SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

Transcription

1 DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) [S.L SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS 30th September, 2004 LEGAL NOTICE 142 of 2004, as amended by Legal Notices 188 of 2012 and 146 of The title of these regulations is the Data Protection (Processing of Personal Data in the Police Sector) Regulations. 2. (1) In these regulations, unless the context otherwise requires: "Act" means the Data Protection Act; "body exercising police powers" means the Police, Customs Department or other authority that is authorised by national law to detect, prevent and investigate offences or criminal activities and to exercise authority and take coercive measures in the context of such activities and excludes authorities, bodies, agencies or units dealing especially with national security issues. For the purpose of these regulations, the European Police Office Europol and Eurojust shall be considered as bodies exercising Police powers; "for Police Purposes" means all the tasks which the police (or other public entities, authorities or bodies exercising police powers) must perform for the prevention and suppression of criminal offences or the maintenance of public order; "identifiable person" means a natural person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. A natural person shall not be regarded as identifiable if identification requires an unreasonable amount of time, cost or manpower effort; "controller" means the Commissioner of Police or his representative, or any other head of a public authority or body exercising police powers or his representative. (2) The definitions contained in article 2 of the Act shall, unless the context otherwise requires and subject to the provisions of subregulation (1), apply to these regulations. 3. (1) The scope of these regulations is to ensure a high level of data protection in the Police sector, in accordance with the principles contained in Recommendation No. R (87) 15 of the Council of Europe. (2) The Act shall be extended to apply to public bodies exercising police powers to the extent as is provided in these regulations. Citation. Interpretation. Amended by: L.N. 146 of Cap Scope. Substituted by:

2 2 [S.L DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) Control and notification. Amended by: Collection of personal data. Requirements for processing. 4. (1) Without prejudice to article 23 of the Act, the controller shall notify the Commissioner for Data Protection where in the exercise of his duty, the controller is required to process personal data for police purposes. (2) The notification referred to in subregulation (1) must specify: (a) the name and address of the controller and of any other person authorised by him in that behalf, if any; (b) the purpose or purposes of processing; (c) a description of the category or categories of data subject and of the data or categories of data relating to him; (d) the recipient or categories of recipients to whom the data might be disclosed. (3) Public bodies exercising police powers shall consult with the Information and Data Protection Commissioner, prior to processing personal data which will form part of a new filing system to be created where: (a) sensitive personal data are to be processed; or (b) the type of processing, in particular using new technologies, mechanism or procedures, holds otherwise specific risks for the fundamental rights and freedoms, and in particular the privacy of the data subject. 5. (1) The collection of personal data for police purposes shall be such as is necessary for the prevention, suppression, investigation, detection and prosecution of specific criminal offences or for the prevention of real danger, or as specified in any law. (2) Without prejudice to article 23 of the Act, where personal data has been processed without the knowledge of the person concerned, the data subject should only be informed, where practicable, that information is held about him, as soon as the object of police activities is no longer likely to be prejudiced, and if the data are not deleted. (3) The collection of personal data by technical surveillance or other automated means can be performed for police purposes, or in accordance with any law. (4) The processing of sensitive personal data is allowed if this is necessary for the purposes of a particular inquiry. 6. (1) The processing of personal data for police purposes shall as far as possible, be limited to accurate data and to such data as are necessary to allow the public authority exercising police powers to perform their functions according to Law and to fulfil international obligations arising out of any convention, treaty or bilateral agreement relating to police matters to which Malta is a party.

3 DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) [S.L (2) Collection of personal data for police purposes shall not be processed for any other purpose that is incompatible with such police purposes. (3) Personal data processed for police purposes shall not be kept for a period longer than is necessary having regard to the police purposes for which they are processed. (4) The controller shall take reasonable measures to complete, correct, block or erase personal data to the extent that such data is incomplete or incorrect having regard to the police purposes for which they are processed. 7. The processing of personal data for historical, statistical or scientific purposes shall not be regarded as incompatible with police purposes provided that the controller shall ensure that: (a) the appropriate safeguards are in place where personal data processed for historical, statistical or scientific purposes may be kept for a period longer than is necessary having regard to the purposes for which they are processed; or (b) personal data kept for historical, statistical or scientific purposes shall not be used for any decision concerning a data subject. 8. (1) The communication of personal data between different bodies exercising police powers shall only be permitted where there exists a legitimate interest for such communication within the framework of the legal powers of such bodies. (2) Communication of personal data from bodies exercising police powers, to other Government Departments or to bodies established by law, or to other private parties may only be made in accordance with regulation 10 if: (a) there exists a legal obligation or authorisation to communicate such data ; or (b) the Commissioner for Data Protection authorises such communication of data. (3) In exceptional cases, communication of personal data from bodies exercising police powers, to other Government Departments or to bodies established by law, or to other private parties, may also be made if: (a) it is clearly in the interest of the data subject and either the data subject himself has consented to the communication or circumstances are such as to allow a clear presumption of such consent; or (b) it is necessary for the prevention of a serious and imminent danger. (4) Bodies exercising police powers may also communicate personal data to other Government Departments or bodies established by law, if the data are necessary for the recipient to enable him to fulfil his lawful task and provided that the purpose of the processing to be performed by the recipient is not incompatible Processing for historical purposes, etc. Communication of personal data.

4 4 [S.L DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) with the original processing or contrary to the legal obligations of the body exercising police powers. Communication of data to foreign authorities. Amended by: L.N. 188 of 2012; L.N. 146 of Requests for communication. Substituted by: L.N. 146 of (1) Without prejudice to the provisions of any law or regulation laying down specific rules on the processing or exchange of personal data in the context of police and judicial cooperation, transfer of personal data to foreign authorities may only be made in accordance with regulation 10 and if the recipients of such data are bodies exercising police powers. (2) Subject to subregulation (1), such transfer of data shall only be permissible if there exists a legal obligation under any law, any European Union law, or an international obligation under a treaty, convention or international agreement on mutual assistance, to which Malta is a party. (3) In the absence of a provision as referred to in subregulation (2), transfer of data to foreign authorities may also be made if such communication is necessary for the prevention of a serious and imminent danger, or is necessary for the suppression of a serious criminal offence. 10. (1) Requests for communication of personal data shall be submitted in writing to the body exercising police powers, and shall include an indication of the person or body making the request and of the reason and purpose for which the request is made unless any other law or any international agreement to which Malta is a party, provides otherwise. (2) The body exercising police powers shall reply in writing informing the body making the request of the decision taken as to whether the request can be met or not. (3) Notwithstanding the provisions of sub-regulation (1), the body exercising police powers may, without any prior request being necessary, communicate in writing to the body exercising police powers within the European Union, personal data in cases where there are factual reasons to believe that the data could assist in the detection, prevention or investigation of any serious criminal offences. (4) The provisions of sub-regulation (3) shall also apply to communication of personal data with other bodies established under European Union law, in so far as the exchange of information refers to a criminal offence within their mandate. (5) The body exercising police powers shall keep a record of all personal data communicated, indicating the following: (a) the details of the body making the request; (b) the purpose and reason for the request; (c) the date of transmission of data. (6) Personal data communicated from bodies exercising police powers, to other Government Departments or to bodies established by law, or to other private parties, or to foreign authorities, shall not be used for purposes other than those specified in the request for communication of data without the authorisation of the bodies

5 DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) [S.L communicating such data. (7) When it is necessary that personal data referred to in subregulation (6) be used for purposes other than those for which it was requested, the recipient shall submit a new request to the body exercising police powers in accordance with sub-regulation (1), and that data shall not be used by the recipient for purposes other than those included in the original request unless there is written agreement to the new request. 11. In the communication of personal data the following rules shall, as far as possible, be adhered to: (a) the accuracy of the data shall be verified no later than at the time when the data are first disclosed; (b) data based on opinions or personal assessments shall be checked at source prior to its disclosure and its degree of reliability or accuracy shall be indicated; (c) data consisting of judicial decisions or decisions not to prosecute should be clearly indicated as such; (d) data that are no longer accurate or up to date shall not be communicated and in the event that it is discovered that data which have been communicated are no longer accurate and up to date, the recipients of the data shall be informed unless the granting of such information would involve a disproportionate effort. 12. Without prejudice to the provisions of these regulations, the body exercising police powers may, in the course of executing their duties for the prevention, suppression, investigation, detection and prosecution of criminal offences, have access to a personal data filing system held for purposes other than police purposes, in accordance with the law provided that the communicating body or the Commissioner for Data Protection has authorised such access. 13. (1) The data subject may request in writing the following from the controller: (a) whether personal data is being processed about him for a stated purpose, (b) rectification, blocking or erasure of data that has not been processed in accordance with these regulations. (2) Without prejudice to article 23 of the Act, the controller shall provide the data subject with information in accordance with article 21(2) of the Act and rectify, block or erase personal data subject to article 22 of the Act and without excessive delay and without expense. Provided that: (a) the rights of access, rectification and blocking are not restricted or refused in accordance with subregulation 3, or (b) in the interest of the data subject, there is no other law excluding the provision of information. Safeguards for communications. Access to other files. Rights of access, rectification and appeal.

6 6 [S.L DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) (3) The exercise of the rights of access, rectification and blocking or erasure by the data subject, shall only be restricted or refused insofar as the restriction or refusal is justified for the purpose of the suppression of criminal offences, or is necessary for the protection of the data subject or the rights and freedom of others. (4) The data subject shall be informed in writing of the decision imposing a restriction or refusal to the exercise of the rights mentioned in subregulation (3) and shall include reasons for the restriction or refusal: Provided that it shall be lawful not to communicate the said reasons if such restriction or refusal to communicate reasons is necessary for the performance of a legal task of the police or is necessary for the protection of the rights and freedom of others. (5) Where access, rectification or erasure are refused or restricted, the data subject shall be entitled to appeal to the Commissioner for Data Protection within thirty days from when the data subject is informed, or may reasonably be deemed to have known, of the decision. (6) In considering the appeal the Commissioner for Data Protection shall review the decision and shall satisfy himself that the refusal or restriction is reasonable and well founded. Compensation for damages. Substituted by: Confidentiality of processing. Added by: Security of processing. Added by: 14. Where a data subject has suffered damage as a result of an unlawful processing operation, or of any act incompatible with these regulations, he shall be entitled to exercise an action for damages in accordance with article 46 of the Act. 15. (1) Any person who has access to personal data which falls within the scope of these regulations may process such data only if that person is a member of, or acts on instructions of public bodies exercising police powers, unless he is required to do so by law. (2) Persons working for a public body exercising police powers shall be bound by all the data protection rules applicable to such body and also any other law or legally binding instrument regulating confidentiality and secrecy applicable to their official capacity. 16. (1) Public bodies exercising police powers shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission over a network or the making available by granting direct automated access, and against all other unlawful forms of processing, taking into account in particular the risks represented by the processing and the nature of the data to be protected. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

7 DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) [S.L (2) In respect of automated data processing, public bodies exercising police powers shall implement measures designed to: (a) deny unauthorised persons access to data-processing equipment used for processing personal data (equipment access control); (b) prevent the unauthorised reading, copying, modification or removal of data media (data media control); (c) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control); (d) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control); (e) ensure that persons authorised to use an automated data-processing system only have access to the data covered by their access authorisation (data access control); (f) ensure that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available using data communication equipment (communication control); (g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems and when and by whom the data were input (input control); (h) prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (transport control); (i) ensure that installed systems may, in case of interruption, be restored (recovery); (j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (reliability) and that stored data cannot be corrupted by means of a malfunctioning of the system (integrity). (3) Where a public bodies exercising police powers engages a processor to act upon its behalf within the meaning of article 25 of the Act, such processor may be designated only if it can guarantee observance of the requisite technical and organisational measures under sub-regulation (1) and comply with the instructions of the public bodies exercising police powers under regulation 15. The public bodies exercising police powers shall monitor the processor in those respects. (4) Personal data may be processed by a processor only on the basis of a written contract or by any other legally binding instrument laying down specific data protection rules applicable to the entrusted data processing.

8 8 [S.L DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) Independent supervision. Added by: English text to prevail. Re-numbered by: 17. (1) The Information and Data Protection Commissioner shall be responsible for the independent supervision and to provide advice and monitor the application of these regulations. (2) In order to ensure compliance with these regulations the Information and Data Protection Commissioner shall exercise the same functions and powers as conferred to him under the Act. (3) Pursuant to sub-regulation (2), the Information and Data Protection Commissioner may impose fines as stipulated in the Act and as may be prescribed by means of regulations laying down effective, proportionate and dissuasive penalties to be imposed in case of infringements of said Act and regulations made thereunder. 18. In the case of conflict between the Maltese and English texts of these regulations, the English text shall prevail.