Privacy secured

How will your business be affected by the new Data Protection Act? MATTHEW VELLA speaks to Data Protection Commissioner Prof. John Mamo

Data Protection Commissioner Prof. John Mamo has seen the Data Protection Act come into operation ever since the bill first passed through Parliament in December 2001. The Commission was subsequently set up in March 2002, and he was appointed its first commissioner.
The DPA, hitherto an unknown formality but a principle enshrined within the Maltese Constitution, is now fully operational. Prof. Mamo yesterday gave a rundown of the Commission’s activities since March as the act came into full operation. The Commission is now in the process of finalising a twinning agreement with a senior EU member that will be guiding it in the implementation of the law itself.
The DPA, modelled on EU Directive 95/46/EC dealing with Data Protection, makes ‘provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto’.
"The right to privacy of the individual had already been enshrined within the Constitution," John Mamo says, "and that is the safeguard of privacy which is a fundamental human right. In this sense this is a continuation of that act, but a formal structure has been set up in order to ensure the full implementation of that right and also to receive complaints from data subjects, that is individuals, who feel their privacy has been abused."
In general, commercial bodies and entities cannot process sensitive personal data without the explicit consent of the individual to whom it belongs, but can do so if this information is publicly available, such as an electoral register or a telephone directory. However, processing of medical information to protect the health of the individual is allowed as long as the person processing it is subject to the obligation of professional secrecy, such as banks,
It is of great importance for commercial entities to understand the full effects of the DPA. A business that employs personnel is at a minimum in possession of employee data such as ID card numbers and addresses, which must be protected. Client information also falls within the parameters of this act. The DPA affects the processing of any information that either relates to an identified natural person, or leads to the identification of a data subject.
"This applies to information that is structured in such a way that facilitates the identification of a person which could be contained in databases, employee and customer files, and accounts records.
"Organisations are therefore required to respect privacy. Data subjects who give their personal data to an organisation do so only within the parameters of that personal information, meaning individuals effectively decide how their own personal data is processed.
"Organisations therefore have to provide a structure which would carry out the responsibilities related to the processing of personal data. The DPA applies to any operation that involves the processing of personal data, manual or automated. The act covers manual processing such as the storage of data in filing cabinets."
This means that many functions of commercial entities will be affected by the DPA, including personnel files, which may contain sensitive information such as trade union affiliation and health details. Saviour Cachia, special advisor to the Commission says this information can be processed to comply with the duties, or to exercise any rights, under any law regulating the conditions of employment. However, this information cannot be freely disclosed to third parties without prior authorisation from the data subject.
Another area which is bound to be affected are sales and marketing data, where personal information cannot be used for direct marketing purposes if the data subject chooses not to be included in such campaigns. This will also encompass personal data processed by IT systems.
"Where before there were fewer safeguards for the processing of information when it came to databases or mass marketing, today there will be more safeguards for data subjects. Now they can defend themselves against the abuse of their personal information. Malta is now coming up to date with the legislation that exists all over the world."
As a judicial organ, the Data Protection Commission will also receive complaints from data subjects who feel that their information has been abused. "Every person who feels aggrieved has a right to make a complaint with us and we will first try to settle it amicably with both the data subject and the entity being charged. Before there was no control over the information being given to commercial organisation."
Additionally, all commercial entities will have to appoint a controller of personal data, who determines the purpose and method of personal data processing.
"We are currently setting out the qualifications for a data controller as well as trying to establish a special course leading up to these qualifications. At the moment people who come to mind for the post of data controllers are lawyers and accountants. Moreover, a personal data representative will be appointed by the data controller to ensure the correct processing of personal data or maintaining a register of the processing of the information."
The controller will have to notify the Data Protection Commissioner before carrying out any operations involving personal data. It is possible for some of the functions of the controller to be delegated to the personal data representative. The personal data representative, in turn has to honour certain obligations towards the Data Protection Commissioner as stipulated in the Act.
Compliance with the DPA will be ongoing since controllers have to ensure personal data processing is compatible with the initial purpose for which it has been collected. "Organisations should inform the Data Protection Commission or the personal data representative when the purposes change. The controller is required to ensure that the data maintained by the organisation is correct."
This could involve regular updating of information and that data should not be kept for periods longer than is necessary.
Is the business required to provide any information to the data subject when personal data is collected?
"Whenever personal data is collected, the controller must provide the data subject with information relating to the intention behind the data processing, or assure them that no information will be given to third parties."
The data subject also has the right to know whether the controller processes his or her own personal data. Following a request in writing by the data subject, the controller must reply also in writing as to whether personal data relating to the data subject is being processed or not.
Companies should have by now already identified who could act as controllers of personal data, such as heads of organisation, and those who will act as their delegates when it comes to the processing of personal data.