HIPSSA Project

Support for Harmonization of the ICT Policies in Sub-Sahara Africa,

TRAINING /DATA PROTECTION LAW

Case Studies on Data Protection Violations

Zambia, August 2013

Gertrude Mukuwa

National Expert on Data Protection


Summary of the Content

  • International case studies on data protection law violations

  • Reveals the approach of the Data Protection Commissioner/Authority

  • Reveals how the Data Protection Act and the principles are interpreted


Allianz requesting excessive personal information at quotation stage (Ireland)

  • The insurance agent asked the potential customer to provide her date of birth and her mother's maiden name for a quote for pet insurance.

  • The data protection law in Ireland provides that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed.

  • Following intervention, Allianz confirmed its intention to cease using its ID verification screen and its request for the mother's maiden name at quotation stage.


Unlawful use of CCTV to remotely monitor an employee (Ireland)

  • Complaint to the Commissioner: personal privacy was affected in the workplace through inappropriate use of CCTV.

  • Phone calls from the employer allegedly described to the employee what he had been doing at a particular time.

  • The employee said that the CCTV system was installed without prior staff notification as to the reason for its installation or its purpose.

  • The Commissioner noted the rule that CCTV must be a proportionate response to the risk, taking into account the legitimate privacy and other interests of workers. Furthermore, to meet the transparency requirement, staff must be informed. The employer was ordered to cease use of CCTV.


Credit card transaction – use of details from previous transaction without consent (Ireland)

  • A customer of a car rental company alleged that the company had used his credit card data – obtained in a previous transaction – to process a disputed charge without his consent, and in spite of his objections to the charge.

  • The specific data protection issue in this case was whether the rental firm obtained and processed the complainant's credit card details fairly, with the appropriate level of consent from the individual.

  • Commissioner: “credit card data obtained for a particular transaction cannot be used subsequently for other transactions without express consent, without violating the ‘fair obtaining’ rule. The principle of transparency and fairness, which are key tenets of data protection law and practice, apply in this area just as in any other”


Bank of Scotland – appropriate and effective security measures (UK)

  • 5 August 2013

  • A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.

  • 75 000 pounds monetary penalty

    http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/bank-of-scotland-monetary-penalty-notice.pdf


NHS Surrey - appropriate and effective security measures (UK)

  • 12 July 2013

  • A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved, outstanding issues are now being dealt with by the Department of Health.

  • A member of the public informed the data controller that he had purchased a PC with confidential medical information from a third party company (the “third party company”) via an online auction site. Files contained confidential sensitive personal data and HR records, including patient records relating to approximately 900 adults and 2000 children.

  • 200 000 pounds monetary penalty

    http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/nhs-surrey-monetary-penalty-notice.pdf


Glasgow City Council - appropriate and effective security measures – encryption of laptops (UK)

  • 7 June 2013

  • A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

  • 150 000 pounds penalty

    http://www.ico.org.uk/enforcement/~/media/documents/library/Data_Protection/Notices/Glasgow-city-council-monetary-penalty-notice.ashx


Concluding Thoughts

  • Case studies reveal the approach of the Data Protection Commissioner/Authority

  • Reveals how the Data Protection Act and the principles are interpreted

  • Private and public sector, as data controllers, must assess their practices against the requirements of the Act

  • A transition period must be applied in the Bill for organisations to conform their practices

  • Ultimately, it is important that an Authority is established to enforce the Bill and realise data protection safeguards in Zambia


Thank You

Questions?

Gertrude M. Imbwae

National Legal Expert on Data Protection

