7.) Data Protection Flashcards
What’s the main aim of data protection legislation
To protect individuals from unauthorised use of personal information held on computer and paper records
What’s the history of data protection legislation in Jersey and the U.K?
Data protection legislation stems from the fundamental human right to privacy
In 1950, the council of Europe adopted the European convention on human rights, a ‘convention for the protection of human rights and fundamental freedoms’, which each member state was expected to ratify and implement into their own legislative framework
The convention decreed that every citizen has a right to a private life
Back in the 1970’s, the increasing use of computers prompted concerns about the risks they posed to a citizen’s fundamental right to privacy
In 1981, the council of Europe established basic standards to ensure the free flow of info amongst their members, without infringing on individual’s personal privacy
The UK’s first data protection act was introduced in 1984, and Jersey’s in 1987
Jersey’s 1987 law required both private and public organisations with access to computer held personal data to register with a data protection registrar, who also enforced the law
However, the standards established by the council of Europe in 1981 (to ensure the free flow of info amongst member states, without infringing personal privacy) didn’t explicitly recognise an individual’s right to privacy.
As such, in 1995 the European Commission implemented its directive, aimed explicitly at protecting the right of privacy
In 1998, the UK replaced its 1984 act with the current data protection act 1998, and in 2005 Jersey implemented the data protection (Jersey) law 2005, or the DPJL
The DPJL has been recognised by the European Commission as having ‘ADEQUATE STATUS’, and as a third country outside the EEA, Jersey can now state unequivocally that its data protection regime is compliant with the highest European standards
The DPJL specifies conditions for the processing of data, tightens restrictions on the use of particularly sensitive info and broadens the scope of data to include some paper records
Most significantly with all data protection law across Europe and internationally were the inclusion of basic rules or principles of data handling designed to encourage best data handling practice. These are enforceable principles, and form the bedrock of the DPJL
Its main aim is to protect individual’s rights to privacy, and to ensure they have access to info held about them, and can correct it.
It also protects against excessive collection and unreasonable retention of personal data
What is the main aim of the data protection (Jersey) law 2005, or DPJL
PROTECTS - RIGHTS AND AGAINST
To protect individual’s rights to privacy, and to ensure they have access to info held about them, and can correct it.
It also protects against excessive collection and unreasonable retention of personal data
Describe the data protection (Jersey) law 2005, or DPJL
The DPJL has been recognised by the European Commission as having ‘ADEQUATE STATUS’, and as a third country outside the EEA, Jersey can now state unequivocally that its data protection regime is compliant with the highest European standards
The DPJL specifies conditions for the processing of data, tightens restrictions on the use of particularly sensitive info and broadens the scope of data to include some paper records
Most significantly with all data protection law across Europe and internationally were the inclusion of basic rules or principles of data handling designed to encourage best data handling practice. These are enforceable principles, and form the bedrock of the DPJL
Its main aim is to protect individual’s rights to privacy, and to ensure they have access to info held about them, and can correct it.
It also protects against excessive collection and unreasonable retention of personal data
Define data/personal data/sensitive data, as set out in the DPJL
Data - Manually or electronically recorded info
Personal data - Info about a living individual person who can be identified from that information, or a combination of data which, when brought together, identifies a living person. Info about a company or dead person isn’t covered by the DPJL
To benefit from the provisions of the DPJL, personal info should be biographic, and focus exclusively on the individual.
Sensitive personal data -
REMEMBER THE COMMUNIST STORY
X Racial/ethnic origin
X Political views
X Religious views
X Membership of a trade union
X Health, either physical or mental
X Sex life
X Offences committed, or alleged to have committed
X Criminal convictions or sentences
Info held about an individual falling into any of the above categories requires a much higher level of security and care in its use
Define sensitive personal data, as set out in the DPJL
REMEMBER THE COMMUNIST STORY
The DPJL creates a separate category for more sensitive personal info. These are categorised by a person’s:
X Racial/ethnic origin
X Political views
X Religious views
X Membership of a trade union
X Health, either physical or mental
X Sex life
X Offences committed, or alleged to have committed
X Criminal convictions or sentences
Info held about an individual falling into any of the above categories requires a much higher level of security and care in its use
Define processing, as set out in the DPJL
The carrying out of any operation on any personal info, including obtaining, holding, using or disclosing the info. Essentially, anything you do with personal info is likely to fall within the term ‘processing’
Define data subject, as set out in the DPJL
The person to whom the info relates. This could be a client or member of staff
Define data controller and data processor, as set out in the DPJL
Data controller - The person who, either alone or in common with other persons, determines the manner in which personal info is to be used. Usually the company itself, though can be a sole trader/individual
Data processor - A person (other than an employee of the data controller) who processes personal info on behalf of a data controller
This arrangement will normally occur when a particular function of the business is outsourced to another company, such as HR or customer service administration. In either case, a comprehensive contract should be in place between the two companies, setting out the expectations of the data controller in relation to how the info should be used
Why should organisations appoint a data processing officer, despite it not being a legal requirement of the DPJL
While not a legal requirement of the DPJL, organisations should appoint a data protection officer to ensure compliance with the legislation
This may be a person within an existing compliance team, or a specific person with a suitable data protection qualification, or experience
Their duties will include training and educating employees on their responsibilities and obligations under the DPJL, so the individual taking on the role must be experienced
Describe the eight data protection principles of the DPJL
X Info must be obtained and processed fairly and lawfully
X Info can only be held for the specified purpose for which it has been gathered, and shouldn’t be further processed in any manner incompatible with that purpose
X Info must be adequate, relevant and not excessive for the purpose
X Info must be accurate and up to date
X Info mustn’t be kept for longer than necessary for that purpose
X Personal data shall be processed in accordance with the rights of data subjects under the law
X Adequate technical and organisational measures should be taken against unauthorised and unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data
X Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data
Describe the data protection procedures that the DPJL advises organisations to put into place
Procedures should be put in place regarding the:
O Handling
O Use
O Manner
…in which data is accessed and maintained, as well as data security, access to info and the retention and weeding of personal info
Why might a financial institution require personal data from a customer
The customer must be made aware from the first contact that the financial institution will require significant amounts of data in order to:
X Conform to KYC (know your client) regulations
X Provide a suitable and appropriate level of service
X Validate information, possibly from third parties, such as medical records for a life assurance policy
The customer will need to be advised when their phone conversations are being recorded, and for what purposes, in order to ensure compliance with the first data protection principle (info must be obtained and processed fairly and lawfully). The customer will need to be reassured about the confidentiality of the info being maintained
Describe the enhanced rights of customers under the DPJL/data protection (Jersey) law 2005
X Right of access to personal data held about them
X Right to request an organisation stop processing personal data about them which causes harm or distress
X Right to request an organisation stop processing personal data for direct marketing purposes
X Right to request an organisation to ensure that no decisions are taken which significantly affect an individual and are solely based on the processing by automatic means
X Right to compensation for any breach of the law which causes damage or distress
X Right to apply to the court to have inaccurate data rectified, blocked, erased or destroyed
Further details on these rights can be found within part 2 of the DPJL
What are the implications of the DPJL/data protection (Jersey) law 2005 for financial organisations
Organisations must take steps to ensure that they don’t breach the legislation:
X The company must provide the customer with specific info on collecting their personal data, including:
O Identity of the data controller (usually the organisation)
O The purposes for which their personal data will be used
O Any other relevant info, such as any disclosures likely to be made to third parties
X The company must obtain consent to divulge info to other associated companies for the purpose of cross-selling or marketing their products (usually, the client ticks a opt-in or opt-out box for this)
X If the personal data is maintained elsewhere, or via a data holding centre, the customer should be advised of this in the terms and conditions of service
X Any company holding personal info must be registered to hold such data with the relevant data protection authority in that jurisdiction
X The purposes for which they hold the data must be specified
X The data must be accurate and up to date. This would be done either annually, or on an ongoing basis, usually in conjunction with trigger events, such as changes to a customer’s account profile
X The data must be secure, and alternative arrangements in place by way of disaster recovery plans should have something happen resulting in loss of data, whether in a paper or electronic format:
O Data subject access requests should be verified to ensure identification
O Data which the company is obliged to provide must be supplied within 40 days of the request. Note that this is the maximum term, and data should be provided as soon as it’s available
O Employees should be made aware of their obligations and understand what to do should a request for information, known as a subject access request, be received