And Why Do I Care? I’m in America (or India, or South Africa…)
A DPA is a Data Protection Authority. In some countries, it also goes by the name “Privacy Office”. It is the agency in a country, or even at the state/province level, that is responsible for data protection compliance in that area. Most DPAs will accept and investigate complaints about possible privacy violations. Some DPAs have enforcement authority. Most countries that have a privacy law will have a DPA. In some countries, the DPA has not been designated or set up. In a few countries, the function of the DPA may be within another agency, such as a Ministry of Communication.
Why should you care about a DPA? Their power to investigate, name and shame, and assess fines should get your attention. And this power may be extra-territorial, meaning it can reach across country borders. However, a more important reason to know about the DPA is that they are there to help you get privacy right. They are advocates of privacy and are most interested in helping organizations. Many DPAs provide excellent guidance information to employers, screening companies, and data subjects. DPAs are often very active in educating organizations and individuals about the proper way to handle and protect personal data. They provide guidance documents, host question and answer forums, and may even have games and interactive learning for young people. For employers, some DPA websites provide helpful guidance on crafting a proper Notice and Consent. The DPA website often has links to relevant legislation and procedural documents. Some DPAs host in-person training sessions. Many representatives from a DPA will speak at events. A couple of years ago, we were fortunate to have a presentation by a representative from the Mexican DPA (Federal Institute for Access to Information and Data Protection) at our National Association of Professional Background Screeners (NAPBS) Annual Conference.
In addition to being an excellent privacy resource, a DPA may post investigations and judgements on its website. Reviewing them can be an interesting way to learn how the local law is applied and what the focus for that DPA is. These judgements can be truly eye-opening. I shared one of my favorite ones from Canada in last month’s blog. The reference below from Hong Kong about the use of public information has also helped me explain to clients why a consent is always required, even for publicly available information.
Many of the best DPA websites are in English or provide some English language information. Some websites are only in the country’s local language. Even then, I am often able to find good information using translation websites such as Bing or Google Translate. For more information on that, check out January’s blog.
Below, I’ve listed some of the DPAs I have found to be most useful in my own privacy education. To find a DPA website, search for the country name and “data protection authority” or “privacy office”. The Austrian DPA has a list of many countries’ DPAs: http://archiv.dsb.gv.at/site/6280/default.aspx.
Australia: Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au/
The OAIC has a wealth of information on their site including guidance, explanations, and videos.
Canada: Office of the Privacy Commissioner of Canada (OPC) – www.priv.gc.ca/en/
In addition to many resources, including guides, case summaries, and training, the OPC lends some humor to the business of privacy. Check out some of the privacy cartoons: https://www.priv.gc.ca/en/about-the-opc/publications/illustrations/. Their Privacy Toolkit for Business (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/) provides training on PIPEDA in easy-to-understand language (French and English, of course).
Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) – www.pcpd.org.hk
This office provides workshops and has online courses. They have an excellent section on judgements and many helpful guidance documents: https://www.pcpd.org.hk/english/resources_centre/resources_by_topics/resources_by_topics.html. The Hong Kong Commissioner’s office also has good information on the use of data obtained from the public domain as well as the details of a complaint on the same topic. This is useful information to review if a screener is being asked to run background searches without the subject having been given a Notice or providing consent.
HK Commissioner’s Guidance on Use of Personal Data Obtained from the Public Domain: http://www.pcpd.org.hk/english/publications/files/GN_public_domain_e.pdf
Complaint: Use of personal data obtained from a public register (Case No.: 2002C04): http://www.pcpd.org.hk/english/enforcement/case_notes/casenotes_2.php?id=2002C04&content_type=3&content_nature=0&msg_id2=161
Ireland: Data Protection Commissioner – www.dataprotection.ie
This office has a short, and humorous, training video on the Data Protection Act called “My Data – Your Business?”: https://www.dataprotection.ie/docs/Training-and-Awareness/805.htm. They also have a great Q&A section on Data Protection in the Workplace, which covers background checks: https://www.dataprotection.ie/docs/Data-Protection-in-the-Workplace/1239.htm
UK: Information Commissioner’s Office (ICO) – https://ico.org.uk
This website has a wealth of information on data protection. For companies involved in screening, the information on the Employment Practices Code is invaluable: https://ico.org.uk/for-organisations/guide-to-data-protection/employment/.
Kerstin Bagus – Director, Global Initiatives
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.
Kerstin is a passionate participant in the National Association of Professional Background Screeners (NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, regions, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice, and this communication does not form an attorney-client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaims any warranties or responsibility or damages associated with or arising out of the information provided herein.