Safeguarding privacy

The Data Protection Act was published in the Government Gazette, as Act XXVI of 2001, on December 14, 2001. This act is parallel to, and conforms to, Directive 95/46/EC of the European parliament and of the Council of October 24, 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

After its publication, the Act was placed in an incubator. Eighteen months later, on July 15, 2003 to be precise, a series of legal notices (LN 150-156 of 2003) were published, bringing into force the regulations.

The law is intended to "... make provision for the protection of individuals against the violation of their privacy by the processing of personal data and for matters connected therewith or ancillary thereto" (introduction to Chapter 440 of the Laws of Malta, also known as the Data Protection Act).

Under the Act, an organisation wishing to hold and/or process information about a person, either on a computer or otherwise, must, with certain exceptions, notify the Data Protection Commission about what data they wish to collect and for what reason.

Among other things, the notification must contain descriptions of the personal data being processed, the purposes for which they are being processed and the third parties to whom the information might be disclosed.

It is an offence to process personal data without notifying, unless the particular data are exempt from the notification requirement. The Commission may, if it believes to be appropriate, ask an entity to stop collecting any piece of information which has little or nothing to do with the purpose in question, as notified by the entity itself.

Once the Data Protection Commission finds the requirements of the data controller as complying with the Act, then this data controller is obliged to make fair use of such data.

The entity will also bind itself to protect the data from any illegal access to it. The data controller is also compelled to inform the data subject that data about her/him is being kept and for what reason it is being kept.

Furthermore, the data controller must ensure that the data is kept up-to-date and must not keep data longer than necessary. At the same time, the data subject may ask a data controller to update some information that may have become outdated, or possibly, may ask for the complete removal of any data concerning her/him from the data controller's records.

What can you, as a data subject, do if you feel your rights have been violated? The first obvious step is to try to settle things in a civilised manner with the data controller.

Ideally, all claims should start, and stop, at the data controller's desk. But if you feel you did not get a satisfactory result, then you should contact the Data Protection Commission.

The Commission is obliged to look into any such claim it receives and inform the data subject of the outcome of the investigations.

Should the data subject be still unhappy of the outcome of the Commission's investigations then the case may be referred to the Data Protection Appeals Tribunal.

Being in conformity with the European Union's Directive 95/46 also gives the data subject protection of personal data in all the European Union's member states. That is, the policies that local data controllers are obliged to adhere to a local data subject also hold for all data controllers in all the member states in respect of all local data subjects. On the same argument, local data controllers have to adhere to the same regulations applicable to EU data subjects.

On the same day the Data Protection Act came into force, Erkki Liikanen, member of the European Commission responsible for enterprise and information society, gave a press conference on the issue of unsolicited e-mails, more commonly known as spam.

Spam is a worrying issue since personal data is transmitted through the internet without the actual consent of the individual. This is a clear threat to data protection.

In his speech, Mr Liikanen said that statistics about spam were very worrying, reaching about 50 per cent globally. Apart from being very annoying, "taking care" of spam is time-consuming. And, as the old proverb goes, time is money.

Mr Liikanen quoted research institute Ferris saying that in 2002 spam cost European companies €2.5 billion just in terms of lost productivity.

The cost is not only monetary though - psychologically, spam weakens the consumers' confidence in the building of an e-society since they find themselves betrayed.

Spam may also require the provision of new legislation to safeguard the rights of the individual similar to the provisions of The Press Act.

In the recent referendum and election campaigns in Malta, a number of libellous e-mails were spammed and although reports had been made to the police no criminal action was taken. Even in cases where the spammer was known.

Mr Liikanen believes that the Commission, through a series of effective regulations, will be able to fight back spam, and spammers, successfully.

Without any doubt, this is a positive step forward. Hopefully, all data controllers and data subjects will learn to live together in harmony.

It is clear that organisations that use personal data will have to change the way they operate. Many organisations and private firms would require a total culture change and additional resources to comply with the various regulators and agencies requesting information from the economic operators.

Furthermore, there might also be the need for specialised service providers - consultants - to give advice on the various legal obligations being imposed on firms/organisations through the various legislation and legal notices coming into force.

It is also the duty of the state to encourage the dissemination of information on the citizens' rights under the various legislation being introduced in Malta.

Use should be made of the local media. Putting billboards on our shabby roads is not enough. It is for this purpose that I continue to emphasise the persistent message that a communications strategy must be incorporated into any project, public or private.