Since 2006, Gibraltar has had its own data protection legislation through the provisions of the Data Protection Act (“the Act”). The Act is concerned with personal data (information about people who can be identified) which is used in the normal running of a business, government department or other organisation. The provisions of the Act apply to all forms of data which may be obtained, covering everything from manual or written records to electronic or computerised data.
It is important that the protection of data is adequately regulated. On a daily basis, people will be asked to provide personal and confidential information (such as dates of birth or credit card details – the list is endless) which will be required for the relevant business or organisation to provide its services. Anybody who gives out this information will want to know that it is being dealt with properly; although release of this personal information may not result in any actual harm being caused to anybody, more and more often we are hearing of cases of identity theft and substantial problems being caused to those who fall prey to this. It is because of this that the legislation has been brought into effect.
The Act covers both the responsibilities of data controllers and data processors (i.e. those dealing with data in some way or another, including employees’ personal details) and the rights of data subjects (i.e. anybody who has ever given out personal information – basically, everybody!). In this article we will be considering the responsibilities of data controllers as set out in the Act.
The main responsibilities of a data controller are as follows:
1. Obtaining and processing data in a fair and lawful manner.
2. The data obtained must be accurate and complete. In certain circumstances, such as where there is an ongoing relationship with a data subject, it is also necessary to ensure that the data is kept up to date.
3. Data must only be collected for one or more specific and explicit purposes. Any data obtained should only be used in a manner compatible with the purpose or purposes for which it was obtained. Furthermore, the data has to be relevant to the purpose(s) and not excessive, and should not be kept any longer than necessary to fulfil the purpose(s).
4. Appropriate security measures must be in place in order to protect data and to prevent unauthorised or accidental access or alterations to the same.
Even though these requirements may seem like a case of stating the obvious, it is very easy for a data controller to fall foul of them and subsequently be in breach of the Act. For example, point 3 above covers the obtaining of data to be used for specific and explicit purposes. A data controller should explain to a client (preferably in writing and in no uncertain terms) why the data is being obtained and how it is going to be used; thereafter it is very important that the data is not used for any other purpose unless specifically authorised by the client.
Another example of a breach can be in terms of security as covered in point 4 above. Many people will have heard of recent security breaches in the UK, where laptops or documents containing confidential information have been left behind in public places. These are very serious and obvious examples of breaches of security and confidentiality, as the data has been left in a place where it can be accessed by anybody. However, there are other, perhaps less obvious, breaches that can still constitute a data security breach. Something as simple as an unlocked filing cabinet, or having a computer terminal in a place where the screen can be seen by visitors to the premises, can constitute a security breach as this can allow for easier unauthorised access to personal data. These are just two examples of the countless ways in which a data controller can be in breach of its duties under the Act.
In addition to handling data properly, data controllers are obliged to register themselves on the Data Protection Register. There are very few exceptions, such as organisations that process information which is meant to be open and available to the general public. However, almost every organisation will fulfil the criteria of being a data controller, and it is therefore essential that the requirements of the Act are complied with.
Apart from the possibility of causing very serious harm and loss to a client or customer, a data protection breach resulting in non-compliance with the Act can result in financial penalties being imposed on the data controller. Depending on the severity of the breach, the Act allows for fines of up to £5,000 to be imposed, and there could also be legal costs involved. For many businesses, such costs would seriously outweigh the cost of ensuring that their data is adequately protected.
Clearly, the provisions of the Act apply to pretty much all organisations dealing with client/customer information. You don’t choose whether you’re covered by the provisions or not; in fact, bearing in mind the very limited number of exceptions to the rule, there’s every chance you or your business is deemed a ‘data controller’ for the purposes of the Act and you didn’t yet know it! This is not a choice, but an obligation – if you are a data controller and are not yet compliant with the Act, you need to review your systems, and you need to do so as soon as possible. If you’re unsure as to whether all these frankly crucial provisions apply to you as a ‘data controller’ and whether or not you’re compliant, you can contact us to carry out a full Data Protection Review of your organisation and advise you on how best to address any data protection compliance issues such a review might reveal.
My name is Mark Hook. I work for ISOLAS of Suite 23, Portland House, Glacis Road Gibraltar. My telephone number is +350 200 78363 and my email address is mark.hook@isolas.gi. So, what are you going to do with that information now?