Privacy and Data Protection
The Data Protection Act and the EU wide General Data Protection Regulation are designed to protect privacy. They severely restrict the acquisition, holding and use of information relating to identifiable individuals.
Any information that is capable of identifying or being associated with a living person is protected. The legislation does not apply to purely personal or household activities.
Personal information must be acquired fairly, freely and lawfully. Individuals must be told what will be done with the personal information. Data must not be collected which is irrelevant to the purposes for which it is required.
The controller must assess the adequacy, relevance and nexus of the data in an objective way. He must act fairly bearing in mind the purpose of the data collected and the circumstances of the acquisition.
Data must be collected only for a particular specified, explicit and legitimate purpose. It must not be used (processed) in a manner which is incompatible with that purposes. The relevant purpose must be specified at the time of collection.
Use of Personal Information
The Data Protection Act and GDPR provides certain principles, which are binding on data controllers. The principles are as follows. They require that personal information
- be processed fairly and lawfully;
- be processed for one or more specified lawful uses and not further processed in any way incompatible with that original purpose;
- be adequate relative and not excessive;
- be accurate and where necessary up to date;
- be kept for no longer than is necessary for the purpose;
- be processed in accordance with the rights of the individuals;
- be kept secure with appropriate technological and organisational measures;
- not be transferred outside the EEA (EU plus Norway, Iceland and Lichtenstein) unless there is adequate protection.
The data (personal information) must be processed fairly and lawfully. Fair processing requires that the data subject give informed consent to the use of his personal and that it be used in accordance with that consent. The data subject must be given information about the identity of the data controller, to whom it may be disclosed to and the purposes for which it is to be used, in the limited cases where this may be legitimate
“Processing” covers keeping, collecting, storing, altering, adapting, retrieving, consulting, using, transmitting, disseminating or otherwise making available, the data. It includes combining, blocking, erasing and destroying data.
Data processing must be objectively necessary. Data processing must be relevant to the purpose for which it is collected. It must not be excessive in the context of the purposes for which it is collected. Data must not be retained for any longer than necessary.
“Sensitive data” are those relating to the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, the commission of an offence and the sentence of the court in such proceedings. The processing of sensitive data is permissible in more limited circumstances than applies to personal data generally.
Explicit consent is required for the processing of sensitive personal data. The processing may take place with explicit consent only or in some other narrow circumstances where it is allowed by law/ Higher standards apply to the processing of sensitive personal data.
Personal data must be accurate and kept up-to-date. It must be adequate, relevant and not excessive in relation to the purposes for which it is collected.
Every reasonable step must be taken to ensure that data which is inaccurate or incomplete having regard to its purposes, is erased or corrected. Data is inaccurate if it is incorrect or misleading in relation to the factual position.
Data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which it is collected, or for which it is further processed.
Generally, it is not permissible to disclose information to another person, business or organisation unless the individual concerned has given explicit consent to this being done. The third party should be specifically identified. Disclosure includes the disclosure of information extracted from data and the transfer of data.
Disclosure does not include disclosure made by a data controller or processor to his employee, for the purpose of carrying out his duties. Where the identification of the data subject depends partly on the data and partly on other information in the control or possession of the data controller, disclosure does not take place until the other connecting information is disclosed.
The GDPR requires organisations to notify the Data Protection Commission when a personal data breach occurs. All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or encrypted. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality –must also be reported to the individuals concerned.
Data Access Rights
The General Data Protection Regulation and the Data Protection Act gives significant rights to individuals in relation to data held by third parties about them. These rights may be enforced directly against the person or entity who holds or controls the data.
Any individual who believes that any person or entity is keeping personal data about him, shall if he so requests in writing, be informed by the person or entity whether he holds such data. If he does keep such data, the person or entity must give a description of the data and the purposes for which it is kept. This must be given as soon as may be and, in any event, not more than one month after the request has been made. No fee is payable.
The right to discover whether the information is held is much broader than the right to obtain disclosure. This latter right is subject to various exceptions which do not apply to the former right.
Copy of Data
A data subject (i.e. a person about whom personal information is kept by another) may make a request in writing to that other (the data controller) about the following if data is held:
- the categories of data being processed by or on behalf of the data controller;
- the personal data about that individual;
- the purpose of the processing; and
- the recipients or categories of recipients, to which the data may be disclosed.
The data subject is entitled to have information constituting the personal data, of which he is the subject, communicated to him in an intelligible form together with information known or available to the data controller in relation to its source, unless certain exceptions apply, which are broadly those in the public interest.
The individual who makes the request must give sufficient evidence to enable him to be identified and identify the information concerned. Under GDPR, fees are no longer payable in relation to a data request.
The data controller must supply a copy of the information in a permanent form, unless this would be disproportionate, not possible or unless the data subject otherwise agrees. There is no specified form for the data request. It must be made in writing. It must be complied with as soon as may be, but in any wait, within one month.
Where the information is in terms that are not intelligible to an average person, the information must be accompanied by an explanation of the terms concerned. Where the data controller refuses a request, he must set out the reason for refusal. He must indicate that the individual may complain to the Data Protection Commissioner in relation to the refusal.
Requests for the same information may not be made at repeatedly. Where a request has been previously complied with, which is substantially identical or similar, the data controller need not, comply, if he is of the opinion that a reasonable interval has not lapsed between compliance with the previous request and making of the current request. This is primarily a matter for the data controller.
The Data Protection Act provides that the right of access shall be complied with by supplying the individual with a copy of the information concerned in a permanent form unless the supply of such a copy is not possible or would involve disproportionate efforts. This is understood to mean that the supply should be in a permanent form. If this is not possible, some other type of access may be substituted.
Erasure or Correction
Where the information is not or is no longer validly held in accordance with the above principles, it must be erased and removed.
An individual may rectify, block and erase data if it is incomplete or inaccurate. He may require that a third party to whom the data has been disclosed, be notified of the rectification, erasure or blocking unless this is disproportionate or impossible. The data controller must comply promptly with a valid request.
Where the data is incorrect, the data controller may supplement it with a statement agreed by the individual affected. It must notify the individual as soon as may be, but not later than one month after the request has been made. Where the request materially modifies the data, if must notify third parties to whom it has been disclosed in the last 12 months within one month unless this would be disproportionate.
Data controllers must keep personal data secure. The security must be appropriate. What is appropriate will depend on the circumstances. Regard may be had to state of the art and the cost of implementation of measures. The security must be appropriate to the risk represented by the processing and the nature of the data.
Measures must be taken against unauthorised access, alteration, disclosure, destruction of data. Security measures must be taken to guard against unlawful forms of processing. The duty applies in particular, to the transmission of data over a network. The level of security required may take account of the state of technology and the cost of implementation.
The measures taken must be adequate to secure the data. They must be appropriate to the harm that might result from unauthorised or unlawful processing or from destruction or loss. The must be appropriate to the nature of the data concerned. They must take account of the risk of deliberate attempts to hack, as well as accidental disclosure.
Objection to Processing
An individual may object to the processing of data, where such processing is not permitted under the legislation or where it is incompatible with it. It is not enough that the individual disagrees with the processing, there must be a substantive ground of objection based on the Act.
An individual may at any time notify a data controller in writing and request him not to begin processing data or processing data for a specified purpose or in the manner specified, which relates to him.
An objection may be made by the individual where the processing of data or the processing for the particular purpose or in a particular manner is causing or likely to cause him substantial and unwarranted damage or distress.
Data Protection Impact Assessments and Data Protection Officers
A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It is designed to allow organisations to identify potential privacy issues before they arise and come up with a way to mitigate them.
The GDPR introduces mandatory DPIAs for those oganisations involved in high-risk processing; for example, where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area.
Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers are required to consult the DPC before engaging in the process.
The GDPR requires some organisations to designate a Data Protection Officer (DPO). organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Communications (Retention of Data) Act 2011
Criminal Justice (Surveillance) Act 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (An Garda Síochána) Regulations 2009, S.I. No. 275 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Revenue Commissioners) Regulations 2009, S.I. No. 290 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Defence Forces) Regulations 2010, S.I. No. 80 of 2010
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (Official Journal L 8 of 12.1.2001, pp. 1-22)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending (declared invalid by Court of Justice ruling, see below).
Directive 2002/58/EC (Official Journal L 105 of 13.4.2006, pp. 54-63)
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Official Journal L 173 of 26.6.2013, pp. 2-8).
European Communities (Directive 2000/31/Ec) Regulations 2003
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. No. 336 of 2011
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
Privacy and Data Protection Law in Ireland 2nd ed Denis Kelleher 2015
EU and UK Texts
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008
The Law of Personal Privacy David Sherborne, Mark Thomson, Hugh Tomlinson Due August 2019
Tort Law and the Protection of Privacy John Hartshorne April 2019
The Privacy, Data Protection and Cybersecurity Law Review The Privacy, Data Protection and Cybersecurity Law Review 5th ed Edited by: Alan Charles Raul 2017
International Cybersecurity and Privacy Law in Practice International Cybersecurity and Privacy Law in Practice Charlotte A. Tschider 2017
Determann’s Field Guide to International Data Privacy Law 3rd ed Lothar Determann
The Law of Privacy and The Media 3rd ed Edited by: Nicole Moreham, Mark Warby 2016