
Data protection: implications for organisations
Organisations must be aware of the implications of data protection and the proposed legislation in this regard, Eric Muscat of global consultants KPMG said.
Among the action points required, organisations have to identify data that falls under the bill by:
Using process models;
Using workshops;
Analysing databases;
Analysing manual filing systems; and
Seeing whether the organisation makes use of a bureau service.
The impact of the data protection law will be such that there will have to be more control over systems, which will have to be well documented and have audit trails in place.
"There will be a need to appoint a controller, as well as having well trained IT staff," Mr Muscat said.
He also encouraged the setting up of a Personal Data Representative (PDR), who would receive derogation from the obligation for notification. The representative will be independent of the controller and must ensure that processing is carried out in a lawful and correct manner and in accordance with good practice.
"In case of a contravention which is not rectified, he is obliged to notify the competent authority. The PDR will maintain a register of that which would have been subject to notification and he will assist the data subject to exercise his rights," Mr Muscat said.
He added that there was a need to ensure business continuity, thus the establishment of a competent authority.
"The Authority must be notified before any data processing occurs. The authority must be aware of the name and address of the controller/representative, the purpose for the processing of data, the different categories of related data subjects, the recipients to whom the data might be disclosed, any proposed transfer to third countries and a general description of security measures," Mr Muscat said.
He said that the three bills will require every organisation to control its information requirements and to apply the best practice.


