Data Protection Good Practice Note
This document explains what WALK needs to do to comply with the Data Protection Act 1988 as amended by the Data Protection Amendment Act 2003 (hereinafter collectively referred to as the Acts) and Statutory Instrument Number 535 of 2003, European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (“SI 535/2003”, as amended by SI 526 of 2008), in addition to wider European directives.
WALK must become fully aware of Data Protection. We must comply with the law and be transparent and accountable for how data is processed. To do so we must ensure that staff, clients and volunteers understand their responsibilities, thus affording them and WALK protection from liability.
Registering with the Data Protection Commissioner
While certain categories of data controllers are obliged to register with the Data Protection Commissioner, there is no requirement for not-for-profit charities to register. However, the fact that WALK is not required to register in no way obviates our need to comply with all the requirements of the Acts.
Direct Marketing
Underlying Principles
WALK may engage in a range of activities that could be described as marketing, or that require marketing-based activities to achieve further objectives. Therefore WALK will observe good practice, which suggests that all unsolicited direct contact with individuals be treated as marketing. This would include seeking donations, marketing goods and services, promoting sponsored events, raffles etc.
Opting Out
Data Subjects have the right to require that their data not be used for marketing purposes. It is therefore required by law to make it clear to data subjects when there is an intention to use their data for marketing, and to offer them an opt-out (via a tick-box or an easy-to-use alternative) at the earliest opportunity.
“Opt-in” means you can only market to an individual where you have their explicit consent to do so.
“Opt-out” means that the Data Subject has exercised their right under the legislation and opted to be removed from future marketing or mailing campaigns. It is a breach of Data Protection legislation to continue to use their data for marketing purposes once such an opt-out request has been received.
It is good practice with initial fundraising communications to donors, volunteers and others to include an opt-out clause, and therefore to give the data subject the opportunity to consent to WALK communicating with them on fundraising matters on an ongoing basis or for specific activities. A failure to do so, followed by a subsequent communication, may result in a breach of the Acts.
Sharing Lists
WALK must not share data with other organisations in order for them to carry out their own marketing-type activities. WALK must only obtain lists where it can be guaranteed that those on the list have been given an opportunity to opt out, and which can be guaranteed to be sufficiently up to date. When using a purchased list, WALK must inform the recipient how their details were obtained and provide the required direct marketing options. Purchased lists will not be used to send electronic communications (i.e. emails and texts) to individuals.
A failure to respond by a data subject will be taken to mean they have not opted in to receive further marketing communications.
Any list of groups or contacts held by WALK, even if they are in the public domain, cannot under Data Protection law be sent to other parties for their own use.
Electronic Contact
Under Data Protection and Telecommunications legislation, all electronic marketing (by phone, fax, e-mail or text message) requires consent (opt-in) in all cases. This aspect of Data Protection comes under tighter controls and scrutiny.
Further guidance is available at http://www.dataprotection.ie/d...
GENERAL_GUIDE_FOR_DATA_CONTROLLERS/905.htm
In accordance with the relevant legislation, electronic contact with individuals must be on an ‘opt-in’ basis, and every such communication must contain the means to opt out.
Data Retention
WALK has certain key responsibilities in relation to the information which it keeps on computer or in a structured manual file about individuals. This includes information that WALK may keep on staff and volunteers as well as donors. The Acts are designed to protect an individual’s right to privacy and to ensure that the data held on them is accurate and lawfully obtained, and that there is no unauthorised disclosure of personal data. This applies equally to the personal information held on staff and volunteers.
In relation to retention of personal data, the Acts state that personal information held by data controllers will be retained for no longer than is necessary for the purpose or purposes for which it was obtained. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. However, the Acts do not stipulate specific retention periods for different types of data, and so organisations must have regard to any statutory obligations imposed on them as a data controller when determining appropriate retention periods.
Key Risks
There are key risks for WALK that may lead to data breaches:
Through lack of knowledge and training, data may be inadvertently used without clear consent of the data subject.
Through poor security and access controls, data may get into the wrong hands.
Individuals may be distressed by inappropriate disclosure or by inaccurate or insufficient data.
Breaches may occur because clear boundaries may not exist between departments on what data can be shared.
Data may be used for purposes other than the specific purpose or purposes for which the data was acquired.
Failure to comply with Data Protection rules may lead to heavy penalties.
Definitions
Under the legislation the following definitions are important:
Data
Under the Acts, ‘data’ means information in a form in which it can be processed. Data in this context refers to both automatically and manually processed data. Under the legislation there are different classes of data. They include:
Automated Data refers to information that is processed by means of equipment operating automatically.
Manual Data is defined as information that is recorded as part of a relevant filing system, or with the intention that it will form part of a relevant filing system.
Personal Data means data relating to a living individual who can be identified either directly from the data or from other related information in the possession of the data controller.
Under the Acts, Sensitive Personal Data is defined in specific ways as set out below:
racial or ethnic origin, or political opinions, of the data subject
religious or philosophical beliefs of the data subject
trade union membership or affiliation of the data subject
physical or mental health or condition, or sexual orientation, of the data subject
commission or alleged commission of any offence or offences by the data subject
any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings
Processing
Under the DPA 2003, “processing”, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including:
Obtaining, recording or keeping the information or data.
Collecting, organizing, storing, altering or adapting the information or data.
Retrieving, consulting or using the information or data.
Disclosing the information or data by transmitting, disseminating or otherwise making it available.
Aligning, combining, blocking, erasing or destroying the information or data.
Blocking
Blocking means marking data in such a way that it is not possible to process it for the purposes in relation to which it was marked.
Direct Marketing
Direct marketing includes direct mailing, other than direct mailing carried out in the course of political activities by a political party or its members, a body established by or under statute, or a candidate for election to, or a holder of, elective political office.
Data Subject
The Acts define a data subject as a ‘living individual’ who is the subject of personal data.
Data Controller
The Acts define a ‘Data Controller’ as a person who, either alone or in conjunction with others, controls the contents and use of personal data. ‘Person’ here does not necessarily mean a ‘living individual’, but refers to a ‘legal person’, i.e. an organisation or a nominated representative. It is the intangible entity that controls the organisation, even though it is administered and decided upon by individuals (the Board).
The Acts state that a Data Controller shall, as respects personal data kept by him, comply with the provisions of the Acts. Data Controllers have a great many serious legal responsibilities placed upon them by virtue of the Acts. The provisions are the rules imposed around good information handling, which direct the Data Controller to act, in relation to the personal data held, in a way that has the best interests of the Data Subject at heart.
Data Processor
As defined by the Acts, a Data Processor is a person who processes personal data on behalf of a Data Controller, but does not include an employee of the Data Controller who processes such data in the course of his employment.
The Data Processor processes personal data on ‘behalf’ of the Data Controller, which means the Data Controller cannot abdicate his responsibility to the Data Processor. All of the legal obligations and responsibilities lie with the Data Controller; therefore the Controller still remains liable.
The Acts state that where the processing is conducted by a Data Processor, the Controller must ensure that the processing is conducted in pursuance of a contract which is evidenced in writing or another equivalent form. They go on to state that the contract must contain clauses that the Processor shall act only on the instructions of the Controller, and shall comply with obligations equivalent to those imposed on the Data Controller with respect to the security of the data being processed.
Data Protection Commissioner
The Commissioner is responsible for upholding the rights conferred on individuals by the Acts. He is also responsible for taking enforcement action against Data Controllers who breach or commit offences against the Acts.
Data Protection Officer
The Data Protection Officer is responsible for ensuring that WALK complies with the requirements of the Acts, and for raising awareness among staff of their data protection rights and responsibilities.
Ownership groups
Ownership Groups are defined as those groups who will use common data. Ownership Groups are a way of controlling access to Contact and Organisation records in a more flexible manner than by department alone. Ownership Groups group records together and assign access to them to groups of users or individuals. Access given is not restricted to members of a department. In addition, access can be limited to an individual record. This means that individuals across multiple departments can be given differing levels of access to any one or more records.
For further information
Data Protection Commissioner
The Commissioner is appointed by Government and is independent in the exercise of his or her functions. The Commissioner can be contacted at: Canal House, Station Road, Portarlington, Co. Laois. Ph 1890 252 231 or www.dataprotection.ie
Na... Directory Database
The National Directory Database lists all phone numbers printed in public telephone directories or available through directory enquiries. It also records whether the subscriber has expressed a preference not to receive marketing calls. It applies to voice calls for residential subscribers, and to both faxes and voice calls for business subscribers. All ex-directory numbers are automatically placed on the opt-out register. The NDD does not take instructions from individual subscribers, only from line providers.
The Irish Direct Marketing Association (IDMA)
The IDMA advocates industry standards for responsible marketing, both online and offline.
www.idma.ie