
DATA PROTECTION OFFICE
• TITLE: DATA PROTECTION IMPLICATIONS FOR THE PUBLIC SECTOR
• PRESENTED BY THE DATA PROTECTION COMMISSIONER (MRS DRUDEISHA C-MADHUB)
• DATA PROTECTION OFFICE
• DEFENCE AND HOME AFFAIRS DEPARTMENT
• PRIME MINISTER’S OFFICE
• TEL: 201 36 04
• EMAIL: dmadhub@mail.gov.mu, pmo-dpo@mail.gov.mu
• Website: http://dataprotection.gov.mu

3/12/2011                                        1
• Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age.
• Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties.

• Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information.
• In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.

• Defining Privacy
• Of all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information.
• Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs. The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."

• In the 1890s, United States Supreme Court Justice Louis Brandeis devised a concept of privacy as the individual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms in a democracy.
• Aspects of Privacy
• Privacy can be divided into the following separate but related concepts:

• Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records;
• Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches;

• Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication; and
• Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks.

• The Data Protection Act 2004 (DPA) gives individuals the right to know what information is held about them. It provides the legal framework to ensure that personal information is handled properly.
• The Eight Data Protection Principles, which may be termed the mantras of data protection, are as follows:

• Personal data shall be processed fairly and lawfully.
• The Commissioner takes the view that in assessing fairness, the first and paramount consideration must be given to the consequences of the processing to the interests of the data subject.

• This will include particular reference to whether any person from whom the personal data are obtained is deceived or misled as to the purpose or purposes for which the personal data are to be processed.
• This may also have a bearing on the validity of any consent given by the data subject to the processing, which in turn may remove the basis for processing which was being relied upon by the data controller.

• Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose:
• It is to be noted that the Commissioner takes a strict view of the concept of compatibility of processing of personal data.

• Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed:
• In complying with this Principle, data controllers should seek to identify the minimum amount of information that is required in order to properly fulfill their purpose, and this will be a question of fact in each case.
• If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases.

• It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used. This is to be distinguished from holding information in the case of a particular foreseeable contingency which may never occur, for example, where an employer holds details of blood groups of employees engaged in hazardous occupations.

• The data controller should consider for all personal data:
• the number of individuals on whom information is held;
• the number of individuals for whom it is used;
• the nature of the personal data;
• the length of time it is held;
• the way it was obtained;
• the possible consequences for individuals of the holding or erasure of the data;
• the way in which it is used;
• the purpose for which it is held.

• Personal data shall be accurate and, where necessary, kept up to date:
• Data are inaccurate if they are incorrect or misleading as to any matter of fact.
• A data controller will need to consider the following factors:
• Is there a record of when the data were recorded or last updated?

• Are all those involved with the data – including people to whom they are disclosed as well as employees of the data controller – aware that the data do not necessarily reflect the current position?
• Are steps taken to update the personal data – for example, by checking back at intervals with the original source or with the data subject? If so, how effective are these steps?
• Is the fact that the personal data are out of date likely to cause damage or distress to the data subject?

• Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes:
• Data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.
• If personal data have been recorded because of a relationship between the data controller and the data subject, the need to keep the information should be considered when the relationship ceases to exist.

• For example, the data subject may be an employee who has left the employment of the data controller. The end of the relationship will not necessarily cause the data controller to delete all the personal data.
• It may well be necessary to keep some of the information so that the data controller will be able to confirm details of the data subject’s employment for, say, the provision of references in the future, or to enable the employer to provide the relevant information in respect of the data subject’s pension arrangements.

• It may well be necessary in some cases to retain certain information to enable the data controller to defend legal claims which may be made in the future. unless there is some other reason for keeping them.
• Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act:
• The rights are elaborated in Part VI of the Act.

What is the aim of these rights?
Data protection rights help to ensure that the information stored about us is:
• factually correct;
• only available to those who should have it; and
• only used for stated purposes.

• Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data:
• The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are “appropriate”. These are as follows:

Taking into account the state of technological development at any time, the cost of implementing any measures, the special risks that exist in the processing of the data and the nature of the data concerned, the measures must ensure a level of security appropriate to:
(a) the harm that might result from a breach of security; and
(b) the nature of the data to be protected.

• With regard to the technical and organisational measures to be taken by data controllers, the EU Directive states that such measures should be taken “both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing.”
• Data controllers are, therefore, encouraged to consider the use of privacy enhancing techniques as part of their obligations under the Seventh Principle.

• Minimum security arrangements would normally include the following physical and technical safeguards:
• Physical safeguards: Access to computers should be restricted to authorised personnel only; premises should be alarmed and secure when not occupied.
• Technical safeguards: Access to computers is to be password-protected; each PC workstation is subject to a password-protected lock-out after a period of inactivity; anti-virus software is in use; a firewall is used to protect systems connected to the internet. Do passwords give access to all levels of the system, or only to those personal data with which that employee should be concerned?

• For sensitive data, it is recommended to use additional safeguards such as routine encryption of files and multi-level access control.
• It is clear from the above that there can be no standard set of security measures that is required for compliance with the Seventh Principle.

• The Commissioner’s view is that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data.
• The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate. Management and organisational measures are as important as technical ones.

• Standard risk assessment and risk management techniques involve identifying potential threats to the system, the vulnerability of the system to those threats and the counter-measures to put in place to reduce and manage the risk.
• In many cases, a simple consideration of these matters will be sufficient. On the other hand, there are well-established formal methodologies which will assist any data controller to assess and manage the security risks to the system.

• Some of the security controls that the data controller is likely to need to consider are set out below. (This is not a comprehensive list but is illustrative only.)
• Security management:
• Does the data controller have a security policy setting out management commitment to information security within the organisation?
• Is responsibility for the organisation’s security policy clearly placed on a particular person or department?
• Are sufficient resources and facilities made available to enable that responsibility to be fulfilled?

• Is there a procedure for cleaning media (such as tapes and disks) before they are reused, or are new data merely written over old? In the latter case, is there a possibility of the old data reaching somebody who is not authorised to receive it (e.g. as a result of the disposal of redundant equipment)?
• Is printed material disposed of securely, for example, by shredding?
• Is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?

• Is there a procedure covering the temporary removal of personal data from the data controller’s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances?
• Are responsibilities for security clearly defined between a data processor and its customers?

• Ensuring business continuity:
• Are the precautions against burglary, fire or natural disaster adequate?
• Is the system capable of checking that the data are valid and initiating the production of back-up copies? If so, is full use made of these facilities?
• Are back-up copies of all the data stored separately from the live files?
• Is there protection against corruption by viruses or other forms of intrusion?

• Staff selection and training:
• Is proper weight given to the discretion and integrity of staff when they are being considered for employment or promotion, or for a move to an area where they will have access to personal data?
• Are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date?
• Do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced?

• Does an employee found to be unreliable have his or her access to personal data withdrawn immediately?
• Are staff made aware that data should only be accessed for business purposes and not for their own private purposes?
• Detecting and dealing with breaches of security:
• Do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person?
• Are breaches of security properly investigated and remedied, particularly when damage or distress could be caused to an individual?

• Where the data controller is using the services of a data processor, he must ensure that the data processor is providing sufficient guarantees in respect of security and organisational measures.
• A data processor is also required to take all reasonable steps to ensure that any person employed by him is aware of and complies with relevant security measures.
• The written contract must provide that the data processor will act only on the instructions received from the data controller and that the data processor will be bound by the obligations devolving on the data controller.

• Further advice may be found in ISO/IEC Standard 27001 and ISO/IEC Standard 27002.
• It is important to note that the Seventh Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against any breaches of the Act, rather than just breaches of security.

Personal data shall not be transferred to another country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data:
• Under section 31 of the DPA, no data controller is allowed to transfer personal data to another country, except with the authorisation of the Commissioner.

• The word “transfer” is not defined in the DPA. The ordinary dictionary meaning of this word is transmission from one place, person, etc. to another. Transfer does not bear the same meaning as mere transit, which refers, for example, to data originating from Mauritius and routed through a server in Dubai on its way to Europe.
• Before making a transfer, a data controller must consider whether it is possible for it to achieve its objectives without processing personal data at all, and examine options such as anonymisation of such data.

• Derogations from the Eighth Principle, i.e. the circumstances in which a transfer may be effected to a non-adequate country:
• Where the data subject has given his consent for the transfer;
• or the transfer is necessary for the execution or intended execution of a contract between the data subject (or any other person acting at the request of the data subject or in the interest of the data subject) and the data controller;
• or is in the public interest, to safeguard public security or national security;
• or the transfer is made on such terms as may be approved by the Commissioner as ensuring adequate safeguards for the protection of the rights of the data subject;

The adequacy of the level of protection in a particular country as regards personal data is assessed by the Commissioner by taking into consideration the following principles:
• The nature of the personal data;
• The purpose and duration of the proposed processing;
• The country of origin and country of final destination;

• the rules of law applicable in that particular country;
• any relevant codes of conduct and security measures applicable in that country;
• Where the particular country does not have any of the above-mentioned legal principles, Model Clauses as approved by the EU for transfers outside Europe (which are recognised standard contractual clauses), safe harbor principles for transfers to the US, or binding corporate rules (i.e. internal codes of conduct operating within a multinational organisation for transfers outside Europe) may be considered as offering adequate safeguards by the Commissioner.
• It is therefore imperative, before any transfer of personal data is effected, that these criteria are borne in mind and applied.

What does processing, legally speaking, mean?
"processing" means any operation or set of operations which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes:
• collecting, organising or altering the data;
• retrieving, consulting, using, storing or adapting the data;
• disclosing the data by transmitting, disseminating or otherwise making it available; or
• aligning, combining, blocking, erasing or destroying the data.

• The definition in the Act is a compendious definition and it is difficult to envisage any action involving data which does not amount to processing within this definition.
• To ascertain whether processing is necessary in a particular circumstance as laid down in the DPA, namely sections 24 and 25, the Commissioner takes the view that data controllers will need to consider objectively whether:
• the purposes for which the data are being processed are valid,
• such purposes can only be achieved by the processing of personal data, and
• the processing is proportionate to the aim pursued.

• Data subject means “an individual who is the subject of personal data”. A data subject must be a living individual. Organisations, such as companies and other corporate and unincorporated bodies of persons, cannot, therefore, be data subjects.
• For the purpose of the DPA, the data controller is the person who processes personal information of individuals.

• Personal data is defined under the DPA as data, whether recorded electronically or otherwise, which relates to an identified or identifiable living individual, i.e. one whose identity is apparent or can reasonably be ascertained from the data.
• It is important not to look at the definition of personal data in isolation, as it is the Commissioner’s view that, for the scope of the definition to be understood properly, it should be considered in the context of the definitions of “data”, “data controller” and “data subject” in the Act.

• The definition of personal data in the Data Protection Act reads as follows:
• “personal data” means data which relates to (a living) individual who can be identified from those data, or data or other information, including an opinion forming part of a database, whether or not recorded in material form, about an individual whose identity is apparent or can reasonably be ascertained from the data, information or opinion.”

• A similar definition is contained in the EU Data Protection Directive (95/46/EC):
• “personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
• The definition is, deliberately, a very broad one. In principle, it covers any information that relates to an identifiable, living individual.

• In the Commissioner’s view, whether or not data relate to a particular individual will be a question of fact in each particular case. One element to be taken into account would be whether a data controller can form a connection between the data and the individual.
• Data do not have to relate solely to one individual, and the same set of data may relate to two or more people and still be personal data about each of them: for example, joint tenants of a property, holders of a joint bank account, or even individuals who use the same telephone or e-mail address.

• Names, addresses and e-mails are obvious identifiers. But information may also be compiled about a particular web user without any intention of linking it to a name and address or e-mail address.
• There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world.
• CCTV images and sounds are also personal data.

• The definition is also technology neutral. It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc.
• When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. We refer to organisations or individuals who control the contents and use of your personal details as ‘data controllers’.

• Can personal data be anonymised?
• Yes, by stripping those data of all personal identifiers.
• In anonymising personal data, the data controller will be processing such data and, in respect of such processing, will still need to comply with the provisions of the Act.

• The Commissioner recognises that the aim of anonymisation is to provide better data protection. However, true anonymisation may be difficult to achieve in practice. Nevertheless, the Commissioner would encourage that, where possible, information relating to a data subject which is not necessary for the particular processing being undertaken should be stripped from the personal data being processed.

Are you a data controller?
If you, as an individual or an organisation, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller. In practice, to establish whether or not you are a data controller, you should ask whether you decide what information is to be collected and stored, to what use it is put, and when it should be deleted or altered. A data controller must be a “person”, i.e. a legal person.
Because of the serious legal responsibilities attached to a data controller under the Act, you should seek the advice of the Commissioner if you have any doubts as to whether or not you are a data controller in any particular case.

Most of us give information about ourselves to groups such as government bodies, banks, insurance companies, medical professionals and telephone companies to use their services or meet certain conditions.
Organisations or individuals can also get information about us from other sources. Under data protection law, individuals thus have rights regarding the use of these personal details and data controllers have certain responsibilities in how they handle this information.

• Data controllers are the natural or legal persons who determine the purposes and the means of the processing of personal data, both in the public and in the private sector.
• A medical practitioner would usually be the controller of the data processed on his clients; a company would be the controller of the data processed on its clients and employees; a sports club would control the data processed on its members; and a public library controls the data processed on its users.

• Where the data controller is not established in Mauritius, he must nominate a representative who resides in Mauritius to carry out his data processing activities through an office in Mauritius.
• Each data controller must adhere to the Data Protection Act where he is established in Mauritius, and where he is not established in Mauritius but uses equipment in Mauritius for processing data, other than for the purposes of transit through Mauritius.

• What does sensitive personal data mean?
  • It means personal information of a data subject which consists of information as to his/her:
  • racial or ethnic origin;
  • political opinion or adherence;
  • religious belief or other belief of a similar nature;
  • membership to a trade union;
  • physical or mental health;
  • sexual preferences or practices;

  • the commission of an offence; or
  • any proceedings for an offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
• Can sensitive data be processed by a data controller?
  • No sensitive data can be processed without the consent of the data subject or where the latter has made the data public, subject to certain further exceptions as provided in the Act.

           DATA PROTECTION OFFICE
• How is an application made to the Data Protection Office for registration?
  – It must be made in writing to the Commissioner by filling in
    the registration form for data controllers, which contains the
    following information as required by the DPA:-
    – His/her name and address and that of his/her
      representative.
    – A description of the personal data being processed, the
      purpose for which it is being processed and the category
      and class of data subjects targeted and, where possible,
      their names.
    – A statement as to whether he/she holds sensitive
      personal data.
    – A description of the intended recipients to whom the data
      controller intends to disclose the personal data in his
      possession.
    – A description of the country to which the data controller
      intends to transfer the data, directly or indirectly.
• After the form is duly filled in and approved by the
  Commissioner and upon payment of the relevant
  fee, it will then be included in the public register,
  which will be available at the DPO for viewing by the
  public; a copy may also be made available on
  request upon the payment of a fee of Rs 100. A list
  of registered controllers is also available on the
  website.
• Remember to use a separate application form for
  each purpose for which you process personal data.
• Remember it is an offence not to register if you are a data
  controller!
• The Commissioner may refuse an application for registration
  where:-
  – she reasonably believes that the details supplied to her by the
    applicant are insufficient or simply not furnished; or
  – appropriate safeguards for the protection of the privacy of the
    data subjects have not been provided by the data controller; or
  – the applicant is not a fit and proper person.
• The Commissioner must, as soon as is reasonably practicable,
  notify the applicant in writing of the reasons for refusal and of
  the fact that he may appeal to the ICT Tribunal.

• What if the data controller supplies false information to the
  Commissioner?
  – It is an offence and the penalty is a fine not exceeding Rs 100,000
    and imprisonment not exceeding 2 years.

• For how long does the registration remain valid?
  – It remains valid for a period of one year and, if registration is not
    renewed, it will be cancelled.

• Is it an offence not to register or to renew registration?
  – Yes, the penalty is a fine not exceeding Rs 200,000 and imprisonment
    not exceeding 5 years.


• The types of personal data to be provided on
  the registration form may range from contact,
  financial, income, employment, medical and
  marital details to property owned,
  qualifications, amount of debt and transaction
  details.
• The purposes for their processing reflect
  the nature of the business being carried out.



• Any change in address is to be notified in
  writing to the Commissioner within 15 days of
  the change. Otherwise, it is an offence.
• You may also request the Commissioner to
  remove your name from where it is contained
  in the register, whenever you are no longer a
  data controller or data processor.
• An amendment has recently been brought to
  the DPA to require changes in particulars of
  the data controller to be notified in writing to
  the Commissioner within 14 days of the
  change.
• What can the Data Protection Office do when a
  data controller or a data processor contravenes
  the Data Protection Act?
  – Where the Commissioner finds that a data controller
    or a data processor is acting in violation of the Data
    Protection Act, she may serve an enforcement notice
    on the data controller or the data processor requiring
    him/her to take such steps, within the period of time
    specified in the notice (which must not be less than 21
    days), to remedy the matter and implement the
    measures recommended by the Commissioner in the
    enforcement notice.

• The data controller or the data processor must then
  notify the data subject of his compliance with the
  enforcement notice, not later than 21 days after such
  compliance.
• Is it an offence not to comply with the enforcement
  notice?
  – Yes. Any person who does not comply with the
    enforcement notice and does not have a reasonable
    excuse for not complying will commit an offence, the
    penalty of which will be a fine not exceeding Rs 50,000
    and imprisonment not exceeding 2 years.
• Under section 28 of the DPA, the data controller
  must notify the data processor holding data, the
  purpose for keeping which has lapsed, to destroy
  it as soon as is reasonably practicable.
• Under section 29 of the DPA, any data processor
  who, without lawful excuse, discloses personal data
  processed by him without the prior authority of
  the data controller shall commit an offence, the
  penalty of which is a fine not exceeding Rs 200,000
  and imprisonment for a term not exceeding 5
  years.
• What are the powers of the Commissioner?
  – to issue or approve codes of practice or guidelines;
  – create and maintain a register of all data controllers;
  – promote self-regulation among data controllers;
  – take such measures as may be necessary so as to bring to
    the knowledge of the general public the provisions of this
    Act;
  – undertake research into, and monitor developments in, data
    processing and information technology, including data
    matching and data linkage;
  – examine any proposal for data matching or data linkage that
    may involve an interference with, or may otherwise have
    adverse effects on, the privacy of individuals and ensure that
    any adverse effects of such proposal on the privacy of
    individuals are minimised;
  – do anything incidental or conducive to the attainment of the
    objects of, and to the better performance of his duties and
    functions under, this Act.

• What are the other powers of the Commissioner?
  – Where the Commissioner is of the view that the
    investigation reveals the commission of a criminal
    offence under the Data Protection Act, she can
    refer the matter to the Police.
  – The Commissioner can also request information
    from a person, by sending a notice, whenever it is
    required for the Commissioner to discharge her
    functions properly.

• The Commissioner can also carry out security checks,
  when she believes that the processing or transfer of data
  by a data controller will entail specific risks to the privacy
  rights of the data subjects, to assess the security
  measures taken by the data controller prior to the
  beginning of the processing or transfer.
• The Commissioner can also carry out periodical audits
  of the systems of data controllers to ensure compliance
  with the data protection principles.
• An officer of the Data Protection Office may at any time
  enter and search the premises where data processing
  activities are being carried on.

• Who can make a complaint to the Data
  Protection Office?
  – Any individual or organisation who feels that his
    privacy rights with regard to the processing of his
    personal data may have been affected.
• What does the Data Protection Office do when it
  receives a complaint?
  – It investigates the complaint, unless the complaint is
    frivolous, and as soon as possible notifies the
    complainant in writing of its decision.
• What can the complainant do if he/she is not
  satisfied with the outcome of the investigation?
  – The complainant may appeal to the Information and
    Communication Technologies (ICT) Tribunal if
    he/she is not satisfied with the decision reached by
    the Commissioner.




• Dealing with Subject Access Requests
• The key right for the individual is the right of access.
  Essentially this means that you, as data controller, have to
  supply to the individual the personal data that you hold if a
  valid request is made to you under Section 41 of the DPA.
• The data subject must fill in the request for access to
  personal data form available at the DPO and send it to you.
• The time limit for complying with an access request is 28
  days. In order to ensure your compliance with the time limit
  and your other access obligations, the following long-term
  organisational and procedural steps may be taken:


• Appoint a Data Protection Co-ordinator who will be
  responsible for the response to the access request. A
  description of the functions and responsibilities of the Co-
  ordinator should be circulated within the organisation and
  staff should be advised of the necessity for co-operation
  with the Co-ordinator.
• All subject access matters should be submitted to the Co-
  ordinator.
• Check the validity of the access request. Ensure that it is in
  writing and that the appropriate fee of Rs 75 is included.



• Check that sufficient material has been supplied to
  definitively identify the individual. This is most
  important, as a third party may provide false material
  to lodge a false access request.
• Check that sufficient information to locate the data
  has been supplied. If it is not clear what kind of data
  is being requested, you should ask the data subject for
  more information. This could involve identifying the
  databases, locations or files to be searched or giving a
  description of the interactions the individual has had
  with the organisation.
• Log the date of receipt of the valid request.

• When should I contact the Data Protection
  Commissioner?
• If you are not happy with how your details are being
  used, you should contact the organisation in
  question. If you believe that the organisation or
  individual is still not respecting your data protection
  rights, you should contact the Office of the Data
  Protection Commissioner for help.



ANY QUESTIONS OR COMMENTS?

THANK YOU