• TITLE:- DATA PROTECTION IMPLICATIONS FOR THE PUBLIC SECTOR

• PRESENTED BY THE DATA PROTECTION COMMISSIONER (MRS DRUDEISHA C-MADHUB)

• DATA PROTECTION OFFICE• DEFENCE AND HOME AFFAIRS DEPARTMENT• PRIME MINISTER’S OFFICE• TEL:- 201 36 04• EMAIL:- dmadhub@mail.gov.mu,

pmo-dpo@mail.gov.mu• Website:- http://dataprotection.gov.mu

04/21/23 1

• Privacy is a fundamental human right. It underpins human dignity and other values such as freedom of association and freedom of speech. It has become one of the most important human rights of the modern age.

• Privacy is recognized around the world in diverse regions and cultures. It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights treaties.

04/21/23 2

• Nearly every country in the world includes a right of privacy in its constitution. At a minimum, these provisions include rights of inviolability of the home and secrecy of communications. Most recently written constitutions include specific rights to access and control one's personal information.

• In many of the countries where privacy is not explicitly recognized in the constitution, the courts have found that right in other provisions. In many countries, international agreements that recognize privacy rights such as the International Covenant on Civil and Political Rights or the European Convention on Human Rights have been adopted into law.

04/21/23 3

• Defining Privacy• Of all the human rights in the international catalogue, privacy

is perhaps the most difficult to define. Definitions of privacy vary widely according to context and environment. In many countries, the concept has been fused with data protection, which interprets privacy in terms of management of personal information.

• Outside this rather strict context, privacy protection is frequently seen as a way of drawing the line at how far society can intrude into a person's affairs. The lack of a single definition should not imply that the issue lacks importance. As one writer observed, "in one sense, all human rights are aspects of the right to privacy."

04/21/23 4

• In the 1890s, United States Supreme Court Justice Louis Brandeis devised a concept of privacy as the individual's "right to be left alone." Brandeis argued that privacy was the most cherished of freedoms in a democracy.

• Aspects of Privacy• Privacy can be divided into the following separate

but related concepts:

04/21/23 5

• Information privacy, which involves the establishment of rules governing the collection and handling of personal data such as credit information, and medical and government records;

• Bodily privacy, which concerns the protection of people's physical selves against invasive procedures such as genetic tests, drug testing and cavity searches;

04/21/23 6

• Privacy of communications, which covers the security and privacy of mail, telephones, e-mail and other forms of communication; and

• Territorial privacy, which concerns the setting of limits on intrusion into the domestic and other environments such as the workplace or public space. This includes searches, video surveillance and ID checks.

04/21/23 7

The Data Protection Act 2004 (DPA) gives individuals the right to know what information is held about them. It provides the legal framework to ensure that personal information is handled properly.

The Eight Data Protection Principles which may be termed the mantras of data protection are as follows-

04/21/23 8

• Personal data shall be processed fairly and lawfully.

• The Commissioner takes the view that in assessing fairness, the first and paramount consideration must be given to the consequences of the processing to the interests of the data subject.

04/21/23 9

• This will include particular reference to whether any person from whom the personal data are obtained is deceived or misled as to the purpose or purposes for which the personal data are to be processed.

• This may also have a bearing on the validity of any consent given by the data subject to the processing, which in turn may remove the basis for processing which was being relied upon by the data controller.

04/21/23 10

Personal data shall be obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose:-

It is to be noted that the Commissioner takes a strict view of the concept of compatibility of processing of personal data.

04/21/23 11

Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed:-

In complying with this Principle, data controllers should seek to identify the minimum amount of information that is required in order to properly fulfill their purpose and this will be a question of fact in each case.

If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases.

04/21/23 12

• It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used. This is to be distinguished from holding information in the case of a particular foreseeable contingency which may never occur, for example, where an employer holds details of blood groups of employees engaged in hazardous occupations.

04/21/23 13

• The data controller should consider for all personal data:- • the number of individuals on whom information is held; • the number of individuals for whom it is used; • the nature of the personal data; • the length of time it is held; • the way it was obtained; • the possible consequences for individuals of the holding or

erasure of the data; • the way in which it is used; • the purpose for which it is held.

04/21/23 14

Personal data shall be accurate and, where necessary, kept up to date:-

• Data are inaccurate if they are incorrect or misleading as to any matter of fact.

• A data controller will need to consider the following factors:-

• Is there a record of when the data were recorded or last updated?

04/21/23 15

• Are all those involved with the data – including people to whom they are disclosed as well as employees of the data controller – aware that the data do not necessarily reflect the current position?

• Are steps taken to update the personal data – for example, by checking back at intervals with the original source or with the data subject? If so, how effective are these steps?

• Is the fact that the personal data are out of date likely to cause damage or distress to the data subject?

04/21/23 16

Personal data processed for any purpose shall not be kept longer than is necessary for that purpose or those purposes:-

Data controllers will need to review their personal data regularly and to delete the information which is no longer required for their purposes.

If personal data have been recorded because of a relationship between the data controller and the data subject, the need to keep the information should be considered when the relationship ceases to exist.

04/21/23 17

• For example, the data subject may be an employee who has left the employment of the data controller. The end of the relationship will not necessarily cause the data controller to delete all the personal data.

• It may well be necessary to keep some of the information so that the data controller will be able to confirm details of the data subject ‘s employment for, say, the provision of references in the future or to enable the employer to provide the relevant information in respect of the data subject’s pension arrangements.

04/21/23 18

It may well be necessary in some cases to retain certain information to enable the data controller to defend legal claims, which may be made in the future. unless there is some other reason for keeping them.

Personal data shall be processed in accordance with the rights of the data subjects under the Data Protection Act:-

The rights are elaborated in Part VI of the Act.

04/21/23 19

What is the aim of these rights? Data protection rights help to ensure that the

information stored about us is:• factually correct;• only available to those who should have it; and• only used for stated purposes.

04/21/23 20

Appropriate security and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data:-

• The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are “appropriate”. These are as follows:-

04/21/23 21

04/21/23 22

Taking into account the state of technological development at any time , the cost of implementing any measures, the special risks that exist in the processing of the data and the nature of the data concerned ,the measures must ensure a level of security appropriate to:(a) the harm that might result from a breach of security; and (b) the nature of the data to be protected.

• With regard to the technical and organisational measures to be taken by data controllers, the EU Directive states that such measures should be taken “ both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing.”

• Data controllers are, therefore, encouraged to consider the use of privacy enhancing techniques as part of their obligations under the Seventh Principle.

04/21/23 23

Minimum security arrangements would normally include the following physical and technical safeguards:-

Physical safeguards- Access to computers should be restricted to authorised personnel only, premises alarmed and secure when not occupied.

Technical Safeguards- Access to computers to be password-protected, PC workstation is subject to password-protected lock-out after period of inactivity, anti-virus software is in use, a firewall is used to protect systems connected to the internet. Do passwords give access to all levels of the system or only to those personal data with which that employee should be concerned?

04/21/23 24

For sensitive data, it is recommended to use additional safeguards such as routine encryption of files and multi-level access control.

It is clear from the above that there can be no standard set of security measures that is required for compliance with the Seventh Principle.

04/21/23 25

• The Commissioner’s view is that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data.

• The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate. Management and organisational measures are as important as technical ones.

04/21/23 26

• The Commissioner’s view is that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data.

• The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate. Management and organisational measures are as important as technical ones.

04/21/23 27

• Standard risk assessment and risk management techniques involve identifying potential threats to the system, the vulnerability of the system to those threats and the counter- measures to put in place to reduce and manage the risk.

• In many cases, a simple consideration of these matters will be sufficient. On the other hand, there are well-established formal methodologies which will assist any data controller to assess and manage the security risks to the system.

04/21/23 28

• Some of the security controls that the data controller is likely to need to consider are set out below. (This is not a comprehensive list but is illustrative only.)

• Security management: • Does the data controller have a security policy setting out

management commitment to information security within the organisation?

• Is responsibility for the organisation’s security policy clearly placed on a particular person or department?

• Are sufficient resources and facilities made available to enable that responsibility to be fulfilled?

04/21/23 29

• is there a procedure for cleaning media (such as tapes and disks) before they are reused or are new data merely written over old? In the latter case is there a possibility of the old data reaching somebody who is not authorised to receive it? (e.g. as a result of the disposal of redundant equipment).

• is printed material disposed of securely, for example, by shredding?

• is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?

04/21/23 30

• is there a procedure covering the temporary removal of personal data from the data controller’s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances?

• are responsibilities for security clearly defined between a data processor and its customers?

04/21/23 31

• Ensuring business continuity: • are the precautions against burglary, fire or natural

disaster adequate? • is the system capable of checking that the data are

valid and initiating the production of back-up copies? If so, is full use made of these facilities?

• are back-up copies of all the data stored separately from the live files?

• is there protection against corruption by viruses or other forms of intrusion?

04/21/23 32

• Staff selection and training: • is proper weight given to the discretion and integrity

of staff when they are being considered for employment or promotion or for a move to an area where they will have access to personal data?

• are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date?

• do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced?

04/21/23 33

• does an employee found to be unreliable have his or her access to personal data withdrawn immediately?

• are staff made aware that data should only be accessed for business purposes and not for their own private purposes?

• Detecting and dealing with breaches of security: • do systems keep audit trails so that access to personal data

is logged and can be attributed to a particular person? • are breaches of security properly investigated and

remedied; particularly when damage or distress could be caused to an individual?

04/21/23 34

Where the data controller is using the services of a data processor , he must ensure that the data processor is providing sufficient guarantees in respect of security and organisational measures.

A data processor is also required to take all reasonable steps to ensure that any person employed by him is aware of and complies with relevant security measures.

The written contract must provide that the data processor will act only on the instructions received from the data controller and the data processor will be bound by the obligations devolving on the data controller.

04/21/23 35

• Further advice may be found in ISO /IEC Standard 27001 and 1S0/IEC Standard 27002

• It is important to note that the Seventh Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against any breaches of the Act rather than just breaches of security.

04/21/23 36

Personal data shall not be transferred to another country, unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data.:-Under section 31 of the DPA, no data controller is allowed to transfer personal data to another country, except with the authorisation of the Commissioner.

04/21/23 37

The word “transfer” is not defined in the DPA. The ordinary dictionary meaning of this word is transmission from one place, person, etc. to another. Transfer does not bear the same meaning as mere transit which refers for example, to data originating from Mauritius and routed through a server in Dubai on its way to Europe.

Before making a transfer, a data controller must consider whether it is possible for it to achieve its objectives without processing personal data at all and examine such options such as anonymisation of such data.

04/21/23 38

Derogations from the Eighth Principle:, i.e , the circumstances in which a transfer may be effected to a non-adequate country-

Where the data subject has given his consent for the transfer; or the transfer is necessary for the execution or intended

execution of a contract between the data subject or any other person acting at the request of data subject or in the interest of the data subject and the data controller;

or is in the public interest, to safeguard public security or national security;

or the transfer is made on such terms as may be approved by the Commissioner as ensuring adequate safeguards for the protection of the rights of the data subject;

04/21/23 39

The adequacy of the level of protection in a particular country as regards personal data is assessed by the Commissioner by taking into consideration the following principles:-

The nature of the personal data;The purpose and duration of the proposed

processing;The country of origin and country of final

destination; 04/21/23 40

the rules of law applicable in that particular country; any relevant codes of conduct and security measures applicable in

that country;Where the particular country does not have any of the above-

mentioned legal principles, Model Clauses as approved by the EU for transfers outside Europe which are recognised standard contractual clauses, safe harbor principles for transfers to the US or binding corporate rules, i.e, internal codes of conduct operating within a multinational organisation for transfers outside Europe may be considered as offering adequate safeguards by the Commissioner.

• It is therefore imperative before any transfer of personal data is effected that these criteria are borne in mind and applied.

04/21/23 41

What does processing, legally speaking, mean?"processing" means any operation or set of operations

which is performed on the data wholly or partly by automatic means, or otherwise than by automatic means, and includes -

collecting, organising or altering the data; retrieving, consulting, using, storing or adapting the data;disclosing the data by transmitting, disseminating or

otherwise making it available; oraligning, combining, blocking, erasing or destroying the

data.

04/21/23 42

• The definition in the Act is a compendious definition and it is difficult to envisage any action involving data which does not amount to processing within this definition.

• To ascertain whether processing is necessary in a particular circumstance as laid down in the DPA namely sections 24 and 25, the Commissioner takes the view that data controllers will need to consider objectively whether:

• the purposes for which the data are being processed are valid,

• such purposes can only be achieved by the processing of personal data and,

• the processing is proportionate to the aim pursued.

04/21/23 43

• Data subject means “an individual who is the subject of personal data”. A data subject must be a living individual. Organisations, such as companies and other corporate and unincorporated bodies of persons cannot, therefore, be data subjects.

• For the purpose of the DPA, the data controller is the person who processes personal information of individuals.

04/21/23 44

• Personal data is defined under the DPA as data, whether recorded electronically or otherwise, which relates to an identified or identifiable living individual, i.e, whose identity is apparent or can reasonably be ascertained from the data.

• It is important not to look at the definition of personal data in isolation as it is the Commissioner’s view that for the scope of the definition to be understood properly, it should be considered in the context of the definitions of “data”, “data controller” and “data subject” in the Act.

04/21/23 45

• The definition of personal data in the Data Protection Act reads as follows:

• “personal data” means data which relates to (a living) individual who can be identified from those data or data or other information, including an opinion forming part of a database, whether or not recorded in material form, about an individual whose identity is apparent or can reasonably ascertained from the data, information or opinion.”

04/21/23 46

A similar definition is contained in the EU Data Protection Directive (95/46/EC):“personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The definition is – deliberately - a very broad one. In principle, it covers any information that relates to an identifiable, living individual.

04/21/23 47

• In the Commissioner’s view, whether or not data relate to a particular individual will be a question of fact in each particular case. One element to be taken into account would be whether a data controller can form a connection between the data and the individual.

• Data do not have to relate solely to one individual and the same set of data may relate to two or more people and still be personal data about each of them. For example, joint tenants of a property or holders of a joint bank account or even individuals who use the same telephone or e-mail address.

04/21/23 48

• Names, addresses, emails are obvious identifiers. But information may also be compiled about a particular web user without any intention of linking it to a name and address or e-mail address.

• There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world.

• CCTV images and sounds are also personal data.

04/21/23 49

• The definition is also technology neutral. It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc.

When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. We refer to organisations or individuals who control the contents and use of your personal details as ‘data controllers’.

04/21/23 50

• Can personal data be anonymised? • Yes, by stripping those data of all personal

identifiers. • In anonymising personal data, the data controller

will be processing such data and, in respect of such processing, will still need to comply with the provisions of the Act.

04/21/23 51

• The Commissioner recognises that the aim of anonymisation is to provide better data protection. However, true anonymisation may be difficult to achieve in practice. Nevertheless, the Commissioner would encourage that, where possible, information relating to a data subject, which is not necessary for the particular processing being undertaken, should be stripped from the personal data being processed.

04/21/23 52

Are you a data controller? If you, as an individual or an organisation, collect, store or

process any data about living people on any type of computer or in a structured filing system, then you are a data controller. In practice, to establish whether or not you are a data controller, you should ask, do you decide what information is to be collected, stored, to what use it is put and when it should be deleted or altered. A data controller must be a “person” i.e. a legal person.

Because of the serious legal responsibilities attached to a data controller under the Act, you should seek the advice of the Commissioner if you have any doubts as to whether or not you are a data controller in any particular case.

04/21/23 53

Most of us give information about ourselves to groups such as government bodies, banks, insurance companies, medical professionals and telephone companies to use their services or meet certain conditions.

Organisations or individuals can also get information about us from other sources. Under data protection law, individuals thus have rights regarding the use of these personal details and data controllers have certain responsibilities in how they handle this information.

04/21/23 54

• Data controllers are the natural or legal persons, who determine the purposes and the means of the processing of personal data, both in the public and in the private sector.

• A medical practitioner would usually be the controller of the data processed on his clients; a company would be the controller of the data processed on its clients and employees; a sports club would control the data processed on its members and a public library controls the data processed on its users.

04/21/23 55

•Where the data controller is not established in Mauritius, he must nominate a representative who resides in Mauritius to carry out his data processing activities through an office in Mauritius. •Each data controller must adhere to the Data Protection Act where he is established in Mauritius and where he is not established in Mauritius but uses equipment in Mauritius for processing data, other than for the purposes of transit through Mauritius.

04/21/23 56

What does sensitive personal data mean? It means personal information of a data

subject which consists of information as to his/her -

racial or ethnic origin; political opinion or adherence; religious belief or other belief of a similar

nature; membership to a trade union; physical or mental health; sexual preferences or practices;04/21/23 57

the commission of an offence; or any proceedings for an offence committed

or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceeding.

Can sensitive data be processed by a data controller ?

No sensitive data can be processed without the consent of the data subject or where the latter has made the data public, subject to certain further exceptions as provided in the Act.

04/21/23 58

How is an application made to the Data Protection Office for registration?

It must be made in writing to the Commissioner by filling in the registration form for data controllers which contain the following information as required by the DPA:-His/her name and address and that of his/her

representative.A description of the personal data being processed, the

purpose for which it is being processed and the category and class of data subjects targetted, where possible their names.

A statement as to whether he/she holds sensitive personal data

A description of the intended recipients to whom the data controller intend to disclose the personal data in his possession.

A description of the country to which the data controller intends to transfer the data, directly or indirectly.

04/21/23 59

After the form is duly filled in and approved by the Commissioner and upon payment of the relevant fee, it will then be included in the public register which will be available at the DPO for viewing by the public and a copy may be also made available on request upon the payment of a fee of Rs 100. A list of registered controllers is also available on the website.

Remember to use a separate application form for each purpose for which you process personal data.

04/21/23 60

Remember it is an offence not to register if you are a data controller!

The Commissioner may refuse an application for registration where:-

she reasonably believes that the details supplied to her by the applicant are insufficient or simply not furnished; or

appropriate safeguards for the protection of the privacy of the data subjects have not been provided by the data controller; or

the applicant is not a proper and fit person.The Commissioner must as soon as is reasonably practicable,

notify in writing, the applicant of the reasons for refusal and of the fact that he may appeal to the ICT Tribunal.

04/21/23 61

What if the data controller supplies false information to the Commissioner?

It is an offence and the penalty is a fine not exceeding Rs 100,000 and imprisonment not exceeding 2 years.

For how long does the registration remain valid?

It remains valid for a period of one year and if registration is not renewed, it will be cancelled.

Is it an offence not to register or to renew registration?

Yes, the penalty is a fine not exceeding Rs 200,000 and imprisonment not exceeding 5 years.

04/21/23 62

The types of personal data to be provided on the registration form may range from contact , financial, income, employment, medical, marital details to property owned, qualifications, amount of debt, transaction details.

The purposes for their processing are actually the nature of the business being carried out.

04/21/23 63

Any change in address is to be notified in writing to the Commissioner within 15 days of the change. Otherwise, it is an offence.

You may also request the Commissioner to remove your name from where it is contained in the register, whenever you are no longer a data controller or data processor.

An amendment has recently been brought to the DPA to include changes in particulars of the data controller to be notified in writing to the Commissioner within 14 days of the change.

04/21/23 64

What can the Data Protection Office do when a data controller or a data processor contravenes the Data Protection Act?

- Where the Commissioner finds that a data controller or a data processor is acting in violation of the Data Protection Act, she may serve an enforcement notice on the data controller or the data processor requiring him/her to take such steps within the period of time specified in the notice which must not be less than 21 days, to remedy the matter and implement the measures recommended by the Commissioner in the enforcement notice.

04/21/23 65

The data controller or the data processor must then notify the data subject of his compliance with the enforcement notice, not later than 21 days after such compliance.

Is it an offence not to comply with the enforcement notice?

Yes. Any person who does not comply with the enforcement notice and does not have a reasonable excuse for not complying will commit an offence, the penalty of which will be a fine not exceeding Rs 50,000 and imprisonment not exceeding 2 years

04/21/23 66

Under section 28 of the DPA, the data controller must notify the data processor holding data , where the purpose for keeping which has lapsed, to destroy it as soon as is reasonably practicable.

Under section 29 of the DPA, any data processor, who without lawful excuse, discloses personal data processed by him without the prior authority of the data controller shall commit an offence, the penalty of which is a fine not exceeding Rs 200, 000 and imprisonment for a term not exceeding 5 years.

04/21/23 67

What are the powers of the Commissioner?to issue or approve codes of practice or guidelines;

create and maintain a register of all data controllers;

promote self-regulation among data controllers;

take such measures as may be necessary so as to bring to the knowledge of the general public the provisions of this Act;

04/21/23 68

undertake research into, and monitor developments in, data processing and information technology, including data-matching and data linkage;

examine any proposal for data matching or data linkage that may involve an interference with, or may otherwise have adverse effects on the privacy of individuals and, ensure that any adverse effects of such proposal on the privacy of individuals are minimised;

do anything incidental or conducive to the attainment of the objects of, and to the better performance of his duties and functions under this Act.

04/21/23 69

What are the other powers of the Commissioner?

Where the Commissioner is of the view that the investigation reveals the commission of a criminal offence under the Data Protection Act, she can refer the matter to the Police.

The Commissioner can also request information from a person whenever it is required for the Commissioner to discharge her functions properly by sending a notice.

04/21/23 70

The Commissioner can also carry out security checks when she believes that the processing or transfer of data by a data controller will entail specific risks to the privacy rights of the data subjects to assess the security measures taken by the data controller prior to the beginning of the processing or transfer.

The Commissioner can also carry out periodical audits of the systems of data controllers to ensure compliance with the data protection principles.

An officer of the Data Protection Office may at any time enter and search the premises where data processing activities are being carried on.

04/21/23 71

Who can make a complaint to the Data Protection Office?

Any individual or organization who feels that his privacy rights with regard to the processing of his personal data may have been affected.

What does the Data Protection Office do when it receives a complaint?

It investigates the complaint, unless the complaint is frivolous, and as soon as possible, notify the complainant in writing of its decision.

04/21/23 72

What can the complainant do if he/she is not satisfied with the outcome of the investigation?

– The complainant may appeal to the Information and Communication Technologies (ICT) Tribunal if he/she is not satisfied with the decision reached by the Commissioner.

04/21/23 73

Dealing with Subject Access RequestsThe key right for the individual is the right of access.

Essentially this means that you as data controller have to supply to the individual the personal data that you hold if a valid request is made to you under Section 41 of the DPA.

The data subject must fill in the request for access to personal data form available at the DPO and send it to you.

The time limit for complying with an access request is 28 days. In order to ensure your compliance with the time limit and your other access obligations the following long term organisational and procedural steps may be effected:

04/21/23 74

Appoint a Data Protection Co-ordinator who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator.

All subject access matters should be submitted to the Co-ordinator.

Check the validity of the access request. Ensure that it is in writing, that the appropriate fee of Rs 75 is included.

04/21/23 75

Check that sufficient material has been supplied to definitively identify the individual. This is most important as a third party may provide false material to lodge a false access request.

Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation.

Log the date of receipt of the valid request.04/21/23 76

• When should I contact the Data Protection Commissioner?

• If you are not happy with how your details are being used, you should contact the organisation in question. If you believe that the organisation or individual is still not respecting your data protection rights, you should contact the Office of the Data Protection Commissioner for help.

04/21/23 77

04/21/23 78