Office of the Data Protection Commissioner

Guidelines & Publications


In terms of article 40 of the Data Protection Act, the Data Protection Commissioner regularly meets representatives of the various sectors with the objective of discussing and agreeing on the principles emanating from the Act and articulating them in the form of guidelines or codes of practice.


Education

Data protection guidelines on the processing of visual images in schools were launched on 27 October 2005.

These guidelines, the first in a series, have been jointly developed by the Data Protection Commissioner and a committee of school representatives composed of representatives of state schools, independent schools, church schools, the Education Division and the Office of the Prime Minister. The guidelines are intended to define good practice to be adopted in schools.

Data Protection Guidelines
Guidance for Schools - Processing of visual images in schools

Guidelines on Data Protection (Maltese version)
Guide for schools - Processing of visual images in schools (Maltese version)

Having issued the first set of guidelines on visual images, the education committee has now commenced other discussions on issues relating to the processing of documents within a school in order to identify procedures of good practice.


Insurance


Data Protection guidelines for the promotion of good practice in the Insurance Business Sector were launched on 15 February 2006 during an information session.

These guidelines have been jointly developed by a working group composed of representatives of the Malta Insurance Association, the Association of Insurance Brokers, the Malta Financial Services Authority and the Office of the Data Protection Commissioner. The working group will continue to meet to discuss further issues related to the sector in order to develop a more exhaustive document.

Guidelines for the promotion of good practice - Insurance Business Sector



Banking

Guidance notes applicable to the banking sector have been jointly developed between this Office and the Malta Bankers' Association. The purpose of these guidelines is to provide the data subject with good practice information on the applicability of the Data Protection Act to the processing of personal data by the banking sector.

Guidelines for the promotion of good practice - The Banking Sector



Journalistic


Dialogue meetings have commenced with the journalistic sector to develop the code of conduct, as required by law, applicable to journalists and to the media. Various topics have already been set on the agenda.



Security

Surveillance methods involving the collection or other processing of personal data are another area for which guidelines will be issued by this Office. Meetings with representatives from the sector are currently focusing on CCTV.



Engaging a Processor


Where a data controller subcontracts business or operational activities and for such reason entrusts a processor with the use of personal data, the controller shall still remain responsible in terms of data protection with regard to such processes carried out on his behalf.

Common examples of such processes include hiring an accounting firm to compile employees' payroll, or engaging IT service providers for maintenance and support.

In these cases, the relationship between a data controller and a processor should be regulated by a written contract in accordance with article 25 of the Data Protection Act.

In order to facilitate data controllers in complying with the above provision, the Commissioner has developed specific sample clauses which could serve as a basis for developing similar agreements or which may form part of business/ service level agreements developed between the parties.

Click here for the sample agreement.



Sample Website Privacy Policy and information clause


Data controllers are strongly encouraged to include a privacy policy on their website providing comprehensive information to site users in conformity with the requirements emanating from article 19 of the Data Protection Act.
Click here to view a sample Website Privacy Policy.

A sample data protection information clause, which can form part of an application form when personal data is collected from a data subject, is provided for guidance purposes and may be customised and adjusted by the data controller according to the requirements of the organisation:

"The personal information provided in this application form shall be processed in accordance with the provisions of the Data Protection Act (Cap. 440 of the Laws of Malta) and solely processed for the purpose(s) of [insert purpose/s].

Your personal information will not be disclosed to third parties without your express consent unless this will be strictly required by law.

You have the right to access, rectify and where applicable, the right to erase data concerning you. 

I do hereby authorise [insert company name] to process the data contained in this form for the above-stated purpose(s)."


Processing of personal data for research and statistics

Where personal data is used for research or statistics purposes, such processing involving identifiable data falls under the parameters of the Data Protection Act (Cap 440, hereinafter 'the Act') and therefore shall be carried out in compliance with the general obligations contained therein. However, the law gives special consideration to the processing of data for research and statistics.


Academic research

Where, in the course of academic studies, students or academics undertake research projects involving personal data, such information may be processed as it is considered necessary on public interest grounds.

The information shall only be processed for the research purpose and should be deleted or rendered anonymous once the purpose of the study has been achieved or where the identity of the research subjects is no longer necessary.

Where personal data is used for academic research, the Act does not require the specific approval of the Data Protection Commissioner, unless such information involves sensitive data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life. If one of the abovementioned categories is processed, the Act stipulates that such research requires the approval of the Commissioner upon advice from a research ethics committee recognised for such purposes. The Commissioner recognised the University Research Ethics Committee (UREC) as the advisory body and entrusted it with the approval of academic research involving sensitive data.

Given that every project involving human subjects always requires an ethical approval from UREC, the Commissioner reached an agreement whereby UREC approves projects both in terms of ethical and data protection considerations in order to speed up the research process. Such approval is granted on the condition that the researcher abides by the necessary data protection requirements which are contained in the application form submitted by the researcher. 

Research projects are first evaluated by the respective faculty research ethics committee and, if the application fulfils the necessary criteria, forwarded to UREC for approval. Where, in the evaluation of specific projects, there is uncertainty on complex data protection issues, the Commissioner is always consulted.

The UREC periodically forwards a list of approved projects to the Commissioner for formal endorsement. Meanwhile, the researcher is allowed to proceed with his project immediately upon approval from UREC.

The application form and further information about UREC are available on the following website: http://www.um.edu.mt/urec/


Non-Academic research

In cases of non-academic research involving personal data (e.g. research carried out by a business institution or a regulatory body), such processing is acceptable provided that it satisfies one of the legal criteria contained in the Data Protection Act. If the research is undertaken for business or marketing purposes, under normal circumstances such processing would require the consent of individuals unless the data is rendered anonymous at the collection stage. In cases where an entity carries out research in the exercise of a public or regulatory function, and is therefore legally empowered or obliged to collect such information, the consent of individuals would not be necessary.

Where the research involves sensitive data, such processing may occur with the explicit consent of the individual or where such research is in the public interest, and with the approval of the Commissioner after consulting a research ethics committee. For the purposes of approving medical research which is non-academic, the Commissioner recognised the Health Ethics Committee (HEC), falling under the Superintendent of Public Health, as his advisory body. The HEC is also responsible for the approval of clinical trials. The same procedure adopted with UREC for academic research has been applied with HEC: the researcher submits an initial application to the HEC, which is evaluated by the Committee on both ethical and data protection aspects. A list of approved projects is then periodically sent to the Commissioner for formal endorsement.

Click here for further information about HEC and the relevant application forms:

https://ehealth.gov.mt/HealthPortal/others/regulatory_councils/health_ethics_committee/health_ethics_committee.aspx


Use of sensitive data for statistics

In the case of sensitive data processed for the compilation of statistics, this would in principle only be permitted with the explicit consent of participants. However, where such statistics are necessary in the public interest, they may be collected subject to the direct approval of the Commissioner himself.


Basic principles and exceptions

Given the above premise, researchers should always use due caution and good practice when processing personal or sensitive information for research and statistics. In those cases where direct one-to-one contact will be made with the participant, informed consent should always be sought. Where consent is not a prerequisite (e.g. in cases where the researcher is empowered by a specific law), participants should at least be informed of the purposes for which their personal data will be processed and of any recipients to whom it may be disclosed. Participants should also be informed about their right to request access to the personal data and, where applicable, the correction or deletion of such information.

In those cases where personal data is not collected directly from the individual but from other sources, the law provides an exception from the aforementioned requirement to inform the participants if this proves impossible or would involve a disproportionate effort. Another exception relates to the right of access of an individual, which may be inapplicable if the data is solely processed for scientific research and only kept for the period necessary to compile statistics.

Safeguards

Personal details should only be kept for the period necessary to compile the research. Information should be rendered anonymous at the earliest opportunity, especially once the research purpose has been achieved. In cases where identification is necessary even after completion of a specific study (e.g. follow-up research), the use of pseudonyms, coding techniques or segregation of data should be considered in order to render the information partially anonymous during the period in which identification is not required.

Adequate security mechanisms should also be implemented in order to protect the information from unauthorised access, use or disclosure.
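The following is an added illustration of the pseudonymisation and data segregation described above; it is not material from this Office. It assumes a constructed research dataset with fictional values, and it replaces direct identifiers with a keyed code so the analysis table can be used without identities, keeps the code-to-identity link in a separate table held under separate control, and drops the codes entirely once identification is no longer required.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional names and ID numbers, not real data).
RAW_RECORDS = [
    {"name": "A. Borg", "id_card": "000001M", "age": 34, "outcome": "improved"},
    {"name": "C. Vella", "id_card": "000002M", "age": 51, "outcome": "unchanged"},
    {"name": "A. Borg", "id_card": "000001M", "age": 34, "outcome": "improved"},  # follow-up visit
]

DIRECT_IDENTIFIERS = ("name", "id_card")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed code for one person: stable for the same identifier under the same key,
    so follow-up records can be linked, but not reversible without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into an analysis table (no direct identifiers) and a
    link table (code -> identity) that is stored and controlled separately."""
    analysis, link_table = [], {}
    for rec in records:
        code = make_pseudonym(key, rec["id_card"])
        analysis.append(
            {"code": code, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
        link_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analysis, link_table


def anonymise(analysis):
    """Once identification is no longer needed: remove the codes as well
    (the link table and key should be destroyed at the same time)."""
    return [{k: v for k, v in row.items() if k != "code"} for row in analysis]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept with the link table, apart from the analysis data
    table, links = pseudonymise(RAW_RECORDS, key)
    print("analysis rows:", table)
    print("link table (segregated):", links)
    print("fully anonymised:", anonymise(table))
```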