Aug 21, 2019

Personal Data Protection, Privacy and GDPR Rights

Personal data
Personal data is information that relates to an identified or identifiable individual.

The identifiers of an individual could be a name or a number, IP, cookie identifier, or other factor.

Even if the identifiers are removed or pseudonymised, the data is still personal data.

Information about a deceased person does not constitute personal data.

What is sensitive data? It includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health information
  • Sexual orientation
  • Financial data

The right to privacy and to the protection of reputation is set out in Article 12 of the Universal Declaration of Human Rights, which states:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Article 17 of the International Covenant on Civil and Political Rights states:

"1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks."

General Comment No. 16 on Article 17 (Right to Privacy) of the International Covenant on Civil and Political Rights, to which Sri Lanka is a State Party, emphasised that:

"The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.

Effective measures have to be taken by States to ensure that information concerning a person's private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the Covenant. 

In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes.

Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination."

GDPR
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’.

A controller determines the purposes and means of processing personal data.

A processor processes personal data on behalf of a controller. Processors have specific legal obligations of their own: for example, a call centre that handles customer data on behalf of a client must maintain records of the personal data it holds and of its processing activities, and it is legally responsible if it causes a data breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

The GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal or household activities.

The GDPR sets out 7 key principles for processing personal data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Valid consent
Consent must be freely given and must require a positive action to opt in.

It must be unbundled from other terms and conditions.

It must be concise, easy to understand and user friendly.

Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

Explicit consent must be expressly confirmed in words, rather than by any other positive action.

There is no set time limit for consent. 

How long it lasts will depend on the context. 

You should review and refresh consent as appropriate.

How should we obtain, record and manage consent?

Consent requests need to be prominent, concise and separate from other terms and conditions.

Tell individuals:
  • why you want the data;
  • what you will do with it; and
  • that they can withdraw consent at any time.

Don’t use pre-ticked boxes, opt-out boxes or other default settings.

Keep records to evidence consent – who consented, when, how, and what they were told.

Make it easy for people to withdraw consent at any time they choose.

Vital interest
A person being admitted to hospital may be unable to give consent; his wife gives consent instead so that the medical records needed to save his life can be accessed.

Public interest
Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of a public task. This covers processing necessary for:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions;
  • governmental functions; or
  • activities that support or promote democratic engagement.

GDPR may not apply if:

  • the business has fewer than 250 employees;
  • it does not handle sensitive data, such as religious affiliation; and
  • its data processing does not affect the rights and freedoms of individuals.

Acceptable reasons for data processing:

  • The subject has consented, or
  • To fulfil a contract or to enter into a contract, or
  • To comply with a legal obligation related to the subject, or
  • To protect the “vital interests” of a person, or
  • To perform a task in the public interest, or
  • For the “legitimate interests” of the controller.


Cloud-based Environments

Cloud data storage presents a number of technical security risks, such as:

  • Data breaches
  • Hijacking of accounts
  • Unauthorised access


Security Measures

  • Access controls
  • Firewalls
  • Antivirus software
  • Staff training
  • Policy development

Rights
Data protection is a fundamental right set out in Article 8 of the EU Charter of Fundamental Rights:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.

3. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

4. Compliance with these rules shall be subject to control by an independent authority.

Personal Rights
The right to be informed (Articles 13 & 14 of the GDPR)

The right to access information (Article 15 of the GDPR)

The right to rectification (Articles 16 & 19 of the GDPR)

The right to erasure (Articles 17 & 19 of the GDPR)

The right to data portability (Article 20 of the GDPR)

The right to object to processing of personal data (Article 21 of the GDPR)

The right of restriction (Article 18 of the GDPR)

Your rights in relation to automated decision making, including profiling (Article 22 of the GDPR)



Tools
SOC 2 is a report based on the AICPA's existing Trust Services principles and criteria. The purpose of a SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, and confidentiality or privacy.

Allgress
Software for data protection and risk management.
Allgress helps enterprise security and risk professionals solve the problem of how to assess, understand and manage corporate risk. Its founders and management team are committed to providing CISOs with the ability to make effective investment decisions that align security and compliance programs with top business priorities, and to communicate the value.



Niranjan Meegammana
HR Researcher & Technologist
Digital Human Rights Institute

1 comment:

upul said...

it’s very helpful details...