An Overview of Data Protection Legislation

Consumer Affairs Department
Tel 061 483286 / 87
© Health Service Executive
Contents
• Introduction and background.
• Main definitions.
• Rules and responsibilities for all staff.
• Contact details.
What is Data Protection?
• Safeguards the privacy rights of individuals in relation to the
processing of personal data by:
– regulating computer use
– giving individuals rights in relation to their personal information
– imposing responsibilities on organisations in terms of
compliance with the Data Protection rules and rights of access
• Data Protection Acts 1988 & 2003 create rights for individuals and
responsibilities for computer and other users.
• When you create a record which contains personal data not only
should it remain confidential but you are also obliged to keep it safe
and secure and use it only for the purpose for which it was collected.
• Disciplinary action may follow a DP breach as each staff member
has an individual responsibility under DP legislation and the more
recent HSE policy
History
• Council of Europe Convention of Data Protection, 1981
• The purpose of this convention was to secure respect for a person’s
rights and fundamental freedoms, and in particular their right to privacy,
with regard to automatic processing of personal data relating to them
("data protection")
• Data Protection Act 1988 (gives effect to 1981 convention)
• Data Protection Directive, Directive 95/46/EC
• Manual Records
• Consent
• Transfer of Data
• Data Protection (Amendment) Act 2003
• Privacy Bill 2006
Corporate Responsibilities
• The HSE must comply with Data Protection legislation.
• The HSE must nominate Data Controllers – four in total
being the Consumer Affairs Area Manager in each of the
four regions.
• Each Data Controller must register all databases with the
Data Protection Commissioner and ensure that this
registration is kept up to date.
• The HSE must process all Data Protection Access
requests.
• The HSE must ensure that all staff have received Data
Protection training.
Definitions
•Personal information (even minimum information such as
name, address or email address) about a living individual
held either electronically or in paper files. It includes
information in the form of photographs, fingerprints, audio
recordings and text messages. Personal information can be
stored in a number of ways such as in mobile phones,
laptops, palm pilots, voicemail, fax machines and CCTV.
•Sensitive Personal Data
Relates to specific categories of data which are defined as
data relating to a person’s racial origin, political opinions
or religious or other beliefs; physical or mental health;
sexual life; criminal history; trade union membership
Definitions
• Data
Information in a form which can be processed
(manual & electronic)
• Data Subject
An individual who is the subject of personal data
• Data Controller
A person who, either alone or with others, controls
content and use of personal data
• Data Processor
A person who processes personal information on
behalf of the data controller
DEFINITIONS
• Processing of Data or Information – performing any
operation on data including:
– Obtaining, recording, keeping
– Collecting, organising, storing, altering, adapting
– Retrieving, consulting, using
– Disclosing, transmitting, disseminating
– Aligning, combining, blocking, erasing or destroying
The 8 Principles of Data Protection
Principle Number 1
Obtain and process information fairly
• In order to obtain personal data fairly from people, we need to ensure
that they are made aware of:
– Why the data is being collected.
– What it will be used for.
– Persons/third parties to whom data may be disclosed.
– Right to access their data.
• To fairly process personal data it must have been
fairly obtained and the data subject must have given
consent to the processing.
Principle No 2
Keep it for one or more specified, explicit
and lawful purposes
•An individual should know the purpose for
which we collect and hold his/her data.
•He /she must also be aware of the different
sets of data which we hold and the specific
purpose of each set.
Principle No 3
Use and disclose it only in ways compatible with
these purposes
Key tests of compatibility are:
1. Do you use the data only in ways consistent with the purpose for
which it was obtained?
2. Do you disclose the data only in ways consistent with that purpose?
What is Compatible Disclosure?
• Closely related to the specified purpose
• Consistent with the specified purpose
• Need to know basis
• The surprise test – would the subject be surprised to learn that the
disclosure is taking place?
Principle No 3
Use and disclose it only in ways compatible
with these purposes
We as staff of the HSE must ensure that personal data is used only
in ways consistent with the purpose for which it was obtained.
•Except where it is:
– Required urgently to protect life and limb.
– Required by law or court order.
– With consent of/on behalf of data subject.
– Crime; tax; State security; international relations.
Principle No 4
Keep it safe and secure
• Appropriate security measures must be
taken against unauthorised access to,
alteration, disclosure or destruction of, the
data and against their accidental loss or
destruction.
Principle No 4
Keep it safe and secure
All staff should be aware of the Information Security Policies
adopted by the HSE including:
– Information Security Policy
– Information Technology Acceptable Usage Policy
– Electronic Communications Policy
– Password Standards Policy
– Encryption Policy
– Mobile Phone Device Policy
Principle No 5
Keep it accurate, complete and up to date
•We need to ensure that clerical and computer
procedures are adequate to ensure high levels of data
accuracy.
•We also need to ensure that appropriate procedures
are in place, including periodic review and audit, to
ensure that all records are kept up to date.
Principle No 6
Ensure that it is adequate, relevant and not excessive
We must ensure that information being held is:
• Adequate and relevant in relation to the purpose for which it is
being held.
• Not excessive in relation to the purpose for which it is kept.
e.g. asking a job applicant about criminal convictions could be
relevant but it would be irrelevant and excessive to ask
the same question in an online booking form for theatre
tickets!
Principle No 7
Retain it for no longer than is necessary for the purpose.
To comply with this:
• Staff should be aware of:
– the length of time data/records are held.
– the reason why they are being retained.
– the process for destruction when no longer required.
• Responsibility should be assigned to a specific individual within a
department to ensure that files are reviewed on at least an annual
basis to ensure that personal information is not retained any longer
than necessary.
• All staff should be aware of:
– NHO Code of Practice for Healthcare Records Management.
– The National Policy for Health Boards on Record Retention Periods.
Principle No 8
Give a copy of personal data on request
On making an access request, any individual about whom
you keep personal data is entitled to:
•A copy of the data you are keeping about him/her
•Know the purpose/s for processing the data
•Know the identity of those to whom you disclose the data
•Know the source of the data, unless it is contrary to public
interest
•Know the logic involved in automated decisions
•A copy of any data held in the form of opinions, except where
such opinions were given in confidence
Right of correction or erasure
Section 6 of the Act
• The data subject must make a written request
• Personal data must be corrected if inaccurate or
deleted.
• Data controller has 40 days to respond.
• No fee is required.
Manual Data
This information must be in a ‘relevant filing system’
which is structured by reference to individuals in such
a way that specific information relating to a particular
individual is readily accessible.
• The data must be part of a set
• The set must be structured
• The data must be accessible
• Such access cannot be simply random but must be
according to specific criteria
Security Issues
Manual Files
• Who has access?
• At what level is it authorised?
• Are they kept under lock and key?
• Are there designated staff to make additions
to the file?
• Who deals with requests for information from
the file? - Set procedures for this?
Faxing Information
Confidential and personal information should not be transmitted by fax
message except if all persons identified in the fax message have fully
understood the risks and agreed or there are no other means available
or in a medical emergency where a delay would cause harm to a patient.
• Checking and confirming correct fax numbers
• Authorised access to fax only
• A phone call before fax is sent to ensure machine is
manned
Mailing Information
• Registered Post
• Check correct mailing address
• Sealed envelopes
What are Electronic Records?
The term electronic record is a generic
description for a record held on, or produced by,
a computerised system.
Records can be output as any media: text, images,
sound or a combination of these and include electronic
documents and electronic messages.
Information Security Policies : HSE
• The aim of these policies is to help protect patient, client and staff
information.
• Each staff member who uses HSE ICT equipment or has HSE data
stored on an electronic device needs to make themselves familiar
with the policies.
Information Security Policy,
Information Technology Acceptable Usage Policy,
Electronic Communications Policy,
Password Standards Policy,
Encryption Policy, Mobile Phone Device Policy
• The full policies are available to download from the HSE intranet:
http://hsenet.hse.ie/HSE_Central/Commercial_and_Support_Services/ICT/Policies_and_Procedures/Policies/
• If you have any queries contact your local ICT Department Tel 061
483308
Keep it Safe and Secure
• Personal laptops or other equipment (e.g. cameras, phones)
must NOT be used for HSE business.
• The storage of confidential or personal information on USB flash
drives (i.e. memory stick/pen/keys) is strictly prohibited.
Encrypted HSE approved USB memory sticks may only be used
on an exceptional basis where it is essential to store or
temporarily transfer confidential or personal data.
• Users must only use accounts and passwords that are assigned
to them.
• All confidential and personal information transmitted to an email
address outside the HSE Domain must be encrypted.
• All HSE laptop computer devices must be password protected,
have up to date anti-virus software installed and have encryption
software installed.
Keep it Safe and Secure
• Old and obsolete IT equipment must be securely recycled via the ICT
Directorate.
• Confidential and personal information must be securely deleted from your
PC when no longer required.
• All passwords must be a minimum of 8 characters and must contain a
combination of letters, numbers and at least one special character.
• Mobile phone devices should have PIN or password protection and those
with cameras must not be used inappropriately.
• Restrict access to records on a “need to know” basis & ensure premises
secure when unoccupied.
• Ensure there are back up procedures for computers including off-site back
up.
Keep it Safe and Secure
• PC should be locked when a person leaves their desk (Ctrl+Alt+Delete).
• Staff should log out of their PC at the end of each working day.
• Confidential waste papers must be securely disposed of (shredded).
• Use screen savers and passwords
• Revoke IDs and passwords as soon as users resign or leave
• Use audit trails to track when a record is accessed and by whom
• Information on computer screens and manual files should be kept hidden
from callers and should be secured when office is unoccupied.
• Ensure there are contracts and confidentiality agreements in place with
data processors
Laptops – some basic precautions!
• Do not leave the portable unattended
• Do not position portables near exterior windows where they are subject to
‘smash & grab’ theft
• Keep only the most necessary information on the portable
• Back up files and store them in some other place other than the carry case
• Pay attention to where you use the portable, be aware that someone could
see the screen behind you
• Be cautious about installing any software from unknown sources – may
contain a virus
• Ensure that sensitive files are password protected when stored on laptop
• Ensure that anti-virus software has been installed
• Ensure that the data held on your laptop is encrypted
Data Breach
• HSE Data Protection Breach Management Policy
• An incident report must be completed immediately by HSE
employees and their line manager whenever confidential or personal
data belonging to the HSE is accidentally disclosed, lost or stolen, or
whenever a HSE mobile computer device or a mobile storage
device is lost or stolen.
• The completed report must be forwarded immediately via fax or
email (a scanned copy) to the employee’s local Consumer Affairs
Office (for incidents involving the accidental disclosure, loss or theft
of manual (paper based) data) or ICT call centre / helpdesk (for
incidents involving the accidental disclosure, loss or theft of
electronic data, or the loss or theft of a HSE mobile computer or
storage device).
Data Breach
What to do in the event of a breach
• Contact Line Manager
• Fill out incident form with Line Manager
• Contact the Gardaí (if items stolen etc)
• Contact Consumer Affairs / ICT Helpdesk
• Recommendations: a key aspect of the report; these are
followed up by Consumer Affairs and the DP Commissioner
• Disciplinary action may follow as each staff member has
an individual responsibility under DP legislation and the
more recent HSE policy
Data Protection Commissioner
DP Commissioner
• Upholds rights of individuals
• Enforces obligations of data controllers
• Investigates complaints
• Maintains public register
• European functions
• Codes of Practice
• Investigation to ensure compliance and identify
contravention
• Pre registration check
• Name & Publish
• Annual Report absolutely privileged
Commissioner’s Powers
• Information notice (section 12)
• Enforcement notice (section 10)
• Prohibition notice (section 11)
• Powers of entry and inspection (section 24)
– “authorised officers”
• Decision on complaints (section 10)
• Refusal to register (section 17)
• Auditing powers (section 10 (1) a)
Offences and Penalties
• Failure to comply with a Notice
• Failure to register
• Failure to comply with terms of register entry
• Fine of up to €100,000
• Court may order erasure of data
Guidelines & Contact Details
Consumer Affairs Dept, H.S.E., 31/33 Catherine St.
Limerick
Tel: 061 483286/87
ICT Dept, H.S.E., 31/33 Catherine St. Limerick
Tel: 061 4833308
HSE Website:
http://hsenet.hse.ie/Intranet/HSE_Central/Consumer_Affairs/
The Data Protection Commissioner’s Website:
http://www.dataprotection.ie
Tel: 057 8684800