Data Protection Flashcards

1
Q

What is DPA

A

Data Protection Act 1998

Designed to implement the EU Data Protection Directive (95/46/EC) in UK law

Protects the rights and freedoms of individuals in the processing of personal data

2
Q

What is Personal Data ?

A

Information that relates to a living individual (the data subject) who can be identified from that data, or from that data together with other information in the possession of (or likely to come into the possession of) the data controller

*Data is valuable

3
Q

What are data controllers?

A

The person or organisation that determines the purposes for which, and the manner in which, personal data are processed (a data processor, by contrast, processes personal data on the controller's behalf)

The DPA applies whenever a data controller processes personal data and/or sensitive personal data

4
Q

What does ‘processing’ involve?

A

Obtaining, recording, holding, retrieving, disclosing or otherwise using data, whether by computer (automated equipment) or by recording it in a structured manual filing system (a "relevant filing system")

5
Q

Give examples of personal data and sensitive personal data

A

Personal Data

  • Name
  • DOB
  • Address

*such information is routinely collected because the client opts in (e.g. by accepting terms and conditions)

Sensitive Personal Data

  • Racial or ethnic origin
  • Political opinions / religious beliefs
  • Commission or alleged commission of criminal offences
  • Sexual life
  • Physical or mental health
  • Trade union membership
6
Q

What are the conditions of the DPA to process data?

A
  • Under the DPA, organisations processing personal data must notify the relevant authority (the Information Commissioner) of the purpose and manner in which they process the data
  • The notification is recorded in a public register which anyone can inspect
  • Conditions for processing sensitive personal data include (at least one must be met):
  • explicit consent obtained from the individual
  • processing required by law (e.g. obligations under employment law)
  • processing necessary to protect the vital interests of the data subject
7
Q

What are the 8 Principles of the DPA

A

(in the order set out in Schedule 1 of the Act)

1) Personal data shall be processed fairly and lawfully
2) Personal data shall be obtained only for one or more specified (registered) and lawful purposes, and shall not be further processed in any manner incompatible with those purposes
3) Personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
4) Personal data shall be accurate and, where necessary, kept up to date
5) Personal data shall not be kept for longer than is necessary for its purpose
6) Personal data shall be processed in accordance with the rights of the data subject under the Act
7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage (a secure environment: e.g. firewalls, access controls, shred bins, clear desk policy)
8) Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection for the rights and freedoms of data subjects

8
Q

State the criteria that must be met by data controllers in relation to:

1) data obtained fairly and lawfully
2) data processed in accordance with individuals' rights
3) secure environment systems

A

1) - the individual has given consent / a suitable system of opt-in or opt-out clauses
- processing is for the purpose of monitoring equal opportunities
- processing is necessary for the performance of a contract with the data subject

2) - privacy
- right of access to personal data (subject access request, fee of up to £10)
- right to object to direct marketing
- right to issue a data subject notice requiring processing to stop if it is causing, or is likely to cause, damage or distress
- right to compensation if the individual has suffered damage
- right to have data rectified, blocked, erased or destroyed

3) if a third-party data processor is used, there must be a written contract under which the data processor acts only on the data controller's instructions, and the controller must take reasonable steps to ensure the processor's security measures are adequate

9
Q

What are the offences of DPA

A
  • processing personal data without having notified
  • failure to notify the Information Commissioner
  • making a false statement in response to an information notice
  • obstructing the execution of a warrant
  • unlawfully obtaining, disclosing or selling personal data
10
Q

Penalties for Non-compliance with the DPA

A

- offences are criminal but do not carry prison sentences (punishable by fine only)

Convictions

  • Magistrates' Court = fine of up to £5,000
  • Crown Court = unlimited fine
  • if the Information Commissioner believes a data controller has not complied with the DPA principles, it can issue an enforcement notice requiring the controller to stop processing or to comply with the principles
11
Q

DPA offshore

A

Many offshore centres have legislation similar to the DPA. This is highly relevant because service providers may be regarded as data controllers in their own jurisdiction

Guernsey (GSY) and Jersey (JSY) have considered creating a single data protection commissioner responsible for both islands: an example of the Crown Dependencies cooperating to provide a more consistent approach, which benefits organisations operating in both

This matters because DPA requirements often overlap with, and sometimes conflict with, other legislation already in force (e.g. AML obligations)

12
Q

Data Protection Law in Jersey

A

Contained in the Data Protection (Jersey) Law 2005

The regulator (the Data Protection Commissioner), the Law Officers' Department and the Joint Financial Crimes Unit (Jersey's FIU) published joint guidance for businesses in response to concerns about the interaction between Jersey's AML and data protection legislation

Concerns:

  • the obligation not to tip off about a SAR (suspicious activity report) that has been made
  • individuals' right to access their data
  • the guidance concluded that, while exemptions from the subject access provisions exist, a business should never assume that they automatically apply to a SAR, or that disclosure of the personal data would lead to a tipping-off offence under the AML legislation
  • when a subject access request is received, the business must carefully consider whether disclosing the information in the SAR would prejudice the prevention or detection of crime, affect the regulation of financial services, or lead to a tipping-off offence

FIU (financial intelligence unit): the authority in a jurisdiction responsible for receiving and dealing with SARs from institutions
