Rights of Personal Information Protection: PIMS are here to stay!



The United Nations Declaration of Human Rights (UDHR), Article 12, states:

"No one shall be subjected to arbitrary interference with his privacy...." This makes privacy an undeniable human right. Privacy is like breathing. Everyone needs it.

Personal Data Protection is an emerging issue around the world. Most nations are following the European Union's GDPR model of regulation when enacting local laws. Sri Lanka enacted the Personal Data Protection Act No. 9 of 2022 on March 9th, 2022. It binds all public and private organisations to protect personal information, to ensure the privacy of the data subject, and to give individuals control over their personal data.

Data Subject:

In data protection legislation, an individual is legally known as a data subject. A data subject has various rights relevant to their Personally Identifiable Information (PII).

Personally Identifiable Information (PII):

PII is any information that allows identification of an individual, either directly or in conjunction with other data. For instance, name, address, social security number, telephone number, email address and IP address are PII. This information can be maintained on paper, in electronic form or in other media.

Data Controller:

A data controller determines the purposes of data collection and processing. The employees processing personal data within an organisation fulfil the task of the data controller.

Joint data controller:

When two or more organisations jointly determine 'why' and 'how' personal data should be collected and processed, they become joint data controllers. This requires them to enter into an arrangement setting out their respective responsibilities for complying with data protection regulations. This arrangement must be communicated to the data subjects.

Data Processor:

The data processor processes personal data on behalf of the controller. 

The duties of the processor towards the controller must be specified in a contract, including what happens to the personal data once the contract is terminated. There can be situations where the data controller and the data processor are the same entity.

Data subjects have the following rights:

Right to informed consent:

Collecting personal data requires the informed consent of the data subject. The consent must be given freely and voluntarily, it must be specific, and it must be given without pressure or influence that could affect the personal choice. For the consent to be valid, the data subject must know the identity of the data controller, what kind of data will be processed, how it will be used and the purpose of the processing. The data subject must also be informed of his or her right to withdraw the consent at any time.

The right to be informed:

This includes the purpose of the data processing, data retention periods, and who the data will be shared with. This information is usually given in the privacy policy document in concise, transparent, easily accessible, clear and plain language.

The right of access to data:

The data controller must provide the data subject with confirmation that his or her data is being processed, a method of contacting the controller, a way to access the personal data, and instructions on how to make an access request.

The right to rectification of data:

The data subject has the right to have any personal information held by the data controller corrected, and to ask the controller to ensure the data is accurate.

The right to erasure or be forgotten:

The data subject has the right to ask the data controller to erase his or her personal data if the data is no longer necessary in relation to the purpose for which it was collected and processed, if the consent is withdrawn, or if the data subject objects to the processing and there is no overriding legitimate interest or ground to continue processing. The data subject can object to the use of personal data for direct marketing purposes. The data must be processed lawfully.

If a data subject exercises their right to erasure, the organization has to notify any third parties with whom the data was shared and request the erasure of data.

The data controller can refuse an erasure request on the following grounds:

to comply with a legal obligation or to perform a task in the public interest, in defence of a legal claim, or for a purpose relating to national security, public health, public interest, scientific or historical research, or statistics.

The right to restrict processing of data:

The data subject has the right to restrict the processing of personal data held by the data controller where:

  • The data subject has contested its accuracy.
  • The data subject has objected to the processing.
  • The data controller has no legitimate ground for processing the data.
  • The data controller no longer needs the data.
  • The data controller does not need the data to establish or defend a legal claim.


The right to data portability:

The right to data portability allows individuals to move, copy or transfer personal data easily from one data processor to another in a safe and secure way, without hindering its usability. This enables the data subject to obtain and reuse personal data across different services.

The right to data portability only applies:

  • To personal data the data subject has personally provided to the data controller.
  • Where the processing is based on consent or on the performance of a contract.
  • Where the processing is carried out by automated means (paper files are excluded).

The right to object:

The data subject has the right to object to the processing of his or her personal data in certain circumstances, and has an absolute right to stop the data being used for direct marketing.

The data subject can also object if the processing is for:

  • A task carried out in the public interest.
  • The exercise of official authority vested in the data controller.
  • The data controller's legitimate interests or those of a third party.

However, in these circumstances the right to object is not absolute, and the data subject must give specific reasons why he or she is objecting to the processing of their data.

The data controller would be able to continue processing the personal data of the subject if:

  • The data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
  • The processing is for the establishment, exercise or defence of legal claims.

Rights relating to automated decision making and profiling:

Automated decision-making takes place when an electronic system uses personal information to make decisions without human intervention.

The data controller may use automated decision-making in the following circumstances:

  • Where the data subject has been notified of the decision and given a period in which to request a reconsideration.
  • Where it is necessary to perform the contract and appropriate measures are in place to safeguard the data subject's rights.

With emerging privacy regulations, organisations need to align their ISMS to comply with personal data protection requirements.

Specifically, an organisation collecting personal data is obligated to provide information about:

  • the data controller's identity and contact details,
  • the purpose of the personal data processing,
  • the legal basis for the personal data processing,
  • third party involvement details, if any,
  • the personal data retention period,
  • the rights granted to the data subject under the data protection law,
  • the right to file a complaint,
  • whether the provision of personal data is a statutory or contractual requirement,
  • whether the individual is obligated to provide the personal data, and so on.

This information needs to be communicated in plain and clear language.

Data subjects have the right to know whether their personal information is being processed. The organisation is then obligated to provide a copy of the personal data it holds about the individual, together with additional information including:

  • the purpose of the processing,
  • the categories of personal data being processed,
  • with whom the data is shared,
  • how long the organisation will keep the data,
  • information about the rights of the data subject,
  • whether the data is used for automated decision-making, including profiling,
  • the source of the collected data, if not collected from the data subject.

The right to rectification allows individuals to ask the organisation to update any inaccurate or incomplete data it holds about them. Where the organisation receives such a claim, it should take steps to verify that the data is indeed inaccurate and then rectify it. This right sets new operational challenges for organisations, since rectifying one data set can have wider consequences across the entire database.

Many organisations use Artificial Intelligence (AI) and Machine Learning (ML) technologies for customer profiling for marketing purposes; these analyse personal behaviour to predict buying patterns, performance at work, economic situation, health, personal preferences, interests, reliability, behaviour or location. Data subjects have the right not to be subject to automated decision-making where it produces an effect on them.

Any violation of data subject rights attracts the highest tier of penalties under the GDPR: up to €20 million, or up to 4% of total global turnover for the preceding fiscal year, whichever is higher. The Sri Lanka Data Protection Act can impose penalties of up to Rs. 10 million, or more for repeated violations of personal data protection regulations.

This represents a real risk for the organisation, both financial and reputational, since operationalising data subject rights remains one of the main privacy compliance challenges. A Privacy Information Management System (PIMS) helps organisations establish information security controls to manage the risks involved in personal data protection. The ISO 27701 standard provides a framework for a PIMS for the protection of PII.


Niranjan Meegammana 
