The Data Protection Act (UK – 1998, Malta – 2001): The DPA concerns the “collection, recording, organization, storage, adaptation, alteration, retrieval, gathering, use, disclosure, blocking, erasure or destruction of personal data”.

The purpose of the Data Protection Act:
a. The purpose of the DPA is to protect living individuals against the misuse of their personal data. Examples of such misuse include exposing personal data without obtaining prior permission from the data subject, holding incorrect and possibly damaging personal information, and unauthorised alteration of personal data.
b. A secondary objective for the introduction of the DPA was to decrease public concerns over the level of confidentiality of their data held at various organisations.

Personal Data & Sensitive Personal Data:
The Act defines Personal Data as any information relating to an identified or identifiable natural person (identifiable both directly, such as through an ID number, and indirectly). “Data Subjects” are the natural persons (i.e. not companies) to whom the personal data relates. The Act also distinguishes Sensitive Personal Data, which refers to personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life; such data is subject to stricter rules.

The 8 Principles of the Data Protection Act which Data Users must comply with:

1. Fair and Lawful Processing:
Personal Data shall be processed fairly and lawfully, provided that the data subject has given permission for the use of the data and has been informed of any other organisations which will use the information and the purpose of such use. In the special case of Sensitive Personal Data, the general rule is that this type of personal data cannot be processed, but the law provides for a number of exceptions, such as:
* Clear permission by the data subject.
* The data subject himself made the data public.
* Compliance with employment law (e.g. sick leave records).
* Non-commercial organisations with political, philosophical, religious or trade union objects.
* For health & hospital care reasons by a medical professional subject to an obligation of professional secrecy.
* For research & statistics, provided this is necessary for the public interest.

2. Use in conformity with purpose of collection:
The Act states that the data is to be processed only for purposes compatible with the reason for which it was collected. This implies that when an organisation intends to sell information to other organisations, data subjects must be informed, the situation explained, and they must at least be given an opportunity to opt out.

3. Adequacy of Data:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed. E.g. eye colour is not required to apply for college.

4. Correctness of Data:
Data controllers are to take reasonable measures to ensure that the data they process is correct and up to date. E.g. end statements asking if any data or information has changed.

5. Duration:
Personal data processed for any purpose shall not be kept longer than is necessary for that purpose. E.g. banks keep personal data about customers for 5 years after closing the accounts.

6. Rights of the Data Subject:
Personal Data shall be processed in accordance with the rights of the data subject which the Act stipulates. For example:
- The data subject is entitled to certain information from the Controller, such as ‘the identity of the controller’, ‘purpose of processing’ and ‘recipients of the data’.
- Access Rights: The Controllers are obliged to provide the Data Subject with information about his personal data which they are processing, given that:
  * The request is made in writing.
  * At reasonable intervals.
  * This information is to be given free of charge.
  However, certain processing is exempt from this requirement. Examples include processing for taxation purposes and criminal investigations.
- Rectification and Erasure: The Data Subject may also demand the correction or erasure of Personal Data not processed according to the Act. The Controller is obliged to inform third parties to whom the Personal Data has been disclosed when such measures are taken.
- Right to Compensation: The data subject has the right to sue for damages due to inaccuracies in data, loss or unauthorised disclosure of data.

7. Security Measures:
The controller is obliged to implement appropriate technical and organisational measures to protect the personal data that is processed against accidental destruction or loss or unlawful forms of processing.
Appropriate – “according to the times” (Maltese: “skond iz-zmien”).
Technical – e.g. firewalls, anti-virus, encryption, mirroring, backups.
Organisational – policies, authorisation, regulations.

8. Prohibition of Transfer of Data:
Personal data shall not be transferred to a country or territory outside the EU, unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Essential Criteria for Processing:
1. Consent: Must be freely given, specific and informed.
2. Necessity: E.g. personal data can be processed without the necessity of consent for the purpose of complying with a contract of employment.
3. Compliance with a legal obligation of the Controller (e.g. for social security, income tax, etc.).
4. Protection of the vital interests of the Data Subject: E.g. disclosure of medical history to a hospital treating a casualty.
5. In the public interest.
6. In the exercise of official authority or administration of justice.
In some cases, the Act allows for revocation of consent – the right for the data subject to ask the data controller to erase personal data when it is no longer required.

Notification:
Controllers are obliged to notify the Data Protection Commissioner of processing operations and to give information about those operations as specified in the Act. This information includes the purpose of processing, a description of the categories of Data Subjects, disclosure, transfer abroad and security measures.

Data Protection Commissioner:
He is appointed by the Prime Minister after consultation with the Leader of the Opposition. He acts independently as a Regulator, has security of tenure/term, has the right to issue orders, to access processed data, to order erasure, the power of search, and to impose administrative fines.