Data Protection Commission

Getting organised for Data Protection

A quick look at some of the steps to take to comply with your Data Protection obligations:

The right of access is the most important right that an individual has and you need to make preparations for handling access requests. Dealing with access requests is not your only obligation. Staff should be made aware of the obligations imposed by the Data Protection Acts. To comply you should:

· Ensure that the basic principles of data protection are explained to staff;

· Ensure that there are regular updates to guidance material and staff training and awareness, so that data protection is a "living" process aligned to the way the organisation conducts its business;

· Document procedures, for example with regard to accuracy, and have regular security reviews;

· Allocate responsibility for compliance and set out what in-house sanctions may be imposed if correct procedures are not followed;

· Set out the circumstances in which personal data may be disclosed to third parties, including Gardai and other enforcement agencies.

Staff should be aware that from October 2007 the principles of data protection apply to manual records, including those created before July 2003.

Obligations on retention and security need to be addressed:

· Adhere to the 'need to know principle' – only personal data necessary for the purpose should be collected and staff should only be able to access the personal data that they need to carry out their functions;

· Have adequate access controls, firewalls and virus protection and do not forget manual files;

· There should be retention policies for the various categories of data.

The organisation should provide for:

· Periodic audit checks and reviews;

· A procedure for complaints handling;

· Plans for remedial steps if things go wrong;

· Privacy/Data Protection Statements on Forms and Websites and an internal e-mail and internet use policy.

Dealing with Subject Access Requests

As stated above, the key right for the individual is the right of access. Essentially this means that you have to supply to the individual the personal data that you hold if a valid request is made under Section 4. The time limit for complying with an access request is 40 days. In order to ensure your compliance with the time limit and your other access obligations, the following organisational and procedural steps are recommended:

1. Appoint a Co-ordinator who will be responsible for the response to the access request. A description of the functions and responsibilities of the Co-ordinator should be circulated within the organisation and staff should be advised of the necessity for co-operation with the Co-ordinator. If the organisation is a public sector organisation and subject to the Freedom of Information Acts, there should be co-ordination between the FOI and DP processes.

2. All subject access matters should be submitted to the Co-ordinator.

3. Check the validity of the access request. Ensure that it is in writing and, if you choose to charge the fee, that a fee of max €6.35 is included.

4. Check that sufficient material has been supplied to definitively identify the individual. This is most important. You should set down criteria on what is sufficient to prove identity for your organisation. This may be the signature, an ID number in combination with name and address or date of birth. It should not be possible for a third party to provide the material to lodge a false access request.

5. Check that sufficient information to locate the data has been supplied. If it is not clear what kind of data is being requested you should ask the data subject for more information. This could involve identifying the databases, locations or files to be searched or giving a description of the interactions the individual has had with the organisation.

6. Log the date of receipt of the valid request.

7. Keep note of all steps taken to locate and collate data – if different divisions of the organisation are involved, have the steps "signed off" by the appropriate person.

8. Check each item of data to establish if any of the modifications in respect of health or social work data (section 4(8)) or any of the restrictions on access provided by section 5 apply.

9. If data relating to a third party is involved, do not disclose it without the consent of the third party, or anonymise such data if this would conceal the identity of the third party. An opinion given by a third party may be disclosed unless it is an opinion which was given in confidence on the clear understanding that it would be treated as confidential.

10. Monitor the process of responding to the request, observing the time limit of 40 days.

11. Supply the data in an intelligible form (include an explanation of terms if necessary). Also provide a description of the purposes, disclosees and source of the data (unless revealing the source would be contrary to the public interest). Number the documents supplied. Have the response "signed off" by an appropriate person.

12. Regularly review your procedures and processes.