Data Protection Update: DPC publishes new guide to audit process


The Data Protection Commissioner (the DPC) has published new guidance on its powers to carry out privacy audits into organisations' data protection compliance (21 August 2014).

The legal basis for audits by the DPC is contained in Section 10 (1A) of the Data Protection Acts 1988 and 2003 (the Acts), which provides that:

"The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and the Electronic Communications Networks and Services Regulations of 2003 and to identify any contravention thereof."

An organisation selected for an audit is usually given a number of weeks' notice. However, the DPC is also empowered to carry out unscheduled inspections pursuant to section 24 of the Acts.

The purpose of audits is to detect any weaknesses in how organisations handle personal data and reduce the likelihood of potential breaches of the Acts. At the close of an audit, the audit team produces a written report, with its findings and recommendations aimed at improving data protection practices. The preparation for an audit, the questions from the audit team, and the final Audit Report, all serve to increase awareness within organisations of data protection responsibilities.

The DPC has taken a proactive role in regard to privacy audits. During 2013, he carried out 44 scheduled audits and inspections (a 10% increase on 2012). The DPC's Annual Report for 2013 notes that factors for selecting the targets of an audit include the amount and nature of personal data processed by an organisation, and the number of complaints and enquiries received by the DPC.

The guide will no doubt serve as a useful tool for organisations, selected for an audit by the DPC, to prepare for same. The appendices to the guide contain sample audit questions and checklists, which enable organisations to conduct self-assessments of their compliance with their data protection obligations.

Enforced Subject Access now an Offence

The remaining provisions of the Data Protection Acts 1988 and 2003 (the Acts), including sections 4(13), 6(2)(b) and 10(7)(b), were commenced on 18 July 2014 by Statutory Instruments 337 and 338 of 2014.

Statutory Instrument 337 of 2014

This Regulation commences sections 6(2)(b) and 10(7)(b) of the Acts. These provisions impose an obligation on data controllers to notify third parties when personal data have been rectified or erased.

Section 6 already provides that a data controller must notify a data subject when the controller rectifies, blocks or erases personal data that are collected, processed or otherwise dealt with in contravention of the Data Protection Acts. Section 6(2)(b) now requires the data controller to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.

Section 10 already provides that a data controller must notify the data subject where the controller rectifies, blocks, erases, destroys or adds a statement to personal data in compliance with an enforcement notice issued by the DPC. Section 10(7)(b) now requires the data controller to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.

Statutory Instrument 338 of 2014

This Regulation commences section 4(13) of the Acts, concerning enforced subject access. It makes it a criminal offence for an employer to attempt to require an employee, prospective employee or independent contractor to make an access request or to reveal the result of such an access request.

CJEU clarifies scope of right of access to personal data

The CJEU in Joined Cases C-141/12 and C-372/12 has clarified the scope of a data subject's right of access to a copy of their personal data. The CJEU's ruling may serve to lighten the burden of access requests on organisations. It confirms that the Data Protection Directive 1995 (the Directive) does not establish a right of access to any specific document or file in which personal data are listed or used, nor does it specify the material form in which personal data must be made accessible. Member States enjoy a margin of discretion to determine the form in which to make personal data accessible, so long as it is intelligible. Accordingly, the CJEU found that the Dutch authorities, in this case, had met their legal obligations under data protection law by extracting from the relevant documents the personal data relating to the data subject.

Facts

The applicants were three third-country nationals who applied for residence permits in the Netherlands. They made data access requests for a copy of the full minute containing the legal analysis that underpinned the decisions by the Dutch authorities regarding their permit applications. Although a summary of the personal data in the minute was provided to one applicant, a copy of the full minute was denied to all three applicants.

The Netherlands' courts asked the CJEU whether the data in the minute concerning the data subject constituted 'personal data' within the meaning of Article 2(a) of the Directive; whether the legal analysis contained in the minute constituted 'personal data' within the meaning of Article 2(a) of the Directive; and whether Article 12(a) of the Directive and Article 8(2) of the Charter of Fundamental Rights of the European Union meant that there was a right to a copy of the minute, or whether it was sufficient to provide a summary, in intelligible form, of the personal data.

Decision

The CJEU held that a legal analysis of an applicant's entitlement to lawful residence, contained in an administrative document (such as the 'minute' at issue in the main proceedings), was not 'personal data' within the meaning of Article 2(a) of the Directive. Therefore, the applicant should not be granted access to that part of the minute.

However, the CJEU held that there was no doubt that the data relating to the application for a residence permit contained in the minute, such as the applicant's name, date of birth, nationality, gender, ethnicity, religion and language, constituted information relating to the applicant, and was therefore 'personal data'. The CJEU found that for the right of access in Article 12(a) and Article 8(2) of the Charter to be complied with, it was sufficient that the applicant be provided with a full and comprehensive summary of those data in an intelligible form, that is, a form which would allow the applicant to become aware of those data and to check that they were accurate and processed in compliance with the Directive. The data subject could not derive from either Article 12(a) of the Directive or Article 8(2) of the Charter the right to obtain a copy of the document or the original file in which those data appear.

For further information please contact Davinia Brennan at dbrennan@algoodbody.com.