Lecture 5 DPA

8/3/2019 Lecture 5 DPA

1/29

Cyber Laws

Lecture 5

Data Protection Act

Computer Science and Engineering

Faculty of Engineering


2/29

Topics to be Covered Data Protection

The legislative background

How Data protection regulations work.

Obligations under DPA

8 Compliance principles wit

hDPA

Consequences on non-compliance (Offences,Enforcement and penalties)


3/29

Importance of DPA

` All contemporary business organisations have the need

or desire to keep or gather information about peoplewhether they are existing customers or potentialcustomers.

` There are legislation which dictate how this informationis gathered and utilised.

` With the risks posed by problems like identity theft andpersonal information disclosure, people are increasinglyaware of the sensibility of personal information.

` If personal information are disclosed, or unlawfully

gath

ered, th

is can led to criminal conviction (companyoffice holders or employees), and this conviction willhave a negative effect on the organisation'simage/reputation


4/29

The Legislative Landscape

` The main aim of DPS is that: Members of theorganisation shall protect the fundamental rightsand freedoms of natural persons and in particular,their rights to privacy in respect of processing ofpersonal data - Article 1 of Data ProtectionDirective.

` DPA needs to provide a framework within which theindividuals rights and freedoms are protected.

` Organisations need to reach an equilibrium betweenArticle 1 of the Directive and the need of organisations for the purpose of business.

` DPA allows companies to hold and process personalinformation, but prevents them from abusing theinfo


5/29

Legislative Background

DPA

Freedom

of

Info

Act

Electronic Commerce

Regulation

Regulationof

Investigatory

P

PowersAct

Human

Rights

Act

Privacyand

Electronic

Comm.

Directive


6/29

Information Commissioner (IC)

` The Information Commissioner is the person whoregulates DP and Freedom of info in the UK.

`He seeks for breaches to DPA` The IC also gives recommendations on how Data

Controllers should comply.` The Data Controllers is the person who

determines the purpose for which data are to beprocessed or the manner in which they areprocessed.

`Data Controllers need to be conversant with DPAand attendant regulations, and guidance fromindustry organisations


7/29

Compliance

` Some bodies have the responsibility of producingindustry standards, and guidance on legalcompliance

` Compliance is either a state of being inaccordance with established guidelines,specifications, or legislation or the process of becoming so. Software, for example, may bedeveloped in compliance with specifications

created by some standards body, such as theInstitute of Electrical and Electronics Engineers(IEEE) and may be distributed in compliance withthe vendor's licensing agreement.


8/29

How Data Protection Regulation Work

`DP laws automatically come into play when the

Data Controller processed personal data.` Personal data is simply data pertaining to a living

individual (a.k.a the Data Subject) who can beidentified by the data in the possession or likely

to come in th

e possession of th

e Controller.` Foreign nationals can be data subjects even ifthey have no expectation of being protected byDPA.

`e.g. A company from country X processes all itsdatabases relating to individuals in othercountries in a location in the UK- because theprocessing in carried out in the UK, it will fallwithin the provision of DPA


9/29

Activity

What is the difference between personal data

and sensitive data. Give two examples of each.


10/29

DPA

DPA defines processing as obtaining,

recording, holding or deleting and destroying

the information or carrying out anyoperation or set of operations on the

information.


11/29

Obligations under DPA`The public should know, or at least be able to

know who is processing personal data and towhat means.

`Notification also known as Registration(providing details of the organisation) worksin the interest of : DC as they are able to publicise their activities,

and

Individuals, as they are able to query howpersonal information is being processed, and bywhom.

`DC should also notify IC about the processingbeing done. This process is to be renewedevery month.


12/29

Exemption to requirement of

notification

DC who only process information to

administer their business, and does not have

services using personal information.

Non-Profit Organisations

Data Controllers who do not process

personal information on computer

Organisations that are not data controllers

(e.g. Third Parties who process info on behalf

of DCs)


13/29

Compliance with Data Protection

There are 8 principles for compliance with DPA:

Fair and Lawful obtaining and processing Personal information shall be obtained only for

one or more specified purposes.

Adequate, relevant and not excessive

Personal Data are accurate and kept up-to-date

Information is not to be retained for more timethan it is required for processing.

Processing should be carried out in accordanceto the right of the data subjects

Security

Transfer of data to another country


14/29

Principle 1.

Fair and Lawful obtaining and processing.

To ensure that the gathering and processing of

information to be fair, the following conditionsmust

be met:` The identity of the data controller must beknown.

` The purpose for which the information is to be

processed sh

ould be clearly specified.`Other information relevant in the circumstanceswhereby the info might be disclosed (as this mayaffect the individual's decision to provide thepersonal information)


15/29

Principle 1 Applied online`With information being continuously gathered

online wh

en application or registration forms arebeing filled, the user may not realise thesensitive nature of the information beingrequested. The user will simply tend to fill in afield simply because it is there on the form.

`On websites, all of these must be specified in theprivacy policy, a data protection clause or amarketing opt-out in e-mails.

` The communication of the provision of the fairprocessing should be made prior to the infobeing requested from the data subject.

`DC should check ifThird Parties (e.g. List Brokers)who provide the data should be compliant


16/29

Principle 1

Lawful Processing

The DPA does not actually define the term

lawful processing. The Info Commissionerhowever regards the following methods of

obtaining information as being unlawful:

Breach of confidence Breach of contract

Infringement of Human Right Act or Freedom

ofInformation Act


17/29

Principle 1Conditions for ensuring fair and lawful processing` The consent of the Data Subject must have been

obtained for th

e processing.

` The processing is necessary for the performance of

the contract binding the individual

` The processing is necessary to protect the interest ofthe data subject.

` The processing is necessary for the administration of

justice The processing is required for the DC to comply

withhis own legal obligations (e.g. keeping a registerof shareholders)

` The processing is necessary for the purpose of

legitimate interest pursued by the DC provided these

interest are not detrimental to the data


18/29

Principle 1Should the DC wish to process personal data, he

must satisfy at least one of the conditions listed

below:

` Explicit Consent of the individual

` The DC us required to lawfully process info foremployment purposes

` Processing is required to protect the vital interest of adata subject (e.g. Medical history)

` Processing in connection to exercising or defending legalrights

` Processing for purposes of equal opportunitymonitoring.

` When the Data subject has deliberately been publishedby the individual e.g. parliamentary candidatesbroadcast his own details


19/29

Principle 1The processing can also be carried out without the

consent of th

e individual if:` It is meant to prevent unlawful acts, or undertaken

by police, or processing of political opinions that

are not prejudicial the rights of the individual.

` Necessary for research purposes or provision of

confidential counselling services.

`Processing undertaken by an insurance company orpension provider in connection with medicalunderwriting.


20/29

Consent`An individual must give consent before any

processing ofh

is personal data takes place,unless one of the conditions previously describedhave been met.

` Consent cannot be inferred from the lack ofactivity from the part of the data subject.

` Consent, though not defined in DPA is usuallyconsidered (as per Article 2 of DPD) as 'any freelygiven and informed indication of his wishes bywhich the Data subject signifies his agreement to

personal data relating to him to be processed'

` Consent must be adequate and the Data Subjectshould understand what processing is to takeplace on the data


21/29

Principle 2 & 3Personal information shall be obtained only for

one or more specified purposes.

` In other words, the processing must not beincompatible with its intended purpose. Thesepurposes are specified in a register (belonging to

the

DC) which is usually held by the IC.

Adequate, relevant and not excessive

` The DC should capture only the minimum of

personal information that is needed to properlyfulfil

the purpose of the processing. Information thatare

not used, or not likely to be used sh

ould not bestored.


22/29

Principle 4Personal Data are accurate and kept up-to-date

` Data which are out-of-date are most likely to be

regarded as excessive and irrelevant for theirpurpose.

Exceptions to this principle include:` The information is a snapshot in time and does not

require to be kept up-to-date

` The DC has taken reasonable steps to ensure privacy` The individual has challenged the accuracy and the DChas recorded this.

` The information, whilst inaccurate constitutes anaccurate recorded obtained from the Data Subject or

Third party (implies need for warranty from vendor)


23/29

Principle 5Information is not to be retained for more time

than it is required for processing.

In order to comply with this principle, there is the

need for continuous appraisal of the information, as

well as th

e purpose of its collection.I

n somecircumstances, information can be retained after its

processing based on legal requirements or

reasonable business needs. e.g. Contract: 6 years,

Accounting: 7 years,T

ax purpose and Health

&Safety : much longer, depending on statutory

requirements


24/29

Principle 6

Processing should be carried out in accordance tothe right of the data subjects` Right to access personal information (fee + proper identity

check)

` Right to object to automated Decision Making.

` Individual can request the DC to stop processing, or re-process on the basis of updated info.

` Right to object to direct marketing

` Right to object the certain processing likely to cause damage

` Right to compensation` Right to rectify, block erase or destroy (court order to do the

above on the inaccurate info)


25/29

Principle 7Security

` The DC should take the necessary precautions tosafeguard data against unauthorised access,

processing, disclosure, damage or loss.

` The DPA takes into consideration 2 factors:

` Cost of the security measure with regards to the

nature of the information and the perceived

harm that a security breach could cause

` The state of tec

hnological development at t

histime.

`Dealing with third parties, out-sourcing...

` StaffTraining, firewalls, Physical Security, Access

Controls. + Case Studies


26/29

Principle 8Transfer of data to another country

` DPA prevents private information to be transferred to

another country unless that country ensures anadequate level of protection for the rights and freedomof data of the subjects in relation to processing of personal information.

` Exceptions to the above:

` Transfer is necessary for a contract between the DC andthe subject

` Data Subject is agreeable to the transfer

` It is necessary for a contract with a third party

` It is necessary for substantial public interest` The transfer is authorised by the IC

` The transfer is necessary to court proceedings andhearings...


27/29

Consequence of non-compliance

Òffences under the DPA are criminal and cab be

prosecuted by the office of the IC.Òffences include:

` Processing personal data without notification.

` Failure to notify the IC of changes in registrable

details` Recklessly making a false statement in response

to an information notice is an offence

` Intentional obstruction of someone in execution

of a warrant.Ùnlawful obtaining or disclosure of personal info.

` Enforced Subject Access


28/29

Enforcement & PenaltiesEnforcement

` Upon any breach of DPA, the IC will issue an Information

notice to the DC, asking for information within a definitetime-frame.

` If the IC concludes that there is a breach, an enforcementnotice is issued, and the DC cannot continue his processing.

` The IC can even request for a search warrant if the DC has

refused entry or caused hindrance to the IC.Penalties:

` Though criminal, offences under DPA do not carry custodialsentences. Though the DC, directors, and individualemployees can be help personally responsible for the

offences if the court finds that the offence was committedthrough their neglect, connivance or consent


29/29

Activity

Describe the role on an

Information Commissioner.

Documents

Lecture 5 DPA