white_paper_on_data_protection_in_india_171127_final_v2
The OAIC is mandated to ensure enforcement of the provisions of the Privacy Act. 791 The OAIC is appointed by the Governor‐General by a written instrument 792 for a duration of no more than five years. 793 To ensure the lawful enactment of the duties of the office, the OAIC may not engage in paid employment outside those duties without the Minister’s approval. 794

(ii) Functions, powers and duties of data protection authorities

European Union

The functions, duties and powers of the supervisory authority under EU GDPR include the following: 795

a. Monitoring, enforcement and investigation

The supervisory authority must monitor and enforce the application of the EU GDPR. It also has the power to handle complaints lodged by a data subject, and the duty to investigate the complaint (including obtaining from the data controller access to all personal data as required) and to inform the complainant of the progress and outcome of the investigation within a reasonable period. The supervisory authority has the power to order the rectification or erasure of personal data, issue warnings and reprimands, and impose administrative fines on a data controller in case of breach of data protection obligations. The supervisory authority also has the power to carry out data protection audits and impact assessments.

b. Advisory powers

The supervisory authority can advise the Member States and other institutions on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing.

c. Standard setting powers

The supervisory authority can establish codes of conduct, encourage the establishment of data protection certification mechanisms, data protection seals and marks, and undertake periodic review of issued certifications.

d. Awareness generation

The supervisory authority shall promote awareness among data controllers and processors of their obligations under the EU GDPR and promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing.

United Kingdom

The functions, duties and powers of the Information Commissioner of UK include the following: 796

a. Monitoring and enforcement

The Information Commissioner has the power to issue an ‘enforcement notice’, ‘assessment notice’ and ‘information notice’ in order to determine whether the data controller has complied with the provisions of the UK DPA. 797

b. Standard setting powers

The Information Commissioner may encourage trade associations to prepare and to disseminate to their members codes of practice, and where any trade association submits a code of practice to the Information Commissioner for her consideration, notify the trade association whether in her opinion the code promotes the following of good practice.

c. Awareness generation

The Information Commissioner must also provide educational materials to the public so that individuals are aware of their data protection rights. To ensure that data controllers are aware of their obligations in relation to the processing of personal data, the Information Commissioner can disseminate information on those obligations to data controllers.

Canada

The functions, duties and powers of the Privacy Commissioner include the following:

a. Monitoring, enforcement and investigation

The Privacy Commissioner’s investigative powers predominantly include the handling of all complaints filed under PIPEDA. 798 While conducting an investigation, the Privacy Commissioner may review evidence, collect relevant records, and enter any premises and prepare a report within one year of filing of the complaint that contains all the findings and recommendations. 799 Where the Privacy Commissioner deems a complaint resolvable without

791 The OAIC is established under Section 5, Australian Information Commissioner Act, 2010 (Australian Information Commissioner Act).
792 Section 14, Australian Information Commissioner Act.
793 Section 15, Australian Information Commissioner Act. Per Section 16, Australian Information Commissioner Act, the OAIC is not permitted to engage in paid employment outside the duties of her office without the Minister’s approval.
794 Section 16, Australian Information Commissioner Act.
795 See Articles 35, 57, 58, 77 and 83, EU GDPR.
796 Section 51, UK DPA.
797 Sections 40, 41A and 43, UK DPA.
798 Section 11(1), PIPEDA.
799 Section 13(1), PIPEDA.