DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE 2016 Saviour Cachia Commissioner for Information and Data Protection
Conception of DPA Council of Europe ETS 108 Convention on the protection of individuals with regard to automatic processing of personal data Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data Data Protection Act CAP. 440 (Laws of Malta)
Why Data Protection? The right to privacy is a fundamental human right. No right is absolute. Data Protection is a means to protect the privacy of persons The Data Protection Act provides for the protection of individuals against the violation of their privacy rights by the processing of personal data. CREATING THE RIGHT BALANCE BETWEEN RIGHTS OF DATA SUBJECTS NEED FOR DATA PROCESSING
What is Data Protection
Basic Definitions Personal Data information relating to an identified or identifiable person Sensitive Personal Data reveals race or ethnic origin, political opinions, religious or philosophical beleifs, trade union membership, health, or sex life Processing collection, recording, organisation, storage, alteration, retrieval, alignment or combination, disclosure, blocking, erasure, destruction Data Subject natural person to whom personal data relates Controller determines processing and means of processing of personal data Processor processes personal data on behalf of a controller
Who s involved Commissioner Data Controller Personal Data Representative Data Subject subject of the personal data - Member of Public - Supplier - Customer - Employee Processor Recipient Third Party
Responsibilities of Controllers Data Controller - has the following responsibilities: Determines the purpose, requirement and criteria. Ensures security measures related to processing. Maintains data quality. Interfaces with the Commissioner. Deals with the Data Subject.
Responsibilities of Processors Processor - processes data as follows: Solely under the authority of the Controller. In accordance with instructions from the controller. As governed by a contract or legal act in written form. Ensures adequate security measures with regards to processing of personal data. Data Controller ultimately responsible for Processor s actions.
Data Subject Rights Be informed of the processing operations (Business details, purpose, disclosure) Gives explicit consent where required Revokes consent on legitimate grounds. Access, rectify and erase data where applicable. Can complain to the Commissioner when aggrieved
Decisions & Appeals IDPC issues Decision/Ruling DP Complainant Appeals Tribunal gives Ruling Court on a point of law Parties aggrieved by a decision can always appeal.
Criteria for Processing DPA Article 9 1. Unambiguous consent or 2. Contract performance or 3. Legal obligation or 4. Vital interests of data subject or 5. Public Interest / Official Authority or 6. Legitimate interest
Data Protection Principles FINALITY Data to be collected for specific, explicit and legitimate purposes and processed in a way compatible with those purposes. TRANSPERANCY Individuals need to know: - what data is being collected about them; - the processing purpose. Transparency is also assured by the right of access and the data controller s obligation to notify the Commissioner about the processing operations.
Data Protection Principles PROPORTIONALITY Personal data must be adequate, relevant and not excessive in relation to the purpose for which such data is processed. ACCURACY Personal data must be kept correct, of good quality and up-to-date. RETENTION Personal data shall not be kept for a period longer than necessary having regard to the purposes for processing. Personal data of a historical value may be retained for a longer period, provided that this is not used for a decision concerning the individual.
Security Measures Technical and Organisational Personal data must be protected against accidental destruction or loss or unlawful forms of processing Adequate level of Security Technical possibilities available Implementation cost Special risks that exist in the processing operation Sensitivity of the personal data Data Protection Awareness training important
Security Measures Paper files: how are they stored overnight or long term? how are they passed around the organisation? how do you keep track of who has them and why? how are they safeguarded if they leave your premises? Computer files: what back up procedures are used for PCs? what procedures are used to manage passwords? who has what levels of access to centrally held computer records, and why? (RBAC model) access monitored by an audit trail?
Privacy Enhancement Technologies (PETS) Some examples of PETs : - Access rights and restrictions (e.g. Restricting copying on external storage devices); - Full audit trail, including, recording of any action performed on a system; - Encryption mechanisms; - Degree of anonymity (use of pseudonyms & anonymisation); - Data minimisation minimise the personal data collected; - Segregation of data (unlinkability); - Automatic deletion of data.
Escalation of DP Issues DP Issue DPO Tech/Legal Advice Solved? Yes No Stop IDPC
Data Protection Architecture Data Protection Act 2001 Data Protection Policy Data Protection Procedures and Guidelines Forms, Files, Records, Databases involving personal data
Implementation Approach Introduce standard procedures for: Recording of new systems to be developed. Providing for flags and audit trail within systems. Ensuring fair and lawful processing: - Manual Forms; - Electronically. Meeting the rights of the data subject. Notifying the Commissioner. Identify adequate security level. Carry out data protection audit. Rectify non-compliances. DP Impact Assessment for new processes.
Contact Details Thank you! Office of the Information and Data Protection Commissioner Tel: (+356) 2328 7100 E-Mail: idpc.info@gov.mt Portal: www.idpc.gov.mt