Data Protection: Your Rights as a Data Subject

Data Protection: a Human Right
  • Part of Right to Personal Privacy
  • Personal Privacy: necessary in a Democratic Society
  • Not absolute: other necessary Rights in a Democratic Society (e.g. Freedom of Expression, Rights of Others)
  • Right protected by Irish Constitution and European Law
The Data Protection Rules
  • Fair obtaining & processing
  • Specified purpose
  • No disclosure unless “compatible”
  • Safe and secure
  • Accurate, up-to-date
  • Relevant, not excessive
  • Retention period
  • Right of access
Rights and Obligations
  • Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”
  • Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)
Definitions 1
  • Personal Data
    • Any Data relating to a living identifiable individual
  • Data
    • Automated data or structured manual data
  • Manual Data
    • Structured by reference to individuals in a way that makes data readily accessible
Definitions 2
  • Data Controller
    • a person who controls the contents and use of personal data
  • Data Processor
    • A person who processes personal data on behalf of a data controller
Definitions 3
  • Data Subject
    • an individual who is the subject of personal data
  • Processing
    • Anything done with personal data, from collection to disposal
Sensitive Data (special protection)
  • Physical or mental health
  • Racial origin
  • Political opinions
  • Religious or other beliefs
  • Sexual life
  • Criminal convictions
  • Alleged commission of offence
  • Trade Union membership
Rights of Individuals
  • to fairness when giving information
  • to get a copy of their personal information – includes both computer and certain manual files
  • to have wrong information corrected
  • to opt out of marketing - includes mail & phone
  • to complain to the Data Commissioner

Rule 1

Obtain & Process Fairly I
  • Data controller must give full information about
    • identity
    • purposes
    • disclosees
    • any other data necessary for “fairness”
  • Third party data controllers
    • must contact data subject to provide these details
    • must give name of original data controller

Rule 1

Obtain & Process Fairly II

One of these conditions required:

  • Consent
  • Legal obligation
  • Contract with individual
  • Necessary to protect vital interests
  • Necessary for a public function (Justice)
  • Necessary for ‘legitimate interests’

Rule 1

Processing Sensitive Data

One of these additional conditions is required

  • Explicit consent
  • Necessary under employment law
  • To prevent injury or protect vital interests
  • Process the data of members/clients of non-profit orgs.
  • Legal advice
  • For Medical Purposes
  • Statutory function

Rule 2

Specified Purpose
  • Specifying the purpose is part of the obligations when obtaining data
  • Cannot expand purpose without reverting to individual

Rule 3

Disclose only if compatible
  • General rule – no disclosure for different purpose
  • Exceptions made, to balance other interests of society
  • Section 8 exceptions
    • Investigation of crime
    • Collection of taxes
    • Security of the State
    • Protect life & limb
    • Law or court order
    • Legal advice and legal proceedings
  • No general “public interest” test

Rule 4

Keep Safe and Secure
  • Appropriate security measures
    • Appropriate to the harm that might result
    • Appropriate to the nature of the data
  • May have regard to cost of implementation
  • May have regard to the current state of technology
  • Staff must know and comply with measures
  • Internal review of security measures – part of Internal Audit function?

Rule 5

Accurate, Complete and Up-to-Date
  • The longer personal data is held, the more likely it is to be inaccurate and out-of-date
  • Right to have errors rectified (see later)

Rule 6

Relevant and not Excessive
  • No right to ask for, or hold, information not relevant to service etc being provided
  • Challenge: why do you need all this personal data?

Rule 7

Retain no longer than necessary
  • Legal obligations to hold data?
  • Customer files
    • Do you need to hold all that data?
    • Payment records might have one retention period
    • Exam results might have longer retention period
    • Credit card details retained with consent
  • Must have a thought-through policy
    • Defend retention as necessary for purpose.

Rule 8

Right of Access
  • applies to manual as well as computer files
  • data subjects are also entitled to know
    • purposes for which data is processed
    • persons to whom data are disclosed
    • the source of the data
Right of Access: Empowerment

The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

Scope of Access Request
  • Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
  • Copy of information must be provided in permanent form unless data subject agrees otherwise or this is impossible or involves disproportionate effort
What must be disclosed in an access request
  • Personal data held
  • purposes for processing data
  • persons to whom data are disclosed
  • the source of the data
    • subject to confidentiality safeguards
  • logic involved in automated decisions
Access Request - Procedure
  • Shall be in writing
  • Data Subject shall provide sufficient information to identify themselves
  • Data Controller shall comply within 40 days
  • May charge a fee up to €6.35
  • Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
  • References are not exempt in general
  • High threshold required
  • Work performance reports on colleagues are accessible
  • Interview notes – accessible
Exempt from Access Requests
  • Data relating to a claim of liability
  • Data covered by legal privilege
  • Data relating to a criminal investigation
  • Certain research data
  • Back-up data
Access: Exemptions (S.5)
  • Right of Access does not apply if likely to prejudice:
    • Preventing, detecting or investigating offences, apprehending or prosecuting offenders
    • Security in a place of detention
  • Other (international relations, privileged information etc)
Right to correct/erase/block
  • Section 6 of the Act
  • Data Subject makes a written request
  • Personal data must be:
    • Corrected, if inaccurate; or
    • Deleted, if it should not be held.
  • Data Controller has 40 days to respond
  • No fee
Right of erasure
  • Doesn’t apply if you have a lawful purpose in retaining data
    • Such as auditing or accreditation purposes
Automated decisions
  • Key decisions cannot be made solely based on automated processing of personal data
    • creditworthiness
    • work performance
    • reliability
  • Exceptions
    • consent; legal necessity; contractual reasons
Right to object

Section 6A(1) allows the data subject to object to processing of data that:

  • is “likely to cause substantial damage or distress to him or her, or to another person, and
  • the damage or distress is or would be unwarranted”
DP/FOI Access to Personal Information
  • DP and FOI Acts reinforce one another in relation to personal access in the public sector
  • Defending access to personal information as human (DP) and citizen (FOI) right
  • 3rd Party Access restricted under both Acts
  • FOI access to personal information should sometimes prevail in the public interest
Right to opt out of direct marketing
  • Data subject may opt out of direct marketing database (e.g. a mailing list)
  • Data controller must delete the data subject’s details (or stop using them for direct marketing)
  • Data controller must reply within 40 days
Electronic Communications
  • Right to “opt-out” of all unsolicited direct marketing calls
    • Ex-Directory customers (and most mobiles) automatically ‘opted-out’
    • If not ex-directory, contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list
    • SMS and e-mail unsolicited marketing banned
Can my employer monitor me?
  • Yes, depending on the conditions of any in-house policy document.
  • Employees should be made fully aware of Office policy in relation to e-mail content, and acceptable usage
  • Monitoring should be proportionate and not unduly intrusive.
Can monitoring occur without my consent?
  • Where a criminal offence is being investigated, covert monitoring may be legitimate.
  • Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.
Can I get a copy of my personnel file?
  • You have a right to a copy of any records relating to you – including personnel files, assessments, evaluations and interview notes.

Note – this may be subject to restriction, for instance re statements of opinion or third party.

How can I check my credit rating?
  • Contact the Irish Credit Bureau at 01-2600388 (
  • Your credit rating can be checked by member institutions (banks, etc.) when you apply for credit.
How do I stop unwanted phone marketing?
  • You should contact your telephone line provider – e.g. Eircom, BT – and ask to have your details included in the National Directory Database (the NDD) ‘opt-out list’

  • After about one month, marketing calls from Ireland should cease.
  • More info: and
How do I stop Junk Mail?
  • You can write to the organisation sending the mail, instructing them to stop. They are obliged to comply.
  • Or you can use the Mail Preference Service operated by the Irish Direct Marketing Association (
Further Guidance