Data Protection Law in Ireland
The principal legislation governing Data Protection in Ireland is set out in the Data Protection Acts, 1988 and 2003 which are construed together as one act (the “Acts”). The Acts place responsibilities on the persons who collect and process personal information as well as conferring rights on individuals.
Who do the Acts apply to?
The Acts apply to persons and organisations that are established in Ireland and/or to persons and organisations who are based outside Ireland and the European Economic Area and who actively process data in the State.
The Acts have general applicability across all businesses and, therefore, all businesses need to be aware of their duties and obligations arising under same.
What are Data Controllers & Data Processors?
A Data Controller is generally an individual or a company that controls and is responsible for the keeping and use of personal information on computer or in structured manual files.
A Data Processor holds or processes personal data but does not exercise responsibility or control over it.
Certain Data Controllers and Data Processors are required to register with the Data Protection Commissioner.
Are we a Data Controller or a Data Processor?
If you or your organisation or business either alone or with others:
(a) keeps or processes any information about living people;
(b) decides what personal information is going to be kept; and
(c) decides the use to which the information will be put;
then you, your organisation or business is a Data Controller. Data Controllers can include, for example, companies, government departments and voluntary organisations, general practitioners and sole traders.
If you or your organisation or business:
(a) keeps or processes personal data on behalf of Data Controllers; but,
(b) does not exercise any responsibility or control over the data;
then you or your organisation or business is most likely a Data Processor. Data Processors can include, for example, payroll companies, market research companies and firms of accountants.
An organisation can be both a Data Controller and a Data Processor. For example, a payroll company may be a Data Processor with respect to the employee information it processes on behalf of Data Controllers but it will be a Data Controller with respect to the information collected and used in relation to its own employees.
What is Personal Data?
Personal data includes any automated and manual data (data that is recorded as part of a structured filing system) relating to a living individual who is or can be identified from the data or from the data in conjunction with other information which is held by the Data Controller or is likely to be held by them.
What are the duties of Data Controllers?
Section 2 of the Acts outlines a number of data protection principles which all Data Controllers are required to comply with. Data Controllers must:
- Obtain and process information fairly. Individuals should be made aware at the time they provide personal information of:
(i) the identity of the persons collecting it;
(ii) to what use it will be put; and,
(iii) to whom the information will be disclosed.
Secondary, future or new uses of the information should also be brought to the attention of persons providing personal information and their consent to such uses should be sought. Examples of how entities might comply with fair processing requirements include companies issuing notices to employees detailing how they process employee data, and website privacy policies that describe how companies obtain and process data from web users. Stricter requirements apply to the processing of information relating to minors.
- Keep information only for one or more specified and lawful purposes. When collecting personal data, Data Controllers need to clearly and explicitly specify to the person who is the subject of the data the purpose for which the data is being collected and stored. Collecting personal information routinely and indiscriminately without a clear and legitimate purpose will result in a breach of this obligation.
- Process information only in ways compatible with the purposes for which it was initially provided. A key question under this duty is whether the data is used and disclosed in a way that those who provided the information would have expected it to be used and disclosed. For example, where a charity shared information about its customers with a financial institution for the marketing purposes of the financial institution, this was held to be a breach of this duty.
- Keep information safe and secure. The Acts provide that appropriate security measures for the protection of personal information must be put in place having regard to the state of technological development, the cost of implementation, the nature of the information, and the harm that might occur from unauthorised processing, disclosure or loss. Data Controllers, and Processors, are required to take all reasonable steps to ensure that employees are aware of and comply with the security measures. The Acts also provide that if Data Controllers use a third party to process information, the security measures should be covered by a contract which sets out the conditions under which the information can be processed and the security measures to be implemented by the third party.
- Keep the information accurate and up to date. Inaccurate data is described by the Acts as data that is incorrect or misleading as to any matter of fact.
- Ensure the information is adequate and relevant and not excessive. This may be breached where a business seeks more information from a customer than is strictly necessary for the purpose of supplying the good or service.
- Retain the information for no longer than is necessary for the specified purposes. An example of a breach of this duty may be where a business uses personal information about a former customer, which it obtained during the course of a previous relationship, to send direct marketing materials.
- Give a copy of his or her personal data to any individual on request.
What are the Duties of Data Processors?
Data Processors have a limited set of obligations under the Acts, unlike Data Controllers. These include the obligation to keep personal information safe and secure from unauthorised access, disclosure, destruction or accidental loss.
What constitutes Processing Personal Data?
Processing is given a very wide definition in the Acts and includes performing any operation or set of operations on the information or data, whether or not by automatic means and includes, without limitation, obtaining, recording, collecting, storing, altering, adapting, retrieving, consulting, using, disclosing or destroying information.
The Acts outline certain pre-conditions that must be met before a Data Controller is permitted to process personal information. In addition to complying with the principles outlined above, at least one of the following pre-conditions must be satisfied:
- The consent of the data subject must be obtained. The data subject’s consent must be freely given, specific and informed.
- The information is necessary for the performance of a contract to which the data subject is a party.
- The information is necessary to prevent injury or damage to the health of the data subject.
- The information is necessary to protect the data subject’s vital interests.
- The information is necessary for the administration of justice.
- The information is necessary for the purposes of the legitimate interests of the Data Controller.
Additional pre-conditions must be satisfied where the Data Controller is processing sensitive personal information, relating to racial or ethnic origin, or mental or physical health, for example.
What are the implications of a Breach of Duties?
A breach of the principles set out in the Acts does not automatically amount to a criminal offence. A data subject may make a complaint to the Data Protection Commissioner who, if it finds that a breach has occurred, can issue an Enforcement Notice (S10 (2) of the Acts). It is an offence not to comply with an Enforcement Notice. Under the Acts the maximum fine on summary conviction of such an offence is set at €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000. However, criminal prosecutions tend to be rare and fines tend to be at the lower end of the scale.
A Data Controller may also be subject to civil remedies in breach of contract or liable in tort where they fail to comply with the principles set out in Section 2 of the Acts. Section 7 of the Acts creates a duty of care between the Data Controller and the Data Subject and it is possible that an individual who has suffered a loss as a result of a breach could seek to recover damages against a Data Controller.
Section 2 (7) of the Acts details particular rules dealing with the use of personal information for direct marketing purposes. For example, where personal information is held for the purpose of direct marketing and a data subject requests in writing that the Data Controller stop processing information for that purpose then, generally, the Data Controller has 40 days to comply with that request.
Additional requirements, outlined in Section 2 (8), seem to place a positive obligation on Data Controllers to inform data subjects that they may object in writing, free of charge, to the Data Controller processing their information for direct marketing purposes.
The Electronic Communications Regulations were introduced in 2011 (SI 336/2011) and strengthened the rules and regulations surrounding direct marketing with the purpose of tackling the use of spam email and unwanted SMS, among other things. The regulations restrict the ability of businesses to use electronic communications to send unsolicited communications or make unsolicited calls for the purpose of direct marketing. Breach of the regulations is a criminal offence and can attract a fine of up to €5,000 on summary conviction or, on conviction on indictment, fines ranging from €50,000 for a natural person to €250,000 if the offender is a body corporate.
Information – not just personal data – may not be stored on or retrieved from a person’s terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual: (a) has been given clear and comprehensive information about why this is being done and (b) has given her/his consent. This Regulation covers the use of “cookies” (small files that can be downloaded to a PC or other device when the user accesses certain websites; a cookie allows a website to “recognise” the user’s device).
The Regulations do not prescribe how the information is to be provided or how consent is to be obtained, other than that this should be done. The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users’ equipment. The settings currently available on the main browsers do not appear to be sufficient in themselves to meet the obligation.
What are the Rights of the Data Subject?
The Acts confer a number of rights on individuals as well as imposing responsibilities on Data Controllers and Data Processors. These rights include:
- The right to be informed of information being kept. Where one person suspects another is keeping personal information, they may write to that person requesting that they be informed as to whether such information is being kept. If it is, then that person must be given a description of the information and the purposes for which it is being kept within 21 days of the request being made.
- Right of access to information. If an individual makes a written request, a Data Controller must inform the individual whether they hold personal information relating to the individual and provide a detailed description of the information. If an individual makes a written request, then the Data Controller must also supply copies of the personal information relating to the individual within 40 days of the request being made. The Data Controller can charge a small fee for providing copies of the personal information; the fee is currently €6.35.
There are a number of exceptions to the right of access, including without limitation, where the information is legally privileged or confidential, where the information contains data relating to another person, or where the information might interfere with a criminal investigation.
- Right to prevent data being used for direct marketing purposes. This is discussed above.
- Right to rectification, blocking or erasure. An individual has the right to have their information rectified, blocked or erased if a Data Controller does not comply with the principles outlined above. A Data Controller has 40 days to comply with such a request.
- Right to prevent processing where it might cause damage or distress. By notice in writing to a Data Controller, an individual can request that processing or use of their information cease where it is likely to cause substantial damage or distress.
- Rights concerning automatic processing of information. The Acts provide that a decision which results in legal effects concerning or affecting an individual may not be based solely on the automatic processing of personal information for the purpose of, for example, evaluating work performance, creditworthiness, reliability or conduct.
- Rights in respect of transfer of information outside the State. The Acts contain a number of restrictions on the transfer of personal information outside the State and provide that such a transfer may not take place unless the territory to which the information is being transferred ensures an adequate level of protection for the privacy of individuals when their personal information is processed. Exceptions include where the individual has consented or the information is necessary for the performance of a contract to which the individual is a party. The European Commission has approved certain states as offering adequate protection; these do not, however, include the USA because of differing standards of data protection. To transfer personal information to the USA, the recipient must sign up to the Safe Harbour Scheme, or the individual must provide their consent, or model contractual clauses relating to the protection of data, as prescribed and approved by the European Commission, must be used.
- Data Breaches. While the Acts do not explicitly oblige a Data Controller to inform an individual when their information has been lost, stolen or otherwise compromised, the Data Protection Commissioner issued a ‘Data Security Breach Code of Practice’ in 2010. Pursuant to this code a Data Controller must give immediate consideration to informing the individual and any other appropriate authority, the Gardaí, for example. Generally speaking the Data Protection Commissioner must also be informed of a breach. The Data Protection Commissioner does not need to be informed where the individuals have been notified, the breach affects fewer than 100 individuals, and it does not involve sensitive or financial information.
A new regulatory framework concerning Data Protection is currently making its way through the various legislative stages in Europe. The new regulations will be directly effective in all member states and will further harmonise EU data protection law. When introduced, the regulations will have serious implications for Irish businesses because of the increased regulation and the seriousness of the sanctions that can be imposed in respect of any breach. They will be seen by many as a game changer for Irish businesses.
Among other things, the new regulations envisage a single data protection authority, increased sanctions on a sliding scale of up to €1,000,000 or 2% of a company’s global turnover, and reduced periods for compliance with data access requests. They also envisage new rights for data subjects, including a right to be forgotten and a right to object to profiling, and that the consent obtained from an individual must be explicit.
There will be an obligation on Data Controllers to introduce written policies and procedures on how to deal with Data Access Requests and, in certain circumstances, to appoint an independent Data Protection Officer. As drafted, businesses will have to notify the Data Protection Commissioner on the occurrence of any breach of data security within 24 hours while also notifying any individual who may be adversely affected by the breach.
Currently it is not envisaged that the new regulations will be introduced before 2015 but they will have direct effect when they do. It will be important for Irish businesses to be prepared and to be aware of the increased regulation of data protection and their obligations under same.
For further information or if you have any queries relating to data protection or related matters please do not hesitate to contact .