Restrictions

General Limitations on Rights

Data is not personal data, simply because the person’s name is mentioned. For example, data in an employment or agency context may be that of the employer.

Trade secrets and intellectual property need not be disclosed.  However, this must not involve the individual being refused all information. The obligation to provide data may require that the elements protected by intellectual property are removed. Data given in confidence need not be released but may have to be summarised, removing and redacting confidential elements.

A data controller is not obliged to disclose personal data relating to another individual unless that other person has also consented.  If the personal data of the requesting party can be given without disclosing that other information, it must be disclosed. Where it is reasonable for the data controller to conclude, that the data can be disclosed without the other party being identified, he is obliged to disclose the data with the omission of those particulars

Where personal data relating to an individual consists of an opinion about that individual by another person, the data may be disclosed to the individual without obtaining the consent of that other person, unless the opinion in question was given in confidence or on the understanding that it would be confidential.


Permitted Restrictions of Rights.

EU or Member State law to which the data controller or processor is subject may restrict by legislation the scope of the data subject’s rights relating to transparency, erasure, access, rectification and data processing principles, as far as its provisions correspond to such rights and obligations.

The restrictions must respect the essence of fundamental rights and freedoms and is necessary and proportionate in a democratic interest to safeguard the following

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • other important objectives of general public interest of the EU or of a Member State, in particular, an important economic or financial interest of the EU or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
  • the protection of judicial independence and judicial proceedings;
  • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the first, third and last case above;
  • the protection of the data subject or the rights and freedoms of others;
  • the enforcement of civil law claims.

Conditions for Exempting / Restricting Legislation

Any legislative measure referred to on the last page must   contain specific provisions at least, where relevant, as to:

  • the purposes of the processing or categories of processing;
  • the categories of personal data;
  • the scope of the restrictions introduced;
  • the safeguards to prevent abuse or unlawful access or transfer;
  • the specification of the controller or categories of controllers;
  • the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  • the risks to the rights and freedoms of data subjects; and
  • the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

General Restriction on Data Subject’s Rights re Access etc.  Justice and Crime

The rights and obligations in relation to disclosure in relation to the acquisition of data, access to data, rectification, erasure, blocking, restriction, etc.  are (or may be further restricted by regulations) to the extent that the restrictions are necessary and proportionate—

  • for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties,
  • for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the administration,
  • in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure,
  • for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim.

General Restriction on Data Subject’s Rights re Access etc  Confidentiality Essential

The rights and obligations in relation to disclosure in relation to the acquisition of data, access to data, rectification, erasure, blocking, restriction, etc. are or may be further restricted

  • to the extent, the personal data relating to the data subject consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information,
  • to safeguard cabinet confidentiality, judicial independence and court proceedings, parliamentary privilege, national security, defence and the international relations of the State,
  • for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the interests of the controller in relation to the claim,

The Minister may prescribe requirements to be complied with when the above rights and obligations are restricted.


Regulations Restricting Rights; Important Public Interest I

Regulations may be made restricting the rights in relation to disclosure in relation to the acquisition of data, access to data, rectification, erasure, blocking, restriction, etc.  where such restrictions are necessary for the purposes of safeguarding important objectives of general public interest.

The important objective or objectives of general public interest must be identified in those regulations. The regulations must respect the essence of the right to data protection and protect the interests of the data subject. They may restrict the exercise of data subjects’ rights only in so far as is necessary and proportionate to the aim sought to be achieved.

Important objectives of general public interest include:

  • preventing threats to public security and public safety;
  • avoiding obstructions to any official or legal inquiry, investigation or process, including any out-of-court redress procedure, proceedings pending or due before a court, a tribunal of inquiry or commission of investigation;
  • preventing, detecting, investigating and prosecuting breaches of discipline by, or the unfitness or incompetence of, persons authorised by law to carry on a profession or any other regulated activity and the imposition of sanctions for same;
  • preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions;
  • taking any action for the purposes of considering and investigating a complaint made to a regulatory body in respect of a person carrying out a profession or other regulated activity where the profession or activity is regulated by that body and the imposition of sanctions on foot of such a complaint;
  • preventing, detecting, investigating or prosecuting, whether in the State or elsewhere, breaches of the law which are subject to civil or administrative sanctions and enforcing such sanctions.

Regulations Restricting Rights; Important Public Interest II

Important objectives of general public interest also include:

  • the identification of assets which are derived from, or are suspected to derive from, criminal conduct and the taking of appropriate action to deprive or deny persons of those assets or the benefits of those assets and any investigation or preparatory work in relation to any related proceedings;
  • ensuring the effective operation of the immigration system, the system for granting persons international protection in the State and the system for the acquisition by persons of Irish citizenship, including by preventing, detecting and investigating abuses of those systems or breaches of the law relating to those systems;
  • safeguarding the economic or financial interests of the European Union or the State, including on monetary, budgetary and taxation matters;
  • safeguarding monetary policy, the smooth operation of payment systems, the resolution of regulated financial service providers the operation of deposit-guarantee schemes, the protection of consumers and the effective regulation of financial service provider;
  • protecting members of the public against financial loss or detriment due to the dishonesty, malpractice or other improper conduct of, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate or other entities, financial loss or detriment due to the conduct of individuals who have been adjudicated bankrupt, or) financial loss or detriment due to the conduct of individuals who have been involved in the management of a body corporate which has been the subject of a receivership, examinership or liquidation of a company
  • protecting the health, safety, dignity, well-being of individuals at work against risks arising out of or in connection with their employment, and members of the public against discrimination or unfair treatment in the provision of goods or services to them;
  • the keeping of public registers for reasons of general public interest, whether the registers are accessible to the public on a general or restricted basis;
  • safeguarding public health, social security, social protection and humanitarian activities.

Archiving, scientific, historical research or statistical purposes

Where processing of data is for archiving purposes in the public interest, the rights of a data subject in relation to access to data, rectification, erasure, blocking, restriction etc. are restricted to the extent that the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and such restriction is necessary for the fulfilment of those purposes.

Where processing of data is for scientific or historical research purposes or statistical purposes, the above rights are restricted to the extent that the exercise of any of those rights would be likely to render impossible, or seriously impair, the achievement of those purposes, and such restriction is necessary for the fulfilment of those purposes.


Rights in relation to automated decision making

An individual is entitled to access the logic involved in data processing, where data is processed by automatic means and constitutes the sole basis for a decision, which affects that individual, significantly.

The fundamental rights and freedoms of the data subject, for the purposes of the right of a data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly, significantly affects him or her does not apply where—

  • it is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • it is based on the data subject’s explicit consent;
  • the decision is authorised or required by or under statutory law and either the effect of that decision is to grant a request of the data subject, or in all other cases adequate steps have been taken by the controller to safeguard the legitimate interests of the data subject which steps shall include the making of arrangements to enable him or her to make representations to the controller in relation to the decision.

Children

Parents have a presumptive right to information about their children, in the absence of exceptional circumstances.  The child’s welfare is paramount, but there is a presumption that this is served by what the parent wants.

It is presumed under the Data Protection Act, that a parent, guardian or uncle/aunt or close relative, may consent to the processing of personal data on behalf of a person who cannot do so, on account of physical, mental incapacity or age.


Regulation Health and Social Work

Regulations may be made by a Minister where he or she considers it necessary for the protection of a data subject or the rights and freedoms of others restricting the rights and obligations in relation to disclosure in relation to the acquisition of data, access to data, rectification, erasure, blocking, restriction etc.

  • if the application of those rights and obligations would be likely to cause serious harm to the physical or mental health of the data subject, and to the extent to which, and for as long as, such application would be likely to cause such serious harm, and
  • in relation to personal data kept for, or obtained in the course of, the carrying out of social work by a public authority, public body, a voluntary organisation or other body.

The Data Protection Act provided that a Minister, may if he considers desirable in the interest of the individual or in the public interest, declare the application of the Data Protection Act to medical records, relating to physical or mental health or kept by a public authority in the course of carrying out social work.  The general rules may be modified regulations from time-to-time.

Regulations provide that information on health are not to be supplied, where it would be likely to cause harm to the physical or mental health of the individual concerned.  Information that can be supplied without causing harm must be supplied.  The decision must be made by a health professional or must be made in consultation with a health professional.

Regulations in relation to social work provide that information containing social work data are not to be supplied, if it would be likely to cause serious harm to the mental or physical health or the emotional condition of the individual affected.  Once again, information that can be supplied without this happening should be supplied.


Health Regulations

A health practitioner  means

  • a person who is a medical practitioner, dentist, optician, pharmaceutical chemist, nurse or midwife and who is registered under the enactments governing his profession, and
  • a chiropodist, dietician, occupational therapist, orthoptist, physiotherapist, psychologist, child psychotherapist or speech therapist.

Information constituting health data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under GDPR if it would be likely to cause serious harm to the physical or mental health of the data subject. This srestriction on providing information applies only to the extent to which, and for so long as, that likelihood pertains.

This does not excuse a data controller from supplying so much of the information sought by the request as can be supplied without causing such harm.

A data controller who is not a health practitioner shall not) supply information constituting health data in response to a request for the above purpose or  withhold any such information on the above grounds unless he has first consulted the person who appears to him to be the appropriate health practitioner.

The appropriate health practitioner” means the person who is currently or most recently responsible for the clinical care of the data subject in connection with the matters to which the information, the subject of the request, relates. Where there is more than one such person, the person who is the most suitable to advise on those matters. Where there is no such it is to mean a health practitioner who has the necessary experience and qualifications to advise on those matters


Social Work Regulations

Social work data means personal data kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, the HSE, or a voluntary organisation or other body which carries out social work but excludes any health data.

Information constituting social work data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to a request under the GDPR if it would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject. This applies only to the extent to which, and for as long as, that likelihood pertains. This does not excuse a data controller from supplying so much of the information sought by the request as can be supplied without causing such  harm.

If the social work data include information supplied to a data controller by an individual (other than an employee or agent of the data controller) while carrying out social work, the data controller shall not supply that information to the data subject without first consulting that individual.

These provisions  are without prejudice to the power of a court to withhold from a data subject social work data kept by it and constituting information provided in a report supplied to it in any proceedings.


References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008