(This article was originally published in the iTech Supplement of the Times of Malta in September 2002)
Data Controllers need not worry about the responsibilities imposed by the new Data Protection Act. They simply need to appoint a Personal Data Representative.
With the introduction of the Data Protection Act, organizations must ensure that the data protection principles laid down in the new legislation are adhered to. For this purpose, organizations can either have their own in-house personnel taking care of DP issues or alternatively they can appoint a Personal Data Representative.
The Personal Data Representative (PDR) is a person appointed by the data controller and has to ensure that personal data is processed in a correct and lawful manner.
The PDR holds an independent office and can be compared to an 'auditor' of personal data processing. He serves both as a link between the data controller and the Data Protection Commissioner as well as between the data controller and the data subjects on whom personal data is being processed.
The main functions of the PDR are of ensuring that the data controller who has appointed him processes personal data in accordance with the Data Protection Act and according to good practice.
The PDR, during the review of the processing of personal data as implemented by the data controller, has the duty to point out any irregularity found therein to the controller in order for the controller to rectify such breach.
The independence of office of the Personal Data Representative can be evidenced clearly by the fact that the PDR has the duty at law to report to the Commissioner if the data controller fails to rectify the inadequacies in the processing of personal as previously pointed out by the Representative to the data controller.
This highlights the fact that although the Personal Data Representative is appointed by a data controller, he is not answerable to the data controller, as his duty is to ensure that personal data is being properly processed and therefore protected.
Consulting with the Commissioner in the case of doubts of interpretation of the law, especially rules relating to the processing of personal data, is another important function of the PDR.
Surely, PDRs are more fluent in Data Protection issues and jargon and the relationship between controllers and the Data Protection Commissioner can result in being more efficient with the introduction of a Personal Data Representative in the picture as they can provide professional help in DP matters.
One of the biggest, and most evident, advantages to data controller that opt to appoint a Personal Data Representative is the shift in notification duties. Notification responsibilities of controllers would now be in the hands of the data protection representative who would maintain a register of the processing of personal data of the controllers to which the Data Protection Commissioner can refer to should the case arise. Therefore, with the introduction of a Data Protection Representative, controllers need not send their notifications to the Commissioner but are kept in a register with the Personal Data Representative who will be responsible to keep it up to date.
The Personal Data Representative has also to assist data subjects in matters relating to the protection and proper usage of their personal data advising data subject in cases when personal data is incorrect or incomplete. This is another instance where the independence of office of the PDR can be seen as he is not only ensuring that the data controller is acting according to law but also helping the data subjects themselves should they have any queries.
The new DPA also lays down that the Personal Data Representative has the obligation to submit for prior checking with the Commissioner any issues relating to the processing of personal data that involves particular risks of improper interference with the rights and freedoms of data subjects.
The Maltese Data Protection Commissioner has not as yet laid down the standards and requirements for persons to be able to act as a Personal Data Representative. It is prospected that these guidelines will be issued once the Data Protection Act will come fully into force.
No comments:
Post a Comment