Introduction to Privacy and Data Protection Part 1
  1. Updating: Updating customer information

Explains what you need to keep in mind when you update customer information.

Updating is Stage 5 of the Information Life Cycle.

 

Personal data:

Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Personal Data must be accurate and correct and must be updated whenever necessary.
  2. Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data.

 

Article 7 – General Obligations of the Controller

The Controller shall:

  1. maintain a special record of Personal Data which must include the data of the Controller and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Controller provides this record to the Office whenever requested to do so.

 

Article 8 – General Obligations of the Processor

  1. maintain a special record of Personal Data processed on behalf of the Controller, which must include the data of the Controller, Processor and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Processor provides this record to the Office whenever requested to do so.

 

Article 20 – Personal Data Security

  1. When evaluating the level of information security provided for in Item (1) of this Article, the following shall be taken into account:
  2. risks associated with Processing, including Personal Data damage, loss, accidental or illegal modification, disclosure or unauthorized access, whether transmitted, stored or processed.

 

  1. Disposal: Disposal of customer or personal information

Highlights the key steps when you are disposing of customer or personal information.

Disposal is Stage 6 of the Information Life Cycle.

 

Refer to Article 5.5., 7.4., 8.7.

 

Processing:

Any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor. Another type is automated processing, which is “processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.”

 

Article 8 – General Obligations of the Processor

The Processor shall:

  1. erase the data after expiry of the Processing period or hand it over to the Controller.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
  2. procedures for correcting, erasing or limiting the Processing and objection to his/her personal data.

 

Article 15 – Right to Correction or Erasure of Personal Data

  1. The Data Subject has the right to request the correction or completion of his/her inaccurate Personal Data held with the Controller without undue delay.
  2. Without prejudice to the legislation in force in the State and what is required by the public interest, the Data Subject has the right to request the erasure of his/her Personal Data held with the Controller in any of the following cases:
    a. if his/her Personal Data is no longer required for the purposes for which it is collected or processed.
    b. if the Data Subject withdraws his/her Consent on which the Processing is based.
    c. if the Data Subject objects to the Processing or if there are no legitimate reasons for the Controller to continue the Processing.
    d. if his/her Personal Data is processed in violation of the provisions hereof and the legislation in force, and the erasure process is necessary to comply with the applicable legislation and approved standards in this regard.
  3. With the exception of what is stated in Item (2) of this Article, the Data Subject has no right to request erasure of his/her Personal Data held with the Controller in the following cases:
    a. if the request is for the erasure of his/her Personal Data related to public health and held with private establishments.
    b. if the request affects the investigation procedures, claims for rights and legal proceedings or defense by the Controller.
    c. if the request conflicts with other legislation to which the Controller is subject.
    d. any other cases set by the Executive Regulations of this Decree Law.

 

  1. Customer Credit reports

Explains the special rules for handling credit reports.

 

Article 2 – Applicability of the Decree Law

  1. The provisions of this Decree Law shall not apply to the following:
  2. banking and credit personal data and information that is subject to legislation regulating the protection and Processing thereof.

 

  1. Case Studies

  Provides the opportunity to apply what you have learnt to business scenarios.

 

What is the law?

The Law applies to the processing of all personal data by controllers and processors located in the UAE whether or not the personal data processing relates to data subjects in the UAE or abroad. It covers the personal data of data subjects residing or working in the UAE.

 

Refer to Article 2.1.

 

The law gives individuals (including customers, staff and suppliers) the right to access and correct personal information about them. Article 5.4, 5.5., 7.4., 8.7., 20.2.a.

It also ensures individuals have the right to make a complaint if they feel that their personal information has been misused.

 

Article 11 – Responsibilities of the Data Protection Officer

  1. The Data Protection Officer shall be responsible for ascertaining compliance by the Controller or Processor with the provisions of this Decree Law, the Executive Regulations thereof, and the instructions issued by the Office. The Data Protection Officer shall, in particular, undertake the following duties and powers:
  2. receiving requests and complaints related to Personal Data in accordance with the provisions of this Decree Law and the Executive Regulations thereof.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
  2. the process of filing complaints with the Office.

 

Article 24 – Filing a Complaint

  1. The Data Subject may file a complaint with the Office if he/she has reasons to believe that any violation of the provisions hereof has occurred, or that the Controller or Processor processes his/her Personal Data in violation of the provisions hereof, in accordance with the procedures and rules established by the Office in this regard.
  2. The Office shall receive the complaints filed by the Data Subject in accordance with Item (1) of this Article and verify them in coordination with the Controller and Processor.
  3. The Office may impose the administrative penalties referred to in Article (26) hereof if it is proven that the Controller or Processor has violated the provisions of this Decree Law or the decisions issued in implementation thereof.

 

 

What other Data Privacy laws are there?

The core topics of this course focus on the above-mentioned law. However, it is not the only source of obligations relating to data protection and the handling of personal and customer data/information.

 

Other Privacy Rules

 

There are several UAE federal level laws that contain various provisions in relation to privacy and the protection of personal data:

  • Constitution of the UAE (Federal Law 1 of 1971)
  • Crimes and Penalties Law (Federal Law 31 of 2021, abrogating Federal Law 3 of 1987)
  • Cyber Crime Law (Federal Law 5 of 2012 regarding Information Technology Crime Control) (as amended by Federal Law No. 12 of 2016 and Federal Decree Law No. 2 of 2018), and
  • Regulating Telecommunications (Federal Law by Decree 3 of 2003 as amended), which includes several implementing regulations/policies enacted by the Telecommunications and Digital Government Regulatory Authority (‘TDRA’) in respect of data protection of telecoms consumers in the UAE.

 

For example, …

  • The UAE Central Bank is responsible for its Consumer Protection Regulation and Standards, and the SVF Regulation.
  • The Ministry of Health and Prevention is responsible for the ICT in Health Fields Law.
  • The Telecommunications and Digital Government Regulatory Authority is responsible for the regulation of its Consumer Protection Regulations.

Why is privacy important?

Privacy scenario 1 of 4

Pauline visits her local Magnet Mart department store to buy a new swim suit. She is unaware that the change rooms in which she is trying on swim suits are monitored by video surveillance.

 

Article 4 – Cases of Processing Personal Data without the Data Subject’s Consent

It is prohibited to process Personal Data without the consent of the Data Subject. However, the following cases, in which Processing is considered lawful, are excluded from such prohibition:

  1. if the Processing is necessary to protect the public interest.
  2. if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject.
  3. if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures.
  4. if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State.
  5. if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State.
  6. if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State.
  7. if the Processing is necessary to protect the interests of the Data Subject.
  8. if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws.
  9. if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract.
  10. if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers.
  11. any other cases set by the Executive Regulations of this Decree Law.

 

In this case, video surveillance in a changing room is prohibited without consent.

 

Privacy scenario 2 of 4

Magnet Mart’s procedures say that the video surveillance tapes and all copies must be erased after 7 days. However, the security guards who monitor the video regularly extract digital copies of the more revealing or embarrassing footage, and email them to co-workers.

 

Article 8 – General Obligations of the Processor

The Processor shall:

  1. erase the data after expiry of the Processing period or hand it over to the Controller.

 

Privacy scenario 3 of 4.

One of the guards, Julian, accidentally emails the footage to a distribution list that includes people outside the company. Within hours, the email is travelling around the country and eventually reaches a number of Pauline’s co-workers.

The next day a news story features Pauline complaining about Magnet Mart’s misuse of video surveillance footage. Following this the Privacy Commissioner publicly announces that there will be an investigation. Pauline also seeks compensation for the humiliation she has suffered.

 

Article 23 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is not an Adequate Level of Protection

  1. With the exception of what is stated in Article (22) hereof, Personal Data may be transferred outside the State in the following cases:
  2. In countries where there is no data protection law, Establishments operating in the State and in those countries may transfer data under a contract or agreement that obliges the Establishment in those countries to implement the provisions, measures, controls and requirements set out herein, including provisions related to imposing appropriate measures on the Controller or Processor through a competent supervisory or judicial authority in that country, which shall be specified in the contract.
  3. The express Consent of the Data Subject to transfer his/her Personal Data outside the State in a manner that does not conflict with the security and public interest of the State.
  4. If the transfer is necessary to fulfill obligations and establish, exercise or defend rights before judicial authorities.
  5. If the transfer is necessary to enter into or execute a contract between the Controller and Data Subject, or between the Controller and a third party to achieve the Data Subject’s interest.
  6. If the transfer is necessary to perform a procedure relating to international judicial cooperation.
  7. If the transfer is necessary to protect the public interest.
  8. The Executive Regulations of this Decree Law shall set the controls and requirements for the cases referred to in Item (1) of this Article, which must be met for transferring Personal Data outside the State.

 

Article 25 – Grievances against the Office’s Decisions

Any concerned party may submit a written grievance to the Office General Manager against any decision, administrative penalty or procedure taken against him/her by the Office, within thirty (30) days from the date of being notified of such decision, administrative penalty or procedure. The grievance shall be decided on within thirty (30) days from the date of its submission.

Any decision issued by the Office in implementation of the provisions hereof may not be appealed without filing a grievance against it. The Executive Regulations of this Decree Law shall set the procedures for filing grievances and deciding thereon.

 

In this case, emailing the complaint to a list of people outside of the company is unlawful. Pauline can sue for compensation.

 

Privacy scenario 4 of 4.

Julian and the other implicated employees are hauled before the Magnet Mart HR Director. After a speedy investigation, they are summarily dismissed.

In response to the public outcry, Magnet Mart is forced to discontinue video surveillance and return to more costly and less effective methods of preventing shoplifting. Despite these steps and the frantic efforts of Magnet Mart’s PR consultants, customers are unsettled by the reports and stop shopping at Magnet Mart. The company’s profits and share price suffer accordingly.

 

The importance of having laws which protect your privacy

After reading this scenario you can see why privacy laws are important!

They exist to protect individuals from the misuse of personal information by requiring entities to:

  • tell people what they will do with their personal information.
  • in some cases, ask them for their consent.

 

Refer to Article 4, 7.4., 8.6., 23.1.a, 23.1.b, 23.1.c, 23.1.d, 23.1.e, 23.1.f

Refer to the definitions of profiling, and cross-border processing.

 

Consent:

The consent given by a Data Subject to authorize third parties to process his/her Personal Data, provided that such consent is a specific, informed and unambiguous indication of the Data Subject’s agreement to the Processing of his/her Personal Data, by a statement or by a clear affirmative action.

 

Article 2 – Applicability of the Decree Law

  1. The provisions of this Decree Law shall not apply to the following: a. government data.
    1. health personal data that is subject to legislation regulating the protection and Processing thereof.
    2. banking and credit personal data and information that is subject to legislation regulating the protection and Processing thereof.
    3. companies and institutions located in the free zones of the State and are subject to special legislation on Personal Data Protection.

 

Article 3 – Office’s Power of Exemption

Without prejudice to any other competencies established for the Office under any other legislation, the Office may exempt those Establishments that do not process a large amount of Personal Data from all or some of the requirements and conditions of the provisions of Personal Data Protection stipulated herein, in accordance with the standards and controls set by the Executive Regulations of this Decree Law.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
  2. The Controller must be able to prove the Consent of the Data Subject to process his/her Personal Data in the event that the Processing is based on such Consent.
  3. The Consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form.
  4. The Consent must indicate the right of the Data Subject to withdraw it and that such withdrawal must be easily made.
  5. The Data Subject may, at any time, withdraw his/her Consent to the Processing of his/her Personal Data. Such withdrawal shall not affect the legality and lawfulness of the Processing made based on the Consent given prior to the withdrawal.

Article 7 – General Obligations of the Controller

The Controller shall:

  1. take the appropriate technical and organizational measures and procedures to apply the necessary standards to protect and secure Personal Data, in order to maintain its confidentiality and privacy and to ensure that it is not infringed, damaged, altered or tampered with, taking into account the nature, scope and purposes of Processing and the potential risks to the confidentiality and privacy of the Personal Data of the Data Subject.
  2. maintain a special record of Personal Data which must include the data of the Controller and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Controller provides this record to the Office whenever requested to do so.

 

Article 8 – General Obligations of the Processor

The Processor shall:

  1. apply the appropriate technical and organizational measures and procedures to protect Personal Data at the design stage, both when defining the means of Processing or during the Processing itself, taking into consideration the cost of applying such measures and procedures and the nature, scope and purposes of the Processing.
  2. protect and secure the Processing operation and secure the media and electronic devices used in the Processing and the Personal Data stored therein.
  3. maintain a special record of Personal Data processed on behalf of the Controller, which must include the data of the Controller, Processor and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Processor provides this record to the Office whenever requested to do so.

 

Article 11 – Responsibilities of the Data Protection Officer

  1. The Data Protection Officer shall be responsible for ascertaining compliance by the Controller or Processor with the provisions of this Decree Law, the Executive Regulations thereof, and the instructions issued by the Office. The Data Protection Officer shall, in particular, undertake the following duties and powers:
  2. providing technical advice related to the procedures of periodic evaluation and examination of Personal Data Protection systems and intrusion prevention systems of the Controller and Processor, documenting the results of such evaluation, and providing appropriate recommendations in this regard, including risk assessment procedures.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
    1. protection measures for Cross-Border Processing made in accordance with Articles (22) and (23) hereof.
    2. The Controller may refuse the Data Subject’s request to obtain the information stated in Item (1) of this Article, if it is found out that:
    3. the request may adversely affect the efforts of the Controller to protect information security.

 

Article 14 – Right to Request Personal Data Transfer

  1. The Data Subject has the right to obtain his/her Personal Data provided to the Controller for Processing in a structured and machine-readable manner, so long as the Processing is based on the Consent of the Data Subject or is necessary for the fulfillment of a contractual obligation and is made by automated means.

 

Article 15 – Right to Correction or Erasure of Personal Data

  1. Without prejudice to the legislation in force in the State and what is required by the public interest, the Data Subject has the right to request the erasure of his/her Personal Data held with the Controller in any of the following cases:
    a. if his/her Personal Data is no longer required for the purposes for which it is collected or processed.
    b. if the Data Subject withdraws his/her Consent on which the Processing is based.

 

Article 16 – Right to Restrict Processing

  1. Notwithstanding the provisions of Item (1) of this Article, the Controller may proceed with the Processing of the Personal Data of the Data Subject without his/her Consent in any of the following cases:
  2. if the Processing is limited to storing Personal Data.
  3. if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial procedures.
  4. if the Processing is necessary to protect the rights of third parties in accordance with the legislation in force.
  5. if the Processing is necessary to protect the public interest.

 

Article 18 – Right to Processing and Automated Processing

  1. Notwithstanding the provisions of Item (1) of this Article, the Data Subject may not object to the decisions issued with respect to Automated Processing in the following cases:
  2. if the Data Subject has given his/her prior Consent on the Automated Processing in accordance with the conditions set out in Article (6) hereof.

 

  • generally, handle that information in a way which protects the privacy of the information.

 

Article 21 – Assessment of Personal Data Protection Impact

  1. Subject to the nature, scope and purposes of Processing, the Controller shall, before making the Processing, assess the impact of the proposed Processing on Personal Data Protection, when using any of the modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of the Data Subject.
  2. The assessment provided for in Item (1) of this Article must include, at a minimum, the following:
  3. clear and systematic explanation of the impact of the proposed Processing on Personal Data Protection and the purpose of such Processing.

 

Article 22 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is an Adequate Level of Protection

Personal Data may be transferred outside the State in the following cases approved by the Office:

  1. if the country or territory to which the Personal Data is to be transferred has special legislation on Personal Data Protection therein, including the most important provisions, measures, controls, requirements and rules for protecting the privacy and confidentiality of the Personal Data of the Data Subject and his/her ability to exercise his/her rights, and provisions related to imposing appropriate measures on the Controller or Processor through a supervisory or judicial authority.
  2. if the State accedes to bilateral or multilateral agreements related to Personal Data Protection with the countries to which the Personal Data is to be transferred.

Without such laws, businesses could misuse personal information, as in the scenario you have just read.

 

Complaints and Penalties

Should a person believe that their personal information has been handled inappropriately, the law allows for them to make a complaint. Data subjects can file a complaint with the Data Office if they have reason to believe that the Law has been breached by a controller or processor.

Controllers must, on becoming aware of any personal data breach that would “prejudice the privacy, confidentiality and security of a data subject’s personal data”, inform the Data Office of the breach and any investigation conducted into the breach. The Law sets out details to be included in any notification and the executive regulations will add further details, including any reporting period. The controller must also notify the data subject of the breach and there is no higher threshold (e.g. high risk) for any such data subject notification than that which is set for notifying the Data Office. Processors must inform the controller of any breach as soon as they become aware of it.

 

Article 11 – Responsibilities of the Data Protection Officer

  1. The Data Protection Officer shall be responsible for ascertaining compliance by the Controller or Processor with the provisions of this Decree Law, the Executive Regulations thereof, and the instructions issued by the Office. The Data Protection Officer shall, in particular, undertake the following duties and powers:
  2. receiving requests and complaints related to Personal Data in accordance with the provisions of this Decree Law and the Executive Regulations thereof.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
  2. the process of filing complaints with the Office.

 

Article 24 – Filing a Complaint

  1. The Data Subject may file a complaint with the Office if he/she has reasons to believe that any violation of the provisions hereof has occurred, or that the Controller or Processor processes his/her Personal Data in violation of the provisions hereof, in accordance with the procedures and rules established by the Office in this regard.
  2. The Office shall receive the complaints filed by the Data Subject in accordance with Item (1) of this Article and verify them in coordination with the Controller and Processor.
  3. The Office may impose the administrative penalties referred to in Article (26) hereof if it is proven that the Controller or Processor has violated the provisions of this Decree Law or the decisions issued in implementation thereof.

 

UAE Data Office

The Data Office will be established under a separate statute (Federal Decree-Law No. 44 of 2021) which was issued contemporaneously with the Law.  The Data Office aims to ensure the fullest protection of Personal Data and is affiliated with the Cabinet. The Data Office is responsible for a range of tasks which include:

  • preparing legislation and policies relating to data protection;
  • proposing and approving mechanisms for data subject complaints and compensation;
  • proposing standards for the monitoring of the data protection legislation;
  • issuing guidance for the full implementation of data protection legislation;
  • imposing administrative penalties.

 

Administrative penalties can be imposed as part of a decision by the Council of Ministers in response to a breach of the Law or the executive regulations and based on a proposal from the Data Office’s Director General. The Law does not specify the range of potential administrative penalties. Data subjects can file a complaint with the Data Office if they have reason to believe that the Law has been breached by a controller or processor.

 

 

Data protection officer:

Any natural or legal person appointed by the Controller or Processor to undertake the responsibilities of ascertaining the compliance of his/her entity with the controls, conditions, procedures and rules for Processing and protecting Personal Data stipulated herein, and ascertaining the integrity of its systems and procedures in order to ensure compliance with the provisions hereof.

 

Article 10 – Appointment of Data Protection Officer

  1. The Controller and Processor shall appoint a Data Protection Officer who has sufficient skills and knowledge of Personal Data Protection, in any of the following cases:
    1. if the Processing would cause a high-level risk to the confidentiality and privacy of the Personal Data of the Data Subject as a result of adopting technologies that are new or associated with the amount of data.
    2. if the Processing will involve a systematic and comprehensive assessment of Sensitive Personal Data, including Profiling and Automated Processing.
    3. if the Processing will be made on a large amount of Sensitive Personal Data.
  2. The Data Protection Officer may be employed or authorized by the Controller or Processor, whether inside or outside the State.
  3. The Controller or Processor shall specify the contact address of the Data Protection Officer and notify the Office thereof.
  4. The Executive Regulations of this Decree Law shall specify the types of technologies and criteria for determining the amount of data required in accordance with this Article.

 

Article 11 – Responsibilities of the Data Protection Officer

  1. The Data Protection Officer shall be responsible for ascertaining compliance by the Controller or Processor with the provisions of this Decree Law, the Executive Regulations thereof, and the instructions issued by the Office. The Data Protection Officer shall, in particular, undertake the following duties and powers:
    1. verifying the quality and validity of the procedures adopted by both the Controller and Processor.
    2. receiving requests and complaints related to Personal Data in accordance with the provisions of this Decree Law and the Executive Regulations thereof.
    3. providing technical advice related to the procedures of periodic evaluation and examination of Personal Data Protection systems and intrusion prevention systems of the Controller and Processor, documenting the results of such evaluation, and providing appropriate recommendations in this regard, including risk assessment procedures.
    4. acting as a liaison between the Controller or Processor, as the case may be, and the Office regarding their implementation of the provisions of Personal Data Processing stipulated herein.
    5. any other duties or powers specified under the Executive Regulations of this Decree Law.
  2. The Data Protection Officer shall maintain the confidentiality of the information and data received thereby in implementation of the duties and powers given thereto pursuant to the provisions of this Decree Law and the Executive Regulations thereof and in accordance with the legislation in force in the State.

 

Article 12 – Obligations of the Controller and Processor towards the Data Protection Officer

  1. The Controller and Processor shall provide all means to ensure that the Data Protection Officer performs the responsibilities and duties assigned thereto, as stipulated in Article (11) hereof, in a proper manner, including, in particular, the following:
    1. ensuring that he/she is appropriately and timely engaged in all matters relating to Personal Data Protection.
    2. ensuring that he/she is provided with all the necessary resources and support to perform the duties assigned thereto.
    3. not to terminate his/her service or impose any disciplinary penalty for a reason related to the performance of his/her duties in accordance with the provisions hereof.
    4. ensuring that he/she is not assigned to duties that lead to a conflict of interest with the duties assigned thereto hereunder.
  2. The Data Subject may communicate directly with the Data Protection Officer for any matters related to his/her Personal Data and the Processing thereof in order to exercise his/her rights in accordance with the provisions hereof.

 

[1] At the date of writing this material, the Data Office responsible for administering and enforcing the PDPL has not yet been established.

 

 

 

Personal data/information

At the completion of this topic you will be able to:

  • Provide examples of information that your organization typically handles.
  • Identify which information the Law applies to.
  • Categorize information as non-personal, personal, or sensitive information.
  • List the stages of the Information Life Cycle.
  • Briefly explain the Privacy Principles.
  • Explain how the Information Life Cycle and the Privacy Principles fit together.

Before starting this training please complete the Registration Form below and then click Submit when you have finished.

 

  • Full Name:
  • Address:
  • Phone [Home]:
  • Date of Birth:
  • Place of Birth:
  • Occupation:
  • Salary: AUD
  • Employer:
  • Medical Conditions/Restrictions:

   

 

When personal data is collected through a registration form like this one, the process is generally considered “Automated Processing”, since the data is collected and processed by computer/electronic means.

 

Automated Processing:

Processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.

 

Profiling:

A form of Automated Processing consisting of the use of Personal Data to evaluate certain personal aspects relating to a Data Subject, including to analyze or predict aspects concerning his/her performance, economic situation, health, personal preferences, interests, behavior, location, movements or reliability.

 

Your personal information

 

  • What was your reaction to being asked to complete the Registration Form?
  • Did you wonder why this information was being collected?
  • Did you provide accurate information?
  • Did you provide all the information requested?
  • Did you wonder how this information was going to be used?

 

 

You have a right to know

If you are providing personal information you have a right to know:

  1. why the information is being collected
  2. how it is to be used, and
  3. whether it will be disclosed to other parties.

You have this right and so do your colleagues and customers. This is why the best rule of thumb with privacy is to ask: “Would I be happy with information about me being handled in this way?”

 

According to Article 13 – Right to Obtain Information:

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
    1. the types of his/her Personal Data that is processed.
    2. purposes of Processing.
    3. decisions made based on Automated Processing, including Profiling.
    4. targeted sectors or establishments with which his/her Personal Data is to be shared, whether inside or outside the State.
    5. controls and standards for the periods of storing and keeping his/her Personal Data.
    6. procedures for correcting, erasing or limiting the Processing and objection to his/her personal data.
    7. protection measures for Cross-Border Processing made in accordance with Articles (22) and (23) hereof.
    8. procedures to be taken in the event of a breach or infringement of his/her Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of his/her Personal Data.
    9. the process of filing complaints with the Office.
  2. In all cases, the Controller shall, before starting the Processing, provide the Data Subject with the information stated in Paragraphs (B), (D) and (G) of Item (1) of this Article.
  3. The Controller may refuse the Data Subject’s request to obtain the information stated in Item (1) of this Article, if it is found out that:
    1. the request is not related to the information referred to in Item (1) of this Article or is excessively repetitive.
    2. the request conflicts with the judicial procedures or investigations made by the competent authorities.
    3. the request may adversely affect the efforts of the Controller to protect information security.
    4. the request affects the privacy and confidentiality of the Personal Data of others.

 

Establishment:

Any company or sole proprietorship established inside or outside the State, including companies which the federal or local government partially or wholly owns or has a shareholding therein.

 

State:

Within the United Arab Emirates.

 

Data Subject:

The natural person who is the subject of the Personal Data.

 


 

So what about the personal information you entered on the Registration Form?

 

What we did with your personal information

The law prohibits us from collecting the information in the Registration Form without giving you certain information, and getting your consent.

 

Consent:

The consent given by a Data Subject to authorize third parties to process his/her Personal Data, provided that such consent is a specific, informed and unambiguous indication of the Data Subject’s agreement to the Processing of his/her Personal Data, by a statement or by a clear affirmative action.

 

Therefore, the information was immediately deleted when you clicked ‘Submit’.

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
    1. The Controller must be able to prove the Consent of the Data Subject to process his/her Personal Data in the event that the Processing is based on such Consent.
    2. The Consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form.

 

What information do entities typically handle?

Organizations typically collect, store, use and disclose a variety of information, including:

  • information about their customers (for example, their names and contact details)
  • details of transactions
  • information about employees
  • information about suppliers, and
  • financial information, such as budgets, revenues and expenses.

Some, but not all, of this information is regulated by the law.

 

What information does the law apply to?

 

To understand when the law applies it is useful to think of the information handled by your organization according to the following three categories:

 

Personal Information

 

Personal information means any information or opinion about an identifiable individual. It does not matter whether or not the information is true. The person does not need to be named for it to be personal, so long as the person’s identity is apparent, or can reasonably be ascertained, from the information or opinion.

 

Personal Information:

Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural, or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

 

Sensitive information

 

Sensitive information is a sub-set of personal information, and is defined in the Law as:

  • information or an opinion about an individual’s:
    1. racial or ethnic origin
    2. political opinions
    3. membership of a political association
    4. religious beliefs or affiliations
    5. philosophical beliefs
    6. membership of a professional or trade association
    7. membership of a trade union
    8. sexual preference or practices
    9. criminal record, or
  • health information about an individual, including their use of health services.

 

 

 

Sensitive Personal Data:

Any data that directly or indirectly reveals a natural person’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

 

Some other types of personal information which many individuals consider “sensitive” are, nevertheless, not classified as sensitive information under the law. Examples are an individual’s age, silent phone numbers, salary and credit card details.

 

Article 3 – Office’s Power of Exemption

Without prejudice to any other competencies established for the Office under any other legislation, the Office may exempt those Establishments that do not process a large amount of Personal Data from all or some of the requirements and conditions of the provisions of Personal Data Protection stipulated herein, in accordance with the standards and controls set by the Executive Regulations of this Decree Law.

 

Non-personal information

 

Non-personal information is any information that does not fall within the definition of personal information.

Non-personal information may be information that:

  • is permanently de-personalized and cannot be linked with or used to identify an individual
  • is aggregated based on a large number of individual transactions so that no one individual can be identified (e.g. a company’s annual sales figures)
  • relates to a company or some other entity that is not an individual, such as the address of a business.

 

Anonymization:

Anonymization is the Processing of Personal Data in such a way that anonymizes the Data Subject’s identity so that such data can no longer be linked and attributed to the Data Subject and the Data Subject can no longer be identified in any way whatsoever.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature.

 

What are the Data Privacy Principles (DPPs)?

 

The most important part of the law is the Data Privacy Principles or DPPs.

The DPPs set out the rules for the handling of personal data/information.

Here is a brief explanation. You will learn more about the DPPs as you progress through the course.

 

  1. Collection

 

DPP1 contains rules about:

  • what type of personal information organizations can collect
  • how it should be collected
  • who it should be collected from, and
  • what kind of notification the organization has to give the individual when collecting their personal information.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Processing must be made in a fair, transparent and lawful manner.
  2. Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected.
  3. Personal Data must be sufficient for and limited to the purpose for which the Processing is made.
  4. Personal Data must be accurate and correct and must be updated whenever necessary.
  5. Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data.
  6. Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
  7. Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature.
  8. Any other controls set by the Executive Regulations of this Decree Law.

 

Article 8 – General Obligations of the Processor

The Processor shall:

  1. make and carry out the Processing in accordance with the instructions of the Controller and the contracts and agreements concluded between them that specify in particular the scope, subject, purpose and nature of the Processing, the type of Personal Data and categories of Data Subjects.
  2. apply the appropriate technical and organizational measures and procedures to protect Personal Data at the design stage, both when defining the means of Processing or during the Processing itself, taking into consideration the cost of applying such measures and procedures and the nature, scope and purposes of the Processing.
  3. make the Processing according to the purpose and period set therefor, and notify the Controller if the Processing exceeds the set period, in order to extend such period or issue the appropriate directions.
  4. erase the data after expiry of the Processing period or hand it over to the Controller.
  5. not to take any action that would disclose the Personal Data or the results of Processing, except in cases permitted by law.
  6. protect and secure the Processing operation and secure the media and electronic devices used in the Processing and the Personal Data stored therein.
  7. maintain a special record of Personal Data processed on behalf of the Controller, which must include the data of the Controller, Processor and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Processor provides this record to the Office whenever requested to do so.
  8. provide all means to prove abidance thereby to the provisions of this Decree Law, at the request of the Controller or Office.
  9. make and carry out the Processing in accordance with the rules, requirements and controls set by this Decree Law and the Executive Regulations thereof, or as instructed by the Office.
  10. If the Processing involves more than one Processor, the Processing must be made in accordance with a contract or written agreement whereby their obligations, responsibilities and roles related to the Processing are clearly defined, otherwise they shall be held jointly liable for the obligations and responsibilities stipulated in this Decree Law and the Executive Regulations thereof.
  11. The Executive Regulations of this Decree Law shall set the procedures, controls, conditions, and technical and standard criteria related to such obligations.

 

  2. Use and disclosure

 

DPP2 dictates that personal information can usually only be used and disclosed:

  • for the primary purpose for which it was collected
  • for a related secondary purpose the person would reasonably expect, or with the individual’s consent.

Any other use or disclosure must fit one of the specific exceptions listed in DPP2.

 

Refer to Article 8.5.

 

  3. Data quality

 

Under DPP3, organizations must keep personal information in a way that is accurate, complete and up to date.

 

Refer to Article 5.4.

 

  4. Data security

 

Under DPP4, organizations must take reasonable steps to:

  • protect personal information from misuse, loss, unauthorized access, modification or disclosure,

 

 

Article 20 – Personal Data Security

  1. The Controller and Processor shall establish and take appropriate technical and organizational measures and procedures to ensure achievement of the information security level that is commensurate with the risks associated with Processing, in accordance with the best international standards and practices, which may include the following:
    1. encryption of Personal Data and application of Pseudonymization.
    2. application of procedures and measures that ensure the confidentiality, safety, validity and flexibility of Processing systems and services.
    3. application of procedures and measures that ensure the timely retrieval and access of Personal Data in the event of any physical or technical failure.
    4. application of procedures that ensure a smooth testing, evaluation and assessment of the effectiveness of technical and organizational measures so as to ensure the security of Processing.
  2. When evaluating the level of information security provided for in Item (1) of this Article, the following shall be taken into account:
    1. risks associated with Processing, including Personal Data damage, loss, accidental or illegal modification, disclosure or unauthorized access, whether transmitted, stored or processed.
    2. the costs, nature, scope and purposes of Processing, as well as the different potential risks to the privacy and confidentiality of the Personal Data of the Data Subject.

 

  • destroy or permanently de-identify any personal information that is no longer required

 

 

  5. Openness

 

Under DPP5 organizations should have clear and express policies on the management of personal information. These must be provided to any person who asks to see them.

 

Refer to Article 5.1.

 

Article 19 – Communication with the Controller

The Controller shall provide appropriate and clear ways and mechanisms to enable the Data Subject to communicate therewith and request the exercise of any of his/her rights stipulated herein.

 

  6. Access and correction

 

DPP6 gives individuals the right to seek access to their personal information and make corrections. This is subject to certain exceptions allowed by law.

 

Article 15 – Right to Correction or Erasure of Personal Data

  1. The Data Subject has the right to request the correction or completion of his/her inaccurate Personal Data held with the Controller without undue delay.

 

  7. Identifiers

 

Under DPP7 organizations cannot use government identifiers (like Drivers License Numbers and Tax File Numbers) to identify individuals in their own systems. You could not, for example, use a person’s Tax File Number as their Internet Banking Customer Registration Number.

 

Refer to Articles 5.2 and 5.6.

 

  8. Anonymity

 

DPP8 dictates that where practical and lawful, organizations should give individuals the option of not identifying themselves when undertaking transactions with the organization.

 

Refer to Article 5.6.

 

  9. Transborder data flows

 

DPP9 dictates that if personal information travels overseas, privacy protection should travel with it. There are restrictions on transferring personal information to someone else outside Australia without the individual’s consent.

 

Cross-Border Processing:

Dissemination, use, display, transmission, receipt, retrieval, sharing or Processing of Personal Data outside the territory of the State.

 

Article 22 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is an Adequate Level of Protection

Personal Data may be transferred outside the State in the following cases approved by the Office:

  1. if the country or territory to which the Personal Data is to be transferred has special legislation on Personal Data Protection therein, including the most important provisions, measures, controls, requirements and rules for protecting the privacy and confidentiality of the Personal Data of the Data Subject and his/her ability to exercise his/her rights, and provisions related to imposing appropriate measures on the Controller or Processor through a supervisory or judicial authority.
  2. if the State accedes to bilateral or multilateral agreements related to Personal Data Protection with the countries to which the Personal Data is to be transferred.

 

However, there are restrictions that allow the transfer of personal information without the Data Subject’s consent, and these fall under “Article 23 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is not an Adequate Level of Protection”. Item (1): With the exception of what is stated in Article (22) hereof, Personal Data may be transferred outside the State in the following cases:

Section (b) The express Consent of the Data Subject to transfer his/her Personal Data outside the State in a manner that does not conflict with the security and public interest of the State.

 

  10. Sensitive information

 

Under DPP10 organizations are required to get an individual’s consent before collecting “sensitive information” like their racial or ethnic origin, political views and affiliations, religious beliefs, sexual preferences, health information or criminal record.

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
    1. The Controller must be able to prove the Consent of the Data Subject to process his/her Personal Data in the event that the Processing is based on such Consent.

 

Article 10 – Appointment of Data Protection Officer

  1. The Controller and Processor shall appoint a Data Protection Officer who has sufficient skills and knowledge of Personal Data Protection, in any of the following cases:
  2. if the Processing will involve a systematic and comprehensive assessment of Sensitive Personal Data, including Profiling and Automated Processing.
  3. if the Processing will be made on a large amount of Sensitive Personal Data.


 

Article 3 – Office’s Power of Exemption

Without prejudice to any other competencies established for the Office under any other legislation, the Office may exempt those Establishments that do not process a large amount of Personal Data from all or some of the requirements and conditions of the provisions of Personal Data Protection stipulated herein, in accordance with the standards and controls set by the Executive Regulations of this Decree Law.

The exemption underlined above is the exemption from the privacy principles that goes with Article 3 of the data protection law.

 

Processing:

Any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor.

Information Life Cycle

 

The easiest way to think about data protection/privacy requirements is to consider the different things your organization does with data/information. Data/Information typically follows six stages as it moves within your organization: collection, storage, use, disclosure, updating and disposal.

 

Each of the stages is illustrated in this graphic

Information Life Cycle and the DPPs

For each stage of the Information Life Cycle, there are specific DPPs that apply. Some DPPs apply to more than one stage of the life cycle.

In this course, each stage of the Information Life Cycle will be discussed in a separate topic.

Match each category on the left to the corresponding information listed on the right.

 

Categories:

  • Personal
  • Non-Personal
  • Personal and Sensitive
  • Personal
  • Non-Personal

Information:

  • An individual’s name, address and telephone number.
  • An employee’s sick leave certificate.
  • The number of hits on a company web site.
  • Customer John Citizen’s transaction history.
  • A tally of the number of calls received by company.

 

 

Data:

An organized or unorganized set of data, facts, concepts, instructions, views, or measurements, in the form of numbers, letters, words, symbols, images, videos, signs, sounds, maps, or any other form, that is interpreted, exchanged or processed by humans or computers, which also includes information wherever it appears herein.

 

Listed below is information about customer Damian Frasier.

Select the information that would not be classified as Sensitive Information under the law.

 

 

  • Religion – Christian
  • Liberal voter
  • Net wealth – Greater than $250,000
  • Homosexual

 

A brief summary…

 

Types of information

Information can be classified as personal, sensitive and non-personal information.

Personal information identifies an individual, for example their name, address or tax file number.

 

Sensitive information is a subset of personal information. It includes information about a person’s racial/ethnic origins, political/religious beliefs, sexual preference/practices, criminal record, political opinion, membership of a political party or trade union and health information.

Non-personal information is any information that is permanently depersonalized and cannot be linked with or used to identify an individual.

 

Sensitive personal data:

Any data that directly or indirectly reveals a natural person’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

 

Exemptions

 

The following are exemptions from the Privacy Principles, although each exemption will only apply in limited circumstances:

  • Employee records
  • Related bodies corporate
  • Media
  • Political parties and political representatives
  • State/Territory public sector (including contractors)
  • Small business
  • Personal or domestic affairs.

 

Article 3 – Office’s Power of Exemption

Without prejudice to any other competencies established for the Office under any other legislation, the Office may exempt those Establishments that do not process a large amount of Personal Data from all or some of the requirements and conditions of the provisions of Personal Data Protection stipulated herein, in accordance with the standards and controls set by the Executive Regulations of this Decree Law.

Information Life Cycle

Information will typically follow six stages as it moves through the organization: collection, storage, use, disclosure, updating and disposal.

 

Data Privacy Principles

There are specific DPPs that apply to each stage of the Information Life Cycle. Some DPPs apply to more than one stage.

 

Personal data security:

A set of technical and organizational measures, procedures and operations, specified according to the provisions hereof, aimed at protecting the privacy, secrecy, safety, unity, integrity and availability of Personal Data.

 

Collection

At the completion of this topic you will be able to:

  • Provide examples of the types of activities that fall within the Collection stage of the Information Life Cycle.
  • Identify the Privacy Principles relevant to collection.
  • Identify the key steps to ensure personal information is collected in accordance with the Privacy Principles.

 

What is “Collection”?

Collection is the stage of the Information Life Cycle when information first enters your organization. Organizations can collect personal information either:

  • directly from the individual; or
  • from a third party (for example, by obtaining an individual’s details from a direct marketing company).

Even when personal information that was not requested is received by your organization, such as receiving unsolicited correspondence from individuals, this is still considered collection.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected.

 

Typical Activities

 

Typical collection activities include:

  • Obtaining a customer name and address whilst filling in an application either over the phone or in person.
  • Customers entering their registration/member number when entering an Internet site.
  • Gathering customer financial and employment information from the customer’s accountant and employer in connection with a credit application.
  • Receiving resumes from individuals.
  • Using an automated process to gather telephone numbers into a customer database by matching names and addresses with an electronic white pages.

 

Which DPPs are relevant to Collection?

 

Of the six stages in the Information Life Cycle, the Collection stage is the most complex and the most important. This is because taking the time to get things right when collecting information will mean that you and your organization will be able to use the information the way you intended.

 

Five DPPs are relevant when collecting personal data/information.

DPP1 Collection of information

 

PP1 Collection of information contains rules about:

·     what personal information organizations can collect

·     how it should be collected

·     who it should be collected from, and

·     what notification the organization has to give the individual when collecting their personal information.

 

Refer to Article 5.2.

 

DPP3 Data quality

Under PP3 organizations must ensure personal information collected is accurate, complete and up to date.

 

Refer to Article 5.2.

 

DPP5 Openness

 

Under PP5 organizations should have clearly expressed policies on the management of personal information available to any person who asks to see them.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

1.      Processing must be made in a fair, transparent and lawful manner.

 

DPP8 Anonymity

 

This dictates that where practical and lawful, organizations should give individuals the option of not identifying themselves when undertaking transactions with the organization.

 

Anonymization:

Processing of Personal Data in such a way that anonymizes the Data Subject’s identity so that such data can no longer be linked and attributed to the Data Subject and the Data Subject can no longer be identified in any way whatsoever.

 

DPP10 Sensitive information

 

Under PP10 organizations are required to get an individual’s consent before collecting “sensitive information” like their racial or ethnic origin, political views and affiliations, religious beliefs, sexual preferences, health information or request for criminal record.

 

Article 10 – Appointment of Data Protection Officer

1.      The Controller and Processor shall appoint a Data Protection Officer who has sufficient skills and knowledge of Personal Data Protection, in any of the following cases:

a.       if the Processing would cause a high-level risk to the confidentiality and privacy of the Personal Data of the Data Subject as a result of adopting technologies that are new or associated with the amount of data.

b.      if the Processing will involve a systematic and comprehensive assessment of Sensitive Personal Data, including Profiling and Automated Processing.

c.       if the Processing will be made on a large amount of Sensitive Personal Data.

 

Key questions during Collection

 

DPP1 Collection, DPP10 Sensitive Information and DPP3 Data Quality are the most important of the five PPs to consider when collecting personal information.

 

From these DPPs, there are six key questions (below) you should ask yourself whenever collecting personal information:

 

●      Is collecting the information necessary?

 

Organizations should only collect personal information that is necessary for one or more of their functions or activities. They should not collect information just because it might be useful one day. Therefore, be careful of recording unnecessary information in “other comments” or similar sections of forms or databases.

 

For example, a financial institution is unlikely to need to know the marks a customer got at school to provide financial services to the customer.

 

Article 4 – Cases of Processing Personal Data without the Data Subject’s Consent

It is prohibited to process Personal Data without the consent of the Data Subject. However, the following cases, in which Processing is considered lawful, are excluded from such prohibition:

1.      if the Processing is necessary to protect the public interest.

2.      if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject.

3.      if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures.

4.      if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State.

5.      if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State.

6.      if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State.

7.      if the Processing is necessary to protect the interests of the Data Subject.

8.      if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws.

9.      if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract.

10.  if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers.

11.  any other cases set by the Executive Regulations of this Decree Law.

 

●      Is the information complete, accurate, and up to date?

 

Collecting information that tells only half the story is just as bad as collecting information that is incorrect. Both can distort the truth about an individual.

 

For example, imagine if a real estate agent compiled a list of tenants who left properties before the end of their lease, without also recording the reason they left. Even if the tenant had a good reason for leaving, this list might, quite unfairly, make them look like an unreliable tenant.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

4.      Personal Data must be accurate and correct and must be updated whenever necessary.

 

●      Is the information collected by fair and lawful means?

 

Organizations must not use any unlawful method to collect personal information. The method of collection should also be fair. This means:

 

·     the individual should usually be aware that information is being collected about them, and

·     the way the information is collected should not disguise the true purpose of collecting the information.

 

For example, pretending to make conversation with a customer to find out where they live in order to put them on a sales leads database would be unfair collection.

 

Refer to Article 5.1.

 

●      Is the information sensitive information?

 

If the information is sensitive information, you will usually need to answer ‘yes’ to one of the following questions:

·     Has the individual consented?

·     Is the collection required by law?

·     Is the individual incapable of giving consent and the collection is necessary to prevent a serious health and safety threat?

·     Is collection necessary for the defence of a legal claim?

 

Refer to the definition of sensitive personal data

 

●      Who should the information be collected from?

Personal information should usually be collected directly from the individual the information relates to, unless to do so would be impractical or unreasonable.

 

If your organization is collecting from someone else, it must take reasonable steps to try to give notice to the individual concerned that it has done this.

 

 

 

●      What must individuals be told when collecting their information?

Above, you were asked to enter your personal information on a registration form. Recall your reaction to not knowing why the information was being collected and how it was going to be used!

Collection is a two-way process. When an individual hands over their personal information, the organization has to provide notification of its privacy practices.

 

 

Each of the following scenarios involves the handling of personal information.

Read the scenarios that involve the collection of personal information. There may be more than one correct answer.

  • Josie works in funds management and receives a customer’s file sent to her by a mortgage broker. Correct.

 

Feedback: Receiving a customer’s personal information, even when received from a third party and not directly from the customer, is collection of personal information.

 

  • Christopher is amending a customer’s address on the computer. Incorrect.

 

Feedback: This activity occurs within the updating stage of the Information Life Cycle.

  • Kim is completing a credit card application for a customer over the phone. Correct.

Feedback: Kim is collecting personal information from the customer.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
    1. the types of his/her Personal Data that is processed.
    2. purposes of Processing.
    3. decisions made based on Automated Processing, including Profiling.
    4. targeted sectors or establishments with which his/her Personal Data is to be shared, whether inside or outside the State.
    5. controls and standards for the periods of storing and keeping his/her Personal Data.
    6. procedures for correcting, erasing or limiting the Processing and objection to his/her personal data.
    7. protection measures for Cross-Border Processing made in accordance with Articles (22) and (23) hereof.
    8. procedures to be taken in the event of a breach or infringement of his/her Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of his/her Personal Data.
    9. the process of filing complaints with the Office.

 

Which of the following Data Privacy Principles are relevant to the Collection stage?

Choose the five PPs that are relevant to the Collection stage.

  DPP1: Collection

  DPP6: Access and correction

  DPP2: Use and disclosure

  DPP7: Identifiers

  DPP3: Data quality

  DPP8: Anonymity

  DPP4: Data security

  DPP9: Transborder data flows

  DPP5: Openness

  DPP10: Sensitive information

 

 

Chris wants to open a cash management account. He asks Melanie, a customer service officer, what information he must provide to do this.

Which parts of Melanie’s response are things she is obliged under the law to tell customers when collecting information?

There may be more than one correct selection.

“Sir, the (1) Financial Transactions Reports Act requires us to obtain 100-points of (2) ID so that we can identify you. If you don’t provide the ID, (3) we cannot open the account for you.”

“(4) You can access the personal information we hold about you by contacting us on this number.”

“(5) We may also need to ask you further questions after we have opened the account.”

“(6) The organizations we usually disclose this information to are set out in this brochure, and include companies like the mail house we use to print your statements and mail them to you.”

 

Feedback:

  1. Yes, Melanie must advise Chris of the purpose for which the information is being collected.
  2. Yes, Melanie must advise Chris of the purpose for which the information is being collected.
  3. You’re right. Melanie must outline the consequences for the customer if the requested information is not provided.
  4. Good. Chris must be advised that he may have access to personal information the bank/entity holds about him.
  5. Incorrect. While this is good customer service, the NPPs don’t require the bank to tell Chris about information they might request.
  6. Yes. It is very important to inform Chris whom the information will be disclosed to.

 

Read the scenario and then answer the following question.

 

Paul is a real estate agent selling house and land packages at a new housing development called Australia Bay. Aisha comes into the display center and talks to Paul about the sort of home she is looking for and how much she wants to spend. Paul asks her about her finances and Aisha reveals that she earns $43,000 per annum.

Paul is keen to get Aisha’s contact details so he can put her on his sales contacts list, but he wants to be subtle. After all, he doesn’t want to scare her off and lose a possible commission!

Paul and Aisha have the following conversation.

Paul: “Which suburb do you currently live in?”

Aisha: “Campbell.”

Paul: “Oh really? I’ve got a good friend who lives in Campbell. Which street?”

Aisha: “Octavia Street.”

Paul: “Wow. That’s the street he lives in! He’s at number 8 I think. Which one is yours?”

Aisha: “What a coincidence! I’m down the other end, at 53.”

After Aisha leaves, Paul records her address in his sales leads database.

Why is this collection of Aisha’s personal information a problem?

 

Select the correct answers from the list below. There may be more than one correct answer.

1.  The method of collection is unfair

CORRECT: By disguising the fact that he was getting Aisha’s address details, Paul has collected her personal information in an unfair way.

2.  Paul is collecting sensitive information – the amount Aisha earns

INCORRECT: Paul has collected no sensitive information here. Financial information is not treated as sensitive information under the law.

3.  Paul hasn’t given Aisha any privacy notification when collecting her information

CORRECT: Paul hasn’t given Aisha the necessary privacy notification when collecting the information, such as identifying his organization, the way it usually uses personal information, and its usual disclosure practices.

4.  Paul is collecting unnecessary information

INCORRECT: Paul needs this information to follow up with customers who might want to purchase house and land packages.

 

Pam goes to Grand Northern Insurance to apply for home and contents insurance.

From the list below, select the actions that Grand Northern Insurance is required to take under the DPPs. There may be more than one correct answer.

1.   Collect any personal information about Pam that could possibly come in handy later on

INCORRECT: Grand Northern Insurance should only collect information that is necessary for its functions or activities.

2.   Ensure that the personal information it collects is complete

CORRECT: Grand Northern Insurance has an obligation to ensure that the information collected is complete, accurate and up to date.

3.   Explain the reasons for collecting Pam’s personal information

CORRECT: Grand Northern Insurance has an obligation to explain the reasons for collecting personal information from customers.

4.   Only collect sensitive information about Pam if she gives her consent

INCORRECT: Grand Northern Insurance can collect sensitive information if it gets Pam’s consent. However, it can also collect the information without her consent if the collection is required by law, or necessary for the defense of a legal claim, or if Pam is incapable of giving consent and the collection is necessary to prevent a serious health and safety threat.

 

 

A brief summary…

 

ILC

 

Five Privacy Principles apply when collecting personal data/information:

DPP1: Collection

DPP10: Sensitive information

DPP3: Data quality

DPP5: Openness

DPP8: Anonymity

As a result, there is a lot to consider when collecting personal information.

It is important to recognize that what you do in the collection stage of the Information Life Cycle may affect what you can and cannot do in later stages.

There are six key questions you should ask whenever collecting personal information:

  1. Is collecting the information necessary?
  2. Is the information complete, accurate and up to date?
  3. Is the information collected by fair and lawful means?
  4. Is the information sensitive information?
  5. Who should the information be collected from?
  6. What must individual(s) be told when collecting their information?

 

DPP5 & DPP8

 

  • Organizations must have an information management policy that is available on request.
  • Organizations should provide individuals with the option of transacting anonymously, if it is practical and legal to do so.

 

Storage

At the completion of this topic you will be able to:

  • Provide examples of the types of activities that fall within the Storage stage of the Information Life Cycle.
  • Identify the Privacy Principles relevant to storage.
  • Identify the key steps to ensure personal information is stored in accordance with the Data Privacy Principles.

 

What is ‘Storage’?

 

This is the stage of the Information Life Cycle when information is stored within your organization.

Typical storage activities include:

  • hard-copy documents/files stored in an appropriate storage area (for example, in a filing cabinet), and
  • electronic files stored in a computer database.

 

Which DPPs are relevant to Storage?

 

There are two DPPs that are relevant when storing personal information.

 

Data Security

Under DPP4 an organization must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorized access, modification or disclosure.

An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under DPP2.

It is the first aspect of DPP4 that is most important when storing personal information.

 

Article 20 – Personal Data Security

  1. The Controller and Processor shall establish and take appropriate technical and organizational measures and procedures to ensure achievement of the information security level that is commensurate with the risks associated with Processing, in accordance with the best international standards and practices, which may include the following:
    1. encryption of Personal Data and application of Pseudonymization.
    2. application of procedures and measures that ensure the confidentiality, safety, validity and flexibility of Processing systems and services.
    3. application of procedures and measures that ensure the timely retrieval and access of Personal Data in the event of any physical or technical failure.
    4. application of procedures that ensure a smooth testing, evaluation and assessment of the effectiveness of technical and organizational measures so as to ensure the security of Processing.

 

When evaluating the level of information security provided for in Item (1) of this Article, the following shall be taken into account:

a.       risks associated with Processing, including Personal Data damage, loss, accidental or illegal modification, disclosure or unauthorized access, whether transmitted, stored or processed.

b.      the costs, nature, scope and purposes of Processing, as well as the different potential risks to the privacy and confidentiality of the Personal Data of the Data Subject.

 

Identifiers

Under DPP7 organizations cannot use government identifiers (like Driver’s License Numbers and Tax File Numbers) to identify individuals in their own systems. You could not, for example, use a person’s Tax File Number as their Customer Registration Number.

 

Personal data:

Any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

 

Key questions during Storage

When personal information is being stored it is essential to ask yourself the following key questions. In order to comply with the DPPs, you should be able to answer ‘yes’ to each question.

In light of the sensitivity of the information and the risk of a security breach, have we taken reasonable steps to protect the personal information from:

  • misuse?
  • loss?
  • unauthorized access?
  • unauthorized modification?
  • unauthorized disclosure?

 

Organizations have many policies and processes in place to protect the personal information that they hold. These include document management policies, system audit trails and your Organization’s Code of Conduct. The Code of Conduct sets out expectations of employees when handling personal and confidential information. This includes the requirement that employees will only access such information where they have a legitimate work-related reason for doing so. Where information has been inappropriately accessed, disciplinary action may result.

 

Read a case study about the consequences of not storing personal information correctly:

 

  1. A-Line Models is a modeling agency that regularly interviews people to put on its books. During the interview process photos are taken of the candidate for A-Line’s files and impressions of the candidate are recorded.
  2. Monica, the agency’s administrative assistant, decides to clear some space in the filing cabinets. She pulls out all the files of candidates who were not given work with the agency and whose last interview was over 12 months ago. She throws the files in a dumpster in the lane behind the office.
  3. Terry, who works in the building next door, comes into the lane for a cigarette. He notices the files and photos in the dumpster. He pulls a few out and sees that they contain photos of semi-naked models. He also reads some of the interviewer’s comments, which include statements like, ‘No way!’, ‘Nose too big’ and ‘Just awful skin!’
  4. Terry takes a couple of the worst examples and shows them to a friend who works at a national newspaper. The bad publicity about A-Line’s poor information storage practices means that models refuse to work with A-Line and the agency quickly goes out of business.

 

 

Which of the following Privacy Principles are relevant to the Storage stage?

Choose the two DPPs that are relevant to the Storage stage.

  NPP1: Collection

  NPP6: Access and correction

  NPP2: Use and disclosure

  NPP7: Identifiers

  NPP3: Data quality

  NPP8: Anonymity

  NPP4: Data security

  NPP9: Transborder data flows

  NPP5: Openness

  NPP10: Sensitive information

 

Processing:

Any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefore.

 

Complete the following statement. Select your answers and then check your answer.

When storing personal information it must be protected from ______ and ______, and from unauthorized ______, modification and ______.

 

Correct answer: When storing personal information it must be protected from misuse and loss, and from unauthorized access, modification and disclosure.

Article 5: Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.

Which of the following activities would breach the Data Privacy Principles in relation to Storage?

Select the correct answers from the list below. There may be more than one correct answer.

1. The password needed to access a customer database is on a post-it note stuck on a PC in an unsecured area. CORRECT: This is a breach of PP4 Data Security.

2. Filing customer files using the customer’s Tax File Number as an identifier. CORRECT: This is a breach of DPP7 Identifiers.

3. A customer’s financial details are left in a Branch Manager’s filing tray. CORRECT: This is a breach of PP4 Data Security and your organization’s document management policies, if any. Because other individuals (cleaners, security employees and even colleagues) have access to your organization’s buildings, all documents containing customer and personal information are to be locked away overnight.

 

Article 9 – Reporting a Personal Data Breach

  1. In addition to the obligations of the Controller stipulated herein, the Controller shall, immediately upon becoming aware of any infringement or breach of the Personal Data of the Data Subject that would prejudice the privacy, confidentiality and security of such data, report such infringement or breach and the results of the investigation to the Office within such period and in accordance with such procedures and conditions as set by the Executive Regulations of this Decree Law. Such reporting shall be accompanied by the following data and documents:
    1. the nature, form, causes, approximate number and records of the infringement or breach.
    2. the data of the Data Protection Officer appointed thereby.
    3. the potential and expected effects of the infringement or breach.
    4. the procedures and measures taken thereby and proposed to be applied to address this infringement or breach and reduce its negative effects.
    5. documentation of the infringement or breach and the corrective actions taken thereby.
    6. any other requirements by the Office.
  2. In all cases, the Controller must notify the Data Subject in the event that the infringement or breach would prejudice the privacy, confidentiality and security of his/her Personal Data and advise him/her of the procedures taken thereby, within such period and in accordance with such procedures and conditions as set by the Executive Regulations of this Decree Law.
  3. The Processor shall, immediately upon becoming aware of any infringement or breach of the Personal Data of the Data Subject, notify the Controller of such infringement or breach in order for the Controller, in turn, to report it to the Office in accordance with Item (1) of this Article.
  4. After receiving the report from the Controller, the Office shall verify the causes of the infringement and breach to ascertain the integrity of the security measures taken, and shall impose the administrative penalties stated in Article (26) of this Decree Law if it is proven that the Controller or Processor violates the provisions of this Decree Law and decisions issued in implementation thereof.

 

A brief summary…

 

Personal Information

 

There are 2 Data Privacy Principles which apply when storing personal information:

  • DPP4: Data Security, and
  • DPP7: Identifiers.

 

DPP7: Identifiers

 

Information may be stored using a unique identifier; however, it is essential that this identifier is not a government identifier such as a Tax File Number or a driver’s license number.

 

Use

 

At the completion of this topic you will be able to:

  • Provide examples of the types of activities that fall within the Use stage of the Information Life Cycle.
  • Identify the Privacy Principles relevant to use of personal information.
  • Identify the key steps to ensure personal information is used in accordance with the Privacy Principles.
  • Determine when consent from an individual is required prior to using personal information.

 

What is ‘Use’?

 

This is the stage of the Information Life Cycle when information is used within the organization.

Your organization uses personal information whenever it utilizes the information inside the organization or with the individual for some purpose.

Sending the information to a third party outside your organization is therefore disclosure, rather than use.

Use is also different from updating, which involves changing the information in some way.

 

Typical usage activities

 

These include:

  • Using contact information to call a customer, or to send them a statement.
  • Using financial information to assess a customer’s credit application.
  • Determining whether a person would like a particular product and service that you sell, and then sending them marketing information.
  • Informing unsuccessful job applicants that they will not be required to come in for an interview.

 

Which DPPs are relevant to Use?

 

Two DPPs are relevant when using personal information.

 

Use and disclosure of information

 

Under DPP2 personal information can usually only be used and disclosed:

  • for the primary purpose for which it was collected
  • for a related secondary purpose the person would reasonably expect, or
  • with the individual’s consent.

Any other use or disclosure must fit within one of the following exceptions:

  • in health/emergency situations
  • where there is suspected fraud or unlawful activity
  • where it is required or authorized by law
  • for law enforcement, or
  • for direct marketing.

Because of the limitations on the direct marketing exception, many organizations rely on express or implied consent to engage in direct marketing activities.

 

Article 20 – Personal Data Security

  1. When evaluating the level of information security provided for in Item (1) of this Article, the following shall be taken into account:
    1. risks associated with Processing, including Personal Data damage, loss, accidental or illegal modification, disclosure or unauthorized access, whether transmitted, stored or processed.
    2. the costs, nature, scope and purposes of Processing, as well as the different potential risks to the privacy and confidentiality of the Personal Data of the Data Subject.

 

Data quality

 

Under PP3 organizations must ensure that personal information they use is accurate, complete and up to date.

 

Article 11 – Responsibilities of the Data Protection Officer

  1. The Data Protection Officer shall be responsible for ascertaining compliance by the Controller or Processor with the provisions of this Decree Law, the Executive Regulations thereof, and the instructions issued by the Office. The Data Protection Officer shall, in particular, undertake the following duties and powers:
    1. verifying the quality and validity of the procedures adopted by both the Controller and Processor.

 

Key Questions during Use

 

There are four key questions you should ask when using personal information. You should be sure about the answers to each before proceeding.

  • What was the primary purpose for collecting the information?
  • Can we use the information in the way we want to, without getting consent?
  • If we have to get consent, how do we get it?
  • Is the information we’re using complete, accurate and up to date?

Each question is examined in further detail on the following slides/screens.

 

Can we use personal information without consent?

 

Whether you can use information without getting an individual’s consent depends on the purpose for which the information was collected. The main situations in which organizations can use personal information without getting consent are:

  1. for the primary purpose for which it was collected.
  2. for a related secondary purpose which the individual would reasonably expect.

If the use doesn’t come within either a primary or a related secondary purpose, then in most cases consent will be required.

Read the statement below that best describes the primary purpose for which Sophie’s personal information is being collected.

 

  1. Determining Sophie’s suitability for the loan and, if she is suitable, providing the loan.

 

Correct: This statement best describes the primary purpose for Sophie’s personal information being collected. When considering the primary purpose, you also need to look at Sophie’s reasons for handing over the information, not just what the credit provider would like to do with it.

 

  1. So the credit provider can tell Sophie about its new products as they are released.

 

Incorrect: This may be one of the things the credit provider would like to do with the information, but it is not the primary purpose for Sophie’s personal information being collected. When considering the primary purpose, you also need to look at Sophie’s reasons for handing over the information, not just what the credit provider would like to do with it.

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
  2. The Controller must be able to prove the Consent of the Data Subject to process his/her Personal Data in the event that the Processing is based on such Consent.
  3. The Consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form.
  4. The Consent must indicate the right of the Data Subject to withdraw it and that such withdrawal must be easily made.
  5. The Data Subject may, at any time, withdraw his/her Consent to the Processing of his/her Personal Data. Such withdrawal shall not affect the legality and lawfulness of the Processing made based on the Consent given prior to the withdrawal.

 

Identifying a related secondary purpose

Using Sophie’s story as the example, read each of the activities below to see which are categorized as a secondary related purpose and whether Sophie’s consent would be required.

 

  1. Using the information to determine whether Sophie is suitable for the loan.

 

Activity 1

This activity falls within the primary purpose and so consent is not required.

  • Contacting Sophie to get feedback on the bank’s level of customer service in relation to her loan.

 

Activity 2

Conducting a customer satisfaction survey is still connected with the primary purpose. Sophie would reasonably expect to be asked how the bank can improve services it provides to her. Therefore, this is considered a related secondary purpose and consent is not required.

  • Using Sophie’s information for the purposes of training our employees.

 

 

Activity 3

The training of our employees, whilst important, has no relationship to Sophie’s primary reason for providing the information (i.e. to get a car loan). Consent from Sophie would be required for this use.

 

Obtaining consent

There are two ways an individual can give you consent to use their personal information in a particular way:

 

Express consent is explicit and unambiguous, and does not require any inference on the part of the organization. It may be verbal or written.

 

Express Consent: When applying for a personal loan, Josephine signs an additional form allowing the bank to deduct money from her other accounts when she is in arrears. By signing the form Josephine has provided her express consent to the use of information about her various accounts for this purpose.

 

Implied consent arises where consent may be reasonably inferred from the action or inaction of the individual. You should be careful when relying on implied consent, particularly where the information about the use may not be read or understood, or withholding consent would require cost or effort on the part of the individual. The Privacy Commissioner recommends against using implied consent for email and electronic message marketing, and this may also have implications under the Spam Act.

 

Implied Consent

Mr Hodgson completes a form providing his name and address and requesting the bank to send him a copy of next year’s Annual Report. The form includes a prominent tick box next to the words, “Please tick this box if you do NOT want to be contacted for product surveys.” By not ticking the box, Mr Hodgson has given his implied consent to being contacted for product surveys.

Accurate, complete and up-to-date information is essential

 

Article 4 – Cases of Processing Personal Data without the Data Subject’s Consent

It is prohibited to process Personal Data without the consent of the Data Subject. However, the following cases, in which Processing is considered lawful, are excluded from such prohibition:

  1. if the Processing is necessary to protect the public interest.
  2. if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject.
  3. if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures.
  4. if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State.
  5. if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State.
  6. if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State.
  7. if the Processing is necessary to protect the interests of the Data Subject.
  8. if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws.
  9. if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract.
  10. if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers.
  11. any other cases set by the Executive Regulations of this Decree Law.

 

PP3 Data Quality states that organizations must keep personal information accurate, complete and up-to-date.

This is especially important during the Use stage, because using inaccurate personal information could have a serious impact on the individual. Imagine the consequences if a bank posted a new account card and PIN to an out-of-date address.

 

Therefore, you should always make sure that the information you are about to use has been kept accurate, complete and up to date. This may require setting up suitable processes such as including a form with routine mailings for individuals to complete if their contact details have changed.

Which of the following Privacy Principles are relevant to the Use stage?

Choose the two DPPs that are relevant to the Use stage.

 


  NPP1: Collection

  NPP6: Access and correction

  NPP2: Use and disclosure

  NPP7: Identifiers

  NPP3: Data quality

  NPP8: Anonymity

  NPP4: Data security

  NPP9: Transborder data flows

  NPP5: Openness

  NPP10: Sensitive information

 

Read the scenario by clicking on the pictures below and then answer the following question.

Transborder data flows

DPP9 dictates that if personal information travels overseas, privacy protection should travel with it. There are restrictions on transferring personal information to someone else outside Australia without the individual’s consent. 

 

Processing:

Any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor. Another type is automated processing, which is “processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.”

 

Article 4 – Cases of Processing Personal Data without the Data Subject’s Consent

It is prohibited to process Personal Data without the consent of the Data Subject. However, the following cases, in which Processing is considered lawful, are excluded from such prohibition:

  1. if the Processing is necessary to protect the public interest.
  2. if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject.
  3. if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures.
  4. if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State.
  5. if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State.
  6. if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State.
  7. if the Processing is necessary to protect the interests of the Data Subject.
  8. if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws.
  9. if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract.
  10. if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers.
  11. any other cases set by the Executive Regulations of this Decree Law.

 

Article 5 – Personal Data Processing Controls

Personal Data shall be processed according to the following controls:

  1. Processing must be made in a fair, transparent and lawful manner.
  2. Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected.
  3. Personal Data must be sufficient for and limited to the purpose for which the Processing is made.
  4. Personal Data must be accurate and correct and must be updated whenever necessary.
  5. Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data.
  6. Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
  7. Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature.
  8. Any other controls set by the Executive Regulations of this Decree Law.

 

Cross-Border Processing:

Dissemination, use, display, transmission, receipt, retrieval, sharing or Processing of Personal Data outside the territory of the State.

 

Article 22 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is an Adequate Level of Protection

Personal Data may be transferred outside the State in the following cases approved by the Office:

  1. if the country or territory to which the Personal Data is to be transferred has special legislation on Personal Data Protection therein, including the most important provisions, measures, controls, requirements and rules for protecting the privacy and confidentiality of the Personal Data of the Data Subject and his/her ability to exercise his/her rights, and provisions related to imposing appropriate measures on the Controller or Processor through a supervisory or judicial authority.
  2. if the State accedes to bilateral or multilateral agreements related to Personal Data Protection with the countries to which the Personal Data is to be transferred.

 

There are five key questions you should ask when disclosing personal information. You should be sure of the answer to each question before you proceed.

 

  • What was the primary purpose for collecting the information?
  • Can we disclose the information without getting consent?
  • If we have to get consent, how do we get it?
  • Is the information we’re disclosing complete, accurate and up to date?
  • Are we sending any personal information overseas?

 

Notice that these questions are very similar to the questions asked during the Use stage. This is because many of the principles and concepts that apply to Use also apply when disclosing personal information.

 

Can we disclose personal information without consent?

 

Consent:

The consent given by a Data Subject to authorize third parties to process his/her Personal Data, provided that such consent is a specific, informed and unambiguous indication of the Data Subject’s agreement to the Processing of his/her Personal Data, by a statement or by a clear affirmative action.

 

When it comes to obtaining consent, the same rules apply to disclosing information as they do when using personal information.

 

The main situations in which an organization can disclose personal information without obtaining consent are:

 

  1. for the primary purpose for which it was collected;

 

Refer to Article 4

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
  2. The Controller must be able to prove the Consent of the Data Subject to process his/her Personal Data in the event that the Processing is based on such Consent.
  3. The Consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form.
  4. The Consent must indicate the right of the Data Subject to withdraw it and that such withdrawal must be easily made.
  5. The Data Subject may, at any time, withdraw his/her Consent to the Processing of his/her Personal Data. Such withdrawal shall not affect the legality and lawfulness of the Processing made based on the Consent given prior to the withdrawal.

 

Primary purpose

 

This is the dominant or fundamental reason for information being collected in a particular transaction. This needs to be considered from the perspective of the individual whose personal information it is as well as from the organization’s perspective.

 

  1. for a related secondary purpose which the individual would reasonably expect.

 

Related secondary purpose

 

All purposes other than the primary purpose of collection are secondary purposes.

A secondary purpose will be a related secondary purpose where it arises in the course of fulfilling the primary purpose.

 

The individual must also reasonably expect the organization to use or disclose the information for the secondary purpose.

 

If the disclosure doesn’t fall under either of these purposes, then in most cases consent will be required.

 

Read the following story then complete the question.

 

Case Study

 

Philip is purchasing gym equipment from a department store website. Doing so requires that he provide his name, home address, telephone number and email address. The department store forwards Philip’s information to the contractor used to deliver the gym equipment to customers.

Is consent required?

 

Yes. (Incorrect) Consent is not required as the disclosure is related to the primary purpose of fulfilling Philip’s order. However, if the department store wanted to sell their database of names and addresses to a distributor of workout videos for use in a marketing campaign then consent would be required. 

 

No. (Incorrect) Consent is not required as the disclosure is related to the primary purpose of fulfilling Philip’s order. However, if the department store wanted to sell their database of names and addresses to a distributor of workout videos for use in a marketing campaign then consent would be required.

Refer to Article 4.8., 4.9.

 

When is consent required?

 

Whether using or disclosing personal information, the principles are the same for determining if consent is required.

 

However, individuals are generally less concerned with organizations using the information themselves than they are with them disclosing the information to a third party. This means that their reasonable expectations may differ and consent may be required more often for disclosure.

 

Refer to Article 4.

 

Obtaining consent

 

As in the Use stage, there are two ways of obtaining an individual’s consent to disclose their personal information – express and implied consent. You should be even more cautious about relying on implied consent when disclosing information. This is because individuals often want to know which organizations hold information about them.

 

Refer to Article 6.

 

Read each scenario below.

 

  1. Josephine signs a personal loan application which has a prominent notice saying that by signing she provides her consent for the bank to contact a credit reporting agency to obtain a credit reference.

 

Article 6 – Conditions for Consent to Data Processing

  1. In order to accept the Consent of the Data Subject to Processing, the following conditions must be met:
  2. The Consent must be given in a clear, simple, unambiguous and easily accessible manner, whether in writing or electronic form.

 

Consent?

 

Signing the application with the prominent notice is express consent.

 

  1. Frank completes a form requesting the bank to send him a copy of next year’s Annual Report. The Annual Report arrives with a separate page saying that the bank intends to outsource the delivery of future Annual Reports to an external mailing house. It also states that customers should call the Service Centre by the end of the month if they do not want their contact details disclosed. Frank does not call the number.

 

By not calling, Frank is giving his implied consent for the bank to disclose his contact details to the mailing house. 

 

Article 23 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is not an Adequate Level of Protection

  1. With the exception of what is stated in Article (22) hereof, Personal Data may be transferred outside the State in the following cases:
    1. The express Consent of the Data Subject to transfer his/her Personal Data outside the State in a manner that does not conflict with the security and public interest of the State.

 

Ensuring information is complete, accurate and up-to-date

 

To comply with DPP3 (Data Quality), you need to ask whether the information you are about to disclose is accurate, complete and up-to-date. Note, this question was also asked in the Collection and Use stages.

 

This may require setting up suitable processes such as including a form with routine mailings for individuals to complete if their contact details have changed.

 

Refer to Article 5.4.

 

Article 15 – Right to Correction or Erasure of Personal Data

  1. The Data Subject has the right to request the correction or completion of his/her inaccurate Personal Data held with the Controller without undue delay.

 

Disclosing personal information overseas

 

If you are planning to send personal information to a third-party organization or individual outside the country, you need to be able to answer ‘yes’ to one of the following questions:

 

  • Do we have the individual’s consent?
  • If it’s not practical to get consent, is the transfer for the benefit of the individual and would they have been likely to consent?
  • Is the recipient required to observe similar privacy standards to the PPs? (This is often dealt with in the contract between your organization and the recipient.)
  • Is the transfer necessary for the performance of a contract with, or in the interests of, the individual?

 

Refer to the definitions of cross-border processing and consent, Article 22,

Article 8 – General Obligations of the Processor

The Processor shall:

  1. maintain a special record of Personal Data processed on behalf of the Controller, which must include the data of the Controller, Processor and Data Protection Officer, as well as a description of the categories of Personal Data held thereby, data of the persons authorized to access such Personal Data, the Processing durations, restrictions and scope, the mechanism of erasure, modification or Processing of Personal Data, the purpose of Processing and any data related to the movement and Cross-Border Processing of such data, while indicating the technical and organizational procedures related to information security and Processing operations, provided that the Processor provides this record to the Office whenever requested to do so.

 

Article 13 – Right to Obtain Information

  1. The Data Subject, based on a request submitted thereby to the Controller, has the right to obtain the following information without charge:
    1. protection measures for Cross-Border Processing made in accordance with Articles (22) and (23) hereof.

 

Article 23 – Cross-Border Personal Data Transfer and Sharing for Processing Purposes if there is not an Adequate Level of Protection

  1. With the exception of what is stated in Article (22) hereof, Personal Data may be transferred outside the State in the following cases:
    1. In countries where there is no data protection law, Establishments operating in the State and in those countries may transfer data under a contract or agreement that obliges the Establishment in those countries to implement the provisions, measures, controls and requirements set out herein, including provisions related to imposing appropriate measures on the Controller or Processor through a competent supervisory or judicial authority in that country, which shall be specified in the contract.
    2. The express Consent of the Data Subject to transfer his/her Personal Data outside the State in a manner that does not conflict with the security and public interest of the State.
    3. If the transfer is necessary to fulfill obligations and establish, exercise or defend rights before judicial authorities.
    4. If the transfer is necessary to enter into or execute a contract between the Controller and Data Subject, or between the Controller and a third party to achieve the Data Subject’s interest.
    5. If the transfer is necessary to perform a procedure relating to international judicial cooperation.
    6. If the transfer is necessary to protect the public interest.
  2. The Executive Regulations of this Decree Law shall set the controls and requirements for the cases referred to in Item (1) of this Article, which must be met for transferring Personal Data outside the State.

 

Which of the following Data Privacy Principles are relevant to the Disclosure stage?

 

Choose the three DPPs that apply to the Disclosure stage.

 

  NPP1: Collection

  NPP6: Access and correction

  NPP2: Use and disclosure

  NPP7: Identifiers

  NPP3: Data quality

  NPP8: Anonymity

  NPP4: Data security

  NPP9: Transborder data flows

  NPP5: Openness

  NPP10: Sensitive information

 

 

Read the following story then complete the question.

 

Susan’s story

 

An investment company that Susan has a managed fund with discloses her name, address and current investment details to an external statement production company so that they can print emboss Susan’s current investment statement. 

 

Would Susan’s bank have to seek her consent prior to disclosing her details to the credit card production company?

 

Yes (Incorrect) Susan would not have to provide consent because her details are being disclosed for a secondary purpose that is related to the primary purpose for which the information was collected. That is, to provide her with a credit card account.

 

No (Correct) Susan would not have to provide consent because her details are being disclosed for a secondary purpose that is related to the primary purpose for which the information was collected. That is, to provide her with a credit card account.

 

Refer to Article 4.8.

 

Match a stage in the Information Life Cycle with a definition listed on the right.

 

Disclosure

Use: Handling of personal information within an organization

Use

Disclosure: Release/communication of information to another organization.

 

 

 

A brief summary…

 

DPP2: Use and Disclosure

 

Use and Disclosure are two different stages of the Information Life Cycle.

 

Use refers to the handling of personal information within a single legal entity (e.g. a company) or with the individual. The information remains within the direct control of this one entity. Information transferred between different departments or business units will be uses of information unless those departments or business units are operated by separate entities.

 

Disclosure refers to the release/communication of information to a third party outside the organization. It includes where information is passed between different companies in a corporate group. 

 

Consent

 

Before disclosing personal information, you need to determine whether the disclosure is for a primary purpose or for a related secondary purpose.

 

Remember to take into account the individual’s perspective when determining the primary purpose for which their information was collected.

 

Consent is usually required when the information is not being disclosed for either a primary purpose, or a related secondary purpose. There are some exceptions for special disclosures that do not require consent, for example, law enforcement.

 

Express consent is the clear expression of an individual’s wish whereas implied consent is not directly expressed by the individual. Therefore implied consent can only be relied upon where consent can be confidently and reasonably inferred through the actions of the individual. 

 

DPP3: Data Quality

 

When disclosing personal information, you must ensure that the information is accurate, complete and up to date. 

 

DPP9: Transborder Data Flows

 

Personal information may only be transferred to someone else outside the country:

  • with the individual’s consent,
  • if the recipient must observe information handling rules at least as strict as those in the sender’s country, or
  • in other limited circumstances.