Data protection is in essence a simple concept, and organisations that manage personal data should have an understanding of the basics. It is about respecting the privacy of personal data held.
There are a couple of essential points to remember; define the purpose for processing personal data, know if this data is being shared with third parties, know how long data will be retained for, make Subjects aware of the above at time of collection and inform them of their rights. Once your organisation has done this you’re most of the way there.
‘Purposes’ for processing
The most basic step to keeping your organisation safe is to understand the purpose(s) for processing. A purpose for processing must be ‘specific, explicit and legitimate’. Access to that data should be restricted and only made available for those specific purposes. The Purpose for processing will also drive how long data should be held and is central to any retention policy or guideline. This will also define how to structure and store data within the organisation.
The use of cctv recordings for the purpose of security and safety is generally acceptable. If it is used for other purposes such as the monitoring visitors of staff, it is typically considered excessive and it’s use can expose the business to liability. There is much precedent in the courts in this area and the DPC (Data Protection Commissioner) takes a tough line on other uses unless they are robustly justified.
If you are presented with a passport for identification validation you should in general never take a copy of it, simply witness the passport as a validation and retain the number for the record. However, if you are in an industry where you need to retain data for AML (Anti Money Laundering) purposes you have a responsibility to retain this information for this purpose. This is covered by law. Having retained it for AML it should not be used for any other purposes.
If it is used for another purpose, and the organisation is in litigation with the Subject and relies on the identification, this could collapse a case. It is like being arrested and an officer not reading you your rights.
In this example there were two separate purposes and the key to managing these scenarios is to ensure that staff are aware that a piece of data can have multiple purposes and that use of data is restricted to particular purposes. Typically a well documented process will mitigate against inadvertent misuse of this type of personal data.
Note; Documentation of processes do not need to be extensive. Typically short, detailed and ideally with a flow chart to make them easily understood is best practice. Keep it simple.
Identifying, documenting and understanding the purpose for which you are holding personal data is the key to understanding how to manage your personal data.
Respecting the rights of the individual
This can be a little more complex but very understandable. The individual has an absolute right for their personal data not to be processed unless there is a legitimate reason for doing so. This will typically be in the form of a contract, consent, a legal requirement or the legitimate interest of an organisation.
The 5 key elements require to ensure that Subject rights are observed;
- Know your legitimate reasons for processing personal data.
- Inform Subjects of the purpose and particulars of this processing.
- Inform subjects of their rights.
- Take steps to ensure that personal data is not further processed or retained for excessive periods within the organisation and that Subject rights are observed in practice.
- And for your own protection, have the documentation to prove the above.
These five steps will keep an organisation in good shape, demonstrate it’s respect for the rights of data Subjects and avoid unwanted data protection related action. It is also important to be aware that there are other rules around international transfer, the treatment of minors, transferring to third parties and the treatment of special categories of data.
Protecting the personal data that you hold
Following some well publicised data breaches over the last year it would be remiss not to touch upon the security measures required. There is a legal obligation to protect the personal data that you hold and this is backed up with significant fines and enforcement penalties for breaches. Firms need to take care to protect themselves against unauthorised access to both paper and digital personal data.
In particular cyber threats are becoming even more common, and simple precautions and staff training will go a long way prevent a cybersecurity event. A cyber breach can be costly, time consuming, attract regulatory enforcement and damage reputations. It is advisable to take sensible precautions.
While there is often a lot of detail relating to Data Protection, remaining compliant should not be too difficult. For most organisations it is about respecting personal data and putting processes in place to ensure that personal data is not accidentally or unknowingly misused.
…. and a final consideration. Holding unnecessary Personal Data is a liability. The recent updating of Data Protection regulation has provided data subjects with real power and this means that infringements can cause an organisation real harm. Holding personal data of any type without a lawful reason is can expose an organisation to regulatory action and we need to reprogram a lifetime’s instinct to store data and move to a world where our instinct is to ‘delete personal data by default’.
My next blog will cover my top tips to stay compliant.