Lecture 5 DPA
8/3/2019 Lecture 5 DPA
1/29
Cyber Laws
Lecture 5
Data Protection Act
Computer Science and Engineering
Faculty of Engineering
-
Topics to be Covered
- Data protection: the legislative background
- How data protection regulations work
- Obligations under DPA
- The 8 compliance principles of DPA
- Consequences of non-compliance (offences, enforcement and penalties)
-
Importance of DPA
- All contemporary business organisations have the need or desire to keep or gather information about people, whether they are existing customers or potential customers.
- There is legislation which dictates how this information is gathered and utilised.
- With the risks posed by problems like identity theft and personal information disclosure, people are increasingly aware of the sensitivity of personal information.
- If personal information is disclosed, or unlawfully gathered, this can lead to criminal conviction (of company office holders or employees), and this conviction will have a negative effect on the organisation's image/reputation.
-
The Legislative Landscape
- The main aim of DPA is that: Members of the organisation shall protect the fundamental rights and freedoms of natural persons and in particular their rights to privacy in respect of processing of personal data (Article 1 of the Data Protection Directive).
- DPA needs to provide a framework within which the individual's rights and freedoms are protected.
- Organisations need to reach an equilibrium between Article 1 of the Directive and the needs of organisations for the purpose of business.
- DPA allows companies to hold and process personal information, but prevents them from abusing the information.
-
Legislative Background
(Diagram: DPA at the centre, surrounded by related legislation)
- Freedom of Information Act
- Electronic Commerce Regulation
- Regulation of Investigatory Powers Act
- Human Rights Act
- Privacy and Electronic Communications Directive
-
Information Commissioner (IC)
- The Information Commissioner is the person who regulates data protection and freedom of information in the UK.
- He seeks out breaches of DPA.
- The IC also gives recommendations on how Data Controllers should comply.
- The Data Controller is the person who determines the purpose for which data are to be processed or the manner in which they are processed.
- Data Controllers need to be conversant with DPA and attendant regulations, and with guidance from industry organisations.
-
Compliance
- Some bodies have the responsibility of producing industry standards and guidance on legal compliance.
- Compliance is either a state of being in accordance with established guidelines, specifications or legislation, or the process of becoming so. Software, for example, may be developed in compliance with specifications created by some standards body, such as the Institute of Electrical and Electronics Engineers (IEEE), and may be distributed in compliance with the vendor's licensing agreement.
-
How Data Protection Regulation Works
- DP laws automatically come into play when the Data Controller processes personal data.
- Personal data is simply data pertaining to a living individual (a.k.a. the Data Subject) who can be identified by the data in the possession, or likely to come into the possession, of the Controller.
- Foreign nationals can be data subjects even if they have no expectation of being protected by DPA.
- e.g. A company from country X processes all its databases relating to individuals in other countries at a location in the UK; because the processing is carried out in the UK, it will fall within the provisions of DPA.
-
Activity
What is the difference between personal data and sensitive data? Give two examples of each.
-
DPA
DPA defines processing as obtaining, recording, holding or deleting and destroying the information, or carrying out any operation or set of operations on the information.
-
Obligations under DPA
- The public should know, or at least be able to know, who is processing personal data and for what purpose.
- Notification, also known as Registration (providing details of the organisation), works in the interest of:
  - DCs, as they are able to publicise their activities, and
  - Individuals, as they are able to query how personal information is being processed, and by whom.
- DCs should also notify the IC about the processing being done. This process is to be renewed every month.
-
Exemptions to the requirement of notification
- DCs who only process information to administer their business, and do not have services using personal information
- Non-profit organisations
- Data Controllers who do not process personal information on computer
- Organisations that are not data controllers (e.g. third parties who process information on behalf of DCs)
-
Compliance with Data Protection
There are 8 principles for compliance with DPA:
1. Fair and lawful obtaining and processing
2. Personal information shall be obtained only for one or more specified purposes.
3. Adequate, relevant and not excessive
4. Personal data are accurate and kept up-to-date
5. Information is not to be retained for more time than it is required for processing.
6. Processing should be carried out in accordance with the rights of the data subjects
7. Security
8. Transfer of data to another country
-
Principle 1. Fair and lawful obtaining and processing
To ensure that the gathering and processing of information is fair, the following conditions must be met:
- The identity of the data controller must be known.
- The purpose for which the information is to be processed should be clearly specified.
- Other information relevant in the circumstances whereby the information might be disclosed (as this may affect the individual's decision to provide the personal information).
-
Principle 1 applied online
- With information being continuously gathered online when application or registration forms are being filled, the user may not realise the sensitive nature of the information being requested. The user will simply tend to fill in a field because it is there on the form.
- On websites, all of these must be specified in the privacy policy, a data protection clause or a marketing opt-out in e-mails.
- The communication of the fair processing provisions should be made prior to the information being requested from the data subject.
- DCs should check that third parties (e.g. list brokers) who provide the data are compliant.
-
Principle 1: Lawful processing
The DPA does not actually define the term lawful processing. The Information Commissioner, however, regards the following methods of obtaining information as being unlawful:
- Breach of confidence
- Breach of contract
- Infringement of the Human Rights Act or the Freedom of Information Act
-
Principle 1: Conditions for ensuring fair and lawful processing
- The consent of the Data Subject must have been obtained for the processing.
- The processing is necessary for the performance of the contract binding the individual.
- The processing is necessary to protect the interests of the data subject.
- The processing is necessary for the administration of justice.
- The processing is required for the DC to comply with his own legal obligations (e.g. keeping a register of shareholders).
- The processing is necessary for the purpose of legitimate interests pursued by the DC, provided these interests are not detrimental to the data
-
Principle 1
Should the DC wish to process personal data, he must satisfy at least one of the conditions listed below:
- Explicit consent of the individual
- The DC is required to lawfully process information for employment purposes
- Processing is required to protect the vital interests of a data subject (e.g. medical history)
- Processing in connection with exercising or defending legal rights
- Processing for purposes of equal opportunity monitoring
- When the data has deliberately been made public by the data subject, e.g. a parliamentary candidate broadcasting his own details
-
Principle 1
The processing can also be carried out without the consent of the individual if:
- It is meant to prevent unlawful acts, or is undertaken by police, or is processing of political opinions that is not prejudicial to the rights of the individual.
- It is necessary for research purposes or the provision of confidential counselling services.
- It is processing undertaken by an insurance company or pension provider in connection with medical underwriting.
-
Consent
- An individual must give consent before any processing of his personal data takes place, unless one of the conditions previously described has been met.
- Consent cannot be inferred from a lack of activity on the part of the data subject.
- Consent, though not defined in DPA, is usually considered (as per Article 2 of the DPD) as 'any freely given and informed indication of his wishes by which the Data Subject signifies his agreement to personal data relating to him being processed'.
- Consent must be adequate and the Data Subject should understand what processing is to take place on the data.
-
Principles 2 & 3
Personal information shall be obtained only for one or more specified purposes.
- In other words, the processing must not be incompatible with its intended purpose. These purposes are specified in a register (belonging to the DC) which is usually held by the IC.
Adequate, relevant and not excessive
- The DC should capture only the minimum of personal information that is needed to properly fulfil the purpose of the processing. Information that is not used, or not likely to be used, should not be stored.
-
Principle 4
Personal data are accurate and kept up-to-date
- Data which are out-of-date are most likely to be regarded as excessive and irrelevant for their purpose.
Exceptions to this principle include:
- The information is a snapshot in time and does not require to be kept up-to-date.
- The DC has taken reasonable steps to ensure privacy.
- The individual has challenged the accuracy and the DC has recorded this.
- The information, whilst inaccurate, constitutes an accurate record of what was obtained from the Data Subject or a third party (implies the need for a warranty from the vendor).
-
Principle 5
Information is not to be retained for more time than it is required for processing.
In order to comply with this principle, there is the need for continuous appraisal of the information, as well as of the purpose of its collection. In some circumstances, information can be retained after its processing based on legal requirements or reasonable business needs, e.g. contracts: 6 years; accounting: 7 years; tax purposes and health & safety: much longer, depending on statutory requirements.
-
Principle 6
Processing should be carried out in accordance with the rights of the data subjects
- Right to access personal information (fee + proper identity check)
- Right to object to automated decision making
- Individuals can request the DC to stop processing, or to re-process on the basis of updated information
- Right to object to direct marketing
- Right to object to certain processing likely to cause damage
- Right to compensation
- Right to rectify, block, erase or destroy (court order to do the above on the inaccurate information)
-
Principle 7
Security
- The DC should take the necessary precautions to safeguard data against unauthorised access, processing, disclosure, damage or loss.
- The DPA takes into consideration 2 factors:
  - The cost of the security measure with regard to the nature of the information and the perceived harm that a security breach could cause
  - The state of technological development at this time
- Dealing with third parties, out-sourcing...
- Staff training, firewalls, physical security, access controls + case studies
-
Principle 8
Transfer of data to another country
- DPA prevents private information from being transferred to another country unless that country ensures an adequate level of protection for the rights and freedoms of the data subjects in relation to the processing of personal information.
- Exceptions to the above:
  - The transfer is necessary for a contract between the DC and the subject
  - The Data Subject is agreeable to the transfer
  - It is necessary for a contract with a third party
  - It is necessary for substantial public interest
  - The transfer is authorised by the IC
  - The transfer is necessary for court proceedings and hearings...
-
Consequences of non-compliance
- Offences under the DPA are criminal and can be prosecuted by the office of the IC.
- Offences include:
  - Processing personal data without notification
  - Failure to notify the IC of changes in registrable details
  - Recklessly making a false statement in response to an information notice
  - Intentional obstruction of someone in execution of a warrant
  - Unlawful obtaining or disclosure of personal information
  - Enforced subject access
-
Enforcement & Penalties
Enforcement
- Upon any breach of DPA, the IC will issue an information notice to the DC, asking for information within a definite time-frame.
- If the IC concludes that there is a breach, an enforcement notice is issued, and the DC cannot continue his processing.
- The IC can even request a search warrant if the DC has refused entry or caused hindrance to the IC.
Penalties:
- Though criminal, offences under DPA do not carry custodial sentences. However, the DC, directors and individual employees can be held personally responsible for the offences if the court finds that the offence was committed through their neglect, connivance or consent.
-
Activity
Describe the role of an Information Commissioner.