kept up to date:- • Data are inaccurate if they are incorrect or misleading as to any matter of fact. • A data controller will need to consider the following factors:- • Is there a record of when the data were recorded or last updated?

  16. DATA PROTECTION OFFICE • Are all those involved with the data – including people to whom they are disclosed as well as employees of the data controller – aware that the data do not necessarily reflect the current position? • Are steps taken to update the personal data – for example, by checking back at intervals with the original source or with the data subject? If so, how effective are these steps? • Is the fact that the personal data are out of date likely to cause damage or distress to the data subject?

  17. DATA PROTECTION OFFICE • Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes:- • Data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes. • If personal data have been recorded because of a relationship between the data controller and the data subject, the need to keep the information should be considered when the relationship ceases to exist.

  18. DATA PROTECTION OFFICE • For example, the data subject may be an employee who has left the employment of the data controller. The end of the relationship will not necessarily cause the data controller to delete all the personal data. • It may well be necessary to keep some of the information so that the data controller will be able to confirm details of the data subject’s employment for, say, the provision of references in the future or to enable the employer to provide the relevant information in respect of the data subject’s pension arrangements.

  19. DATA PROTECTION OFFICE It may well be necessary in some cases to retain certain information to enable the data controller to defend legal claims, which may be made in the future. unless there is some other reason for keeping them. • Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act:- • The rights are elaborated in Part VI of the Act.

  20. DATA PROTECTION OFFICE • What is the aim of these rights? • Data protection rights help to ensure that the information stored about us is: • factually correct; • only available to those who should have it; and • only used for stated purposes.

  21. DATA PROTECTION OFFICE • Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data:- • The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are “appropriate”. These are as follows:-

  22. DATA PROTECTION OFFICE • Taking into account the state of technological development at any time, the cost of implementing any measures, the special risks that exist in the processing of the data and the nature of the data concerned, the measures must ensure a level of security appropriate to: • (a) the harm that might result from a breach of security; and • (b) the nature of the data to be protected.

  23. DATA PROTECTION OFFICE • With regard to the technical and organisational measures to be taken by data controllers, the EU Directive states that such measures should be taken “both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing.” • Data controllers are, therefore, encouraged to consider the use of privacy enhancing techniques as part of their obligations under the Seventh Principle.

  24. DATA PROTECTION OFFICE • Minimum security arrangements would normally include the following physical and technical safeguards:- • Physical safeguards- Access to computers should be restricted to authorised personnel only, premises alarmed and secure when not occupied. • Technical Safeguards- Access to computers to be password-protected, PC workstation is subject to password-protected lock-out after period of inactivity, anti-virus software is in use, a firewall is used to protect systems connected to the internet. Do passwords give access to all levels of the system or only to those personal data with which that employee should be concerned?

  25. DATA PROTECTION OFFICE • For sensitive data, it is recommended to use additional safeguards such as routine encryption of files and multi-level access control. • It is clear from the above that there can be no standard set of security measures that is required for compliance with the Seventh Principle.

  26. DATA PROTECTION OFFICE • The Commissioner’s view is that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data. • The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate. Management and organisational measures are as important as technical ones.

  28. DATA PROTECTION OFFICE • Standard risk assessment and risk management techniques involve identifying potential threats to the system, the vulnerability of the system to those threats and the counter-measures to put in place to reduce and manage the risk. • In many cases, a simple consideration of these matters will be sufficient. On the other hand, there are well-established formal methodologies which will assist any data controller to assess and manage the security risks to the system.

  29. DATA PROTECTION OFFICE • Some of the security controls that the data controller is likely to need to consider are set out below. (This is not a comprehensive list but is illustrative only.) • Security management: • Does the data controller have a security policy setting out management commitment to information security within the organisation? • Is responsibility for the organisation’s security policy clearly placed on a particular person or department? • Are sufficient resources and facilities made available to enable that responsibility to be fulfilled?

  30. DATA PROTECTION OFFICE • is there a procedure for cleaning media (such as tapes and disks) before they are reused or are new data merely written over old? In the latter case is there a possibility of the old data reaching somebody who is not authorised to receive it? (e.g. as a result of the disposal of redundant equipment). • is printed material disposed of securely, for example, by shredding? • is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?

  31. DATA PROTECTION OFFICE • is there a procedure covering the temporary removal of personal data from the data controller’s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances? • are responsibilities for security clearly defined between a data processor and its customers?

  32. DATA PROTECTION OFFICE • Ensuring business continuity: • are the precautions against burglary, fire or natural disaster adequate? • is the system capable of checking that the data are valid and initiating the production of back-up copies? If so, is full use made of these facilities? • are back-up copies of all the data stored separately from the live files? • is there protection against corruption by viruses or other forms of intrusion?

  33. DATA PROTECTION OFFICE • Staff selection and training: • is proper weight given to the discretion and integrity of staff when they are being considered for employment or promotion or for a move to an area where they will have access to personal data? • are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date? • do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced?

  34. DATA PROTECTION OFFICE • does an employee found to be unreliable have his or her access to personal data withdrawn immediately? • are staff made aware that data should only be accessed for business purposes and not for their own private purposes? • Detecting and dealing with breaches of security: • do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person? • are breaches of security properly investigated and remedied; particularly when damage or distress could be caused to an individual?

  35. DATA PROTECTION OFFICE • Where the data controller is using the services of a data processor, he must ensure that the data processor is providing sufficient guarantees in respect of security and organisational measures. • A data processor is also required to take all reasonable steps to ensure that any person employed by him is aware of and complies with relevant security measures. • The written contract must provide that the data processor will act only on the instructions received from the data controller and the data processor will be bound by the obligations devolving on the data controller.

  36. DATA PROTECTION OFFICE • Further advice may be found in ISO/IEC Standard 27001 and ISO/IEC Standard 27002. • It is important to note that the Seventh Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against any breaches of the Act rather than just breaches of security.

  37. DATA PROTECTION OFFICE • Personal data shall not be transferred to another country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data:- • Under section 31 of the DPA, no data controller is allowed to transfer personal data to another country, except with the authorisation of the Commissioner.

  38. DATA PROTECTION OFFICE • The word “transfer” is not defined in the DPA. The ordinary dictionary meaning of this word is transmission from one place, person, etc. to another. Transfer does not bear the same meaning as mere transit, which refers, for example, to data originating from Mauritius and routed through a server in Dubai on its way to Europe. • Before making a transfer, a data controller must consider whether it is possible for it to achieve its objectives without processing personal data at all and examine options such as anonymisation of such data.

  39. DATA PROTECTION OFFICE • Derogations from the Eighth Principle, i.e., the circumstances in which a transfer may be effected to a non-adequate country:- • Where the data subject has given his consent for the transfer; • or the transfer is necessary for the execution or intended execution of a contract between the data subject or any other person acting at the request of data subject or in the interest of the data subject and the data controller; • or is in the public interest, to safeguard public security or national security; • or the transfer is made on such terms as may be approved by the Commissioner as ensuring adequate safeguards for the protection of the rights of the data subject;

  40. DATA PROTECTION OFFICE • The adequacy of the level of protection in a particular country as regards personal data is assessed by the Commissioner by taking into consideration the following principles:- • The nature of the personal data; • The purpose and duration of the proposed processing; • The country of origin and country of final destination;

  41. DATA PROTECTION OFFICE • the rules of law applicable in that particular country; • any relevant codes of conduct and security measures applicable in that country; • Where the particular country does not have any of the above-mentioned legal principles, Model Clauses as approved by the EU for transfers outside Europe which are recognised standard contractual clauses, safe harbor principles for transfers to the US or binding corporate rules, i.e., internal codes of conduct operating within a multinational organisation for transfers outside Europe, may be considered as offering adequate safeguards by the Commissioner. • It is therefore imperative before any transfer of personal data is effected that these criteria are borne in mind and applied.

  42. DATA PROTECTION OFFICE • What does processing, legally speaking, mean? • "processing" means any operation or set of operations which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes - • collecting, organising or altering the data; • retrieving, consulting, using, storing or adapting the data; • disclosing the data by transmitting, disseminating or otherwise making it available; or • aligning, combining, blocking, erasing or destroying the data.

  43. DATA PROTECTION OFFICE • The definition in the Act is a compendious definition and it is difficult to envisage any action involving data which does not amount to processing within this definition. • To ascertain whether processing is necessary in a particular circumstance as laid down in the DPA namely sections 24 and 25, the Commissioner takes the view that data controllers will need to consider objectively whether: • the purposes for which the data are being processed are valid, • such purposes can only be achieved by the processing of personal data and, • the processing is proportionate to the aim pursued.

  44. DATA PROTECTION OFFICE • Data subject means “an individual who is the subject of personal data”. A data subject must be a living individual. Organisations, such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be data subjects. • For the purpose of the DPA, the data controller is the person who processes personal information of individuals.

  45. DATA PROTECTION OFFICE • Personal data is defined under the DPA as data, whether recorded electronically or otherwise, which relates to an identified or identifiable living individual, i.e., whose identity is apparent or can reasonably be ascertained from the data. • It is important not to look at the definition of personal data in isolation as it is the Commissioner’s view that for the scope of the definition to be understood properly, it should be considered in the context of the definitions of “data”, “data controller” and “data subject” in the Act.

  46. DATA PROTECTION OFFICE • The definition of personal data in the Data Protection Act reads as follows: • “personal data” means data which relates to (a living) individual who can be identified from those data or data or other information, including an opinion forming part of a database, whether or not recorded in material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.”

  47. DATA PROTECTION OFFICE A similar definition is contained in the EU Data Protection Directive (95/46/EC): “personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. • The definition is – deliberately – a very broad one. In principle, it covers any information that relates to an identifiable, living individual.

  48. DATA PROTECTION OFFICE • In the Commissioner’s view, whether or not data relate to a particular individual will be a question of fact in each particular case. One element to be taken into account would be whether a data controller can form a connection between the data and the individual. • Data do not have to relate solely to one individual and the same set of data may relate to two or more people and still be personal data about each of them. For example, joint tenants of a property or holders of a joint bank account or even individuals who use the same telephone or e-mail address.

  49. DATA PROTECTION OFFICE • Names, addresses, emails are obvious identifiers. But information may also be compiled about a particular web user without any intention of linking it to a name and address or e-mail address. • There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world. • CCTV images and sounds are also personal data.

  50. DATA PROTECTION OFFICE • The definition is also technology neutral. It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc. • When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. We refer to organisations or individuals who control the contents and use of your personal details as ‘data controllers’.
