Data Protection Policy

EXECUTIVE SUMMARY

The General Data Protection Regulation (EU) 2016/679 (GDPR), and the Data Protection Act (Cap 586) regulate the processing of personal data whether held electronically or in manual form. The Office of the Attorney General is set to fully comply with the Data Protection Principles as set out in such data protection legislation.

PURPOSE AND SCOPE

The Office of the Attorney General collects and processes information to carry out its obligations in accordance with present legislation. All data is collected and processed in accordance with Data Protection Legislation and the General Data Protection Regulation.

This policy will be communicated to all staff through their personal email.

In addition to all the above requirements all staff is reminded to strictly adhere to all obligations outlined under the Official Secrets Act (Cap 50).

DATA PROTECTION PRINCIPLES AS PER THE GDPR

As per Article 5 of the GDPR, the Attorney General, being the data controller, has the responsibility of ensuring that his Office ensures that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

DATA CONTROLLER AND DESIGNATED OFFICERS

For the purposes of the Act the Data Controller is Dr. Peter Grech LL.D in his capacity of Attorney General. Mr. Jonathan Sciberras will be the Office Data Protection Officer and will provide guidance and support to the staff generally.

RESPONSIBILITY AND ACCOUNTABILITY FOR DATA PROTECTION

The Attorney’s General Office is classified as a controller of personal data under the GDPR and is therefore ultimately responsible for the implementation of appropriate policies and procedures in order to ensure compliance with the GDPR. However, day to day matters will be dealt with by the Office Data Protection Officer. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Office Data Protection Officer who will in turn refer to the Data Controller depending on the case in hand.

The Data Controller:

Has overall responsibility for ensuring that the office

​​ Manages its information and records properly and is compliant with all the relevant legislation. ​

 For ensuring that Management is briefed on all relevant information issues and obtaining where necessary the appropriate approvals for any actions required. ​

 Is accountable for the processing of personal data within the office such that compliance with the Act and good practice can be demonstrated. ​

 Is responsible for ensuring that the necessary policies and procedures are implemented, where appropriate, reviewed, and adhered to. ​

 Advising on personal data security and risk management. ​

 Compliance with this policy. ​​

 Liaising with Data Protection Officer.

RECIPIENTS OF DATA

Personal Information is accessed by the employees who are assigned to carry out the functions of the Office of the Attorney General. Personal Data will be disclosed to the Administration. Disclosure can also be made to third parties but only as authorized by law.

SECURITY OF PERSONAL DATA

The need to ensure that data is kept securely means that precautions must be taken against accidental destruction or loss or unlawful forms of processing of personal data and that both access and disclosure must be restricted.

​Data Controller should ensure that:

 Any personal data which the office hold is kept securely; and Personal data is not disclosed either orally, in writing, electronically or otherwise to any unauthorised person.

Personal data should:

​ Not be left lying around; ​

 Be kept in a locked filing cabinet or in a locked drawer; ​

 If in electronic format, be password protected; ​

 Be strictly retained for a period not longer than necessary and deleted after such period.

All Staff should make sure to adhere with these instructions.

YOUR RIGHTS

You are entitled to know, free of charge, what type of information the Office of the Attorney General holds and processes about you and why, who has access to it, how it is held and kept up to date, for how long it is kept, and what the Unit is doing to comply with data protection legislation.

The GDPR establishes a formal procedure for dealing with data subject access requests. All data subjects have the right to access any personal information kept about them by the Office of the Attorney General, either on computer or in manual files. Requests for access to personal information by data subjects are to be made in writing and sent to the Attorney General. Your identification details such as ID number, name and surname

must be submitted with the request for access. In case we encounter identification difficulties, you may be required to present an identification document.

The Office of the Attorney General aims to comply as quickly as possible with requests for access to personal information and will ensure that it is provided within a reasonable timeframe and in any case not later than one month from receipt of request, unless there is good reason for delay. When a request for access cannot be met within a reasonable time, the reason will be explained in writing to the data subject making the request.

Should there be any data breaches, the data subject will be informed accordingly. 

All data subjects have the right to request that their information is amended, erased or not used in the event the data results to be incorrect.

In case you are not satisfied with the outcome of your access request, you may refer a complaint to the Information and Data Protection Commissioner, whose contact details are provided below.

The Data Protection Officer may be contacted on dpo.ag@gov.mt or by telephone +356 2568 3173.

Attorney General

The (Office of the Attorney General Data Controller) may be contacted at:

Office of the Attorney General

The Palace

Republic Street

Valletta

Telephone: +356 2568 3100

Email: ag@gov.mt

The Information and Data Protection Commissioner

The Information and Data Protection Commissioner may be contacted at: Level 2, Airways House, High Street, Sliema SLM 1549

Telephone: +356 2328 7100

Email: idpc.info@gov.mt​

​​​​​​