How will your business be affected by the new Data
Protection Act? MATTHEW VELLA speaks to Data Protection Commissioner
Prof. John Mamo
Data Protection Commissioner Prof. John Mamo has seen
the Data Protection Act come into operation ever since the bill first
passed through Parliament in December 2001. The Commission was subsequently
set up in March 2002, and he was appointed its first commissioner.
The DPA, until now a little-known formality, though the principle behind it is enshrined within
the Maltese Constitution, is now fully operational. Prof. Mamo yesterday
gave a rundown of the Commission's activities since March, when the
act came into full operation. The Commission is now in the process of
finalising a twinning agreement with a senior EU member state that will
guide it in the implementation of the law itself.
The DPA, modelled on EU Directive 95/46/EC dealing with Data Protection,
makes provision for the protection of individuals against the
violation of their privacy by the processing of personal data and for
matters connected therewith or ancillary thereto.
"The right to privacy of the individual had already been enshrined
within the Constitution," John Mamo says, "and that is the
safeguard of privacy which is a fundamental human right. In this sense
this is a continuation of that act, but a formal structure has been
set up in order to ensure the full implementation of that right and
also to receive complaints from data subjects, that is individuals,
who feel their privacy has been abused."
In general, commercial bodies and entities cannot process sensitive
personal data without the explicit consent of the individual to whom
it belongs, but can do so if this information is publicly available,
such as an electoral register or a telephone directory. However, processing
of medical information to protect the health of the individual is allowed
as long as the person processing it is subject to the obligation of
professional secrecy, such as banks,
It is of great importance for commercial entities to understand the
full effects of the DPA. A business that employs personnel is at a minimum
in possession of employee data such as ID card numbers and addresses,
which must be protected. Client information also falls within the parameters
of this act. The DPA affects the processing of any information that
either relates to an identified natural person, or leads to the identification
of a data subject.
"This applies to information that is structured in such a way as to
facilitate the identification of a person, which could be contained
in databases, employee and customer files, and accounts records.
"Organisations are therefore required to respect privacy. Data
subjects who give their personal data to an organisation do so only
within the parameters of that personal information, meaning individuals
effectively decide how their own personal data is processed.
"Organisations therefore have to provide a structure which would
carry out the responsibilities related to the processing of personal
data. The DPA applies to any operation that involves the processing
of personal data, manual or automated. The act covers manual processing
such as the storage of data in filing cabinets."
This means that many functions of commercial entities will be affected
by the DPA, including personnel files, which may contain sensitive information
such as trade union affiliation and health details. Saviour Cachia,
special advisor to the Commission, says this information can be processed
to comply with the duties, or to exercise any rights, under any law
regulating the conditions of employment. However, this information cannot
be freely disclosed to third parties without prior authorisation from
the data subject.
Another area which is bound to be affected is sales and marketing data,
where personal information cannot be used for direct marketing purposes
if the data subject chooses not to be included in such campaigns. This
will also encompass personal data processed by IT systems.
"Where before there were fewer safeguards for the processing of
information when it came to databases or mass marketing, today there
will be more safeguards for data subjects. Now they can defend themselves
against the abuse of their personal information. Malta is now coming
up to date with the legislation that exists all over the world."
As a judicial organ, the Data Protection Commission will also receive
complaints from data subjects who feel that their information has been
abused. "Every person who feels aggrieved has a right to make a
complaint with us and we will first try to settle it amicably with both
the data subject and the entity being charged. Before, there was no control
over the information being given to commercial organisations."
Additionally, all commercial entities will have to appoint a controller
of personal data, who determines the purpose and method of personal
"We are currently setting out the qualifications for a data controller
as well as trying to establish a special course leading up to these
qualifications. At the moment people who come to mind for the post of
data controllers are lawyers and accountants. Moreover, a personal data
representative will be appointed by the data controller to ensure the
correct processing of personal data or to maintain a register of the
processing of the information."
The controller will have to notify the Data Protection Commissioner
before carrying out any operations involving personal data. It is possible
for some of the functions of the controller to be delegated to the personal
data representative. The personal data representative, in turn, has to
honour certain obligations towards the Data Protection Commissioner
as stipulated in the Act.
Compliance with the DPA will be ongoing since controllers have to ensure
personal data processing is compatible with the initial purpose for
which it has been collected. "Organisations should inform the Data
Protection Commission or the personal data representative when the purposes
change. The controller is required to ensure that the data maintained
by the organisation is correct."
This could involve regularly updating the information, and data should
not be kept for longer than is necessary.
Is the business required to provide any information to the data subject
when personal data is collected?
"Whenever personal data is collected, the controller must provide
the data subject with information relating to the intention behind the
data processing, or assure them that no information will be given to
The data subject also has the right to know whether the controller processes
his or her own personal data. Following a request in writing by the
data subject, the controller must reply also in writing as to whether
personal data relating to the data subject is being processed or not.
Companies should have by now already identified who could act as controllers
of personal data, such as heads of organisation, and those who will
act as their delegates when it comes to the processing of personal data.