ENFR

Archive for category: News

Data Protection vs Health Care Emergencies

/in /by

There are many myths about privacy/data protection, but the most dangerous is the one that says ‘privacy/data protection gets in the way of saving lives.’ This is false, but the misunderstanding of data protection rules has led some officials being reluctant to disclose important personal health data for fear of repercussions. It has also led critics to mistakenly insist that data protection laws are too prescriptive, and governments should ease them to save lives. The truth is that privacy and data protection laws permit disclosure of personal data in cases where it is deemed necessary for individual health and public safety.

The Law makes specific provision for the collection, use and disclosure of personal data by medical professions for medical purposes. It also permits the same for purposes of protecting public health. This means that in circumstances where an individual requires urgent medical treatment, anyone with custody of personal data relevant to that treatment may disclose it to a health professional. In addition, appropriate officials may process the health data of individuals for ameliorating a public health emergency.

If you have custody of personal health data and someone requests it for providing treatment to an individual or for managing a public health emergency, you can disclose it to them. All you need is for them to be able to demonstrate that disclosure of the personal data is necessary to preserve and protect health and that the requestor could fulfil that purpose. If you are unsure, consult your data protection officer or our office. If there is no time to consult anyone, it is likely better to err on the side of caution to save lives. If you operate in good faith to the best of your knowledge, it is unlikely that you will suffer any negative repercussions.

Most jurisdictions across the world have had data protection laws in place for as long as 30 years (Jersey enacted its first piece of data protection legislation in 1987). We have collective experience of what has worked and where there have been unintended consequences. We have shared those experiences and refined our legislation and approach to regulation and enforcement accordingly. As a result, our data protection laws are sensible and consider virtually all of the circumstances where it is in the public interest to permit the processing of data. In any circumstance where you are in doubt, take the option that appears to be the most reasonable to you. It will almost certainly be the case that the data protection law will support that option. It certainly does where health and safety are concerned.

Data Privacy Myths: Cookies

/in /by

Most of the issues concerning cookies do not involve privacy or data protection but rather whether they are malicious, slow down your computer or cause pop-ups. Nevertheless, there are some issues concerning privacy and data protection that some people misunderstand. Many fear that cookies make them personally identifiable and track all their on-line activity, which they make available to the companies that manage websites. Neither of these is true always. It is important to understand what cookies are, how they work and what risks they pose.

What is a cookie?

A cookie is a small text file that a website places on your hard drive for different purposes when you access the website. Some cookies are limited to your one browsing session and disappear automatically when you exit your browser. These cookies do not appear on your hard drive and do not collect information from your computer. Other cookies are permanent, in that they do not disappear when you close your browser. They can identify individual users and track their surfing activities on a particular website. They also track information such as the total number of users, the average time users spend on a page and the overall performance of the website.

Normally, the website you are visiting will place the cookies on your hard drive. These are call ‘first-party’ cookies.  They remember what you have added to your shopping basket or data you have put into on one of their forms. Other companies, such as Google Ads, may also put cookies on your hard drive. These are ‘third-party’ cookies. They are responsible for you seeing adverts for the same thing popping up repeatedly on different sites.

The webserver sets the information contained in the cookie and the server can use it whenever you visit the site. Cookies make your user experience faster and easier by remembering details, such as your preferences, registration details or the contents of a shopping cart. Without cookies, you probably would have to re-enter data every time you returned to the same webpage. They are not computer programmes, and they cannot disseminate viruses or malware.

Cookies and privacy/data protection

What we are interested in from a privacy/data protection perspective is to what extent cookies pose a threat to privacy. With respect to personal data, cookies only collect what users input directly to a website, such as when shopping, or indirectly through their user activities, such as what pages they view. They do not surreptitiously access other information stored on the hard drive of a computer.

The privacy issues relating to cookies involve the information you give the website or what you do while you are on the website and how transparent the companies are about processing it. The website company must be able to demonstrate that they have a lawful basis under the privacy/data protection laws that authorises them to collect this personal data and use it (including to share with third parties). This is one reason many websites ask for consent to use non-essential cookies and the personal data that users provide.

Browsers enable you to control the use of cookies with a variety of settings. Use the one that is right for you. Privacy/data protection laws will govern how the website owner processes your data with cookies. If you believe that a website owner has processed your personal data unlawfully, you may make a complaint to our office. It is important to note that it is possible for web adverts to reflect the browsing history of the web browser without collecting personal data. It will take a detailed investigation to determine whether personal data has been involved and if there has been a contravention of the Law.

 

Data Privacy Myths: Part 3

/in /by

There is a myth that privacy, on one hand, and access to information for the purposes of accountability, on the other, are competing values. I have heard many times that ‘freedom of information and protection of privacy’ is an oxymoron or that they are a contradiction in terms. The comments result from a failure to understand what these concepts actually involve. Both elements are complimentary and necessary for a functioning democratic system of government and the protection of the rights of individuals.

Accountability

Accountability is about holding public officials to account for the expenditure of public funds and (in the data protection world) for holding private businesses to account for their processing of personal data. It requires providing access to information concerning the decisions that public officials make and the personal data that companies process. Privacy is (amongst other things) about protecting the personal information of individuals. I think it is informative to examine the French term for privacy: la vie privée, which translates literally as private life. Public officials must be accountable for their decisions as public officials. On the contrary, all individuals, including public officials, have a right to a private life and to protection of their personal data.

Privacy

Some people mistake the concept of privacy as protecting all types of confidential information. While certain general information can remain protected from disclosure in response to access requests made by data subjects, this has nothing to do with the concept of privacy. Privacy does not apply to confidential business information or communications subject to legal privilege. Privacy generally involves people in their personal, not professional, capacity.

Individuals should have a right of access to information created and managed by public authorities and to their own personal information. This does not include the personal information of officials; the individuals’ families, friends or neighbours; or that of celebrities. Protecting the private lives of individuals does not compromise accountability nor is it necessary to invade the privacy of individuals to ensure that public authorities or companies are accountable.

In fact, an individual’s rights to privacy and to access information are necessary to protect their rights in relation to public authorities and companies. Knowledge is power. When one party has knowledge of confidential information about another party, but not the other way around, it affects the balance of power between them. For democracy to function properly, it is crucial that individuals have access to information about the activities and decisions of public officials. It is equally crucial for individuals to understand what public authorities know about them. Public authorities and private companies possess distinct advantages over individuals in terms of financial and informational resources. Accordingly, individuals require the assistance of access to information and data protection laws to help to address this power imbalance.

A case study example

Here is how an innocent individual can suffer because of this power imbalance. Imagine a university student in England, with a name of Middle Eastern origin, because his great grandfather fought for the British during the First World War and then immigrated to England. The student’s name is the same as someone else who is unjustifiably on a terrorist watch list, and whose birthdate is almost the same. The student is on a scholarship to a university and in his penultimate year of study in politics and Middle Eastern studies. His parents run a large agricultural farm that his great grandfather had established. The student sometimes assists with the running of the farm, because it is in danger of falling into administration.

A week before the final exams for the year, a security services agent decides to undertake a standard routine check up on the terrorist with the same name. Through an administrative oversight, the agent mistakes the student for the terrorist (he misreads the date of birth) and places the student under surveillance instead of the terrorist. The agent can monitor the student’s internet browsing. The agent notes access to websites on Middle Eastern conflicts, terrorism, and bomb making that the student has used for research as part of his coursework. The agent also monitors the student’s movements and obtains video recordings of the student exiting a garden centre with a large supply of an industrial fertilizer for his parents’ farm, which is also a common ingredient in making bombs.

The agent informs the police who arrest the student and invoke the Terrorism Act that them to detain someone suspected of terrorist activity without charge for up to 28 days. The student is detained (despite protesting their innocence) and on the 27th day of their detention, the security services discover their error and release the student without charge. In the meantime, the student has missed his final exam with the result that he has failed his year of courses, requiring him to repeat the year. This results in him losing his scholarship. He also gains an undeserved reputation as a dangerous terror suspect. The incident also has repercussions for his parents that result in them losing the farm. The student’s only potential recourse is an expensive wrongful arrest and unlawful detention claim that he cannot afford to pursue. The police and security services also decline to confirm the student’s explanation of the matter to the university, citing national security reasons.

This is just a fictional account for the purposes of this blog, but it does represent serious issues that individuals can face and to help demonstrate that the unchecked use of highly privacy-invasive law enforcement powers can have devastating consequences for innocent people. That is one reason why it is important that there be rigorous controls in place on the processing of personal data including transparency about how it is used by public authorities. Without those checks and balances, we risk having our society degenerate into a Kafkaesque dystopia.

 

Data Privacy Myths: Part 2

/in /by

Another common myth is that privacy/data protection interferes with the ability of the police to investigate crimes effectively. That is incorrect; there is an exemption in our data protection law to enable the police to collect, use and disclose personal data that is relevant to the prevention, detection or investigation of crime (including the apprehension and prosecution of individuals). The law also permits public authorities and businesses to disclose personal data to the police to assist with any investigation. There is another exemption regarding subject access requests that permits the police to refuse to disclose information that would damage an investigation. Individuals should not use legal rights of access to information to obstruct an active investigation.

Police Investigations

This does not mean, however, that police have unbridled access to personal data. They are able to collate any personal data that is/may be relevant to an investigation, but they are not entitled to conduct a ‘fishing’ expedition without probable grounds. When police request personal data from a public authority or private business, they should provide the organisation with sufficient information to establish that they are conducting a formal investigation. In some cases, quoting a police file number would be sufficient. In other cases, it might be necessary to produce a warrant. Officials disclosing information to police must be able to demonstrate that they had reasonable grounds to believe that the information was relevant to a formal investigation. Officials should not use privacy/data protection as a blanket excuse not to provide information to police. If they are in doubt about whether the law permits disclosure, they should contact their privacy/data protection officer or regulator.

National Security

There is a similar misconception that privacy/data protection laws put national security at risk. All data protection laws make provision for the processing of personal data for purposes of protecting national security. There is no need for new national security laws to override the data protection laws. Current laws enable authorities to collect, use and disclose all of the personal data required to meet their specific needs. Nevertheless, some security services desire the authority to collect information that is not relevant to protecting national security, just in case it might be useful in future. Privacy/data protection laws strike the right balance between preserving national security and protecting the human rights of innocent people. Information should be available on a ‘need to know’ basis, not a ‘just in case it might be useful in future’ basis. Reports from the United States have indicated that personal data collected allegedly for national security purposes has been used for other purposes.

Community Services

Another myth is that community services caring for mutual vulnerable clients cannot share personal data or discuss coordinated care. Whether it involves children or adults, these organisations may share personal data for providing services to their common clients. There may be some cases where the client objects to this sharing. This does not mean that the law prevents sharing their information in these cases. However, service providers should take into account the wishes of the clients when determining whether to share their information. In the context of integrated services to clients, it is useful to draft an information sharing agreement that sets out what information may be shared by which organisations for what purposes. Parties drafting the agreement should involve data protection experts to ensure that that the proposed sharing conforms to the privacy/data protection laws. The agreement is a useful resource for staff in the field to refer to whenever they receive requests to share data.

As we can see from the numerous examples I have provided, fears about the harm of data protection laws are largely unfounded. Drafters took time and effort to examine all the possible circumstances where it would be in the public interest to process personal data, even without the consent of the individual. They consulted widely to ensure the laws would not hamper the provision of important services to individuals and the community in general. They facilitate getting the right information to the right people at the right time for the right purpose. Where problems exist, it is with the understanding about the laws. Some people believe that they prevent certain types of processing that is legal. If you believe that someone is inappropriately preventing the processing of personal data on the grounds of data protection, ask to speak to their data protection officer or call our office.

Data Privacy Myths: Part 1

/in /by

Being informed about our privacy/data protection laws also involves being able to distinguish valid information about them from misinformation. It is important to avoid succumbing to the many myths currently in circulation. These myths include what the laws entail, whom they cover, and how long they have been in place. Many people believe these myths to be true. They have misled individuals to disclose information when they should not, and to refuse to disclose when they should. Some organisations have incurred unnecessary expenses acting on incorrect information about the laws. Therefore, there is great value to dispelling these myths.

Data Protection is a Recent Innovation

One common myth is that privacy/data protection only became a legal requirement with recently. In fact, Canada and Europe have had privacy/data protection laws for more than 30 years. Recent changes to incorporate the European Union’s General Data Protection Regulation (GDPR) included some new provisions, but most of the fundamental requirements for data protection were already included in earlier laws. These included the general rules around the collection, use and disclosure of personal data, as well as the individual rights to request access to and correction of personal data. Most of the recent changes relate to strengthening the powers and effectiveness of data protection regulators. From the viewpoint of public authorities and private businesses, very has little changed, other than there being even more incentive to comply with the existing requirements. If these organisations have already been complying with the previously law, they should not have had to incur any significant new costs or administrative burden to comply with data protection requirements.

Is data protection bad for business?

One of the biggest myths is that privacy/data protection is bad for business: the costs of compliance are onerous and provide no benefits. On the contrary, personal data is an asset with increasing monetary value. It is subject to being lost or stolen, entailing considerable short-term and long-term costs. The short-term costs involve the time and money spent to clean up after a breach. There is also the question of financial liability to the data subjects affected, as well as court costs. The long-term costs are loss of client confidence resulting in loss of business. Our privacy/data protection laws implement a common-sense approach to good data stewardship that reduces the risk of data breaches and minimises the costs of recovering from them. Privacy/data protection should be an integral component of organisational risk management, irrespective of the existence of data protection laws. There is nothing onerous about a requirement to provide adequate security for valuable assets. It is good business practice to collect only the data an organisation truly needs, to use it only for the purpose collected, and to destroy it after it is no longer required. Privacy/data protection is a sound business investment comparable to a prudent insurance policy.

A good privacy/data protection regime can attract new clients for individual businesses and the entire community. An internationally recognised data protection enforcement framework (strong laws and an effective regulator) can better facilitate cross border data transfers. The extensive publicity in recent years that data breaches have received has made the public sceptical about sharing their personal data. Businesses that develop reputations for sound data protection practices gain an edge in the marketplace against their competitors. Trust and confidence are essential for business success, particularly in the digital economy. Privacy/data protection instils confidence and create opportunities for businesses that use personal data.  In summary, privacy data protection actually is good for business in many ways.

 

Employee Surveillance and Biometric Technologies

/in /by

New technologies can help to protect staff and secure assets, but it is important to remember that employees do not lose their privacy rights when they arrive at work. The same rules apply to data of employees as to the data of members of the public. If you are considering using biometric technologies, the data protection requirements are even more extensive. These technologies can provide effective solutions to real problems, but it is important to conduct a proper analysis to ensure that they provide the right solution to the right problem.

In cases where there have been documented incidents of violence against employees by members of the public, CCTV has allowed for the identification of offenders and has acted as a deterrent to others. This does not mean, however, that CCTV is necessary in every workplace. CCTV is highly privacy intrusive and the benefit of using it must outweigh the loss of privacy. The key risk is that it collects personal data on everyone within its field of vision, including individuals who are not the intended targets.

Employers should use it only as a last resort, once less invasive alternatives have failed to resolve the problem, such as physical barriers or additional security staff. Before you implement it, employers should have documented evidence of a continuing risk to the business and/or their employees. They will need to consult their employees beforehand, as surveillance can affect their psychological well-being as well as their human rights. It is also necessary to post signs informing the public of the existence of the surveillance, the purpose of the surveillance and the contact information of an office they may contact if they have questions. There needs to be policies and procedures in place indicating where the technology will be installed, who will have access to the data, how long it will be retained, and what technical safeguards will be in place.

Biometric technologies offer convenience of use and greater certainty of identification. However, they also require the collection of special category data on users, and this requires additional protection. Employers will probably need to conduct a data protection impact assessment prior to implementation. This involves examining the reasons why they think they need this technology and whether these reasons are compelling enough to warrant the invasion of privacy involved. For example, what is the security concern that requires the replacement of a pass card with a fingerprint scan or iris scan? There needs to be a good answer to that question.

Generally, employers should not use CCTV or other surveillance technologies, such as keystroke capturing software on computers, to put their employees under surveillance surreptitiously. The technology is not a replacement for proper in-person management supervision. They should not use it to enforce policy. They should not use it to measure employment performance and make decisions about an employee without an employee being made aware that they are going to be monitored in this way.

The only case where it would be acceptable to monitor employees without making them aware of it would be for the purposes of investigating incidents of wilful damage or theft of assets including data, when employers have exhausted other less-intrusive options. Any actions that could lead to employee discipline should follow standard human resources policies and procedures. Resorting to surveillance technologies precipitously can lead to employment tribunals finding against employers, even in cases where the employers’ suspicions are valid. Always consult a human resources advisor prior to implementing surveillance technologies in the workplace. If you were in the employee’s shoes, how would you feel if you were under surveillance and what would you expect from your employer in such a situation?

Surveillance and biometric technologies can provide innovative solutions to some intractable problems, but they involve their own risks and can create new problems. The transparency principle in data protection laws require notifying people when they are under surveillance. However, the sense of being watched can be unnerving and stressful for employees, and this can adversely affect their work performance. Some may make data protection complaints, and the entire situation could cause conflict and undermine positive working relationships unnecessarily and for no tangible benefit to the business.

Surveillance and biometric technologies, like marriages, should not be entered into unadvisedly or lightly; but reverently, discreetly, advisedly, and soberly.

Are Businesses Legally Responsible for Data Breaches by “Rogue” Employees?

/in /by

Data breaches are costly enough to businesses, even without having to add in regulatory fines and civil litigation awards of damages. Businesses that implement sound data protection programmes can still be vulnerable to breaches caused by employees who deliberately break the law. Clients affected by a breach may attempt to hold the business vicariously liable for the actions of these employees. Fortunately, there are steps that businesses may take that will reduce their civil liability and the chance of an adverse finding by a data protection regulator.

The Supreme Court of the United Kingdom recently held in the case of WM Morrisons Supermarkets plc v. Various Claimants [2020] UKSC 12 that the retail grocery chain Morrisons was not vicariously liable for the actions of a disgruntled former employee who deliberately disclosed the personal data of his colleagues. While the employee originally had legitimate access to the data as part of his employment responsibilities, the Supreme Court found it determinative that the disclosure was not part of his field of activities or an act he was authorised to do; he disclosed the data for his own vengeful purposes and the disclosure was not so closely connected with his legitimate task that it could be properly regarded as being done while acting in the course of his employment. This does not mean courts will never find businesses to be liable for the actions of their employees, as decisions will reflect the circumstances of each case. However, there are certain key factors that the courts and data protection regulators will consider.

Businesses that wish to avoid vicarious liability should have an effective data protection management programme in place. This includes an inventory of all personal data and written policies and procedures relating to the collection, use and disclosure of personal data. They should have reasonable physical and technical security measures in place to ensure the access by employees is strictly on a ‘need to know’ basis and, if feasible, to have an audit trail of any access to relevant information. There should be protocols in place for identifying and responding to breaches. Nevertheless, none of these measures will have any value unless all employees have a sufficient level of awareness. This means providing adequate and regular training for all staff. Finally, it is essential that the executive of the organisation clearly demonstrate to all staff its support for these measures and the importance of implementing them.

The key question in examining the causes of a breach is whether the business had done everything reasonable to prevent it from happening. Determined criminals and employees can circumvent even the strongest security measures, and even the best employees can make mistakes. A good data protection management programme will reduce the risk of that happening and help to mitigate any impact. It will also prevent employees from blaming the business for the fact that they were purportedly unaware that their actions were contrary to the law. The courts will take into consideration the efforts that businesses have made to ensure that their employees comply with the law. This would include measures to prevent employees taking personal data home unless necessary or to prevent ex-employees from using personal data they obtained while working.

Businesses should be able to limit liability in cases where employees abuse personal data for their own financial gain or for pursuing personal vendettas. Nevertheless, businesses might be liable in cases where their employees contravene the law for the sole purposes of furthering the financial interests of the company. That is why it is essential for businesses to be able to demonstrate with documented evidence that they have made all employees aware of what constitutes acceptable data processing and what does not. A strong data protection management programme will assist businesses to achieve that objective.

CCTV Under Scrutiny

/in /by

The use of CCTV has become so commonplace that most people have become oblivious to the risks that it poses. In the right circumstances, CCTV can be effective in protecting property and personal safety. Privacy and data protection laws permit the use of CCTV for the right purpose, with appropriate controls.

Nevertheless, businesses and individuals often use CCTV for purposes where it is excessive to their needs and not effective in that it does not help solve the problem they have. Service providers often promote their products aggressively. Some property developers automatically install it in new buildings, whether prospective tenants even want it. This results in the unnecessary overcollection of personal data that can compromise the rights and freedoms of individuals whose images the CCTV captures. It is important for everyone to understand the risks of CCTV and for data controllers to determine its use to be appropriate before implementing it.

Most people are rightly concerned about their personal security and that of the homes, businesses and assets, and they want to take appropriate and effective measures to protect themselves. CCTV is an attractive option because it is inexpensive and widely available. We assume that it will provide a deterrent to crime because it increases the risk to a perpetrator that law enforcement will apprehend them. However, CCTV often also captures the data of many innocent, law-abiding individuals. This raises the risk of someone abusing that data to compromise the rights and freedoms of those innocent people. In that way, if CCTV recordings fall into the wrong hands, they can facilitate crime, as well as detect it. Moreover, being under video surveillance affects how individuals behave and can become emotionally stressful.

Years ago, when I was investigating complaints about the overuse of CCTV in a block of flats, one of the complainants spoke eloquently about the impact of video surveillance:

Surveillance by video cameras has a different effect than other forms of collection of information. Being under a state of constant observation has real psychological effects. … People react differently to being under surveillance. … They feel self-conscious and nervous. They may feel humiliated, and certainly many are intimidated. There can be a sense of personal violation. The psychological impact of feeling under constant observation can be enormous, incalculable. It causes people to alter their social behaviour. Casual behaviour can no longer be casual. [1]

When we take into account how frequently CCTV captures our images during the course of a day in our cities, we see that this effect can multiply.

The question then becomes how to obtain the benefits of CCTV technology, while avoiding the risks. This involves a two-step process. The first step is to determine whether CCTV is appropriate for a particular purpose. Conducting a data protection impact assessment (DPIA) or privacy impact assessment (PIA) will help to answer this question. CCTV is highly invasive and is appropriate only when all of the following circumstances apply:

  1. There is a documented current issue with respect to personal security or the protection of property.
  2. There is evidence that CCTV will be effective in addressing that issue.
  3. All less invasive measures have been exhausted.
  4. The benefit obtained outweighs the harm of the loss of privacy involved.

It is important to note that the function of CCTV is forensic: that is to say, that it assists in the investigation of crimes. There is nothing in the technology that explicitly prevents crime. It is only the deterrent effect of the expectation that police are more likely to be able to identify the perpetrator of a crime. CCTV does not prevent drunken brawls. Nor does it prevent accidents. Therefore, it is not effective, for example, in ensuring safety around a swimming pool. It has proven effective, however, in deterring shoplifting, which is endemic in the retail sector. It is important to note that CCTV will only deter crime where people are aware of its existence. This requires adequate signage to notify the public of the deployment of CCTV. Privacy and Data Protection laws also require this notification on signs to include the purpose for the collection of personal data and the contact information of the person responsible.

If a DPIA or PIA determines that the four conditions above apply, it is necessary to complete the other elements of the assessment with respect to the deployment of the equipment. This includes such factors as the placement of the cameras, security measures to protect the images in the system, controls on who has access and the retention period for the recordings. The law requires that data controllers limit the collection of data to the minimum required to achieve the objective and limit the use of the data to only the stated purpose. The law prohibits using CCTV recordings, collected for the purpose of personal security or the protection property, for other purposes, except in limited circumstances.

These rules also apply to home surveillance systems and dash cams. Users must take care in positioning cameras to ensure that they do not capture the data of innocent, law-abiding individuals in public places. Dash cams should not be able to record the number plates of passing cars or the faces of passing cyclists. The Data Protection Law includes an exemption for the collection of personal data for domestic or family purposes, but this does not apply to the collection of personal data of members of the public acting lawfully in a public place.

Our privacy and data protection laws supports getting the right information to the right person at the right time for the right purpose. If used properly, CCTV can achieve these goals. However, when used improperly, it can be illegal and do more harm than good. The key message is to resist the allure of technology for its own sake. Conduct a thorough analysis of the existing problem and identify the most effective means to address it. If CCTV is the answer, make sure to implement it with the safeguards that the Law requires.

Data Protection & DPOs

/in /by

An effective Privacy or Data Protection Officer (DPO) is necessary for a successful privacy or data protection programme. Some privacy and data protection laws requires all public authorities and private businesses in certain circumstances formally to designate a DPO. Even in cases where not legally required, it is a good practice to assign to an employee responsibility for overseeing the implementation of the privacy/data protection programme. It does not have to be a standalone position and it is not necessary to give them the formal title. What is advisable is to identify someone with sufficient knowledge of good data protection practices and the operations of the organisation and to ensure that all employees know who they are. Their role is to provide leadership, advice and coordination on developing and implementing policies, procedures and practices that promote good data protection practice within the organisation. This individual will also function as the point of contact for the public or the privacy/data protection regulator to contact with respect to complaints or reports of data breaches.

Communication

The primary function of the DPO is to communicate. They also require a sufficient level of expertise in data protection and knowledge of the organisation. They must assess what the organisation needs to do to ensure compliance with the privacy/data protection laws. They need to communicate that to the executive of the organisation. They should ensure that the organisation implements the direction of the executive and report to executive on the organisation’s progress. They need to help ensure that all employees receive a level of data protection training that is commensurate with the type and sensitivity of the personal data that they work with.

They are also the resident expert on data protection and the point of contact for the outside world. Employees with questions or concerns about the processing of personal data should be able to contact the DPO for advice. When individuals want to make subject access requests or complain about the processing of their personal data, they should have access to contact information about the DPO. They are also the first point of contact for our office in the event we receive a complaint about their organisation or hear about a breach.

Contracting out

Some organisations have chosen to contract with a professional DPO or company that provides DPO services. While this might prove effective for smaller organisations with limited data processing and limited available resources, there are concrete advantages to an in-house DPO. It is important for the DPO to be knowledgeable about the structures, operations and data holdings of the organisation. It is difficult for an external DPO to obtain that knowledge. Moreover, it is critical that the executive and employees of an organisation develop a strong relationship with the DPO based on trust. For a data protection programme to function effectively, the DPO must be privy to confidential information. Executive and employees must be comfortable divulging sensitive information and asking for advice. They need to be able to trust that when the DPO tells them that certain data protection measures are necessary that they truly are necessary. Working together daily helps to foster the right kind of relationship. Executive needs to know that the primary loyalty of the DPO is to the organisation, and an employment relationship best achieves this. The law also stipulates that if an organisation does decide to contract out the DPO function, that they must be confident that the DPO is able to provide them with the support that they need, when they need it. Remember that whilst the role is contracted out data protection responsibilities and obligations stay firmly in-house.

Operational Independence

Some privacy/data protection laws requires that the DPO receive operational independence, but this does not preclude loyalty to the organisation. The DPO must have the necessary expertise and independence to conduct investigations and research regarding data protection issues and to give valid and reliable expert advice to executive and employees. No one must constrain their ability to fulfil those functions. This does not mean, however, that they should have ultimate authority to make all the decisions. It is right and proper that executive make final decisions about issues such as resourcing, changes to practice and the content of public statements relating to data protection. The DPO must be able to give the executive advice as to how the law applies and what the viable options are. The DPO is not to function as a mole on behalf of the Data Protection Authority. The DPO should have a direct line of sight to the Board and they should have the Board’s support. In cases where the Law requires the organisation to notify the Data Protection Authority about a personal data breach, the DPO should advise on the content of the notification but should not communicate without the approval or delegated authority from the executive.

DPO Function

In addition to public authorities, organisations that monitor the behaviour of individuals or process special category data on a large scale must appoint a formal DPO. Other organisations should delegate the responsibilities of a DPO to one of their employees and ensure that they have the training, resources and executive support required to ensure that they can be effective in assisting the organisation to comply with the Data Protection Law. Organisations have discretion to determine how best to implement this function, depending on its resources and the nature and quantity of the personal data that it processes. Delivering an effective data protection programme is in the best interests of everyone.

 

Email Us

+1 250.588.4494

Twitter

LinkedIn

© 2021 Two Islands | Deux Îles • All rights reserved • Web design by Caorda

Privacy Policy