Data Protection Act 2003 & 2018
Emilia Connolly
Both the Data Protection Act 2003 and the Data Protection Act 2018 aim to protect an individual's privacy. These acts give rights to people in relation to their personal data and make clear the responsibilities of those holding and processing it. Personal data is any information that relates to an identified or identifiable living individual, for example:

○ a name and surname
○ a home address
○ an email address
○ location data (for example the location data function on a mobile phone)
○ an Internet Protocol (IP) address
○ a cookie ID
○ the advertising identifier of your phone
○ data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
They provide protection against unwanted or harmful use of such data.
What does the Data Protection Act 2003 state?

Within the Data Protection Act 2003 there are eight rules which govern the processing of personal data:

1. Obtain and process the information fairly
2. Keep it only for one or more specified and lawful purposes
3. Process it only in ways compatible with the purposes for which it was given to you initially
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.
This data can be held on computers or manual files. In order to comply with these rules, the following procedures must be observed at all times.
In relation to rules 1, 2 and 6) Obtain personal data only when there is a clear purpose for doing so, obtain only that which is necessary for fulfilling that purpose and ensure that it is used only for that purpose.

In relation to rule 3) Do not disclose any personal data to any third party without the consent of the data subject.

In relation to rule 4) The Department must protect personal data from unauthorised access when in use and in storage and must protect it from inadvertent destruction, amendment, loss, disclosure, corruption or unlawful processing.

In relation to rule 5) Data subjects have a responsibility to advise the Department of any errors or changes to data. Once informed, it is imperative that the data be amended accordingly.

In relation to rule 7) Data should not be kept for any longer than is necessary for the purpose for which it was collected.

In relation to rule 8) The DP Acts provide for the right of access by the data subject to his or her personal information.

Why was the Data Protection Act 2003 updated?

On 25 May 2018 the General Data Protection Regulation (GDPR) became enforceable across the EU, and the Data Protection Act 2018 was passed to give it effect in Irish law. The GDPR goes further than the Data Protection Act 2003 because it is an EU regulation rather than a directive. A regulation is directly a law in every member state, whereas a directive, which is what the 2003 Act transposed (Directive 95/46/EC), only sets minimum requirements that each state has to write into its own legislation. The GDPR took many years to write and went through thousands of amendments over jurisdictional requirements and smaller issues, but it is now in effect. It applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the data is held. The law was updated because of the boom in social media accounts and digital information: the 1995 directive behind the 2003 Act was written well before the internet became the online business hub that it is today. Consequently, the directive was outdated and did not address many of the ways in which data is now stored, collected and transferred.
Why is it important to protect stakeholders' data?

The public concern over data privacy grows with every data breach. According to the RSA Data Privacy & Security Report, for which RSA surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of consumers said lost banking and financial data is a top concern. Lost security information (e.g. passwords) and identity information (e.g. passports or driving licences) was cited as a concern by 76 percent of the respondents.
An alarming statistic for companies that deal with consumer data is the 62 percent of respondents to the RSA report who say they would blame the company for their lost data in the event of a breach, not the hacker. The report's authors concluded that, "As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data." Lack of trust in how companies treat their personal information has led some consumers to take their own countermeasures. According to the report, 41 percent of the respondents said they intentionally falsify data when signing up for services online. Security concerns, a wish to avoid unwanted marketing, or the risk of having their data resold were among their top reasons. For this reason, it is a top priority for businesses to make sure that consumers know that their data is protected and that the GDPR rules are being followed.

How is it enforced?

The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation, and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations and the EU Directive known as the Law Enforcement Directive. The Data Protection Commission will:

● Monitor and enforce the application of the GDPR
● Promote public awareness of the rules and rights around data processing
● Advise the Government on data protection issues
● Promote awareness among controllers and processors of their obligations
● Provide information to individuals about their data protection rights
● Maintain a list of processing operations requiring a data protection impact assessment
The Data Protection Commission has the power to order any controller or processor to provide the information it requires to assess compliance with the Regulation. It may carry out investigations of controllers and processors in the form of data audits, including accessing the premises of a controller or processor. It can order a controller or processor to change their processes or to comply with data subject requests. The Data Protection Commission can also issue warnings to controllers and processors, can ban processing, and can commence legal proceedings against a controller or processor. The GDPR has also created a new EU-level body, the European Data Protection Board (EDPB), which replaced the Article 29 Working Party. The EDPB is responsible for ensuring that the GDPR is applied consistently across the European Union. It issues guidelines and recommendations on the application of the Regulation, and advises the EU Commission on the application of the Regulation and any updates that may be required.

Penalties

For the most serious infringements (for example, not having sufficient customer consent to process data, or violating the core of the privacy by design concepts) organisations can be fined up to 4% of their annual global turnover or €20 million, whichever is greater. Each member state may introduce further penalty legislation, which is enforceable within that state only. For lesser breaches, organisations in breach of the Regulation can be fined up to 2% of their annual global turnover or €10 million, whichever is greater. Some examples of lesser breaches include: not having records of processing in order, not notifying the supervisory authority and the data subject about a breach, or not conducting a data protection impact assessment.

An example of a GDPR breach:

In January 2019 Google was found by the French supervisory authority, CNIL, to be in breach of the GDPR and was fined €50 million. The decision came just one day before Google Ireland Limited became the "data controller" legally responsible for EEA and Swiss users' information, moving that responsibility from Google LLC in the US to Ireland. Google was found not to be GDPR-compliant for two reasons: 1) data processing for new Android users appeared to happen without valid consent, and 2) the data processing permissions intended to help personalise ads were not transparent enough for users. (The original complaint focussed on the notion of "forced consent".) Google also ticked by default a box that says "I agree to the processing of my information as described above and further explained in the Privacy Policy" when a user creates a new account on their smartphone, without clearly specifying that this consent covers personalised ads not just on Android but across YouTube as well.
"The general architecture of the information chosen by the company does not respect the obligations of the Regulation. Essential information, such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalise the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information," CNIL said in a French-language statement.

Google said it is studying the statement. It added: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."

Varonis's Matt Lock, in an emailed comment, described the fine as likely to "quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower."

"It's not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar; their luck may be running out soon."