Enforcement

Administration and Powers I

The Data Protection Commissioner is an independent body which enforces the Data Protection Act.  The EU directives on Data Protection require that there must be an independent body with the necessary means to perform its duties.

The EU Directive requires that the Commissioner must have effective powers of intervention, such as

  • power to deliver opinions before processing operations are carried out;
  • power to ensure appropriate publication of such opinions;
  • power to order the blocking, erasure or destruction of data;
  • power to impose a temporary or definitive ban on processing;
  • power to warn or admonish the data controller
  • power to refer the matter to the Parliament or other political institutions;
  • power to engage in legal proceedings where the national provisions adopted by the Directive have been violated.

Administration and Power II

The Data Protection Commissioner has the above powers under the Data Protection Acts. He may investigate contraventions of the Acts.  He may issue information notices.  He may enforce the Act by enforcement notices.  He may prohibit the transfer of personal data outside the State.  He may engage in prior checking of processing operations which may cause substantial damage or distress to the data subjects. He must maintain a register of data processing operations.

There is provision for appeal to the Circuit Court against certain decisions and actions of the Data Protection Commissioner, including enforcement notices, information notices and prohibition notices.  There is an appeal against decisions by the office in relation to complaints under certain provisions of the Act.

In hearing appeals, the courts allow a degree of latitude to specialist regulatory bodies.  This is not because the decision is a judicial review.  It is by way of deference to the specialist knowledge of the Commissioner.  The court may hear the appeal other than in public.


Investigation

The Commissioner may investigate contraventions of the Act of his own motion or on foot of   complaint made. He may refuse to investigate frivolous and vexatious complaints. The form of investigation is determined by the Commissioner.  He has an obligation to seek a voluntary resolution.  If this cannot be achieved, he must notify the complainant of the decision in relation to the matter.  The complainant may appeal to the court within 21 days of the decision.

Authorised officers of the Commissioner have standard investigatory powers.  They may obtain information as necessary for the performance of their functions.  They may enter premises reasonably believed to be occupied by a data controller or processor and inspect any data thereon.  They may operate any data equipment. They may inspect, take extracts and copy information.

Authorised officers may require a person on the premises being a data controller or processor, or an employee, to disclose and produce information in his power or control.  They may require persons to give such information as they reasonably require, in relation to procedures for complying with the Act.

They may require details of the sources from which data is obtained, the purposes for which it is kept, persons to whom it is disclosed and data equipment. It is an offence to obstruct an officer or to fail to comply with a requirement, without reasonable excuse.  It is an offence to give false information.


Notices

The Commissioner may serve an information notice on an individual in writing.  This requires that the information specified be furnished in relation to the matters concerned, as is necessary or expedient for the performance of the Commissioner’s function under the legislation.  The information notice should specify the matters in respect of which the information is sought, and the time for compliance.

The notice must state that there is a right to appeal to the Circuit Court. The time given for compliance is generally 21 days.  It may be seven days, in the event of urgency. Compliance may be pursued once the 21-day appeal period has expired or 7 days in the event of urgency. It is an offence without reasonable excuse, to fail to comply with an enforcement notice or a requirement made in an enforcement notice.

An enforcement notice may be served where there is a contravention, which is viewed as insufficiently serious to merit criminal prosecution or where it is expedient not to prosecute. An enforcement notice is in writing specifying that a provision of the Act being contravened, specifying the reason for the opinion and stating what is required to be done. It must state that the notice may be appealed to the Circuit Court within 21 days.

The enforcement notice may require the erasure, modification or rectification of material.  It may require supplemental data to be included with it. If the breach arises from the information being inaccurate or not up-to-date and the controller supplements and rectifies it as required, there is deemed no breach of the legislation in that regard. A notification is to be sent to the data subject within 40 days or as soon as possible.


Offences I

Breach of various parts of legislation is a criminal offence. This includes

  • failing to comply with an enforcement notice;
  • failing to comply with a prohibition notice, failing to comply with an information notice;
  • processing in breach of the legislation;
  • keeping personal data where is no entry in the register in respect of the data controller;
  • providing false and misleading information in relation to the register;
  • disclosure of data by a data processor without prior authority of the data controller;
  • obtaining access to personal data without prior authority of the data controller, or
  • obstructing or impeding an authorised officer.

Offences under the legislation are subject to a fine of up to €3,000 on summary conviction and up to €100,000 on conviction on indictment.  A court may make ancillary orders regarding erasure, destruction of information and/or forfeiture of data.


Offences II

Where an offence is committed by a company, any director, manager, secretary, other officer or a person purporting to act in such capacity is guilty of an offence, if he connived in relation to it or if it was attributable to his neglect.

The Data Protection Act permits a claim for damages for failure to discharge a duty under the Act.  In principle, a court may award compensation for breach.

It is a defence that a data controller accurately recorded data and information received and obtained from the individual or a third party and if the individual has informed the data controller that the information is inaccurate or is not up-to-date, it is rectified and supplemented within the requisite time limits.


References and Sources

Primary References

Employment Law  Meenan  2014 Ch.24

Employment Law Supplement Meenan 2016

Employment Law Regan & Murphy  2009 ( 2nd Ed 2017) Ch. 13

Employment Law in Ireland Cox & Ryan 2009 Ch 15

Practical Guide to Data Protection Law in Ireland     2003 A& L Goodbody

Data Protection: a Practical Guide to Irish & EU Law 2010   Carey

Privacy & Data Protection Law in Ireland       2015   2nd Ed Kelleher

Data Protection Law in Ireland: Sources & Issues     2016   2nd Ed     Lamber

Other Irish Books

Employment Law Forde & Byrne 2009

Principles of Irish Employment Law   Daly & Doherty           2010

Statutes

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Legislation

Dismissal & Redundancy Consolidated Legislation   Barrett, G        2007

Irish Employment legislation (Looseleaf)       Kerr     1999-

Employment Rights Legislation (IEL offprint) Kerr     2006

UK Texts

Textbook on Employment Law, Honeyball, et al. 13th Ed. 2014

Labour Law, Deakin and Morris 5th Ed. 2012

Employment Law, Smith and Wood 13th Ed 2017

Selwyn’s law of Employment Emir A 19 Ed. 2016

Employment law : the essentials. Lewis D Sargeant M and Schwab M 11 Ed.2011

Labour Law Collins H, Ewing K D and McColgan  2012

Industrial relations law reports. (IRLR): Law Section,

Employment law Benny R Jefferson M and Sargent  5th Ed.  2012

Pitt’s Employment Law 10th  Ed. Gwyneth Pitt 2016

CLP Legal Practice Guides: Employment Law 2016 Gillian Phillips, Karen Scott

Cases and Materials on Employment Law 10th  Ed. Richard Painter, Ann E. M. Holmes 2015

Blackstone’s Statutes on Employment Law 2015 – 2016 Richard Kidner

Drafting Employment Contracts 3rd  Ed. Gillian Howard 2017

The Contract of Employment Edited by Mark Freedland, Alan Bogg, David Cabrelli, Hugh Collins, Nicola Countouris, A.C.L. Davies, Simon Deakin, Jeremias Prassl 2016

UK Practitioner Services

Tolley’s Employment Handbook 2017 Mrs Justice Slade 2017

Butterworths Employment Law Handbook 2017 Peter Wallington 2017

Blackstone’s Employment Law Practice 2017 Edited by Gavin Mansfield, John Bowers, John Macmillan 2017