Data Protection and the Voluntary Sector: Respecting the Rights of the Individual

Data Protection and the Voluntary Sector: Respecting the Rights of the Individual Billy Hawkes Data Protection Commissioner Carmichael Centre Dublin, 2 November 2010

Presentation Outline • Why Data Protection? • What are our Responsibilities? • Data Protection Commissioner • Good Practice • Voluntary Sector: Some Issues

Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy: necessary in a Democratic Society (but not absolute) Data Protection: Fundament Right under EU Law EU and Irish law on Data Protection • Data Protection Acts 2008 & 2003; Electronic Privacy Regulations 2003 & 2008

EU Charter of Fundamental Rights: Article 8 • Protection of personal data • 1. Everyone has the right to the protection of personal data concerning him or her.2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.3. Compliance with these rules shall be subject to control by an independent authority.

Fair obtaining & processing Consent Specified purpose No disclosure unless “compatible” Safe and secure Accurate, up-to-date Relevant, not excessive Retention period Right of access The Data Protection Rules

Rights and Obligations • Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data” • Data Subject: volunteers, employees, customers/clients • Personal Data: anything that can be linked to a living individual (databases, lists, CCTV) • Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”) • Usually a corporate entity e.g. Charitable Organisation – NOT individual employee or volunteer

Rights of Individuals • to fairness when giving information • to get a copy of their personal information – includes both computer and manual files • to have wrong information corrected • to opt out of marketing - includes mail & phone • to complain to the Data Protection Commissioner

Rule 1 Obtain & Process Fairly One of these conditions required: • Consent (self or parent etc) • Legal obligation • Contract with individual • Necessary to protect vital interests of individual • Necessary for a public function (Justice) • necessary for ‘legitimate interests’ of organisation or third party • Balance with rights of individual

Responsibilities on Organisations (Data Controllers) at the different stages Beginning Getting the Data Middle While you have the data End Disposing of data

Keep accurate Have a retention policy Inform and get consent Justification to process Beginning Getting the Data Middle While you have the data End Disposing of data Specify purpose Disclose only if compatible or allowable exception Keep secure and dispose securely Respond to access requests Only gather what is required

Sensitive Data (special protection) • Physical or mental health • Racial origin • Political opinions • Religious or other beliefs • Sexual life • Criminal convictions • Alleged commission of offence • Trade Union membership

Rule 4 Keep Safe and Secure • Appropriate security measures • Appropriate to the harm that might result.. • Appropriate to the nature of the data • May have regard to cost of implementation • May have regard to the current state of technology • Staff /volunteers must know and comply with measures

Data Protection Training. • Obligation on organisation to ensure staff are aware of data protection obligations. • Training

Rule 7 Retain no longer than necessary • Legal obligations to hold data? • Customer/Client files • Do you need to hold all that data? • Customers/? • Volunteers? Supporters? Employees? • Must have policy thought through • Defend retention as necessary for purpose.

Right of Access • Every data subject has a right to request and receive a copy of All personal data in All forms relating to her/him (only) held by a data controller • Maximum 40 days to respond • Maximum charge of €6.35 (includes photocopying etc)

Right to opt out of direct marketing • Data subject may opt out of direct marketing database (e.g. a mailing list) • Data controller must delete the data subject’s details (or stop using them for direct marketing) • Data controller must reply within 40 days

Electronic Marketing • SMS and e-mail unsolicited marketing banned • Phone Marketing banned if: • Customer on National Directory Database ‘opt-out’ list • Has specifically asked not to be contacted • Non-compliance a criminal offence

Data Processors • Agents and sub-contractors • There must be a written contract in place • Data Controller must take reasonable steps to ensure compliance with security measures

Role of Data Protection Commissioner (standard throughout EU) • Enforcer Role: compliance by data controllers & processors • Ombudsman Role: resolution of disputes between data subjects and data controllers or processors • Educational Role: Promotes DP rights and good practice • Registration Authority: obligation on major holders of personal data to be placed on public register

How does (Irish) DPC fulfill role? • Investigations/Audits • Arising from complaints • On own initiative • Maintains public register • Codes of Practice • Guidance booklets, website, presentations, advice, Annual Report

General Approach of DPC Strong emphasis on Education Supportive of compliant data controllers Alert to issues arising from Complaints • Emphasis on Right of Access • Addressing the “big picture” Target problem data controllers • Use full powers Work with other Regulators

Complaints 2009 914 formal complaints Many more enquiries dealt with informally Most resolved amicably * Mainly electronic (SMS etc)

Good Practice: General Transparent and Balanced approach to collecting and using personal data Build DP in early in systems and policy proposals People informed about data collection and use (privacy notices on websites etc) Consult DPC guidance (www.dataprotection.ie)

Good Practice: Audit • Do we know what types of personal data we hold? • Electronically (also CCTV images) • Paper • Can we justify: • Why we collect it? • What it is used for? • Length of time we hold it? • Who has access to it? • Who it is disclosed to?

Good Practice: Access & Correction Requests • Can we : • Provide a description of the personal data we hold on an individual within a max. of 20 days? • Provide copy of this data within a max. of 40 Days? • Correct or erase data within 40 days?

Good Practice: Security • Access Controls • Internal • External • Audit Trails • Vulnerabilities • Portable Devices • Passwords AND encryption

Do not retain personal for any longer than can be objectively justified: clear policy Comply with legal retention obligations Orderly and secure disposal of old records Good Practice: Disposal

Good Practice : People • Does everyone handling personal data know their responsibilities under Data Protection Law? Is this routinely included in training/induction? • Are procedures for handling personal data properly documented? • Are DP compliance responsibilities clearly allocated?

Good Practice: When things go wrong … Have a clear plan – what will you do if there is a security breach? Notify DPC and customers Anticipate legislation Tell customers/clients how you intend to remedy any damage done to their interests

Who is the “Data Controller”? • “A person who, either alone or with others, controls the contents and use of personal data” • Voluntary Organisation, national umbrella-body • Not the individual employee or volunteer • Organisation accountable for how it handles personal data • Organisation needs to demonstrate it is taking this responsibility seriously: training, security measures

Membership Information • Only collect Information you need • Explain how information will be used • Privacy Statement if via website • Extra care for sensitive information (e.g. health) • Only for Organisation’s legitimate use • Any other use or disclosure (e.g. 3rd party marketing) normally needs consent • OK if legal obligation (e.g. Revenue Commissioners) • Use BCC for membership e-mails • Delete/Update as necessary

Fund-Raising (1) • Subject to rules governing Marketing • Post: OK to (i) businesses (ii) current members/supporters (iii) other individuals where information from public source (e.g. Edited Electoral Register) • Individuals have right to say STOP

Fund-Raising (2) • Phone/Fax • ILLEGAL if individual or business on NDD (need check) unless current member/supporter • ILLEGAL if individual or business has objected

Fund-Raising (3) • E-Mail/SMS • OK to current members/supporters assuming they were provided with an opportunity to object to this use at the time their details were collected (message must still include STOP option) • OK to business (but must include STOP option) • Otherwise ILLEGAL

Help-Lines • Recording/Monitoring • Need to justify and tell caller at beginning • Noting Client Information • If for analysis/statistics, use general categories: anonymise • Avoid collecting identifying information unless follow-up essential - explain to caller • Do NOT seek PPSN

Data Security • Responsibility of Organisation • Law says level of security appropriate to the harm that might result from… loss etc and nature of the data • Higher security for e.g. financial and health data • Try avoid storage on home PCs • Danger access by family etc members • Data should be encrypted • Option of secure central on-line database

Garda Vetting • Sensitive data • Done on basis individual consent • Limit retention of “raw” data • Remember the Garda will be retaining the data

Child & Vulnerable Adult Protection • Duty to report suspected abuse to Garda, HSE • Does not require individual consent • “Need to know” basis within organisation

Further Guidance • www.dataprotection.ie

Data Protection and the Voluntary Sector: Respecting the Rights of the Individual