Established Data Protection

Principles
• On 17 September 1980
• The Committee of Ministers of the Council of Europe (CoE) adopted
the Convention for the Protection of Individuals with regard to
Automatic Processing of Personal Data
• The first legally binding international instrument in data protection
• Purpose-
1.To establish basic principles of data protection,
2.to reduce restrictions on transborder data flows on the basis of
reciprocity and
3.to bring about co-operation between national data protection
authorities (DPAs)
• On 23 September 1980, the Organisation for Economic Co-
operation and Development (OECD) Council adopted its Guidelines
on transborder data flows
• The OECD Guidelines are not legally binding, whereas the CoE
convention is binding on those countries that ratify it
• The CoE convention only applies to personal data that are
‘automatically’ processed,
• Whereas the Guidelines are valid for the processing of data in
general, irrespective of the particular technology employed.
• OECD: “There should be limits to the collection of personal data and
any such data should be obtained by lawful and fair means and,
where appropriate, with the knowledge or consent of the data
subject.”
• Convention 108: “Personal data undergoing processing shall be
processed lawful” and “Personal data undergoing processing shall be
processed … fairly and in a transparent manner” [Article 5 (3) and
(4)(a)]
• GDPR: “Personal data shall be processed lawfully, fairly and in a
transparent manner in relation to the data subject” [Article 5 (1)(a)]
Fair, Lawful, and Transparent
• To address selling and/or transfer of personal data that is fraudulently
obtained,
• ‘Fairness and transparency’ -ensuring that people’s data is not used in
ways they would not expect.
• ‘Lawful’ - data must be processed in a way that respects of rule of law
and that meets a legal ground for processing
• If there is an intention to share the data of an individual with a third
party but the data controller is not transparent about this fact and the
data subject is not clearly informed, it is likely that their personal data
was obtained unfairly, and the process will not be considered
transparent.
• OECD: “The purposes for which personal data are collected should be
specified not later than at the time of data collection and the subsequent
use limited to the fulfilment of those purposes or such others as are not
incompatible with those purposes and as are specified on each occasion of
change of purpose.”
• Convention 108: “Personal data undergoing processing shall be collected
for explicit, specified and legitimate purposes and not processed in a way
incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes is, subject to appropriate safeguards, compatible with
those purposes.” [Article 5 (4)(b)]
• GDPR: “Personal data shall be collected for specified, explicit and
legitimate purposes and not further processed in a manner that is
incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be
considered to be incompatible with the initial purposes.” [Article 5 (1) (b)]
Purpose Limitation
• Determined, specific, and legitimate purpose
• No incompatible purpose
• It is not acceptable to state that you need a person’s data for one
purpose, and then use it for something else without notice or
justification.
• Personal data should not be disclosed, made available, or otherwise
used for purposes other than those specified
• Two common exceptions to this principle:
a) with the consent of the data subject b) by the authority of law
• A ferry company collects data from its passengers in order to make
bookings and so that it knows how many people are travelling with
them. The ferry company will need information regarding the
passenger’s seat number, registration of any vehicle, any special
physical needs. If the ferry company are asked to pass this
information on to Customs and Immigration, then the information is
then being used for a different purpose from that for which it was
originally collected. Transfer of the data to Customs and Immigration
would need a new and separate legal basis, which the company
would need to document.
• OECD: “Personal data should be relevant to the purposes for which
they are used, an, to the extent necessary for those purposes, should
be accurate, complete and kept up-to-date.”
• Convention 108: “Personal data undergoing processing shall be
adequate, relevant and not excessive in relation to the purposes for
which they are processed.” [Article 5 (4) (c)]
• GDPR: “Personal data shall be adequate, relevant and limited to what
is necessary in relation to the purposes for which they are processed.”
[Article 5(1)(c)]
Minimisation
• adequate, relevant and limited
• Only the data which is necessary and relevant for the purpose stated
should be processed.
• It is not acceptable to collect extra data because it might be useful
later on, or simply because no thought has been given
• Purpose test – will often involve the problem of whether or not harm
can be caused to data subjects because of lack of accuracy,
completeness and up-dating.
• Necessity -whether the same aim could be achieved in a way that is
less intrusive i.e. uses less data
• A recruitment agency places workers in a variety of jobs. It sends all
applicants (regardless of the job applied for) a questionnaire which
includes questions about health conditions that are only relevant to
particular manual occupations. It would be irrelevant and excessive to
obtain such information from all individuals, regardless of the job
they were actually applying for.
• OECD: “Personal data should be relevant to the purposes for which
they are used, an, to the extent necessary for those purposes, should
be accurate, complete and kept up-to-date.”
• Convention 108: “Personal data undergoing processing shall be
accurate and, where necessary, kept up to date.” [Article 5 (4) (d)]
• GDPR: “Personal data shall be accurate and, where necessary, kept up
to date; every reasonable step must be taken to ensure that personal
data that are inaccurate, having regard to the purposes for which they
are processed, are erased or rectified without delay.” [Article 5(1)(d)]
Accuracy
• Accuracy: All data processed must be accurate throughout the data
lifecycle
• Complete: Any category of data must be complete to the extent possible
• Up-to-date: Any data that is retained and may be further processed in
accordance with the provisions provided for in the data protection law
must be kept up-to-date
• Limited: Personal data should only be processed (and retained) for the
period of time it is required for the purpose for which it was collected and
stored.
• There is a high risk that if the data is not accurate and up-to-date, then the
outcome of the decision-making process will also be inaccurate.
• Convention 108: “Personal data undergoing automatic processing shall be
preserved in a form which permits identification of the data subjects for no
longer than is required for the purpose for which those data are stored”
[Article 5(e)]”
• GDPR: “Personal data undergoing processing shall be kept in a form which
permits identification of data subjects for no longer than is necessary for
the purposes for which the personal data are processed; personal data may
be stored for longer periods insofar as the personal data will be processed
solely for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in accordance with Article 89(1)
subject to implementation of the appropriate technical and organisational
measures required by this Regulation in order to safeguard the rights and
freedoms of the data subject. (‘storage limitation’)” [Article 5 (1) (e)]
Storage Limitation
• Data should not be kept for longer than necessary for the purpose for
which it was originally obtained. Any exceptions to this must be very
limited and clearly defined.
• To ensure that the data is not stored for longer than required and
necessary for the purpose for which it was collected
• Indefinite data retention is not only an infringement of the rights of
an individual but a risk for those processing it
• Outdated data should not be utilised
• OECD: “Personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorised access, destruction,
use, modification or disclosure of data.”
• Convention 108: “Each Party shall provide that the controller, and, where
applicable the processor, take appropriate security measures against risks
such as accidental or unauthorised access to, destruction, loss, use,
modification or disclosure of personal data.” [Article 7 (1)]
• GPDR: “Personal data shall be processed in a manner that ensures
appropriate security of the personal data, including protection against
unauthorised or unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or organisational
measures” [Article 5 (1) (f)])
Integrity and Confidentiality
• security safeguards against risks such as unlawful or unauthorised
access, use and disclosure, as well as loss, destruction, or damage of
data.
• Security safeguards could include: • Physical measures, i.e. locked
doors and identification cards, • Organisational measures, i.e. access
controls; • Informational measures, i.e. enciphering (converting text
into a coded form), and threat-monitoring• Technical measures, i.e.
encryption
• Regular testing of the adequacy of these measures, implementation
of data protection and information security policies, training, and
adherence to approved codes of conduct.
• OECD: “A data controller should be accountable for complying with
measures which give effect to the principles stated above”
• Convention 108: “Each Party shall provide that controllers and, where
applicable, processors, take all appropriate measures to comply with
the obligations of this Convention and be able to demonstrate,
subject to the domestic legislation adopted in accordance with Article
11, paragraph 3, in particular to the competent supervisory authority
provided for in Article 15, that the data processing under their control
is in compliance with the provisions of this Convention.” [Article 10
(1)] GDPR: “The controller shall be responsible for, and be able to
demonstrate compliance with paragraph 1
Accountability
• Accountability mechanisms play an important role in investigating
breaches and holding entities subject to the law to account
• How they comply with data protection legislation, including the
principles, their obligations, and the rights of individuals.