July 2003 - Important new Data Protection Act legislation in force since 1st July.

Introduction.

On the 1st July 2003 the Data Protection (Amendment) Act 2003 came into force. This important legislation substantially updates Irish Data Protection law by giving full effect to EU Directive 95/46 on Data Protection.

The legislation in this area is now entitled the Data Protection Acts 1988 and 2003 ("the Acts"). It is vital that all entities in Ireland dealing with information about living persons, whether computerised or in manual form, understand the rights conferred and the obligations imposed by this legislation.

What does Data Protection mean?

The legislation is concerned with the protection of the privacy of individuals in relation to the uses to which their personal information is put.

Examples of the type of information that the legislation covers include: an individual's name, address, telephone number, e-mail address, mobile number, PPS number, employment records, health records, financial records, credit history and family details.

Any entity which processes such personal information must ensure that it is collected fairly and then processed for legitimate purposes only. Failure to do so is unlawful and exposes Data Controllers and Data Processors to potential criminal and civil sanctions.

Conviction on indictment carries a maximum fine of €100,000.

Individuals value their data privacy rights very highly and are becoming increasingly concerned that their Personal Data is being misused. Personal Data is a valuable asset of any business and as with any other business asset it should be properly protected.

What does compliance with this legislation require?

The Acts set down the rights to be respected and the obligations to be adhered to before any entity operating in Ireland can lawfully collect, obtain, use, or store Personal Data.

It is worth remembering that the Acts extend to all Personal Data whether stored on computer, obtained from a website or stored on manual files created since July 2003. Manual files in existence prior to July 2003 will only come under the remit of the Acts in October 2007.

Some Key Terms

"Automated Data"
means broadly speaking, any information or data that is processed on computer or which is recorded with the intention that it should be processed on computer.

"Data"
means Automated Data and Manual Data.

"Data Controller"
means a person who alone or with others controls the contents and use of Personal Data.

"Data Processor"
means the person who processes Personal Data on behalf of the Data Controller but does not include an employee of a Data Controller who processes such data in the course of his/her employment.

"Data Subject"
means an individual who is the subject of Personal Data.

"Direct Marketing"
includes direct mailing other than direct mailing carried out in the course of political activities by a political party, a body established by statute, a candidate for election or the holder of elective political office.

"Manual Data"
means information that is kept as part of a Relevant Filing System or with the intention that it should form part of a Relevant Filing System.

"Personal Data"
means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in or likely to come into the possession of the Data Controller.

"Processing"
means the performance of any operation or set of operations on Personal Data including:
  • obtaining, recording or keeping the data;
  • collecting, organising, storing, altering or adapting the data;
  • retrieving, consulting or using the data;
  • disclosing the data by transmitting, disseminating or otherwise making it available;
  • aligning, combining, blocking, erasing or destroying the data.

"Relevant Filing System"
means any set of information relating to individuals that, although not computerised is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular individual is readily accessible.

"Sensitive Personal Data"
means Personal Data relating to a person's racial origin; political opinions or philosophical beliefs; trade union membership; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence including the outcome of any proceedings.

The Eight Data Protection Rules

These eight rules lie at the heart of Irish Data Protection law. Every Data Controller and Data Processor needs to be familiar with them and to obey them.

1. Obtain and process fairly and lawfully

To fairly obtain Personal Data, the Data Subject must be made aware, when the data is being collected, of the following:
  • the Data Controller's identity;
  • the purpose for which the Personal Data is being collected;
  • the persons or categories of persons to whom the Personal Data may be disclosed and;
  • any other information necessary to ensure that the processing is fair.
For the processing of Personal Data to be lawful the Data Subject must consent, or the processing must be necessary for one of the following reasons:
  • the performance of a contract with the Data Subject, or some essential pre-contract step carried out at his request, or
  • compliance with a non-contractual legal obligation, or
  • to prevent injury or damage to the health of the Data Subject, or
  • to prevent serious loss or damage to the property of the Data Subject, or
  • to protect the vital interests of the Data Subject, or
  • for the administration of justice, or
  • for the performance of a function conferred by law, or
  • for the performance of a Governmental or Ministerial function, or
  • for the performance of any other public interest function, or
  • to protect the legitimate interests of the Data Controller or some third party to whom the data is disclosed unless unwarranted because it would prejudice the fundamental rights, freedoms or legitimate interests of the Data Subject.
To lawfully process Sensitive Personal Data in addition to complying with the requirements above the Data Subject must explicitly consent, or the processing must be necessary for one of the following reasons:
  • the performance or exercise of any legal right or obligation imposed on the Data Controller in connection with employment, or
  • to prevent injury or damage to the health or serious loss or damage to the property or the vital interests of the Data Subject or another person, where consent cannot be given or cannot be reasonably obtained, or
  • to prevent injury to or damage to the health of, or serious loss or damage to the property of, another person where consent has been unreasonably withheld, or
  • where the processing is carried out by a not-for-profit organisation existing for political, philosophical, religious or trade union purposes in respect of its own membership or other persons in regular contact with the organisation, or
  • where the information is being processed having been made public deliberately by the Data Subject, or
  • for the purposes of obtaining legal advice, or in connection with legal proceedings or the establishment, exercise or defence of legal rights, or
  • for medical purposes, where carried out by a health professional or a person with an equivalent duty of confidentiality to the Data Subject, or
  • for statistical purposes under the Statistics Act 1993, or
  • where carried out by political parties or candidates for election purposes, or
  • where authorised by Ministerial Regulation for reasons of substantial public interest, or
  • in connection with the assessment or payment for tax, or
  • in relation to the administration of a Social Welfare scheme.

2. Keep accurate, complete and up to date.

Personal Data must be kept accurate, complete and up to date. This means that databases should be periodically reviewed, inaccurate data corrected and redundant data deleted. This obligation does not extend to back-up data kept for that purpose.

3. Keep for specified, explicit and legitimate purposes.

Personal Data may only be kept for purposes that are specific, lawful and clearly outlined in advance to the Data Subject and may then only be processed in a manner that is compatible with the stated purposes. A Data Subject has the right to know why his/her Personal Data is being held and can demand an explanation of the reasons why it is being used.

4. Do not then process for incompatible purposes.

Personal Data cannot be processed or disclosed in a manner that is incompatible with the purpose(s) for which it was originally obtained unless further consent to such processing is first obtained from the Data Subject or certain limited circumstances provided for in the Acts apply.

5. Ensure that it is adequate, relevant and not excessive.

Personal Data that is not required to achieve the specific stated purpose cannot be collected. Any Personal Data, which is irrelevant or excessive, must be deleted from the database.

6. Retain for no longer than is necessary.

Personal Data must not be retained for longer than is necessary for the purposes for which it was first obtained. Redundant Personal Data should be periodically purged from the relevant databases.

7. Keep safe and secure.

Data Controllers must ensure that appropriate security measures are in place to guard against unauthorised access to, or unauthorised alteration, disclosure or destruction of Personal Data.

A balance must be struck between what is currently technically available and the costs of implementation. The level of security must be proportionate to the risk and to the consequences for the individuals if their Personal Data is unlawfully accessed, damaged or destroyed. The more sensitive the Personal Data, the higher the level of security needs to be.

Employees must be properly trained. If any activities such as, for example, HR or Payroll have been outsourced, a written contract must exist which requires the contractor to abide by the Data Protection Rules, to act only on the Data Controller's instructions as regards Personal Data, and which guarantees that adequate security measures are in place.

8. Comply with access requests from Data Subjects.

Upon making a written request, a Data Subject has the right to receive the following within 40 days:
  • confirmation whether or not the Data Controller is processing Personal Data relating to the Data Subject;
  • a description of the Personal Data being processed;
  • the purposes for which it is being processed;
  • the identities of those to whom it is disclosed;
  • a copy of the Personal Data;
  • confirmation of the source of the Personal Data (unless its disclosure is contrary to the public interest);
  • if automated processing of the Personal Data is likely to constitute the sole basis for any decision being made that is capable of significantly affecting the Data Subject, an explanation of the logic behind it.

Data Controllers are not obliged to provide information to a Data Subject where the provision of such information might cause serious harm to the physical or mental health or emotional well-being of that individual.

The Rights of the Data Subject

In addition to the access right referred to above, the Acts confer the following additional rights on Data Subjects.

1. Rectification, blocking or erasure.

On written request a Data Controller must within 40 days, rectify any notified errors in the individual's Personal Data, or in appropriate circumstances, have such data blocked or erased.

If requested in writing, the Data Controller must cease processing Personal Data within a reasonable time, or refrain from beginning the processing, if it would be likely to cause substantial damage or distress to the Data Subject or to another person and where the damage or distress would be unwarranted, unless consent has been obtained or one of the following circumstances applies:
  • the Data Subject has given his/her explicit consent to the processing, or
  • the processing is necessary:
    • for the performance of a contract with the Data Subject,
    • for the performance of an essential pre-contract step carried out at the request of the Data Subject,
    • to comply with a legal obligation not being one imposed by contract,
    • to protect the vital interests of the Data Subject, or
    • for processing carried out by political parties or candidates for election to, or the holders of, elective office, or in the course of electoral activities, or
    • it is authorised by Ministerial Regulation after consultation with the Data Protection Commissioner.

2. Direct Marketing

An individual has the right to demand that his Personal Data is not used for Direct Marketing purposes. If requested, the Data Controller has 40 days to comply.

If Direct Marketing is the only purpose for which the Personal Data is being kept, then it must be erased from the database. However, if the Personal Data is being kept for some other purpose then the Data Controller must cease using it for Direct Marketing purposes.

The Data Controller must then confirm to the Data Subject in writing that it has complied with the request and where appropriate inform him/her of the other purposes for which the Personal Data is being processed.

If the Data Controller proposes to use the Personal Data or anticipates that it may be used for Direct Marketing purposes, the Data Subject must be informed at the point that the Data is collected, of the Data Subject's right to object in writing to such processing free of charge.

3. Automated Decision Making

Personal Data may not be processed so as to reach decisions with legal effects for the Data Subject by means that solely rely on the automated processing of the data to arrive at the decision. Examples of such activities would include the evaluation of work performance, creditworthiness, reliability or conduct.

To be lawful there must be some element of human evaluation in the decision making process.

Transfers Abroad

Personal Data may not be lawfully transferred from Ireland to a country or territory outside the European Economic Area (EEA) unless that country or territory has adequate levels of data protection.

To be lawful, the transfer must have the consent of the individual or at least one of the following conditions must be met:
  • it is required or authorised by law, or
  • it is necessary for the performance of a contract or an essential pre-contract step with the Data Subject, or
  • it is necessary to conclude a contract between the Data Controller and a third party entered into at the request of the Data Subject and in the interests of the Data Subject, or
  • it is necessary for reasons of substantial public interest, or
  • it is necessary for the purposes of obtaining legal advice or in connection with legal proceedings, or
  • it is necessary so as to prevent injury or other damage to the health, or serious loss or damage to the property, of the Data Subject, or to protect his/her vital interests where disclosure to the Data Subject is likely to damage such vital interests, or
  • where the transfer is of part only of the personal data on a public register, or
  • the transfer has been authorised by the Data Protection Commissioner where he is satisfied that adequate safeguards are in place.

To be lawful, any contract between a Data Controller and a third party located outside the EEA to whom Personal Data is to be transferred must provide for the enforcement by the Data Subject of any clause that confers rights on the Data Subject, and must entitle the Data Subject to compensation for breach, in the same way as if he/she were a party to the contract.

The Data Protection Commissioner has the authority to prohibit the transfer of Personal Data from Ireland unless such a transfer is required by or authorised by law.

Registration with the Data Protection Commissioner

Data Controllers and Data Processors (unless exempted) must register annually with the Data Protection Commissioner and pay the appropriate annual registration fee.

Where the Data Controller keeps Sensitive Personal Data, the Data Protection Commissioner will have to be satisfied that appropriate safeguards for its protection are in place and will be maintained.

Data Controllers cannot lawfully process Personal Data unless first registered and once registered, cannot then lawfully process Personal Data, or obtain Personal Data from any source, or disclose Personal Data to any person, or directly or indirectly transfer such Personal Data to any location outside Ireland unless all of these details are included in their registration.

Data Processors cannot lawfully process Personal Data unless registered.

The breach of the obligation to register would constitute an offence under the Acts.

For further information or general enquiries contact:
Patrick Ryan
Email: pryan@kilroys.ie
Telephone: +3531-439 5600
Fax: +3531-439 5601/439 5602

© Kilroys Solicitors 2003
