Data Protection in a Workplace Context. Layout of Presentation Background to Data Protection Role of...
Data Protection in a Workplace Context
Layout of Presentation
• Background to Data Protection
• Role of Data Protection Commissioner
• Principles of Data Protection
• Key Responsibilities of Data Controllers
• Key points of information
Data Protection: Background
• Human Right to Privacy
• Unenumerated right under Irish Constitution
• Explicit right under European Convention on Human Rights (ECHR Act 2003)
• EU Data Protection Directives
EU & Irish Legislation
• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005
Definitions
• Data: includes automated and structured manual data
• Personal Data: data relating to a living identifiable individual
• Sensitive Personal Data (more protection): racial/ethnic origin; political opinions; religious/philosophical beliefs; trade union membership; health; sexual life; criminal record
Definitions
• Data Controller: a person who controls the contents and use of personal data
• Data Processor: a person who processes personal data on behalf of a data controller
Role of the Data Protection Commissioner
• Ombudsman Role: resolution of disputes between data subjects and data controllers or processors
• Enforcer Role: compliance by data controllers & processors
• Educational Role: promotes DP rights and good practice
• Registration Authority: obligation on major holders of personal data to be placed on public register
How does DPC fulfill role?
• Investigations/Audits: arising from complaints or on own initiative
• Maintains public register
• Codes of Practice
• Guidance booklets, website, presentations, advice, Annual Report
Penalties
• Fine of up to €100,000
• Court may order deletion
• Enforcement notice prohibiting processing
• Data subject could pursue civil action for damages under section 7 of the Act
The Data Protection Rules
1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access
Responsibilities on Data Controllers at the different stages
Beginning: Getting the Data
Middle: While you have the data
End: Disposing of data

• Inform and get consent
• Justification to process
• Respond to access requests
• Specify purpose
• Only gather what is required
• Keep accurate
• Keep secure and dispose securely
• Disclose only if compatible or allowable exception
• Have a retention policy
Key Responsibilities
• Keep information accurate
• Disclose only if compatible with purpose for which given
• Keep secure
• Have a retention policy
• Dispose and retain in line with retention policy
• Respond to requests for access/deletion
• Manual data requirements from 24 October 2007
1. Accurate
• Good business practice
• Best achieved at point of collection
• Ongoing requirement if intended to be used
• Ask the data subject if needed
2. Non-Disclosure
• General rule – no disclosure for different purpose
• Exceptions made, to balance other interests of society
• Stricter conditions for sensitive data
• Main exceptions: investigation of crime; collection of taxes; security of the State; protect life & limb; required by law; international relations; consent
2. Non-Disclosure
• The Data Controller should have a policy in place to determine how requests for data from third parties are handled
• This policy should be consulted by appropriate staff members
2. Non-Disclosure – Data Transfer
• Data Controller to Data Processor: must have contract in place; Data Controller remains responsible
• International Data Transfers: ‘white list’ countries; Model Contracts; Binding Corporate Rules; exceptions such as individual consent etc (avoid for regular transfers)
3. Keep secure
• Internal access controls – physical, technical
• Tracking of activity on files – to see if appropriate
• Internet connectivity/networks – anti-virus software/firewalls/encryption
• Access – need to know and relevant to purpose
• Third party interception
3. Keep secure
• Accidental disclosure to third parties, PC in public area, non-secure fax
• External – robust encryption, online forms, technical measures
• Audit trails, reviews, logs, unusual events
• Manual files!
• Individual is the biggest risk – NB training
4. Retention Policy
• Legal obligations to hold data?
• Customer files: do you need to hold all that data?
• Personnel files: Revenue requirement?
• Must have policy thought through; defend retention as necessary for purpose
5. Follow Retention Policy
• A method appropriate to each organisation to review files
• Assign responsibility
• Reporting structure
• Delete personal data that is outside terms of policy
• Keep a record of deletions
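An added example (not from the deck) of the review-and-delete step above: a periodic review that checks each file against a per-category retention period, keeps anything under an explicit legal obligation, refuses to auto-delete categories with no defined period, and writes a deletion record that holds identifiers and reasons only, never the personal data itself. The categories, periods, `Record` fields and sample register are constructed assumptions for illustration; the real periods come from the organisation's own documented policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per file category (constructed for this example;
# the real periods come from the organisation's own documented policy).
RETENTION_DAYS = {
    "customer_file": 2 * 365,
    "personnel_file": 6 * 365,
    "spent_disciplinary_notice": 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    reference_date: date      # when the retention clock starts (e.g. end of relationship)
    legal_hold: bool = False  # explicit legal obligation to keep overrides the policy


@dataclass(frozen=True)
class DeletionEntry:
    record_id: str
    category: str
    deleted_on: date
    reason: str


def review(records, today, policy=RETENTION_DAYS):
    """Sort records into delete / retain / no_policy lists of (record, reason).

    A category with no retention period is never deleted automatically: the
    policy gap is escalated first, since retention you cannot defend is itself a problem.
    """
    result = {"delete": [], "retain": [], "no_policy": []}
    for rec in records:
        days = policy.get(rec.category)
        if days is None:
            result["no_policy"].append((rec, "no retention period defined for category"))
            continue
        expiry = rec.reference_date + timedelta(days=days)
        if rec.legal_hold:
            result["retain"].append((rec, "legal obligation to retain"))
        elif expiry < today:
            result["delete"].append((rec, f"retention expired on {expiry.isoformat()}"))
        else:
            result["retain"].append((rec, f"within retention until {expiry.isoformat()}"))
    return result


def apply_deletions(store, review_result, today):
    """Delete flagged records from the store; return the deletion log (ids and reasons only)."""
    log = []
    for rec, reason in review_result["delete"]:
        if rec.record_id in store:
            del store[rec.record_id]
            log.append(DeletionEntry(rec.record_id, rec.category, today, reason))
    return log


def demo():
    """Constructed sample file register; returns (review outcome, deletion log, remaining ids)."""
    today = date(2024, 6, 1)
    records = [
        Record("c1", "customer_file", date(2021, 1, 1)),
        Record("c2", "customer_file", date(2023, 9, 1)),
        Record("p1", "personnel_file", date(2015, 1, 1)),
        Record("p2", "personnel_file", date(2015, 1, 1), legal_hold=True),
        Record("i1", "interview_notes", date(2020, 1, 1)),  # no policy defined
    ]
    store = {r.record_id: {"name": "[personal data]"} for r in records}
    outcome = review(records, today)
    log = apply_deletions(store, outcome, today)
    return outcome, log, sorted(store)
```

Running `demo()` deletes c1 and p1, keeps c2 (in period) and p2 (legal hold), and leaves i1 for a policy decision; the returned log is the "record of deletions" the slide calls for.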
6. Right of Access
• A fundamental right granted to individuals as a means of granting them control over how their data are processed – transparency
• Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
6. Right of Access
• Every person has the right to access their data held by any organisation, subject to very limited exemptions outlined in Sections 4 & 5 of the Data Protection Acts
• Standard maximum fee of €6.35. Must reply within 40 days or indicate reasons why it cannot comply
• Commissioner takes this right very seriously and is now using legal enforcement powers to enforce rights
6. Right of correction/erasure
• Section 6 of the Act
• Data Subject makes a written request
• Personal data must be: corrected, if inaccurate; or deleted, if it should not be held
• Data Controller has 40 days to respond
• No fee
7. Manual data
• Manual data on file in October 2003 has been exempt from some rules until 24 October 2007: section 2 (identity of Data Controller, purposes of processing, any disclosees), sections 2A (legitimate processing) and 2B (sensitive data) – see over
• All other provisions – including right of access and correction – apply already
7. Manual Data – Process Fairly
One of these conditions required:
• Consent
• Legal obligation
• Contract with individual
• Necessary to protect vital interests
• Necessary for a public function (Justice)
• Necessary for ‘legitimate interests’
7. Manual Data – Process Sensitive Data Fairly
One of these additional conditions is required:
• Explicit consent
• Necessary under employment law
• To prevent injury or protect vital interests
• Process the data of members/clients of non-profit orgs
• Legal advice
• For medical purposes
• Statutory function
Key Points of Information
• Workplace Monitoring
• Biometrics in the Workplace
• Internal Directories
• Monitoring outside of Workplace
• Interview/Exit Interview Notes
• References
• Access to appraisal forms
CCTV/Email/Internet monitoring
• Organisations have a legitimate interest to protect their business, reputation, resources and equipment
• Acceptable usage policy is key
• Make employees aware of monitoring
CCTV/Email/Internet monitoring (ctd)
• Access to any material being monitored needs to be strictly controlled
• Only access/disclose for uses indicated
• E.g. if CCTV is for security, it can only be accessed and disclosed for that purpose
Biometrics in the Workplace
• Proportionality
• Section 2(1)(c)(iii) states that data “shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed.”
• Assess the need for a system and evaluate the different types of system before introduction
Biometrics in the Workplace
What are the considerations:
• Environment. The nature of the workplace may require high levels of security.
• Purpose. Can the intended purpose be achieved in a less intrusive way?
• Efficiency. Ease of administration may necessitate the introduction of a system where other less invasive systems have failed, or proved to be prohibitively expensive to run.
• Reliability. A system may be justified as long as other less invasive ones have been assessed and reasonably rejected.
Monitoring outside of Workplace
• Same general principles apply
• Must be proportionate and not intrusive into privacy
• Employee should be aware that it could occur
• Right of access to material applies
Internal Directories
• A photograph is sensitive data
• Any proposal to have a corporate directory including photographs should be discussed with employees
• Explicit consent not as relevant in workplace
• Any requests from employees for the removal of images must be accepted
• Legitimate interest of employer?
• Inform all employees that photographs must not be used for any other purpose
Interview/Exit Interview Notes
• Must be relevant and necessary
• Accuracy. Relevance
• Opinion –v- Fact
• Available as part of an Access Request
• Third party details removed?
References
• References obtained may be provided to the person as part of the response to a subject access request, unless given in confidence. Even then, if the fundamental rights of the person take precedence, release
• Be able to stand over data
Access to appraisal forms
• Typically made available to staff as part of process
• Where not, staff likely to have a right of access
General points of advice
• Appropriate data retention policy in place in relation to spent disciplinary notices on file
• Be clear as to the basis on which an employee is referred to a doctor for consultation. Any resulting report should be made available to the employee and can only be used for the purpose indicated
General points of advice (ctd)
• Workplace accidents. Sometimes reports compiled by insurance companies seem to find their way back to the employer. What is the basis?
• Disciplinary proceedings including Labour Court etc: the person has a right of access to personal data
• Note boundaries of legal professional privilege. Must be genuinely legal advice, not just because it was written or amended by a legal person