State & Justice Use
Data Protection Act 2018
PART 3
DATA PROTECTION REGULATION
CHAPTER 1
General
Fees
28. The Commission may, with the consent of the Minister, prescribe the fees to be paid to
it—
(a) for the performance of its functions under Article 57(1)(r) and (s), and
(b) in relation to requests that are manifestly unfounded or excessive in accordance
with Article 57(4).
Designation of data protection officer
30. (1) The Minister may, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, make regulations requiring
controllers, processors, associations or other bodies representing categories of
controllers or processors to designate a data protection officer in accordance with
Article 37(4).
(2) Regulations under subsection (1) may apply to—
(a) one or more than one class of controller,
(b) one or more than one class of processor, or
(c) one or more than one class of association or other body representing categories of
controllers or processors.
(3) In making regulations under subsection (1) the Minister shall have regard to the need
for the protection of individuals with regard to the processing of their personal data
and, without prejudice to the generality of the foregoing, shall have regard in
particular to—
(a) the nature, scope, context and purposes of the processing,
(b) risks arising for the rights and freedoms of individuals,
(c) the likelihood and the severity of such risk for the individuals concerned, and
(d) the costs of implementation of any requirement if it were imposed under that
subsection.
Accreditation of certification bodies by Irish National Accreditation Board
31. The Irish National Accreditation Board is the accreditation body for the purposes of
Article 43(1).
Suitable and specific measures for processing
32. (1) Where a requirement that suitable and specific measures be taken to safeguard the
fundamental rights and freedoms of data subjects in processing personal data of those
subjects is imposed by this Act or regulations made under this Act, those measures
may include—
(a) explicit consent of the data subject for the processing of his or her personal data
for one or more specified purposes,
(b) limitations on access to the personal data undergoing processing within a
workplace in order to prevent unauthorised consultation, alteration, disclosure or
erasure of personal data,
(c) strict time limits for the erasure of personal data and mechanisms to ensure that
such limits are observed,
(d) specific targeted training for those involved in processing operations, and
(e) having regard to the state of the art, the context, nature, scope and purposes of
data processing and the likelihood of risk to, and the severity of any risk to, the
rights and freedoms of data subjects—
(i) logging mechanisms to permit verification of whether and by whom the
personal data have been consulted, altered, disclosed or erased,
(ii) in cases in which it is not mandatory under the Data Protection Regulation,
designation of a data protection officer,
(iii) where the processing involves data relating to the health of a data subject, a
requirement that the processing is undertaken by a person referred to in
section 46(2),
(iv) pseudonymisation of the personal data,
(v) encryption of the personal data, and
(vi) other technical and organisational measures designed to ensure that the
processing is carried out in accordance with the Data Protection Regulation
and processes for testing and evaluating the effectiveness of such measures.
(2) Suitable and specific measures referred to in subsection (1) may be identified in
regulations made by—
(a) the Minister following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(3) Without prejudice to the generality of subsection (2), suitable and specific measures
identified in regulations made under that subsection may include—
(a) any measure referred to in subsection (1),
(b) governance structures,
(c) processes or procedures for risk assessment purposes, and
(d) processes or procedures for the management and conduct of research projects.
(4) Regulations under subsection (2)—
(a) may identify different measures for different categories of personal data, different
categories of controllers, different types of processing or categories of
processing, and
(b) may specify that the measures identified are mandatory in respect of the
processing to which they are stated to apply.
(5) In making regulations under subsection (2), the Minister or any other Minister of the
Government, as the case may be, shall have regard to the public interest and the need
for protection of individuals with regard to the processing of their personal data and,
without prejudice to the generality of the foregoing shall have regard to—
(a) the nature, scope, context and purposes of the processing,
(b) risks arising for the rights and freedoms of individuals, and
(c) the likelihood and the severity of the risks for the individuals concerned.
(6) Suitable and specific measures referred to in subsection (1) shall be identified in
regulations made under section 45(2) and subsections (2) to (5) shall apply to
regulations made under that section in like manner as they apply to regulations made
under this section.
Limitation on transfers of personal data outside the European Union
33. (1) The Minister may, in the absence of an adequacy decision under Article 45, following
consultation with such other Minister of the Government as he or she considers
appropriate and the Commission, make regulations restricting the transfer of
categories of personal data to a third country or an international organisation for
important reasons of public policy.
(2) Regulations under subsection (1) shall specify the important reasons of public policy
for restricting the transfer concerned and may be expressed to apply by reference to
one or more of the following—
(a) a category or categories of personal data,
(b) a third country or classes of third country, or
(c) an international organisation.
(3) In making regulations under subsection (1), the Minister shall have regard to the
public interest and the need for protection of individuals with regard to the processing
of their personal data and, without prejudice to the generality of the foregoing, shall in
particular have regard to—
(a) the nature, scope, context and purposes of the processing,
(b) the desirability of facilitating international transfers of data,
(c) risks arising for the rights and freedoms of individuals, and
(d) the likelihood and the severity of such risks for individuals concerned.
Processing for a task carried out in the public interest or in the exercise of official authority
34. (1) The processing of personal data shall be lawful to the extent that such processing is
necessary for—
(a) the performance of a function of a controller conferred by or under an enactment
or by the Constitution, or
(b) the administration by or on behalf of a controller of any non-statutory scheme,
programme or funds where the legal basis for such administration is a function of
a controller conferred by or under an enactment or by the Constitution.
(2) Subject to subsection (3), the processing of personal data and disclosure of that data
to a person for the purposes of preserving of the Common Travel Area, or any part of
that Area, shall be lawful where the controller is an Irish air carrier, an air carrier or a
sea carrier.
(3) The Minister shall, following consultation with such other Minister of the
Government as he or she considers appropriate and the Commission, make regulations
for the purposes of subsection (2) specifying—
(a) the part of the Common Travel Area to which the regulations apply,
(b) the personal data that may be processed,
(c) the circumstances in which the personal data may be disclosed, including
specifying the person to whom the data may be disclosed, and
(d) such other conditions (if any) as the Minister considers appropriate to impose on
such processing.
(4) Processing of personal data which is necessary for the performance of a task carried
out in the public interest by a controller or which is necessary in the exercise of
official authority vested in a controller may be specified in regulations made by—
(a) the Minister following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(5) Regulations made under subsection (4) shall specify—
(a) the personal data that may be processed,
(b) the circumstances in which the personal data may be processed, including
specifying the persons to whom the data may be disclosed, and
(c) such other conditions (if any) as the Minister or any other Minister of the
Government, as the case may be, considers appropriate to impose on such
processing.
(6) In this section—
“air carrier” means an undertaking established in the State that provides air services;
“air service” has the meaning it has in Regulation (EC) No 1008/2008 of the
European Parliament and of the Council of 24 September 20087
on common rules for
the operation of air services in the Community (Recast);
“Common Travel Area” means the State, the United Kingdom of Great Britain and
Northern Ireland, the Channel Islands and the Isle of Man;
“Irish air carrier” means an undertaking with a valid operating licence, within the
meaning of Regulation (EC) No 1008/2008 of the European Parliament and of the
Council of 24 September 20088
, granted by the Commission for Aviation Regulation;
“passenger” means a person carried by an air carrier on an aircraft, or as the case may
be, a sea carrier in a passenger ship, other than a member of the crew of the aircraft or
passenger ship concerned;
“passenger ship” means a sea-going ship that carries more than 12 passengers;
“sea carrier” means an undertaking established in the State that, for remuneration,
carries passengers by sea in a passenger ship.
Processing for purpose other than purpose for which data collected
35. Without prejudice to the processing of personal data for a purpose other than the purpose
for which the data has been collected which is lawful under the Data Protection
Regulation, the processing of personal data and special categories of personal data for a
purpose other than the purpose for which the data has been collected shall be lawful to
the extent that such processing is necessary for the purposes—
(a) of preventing a threat to national security, defence or public security,
(b) of preventing, investigating or prosecuting criminal offences, or
(c) set out in paragraph (a) or (b) of section 41.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
36. (1) Subject to suitable and specific measures being taken to safeguard the fundamental
rights and freedoms of data subjects, personal data may be processed, in accordance
with Article 89, for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
(2) Processing of personal data for the purposes referred to in subsection (1) shall respect
the principle of data minimisation.
(3) Where the purposes referred to in paragraph (a), (b) or (c) of subsection (1) can be
fulfilled by processing which does not permit, or no longer permits, identification of
data subjects, the processing of information for such purposes shall be fulfilled in that
manner.
Data processing and freedom of expression and information
37. (1) The processing of personal data for the purpose of exercising the right to freedom of
expression and information, including processing for journalistic purposes or for the
purposes of academic, artistic or literary expression, shall be exempt from compliance
with a provision of the Data Protection Regulation specified in subsection (2) where,
having regard to the importance of the right of freedom of expression and information
in a democratic society, compliance with the provision would be incompatible with
such purposes.
(2) The provisions of the Data Protection Regulation specified for the purposes of
subsection (1) are Chapter II (Principles), other than Article 5(1)(f), Chapter III (rights
of the data subject), Chapter IV (controller and processor), Chapter V (transfer of
personal data to third countries and international organisations), Chapter VI
(independent supervisory authorities) and Chapter VII (cooperation and consistency).
(3) The Commission may, on its own initiative, refer any question of law which involves
consideration of whether processing of personal data is exempt in accordance with
subsection (1) to the High Court for its determination.
(4) An appeal shall, by leave of the High Court, lie from a determination of that Court on
a question of law under subsection (3) to the Court of Appeal.
(5) In order to take account of the importance of the right to freedom of expression and
information in a democratic society that right shall be interpreted in a broad manner.
Data processing and public access to official documents
38. (1) For the purposes of Article 86, personal data contained in a record may be disclosed
where a request for access to the record is granted under and in accordance with the
Act of 2014 pursuant to an FOI request.
(2) In this section—
“Act of 2014” means the Freedom of Information Act 2014;
“FOI request” has the same meaning as it has in the Act of 2014;
“record” has the same meaning as it has in the Act of 2014.
S.I. No. 81/1989 –
Data Protection Act, 1988 (Restriction of Section 4) Regulations, 1989.
DATA PROTECTION ACT, 1988 (RESTRICTION OF SECTION 4) REGULATIONS, 1989.
I, GERARD COLLINS, Minister for Justice, being of opinion that the prohibitions and restrictions on the disclosure, and the authorisations of the withholding, of information contained in the provisions of the enactments specified in the Schedule to these Regulations ought to prevail in the interests of the data subjects concerned and any other individuals concerned, hereby, in exercise of the powers conferred on me by subsections (2) and (3) (b) of section 5 of the Data Protection Act, 1988 (No. 25 of 1988), and after consultation with the other Ministers of the Government, make the following Regulations:
1. These Regulations may be cited as the Data Protection Act, 1988 (Restriction of Section 4) Regulations, 1989.
2. These Regulations shall come into operation on the 19th day of April, 1989.
3. The prohibition and restrictions on the disclosure, and the authorisations of the withholding, of information contained in the provision of the enactments specified in the Schedule to these Regulations shall prevail in the interests of the data subjects concerned and any other individuals concerned.
SCHEDULE
Section 22 (5) of the Adoption Act, 1952 (No. 25 of 1952).
Section 9 of the Ombudsman Act, 1980 (No. 26 of 1980).
GIVEN under my Official Seal, this 19th day of April, 1989.
GERARD COLLINS,
Minister for Justice.
EXPLANATORY NOTE
These regulations provide that certain existing enactments that prohibit or restrict the disclosure of information, or authorise it to be withheld, will continue to prevail notwithstanding the right of access to personal data conferred by section 4 of the Data Protection Act 1988 . The enactments relates to (1) the index kept by the Register of Births tracing the connection between entries in the Adopted Children Register and the register of births and (2) to information obtained by the Ombudsman during an investigation under the Ombudsman Act 1980 .
S.I. No. 95/1993 –
Data Protection Act, 1988 (Section 5 (1) (D)) (Specification) Regulations, 1993.
I, MAIRE GEOGHEGAN-QUINN, Minister for Justice, being of opinion that the functions described in column (1) of the Schedule to these Regulations, being functions conferred by or under the enactments specified in column (2) of that Schedule, are designed to protect members of the public against the financial loss referred to in subsection (1) (d) of section 5 of the Data Protection Act, 1988 (No. 25 of 1988), hereby, in exercise of the powers conferred on me by subsections (1) (d) and (2) of that section, and after consultation with the other Ministers of the Government who, having regard to their functions, ought, in my opinion, to be consulted, make the following Regulations:
1. These Regulations may be cited as the Data Protection Act, 1988 (Section 5 (1) (d) (Specification) Regulations, 1993.
2. These Regulations shall come into operation on the 7th day of April, 1993.
3. The functions described in column (1) of the Schedule to these Regulations are, in so far as they are conferred by or under the enactments specified in column (2) thereof and are designed to protect members of the public against the financial loss referred to in section 5 (1) (d) of the Data Protection Act, 1988 (No. 25 of 1988), hereby specified for the purposes of the said section 5 (1) (d).
4. The Data Protection Act, 1988 (Section 5 (1) (d)) (Specification) Regulations, 1989 ( S.I. No. 84 of 1989 ), are hereby revoked.
SCHEDULE
Description of function
(1)
Enactments by or under which function conferred
(2)
Functions of auditors of companies
Companies Act, 1963 to 1990.
Functions of Central Bank of Ireland
Building Societies Act, 1989 (No. 17 of 1989).
Central Bank Acts, 1942 to 1989.
Companies Act, 1990 (No. 33 of 1990).
European Communities Acts, 1972 to 1992.
Trustee Savings Banks Act, 1989 (No. 21 of 1989).
Unit Trusts Act, 1990 (No. 37 of 1990).
Functions of Director of Consumer Affairs and Fair Trade
Consumer Information Act, 1978 (No. 1 of 1978).
European Communities Acts, 1972 to 1992.
Prices Acts, 1958 to 1972.
Restrictive Practices Acts, 1972 and 1987.
Sale of Goods and Supply of Services Act, 1980 (No. 16 of 1980).
Functions of examiners
Companies (Amendment) Act, 1990 (No. 27 of 1990).
Functions of inspector appointed by a court
Companies Act, 1990 (No. 33 of 1990).
Functions of inspector appointed by or officer authorised by Minister for Industry and Commerce
Companies Act, 1990 (No. 33 of 1990).
Functions of Irish Stock
Companies Acts, 1963 to 1990.
Exchange, including officers authorised by the Exchange
European Communities Acts, 1972 to 1992.
Functions of liquidators
Companies Acts, 1963 to 1990.
Functions of Minister for Industry and Commerce
Companies Acts, 1963 to 1990.
Insurance Act, 1989 (No. 3 of 1989).
Functions of Official Assignee in Bankruptcy
Bankruptcy Act, 1988 (No. 27 of 1988).
Courts (Supplemental Provisions) Acts, 1961 to 1991.
Functions of receivers
Companies Acts, 1963 to 1990.
Functions of recognised body of accountants
Companies Acts, 1963 to 1990.
Functions of Registrar of Friendly Societies
Credit Union Act, 1966 (No. 19 of 1966).
Industrial and Provident Societies Acts, 1893 to 1978.
Friendly Societies Acts, 1896 to 1977.
GIVEN under my Official Seal, this 7th day of April, 1993.
M ?IRE GEOGHEGAN-QUINN,
Minister for Justice.
EXPLANATORY NOTE.
These Regulations update the Data Protection Act, 1988 (Section 5 (1) (d)) (Specification) Regulations, 1989 ( S.I. No. 84 of 1989 ). They restrict access to personal data kept by persons or bodies with statutory functions designed to prevent financial loss to members of the public through (a) dishonesty, incompetence or malpractice in the provision of financial services or the management of companies or (b) the conduct of persons who have been adjudicated bankrupt. The restriction applies only where access to the data would be likely to prejudice the proper performance of those functions.
S.I. No. 220/2016 –
Data Protection Act 1988 (Section 2A) Regulations 2016.
WHEREAS section 2A of the Data Protection Act 1988 (No. 25 of 1988) provides that personal data shall not be processed by a data controller unless section 2 of that Act is complied with and at least one of a number of conditions specified in that section is met;
AND WHEREAS subsection (1)(d) of the said section 2A provides that one of those conditions is where the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject;
AND WHEREAS subsection (2) of the said section 2A provides that the Minister may, after consultation with the Data Protection Commissioner, by regulations specify particular circumstances in which subsection (1)(d) of section 2A is, or is not, to be taken as satisfied;
AND WHEREAS the processing by an air carrier or a sea carrier of certain personal data in respect of which it is a data controller, for the purposes of the disclosure of that data, in the circumstances set out in these regulations, to the Home Secretary of the United Kingdom, is necessary for the purposes of the legitimate interests pursued by that carrier and is also necessary for the purposes of the legitimate interests pursued by the Home Secretary;
NOW I, FRANCES FITZGERALD, Minister for Justice and Equality, in exercise of the powers conferred on me by sections 2A(1)(d) and 2A(2) of the Data Protection Act 1988 (as adapted by the Justice and Law Reform (Alteration of Name of Department and Title of Minister) Order 2011 ( S.I. No. 138 of 2011 )), having consulted with the Data Protection Commissioner, make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2A) Regulations 2016.
2. In these regulations—
“Act of 1988” means the Data Protection Act 1988 (No. 25 of 1988);
“air carrier” means an undertaking established in the State that provides air services;
“air service” has the meaning it has in Regulation (EC) No 1008/2008 of the European Parliament and of the Council of 24 September 20081 ;
“established in the State” shall be construed in accordance with section 1(3B)(b) of the Act of 1988;
“Home Department” means the Home Department of the United Kingdom,
which is also known as the Home Office;
“Home Secretary” means the Secretary of State for the Home Department;
“passenger” means a person carried by an air carrier on an aircraft or, as the case may be, a sea carrier in a passenger ship, other than a member of the crew of the aircraft or passenger ship concerned;
“passenger ship” means a sea-going ship that carries more than 12 passengers;
“relevant information” means—
(a) in relation to a person carried or to be carried by an air carrier, the following, insofar as it is collected by the carrier—
(i) where he or she has, for the purpose of the flight, presented a travel document to the carrier concerned, the number, type, issuing state and expiry date of the travel document,
(ii) where he or she has, for the purpose of the flight, presented an identity document to the carrier concerned, the nature of the identity document,
(iii) his or her nationality, as provided to the carrier concerned,
(iv) his or her full names, as provided to the carrier concerned,
(v) his or her gender, as provided to the carrier concerned,
(vi) his or her date of birth, as provided to the carrier concerned,
(vii) the airport of arrival by the person into the United Kingdom or, as the case may be, the airport of departure by the person from the United Kingdom,
(viii) the code of transport used,
(ix) the scheduled departure and arrival times of the aircraft concerned,
(x) the total number of passengers and the total number of crew carried on the aircraft, and
(xi) whether the person concerned is a member of the crew, and
(b) in relation to a person carried or to be carried by a sea carrier, the following, insofar as it is collected by the carrier—
(i) where he or she has, for the purpose of the voyage, presented a travel document to the carrier concerned, the number, type, issuing state and expiry date of the travel document,
(ii) where he or she has, for the purpose of the voyage, presented an identity document to the carrier concerned, the nature of the identity document,
(iii) his or her nationality, as provided to the carrier concerned,
(iv) his or her full names, as provided to the carrier concerned,
(v) his or her gender, as provided to the carrier concerned,
(vi) his or her date of birth, as provided to the carrier concerned,
(vii) the port of arrival by the person into the United Kingdom or, as the case may be, the port of departure by the person from the United Kingdom,
(viii) the code of transport used,
(ix) the scheduled departure and arrival times of the passenger ship concerned,
(x) the total number of passengers and the total number of crew carried on the passenger ship, and
(xi) whether the person concerned is a member of the crew;
“sea carrier” means an undertaking established in the State that, for remuneration, carries passengers by sea in a passenger ship;
“United Kingdom” means the United Kingdom of Great Britain and Northern Ireland.
3. Section 2A (1)(d) of the Act of 1988 is to be taken as satisfied in relation to the processing by an air carrier of relevant information for the purposes of the disclosure of that information, in the circumstances specified in Regulation 5, to the Home Secretary.
4. Section 2A (1)(d) of the Act of 1988 is to be taken as satisfied in relation to the processing by a sea carrier of relevant information for the purposes of the disclosure of that information, in the circumstances specified in Regulation 6, to the Home Secretary.
5. The circumstances referred to in Regulation 3 are the following—
(a) the relevant information relates to a person who is, or persons who are, carried or to be carried by the air carrier on a flight that—
(i) departs from the State and arrives in the United Kingdom, or
(ii) departs from the United Kingdom and arrives in the State,
and
(b) the disclosure concerned has been requested by the Home Secretary.
6. The circumstances referred to in Regulation 4 are the following—
(a) the relevant information relates to a person who is, or persons who are, carried or to be carried by the sea carrier on a voyage where the passenger ship concerned—
(i) departs from the State and arrives in the United Kingdom, or
(ii) departs from the United Kingdom and arrives in the State,
and
(b) the disclosure concerned has been requested by the Home Secretary.
/images/ls
GIVEN under my Official Seal,
30 March 2016.
FRANCES FITZGERALD,
Minister for Justice and Equality.
1 OJ L 293/3 of 31.10.2008
Home Statutory Instruments 2016 S.I. No. 427/2016 –
Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016.
WHEREAS the Government on 19 July 2016 approved the sharing of certain information by the Commissioner of An Garda Síochána as the Commissioner considers appropriate and consistent with the functions of An Garda Síochána set out in section 7 of the Garda Síochána Act 2005 in accordance with the terms of the Directive issued by the Minister for Justice and Equality on the 21 July 2016 to the Commissioner under section 25 (1) of the Garda Síochána Act 2005 , with the Coroner’s Inquest in Northern Ireland into the death of Arlene Arkinson;
AND WHEREAS sections 2 (amended by section 3 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) and 2A (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 have been complied with;
AND WHEREAS there are reasons of substantial public interest for the making of these Regulations;
Now I, FRANCES FITZGERALD, Minister for Justice and Equality, in exercise of the powers conferred on me by subsection (1)(b)(xi) of section 2B (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 (as adapted by the Justice and Law Reform (Alteration of Name of Department and Title of Minister) Order 2011 ( S.I. No. 138 of 2011 )), hereby make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016.
2. The processing is authorised of sensitive personal data by the Commissioner of An Garda Síochána, or a member of the Garda Síochána of any rank below Commissioner acting on behalf of the Commissioner, for the purpose of enabling the Commissioner to comply with the Directive issued by the Minister for Justice and Equality on the 21 July 2016 to the Commissioner under section 25 (1) of the Garda Síochána Act 2005 with the Coroner’s Inquest in Northern Ireland into the death of Arlene Arkinson.
/images/ls
GIVEN under my Official Seal,
30 July 2016.
FRANCES FITZGERALD,
Minister for Justice and Equality.
S.I. No. 209/2012 –
Data Protection Act 1988 (Section 2B) Regulations 2012.
WHEREAS the Government on 31 January 2012, approved the entering into of an Arrangement between the Terrorist Screening Center of the United States of America and the Garda Síochána for the exchange of terrorism screening information;
AND WHEREAS sections 2 (inserted by section 3 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) and 2A (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 (No. 25 of 1988) have been complied with;
AND WHEREAS there are reasons of substantial public interest for the making of these Regulations;
NOW I, Alan Shatter, Minister for Justice and Equality, in exercise of the powers conferred on me by section 2B(1)(b)(xi) (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 (as adapted by the Justice and Law Reform (Alteration of Name of Department and Title of Minister) Order 2011 ( S.I. No. 138 of 2011 )) for reasons of substantial public interest, hereby make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2B) Regulations 2012.
2. The processing is authorised of sensitive personal data by the Garda Síochána under the terms of the Arrangement between the Terrorist Screening Center of the United States of America and the Garda Síochána, for the exchange of terrorism screening information signed on 17 February 2012.
/images/ls
GIVEN under my Official Seal,
15 June 2012.
ALAN SHATTER,
Minister for Justice and Equality.
S.I. No. 240/2015 –
Data Protection Act 1988 (Section 2B) Regulations 2015.
WHEREAS the Government on 3 June 2015 approved the sharing of certain information by the Commissioner of An Garda Síochána as the Commissioner considers appropriate and consistent with the functions of An Garda Síochána set out in section 7 of the Garda Síochána Act 2005 in accordance with the terms of the Directive issued by the Minister for Justice and Equality on the 9 June 2015 to the Commissioner under section 25 (1) of the Garda Síochána Act 2005 , with the Coroner’s Inquest in Northern Ireland into the deaths of 10 persons at Kingsmill, Co Armagh on 5 January 1976;
AND WHEREAS sections 2 (amended by section 3 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) and 2A (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 have been complied with;
AND WHEREAS there are reasons of substantial public interest for the making of these Regulations;
Now I, FRANCES FITZGERALD, Minister for Justice and Equality, in exercise of the powers conferred on me by subsection (1)(b)(xi) of section 2B (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 (as adapted by the Justice and Law Reform (Alteration of Name of Department and Title of Minister) Order 2011 ( S.I. No. 138 of 2011 )), hereby make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2B) Regulations 2015.
2. The processing is authorised of sensitive personal data by the Commissioner of An Garda Síochána, or a member of the Garda Síochána of any rank below Commissioner acting on behalf of the Commissioner, for the purpose of enabling the Commissioner to comply with the Directive issued by the Minister for Justice and Equality on the 9 June 2015 to the Commissioner under section 25 (1) of the Garda Síochána Act 2005 with the Coroner’s Inquest in Northern Ireland into the deaths of 10 persons at Kingsmill, Co Armagh on 5 January 1976.
/images/ls
GIVEN under my Official Seal,
10 June 2015.
FRANCES FITZGERALD,
Minister for Justice and Equality.
S.I. No. 220/2016 –
Data Protection Act 1988 (Section 2A) Regulations 2016.
WHEREAS section 2A of the Data Protection Act 1988 (No. 25 of 1988) provides that personal data shall not be processed by a data controller unless section 2 of that Act is complied with and at least one of a number of conditions specified in that section is met;
AND WHEREAS subsection (1)(d) of the said section 2A provides that one of those conditions is where the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject;
AND WHEREAS subsection (2) of the said section 2A provides that the Minister may, after consultation with the Data Protection Commissioner, by regulations specify particular circumstances in which subsection (1)(d) of section 2A is, or is not, to be taken as satisfied;
AND WHEREAS the processing by an air carrier or a sea carrier of certain personal data in respect of which it is a data controller, for the purposes of the disclosure of that data, in the circumstances set out in these regulations, to the Home Secretary of the United Kingdom, is necessary for the purposes of the legitimate interests pursued by that carrier and is also necessary for the purposes of the legitimate interests pursued by the Home Secretary;
NOW I, FRANCES FITZGERALD, Minister for Justice and Equality, in exercise of the powers conferred on me by sections 2A(1)(d) and 2A(2) of the Data Protection Act 1988 (as adapted by the Justice and Law Reform (Alteration of Name of Department and Title of Minister) Order 2011 ( S.I. No. 138 of 2011 )), having consulted with the Data Protection Commissioner, make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2A) Regulations 2016.
2. In these regulations—
“Act of 1988” means the Data Protection Act 1988 (No. 25 of 1988);
“air carrier” means an undertaking established in the State that provides air services;
“air service” has the meaning it has in Regulation (EC) No 1008/2008 of the European Parliament and of the Council of 24 September 20081 ;
“established in the State” shall be construed in accordance with section 1(3B)(b) of the Act of 1988;
“Home Department” means the Home Department of the United Kingdom,
which is also known as the Home Office;
“Home Secretary” means the Secretary of State for the Home Department;
“passenger” means a person carried by an air carrier on an aircraft or, as the case may be, a sea carrier in a passenger ship, other than a member of the crew of the aircraft or passenger ship concerned;
“passenger ship” means a sea-going ship that carries more than 12 passengers;
“relevant information” means—
(a) in relation to a person carried or to be carried by an air carrier, the following, insofar as it is collected by the carrier—
(i) where he or she has, for the purpose of the flight, presented a travel document to the carrier concerned, the number, type, issuing state and expiry date of the travel document,
(ii) where he or she has, for the purpose of the flight, presented an identity document to the carrier concerned, the nature of the identity document,
(iii) his or her nationality, as provided to the carrier concerned,
(iv) his or her full names, as provided to the carrier concerned,
(v) his or her gender, as provided to the carrier concerned,
(vi) his or her date of birth, as provided to the carrier concerned,
(vii) the airport of arrival by the person into the United Kingdom or, as the case may be, the airport of departure by the person from the United Kingdom,
(viii) the code of transport used,
(ix) the scheduled departure and arrival times of the aircraft concerned,
(x) the total number of passengers and the total number of crew carried on the aircraft, and
(xi) whether the person concerned is a member of the crew, and
(b) in relation to a person carried or to be carried by a sea carrier, the following, insofar as it is collected by the carrier—
(i) where he or she has, for the purpose of the voyage, presented a travel document to the carrier concerned, the number, type, issuing state and expiry date of the travel document,
(ii) where he or she has, for the purpose of the voyage, presented an identity document to the carrier concerned, the nature of the identity document,
(iii) his or her nationality, as provided to the carrier concerned,
(iv) his or her full names, as provided to the carrier concerned,
(v) his or her gender, as provided to the carrier concerned,
(vi) his or her date of birth, as provided to the carrier concerned,
(vii) the port of arrival by the person into the United Kingdom or, as the case may be, the port of departure by the person from the United Kingdom,
(viii) the code of transport used,
(ix) the scheduled departure and arrival times of the passenger ship concerned,
(x) the total number of passengers and the total number of crew carried on the passenger ship, and
(xi) whether the person concerned is a member of the crew;
“sea carrier” means an undertaking established in the State that, for remuneration, carries passengers by sea in a passenger ship;
“United Kingdom” means the United Kingdom of Great Britain and Northern Ireland.
3. Section 2A (1)(d) of the Act of 1988 is to be taken as satisfied in relation to the processing by an air carrier of relevant information for the purposes of the disclosure of that information, in the circumstances specified in Regulation 5, to the Home Secretary.
4. Section 2A (1)(d) of the Act of 1988 is to be taken as satisfied in relation to the processing by a sea carrier of relevant information for the purposes of the disclosure of that information, in the circumstances specified in Regulation 6, to the Home Secretary.
5. The circumstances referred to in Regulation 3 are the following—
(a) the relevant information relates to a person who is, or persons who are, carried or to be carried by the air carrier on a flight that—
(i) departs from the State and arrives in the United Kingdom, or
(ii) departs from the United Kingdom and arrives in the State,
and
(b) the disclosure concerned has been requested by the Home Secretary.
6. The circumstances referred to in Regulation 4 are the following—
(a) the relevant information relates to a person who is, or persons who are, carried or to be carried by the sea carrier on a voyage where the passenger ship concerned—
(i) departs from the State and arrives in the United Kingdom, or
(ii) departs from the United Kingdom and arrives in the State,
and
(b) the disclosure concerned has been requested by the Home Secretary.
/images/ls
GIVEN under my Official Seal,
30 March 2016.
FRANCES FITZGERALD,
Minister for Justice and Equality.
1 OJ L 293/3 of 31.10.2008
S.I. No. 659/2018 –
Data Protection Act 2018 (Section 159(1)) Rules 2018
View SIAmendments
Notice of the making of this Statutory Instrument was published in
“Iris Oifigiúil” of 26th April, 2019.
We, the Superior Courts Rules Committee, constituted pursuant to the provisions of the Courts of Justice Act 1936 , section 67, and reconstituted pursuant to the provisions of the Courts of Justice Act 1953 , section 15, by virtue of the powers conferred upon us by the Data Protection Act 2018 , section 159(1), and of all other powers enabling us in this behalf, do hereby make the following Rules.
Dated this 11th day of June 2018.
Frank Clarke
George Birmingham
Peter Kelly
Elizabeth Dunne
Michael Peart
Anthony Barr
Stuart Gilhooly
Liam Kennedy
Noel Rubotham
Mary Cummins
John Mahon
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(1)) Rules 2018, shall come into operation on the 1st day of August 2018.
Scope
2. These Rules (being processing rules, within the meaning of section 159(9) of the 2018 Act) shall apply to the processing of personal data:
(a) of which a superior court of record, when acting in a judicial capacity, is a controller, and
(b) which are personal data contained in a record of that court,
where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller.
Interpretation
3. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“court record” means a record of a superior court of record;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
in relation to personal data of which a court is the controller, “judge” , in the case of any proceedings the hearing of which has not been assigned to any judge or panel of judges or, in any case where the judge concerned is no longer a member of that court or the panel concerned can no longer be constituted, shall mean the Chief Justice in relation to a judge of the Supreme Court, the President of the Court of Appeal in relation to a judge of the Court of Appeal or, as the case may be, the President of the High Court in relation to a judge of the High Court;
“Processor” means a processor of personal data of which a superior court of record is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which a superior court of record is the controller.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive.
Processing of personal data
4. (1) Where a Processor shall process personal data on behalf of any superior court of record or judge of such court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule.
Subject matter of processing
(2) The subject matter of processing to which these Rules apply consists of personal data included, by or on behalf of a party to proceedings before a court, or any other person, in and, subject to any order of the court concerned, retained in, a court record, in accordance with the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the conduct of those proceedings.
(3) Personal data contained in a court record may be held securely in hard copy or in electronic form by a court officer or member of the staff of the Courts Service for the time being employed in a court office at an office of or attached to the court concerned or by a contractor of the Courts Service notified to the president of the court concerned, at premises or in a system used by the Courts Service or, as the case may be, by that contractor.
(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data in accordance with the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the court or the proceedings to which they relate.
(5) A Processor may, subject to the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, disclose by transmission, dissemination or otherwise, personal data contained in a court record:
(a) to a party to the proceedings to which such personal data relate, at the request of that party or by direction of the court concerned;
(b) to a legal representative of such party on record as acting in the proceedings, at the request of that legal representative or by direction of the court concerned;
(c) by direction of the court concerned to a member of An Garda Síochána or a prosecuting authority, for the purposes of —
(i) the investigation of, or
(ii) use as evidence in the prosecution of
an offence alleged;
(d) to any other person or persons (including an artificial legal person(s)) directed by the court concerned for any other purpose which the court concerned may determine to be appropriate having regard to the provisions of the Data Protection Regulation, the Directive and the 2018 Act;
(e) to any other court or officer of a court for the purposes of an appeal or any other proceedings relating to the proceedings to which the personal data relate;
(f) to any person in compliance with an order or direction of a court requiring production or discovery of the personal data concerned; and
(g) to a bona fide member of the Press or broadcast media in accordance with rules made under section 159(7) of the 2018 Act.
Duration of processing
(6) Personal data contained in a court record shall be retained for the purposes of the proceedings including any appeal and enforcement action and for archiving purposes following the determination of the proceedings to which the personal data relate (including by way of appeal), prior to transfer of the court record to the National Archives in accordance with the provisions of the National Archives Act 1986 save where the court record concerned is the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 , in which case the court record shall be disposed of in accordance with such authorisation.
Purpose of processing
(7) Personal data contained in a court record may be processed —
(a) in accordance with the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the proceedings to which they relate, or
(b) in accordance with an order of that court or of another competent court, for the purposes of proceedings before the last-mentioned court.
Type of personal data to be processed and data subjects to whom the personal data relate
(8) Subject to the requirements of statute, the Rules of the Superior Courts, rules made under section 159(7) of the 2018 Act, any applicable practice direction of the court concerned and any order of that court, personal data of any type and which relate to any data subject in a court record are liable to be processed where such data have been included in such record.
Obligations of the Processor
5. In respect of any processing of personal data contained in a court record, the Processor shall:
(a) act only on a direction or directions given by or on behalf of the court concerned (including such directions made under these Rules or the Rules of the Superior Courts or comprised in any practice direction of that court) in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise;
(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;
(c) assist the court in ensuring compliance with the court’s obligations under applicable data protection law in respect of data subject rights;
(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the court
(i) return to the court as directed by the Courts Service on behalf of the court, or
(ii) where the data are contained in records which are the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 authorising the disposal of such records, erase
all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data;
(e) in the case of a Processor who is an officer of the court concerned or a member of staff of the Courts Service employed in an office of or attached to the court, maintain all personal data subject to the direction of the judge or, as the case may be, the senior of the judges referred to in section 65(3) of the Court Officers Act 1926 and otherwise in accordance with rule 4(6);
(f) make available to the court concerned all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation and under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the court concerned;
(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) otherwise than in accordance with the prior specific or general written authorisation of the president of the court concerned; in the case of any general authorisation, the Courts Service shall inform the president of the court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office;
(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) is engaged to process personal data on behalf of the court concerned, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules; in the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the court for the performance of its obligations in accordance with statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned, any order of that court, and these Rules;
(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law;
(j) inform the president of the court concerned immediately if, in the Processor’s opinion, it receives an instruction from the court which infringes the Data Protection Regulation, the Directive or the 2018 Act;
(k) notify the president of the court concerned immediately after becoming aware of any personal data breach and provide the court concerned with such cooperation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and
(l) assist the court in complying with the court’s obligations under applicable data protection law in respect of data protection impact assessments.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(1) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Article 22(3) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the processing by a processor of personal data contained in a record of a superior court of record.
.I. No. 658/2018 –
Data Protection Act 2018 (Section 158(3)) Rules 2018
Notice of the making of this Statutory Instrument was published in
“Iris Oifigiúil” of 26th April, 2019.
We, being the panel nominated by the Chief Justice pursuant to section 158 (6) of the Data Protection Act 2018 , by virtue of the powers conferred on us by section 158(3) of the Data Protection Act 2018 , and being satisfied:
(i) that it is necessary to make Rules for the purpose of ensuring the effective application of restrictions of the rights and obligations provided for in—
(a) Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and
(b) sections 87, 90, 91, 92 and 93, and section 71 in so far as it relates to those sections;
and
(ii) that such restrictions, as applied by the Rules hereinafter mentioned, are necessary and proportionate to safeguard judicial independence and court proceedings,
do hereby make the following Rules.
Dated this 18th day of July 2018.
John A. Edwards
David Barniville
Marie Quirke
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 158(3)) Rules 2018, shall
(i) come into operation on, and
(ii) apply to the processing of personal data referred to in rule 3 which takes place on or after,
the 1st day of August 2018.
Interpretation
2. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“Assigned Judge” means the judge, appointed by the Chief Justice, competent for supervision of data processing operations of the Courts when acting in their judicial capacity, in accordance with section 157(1) of the 2018 Act;
“court record” includes any document or other material issued or received by a court and forming part of the file or record of the proceedings before the court but does not include notes taken by or for a judge, or communications with, by or on behalf of a judge performing a judicial function in respect of such proceedings and not intended by the judge to form part of such file or record;
“Courts Service” means the body established by section 4(1) of the Courts Service Act 1998 ;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“proceedings” means proceedings before a court, and “civil proceedings” and “criminal proceedings” shall be construed accordingly.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation shall have the meanings given to them in the Data Protection Regulation.
Scope
3. Save as otherwise provided in these Rules, these Rules shall apply to the processing of personal data by, for or on behalf of a court when acting in a judicial capacity and without prejudice to the generality of the foregoing shall include the processing of:
(i) personal data
(a) delivered to or by a court, judge, court office or court officer, or
(b) held by a court, judge, court office or court officer, or
(c) issued by a court, judge, court office or court officer,
for the purposes of or in connection with proceedings, or the performance of a judicial function, or (as the case may be) the performance by a court officer in civil proceedings of limited functions of a judicial nature conferred on that officer by law, and which forms or will form part of a court record; and
(ii) personal data created or held by
(a) a judge or a court officer or other person performing functions under the direction of a judge, or
(b) a court officer performing limited functions of a judicial nature conferred on that officer by law or a court officer or other person performing functions under the direction of such officer,
for the purposes of or in connection with proceedings, or the performance of a judicial function, or (as the case may be) the performance in civil proceedings of limited functions of a judicial nature conferred by law, and which does not form part of a court record.
Restrictions
4. In accordance with section 158(1) of the 2018 Act and for the purposes of section 158(3) of the 2018 Act, save to the extent specified in rules 5 to 7 of these Rules, Articles 12 to 22 and 34 (and Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22) of the Data Protection Regulation and sections 87, 90, 91, 92 and 93, and section 71 insofar as it relates to those sections, of the 2018 Act shall not apply to the processing of any personal data referred to in rule 3 of these Rules.
Provision of Information
5. The following information specified in Articles 13 and 14 of the Data Protection Regulation and section 90 of the 2018 Act shall be made publicly available by way only of general notice published on behalf of the courts in their capacity as data controllers on the Courts Service website:
Where personal data are collected from the data subject
Article 13.1(a) of the Data Protection Regulation and section 90(2)(a) of the 2018 Act
(i) the identity of the controller, being the Supreme Court, the Court of Appeal, the High Court, the Circuit Court, the District Court or a Special Criminal Court, as the case may be;
Article 13.1(c) of the Data Protection Regulation and section 90(2)(c) and (f) of the 2018 Act
(ii) that personal data are processed by and on behalf of the courts for the purposes of the performance by the courts of their functions under the Constitution and law, as interpreted in the decisions of the courts, and the fact that the legal basis for such processing is provided for in the Constitution, in statute, (principally but without limitation the Courts of Justice Acts 1924 to 2014, the Courts (Supplemental Provisions) Acts 1961 to 2017 and, in the case of a Special Criminal Court, Part V of the Offences against the State Act 1939 ) and otherwise in law;
Article 13.1(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(iii) that material comprised in a court record may be made available to a party to the proceedings concerned (or to that party’s legal representative) or to another person
(a) where statute (other than the 2018 Act) or rules of court so require or permit, or
(b) if applicable, where the practice of the court so permits, or
(c) for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings, to a bona fide member of the Press or broadcast media at the member’s request in accordance with section 159(7) of the 2018 Act and rules made thereunder,
and that in accordance with the requirements of Article 34 of the Constitution, proceedings are generally held in public save in such special and limited cases as may be prescribed by law;
Article 13.1(f) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(iv) that material comprised in a court record may in certain circumstances (including, without limitation, in matters of judicial co-operation and criminal justice mutual assistance and where the transcription of digital audio records of proceedings is carried out for the Courts Service in a third country) be transferred to a third country and that where same occurs in the absence of an adequacy decision pursuant to Article 45.3 of the Data Protection Regulation, the appropriate or suitable safeguards pursuant to Article 46 of the Data Protection Regulation which have been provided and the means by which to obtain a copy of them or where they have been made available;
Article 13.2(a) of the Data Protection Regulation and section 90(2)(f)(ii) of the 2018 Act
(v) that a court record is, by virtue of section 1(2) of the National Archives Act 1986 , a “departmental record” for the purposes of that Act and records of proceedings are therefore liable to be retained and preserved in accordance with and subject to section 7 of that Act and transferred to the National Archives in accordance with and subject to section 8 of that Act;
Article 13.2(b) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(vi) that the right to request access to personal data contained in a court record is confined to the circumstances where statute or rules of court or the practice of the court so permits and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which data remain confidential and immune from production;
Article 13.2(b) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(vii) that the right to request rectification of personal data contained in a court record is confined to the circumstances in which such right is available to a party to the proceedings concerned in accordance with rules of court and may be exercised only by the means available to such party to request rectification of a court record (including generally by application under the “slip rule” applicable in the relevant court) and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which remain confidential and immune from production;
Article 13.2(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(viii) that the nature of the obligation to provide personal data will depend on the circumstances but arises ultimately from the function conferred on courts by the Constitution and law; where the personal data is provided by a plaintiff, applicant or moving party in civil proceedings or by a complainant in criminal proceedings, it is essentially provided voluntarily and with the intention of, or directed towards, seeking a remedy in the proceedings and failure to provide it may diminish the prospects of securing that remedy; where the personal data is provided by a defendant or respondent in civil proceedings or by an accused in criminal proceedings, it is essentially provided voluntarily and with the intention of, or directed towards, defending the proceedings and failure to provide it may diminish the prospects of successfully defending the proceedings and may also involve a risk of being found in default of defence; where the personal data is provided under a summons to give evidence in any proceedings, it is essentially provided under compulsion and failure to provide it may render the person liable to be summoned in contempt of court;
Article 13.3 of the Data Protection Regulation and section 160 of the 2018 Act
(ix) that personal data held by courts may be further processed for purposes connected with the administration of justice, including the publication of a judgment or decision of a court, or of a list or schedule of proceedings or hearings in proceedings;
Article 13.3 of the Data Protection Regulation
(x) that personal data held by courts may be further processed for purposes connected with the efficient management and operation of the courts, including statistical analysis, but further processing for statistical analysis purposes will be subject to technical and organisational measures in order to ensure respect for the principle of data minimisation, (and for the avoidance of doubt, that the courts do not permit data held by them to be used by third parties for marketing or other commercial purposes);
Where personal data have not been obtained from the data subject
Article 14.1(a) of the Data Protection Regulation and section 90(2)(a) of the 2018 Act
(xi) the identity of the controller, being the Supreme Court, the Court of Appeal, the High Court, the Circuit Court, the District Court or a Special Criminal Court, as the case may be;
Article 14.1(c) of the Data Protection Regulation and section 90(2)(c) and (f) of the 2018 Act
(xii) that personal data are processed by and on behalf of the courts for the purposes of the performance by the courts of their functions under the Constitution and law, as interpreted in the decisions of the courts, and the fact that the legal basis for such processing is provided for in the Constitution, in statute (principally but without limitation the Courts of Justice Acts 1924 to 2014, the Courts (Supplemental Provisions) Acts 1961 to 2017 and, in the case of a Special Criminal Court, Part V of the Offences against the State Act 1939 ) and otherwise in law;
Article 14.1(d) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xiii) that the categories of personal data concerned depend on the nature of the proceedings concerned and the content of pleadings and other court documents lodged, exchanged or issued, and of evidence given and submissions made in, those proceedings;
Article 14.1(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xiv) that material comprised in a court record may be made available to a party to the proceedings concerned (or to that party’s legal representative) or to another person
(a) where statute (other than the 2018 Act) or rules of court so require or permit, or
(b) if applicable, where the practice of the court so permits, or
(c) for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings, to a bona fide member of the Press or broadcast media at the member’s request in accordance with section 159(7) of the 2018 Act and rules made thereunder,
and that in accordance with the requirements of Article 34 of the Constitution, proceedings are generally held in public save in such special and limited cases as may be prescribed by law;
Article 14.1(f) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xv) that material comprised in a court record may in certain circumstances (including, without limitation, in matters of judicial co-operation and criminal justice mutual assistance and where the transcription of digital audio records of proceedings is carried out for the Courts Service in a third country) be transferred to a third country and that where same occurs in the absence of an adequacy decision pursuant to Article 45.3 of the Data Protection Regulation, the appropriate or suitable safeguards pursuant to Article 46 of the Data Protection Regulation which have been provided and the means by which to obtain a copy of them or where they have been made available;
Article 14.2(a) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xvi) that a court record is, by virtue of section 1(2) of the National Archives Act 1986 a “departmental record” for the purposes of that Act and records of proceedings are therefore liable to be retained and preserved in accordance with and subject to section 7 of that Act and transferred to the National Archives in accordance with and subject to section 8 of that Act;
Article 14.2(c) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(xvii) that the right to request access to personal data contained in a court record is confined to the circumstances where statute or rules of court or the practice of the court so permits and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which data remain confidential and immune from production;
Article 14.2(f) of the Data Protection Regulation
(xviii) that the source from which personal data originate in proceedings is usually a party to those proceedings (who may rely in his, her or its pleadings and documents submitted to the court on other, including publicly accessible sources), a person summoned to give evidence before the court by a party to the proceedings, or a person, not being a party to the proceedings, who is required to provide discovery in the proceedings;
Article 14.4 of the Data Protection Regulation and section 160 of the 2018 Act
(xix) that personal data held by courts may be further processed for purposes connected with the administration of justice, including the publication of a judgment or decision of a court, or of a list or schedule of proceedings or hearings in proceedings;
Article 14.4 of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xx) that personal data held by courts may be further processed for purposes connected with the efficient management and operation of the courts, including statistical analysis, but further processing for statistical analysis purposes will be subject to technical and organisational measures in order to ensure respect for the principle of data minimisation, (and for the avoidance of doubt, that the courts do not permit data held by them to be used by third parties for marketing or other commercial purposes).
Right of Access (Article 15 of the Data Protection Regulation and section 91 of the 2018 Act)
6. (1) A data subject shall be entitled to access to material comprised in a court record only where
(i) a provision of statute (other than the 2018 Act) or rules of court so permits,
or
(ii) the practice of the court so permits.
(2) A data subject may seek access to any part of a note or recording made of proceedings only by making an application to the court concerned subject to and in accordance with the provisions of Order 123, rule 9 of the Rules of the Superior Courts (in the case of the Supreme Court, Court of Appeal or High Court), Order 67A, rule 8 of the Circuit Court Rules (in the case of the Circuit Court) or, as the case may be, Order 12B, rule 5 of the District Court Rules (in the case of the District Court).
Right to Rectification (Article 16 of the Data Protection Regulation and section 92 of the 2018 Act)
7. An application by a data subject for the rectification without undue delay of inaccurate personal data processed by or on behalf of a Court which is contained in a judgment or order of the court may be made by means only of an application subject to and in accordance with the provisions of Order 28, rule 11 of the Rules of the Superior Courts (in the case of the Supreme Court, Court of Appeal or High Court), Order 65, rule 3 of the Circuit Court Rules (in the case of the Circuit Court) or, as the case may be, Order 12, rule 16 or Order 45E, rule 3 of the District Court Rules (in the case of the District Court), and only by a person entitled to make such application in accordance with the rule of court concerned.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules are made under section 158(3) of the Data Protection Act 2018 for the purpose of ensuring the effective application of restrictions of the rights and obligations provided for in—
(a) Articles 12 to 22 and Article 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and Article 5 of that Regulation in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and
(b) sections 87, 90, 91, 92 and 93 of the Data Protection Act 2018 , and section 71 of that Act in so far as it relates to those sections.
S.I. No. 658/2018 –
Data Protection Act 2018 (Section 158(3)) Rules 2018
View SIAmendments
Notice of the making of this Statutory Instrument was published in
“Iris Oifigiúil” of 26th April, 2019.
We, being the panel nominated by the Chief Justice pursuant to section 158 (6) of the Data Protection Act 2018 , by virtue of the powers conferred on us by section 158(3) of the Data Protection Act 2018 , and being satisfied:
(i) that it is necessary to make Rules for the purpose of ensuring the effective application of restrictions of the rights and obligations provided for in—
(a) Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and
(b) sections 87, 90, 91, 92 and 93, and section 71 in so far as it relates to those sections;
and
(ii) that such restrictions, as applied by the Rules hereinafter mentioned, are necessary and proportionate to safeguard judicial independence and court proceedings,
do hereby make the following Rules.
Dated this 18th day of July 2018.
John A. Edwards
David Barniville
Marie Quirke
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 158(3)) Rules 2018, shall
(i) come into operation on, and
(ii) apply to the processing of personal data referred to in rule 3 which takes place on or after,
the 1st day of August 2018.
Interpretation
2. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“Assigned Judge” means the judge, appointed by the Chief Justice, competent for supervision of data processing operations of the Courts when acting in their judicial capacity, in accordance with section 157(1) of the 2018 Act;
“court record” includes any document or other material issued or received by a court and forming part of the file or record of the proceedings before the court but does not include notes taken by or for a judge, or communications with, by or on behalf of a judge performing a judicial function in respect of such proceedings and not intended by the judge to form part of such file or record;
“Courts Service” means the body established by section 4(1) of the Courts Service Act 1998 ;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“proceedings” means proceedings before a court, and “civil proceedings” and “criminal proceedings” shall be construed accordingly.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation shall have the meanings given to them in the Data Protection Regulation.
Scope
3. Save as otherwise provided in these Rules, these Rules shall apply to the processing of personal data by, for or on behalf of a court when acting in a judicial capacity and without prejudice to the generality of the foregoing shall include the processing of:
(i) personal data
(a) delivered to or by a court, judge, court office or court officer, or
(b) held by a court, judge, court office or court officer, or
(c) issued by a court, judge, court office or court officer,
for the purposes of or in connection with proceedings, or the performance of a judicial function, or (as the case may be) the performance by a court officer in civil proceedings of limited functions of a judicial nature conferred on that officer by law, and which forms or will form part of a court record; and
(ii) personal data created or held by
(a) a judge or a court officer or other person performing functions under the direction of a judge, or
(b) a court officer performing limited functions of a judicial nature conferred on that officer by law or a court officer or other person performing functions under the direction of such officer,
for the purposes of or in connection with proceedings, or the performance of a judicial function, or (as the case may be) the performance in civil proceedings of limited functions of a judicial nature conferred by law, and which does not form part of a court record.
Restrictions
4. In accordance with section 158(1) of the 2018 Act and for the purposes of section 158(3) of the 2018 Act, save to the extent specified in rules 5 to 7 of these Rules, Articles 12 to 22 and 34 (and Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22) of the Data Protection Regulation and sections 87, 90, 91, 92 and 93, and section 71 insofar as it relates to those sections, of the 2018 Act shall not apply to the processing of any personal data referred to in rule 3 of these Rules.
Provision of Information
5. The following information specified in Articles 13 and 14 of the Data Protection Regulation and section 90 of the 2018 Act shall be made publicly available by way only of general notice published on behalf of the courts in their capacity as data controllers on the Courts Service website:
Where personal data are collected from the data subject
Article 13.1(a) of the Data Protection Regulation and section 90(2)(a) of the 2018 Act
(i) the identity of the controller, being the Supreme Court, the Court of Appeal, the High Court, the Circuit Court, the District Court or a Special Criminal Court, as the case may be;
Article 13.1(c) of the Data Protection Regulation and section 90(2)(c) and (f) of the 2018 Act
(ii) that personal data are processed by and on behalf of the courts for the purposes of the performance by the courts of their functions under the Constitution and law, as interpreted in the decisions of the courts, and the fact that the legal basis for such processing is provided for in the Constitution, in statute, (principally but without limitation the Courts of Justice Acts 1924 to 2014, the Courts (Supplemental Provisions) Acts 1961 to 2017 and, in the case of a Special Criminal Court, Part V of the Offences against the State Act 1939 ) and otherwise in law;
Article 13.1(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(iii) that material comprised in a court record may be made available to a party to the proceedings concerned (or to that party’s legal representative) or to another person
(a) where statute (other than the 2018 Act) or rules of court so require or permit, or
(b) if applicable, where the practice of the court so permits, or
(c) for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings, to a bona fide member of the Press or broadcast media at the member’s request in accordance with section 159(7) of the 2018 Act and rules made thereunder,
and that in accordance with the requirements of Article 34 of the Constitution, proceedings are generally held in public save in such special and limited cases as may be prescribed by law;
Article 13.1(f) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(iv) that material comprised in a court record may in certain circumstances (including, without limitation, in matters of judicial co-operation and criminal justice mutual assistance and where the transcription of digital audio records of proceedings is carried out for the Courts Service in a third country) be transferred to a third country and that where same occurs in the absence of an adequacy decision pursuant to Article 45.3 of the Data Protection Regulation, the appropriate or suitable safeguards pursuant to Article 46 of the Data Protection Regulation which have been provided and the means by which to obtain a copy of them or where they have been made available;
Article 13.2(a) of the Data Protection Regulation and section 90(2)(f)(ii) of the 2018 Act
(v) that a court record is, by virtue of section 1(2) of the National Archives Act 1986 , a “departmental record” for the purposes of that Act and records of proceedings are therefore liable to be retained and preserved in accordance with and subject to section 7 of that Act and transferred to the National Archives in accordance with and subject to section 8 of that Act;
Article 13.2(b) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(vi) that the right to request access to personal data contained in a court record is confined to the circumstances where statute or rules of court or the practice of the court so permits and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which data remain confidential and immune from production;
Article 13.2(b) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(vii) that the right to request rectification of personal data contained in a court record is confined to the circumstances in which such right is available to a party to the proceedings concerned in accordance with rules of court and may be exercised only by the means available to such party to request rectification of a court record (including generally by application under the “slip rule” applicable in the relevant court) and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which remain confidential and immune from production;
Article 13.2(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(viii) that the nature of the obligation to provide personal data will depend on the circumstances but arises ultimately from the function conferred on courts by the Constitution and law; where the personal data is provided by a plaintiff, applicant or moving party in civil proceedings or by a complainant in criminal proceedings, it is essentially provided voluntarily and with the intention of, or directed towards, seeking a remedy in the proceedings and failure to provide it may diminish the prospects of securing that remedy; where the personal data is provided by a defendant or respondent in civil proceedings or by an accused in criminal proceedings, it is essentially provided voluntarily and with the intention of, or directed towards, defending the proceedings and failure to provide it may diminish the prospects of successfully defending the proceedings and may also involve a risk of being found in default of defence; where the personal data is provided under a summons to give evidence in any proceedings, it is essentially provided under compulsion and failure to provide it may render the person liable to be summoned in contempt of court;
Article 13.3 of the Data Protection Regulation and section 160 of the 2018 Act
(ix) that personal data held by courts may be further processed for purposes connected with the administration of justice, including the publication of a judgment or decision of a court, or of a list or schedule of proceedings or hearings in proceedings;
Article 13.3 of the Data Protection Regulation
(x) that personal data held by courts may be further processed for purposes connected with the efficient management and operation of the courts, including statistical analysis, but further processing for statistical analysis purposes will be subject to technical and organisational measures in order to ensure respect for the principle of data minimisation, (and for the avoidance of doubt, that the courts do not permit data held by them to be used by third parties for marketing or other commercial purposes);
Where personal data have not been obtained from the data subject
Article 14.1(a) of the Data Protection Regulation and section 90(2)(a) of the 2018 Act
(xi) the identity of the controller, being the Supreme Court, the Court of Appeal, the High Court, the Circuit Court, the District Court or a Special Criminal Court, as the case may be;
Article 14.1(c) of the Data Protection Regulation and section 90(2)(c) and (f) of the 2018 Act
(xii) that personal data are processed by and on behalf of the courts for the purposes of the performance by the courts of their functions under the Constitution and law, as interpreted in the decisions of the courts, and the fact that the legal basis for such processing is provided for in the Constitution, in statute (principally but without limitation the Courts of Justice Acts 1924 to 2014, the Courts (Supplemental Provisions) Acts 1961 to 2017 and, in the case of a Special Criminal Court, Part V of the Offences against the State Act 1939 ) and otherwise in law;
Article 14.1(d) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xiii) that the categories of personal data concerned depend on the nature of the proceedings concerned and the content of pleadings and other court documents lodged, exchanged or issued, and of evidence given and submissions made in, those proceedings;
Article 14.1(e) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xiv) that material comprised in a court record may be made available to a party to the proceedings concerned (or to that party’s legal representative) or to another person
(a) where statute (other than the 2018 Act) or rules of court so require or permit, or
(b) if applicable, where the practice of the court so permits, or
(c) for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings, to a bona fide member of the Press or broadcast media at the member’s request in accordance with section 159(7) of the 2018 Act and rules made thereunder,
and that in accordance with the requirements of Article 34 of the Constitution, proceedings are generally held in public save in such special and limited cases as may be prescribed by law;
Article 14.1(f) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xv) that material comprised in a court record may in certain circumstances (including, without limitation, in matters of judicial co-operation and criminal justice mutual assistance and where the transcription of digital audio records of proceedings is carried out for the Courts Service in a third country) be transferred to a third country and that where same occurs in the absence of an adequacy decision pursuant to Article 45.3 of the Data Protection Regulation, the appropriate or suitable safeguards pursuant to Article 46 of the Data Protection Regulation which have been provided and the means by which to obtain a copy of them or where they have been made available;
Article 14.2(a) of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xvi) that a court record is, by virtue of section 1(2) of the National Archives Act 1986 a “departmental record” for the purposes of that Act and records of proceedings are therefore liable to be retained and preserved in accordance with and subject to section 7 of that Act and transferred to the National Archives in accordance with and subject to section 8 of that Act;
Article 14.2(c) of the Data Protection Regulation and section 90(2)(d) of the 2018 Act
(xvii) that the right to request access to personal data contained in a court record is confined to the circumstances where statute or rules of court or the practice of the court so permits and, for the avoidance of doubt, that no such rights are exercisable in respect of personal data referred to in rule 3(ii), which data remain confidential and immune from production;
Article 14.2(f) of the Data Protection Regulation
(xviii) that the source from which personal data originate in proceedings is usually a party to those proceedings (who may rely in his, her or its pleadings and documents submitted to the court on other, including publicly accessible sources), a person summoned to give evidence before the court by a party to the proceedings, or a person, not being a party to the proceedings, who is required to provide discovery in the proceedings;
Article 14.4 of the Data Protection Regulation and section 160 of the 2018 Act
(xix) that personal data held by courts may be further processed for purposes connected with the administration of justice, including the publication of a judgment or decision of a court, or of a list or schedule of proceedings or hearings in proceedings;
Article 14.4 of the Data Protection Regulation and section 90(2)(f) of the 2018 Act
(xx) that personal data held by courts may be further processed for purposes connected with the efficient management and operation of the courts, including statistical analysis, but further processing for statistical analysis purposes will be subject to technical and organisational measures in order to ensure respect for the principle of data minimisation, (and for the avoidance of doubt, that the courts do not permit data held by them to be used by third parties for marketing or other commercial purposes).
Right of Access (Article 15 of the Data Protection Regulation and section 91 of the 2018 Act)
6. (1) A data subject shall be entitled to access to material comprised in a court record only where
(i) a provision of statute (other than the 2018 Act) or rules of court so permits,
or
(ii) the practice of the court so permits.
(2) A data subject may seek access to any part of a note or recording made of proceedings only by making an application to the court concerned subject to and in accordance with the provisions of Order 123, rule 9 of the Rules of the Superior Courts (in the case of the Supreme Court, Court of Appeal or High Court), Order 67A, rule 8 of the Circuit Court Rules (in the case of the Circuit Court) or, as the case may be, Order 12B, rule 5 of the District Court Rules (in the case of the District Court).
Right to Rectification (Article 16 of the Data Protection Regulation and section 92 of the 2018 Act)
7. An application by a data subject for the rectification without undue delay of inaccurate personal data processed by or on behalf of a Court which is contained in a judgment or order of the court may be made by means only of an application subject to and in accordance with the provisions of Order 28, rule 11 of the Rules of the Superior Courts (in the case of the Supreme Court, Court of Appeal or High Court), Order 65, rule 3 of the Circuit Court Rules (in the case of the Circuit Court) or, as the case may be, Order 12, rule 16 or Order 45E, rule 3 of the District Court Rules (in the case of the District Court), and only by a person entitled to make such application in accordance with the rule of court concerned.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules are made under section 158(3) of the Data Protection Act 2018 for the purpose of ensuring the effective application of restrictions of the rights and obligations provided for in—
(a) Articles 12 to 22 and Article 34 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and Article 5 of that Regulation in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, and
(b) sections 87, 90, 91, 92 and 93 of the Data Protection Act 2018 , and section 71 of that Act in so far as it relates to those sections.
S.I. No. 661/2018 –
Data Protection Act 2018 (Section 159(2)) Rules 2018
“Iris Oifigiúil” of 26th April, 2019.
We, the Circuit Court Rules Committee, constituted pursuant to the provisions of section 69 of the Courts of Justice Act 1936 , by virtue of the powers conferred on us by the Data Protection Act 2018 , section 159(2), and of all other powers enabling us in this behalf, do hereby make the following Rules.
Dated this 17th day of July 2018.
(Signed): Raymond Groarke
(Chairman of the Circuit Court Rules Committee)
Jacqueline Linnane
Sarah Berkeley
Fiona Duffy Coady
Ronan Boylan
Mairead Ahern
Rita Considine
Noel Rubotham
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(2)) Rules 2018, shall come into operation on the 1st day of August 2018.
Scope
2. These Rules (being processing rules, within the meaning of section 159(9) of the 2018 Act) shall apply to the processing of personal data:
(a) of which the Circuit Court, when acting in a judicial capacity, is a controller,
and
(b) which are personal data that are contained in a record of the Circuit Court,
where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller.
Interpretation
3. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“court record” means a record of the Circuit Court;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
in relation to personal data of which the Circuit Court is the controller, “judge”, in the case of any proceedings which have not been heard by any judge of the Circuit Court or, in any case where the judge concerned is no longer a member of the Circuit Court, shall mean the Judge or Senior Judge for the time being assigned to the Circuit in which the proceedings would be heard or, as the case may be, were heard;
“Processor” means a processor of personal data of which the Circuit Court is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which the Circuit Court is the controller.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive.
Processing of personal data
4. (1) Where a Processor shall process personal data on behalf of the Circuit Court or Judge of the Circuit Court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule.
Subject matter of processing
(2) The subject matter of processing to which these Rules apply consists of personal data included, by or on behalf of a party to proceedings before the Circuit Court, or any other person, in and, subject to any order of the Court, retained in, a court record, in accordance with the provisions of statute, the Circuit Court Rules, any applicable practice direction of the President of the Circuit Court and any order of the Circuit Court, for the purposes of the conduct of those proceedings.
(3) Personal data contained in a court record may be held securely in hard copy or in electronic form by a court officer or member of the staff of the Courts Service for the time being employed in a court office at an office of or attached to the Circuit Court concerned or by a contractor of the Courts Service notified to the President of the Circuit Court, at premises or in a system used by the Courts Service or, as the case may be, by that contractor.
(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data in accordance with the Circuit Court Rules, any applicable practice direction of the President of the Circuit Court and any order of the Circuit Court, for the purposes of the Circuit Court or the proceedings to which they relate.
(5) A Processor who is an officer of the Circuit Court or a member of staff of the Courts Service employed in an office of or attached to the Circuit Court may, subject to the provisions of statute, the Circuit Court Rules, any applicable practice direction of the President of the Circuit Court and any order of the Circuit Court, disclose by transmission, dissemination or otherwise of personal data contained in a court record:
(a) to a party to the proceedings to which such personal data relate, at the request of that party or by direction of the Circuit Court;
(b) to a legal representative of such party on record as acting in the proceedings, at the request of that legal representative or by direction of the Circuit Court;
(c) by direction of the Circuit Court to a member of An Garda Síochána or a prosecuting authority, for the purposes of —
(i) the investigation of, or
(ii) use as evidence in the prosecution of
an offence alleged;
(d) to any other person or persons (including an artificial legal person(s)) directed by the court concerned for any other purpose which the Circuit Court may determine to be appropriate having regard to the provisions of the Data Protection Regulation, the Directive and the 2018 Act;
(e) to any other court or officer of a court for the purposes of an appeal or any other proceedings relating to the proceedings to which the personal data relate;
(f) to any person in compliance with an order or direction of a court requiring production or discovery of the personal data concerned, and
(g) to a bona fide member of the Press or broadcast media in accordance with rules made under section 159(7) of the 2018 Act.
Duration of processing
(6) Personal data contained in a court record shall be retained for the purposes of the proceedings including any appeal and enforcement action and for archiving purposes following the determination of the proceedings to which the personal data relate (including by way of appeal), prior to transfer of the court record to the National Archives in accordance with the provisions of the National Archives Act 1986 save where the court record concerned is the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 , in which case the court record shall be disposed of in accordance with such authorisation.
Purpose of processing
(7) Personal data contained in a court record may be processed—
(a) in accordance with the provisions of statute, the Circuit Court Rules, any applicable practice direction of the President of the Circuit Court and any order of the Circuit Court, for the purposes of the proceedings to which they relate, or
(b) in accordance with an order of the Circuit Court or of another competent court, for the purposes of proceedings before the last-mentioned court.
Type of personal data to be processed and data subjects to whom the personal data relate
(8) Subject to the requirements of statute, the Circuit Court Rules, rules made under section 159(7) of the 2018 Act, any applicable practice direction of the President of the Circuit Court and any order of the Circuit Court, personal data of any type and which relate to any data subject in a court record are liable to be processed where such data have been included in such record.
Obligations of the Processor
5. In respect of any processing of personal data contained in a court record, the Processor shall:
(a) act only on a direction or directions given by or on behalf of the Circuit Court (including such directions made under these Rules or the Circuit Court Rules or comprised in any practice direction of the President of the Circuit Court) in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise;
(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;
(c) assist the Circuit Court in ensuring compliance with the Court’s obligations under applicable data protection law in respect of data subject rights;
(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the Circuit Court:
(i) return to the Circuit Court as directed by the Courts Service on behalf of the Court, or
(ii) where the data are contained in records which are the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 authorising the disposal of such records, erase
all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data;
(e) in the case of a Processor who is an officer of the Circuit Court or a member of staff of the Courts Service employed in an office of or attached to the Circuit Court, maintain all personal data subject to the direction of the Judge or, as the case may be, the senior of the Judges referred to in section 65(3) of the Court Officers Act 1926 and otherwise in accordance with rule 4(6);
(f) make available to the Circuit Court all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation and under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the Circuit Court;
(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) otherwise than in accordance with the prior specific or general written authorisation of the President of the Circuit Court; in the case of any general authorisation, the Courts Service shall inform the President of the Circuit Court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office;
(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) is engaged to process personal data on behalf of the Circuit Court, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules; in the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the Circuit Court for the performance of its obligations in accordance with statute, the Circuit Court Rules, any applicable practice direction of the President of the Circuit Court, any order of the Circuit Court, and these Rules;
(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law;
(j) inform the President of the Circuit Court immediately if, in the Processor’s opinion, it receives an instruction from the Circuit Court which infringes the Data Protection Regulation, the Directive or the 2018 Act;
(k) notify the President of the Circuit Court immediately after becoming aware of any personal data breach and provide the Circuit Court with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and
(l) assist the Circuit Court in complying with the Circuit Court’s obligations under applicable data protection law in respect of data protection impact assessments.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(2) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679
S.I. No. 662/2018 –
Data Protection Act 2018 (Section 159(7): Circuit Court) Rules 2018
“Iris Oifigiúil” of 26th April, 2019.
We, the Circuit Court Rules Committee, constituted pursuant to the provisions of section 69 of the Courts of Justice Act 1936 , by virtue of the powers conferred on us by the Data Protection Act 2018 , section 159(7), and of all other powers enabling us in this behalf, do hereby make the following Rules.
Dated this 17th day of July 2018.
(Signed): Raymond Groarke
(Chairman of the Circuit Court Rules Committee)
Jacqueline Linnane
Sarah Berkeley
Fiona Duffy Coady
Ronan Boylan
Mairead Ahern
Rita Considine
Noel Rubotham
Citation and entry into force
1. (1) These Rules, which may be cited as the Data Protection Act 2018 (Section 159(7): Circuit Court) Rules 2018, shall come into operation on the 1st day of August 2018.
(2) These Rules shall apply to proceedings commenced on or after the 1st day of August 2018.
Interpretation
2. In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“court record” means a record of proceedings before the Circuit Court;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Disclosure requests
3. (1) Subject to section 159(8)(a) of the 2018 Act and to any order made or direction given by the court in the proceedings concerned:
(a) at the request of a bona fide member of the Press or broadcast media (in this rule and rule 4, “the requester”) made to a person mentioned in sub-rule (2) (in this rule, “the person requested”), a disclosure of information, including personal data within the meaning of the Data Protection Regulation and the Directive, contained in a court record may be made to the requester by the person requested, for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings to which it relates;
(b) the disclosure may be made in a manner mentioned in sub-rule (3) and subject to the conditions mentioned in sub-rule (4).
(2) The persons who may make a disclosure authorised by sub-rule (1) are:
(i) an officer of the Circuit Court;
(ii) a member of the staff of the Courts Service employed in an office of, or attached to, the Circuit Court;
(iii) a contractor of the Courts Service who has been designated by the Courts Service with the consent of the President of the Circuit Court as authorised for the purposes of these Rules to make a disclosure (including, in the case of a corporate contractor, an officer or employee of such contractor).
(3) A person requested may make a disclosure authorised by these Rules by:
(i) allowing inspection by the requester of the court record in the proceedings concerned under the supervision of the person requested or another person referred to in sub-rule (2);
(ii) providing, or allowing the making by the requester of, a copy of a document forming part of the court file or court record which relates to the request, on the undertaking of the requester to return any such copy provided or made following the completion of the reporting of the hearing by the requester;
(iii) by the provision of a press release or the provision in oral or written form of other information concerning the proceedings prepared by that person.
(4) The conditions for granting a request are:
(i) that the requester has sufficiently verified to the satisfaction of the person requested his or her identity and his or her status as a bona fide member of the Press or broadcast media;
(ii) that the person requested is satisfied that the requester will comply with any undertaking given under sub-rule (3)(ii).
Other obligations of requester under data protection law not affected
4. (1) Nothing in these Rules authorises the use of any information in any document included in a court record which has not been opened or is not deemed to have been opened at a hearing before the court.
(2) These Rules do not affect any obligation of a processor under or arising from any provision of the Data Protection Regulation, the Directive or the 2018 Act to which a requester is subject or will become subject if a request is granted.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(7) of the Data Protection Act 2018 , authorise the disclosure to a bona fide member of the Press or broadcast media at that member’s request of information contained in a record of the Circuit Court for the purpose of facilitating the fair and accurate reporting of a hearing in proceedings before that court, and prescribe conditions subject to which such disclosure is to be made.
S.I. No. 663/2018 –
Data Protection Act 2018 (Section 159(3)) Rules 2018
“Iris Oifigiúil” of 26th April, 2019.
The District Court Rules Committee, constituted pursuant to the provisions of the Courts of Justice Act 1936 , section 71, by virtue of the powers conferred upon us by the Data Protection Act 2018 , section 159(3), and of all other powers enabling us in this behalf, do hereby make the following Rules.
Dated this 23rd day of July 2018.
Rosemary Horgan
Chairperson
Mary C Devins
Conal Gibbons
Shane McCarthy
Riobard Pierse
Noel A Doherty
Michelle Johnston
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(3)) Rules 2018, shall come into operation on the 1st day of August 2018.
Scope
2. These Rules (being processing rules, within the meaning of section 159(9) of the 2018 Act) shall apply to the processing of personal data:
(a) of which the District Court, when acting in a judicial capacity, is a controller,
and
(b) which are personal data contained in a record of the District Court,
where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller.
Interpretation
3. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“court record” means a record of the District Court;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
in relation to personal data of which the District Court is the controller, “judge”, in the case of any proceedings which have not been heard by any judge of the District Court or, in any case where the judge concerned is no longer a member of the District Court, shall mean the Judge or Senior Judge for the time being assigned to the court district in which the proceedings would be heard or, as the case may be, were heard;
“Processor” means a processor of personal data of which the District Court is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which the District Court is the controller.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive.
Processing of personal data
4. (1) Where a Processor shall process personal data on behalf of the District Court or Judge of the District Court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule.
Subject matter of processing
(2) The subject matter of processing to which these Rules apply consists of personal data included, by or on behalf of a party to proceedings before the District Court, or any other person, in and, subject to any order of the District Court concerned, retained in, a court record, in accordance with the provisions of statute, the District Court Rules and any order of the District Court, for the purposes of the conduct of those proceedings.
(3) Personal data contained in a court record may be held securely in hard copy or in electronic form by a court officer or member of the staff of the Courts Service for the time being employed in a court office at an office of, or attached to, or serving the District Court or by a contractor of the Courts Service notified to the President of the District Court, at premises or in a system used by the Courts Service or, as the case may be, by that contractor.
(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data in accordance with the District Court Rules and any order of the District Court, for the purposes of the court or the proceedings to which they relate.
(5) A Processor may, subject to the provisions of statute, the District Court Rules and any order of the District Court, disclose by transmission, dissemination or otherwise, personal data contained in a court record:
(a) to a party to the proceedings to which such personal data relate, at the request of that party or by direction of the Court;
(b) to a legal representative of such party on record as acting in the proceedings, at the request of that legal representative or by direction of the Court;
(c) by direction of the Court to a member of An Garda Síochána or a prosecuting authority, for the purposes of —
(i) the investigation of, or
(ii) use as evidence in the prosecution of
an offence alleged;
(d) to any other person or persons (including an artificial legal person(s)) directed by the Court for any other purpose which the court concerned may determine to be appropriate having regard to the provisions of the Data Protection Regulation, the Directive and the 2018 Act;
(e) to any other court or officer of a court for the purposes of an appeal or any other proceedings relating to the proceedings to which the personal data relate;
(f) to any person in compliance with an order or direction of a court requiring production or discovery of the personal data concerned, and
(g) to a bona fide member of the Press or broadcast media in accordance with rules made under section 159(7) of the 2018 Act.
Duration of processing
(6) Personal data contained in a court record shall be retained for the purposes of the proceedings including any appeal and enforcement action and for archiving purposes following the determination of the proceedings to which the personal data relate (including by way of appeal), prior to transfer of the court record to the National Archives in accordance with the provisions of the National Archives Act 1986 save where the court record concerned is the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 , in which case the court record shall be disposed of in accordance with such authorisation.
Purpose of processing
(7) Personal data contained in a court record may be processed —
(a) in accordance with the provisions of statute, the District Court Rules and any order of the District Court, for the purposes of the proceedings to which they relate, or
(b) in accordance with an order of the District Court or of another competent court, for the purposes of proceedings before the last-mentioned court.
Type of personal data to be processed and data subjects to whom the personal data relate
(8) Subject to the requirements of statute, the District Court Rules, rules made under section 159(7) of the 2018 Act and any order of the District Court, personal data of any type and which relate to any data subject in a court record are liable to be processed where such data have been included in such record.
Obligations of the Processor
5. In respect of any processing of personal data contained in a court record, the Processor shall:
(a) act only on a direction or directions given by or on behalf of the Court (including such directions made under these Rules or the District Court Rules) in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise;
(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;
(c) assist the Court in ensuring compliance with the court’s obligations under applicable data protection law in respect of data subject rights;
(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the Court:
(i) return to the Court as directed by the Courts Service on behalf of the Court, or
(ii) where the data are contained in records which are the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 authorising the disposal of such records, erase
all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data;
(e) in the case of a Processor who is an officer of the District Court or a member of staff of the Courts Service employed in an office of or attached to or serving the District Court, maintain all personal data subject to the direction of the Judge and otherwise in accordance with rule 4(6);
(f) make available to the Court all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation and under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the court concerned;
(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) otherwise than in accordance with the prior specific or general written authorisation of the President of the District Court; in the case of any general authorisation, the Courts Service shall inform the President of the District Court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office;
(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) is engaged to process personal data on behalf of the District Court, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules; in the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the Court for the performance of its obligations in accordance with statute, the District Court Rules, any applicable practice direction of the President of the District Court, any order of the District Court, and these Rules;
(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law;
(j) inform the President of the District Court immediately if, in the Processor’s opinion, it receives an instruction from the Court which infringes the Data Protection Regulation, the Directive or the 2018 Act;
(k) notify the President of the District Court immediately after becoming aware of any personal data breach and provide the Court with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and
(l) assist the Court in complying with the court’s obligations under applicable data protection law in respect of data protection impact assessments.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(3) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Article 22(3) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the processing by a processor of personal data contained in a record of the District Court.
S.I. No. 664/2018 –
Data Protection Act 2018 (Section 159(7): District Court) Rules 2018
“Iris Oifigiúil” of 26th April, 2019.
The District Court Rules Committee, constituted pursuant to the provisions of the Courts of Justice Act 1936 , section 71, by virtue of the powers conferred upon us by the Data Protection Act 2018 , section 159(7), and of all other powers enabling us in this behalf, do hereby make the following Rules.
Dated this 23rd day of July 2018.
Rosemary Horgan
Chairperson
Mary C Devins
Conal Gibbons
Shane McCarthy
Riobard Pierse
Noel A Doherty
Michelle Johnston
Citation and entry into force
1. (1) These Rules, which may be cited as the Data Protection Act 2018 (Section 159(7): District Court) Rules 2018, shall come into operation on the 1st day of August 2018.
(2) These Rules shall apply to proceedings commenced on or after the 1st day of August 2018.
Interpretation
2. In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“court record” means a record of proceedings before the District Court;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
Disclosure requests
3. (1) Subject to section 159(8)(a) of the 2018 Act, to any order made or direction given by the Court in the proceedings concerned and to rule 4:
(a) at the request of a bona fide member of the Press or broadcast media (in this rule and rule 4, “the requester”) made to a person mentioned in sub-rule (2) (in this rule, “the person requested”), a disclosure of information, including personal data within the meaning of the Data Protection Regulation and the Directive, contained in a court record may be made to the requester by the person requested, for the purpose of facilitating the fair and accurate reporting of a hearing in the proceedings to which it relates;
(b) the disclosure may be made in a manner mentioned in sub-rule (3) and subject to the conditions mentioned in sub-rule (4).
(2) The persons who may make a disclosure authorised by sub-rule (1) are:
(i) a District Court Clerk;
(ii) a member of the staff of the Courts Service employed in an office of, or attached to, or serving the District Court;
(iii) a contractor of the Courts Service who has been designated by the Courts Service with the consent of the President of the District Court concerned as authorised for the purposes of these Rules to make a disclosure (including any employee or person working under the direction of such contractor).
(3) A person requested may make a disclosure authorised by these Rules by:
(i) allowing inspection by the requester of the court record in the proceedings concerned under the supervision of the person requested or another person referred to in sub-rule (2);
(ii) providing, or allowing the making by the requester of, a copy of a document forming part of the court record which relates to the request, on the undertaking of the requester to return any such copy provided or made following the completion of the reporting of the hearing by the requester;
(iii) by the provision of a press release or the provision in oral or written form of other information concerning the proceedings prepared by that person.
(4) The conditions for granting a request are:
(i) that the requester has sufficiently verified to the satisfaction of the person requested his or her identity and his or her status as a bona fide member of the Press or broadcast media;
(ii) that the person requested is satisfied that the requester will comply with any undertaking given under sub-rule (3)(ii).
Other obligations of requester under data protection law not affected
4. (1) Nothing in these Rules authorises the use of any information in any document included in a court record which has not been opened or is not deemed to have been opened at a hearing before the Court.
(2) These Rules do not affect any obligation of a processor under or arising from any provision of the Data Protection Regulation, the Directive or the 2018 Act to which a requester is subject or will become subject if a request is granted.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(7) of the Data Protection Act 2018 , authorise the disclosure to a bona fide member of the Press or broadcast media at that member’s request of information contained in a record of the District Court for the purpose of facilitating the fair and accurate reporting of a hearing in proceedings before that court, and prescribe conditions subject to which such disclosure is to be made.
S.I. No. 665/2018 –
Data Protection Act 2018 (Section 159(4)) Rules 2018
“Iris Oifigiúil” of 26th April, 2019.
We, being the panel nominated by the Chief Justice pursuant to section 158 (6) of the Data Protection Act 2018 , by virtue of the powers conferred on us by section 159 (4) of the Data Protection Act 2018 , do hereby make the following Rules.
Dated this 19th day of July 2018.
John A. Edwards
David Barniville
Marie Quirke
Citation and entry into force
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(4)) Rules 2018, shall come into operation on the 1st day of August 2018.
Scope
2. These Rules (being processing rules within the meaning of section 159(9) of the 2018 Act) apply to the processing of personal data —
(a) of which a judge or court, when acting in a judicial capacity, is a controller, and
(b) which are not personal data contained in a record of a court,
where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller.
Interpretation
3. (1) In these Rules:
“2018 Act” means the Data Protection Act 2018 ;
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
in relation to personal data of which a court is the controller, references to a judge or court are references to that judge or court when acting in a judicial capacity and “judge”, in the case of any proceedings the hearing of which has not been assigned to any judge or panel of judges or, in any case where the judge concerned is no longer a member of that court or the panel concerned can no longer be constituted, shall mean —
(a) the Chief Justice in relation to a judge of the Supreme Court,
(b) the President of the Court of Appeal in relation to a judge of the Court of Appeal,
(c) the President of the High Court in relation to a judge of the High Court,
(d) the President of the Circuit Court in relation to a judge of the Circuit Court, and
(e) the President of the District Court in relation to a judge of the District Court;
“Processor” means a processor of personal data of which a court is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service notified to the president of the court concerned by the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which a court is the controller.
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive.
Processing of personal data
4. (1) Where a Processor processes personal data on behalf of any court or judge of a court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule.
Subject matter of processing
(2) The subject matter of processing to which these Rules apply consists of personal data to which rule 2 applies.
(3) Personal data to which rule 2 applies may, in addition to being held by the judge or court concerned, be held securely in hard copy or in electronic form by an officer of the court concerned, a member of the staff of the Courts Service or a contractor of the Courts Service notified to the president of the court concerned, at an office of or attached to the court concerned, at premises or in a system used by the Courts Service or, as the case may be, at premises or in a system used by that contractor.
(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data to which rule 2 applies in accordance with the directions of the judge or court concerned, solely for the purposes of the judge or, as the case may be, the court concerned.
(5) A Processor may not disclose personal data to which rule 2 applies to any person, other than the judge who is the controller, or the court which is the controller, save as directed by the judge or, as the case may be, the court concerned.
Duration of processing
(6) Personal data to which rule 2 applies shall be retained only for such period as the judge or, as the case may be, the court concerned shall require.
Purpose of processing
(7) Personal data to which rule 2 applies may be processed solely for the purposes of the judge or, as the case may be, the court concerned.
Type of personal data to be processed and data subjects to whom the personal data relate
(8) Any type of personal data (to which rule 2 applies) of any data subject is liable to be processed.
Obligations of Processor
5. In respect of any processing of personal data to which rule 4 applies, the Processor shall:
(a) act only on a direction given by or on behalf of the judge or, as the case may be, the court concerned in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise;
(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;
(c) assist the judge or, as the case may be, the court concerned in ensuring compliance with the judge’s, or as the case may be, the court’s obligations under applicable data protection law in respect of data subject rights;
(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the judge or, as the case may be, the court concerned —
(i) return to the judge or, as the case may be, the court concerned, as directed by the Courts Service on behalf of the judge or, as the case may be, the court, or
(ii) erase
all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data;
(e) in the case of a Processor who is an officer of the court concerned or a member of staff of the Courts Service, maintain all personal data subject to the direction of the judge or the court concerned and otherwise in accordance with rule 4(6);
(f) make available to the judge or, as the case may be, the court concerned all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation or under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the judge or, as the case may be, the court concerned;
(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service) otherwise than in accordance with the prior specific or general written authorisation of the president of the court concerned; in the case of any general authorisation, the Courts Service shall inform the president of the court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office;
(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service) is engaged to process personal data on behalf of the judge or, as the case may be, the court concerned, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules. In the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the judge or, as the case may be, the court concerned for the performance of its obligations in accordance with these Rules;
(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law;
(j) inform the judge or, as the case may be, the court concerned immediately if, in the Processor’s opinion, it receives an instruction from the judge or the court which infringes the Data Protection Regulation, the Directive or the 2018 Act;
(k) notify the judge or, as the case may be, the court concerned immediately after becoming aware of any personal data breach and provide the judge or, as the case may be, the court concerned with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and
(l) assist the judge or, as the case may be, the court concerned in complying with the judge’s or court’s obligations under applicable data protection law in respect of data protection impact assessments.
/images/ls
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These rules, made under section 159(4) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Article 22(3) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the processing by a processor of personal data —
(a) that are not personal data contained in a court record, and
(b) in respect of which a court, when acting in its judicial capacity, is a controller.
S.I. No. 221/2022 –
Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022
I, MICHAEL MCGRATH, Minister for Public Expenditure and Reform, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations, with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving of the draft has been passed by each such House:
Citation and commencement
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022.
Interpretation
2. In these Regulations –
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);
“relevant function” has the meaning assigned to it in Regulation 3;
“relevant objective” shall be construed in accordance with Regulation 4.
Relevant function
3. In these Regulations, “relevant function” means a function of the Ombudsman under the Ombudsman Act 1980 (No. 26 of 1980).
Relevant objective
4. In these Regulations, “relevant objective” means an objective –
(a) referred to in paragraph (b), (h), (l)(ii), (n) or (o) of section 60(7) of the Act of 2018, and
(b) pursued by the Ombudsman in performing a relevant function.
Categories of personal data
5. These Regulations apply to personal data (including special categories of personal data and Article 10 data) in respect of which the Ombudsman is the controller, processed by the Ombudsman.
Purpose of processing
6. These Regulations apply to the processing by the Ombudsman of personal data to which these Regulations apply in the pursuit of a relevant objective.
Restriction of rights and obligations
7. (1) Subject to paragraph (2), the rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22), of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that is –
(a) necessary to safeguard a relevant objective, and
(b) proportionate to the need to safeguard the relevant objective,
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be –
(i) may interfere with –
(I) the performance by the Ombudsman of a relevant function,
(II) the independence of the Ombudsman in carrying out a relevant function, or
(III) the prohibitions and restrictions on the disclosure of information and documents under section 9(1) of the Ombudsman Act 1980 ,
(ii) would disclose that the Ombudsman is exercising a function in pursuit of a relevant objective, where such disclosure may prejudice the achievement of the relevant objective, or
(iii) would prevent the Ombudsman processing personal data for a period of time, where such delay to the processing may prejudice the achievement of a relevant objective.
(2) Matters which are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary and proportionate for the purposes of safeguarding a relevant objective, include but are not limited to –
(a) the extent to which the exercise of the right or compliance with the obligation would prejudice the achievement by the Ombudsman of the relevant objective,
(b) the essence of the right to data protection of the data subject, and
(c) the risks to the rights and freedoms of the data subject that may result from such a restriction.
Information to be provided where a right is restricted
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Ombudsman shall notify the data subject concerned in writing in a timely manner of the restriction, unless so notifying the data subject may prejudice the achievement of a relevant objective.
(2) A notification under paragraph (1) shall inform the data subject concerned of the following:
(a) the relevant right or obligation affected by the restriction;
(b) whether the right or obligation concerned has been restricted in whole or in part;
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective;
(d) that the data subject concerned may lodge a complaint with the Commission pursuant to Article 77(1) of the Data Protection Regulation;
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Ombudsman.
(3) Where requested by a data subject notified in accordance with paragraph (1), the Ombudsman shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject.
Communication with data subject
9. The Ombudsman shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.
Safeguards
10. (1) The Ombudsman shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation.
(2) Without prejudice to the generality of paragraph (1), the policies and procedures of the Ombudsman referred to in that paragraph shall provide for the following:
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Ombudsman to access that personal data;
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Ombudsman, or entitled or permitted by law, to receive that personal data;
(c) the determination of appropriate storage periods for personal data or classes of personal data;
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);
(e) data minimisation, including the use of anonymisation and pseudonymisation.
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Ombudsman on a regular basis and updated where the Ombudsman considers it appropriate to do so.
Interaction with other law
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union in operation.
/images/ls
GIVEN under my Official Seal,
4 May, 2022.
MICHAEL MCGRATH,
Minister for Public Expenditure and Reform.
S.I. No. 354/2022 –
Data Protection Act 1988 (Section 2B) Regulations 2022
WHEREAS the Government on 21 June 2022 approved the sharing of certain information by the Commissioner of the Garda Síochána, as the Commissioner considers appropriate having regard to the functions of the Garda Síochána set out in section 7 of the Garda Síochána Act 2005 (No. 20 of 2005) and the independence of the Garda Síochána in performing functions relating to the investigation of a specific offence or the prosecution of an offence and in accordance with the terms of the Directive issued by the Minister for Justice on 23 June 2022 to the Commissioner under section 25 (1) of the Garda Síochána Act 2005 , with the Glenanne Gang review being conducted under Operation Denton, in response to the Barnard judgment of the Northern Ireland Court of Appeal (NICA 38/2019);
AND WHEREAS sections 2 (amended by section 3 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) and 2A (inserted by section 4 of the Data Protection (Amendment) Act 2003) of the Data Protection Act 1988 (No. 25 of 1988) have been complied with;
AND WHEREAS there are reasons of substantial public interest for the making of the following regulations;
NOW I, HELEN MCENTEE, Minister for Justice, in exercise of the powers conferred on me by subsection (1)(b)(xi) of section 2B (inserted by section 4 of the Data Protection (Amendment) Act 2003 (No. 6 of 2003)) of the Data Protection Act 1988 (No. 25 of 1988), hereby make the following regulations:
1. These Regulations may be cited as the Data Protection Act 1988 (Section 2B) Regulations 2022.
2. The processing is authorised of sensitive personal data by the Commissioner of the Garda Síochána, or a member of the Garda Síochána of any rank below Commissioner acting on behalf of the Commissioner, for the purpose of enabling the Commissioner to comply with the Directive issued by the Minister for Justice on 23 June 2022 to the Commissioner under section 25(1) of the Garda Síochána Act 2005 (No. 20 of 2005) relating to the Glenanne Gang review being conducted under Operation Denton, in response to the Barnard judgment of the Northern Ireland Court of Appeal (NICA 38/2019).
/images/ls
GIVEN under my Official Seal,
12 July, 2022.
HELEN MCENTEE,
Minister for Justice.
S.I. No. 601/2022 –
Data Protection Act 2018 (Section 60(6)) (Irish Auditing and Accounting Supervisory Authority) Regulations 2022
I, LEO VARADKAR, Minister for Enterprise, Trade and Employment, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House:
Citation
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Irish Auditing and Accounting Supervisory Authority) Regulations 2022.
Definitions
2. In these Regulations –
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);
“Article 10 data” has the same meaning as it has in section 55 of the Act of 2018;
“Authority” means the Irish Auditing and Accounting Supervisory Authority;
“enactment” has the same meaning as it has in the Interpretation Act 2005 (No. 23 of 2005);
“prescribed accountancy body” has the same meaning it has in section 900 of the Companies Act 2014 (No. 38 of 2014);
“relevant function” has the meaning assigned to it by Regulation 3;
“relevant objective” has the meaning assigned to it by Regulation 4;
“relevant provision” shall be construed in accordance with Regulation 3(a);
“statutory auditor” has the same meaning it has in the Companies Act 2014 .
Relevant function
3. In these Regulations, “relevant function” means a function of the Authority –
(a) under the Companies Act 2014 or Regulation (EU) No. 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC1 (each of which is in these Regulations referred to as a “relevant provision”), and
(b) that relates directly or indirectly to one or more of the following:
(i) conducting enquiries into whether or not a prescribed accountancy body has complied with applicable investigation and disciplinary procedures;
(ii) overseeing statutory auditors and the conduct of statutory audits;
(iii) imposing sanctions on prescribed accountancy bodies, members of such bodies or statutory auditors;
(iv) undertaking investigations into possible breaches of the standards of a prescribed accountancy body by a member of that body;
(v) undertaking investigations into possible contraventions of a relevant provision by a statutory auditor;
(vi) supervising the investigation and disciplinary procedures of prescribed accountancy bodies.
Relevant objective
4. In these Regulations, “relevant objective” means an objective –
(a) referred to in paragraph (b), (c), (d), (e), (f), (i), (k), (l) or (m) of section 60(7) of the Act of 2018, and
(b) pursued by the Authority in exercising a relevant function.
Scope: categories of personal data
5. These Regulations apply to personal data processed by the Authority (including special categories of personal data and Article 10 data), in respect of which the Authority is the controller.
Scope: purpose of processing
6. These Regulations apply to the processing, by the Authority, of personal data to which these Regulations apply in the pursuit of a relevant objective.
Restriction
7. (1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that such a restriction is –
(a) necessary to safeguard a relevant objective, and
(b) proportionate to the need to safeguard that relevant objective,
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be –
(i) may interfere with the prevention, detection or investigation of breaches of, or enforcement of, a relevant provision,
(ii) may interfere with a process, procedure, investigation, inquiry, assessment, scheme, application or settlement being undertaken by the Authority,
(iii) may interfere with proceedings pending or due before a court,
(iv) would disclose that the Authority is exercising a function in pursuit of a relevant objective, in a case in which such disclosure may prejudice the achievement of the relevant objective, or
(v) would prevent the Authority processing personal data for a period of time, in a case in which any delay to the processing may prejudice the achievement of a relevant objective.
(2) Matters that are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary to safeguard a relevant objective and proportionate to the need to safeguard that relevant objective, include –
(a) whether or not the exercise of the right or compliance with the obligation would prejudice the achievement by the Authority of that relevant objective,
(b) the essence of the right to data protection of the data subject, and
(c) the risks to the rights and freedoms of the data subject which may result from such a restriction.
Information to be provided where a right is restricted
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Authority shall notify the data subject concerned in writing in a timely manner, unless so notifying the data subject may prejudice the achievement of a relevant objective.
(2) A notification under paragraph (1) shall inform the data subject concerned of the following:
(a) the right or obligation referred to in Regulation 7(1) affected by the restriction;
(b) whether the right or obligation concerned has been restricted in whole or in part;
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective;
(d) that the data subject concerned may lodge a complaint with the Commission pursuant to Article 77(1) of the Data Protection Regulation;
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Authority, including judicial review of a decision of the Authority.
(3) Where requested to do so by a data subject notified in accordance with paragraph (1), the Authority shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject.
Communication with data subject
9. The Authority shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.
Safeguards
10. (1) The Authority shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation.
(2) Without prejudice to the generality of paragraph (1), the policies and procedures referred to in that paragraph shall provide for the following:
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Authority to access that personal data;
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Authority, or entitled or permitted by law, to receive that personal data;
(c) the determination of appropriate storage periods for personal data or classes of personal data;
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);
(e) data minimisation, including the use of anonymisation and pseudonymisation.
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Authority on a regular basis and updated where the Authority considers it appropriate to do so.
Interaction with other law
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union.
/images/ls
GIVEN under my Official Seal,
28 November, 2022.
LEO VARADKAR,
Minister for Enterprise, Trade and Employment.
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These Regulations restrict, in limited circumstances, the rights and obligations provided for in the Data Protection Act 2018 . These restrictions apply only where necessary and proportionate to safeguard the statutory functions of the Irish Auditing and Accounting Supervisory Authority (IAASA). For example, where the exercise of the right may interfere with the prevention, detection or investigation of breaches, or where disclosure may prejudice the achievement of a relevant objective.
The Regulations provide that the essence of the right and any risk to the right that may result from a restriction are matters that are relevant in determining whether a restriction is necessary and proportionate to safeguard a statutory function. Furthermore, whether a restriction applies must be considered on a case-by-case basis following an assessment of the relevant circumstances. Whether it is necessary and proportionate to restrict the right in whole, or in part must also be considered.
Where a right or obligation is restricted, the Regulations provide that IAASA is obliged to notify the data subject and provide the reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective. A notification must inform the data subject of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and the data subject’s statutory right to lodge a complaint with the Data Protection Commission.
The proposed measures also require IAASA to have in place certain policies and procedures relating to safeguards to prevent abuse or unlawful access or transfer and the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing. The measures also require that IAASA ensures that all information provided in relation to these Regulations is provided in a clear, concise and accessible manner.
1 O.J. No. L 158, p 77 27.5.2014
S.I. No. 602/2022 –
Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022
I, LEO VARADKAR, Minister for Enterprise, Trade and Employment, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House:
Citation
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Corporate Enforcement Authority) Regulations 2022.
Definitions
2. In these Regulations –
“Act of 2014” means the Companies Act 2014 (No. 38 of 2014);
“Act of 2015” means the Irish Collective Asset-Management Vehicles Act 2015 (No. 2 of 2015);
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);
“Article 10 data” has the same meaning as it has in section 55 of the Act of 2018;
“Authority” means the Corporate Enforcement Authority;
“enactment” has the same meaning as it has in the Interpretation Act 2005 (No. 23 of 2005);
“Regulations of 2007” means the European Communities (European Public Limited-Liability Company) Regulations 2007 ( S.I. No. 21 of 2007 );
“Regulations of 2019” means the European Union (Qualifying Partnerships: Accounting and Auditing) Regulations 2019 ( S.I. No. 597 of 2019 );
“relevant function” has the meaning assigned to it by Regulation 3;
“relevant objective” has the meaning assigned to it by Regulation 4.
Relevant function
3. In these Regulations, “relevant function” means a function of –
(a) the Authority under –
(i) the Regulations of 2007,
(ii) the Act of 2014,
(iii) the Act of 2015, or
(iv) the Regulations of 2019,
or
(b) an inspector appointed under section 748, 763 or 764 of the Act of 2014.
Relevant objective
4. In these Regulations, “relevant objective” means –
(a) the important objective of general public interest of ensuring the winding up of a company under section 569(1)(g) of the Act of 2014 that is pursued by the Authority when exercising a relevant function under that section, or
(b) in relation to any other relevant function, an objective referred to in paragraph (b), (c), (d), (e), (f), (g), (i), (k), (l), (m) or (o) of section 60(7) of the Act of 2018 that is pursued by the Authority in exercising that function.
Scope: categories of personal data
5. These Regulations apply to personal data processed by the Authority (including special categories of personal data and Article 10 data), in respect of which the Authority is the controller.
Scope: purpose of processing
6. These Regulations apply to the processing, by the Authority, of personal data to which these Regulations apply in the pursuit of a relevant objective.
Restriction
7. (1) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22) of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that such a restriction is –
(a) necessary to safeguard a relevant objective, and
(b) proportionate to the need to safeguard that relevant objective,
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be –
(i) may interfere with the prevention, detection or investigation of breaches of, or enforcement of, the Regulations of 2007, the Act of 2014, the Act of 2015 or the Regulations of 2019,
(ii) may interfere with a process, procedure, investigation, inquiry, assessment, scheme, application or settlement undertaken by the Authority,
(iii) may interfere with proceedings pending or due before a court,
(iv) would disclose that the Authority is exercising a function in pursuit of a relevant objective, in a case in which such disclosure may prejudice the achievement of the relevant objective, or
(v) would prevent the Authority processing personal data for a period of time, in a case in which any delay to the processing may prejudice the achievement of a relevant objective.
(2) Matters which are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary to safeguard a relevant objective and proportionate to the need to safeguard that relevant objective, include –
(a) whether or not the exercise of the right or compliance with the obligation would prejudice the achievement by the Authority of that relevant objective,
(b) the essence of the right to data protection of the data subject, and
(c) the risks to the rights and freedoms of the data subject which may result from such a restriction.
Information to be provided where a right is restricted
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Authority shall notify the data subject concerned in writing in a timely manner, unless so notifying the data subject may prejudice the achievement of a relevant objective.
(2) A notification under paragraph (1) shall inform the data subject concerned of the following:
(a) the right or obligation referred to in Regulation 7(1) affected by the restriction;
(b) whether the right or obligation concerned has been restricted in whole or in part;
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective;
(d) that the data subject concerned may lodge a complaint with the Commission pursuant to Article 77(1) of the Data Protection Regulation;
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Authority, including judicial review of a decision of the Authority.
(3) Where requested to do so by a data subject notified in accordance with paragraph (1), the Authority shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject.
Communication with data subject
9. The Authority shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.
Safeguards
10. (1) The Authority shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation.
(2) Without prejudice to the generality of paragraph (1), the policies and procedures referred to in that paragraph shall provide for the following:
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Authority to access that personal data;
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Authority, or entitled or permitted by law, to receive that personal data;
(c) the determination of appropriate storage periods for personal data or classes of personal data;
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);
(e) data minimisation, including the use of anonymisation and pseudonymisation.
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Authority on a regular basis and updated where the Authority considers it appropriate to do so.
Interaction with other law
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union.
/images/ls
GIVEN under my Official Seal,
28 November, 2022.
LEO VARADKAR,
Minister for Enterprise, Trade and Employment.
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These Regulations restrict, in limited circumstances, the rights and obligations provided for in the Data Protection Act 2018 . These restrictions apply only where necessary and proportionate to safeguard the statutory functions of the Corporate Enforcement Authority (CEA). For example, where the exercise of the right may interfere with the prevention, detection or investigation of breaches, or where disclosure may prejudice the achievement of a relevant objective.
The Regulations provide that the essence of the right and any risk to the right that may result from a restriction are matters that are relevant in determining whether a restriction is necessary and proportionate to safeguard a statutory function. Furthermore, whether a restriction applies must be considered on a case-by-case basis following an assessment of the relevant circumstances. Whether it is necessary and proportionate to restrict the right in whole, or in part must also be considered.
Where a right or obligation is restricted, the Regulations provide that the CEA is obliged to notify the data subject and provide the reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective. A notification must inform the data subject of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and the data subject’s statutory right to lodge a complaint with the Data Protection Commission.
The proposed measures also require the CEA to have in place certain policies and procedures relating to safeguards to prevent abuse or unlawful access or transfer and the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing. The measures also require that the CEA ensures that all information provided in relation to these Regulations is provided in a clear, concise and accessible manner.
S.I. No. 603/2022 –
Data Protection Act 2018 (Section 60(6)) (Competition and Consumer Protection Commission) Regulations 2022
I, LEO VARADKAR, Minister for Enterprise, Trade and Employment, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House:
Citation
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Competition and Consumer Protection Commission) Regulations 2022.
Definitions
2. In these Regulations –
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018);
“Article 10 data” has the same meaning as it has in section 55 of the Act of 2018;
“Commission” means the Competition and Consumer Protection Commission;
“enactment” has the same meaning as it has in the Interpretation Act 2005 (No. 23 of 2005);
“relevant function” has the meaning assigned to it by Regulation 3;
“relevant objective” has the meaning assigned to it by Regulation 4;
“relevant provision” means a relevant statutory provision, within the meaning of the Competition and Consumer Protection Act 2014 (No. 29 of 2014).
Relevant function
3. In these Regulations, “relevant function” means a function of the Commission under a relevant provision that relates directly or indirectly to one or more of the following:
(a) regulating agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity;
(b) regulating conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market;
(c) reviewing or taking any other action in respect of mergers and acquisitions under Part 3 of the Competition Act 2002 (No. 14 of 2002) or under any law of the European Union;
(d) protecting consumers against conduct which may adversely affect their interests by persons carrying on a business;
(e) regulating compliance with safety requirements for products;
(f) regulating conduct on the part of grocery goods undertakings in accordance with Chapter 5 of Part 3 of the Consumer Protection Act 2007 (No. 19 of 2007);
(g) regulating credit intermediaries in accordance with Part XI of the Consumer Credit Act 1995 (No. 24 of 1995);
(h) regulating alternative dispute resolution (ADR) entities in accordance with the European Union (Alternative Dispute Resolution for Consumer Disputes) Regulations 2015 ( S.I. No. 343 of 2015 ).
Relevant objective
4. In these Regulations, “relevant objective” means an objective –
(a) referred to in paragraph (b), (c), (e), (f), (i), (k) or (m) of section 60(7) of the Act of 2018, and
(b) pursued by the Commission in exercising a relevant function.
Scope: categories of personal data
5. These Regulations apply to personal data processed by the Commission (including special categories of personal data and Article 10 data), in respect of which the Commission is the controller.
Scope: purpose of processing
6. These Regulations apply to the processing, by the Commission, of personal data to which these Regulations apply in the pursuit of a relevant objective.
Restriction
7. (1) The rights and obligations provided for in Articles 12 to 22, Article 34 and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22), of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that such a restriction is –
(a) necessary to safeguard a relevant objective, and
(b) proportionate to the need to safeguard that relevant objective,
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be –
(i) may interfere with the prevention, detection or investigation of breaches of, or enforcement of, a relevant provision,
(ii) may interfere with a process, procedure, investigation, inquiry, assessment, scheme, application or settlement being undertaken by the Commission,
(iii) may interfere with proceedings pending or due before a court,
(iv) would disclose that the Commission is exercising a function in pursuit of a relevant objective, in a case in which such disclosure may prejudice the achievement of the relevant objective, or
(v) would prevent the Commission processing personal data for a period of time, in a case in which any delay to the processing may prejudice the achievement of a relevant objective.
(2) Matters which are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary to safeguard a relevant objective and proportionate to the need to safeguard that relevant objective, include –
(a) whether or not the exercise of the right or compliance with the obligation would prejudice the achievement by the Commission of that relevant objective,
(b) the essence of the right to data protection of the data subject, and
(c) the risks to the rights and freedoms of the data subject which may result from such a restriction.
Information to be provided where a right is restricted
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Commission shall notify the data subject concerned in writing in a timely manner, unless so notifying the data subject may prejudice the achievement of a relevant objective.
(2) A notification under paragraph (1) shall inform the data subject concerned of the following:
(a) the right or obligation referred to in Regulation 7(1) affected by the restriction;
(b) whether the right or obligation concerned has been restricted in whole or in part;
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective;
(d) that the data subject concerned may lodge a complaint with the Data Protection Commission pursuant to Article 77(1) of the Data Protection Regulation;
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Commission, including judicial review of, and an appeal in relation to, a decision of the Commission.
(3) Where requested to do so by a data subject notified in accordance with paragraph (1), the Commission shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject.
Communication with data subject
9. The Commission shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language.
Safeguards
10. (1) The Commission shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation.
(2) Without prejudice to the generality of paragraph (1), the policies and procedures referred to in that paragraph shall provide for the following:
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Commission to access that personal data;
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Commission, or entitled or permitted by law, to receive that personal data;
(c) the determination of appropriate storage periods for personal data or classes of personal data;
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c);
(e) data minimisation, including the use of anonymisation and pseudonymisation.
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Commission on a regular basis and updated where the Commission considers it appropriate to do so.
Interaction with other law
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union.
/images/ls
GIVEN under my Official Seal,
28 November, 2022.
LEO VARADKAR,
Minister for Enterprise, Trade and Employment.
EXPLANATORY NOTE
(This note is not part of the Instrument and does not purport to be a legal interpretation.)
These Regulations restrict, in limited circumstances, the rights and obligations provided for in the Data Protection Act 2018 . These restrictions apply only where necessary and proportionate to safeguard the statutory functions of the Competition and Consumer Protection Commission (CCPC). For example, where the exercise of the right may interfere with the prevention, detection or investigation of breaches, or where disclosure may prejudice the achievement of a relevant objective.
The Regulations provide that the essence of the right and any risk to the right that may result from a restriction are matters that are relevant in determining whether a restriction is necessary and proportionate to safeguard a statutory function. Furthermore, whether a restriction applies must be considered on a case-by-case basis following an assessment of the relevant circumstances. Whether it is necessary and proportionate to restrict the right in whole, or in part must also be considered.
Where a right or obligation is restricted, the Regulations provide that the CCPC is obliged to notify the data subject and provide the reasons for the restriction, unless to do so may prejudice the achievement of a relevant objective. A notification must inform the data subject of the right or obligation affected by the restriction, whether the restriction applies in whole or in part, and the data subject’s statutory right to lodge a complaint with the Data Protection Commission.
The proposed measures also require the CCPC to have in place certain policies and procedures relating to safeguards to prevent abuse or unlawful access or transfer and the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing. The measures also require that the CCPC ensures that all information provided in relation to these Regulations is provided in a clear, concise and accessible manner.
Data Sharing and Governance Act 2019
PART 1
Preliminary and General
1. Short title and commencement
2. Definitions
3. Regulations and Orders
4. Expenses
PART 2
Application of Act
5. Application of Act to special categories of personal data
6. Interaction with Data Protection Acts and General Data Protection Regulation
7. Interaction with Social Welfare Consolidation Act 2005
8. Interaction with other enactments
9. Data-sharing: meaning
10. Public body: meaning
11. Deceased persons
12. Exclusions
PART 3
Regulation of Data-sharing
13. Data-sharing: requirements
14. Directions
PART 4
Data-sharing Agreements
15. Application (Part 4)
16. Obligation to enter into data-sharing agreement
17. Formal requirements
18. Accession to data-sharing agreement
19. Content of data-sharing agreement
20. Review of operation of data-sharing agreement
21. Lead agency
22. Cessation
PART 5
Public service information
23. Definitions (Part 5)
24. Application (Part 5)
25. Administration of Single Public Service Pension Scheme
26. Administration of pre-existing public service pension schemes
27. Public service policy analysis
28. Information requests
29. Data protection impact assessment
30. Anonymisation
31. Pension scheme information systems
32. Transparency
PART 6
Business Information
33. Definitions (Part 6)
34. Application (Part 6)
35. Allocation of unique business identifier number
36. Disclosure of business information
PART 7
Base Registries
37. Designation of base registry
38. Base registry owner
39. Processing of information
40. Terms of service
41. Access to information
42. Obligation to use base registry
PART 8
Personal Data Access Portal
43. Application (Part 8)
44. Establishment of personal data access portal
PART 9
Data Governance
Chapter 1
Data Governance Board
45. Appointment of Board
46. Functions of Board
47. Membership of Board and related matters
48. Committees
49. Disqualification from membership of Board
50. Resignation from membership
51. Casual vacancies
52. Reporting
Chapter 2
Review of Data Sharing Agreements
53. Definitions (Chapter 2)
54. Exclusions (Chapter 2)
55. Public consultation
56. Submission of documentation and information to Board
57. Review of data-sharing agreement
58. Amendments following review
59. Execution of agreement
60. Publication
62. Time periods and documentation
Chapter 3
Governance
63. Application (Chapter 3)
64. Rules, procedures and standards
65. Guidelines
66. Model agreements
67. Publication of regulations and guidelines
68. Compliance report
PART 10
Miscellaneous
69. Prohibition on requests for certain documents
70. Specification of information
71. Provision of information on data-sharing
72. Amendment of Act of 1997
73. Amendment of Ministers and Secretaries (Amendment) Act 2011
74. Amendment of Social Welfare Consolidation Act 2005
75. Amendment of National Shared Services Office Act 2017
SCHEDULE
Bodies to which definition of “public body” does not apply
Acts Referred to
Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 (No. 24)
Civil Registration Act 2004 (No. 3)
Civil Service Regulation Act 1956 (No. 46)
Communications Regulation (Postal Services) Act 2011 (No. 21)
Companies Act 2014 (No. 38)
Comptroller and Auditor General Acts 1866 to 1998
Copyright and Related Rights Act 2000 (No. 28)
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)
Criminal Justice (Terrorist Offences) Act 2005 (No. 2)
Criminal Law Act 1976 (No. 32)
Data Protection Act 2018 (No. 7)
Data Protection Acts 1988 to 2018
Education Act 1998 (No. 51)
Education and Training Boards Act 2013 (No. 11)
Electronic Commerce Act 2000 (No. 27)
Employment Equality Act 1998 (No. 21)
European Parliament Elections Act 1997 (No. 2)
Family Law (Divorce) Act 1996 (No. 33)
Family Law Act 1995 (No. 26)
Interpretation Act 2005 (No. 23)
Irish Human Rights and Equality Commission Act 2014 (No. 25)
Local Government Act 2001 (No. 37)
Ministers and Secretaries (Amendment) Act 2011 (No. 10)
National Shared Services Office Act 2017 (No. 26)
Offences against the State Acts 1939 to 1998
Public Service Pay and Pensions Act 2017 (No. 34)
Public Service Pensions (Single Scheme and Other Provisions) Act 2012 (No. 37)
Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)
Social Welfare Consolidation Act 2005 (No. 26)
Statistics Act 1993 (No. 21)
Taxes Consolidation Act 1997 (No. 39)
Vital Statistics and Births, Deaths and Marriages Registration Act 1952 (No. 8)
/static/images/base/harp.jpg
Number 5 of 2019
DATA SHARING AND GOVERNANCE ACT 2019
An Act to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish the Data Governance Board; to amend the Taxes Consolidation Act 1997 ; to amend the Social Welfare Consolidation Act 2005 ; to amend the Ministers and Secretaries (Amendment) Act 2011 ; to amend the National Shared Services Office Act 2017 ; and to provide for related matters.
/static/images/base/harp.jpg
Number 5 of 2019
DATA SHARING AND GOVERNANCE ACT 2019
An Act to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish the Data Governance Board; to amend the Taxes Consolidation Act 1997 ; to amend the Social Welfare Consolidation Act 2005 ; to amend the Ministers and Secretaries (Amendment) Act 2011 ; to amend the National Shared Services Office Act 2017 ; and to provide for related matters.
[4th March, 2019]
Be it enacted by the Oireachtas as follows:
PART 1
Preliminary and General
Short title and commencement
1. (1) This Act may be cited as the Data Sharing and Governance Act 2019.
(2) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.
Definitions
2. In this Act—
“Act of 1997” means the Taxes Consolidation Act 1997 ;
“Act of 2005” means the Social Welfare Consolidation Act 2005 ;
“Act of 2014” means the Companies Act 2014 ;
“base registry” means a database which is designated as such in an order made under section 37 (1);
“base registry owner” means a public body specified as such in respect of a base registry in an order made under section 37 (1);
“Board” has the meaning assigned to it by section 45 (1);
“company” means a company formed and registered under the Act of 2014 or an existing company within the meaning of that Act;
“controller” has the same meaning as it has in the General Data Protection Regulation;
“data protection impact assessment” means an assessment carried out for the purposes of Article 35 of the General Data Protection Regulation;
“data protection law” means—
(a) the Data Protection Acts 1988 to 2018,
(b) the General Data Protection Regulation,
(c) all law of the State giving further effect to the General Data Protection Regulation, and
(d) all law of the State giving effect or further effect to Directive 2016/680;
“data protection officer” in respect of a public body, means the person designated in accordance with Article 37 of the General Data Protection Regulation;
“data-sharing” shall be construed in accordance with section 9 ;
“data-sharing agreement” means an agreement between two or more public bodies which provides for the disclosure of information by one or more of the parties to the agreement to one or more of the other parties to the agreement;
“data subject” has the same meaning as it has in the General Data Protection Regulation;
“database” has the same meaning as it has in the Copyright and Related Rights Act 2000 ;
“Directive 2016/680” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA1 ;
“enactment” has the same meaning as it has in the Interpretation Act 2005 ;
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC2 ;
“information” includes data;
“information system” has the same meaning as it has in the Electronic Commerce Act 2000 ;
“lead agency” has the meaning assigned to it by section 21 ;
“Minister” means the Minister for Public Expenditure and Reform;
“personal data” has the same meaning as it has in the General Data Protection Regulation;
“prescribed” means prescribed by regulations made by the Minister under section 3 (1);
“processing” has the same meaning as it has in the General Data Protection Regulation;
“public body” shall be construed in accordance with section 10 ;
“public service pension scheme” has the same meaning as it has in Part 4 of the Public Service Pay and Pensions Act 2017 ;
“special categories of personal data” means information referred to in Article 9(1) of the General Data Protection Regulation.
Regulations and Orders
3. (1) The Minister may by regulations provide for any matter referred to in this Act as prescribed or to be prescribed.
(2) Without prejudice to any provision of this Act, regulations under this section may contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of the regulations.
(3) Every order (other than an order under section 1 (2)) and regulation under this Act shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the order or regulation is passed by either such House within the next 21 days on which that House sits after the order or regulation is laid before it, the order or regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.
Expenses
4. The expenses incurred by the Minister in the administration of this Act shall be paid out of monies provided by the Oireachtas.
PART 2
Application of Act
Application of Act to special categories of personal data
5. This Act, other than Part 5, Part 8 and Chapter 3 of Part 9, shall not apply to special categories of personal data.
Interaction with Data Protection Acts and General Data Protection Regulation
6. (1) Subject to subsections (2) and (3), nothing in this Act shall affect the operation of data protection law.
(2) Section 38 of the Data Protection Act 2018 shall not apply to the disclosure of information by one public body to another public body.
(3) Regulations made under section 38 (4) of the Data Protection Act 2018 shall not constitute an enactment under which specific provision is made permitting or requiring data-sharing for the purpose of sections 13 (1), 15 (1) or 34(1).
Interaction with Social Welfare Consolidation Act 2005
7. (1) Subject to subsection (2), this Act, other than Part 5 and Chapter 3 of Part 9, does not affect the operation of the Act of 2005.
(2) Notwithstanding section 262(6)(b) of the Act of 2005, a specified body (in this section referred to as the “first mentioned specified body”) may, subject to subsection (3), disclose the information comprised in a person’s public service identity to another specified body (in this section referred to as the “second mentioned specified body”), where the information is disclosed in accordance with this Act.
(3) The first mentioned specified body may not disclose the information comprised in a person’s public service identity to the second mentioned specified body for the purpose specified in section 13 (2)(a)(ii)(VIII).
(4) The reference in subsections (2) and (3) to the disclosure of the information referred to in those subsections includes the accessing of that information by the second mentioned specified body where that information is contained in a base registry in respect of which the first mentioned specified body is the base registry owner.
(5) In this section—
“specified body” has the same meaning as it has in section 262 of the Act of 2005;
“public service identity” has the same meaning as it has in section 262 of the Act of 2005, subject to the modification that the reference, in the definition of that phrase in subsection (1) of that section, to information specified in subsection (3) of that section shall not include a reference to special categories of personal data.
Interaction with other enactments
8. (1) Subject to section 34 (3), nothing in this Act shall affect the operation of section 851A of the Act of 1997.
(2) Subject to section 64 (3), this Act shall not apply to information—
(a) collected for statistical purposes in accordance with the Statistics Act 1993 , or
(b) disclosed in accordance with regulations made under section 2 of the Vital Statistics and Births, Deaths and Marriages Registration Act 1952 .
(3) This Act, other than Chapter 3 of Part 9, shall not apply to the disclosure of information under the Civil Registration Act 2004 .
Data-sharing: meaning
9. (1) In this Act, “data-sharing” means the disclosure of information, including personal data, by a public body to another public body.
(2) For the purposes of this Act, an addition or change to the information held on an information system under the control of a public body that results automatically from an addition or change to information held on an information system under the control of another public body, is deemed to be a disclosure by the second mentioned public body to the first mentioned public body of the information so added or changed on the information system under the control of the first mentioned public body.
Public body: meaning
10. (1) In this Act, “public body” means—
(a) a Minister of the Government,
(b) the Attorney General,
(c) the Comptroller and Auditor General,
(d) the Revenue Commissioners,
(e) the Commissioners of Public Works in Ireland,
(f) the Commissioner of Valuation,
(g) the Garda Síochána,
(h) the Defence Forces,
(i) a local authority for the purposes of the Local Government Act 2001 ,
(j) the Health Service Executive,
(k) an education and training board,
(l) a recognised school established and maintained by an education and training board,
(m) a board of a recognised school established and maintained by an education and training board,
(n) a body (other than an exempted body) established—
(i) by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act), or
(ii) under the Act of 2014, or a former enactment relating to companies within the meaning of section 5 of that Act, in pursuance of powers conferred by or under another enactment, and financed wholly or partly by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government,
in respect of which a public service pension scheme exists or applies or may be made,
(o) a body (other than an exempted body) that is wholly or partly funded directly or indirectly out of moneys provided by the Oireachtas or from the Central Fund or the growing produce of that Fund and in respect of which a public service pension scheme exists or applies or may be made,
(p) any subsidiary of, or company controlled (within the meaning given by section 10 of the Act of 1997) by, a body to which paragraph (i), (j), (k), (n) or (o) relates and in respect of which a public service pension scheme exists or applies or may be made, and
(q) any other body specified in an order made under subsection (4).
(2) The Minister may, with the consent of the Minister of the Government in whom functions in relation to that body are vested and having had regard to the matters referred to in subsection (3), by order exempt a body that would otherwise be included in the definition of “public body” in subsection (1).
(3) The Minister shall, prior to making an order under subsection (2), have regard to whether—
(a) the body proposed to be specified in the order is engaged for gain in the production, supply or distribution of goods or the provision of a service, and
(b) the use by that body of information disclosed to it by a public body could lead to the distortion of competition in trade in any goods or services in the State or in any part of the State.
(4) The Minister may, at the request of a body that would not otherwise be included in the definition of “public body” in subsection (1) and with the consent of the Minister of the Government in whom functions in relation to that body are vested, by order designate that body as a public body where—
(a) that body is financed wholly or partly, whether directly or indirectly, by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, and
(b) the Minister is satisfied that the principal activity of the body is the delivery of services to the public under an agreement with a public body.
(5) In this section—
“Act of 1998” means the Education Act 1998 ;
“board” has the same meaning as it has in the Act of 1998;
“education and training board” means an education and training board established under section 9 of the Education and Training Boards Act 2013 ;
“exempted body” means—
(a) a body specified or referred to in the Schedule ,
(b) a body specified in an order made under subsection (2),
(c) a recognised school (other than a recognised school referred to in subsection (1)(l)),
(d) a board (other than a board referred to in subsection (1)(m)), and
(e) a management committee established under section 37(3) of the Act of 1998;
“recognised school” has the same meaning as it has in the Act of 1998.
Deceased persons
11. Unless the context otherwise requires—
(a) a reference in this Act to a person includes a reference to a deceased person, and
(b) a reference in this Act to personal data or special categories of personal data includes a reference to the personal data or special categories of personal data, as the case may be, of a deceased person.
Exclusions
12. (1) This Act shall not apply to data-sharing for the purposes of—
(a) the prevention, detection or investigation of offences,
(b) the apprehension or prosecution of offenders,
(c) the imposition or execution of a fine or sentence of imprisonment,
(d) the exercise of the functions of the Criminal Assets Bureau,
(e) protecting the security of the State including, but not limited to, the following:
(i) preventing, detecting and investigating offences under the Offences against the State Acts 1939 to 1998, the Criminal Law Act 1976 , the Criminal Justice (Terrorist Offences) Act 2005 and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 ;
(ii) protecting the State from—
(I) espionage,
(II) sabotage,
(III) unlawful acts that subvert or undermine, or are intended to subvert or undermine, parliamentary democracy or the institutions of the State, and
(IV) acts of foreign interference that are, or are intended to be, detrimental to the interests of the State and are clandestine or deceptive or involve a threat to any person,
whether directed from, or committed or intended to be committed within, the State or not,
(f) identifying foreign capabilities, intentions or activities within or relating to the State that impact on the international or economic well-being of the State,
(g) co-operating with authorities in other states and international organisations aimed at preserving international peace, public order and security,
(h) the defence of the State, or
(i) the international relations of the State.
(2) Subject to Part 5, this Act shall not apply to the disclosure by a public body to another public body of the personal data of a data subject for the internal administrative purposes of the first or second mentioned public body.
(3) The reference in subsection (2) to internal administrative purposes includes a reference to purposes relating to the employment of the data subject concerned.
PART 3
Regulation of Data-sharing
Data-sharing: requirements
13. (1) This section applies to the disclosure of personal data by a public body to another public body, where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing.
(2) A public body may disclose personal data to another public body, in a case in which this section applies to such disclosure, only where—
(a) the personal data concerned is disclosed—
(i) for the purpose of the performance of a function of the first or second mentioned public body, and
(ii) for one or more of the following purposes:
(I) to verify the identity of a person, where the first or second mentioned public body is providing or proposes to provide a service to that person;
(II) to identify and correct erroneous information held by the first or second mentioned public body;
(III) to avoid the financial or administrative burden that would otherwise be imposed on a person to whom a service is being or is to be delivered by the first or second mentioned public body were the second mentioned public body to collect the personal data directly from that person;
(IV) to establish the entitlement of a person to the provision of a service being delivered by the first or second mentioned public body, on the basis of information previously provided by that person to the first mentioned public body (or another public body that previously disclosed the information to the first mentioned public body);
(V) to facilitate the administration, supervision and control of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VI) to facilitate the improvement or targeting of a service, programme or policy delivered or implemented or to be delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VII) to enable the evaluation, oversight or review of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VIII) to facilitate an analysis of the structure, functions, resources and service delivery methods of the first or second mentioned public body,
(b) the personal data concerned is disclosed under and in accordance with a data-sharing agreement in compliance with Part 4,
(c) the first and second mentioned public body—
(i) comply with the rules, procedures and standards, if any, prescribed under section 64 ,
(ii) have regard to the guidelines, if any, issued under section 65 , and
(iii) where subsection (3) of section 66 applies, comply with that subsection,
(d) in a case in which the second mentioned public body is engaged for gain in the production, supply or distribution of goods or the provision of services, the use by that public body of the personal data could not lead to the distortion of competition in trade in those goods or services in the State or in any part of the State,
(e) the personal data concerned has been lawfully obtained and held by the first mentioned public body, and
(f) the personal data concerned is disclosed in accordance with the other provisions of this Act applicable to a disclosure of personal data to which this section applies and any other enactment or law of the European Union applicable to the first or second mentioned public body, and
(g) the disclosure of the personal data is—
(i) necessary for the performance of the functions in relation to which the information is being disclosed, and
(ii) proportionate in the context of the performance of those functions and the effects of the disclosure on the rights of the data subjects concerned.
(3) Subsection (2)(b) shall not apply to the disclosure of personal data under Part 5.
Directions
14. (1) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to a public body to which the Minister proposes to issue a direction are vested, and having had regard to the matters referred to in subsection (8), direct one or more public bodies to disclose information to one or more other public bodies.
(2) A direction under subsection (1) shall specify the public bodies to which it applies and the information to be disclosed.
(3) A direction under subsection (1) may specify conditions in accordance with which specified information is to be disclosed.
(4) Where a direction under subsection (1) specifies conditions in accordance with which specified information is to be disclosed, those conditions shall be reflected in a data-sharing agreement relating to the disclosure of the information specified in the direction.
(5) Part 4 shall not apply to a data-sharing agreement referred to in subsection (4) unless section 13 applies to the disclosure to which the direction concerned relates.
(6) The Minister shall not issue a direction to a public body under subsection (1) if—
(a) the disclosure of the information concerned is prohibited by a law of the European Union or any enactment, or
(b) compliance with the direction would result in a public body being in breach of this Act, another enactment or a law of the European Union.
(7) Prior to issuing a direction under subsection (1), the Minister shall consult with the public bodies concerned, as well as such other Minister of the Government, if any, as the Minister considers appropriate having regard to the functions of that other Minister.
(8) The Minister, shall for the purposes of subsection (1), have regard to whether the disclosure of the information concerned would—
(a) assist in the carrying out of a function of one or more of the public bodies concerned by—
(i) reducing the duplication of tasks carried out by one or more public bodies,
(ii) increasing the efficiency of a public body in carrying out that function, or
(iii) facilitating an improvement in the quality of services being delivered,
(b) assist a public body in verifying the identity of a person receiving a service being delivered by the public body,
(c) assist in the identification or correction of any erroneous information held by one or more of the public bodies concerned,
(d) reduce the need for a person to provide the same information to more than one public body,
(e) assist a public body in establishing the entitlement of a person to a service being delivered by the public body,
(f) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented, as the case may be, by a public body,
(g) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented, as the case may be, by a public body,
(h) enable the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body, or
(i) facilitate an analysis of the structure, functions, resources and service delivery methods of a public body.
(9) A public body to which a direction under subsection (1) applies shall comply with the direction.
(10) Where, following the issue of a direction under subsection (1)—
(a) the disclosure of the information concerned becomes prohibited by a law of the European Union or any enactment, or
(b) compliance with the direction would result in a public body being in breach of this Act, another enactment or a law of the European Union,
the direction shall, subject to subsection (11), cease to have effect.
(11) Where the Data Protection Commission, in exercise of its powers under Article 58(2)(f) of the General Data Protection Regulation, imposes a temporary limitation on a disclosure of information in accordance with a direction under subsection (1), the direction shall cease to have effect until the expiry of that temporary limitation.
PART 4
Data-sharing Agreements
Application (Part 4)
15. (1) Subject to subsection (2), this Part applies to the disclosure of personal data by a public body to another public body where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing.
(2) This Part does not apply to the disclosure of personal data under Part 5.
Obligation to enter into data-sharing agreement
16. A public body shall, in a case in which this Part applies to such disclosure, enter into a data-sharing agreement with the public body to which it proposes to disclose personal data prior to commencing that disclosure.
Formal requirements
17. A data-sharing agreement shall be in writing.
Accession to data-sharing agreement
18. (1) A public body that was not a signatory to a data-sharing agreement on its date of execution may accede to the agreement by executing an accession agreement to the data-sharing agreement.
(2) An accession agreement referred to in subsection (1) shall be executed, on behalf of the public bodies who were parties to the data-sharing agreement concerned immediately prior to the execution of the accession agreement, by the lead agency specified in that data-sharing agreement in accordance with section 21 (1).
(3) A lead agency specified in a data-sharing agreement in accordance with section 21 (1) shall notify the Board prior to executing an accession agreement to that data-sharing agreement.
Content of data-sharing agreement
19. (1) A data-sharing agreement shall—
(a) specify the names of the parties to the agreement in a schedule to the agreement,
(b) specify the information to be disclosed,
(c) specify the purpose of the data-sharing,
(d) specify the function of the public body concerned to which the purpose referred to in paragraph (c) relates,
(e) specify the legal basis for the data-sharing and for any further processing, by the parties to the agreement, of the information to be disclosed under the agreement,
(f) specify whether the impetus for the disclosure of information under the agreement will come from a data subject or a public body,
(g) specify whether, where information is disclosed under the agreement, the disclosure will be of information in relation to individual data subjects or classes of data subjects,
(h) specify whether the disclosure of information under the agreement will be on a once-off or ongoing basis,
(i) specify how the information to be disclosed is to be processed following its disclosure,
(j) specify any restrictions on the disclosure of information after the processing referred to in paragraph (i),
(k) include an undertaking by the parties to the agreement to comply with Article 5 of the General Data Protection Regulation in disclosing information under the agreement,
(l) where a data protection impact assessment has been carried out in relation to the data-sharing, include a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation in a schedule to the agreement,
(m) specify the security measures to apply to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures,
(n) specify the requirements in relation to the retention of—
(i) the information to be disclosed, and
(ii) the information resulting from the processing of that information,
for the duration of the agreement and in the event that the agreement is terminated,
(o) specify the method to be employed to destroy or delete—
(i) the information to be disclosed, and
(ii) the information resulting from the processing of that information,
at the end of the period for which the information is to be retained in accordance with the agreement,
(p) specify the procedure in accordance with which a party may withdraw from the agreement,
(q) include such other matters as may be prescribed under subsection (2),
(r) include in a schedule to the agreement a statement summarising the analysis of the parties in relation to the extent to which—
(i) the disclosure of the information is necessary for the performance of the functions in relation to which the information is being disclosed, and
(ii) the disclosure and safeguards applicable to that disclosure are proportionate in the context of the performance of those functions and the effects of the disclosure on the rights of the data subjects concerned.
(2) The Minister may prescribe matters, in addition to those listed in subsection (1), to be included in a data-sharing agreement where he or she is satisfied that the inclusion of those matters would—
(a) be consistent with Article 5(1) of the General Data Protection Regulation, and
(b) (i) improve transparency as regards the sharing of information by public bodies, or
(ii) facilitate good governance in the sharing of information by public bodies.
(3) A data-sharing agreement may provide for matters in addition to those listed in subsection (1).
Review of operation of data-sharing agreement
20. (1) The parties to a data-sharing agreement shall review the operation of the agreement on a regular basis, with each such review being carried out on a date that is not more than 5 years from—
(a) in the case of the first such review under this subsection, the date on which the agreement came into effect in accordance with section 61 (in this section referred to as the “effective date”), and
(b) in the case of each subsequent review under this subsection, the date of the previous review under this subsection.
(2) A review under subsection (1) shall consider the impact of the technical, policy and legislative changes that have occurred since the date of the previous review under that subsection or, in the case of the first review under that subsection, the effective date.
(3) Where the parties to a data-sharing agreement consider that it is appropriate following completion of a review under subsection (1), they shall prepare a draft amendment agreement to take account of the technical, policy and legislative changes that have occurred since the date of the previous review under that subsection or, in the case of the first review under that subsection, the effective date.
(4) A draft amendment agreement prepared in accordance with subsection (3) shall be submitted for review in accordance with Chapter 2 of Part 9.
Lead agency
21. (1) A data-sharing agreement shall specify a party (in this Act referred to as the “lead agency”) to that agreement to be responsible for carrying out the functions set out in subsection (3).
(2) Subject to section 38 (1)(e) and in default of agreement, the lead agency in respect of a data-sharing agreement shall—
(a) where one of the parties only to the data-sharing agreement is a controller in respect of the information being or to be disclosed under that agreement, be that party, and
(b) where more than one party to the data-sharing agreement is a controller in respect of the information being or to be disclosed under that agreement, be the controller nominated by those controllers to be the lead agency in respect of that agreement.
(3) The lead agency shall—
(a) where a public body that was not a signatory to the data-sharing agreement concerned on its date of execution accedes to the agreement in accordance with section 18 or where a party withdraws from the agreement, update the schedule referred to in section 19 (1)(a),
(b) notify the parties to the data-sharing agreement concerned of any changes to the schedule referred to in section 19 (1)(a),
(c) where a party that was the lead agency withdraws from the data-sharing agreement concerned, amend the agreement accordingly, and
(d) publish a copy of the conclusions of a review of the data-sharing agreement concerned carried out under section 20 on a website maintained by it or on its behalf.
(4) Where information in respect of a person is, or is believed by the person to be, included in the information disclosed or to be disclosed under a data-sharing agreement, that person may direct a request in relation to the exercise of a right of that person under Article 15, 16, 17, 18, 20 or 21 of the General Data Protection Regulation in respect of that information to the lead agency specified in that data-sharing agreement.
(5) Where a lead agency receives a request in accordance with subsection (4), the lead agency shall—
(a) where the lead agency is not a controller in respect of the information concerned, send the request to the controller, or
(b) where the lead agency is a joint controller (within the meaning of Article 26 of the General Data Protection Regulation) in respect of the information concerned, send the request to the other joint controller,
as soon as practicable following receipt of the request.
Cessation
22. (1) Where a data-sharing agreement expires or is terminated, the lead agency shall notify the Minister as soon as practicable after such expiration or termination, as the case may be.
(2) Where the Minister receives a notification under subsection (1), the Minister shall—
(a) publish, on a website maintained by him or her, a notification to the effect that the data-sharing agreement concerned has expired or has been terminated, as the case may be, and
(b) ensure that where a copy of the data-sharing agreement concerned or documentation in relation thereto is accessed on the website maintained by the Minister that it is clear to the person accessing the information that the agreement concerned has expired or has been terminated, as the case may be.
PART 5
Public service information
Definitions (Part 5)
23. (1) In this Part—
“Act of 2010” means the Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 ;
“Act of 2011” means the Ministers and Secretaries (Amendment) Act 2011 ;
“Act of 2012” means the Public Service Pensions (Single Scheme and Other Provisions) Act 2012 ;
“administration”, in relation to a pension scheme, includes the technical and organisational measures implemented by a public service body for the purposes of the administration of the scheme;
“anonymised” in relation to personal data, means processed such that the personal data can no longer be attributed to a specific data subject;
“child” has the same meaning as it has in Part 2 of the Act of 2012;
“civil partner” shall be construed in accordance with section 3 of the Act of 2010;
“former scheme member” means a person who was a member of a public service pension scheme during the period of his or her employment with a public service body, irrespective of whether or not an entitlement has vested in that person as a member of that scheme;
“pension adjustment order” means an order under—
(a) section 12 of the Family Law Act 1995 ,
(b) section 17 of the Family Law (Divorce) Act 1996 ,
(c) section 121 of the Act of 2010, or
(d) section 187 of the Act of 2010;
“pension scheme beneficiary” means a person, other than a scheme member, former scheme member or pensioner, who has or had an entitlement to a benefit under a public service pension scheme;
“pension scheme membership information” means the information held by or on behalf of a public service body for the purposes of—
(a) keeping full and proper account of the contributions paid or repaid under a public service pension scheme by a scheme member or a former scheme member,
(b) keeping full and proper account of the benefits accrued by or restored to a scheme member or a former scheme member under a public service pension scheme,
(c) keeping full and proper account of all benefits paid or payable to a scheme member, a former scheme member, a pensioner or any other pension scheme beneficiary under a public service pension scheme,
(d) determining the eligibility of a person under a public service pension scheme,
(e) calculating or recalculating the contributions and benefits referred to in paragraphs (a) and (b), or
(f) the effective administration of a public service pension scheme;
“pensioner” means a person who—
(a) is entitled to the payment of a public service pension under a public service pension scheme,
(b) has a preserved benefit under a public service pension scheme, or
(c) is the surviving spouse, civil partner, cohabitant (or surviving former spouse, civil partner or cohabitant) or child of a scheme member or former scheme member who is entitled or may become entitled to the payment of a public service pension;
“pre-existing public service pension scheme” has the same meaning as it has in Part 2 of the Act of 2012;
“preserved benefit” has the same meaning as it has in the Public Service Superannuation (Miscellaneous Provisions) Act 2004 ;
“pseudonymised” in relation to personal data, means processed such that the personal data can no longer be attributed to a specific data subject without the use of additional information, where such additional information is—
(a) kept separately from the personal data, and
(b) subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“public servant” means—
(a) a person who is employed by, or holds any office or other position in, a public service body,
(b) the President,
(c) a Minister of the Government or Minister of State,
(d) a member of Dáil Éireann,
(e) a member of Seanad Éireann,
(f) the holder of a judicial office,
(g) the Comptroller and Auditor General,
(h) a member of a local authority, or
(i) any other person who is a member of a public service pension scheme;
“public service body” has the same meaning as it has in Part 2 of the Act of 2012, subject to the modification that the reference to the Civil Service in the definition of “public service body” in section 5 of that Act shall be construed as a reference to a person or body whose employees are civil servants (within the meaning of the Civil Service Regulation Act 1956 );
“public service pension” means a periodic payment of a pension or other benefit by whatever name called, which is not a lump sum, payable to or in respect of a public servant or former public servant under a public service pension scheme;
“relevant authority” has the same meaning as it has in Part 2 of the Act of 2012;
“scheme member” means a public servant who is a member of a public service pension scheme, irrespective of whether or not an entitlement has vested in that public servant as a member of that scheme;
“statutory pensions appeal” means a process provided for in an enactment for the resolution of a dispute in relation to an entitlement under a public service pension scheme;
“transfer network” has the same meaning as it has in Part 2 of the Schedule to the Rules for Pre-existing Public Service Pension Scheme Members Regulations 2014 ( S.I. No. 582 of 2014 ).
(2) For the purposes of this Part “cohabitant” has the meaning assigned to it in subsection (1) of section 172 of the Act of 2010 and, in determining whether or not 2 persons are cohabitants, regard shall be had to the circumstances that a court has to take into account under subsection (2) of that section.
(3) In this Part a reference to an entitlement includes a reference to a past, present, future, actual or contingent entitlement.
Application (Part 5)
24. (1) Subject to subsection (2), this Part applies to—
(a) personal data (other than special categories of personal data), and
(b) information other than personal data.
(2) This Part applies to special categories of personal data where the processing of the information concerned is for the purposes of—
(a) the administration of a public service pension scheme, or
(b) an actuarial valuation of a public service pension scheme.
Administration of Single Public Service Pension Scheme
25. (1) A relevant authority or an agent of that authority, where the information concerned is held by that agent, shall at the request of a Minister of the Government provide information referred to in subsection (2) to—
(a) the Minister, for the purposes of—
(i) the performance of a function of the Minister under the Act of 2012,
(ii) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011, or
(iii) the administration of the Single Public Service Pension Scheme,
or
(b) the Minister of the Government making the request (where that Minister of the Government is not the Minister) or another relevant authority, for the purposes of—
(i) the performance of a function of that Minister or relevant authority under the Act of 2012, or
(ii) the administration of the Single Public Service Pension Scheme.
(2) The information to be provided under subsection (1) is the following information in respect of the Single Public Service Pension Scheme:
(a) pension scheme membership information in respect of—
(i) a scheme member,
(ii) a former scheme member,
(iii) a pensioner,
(iv) a person who was, but is no longer, a pensioner,
(v) a pension scheme beneficiary, or
(vi) a person whose eligibility under a public service pension scheme is in the process of being determined;
(b) such additional information as may be prescribed.
(3) The Minister shall, when prescribing additional information under subsection (2)(b), have regard to whether the provision of such information to the Minister, another Minister of the Government or another relevant authority would—
(a) reduce the duplication of tasks by relevant authorities or their agents,
(b) increase the efficiency of a relevant authority in carrying out a function of that relevant authority,
(c) improve the quality of services provided by a relevant authority to a scheme member, former scheme member, pensioner, pension scheme beneficiary or a person whose eligibility under a public service pension scheme is in the process of being determined,
(d) improve the quality of information created, held and maintained by relevant authorities,
(e) strengthen the accountability of relevant authorities in relation to the operation of the Single Public Service Pension Scheme, or
(f) improve the quality of analysis and decision-making in relation to the Single Public Service Pension Scheme.
Administration of pre-existing public service pension schemes
26. (1) A public service body or an agent of that body, where the information concerned is held by that agent, shall at the request of a Minister of the Government provide information referred to in subsection (2) to—
(a) the Minister, for the purposes of—
(i) the performance of a function of the Minister under the Act of 2012,
(ii) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011,
(iii) the performance of a function of the Minister under an enactment relating to a pre-existing public service pension scheme, or
(iv) the administration of a pre-existing public service pension scheme,
or
(b) the Minister of the Government making the request (where that Minister of the Government is not the Minister) or another public service body, for the purposes of—
(i) the performance of a function of that Minister or public service body under an enactment relating to a pre-existing public service pension scheme, or
(ii) the administration of a pre-existing public service pension scheme.
(2) The information to be provided under subsection (1) is the following information in respect of a pre-existing public service pension scheme:
(a) pension scheme membership information in respect of—
(i) a scheme member,
(ii) a former scheme member,
(iii) a pensioner,
(iv) a person who was, but is no longer, a pensioner,
(v) a pension scheme beneficiary, or
(vi) a person whose eligibility under a public service pension scheme is in the process of being determined;
(b) information relating to—
(i) a statutory pensions appeal of a decision made in relation to an entitlement under the scheme,
(ii) an adjustment to the number of years of service of a person for the purposes of the calculation of an entitlement under the scheme,
(iii) the operation of the transfer network, or
(iv) the administration of a pension adjustment order, whether made or in respect of which an application has been or is proposed to be made, applying to an entitlement under the scheme;
(c) such additional information as may be prescribed.
(3) The Minister shall, when prescribing additional information under subsection (2)(c), have regard to whether the provision of such information to the Minister, another Minister of the Government or a public service body would—
(a) reduce the duplication of tasks by public service bodies or their agents,
(b) increase the efficiency of public service bodies in carrying out their functions,
(c) improve the quality of services provided by a public service body to a scheme member, former scheme member, pensioner or pension scheme beneficiary,
(d) improve the quality of information created, held and maintained by public service bodies,
(e) strengthen the accountability of public service bodies in relation to the operation of pre-existing public service pension schemes, or
(f) improve the quality of analysis and decision-making in relation to pre-existing public service pension schemes.
Public service policy analysis
27. (1) A public service body or an agent of that body, where the information concerned is held by that agent, shall at the request of the Minister provide information referred to in subsection (2) to the Minister for the purposes of—
(a) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011,
(b) carrying out actuarial calculations in respect of public service pension schemes or public expenditure,
(c) calculating the adjustment to the expenditure by a public service body consequent upon the implementation of a policy or proposed policy of the Government,
(d) assessing the current and future staffing requirements of a public service body,
(e) developing, and analysing the consequences of, a policy or proposed policy of the Government for the purposes of—
(i) eliminating discrimination,
(ii) promoting equality of opportunity and treatment, or
(iii) protecting human rights,
in public service bodies, or
(f) carrying out an analysis of the structure, functions, resources and service delivery methods of a public service body.
(2) The information to be provided under subsection (1) is the following:
(a) the information referred to in section 25 (2)(a) and section 26 (2)(a) and (b);
(b) demographic information relating to a public servant, including age, gender and any disclosed disability;
(c) information relating to the employment of a public servant, including payment-related information and information relating to the public servant’s employer, contract of employment, length of service and grade;
(d) such additional information as may be prescribed.
(3) The Minister shall have regard to the following when prescribing additional information under subsection (2)(d):
(a) the need to strengthen the accountability of public service bodies;
(b) the need to improve the quality of decision-making of public bodies;
(c) the need to promote an evidence-based approach to the development of policy;
(d) the need to increase the efficiency of public service bodies in carrying out their functions;
(e) the need to ensure adequate information is available to facilitate effective staffing requirements planning across the public service;
(f) the need to facilitate trend analysis, scenario testing and forecasting in relation to—
(i) the number of public servants, and
(ii) expenditure on pay and pensions by public service bodies;
(g) the need to ensure adequate information is available to develop, implement and monitor policies for the purposes of—
(i) eliminating discrimination,
(ii) promoting equality of opportunity and treatment, or
(iii) protecting human rights,
in public service bodies.
(4) In paragraph (e) of subsection (1) and paragraph (g) of subsection (3)—
“discrimination” shall be construed in accordance with section 6 of the Employment Equality Act 1998 ;
“human rights” has the same meaning as it has in Part 3 of the Irish Human Rights and Equality Commission Act 2014 .
Information requests
28. A request under section 25 , 26 , or 27 may specify—
(a) the classes of information required,
(b) the period of time to which the information requested relates,
(c) the format in which the information requested is to be provided, and
(d) the date by which the information requested is to be provided.
Data protection impact assessment
29. The Minister shall, prior to prescribing any additional information to be provided under section 25 , 26 or 27 , carry out an assessment of the potential impact of the processing of that information on the protection of personal data.
Anonymisation
30. Where personal data is provided to the Minister under section 27 , it shall be anonymised or, where anonymisation of the information concerned would prevent the purpose for which the information is being provided from being achieved, pseudonymised, as soon as practicable following receipt of the information by the Minister.
Pension scheme information systems
31. (1) The Minister may establish a database comprising all of the information provided to the Minister under section 25 .
(2) The Minister may establish an information system for any or all of the following purposes:
(a) enabling a public service body to access information held on the database referred to in subsection (1);
(b) facilitating the calculation of the entitlement or liability of a person under the Act of 2012;
(c) administering entitlements and liabilities under the Act of 2012.
(3) Where an information system referred to in subsection (2) is established, a public service body shall establish and maintain a connection between that information system and an information system under the control of the public service body in order to facilitate—
(a) the transfer, from that public service body to the Minister, of information requested under section 25 , and
(b) the querying by that public service body of the database referred to in subsection (1) and the database, if any, which is part of an information system referred to in subsection (2), and the provision of the results of such querying to that public service body.
(4) The Minister may disclose information to a public service body through an information system referred to in subsection (2), or other secure means, for the purposes described in that subsection.
(5) The Minister shall be the controller in respect of personal data stored on—
(a) the database referred to in subsection (1), and
(b) the database, if any, which is part of an information system referred to in subsection (2),
for the purposes of the General Data Protection Regulation.
Transparency
32. The Minister shall publish, on a website maintained by him or her, the following in respect of information disclosed under this Part:
(a) a description of the information provided;
(b) the name of the public service body providing the information;
(c) the provision of this Part under which the information is provided;
(d) a description of the processing to which the information is subject;
(e) a description of the restrictions, if any, which apply to the further disclosure of the information;
(f) where a data protection impact assessment has been carried out in relation to the processing of the information, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation;
(g) a description of the security measures applying to the processing of the information;
(h) a description of the policies regarding the retention and destruction of the information;
(i) whether or not the information will be anonymised or pseudonymised following disclosure under this Part;
(j) such other details as the Minister considers necessary for the purposes of providing transparency with regard to the processing of the information.
PART 6
Business Information
Definitions (Part 6)
33. (1) In this Part—
“business information” means the following information in respect of an undertaking:
(a) the unique business identifier number;
(b) the registered name, if any;
(c) the business or operating name, if any;
(d) the address (including the postcode (if any) within the meaning of section 66 of the Communications Regulation (Postal Services) Act 2011 ) at which the undertaking carries on business or ordinarily resides;
(e) the number, if any, allocated or issued by a public body under an enactment or law of the European Union;
(f) the number, if any, assigned in a register held or maintained by a public body under an enactment or law of the European Union;
(g) the legal form;
(h) the number of employees, if any;
(i) the annual turnover;
(j) the net assets;
(k) in respect of the principal activity carried on by the undertaking, the NACE classification code, if any, as determined in accordance with Regulation (EC) No. 1893/2006 of the European Parliament and of the Council of 20 December 20063 , as amended by Regulation (EC) No 295/2008 of the European Parliament and of the Council of 11 March 20084 and Regulation (EU) No 70/2012 of the European Parliament and of the Council of 18 January 201255 ;
(l) in the case of a natural person, a partnership of natural persons or an unincorporated body of natural persons, the nationality of the person or persons, as the case may be;
(m) in the case of a legal person, the state under the law of which the legal person was established;
(n) such other information as may be prescribed by the Minister, having regard to the matters referred to in subsection (3);
“net assets”, in relation to an undertaking, means the total assets of the undertaking less the total liabilities of the undertaking as shown in the financial statements of the undertaking;
“turnover”, in relation to an undertaking, means the amounts of revenue derived from the provision of goods and services falling within the undertaking’s ordinary activities, after deduction of—
(a) trade discounts,
(b) value-added tax, and
(c) any other taxes based on the amounts so derived,
and, in the case of an undertaking whose ordinary activities include the making or holding of investments, includes the gross revenue derived from such activities;
“undertaking” means—
(a) a natural person or partnership of natural persons engaged for gain in the production, supply or distribution of goods or the provision of a service,
(b) a body corporate, or
(c) an unincorporated body of natural persons.
(2) For the purposes of the definition of “business information” in subsection (1), a company shall be deemed to be ordinarily resident at its registered office, and every other body corporate and every unincorporated body shall be deemed to be ordinarily resident at its principal office or place of business.
(3) The matters to which the Minister is to have regard for the purposes of paragraph (n) of the definition of “business information” in subsection (1) are whether the disclosure of the information concerned under section 36 would—
(a) facilitate the carrying out of a function of a public body by—
(i) reducing duplication of tasks carried out by one or more public bodies,
(ii) increasing the efficiency of a public body in carrying out that function, or
(iii) improving the quality of services provided or to be provided by the public body,
(b) assist a public body in verifying the identity of a person receiving a service,
(c) assist in the identification and correction of erroneous information held by a public body,
(d) reduce the need for a person to provide the same information to more than one public body,
(e) assist a public body in establishing the entitlement of a person to a service,
(f) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body,
(g) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body, or
(h) facilitate the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body.
Application (Part 6)
34. (1) This Part applies to the disclosure of business information by a public body to another public body where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing.
(2) Subject to subsection (3), this Part shall not affect the operation of any restriction or prohibition contained in another enactment or law of the European Union on the disclosure of business information.
(3) The Revenue Commissioners may disclose business information that is taxpayer information (within the meaning of section 851A of the Act of 1997) in accordance with this Part.
Allocation of unique business identifier number
35. (1) The Minister may, for the purpose of uniquely identifying an undertaking, allocate and issue a number (to be known as the “unique business identifier number”) to that undertaking.
(2) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to the public body are vested, by order delegate his or her functions under subsection (1) to a public body.
Disclosure of business information
36. A public body may disclose business information to another public body where the information is disclosed—
(a) for the purpose of the performance of a function of the first or second mentioned public body, and
(b) for one or more of the purposes specified in section 13 (2)(a)(ii).
PART 7
Base Registries
Designation of base registry
37. (1) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to the public body are vested, by order designate a database, the copyright in which is owned by a public body, as a base registry.
(2) An order under subsection (1) shall specify—
(a) the name of the base registry,
(b) the public body that shall be the base registry owner in respect of the base registry,
(c) the purpose for which the information in the base registry may be processed by a public body accessing the base registry,
(d) the information to be contained in the base registry, and
(e) the name and associated description of each field in the database.
(3) The Minister may make an order under subsection (1) only if he or she is satisfied that it is necessary to do so for the purposes of—
(a) ensuring the consistency and accuracy of information which is frequently used by public bodies in the performance of their functions,
(b) avoiding the burden that would otherwise be imposed on a person to whom a service is being or is to be delivered by a public body if the information concerned was collected directly from that person, and
(c) avoiding the duplication of databases maintained by public bodies.
(4) The Minister shall, when making an order under subsection (1), have regard to whether the designation of the database concerned as a base registry would—
(a) reduce the duplication of tasks carried out by public bodies,
(b) increase the efficiency of public bodies in carrying out their functions,
(c) improve the quality of services provided by public bodies,
(d) assist a public body in verifying the identity of a person receiving a service being delivered or to be delivered by a public body,
(e) reduce the need for a person to provide the same information to different public bodies,
(f) assist a public body in establishing the entitlement of a person to a service being delivered or to be delivered by a public body,
(g) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body,
(h) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body,
(i) facilitate the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body,
(j) assist in ensuring that information held by one or more public bodies is up to date, or
(k) assist in improving the accuracy of information held by one or more public bodies.
Base registry owner
38. (1) A base registry owner shall—
(a) take all reasonable steps to ensure that the information contained in the base registry is—
(i) accurate,
(ii) up to date, and
(iii) a complete record of the information specified in the order made under section 37 (1) relating to the base registry,
(b) ensure that the information contained in the base registry may be accessed by a public body which requires access to that information for the purpose of the performance of a function of the public body,
(c) put in place appropriate administrative and technical measures to control and monitor access to the base registry,
(d) publish a description of the measures referred to in paragraph (c) on the website maintained by it, and
(e) where the information contained in the base registry includes personal data, be the lead agency in respect of the data-sharing agreement relating to the disclosure of the information to public bodies accessing the information on the base registry.
(2) In this section and sections 39 to 42 , a reference to a base registry is a reference to the base registry in respect of which the base registry owner concerned has been specified as such in an order made under section 37 (1).
Processing of information
39. A base registry owner shall have the power to process the information specified in an order made under section 37 (1) relating to a base registry where that information is processed for the purposes of complying with the obligations of the base registry owner under section 38 , notwithstanding that the base registry owner has no such power under another enactment or law of the European Union.
Terms of service
40. (1) A base registry owner shall prepare, with the consent of the Minister, following consultation with the Board, the form of an agreement (in this section referred to as a “terms of service”) specifying the terms and conditions in accordance with which access to a base registry is to be provided to a public body.
(2) The Minister shall publish, on a website maintained by him or her, terms of service prepared in accordance with subsection (1).
(3) A base registry owner and a public body accessing a base registry shall comply with the terms of service relating to that base registry.
Access to information
41. A base registry owner may, for the purposes of meeting its obligation under section 38 (1)(a)—
(a) amend the information contained in a base registry, and
(b) access information, held by another public body, specified in the order made under section 37 (1) relating to the base registry.
Obligation to use base registry
42. (1) Subject to subsection (3), where the information contained in a base registry meets the qualitative requirements of a public body in respect of the purpose for which it intends to use that information, the public body shall not collect such information for that purpose from a source other than the base registry, save where the information so collected is collected for the purposes of enabling that public body to access information on the base registry relating to the information so collected.
(2) A base registry owner may appoint a public body for the purposes of subsection (3).
(3) Where a base registry owner appoints a public body for the purposes of this subsection, that public body may collect information in respect of which the base registry concerned has been designated for the purposes of providing that information to the base registry owner in order to assist the base registry owner in complying with its obligations under section 38 (1)(a).
(4) A public body that is required to access information stored in a base registry in accordance with subsection (1), or that provides information to a base registry owner in accordance with subsection (3), shall put in place the administrative and technical measures necessary to access or provide that information, as the case may be.
PART 8
Personal Data Access Portal
Application (Part 8)
43. This Part applies to personal data (including special categories of personal data).
Establishment of personal data access portal
44. (1) The Minister may, with the approval of the Government, establish an information system for the purpose of enabling a data subject to—
(a) exercise his or her rights under the General Data Protection Regulation, and
(b) view information in relation to the personal data breaches, if any—
(i) which affect his or her personal data, and
(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation.
(2) The information system referred to in subsection (1) shall incorporate a website (to be known as the “Personal Data Access Portal”) which may include facilities by means of which a data subject may—
(a) view personal data relating to him or her held by a public body, together with the information relating to that personal data referred to in Article 15 of the General Data Protection Regulation,
(b) view information in relation to the personal data breaches, if any—
(i) which affect his or her personal data, and
(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation,
(c) view a copy of a data-sharing agreement under which his or her personal data has been disclosed between public bodies, and
(d) send a request to a public body in relation to the exercise by him or her of the rights provided for in Articles 15, 16, 17, 18, 19, 20 and 21 of the General Data Protection Regulation.
(3) Where an information system referred to in subsection (1) includes a facility referred to in subsection (2) in respect of a public body, that public body shall use all reasonable endeavours to put in place and maintain technical and administrative measures for the purposes of—
(a) enabling the provision of the information referred to in subsection (2)(a), (b) and (c) held by that public body to the information system referred to in subsection (1) for the purpose of allowing it to be viewed by the data subject to whom it relates, and
(b) facilitating the sending of—
(i) a request referred to in subsection (2)(d), and
(ii) a response to such a request.
(4) A public body may disclose information to the Minister through the information system referred to in subsection (1) for the purpose of—
(a) providing the information referred to in subsection (2)(a), (b) or (c), or
(b) facilitating or responding to a request referred to in subsection (2)(d).
(5) Information shall not be disclosed in accordance with subsection (4) unless the data subject concerned has—
(a) requested to view the information referred to in subsection (2)(a), (b) or (c), or
(b) made a request referred to in subsection (2)(d),
through the information system referred to in subsection (1).
(6) The information disclosed in accordance with subsection (4) shall be stored on the information system referred to in subsection (1) only for so long as is necessary to facilitate the completion of the actions referred to in subsection (2).
(7) A public body that discloses personal data to the Minister in accordance with subsection (4) shall be the controller in respect of that personal data for the purposes of the General Data Protection Regulation.
(8) Nothing in this section shall be construed as requiring the disclosure of information in relation to a person to that person where the disclosure of that information to that person—
(a) is prohibited under an enactment or a law of the European Union, or
(b) may be restricted in accordance with an enactment or a law of the European Union.
(9) In this section “personal data breach” has the same meaning as it has in the General Data Protection Regulation.
PART 9
Data Governance
Chapter 1
Data Governance Board
Appointment of Board
45. (1) The Minister shall, in accordance with section 47 , appoint a board to be known as the Data Governance Board (in this Act referred to as the “Board”).
(2) Subject to this Act, the Board shall be independent in the performance of its functions.
Functions of Board
46. (1) The Board shall—
(a) advise the Minister in relation to the prescribing of rules, procedures and standards under section 64 ,
(b) advise the Minister in relation to the preparation of guidelines under section 65 ,
(c) promote compliance by public bodies with guidelines issued under section 65 ,
(d) advise the Minister in relation to the monitoring of compliance by public bodies with rules, procedures and standards prescribed under section 64 and guidelines issued under section 65 ,
(e) review data-sharing agreements in accordance with Chapter 2,
(f) advise the Minister in relation to the making of an order under section 37 (1), and
(g) advise the Minister, on request, in relation to the performance of the functions of the Minister under this Act.
(2) The Board may exercise its functions notwithstanding one or more vacancies in its membership.
(3) The Board may regulate its own procedure.
(4) The Minister shall provide such administration and support services to the Board as are necessary for the performance of the functions of the Board.
(5) The Minister may enter into an arrangement for the provision of consultancy, advice or other services to the Board.
Membership of Board and related matters
47. (1) The Board shall consist of not less than 6 and not more than 12 members.
(2) The members of the Board shall be appointed by the Minister.
(3) The Minister, in appointing the members of the Board, shall ensure that the members are persons who have the necessary knowledge, experience and competence in relation to the functions of the Board, including in relation to the protection of personal data.
(4) When appointing members of the Board, the Minister shall have regard to—
(a) the objective that at least 40 per cent of members of the Board shall be women and at least 40 per cent shall be men, and
(b) the guidelines, if any, prepared by the Minister in relation to appointments to boards of State bodies.
(5) The Minister may, following consultation with the Minister, if any, in whom functions in relation to the public body are vested, appoint a person who is an employee of, or holds an office or other position in, a public body to be a member of the Board.
(6) The Minister may appoint not less than 2 persons who are not employees of, or the holders of an office or other position in, a public body to be a member of the Board.
(7) The Minister shall ensure, where practicable, that not less than one third of the members of the Board are appointed pursuant to subsection (6).
(8) The Minister may from time to time appoint one member of the Board to act as its Chairperson.
(9) The Minister shall determine the terms and conditions of appointment of a member of the Board on appointment.
(10) Subject to subsection (11), each member of the Board shall hold office for 3 years from the date of his or her appointment.
(11) A person’s appointment under subsection (5) shall be terminated with effect from the earlier of—
(a) the date on which the person ceases to be employed by, or to hold an office or other position in, the public body concerned, and
(b) the date that is 3 years from the date of their appointment.
(12) A member of the Board whose term of office expires by the effluxion of time or whose appointment is terminated in accordance with subsection (11) shall be eligible for reappointment to the Board, but the total period of membership of the Board of a person shall not exceed 9 years.
(13) A member of the Board who is not employed by, or does not hold an office or position in, a public body may be paid, out of moneys provided by the Oireachtas, such remuneration and allowances for vouched expenses incurred by the member as the Minister may determine.
Committees
48. (1) The Board may establish such committees as it considers necessary or desirable to advise it in the performance of its functions and may appoint such members to such a committee as it considers necessary.
(2) A committee established under subsection (1) may include persons who are not members of the Board, but shall include not less than one member of the Board.
(3) The Board shall determine the terms of reference and procedures of a committee established under subsection (1).
(4) A member of a committee established under subsection (1) who is not a member of the Board may be paid, out of moneys provided by the Oireachtas, such remuneration and allowances for vouched expenses incurred by the member as the Minister may determine.
(5) A committee established under subsection (1) shall prepare and submit a report on its activities to the Board on a regular basis.
(6) A report prepared and submitted by the Board under section 52 shall include a summary of the activities of the committees, if any—
(a) established under subsection (1), and
(b) in existence in the period to which the report relates.
(7) A committee established under subsection (1) may be dissolved by a resolution of the Board at any time and shall stand dissolved on the date that is 2 years from the date of its establishment, unless the Board resolves that the committee is to continue in existence.
Disqualification from membership of Board
49. A person shall cease to be qualified to become a member of, and shall cease to be a member of, the Board if he or she—
(a) is nominated as a member of Seanad Éireann,
(b) is elected as a member of either House of the Oireachtas or of the European Parliament,
(c) is regarded pursuant to Part XIII of the Second Schedule to the European Parliament Elections Act 1997 as having been elected to the European Parliament,
(d) is a Judge, Advocate General or Registrar of the Court of Justice of the European Union,
(e) is a member of the Commission of the European Union,
(f) is a member of the Court of Auditors of the European Union,
(g) is appointed under the Constitution as a Judge or as the Comptroller and Auditor General,
(h) becomes a member of a local authority,
(i) becomes a Commissioner for Data Protection or a member of staff of the Data Protection Commission,
(j) has not been issued with a tax clearance certificate in accordance with section 1095 of the Act of 1997 or has been issued with a tax clearance certificate under that section which has been rescinded under subsection (3A) of that section,
(k) is undergoing a sentence of imprisonment for any term exceeding 6 months imposed by a court of competent jurisdiction in the State,
(l) is disqualified or restricted from being a director of any company, or
(m) is adjudicated bankrupt.
Resignation from membership
50. (1) A member of the Board may resign by notice in writing to the Chairperson or, where that member is the Chairperson, by notice in writing to the Minister.
(2) A resignation under subsection (1) shall take effect on—
(a) the date specified in the notice, or
(b) where no date is specified in the notice, the date on which the Chairperson or Minister, as the case may be, receives the notice.
(3) A person shall be taken to have resigned as a member of the Board where the person is absent, due to illness, from more than 50 per cent of the meetings of the Board held during a 12 month period commencing on the date of a meeting.
(4) A resignation under subsection (3) shall take effect on the next day after the end of the 12 month period concerned.
(5) A person who resigns as a member of the Board under this section also ceases on such resignation to be a member of any body to which he or she was elected, nominated or appointed by the Board.
Casual vacancies
51. If a member of the Board—
(a) dies,
(b) resigns,
(c) ceases to be qualified for office and ceases to hold office, or
(d) is removed from office in accordance with their terms and conditions of appointment,
the Minister may appoint a person to be a member of the Board to fill the casual vacancy so occasioned in the same manner as the member of the Board who occasioned the casual vacancy was appointed.
Reporting
52. (1) The Board shall, not later than 30 June in each year, prepare and submit to the Minister a report on—
(a) the performance by it of its functions under this Act, and
(b) the matters, if any, on which advices have been provided to it by the committees, if any, established under section 48 (1),
in the immediately preceding year, or, in the case of the period from the date the Board is first appointed to the next following 30 June, that period.
(2) The Minister shall, as soon as may be after receiving a report under subsection (1)—
(a) cause copies of it to be laid before each House of the Oireachtas, and
(b) publish a copy of it on a publicly accessible website.
Chapter 2
Review of Data Sharing Agreements
Definitions (Chapter 2)
53. In this Chapter—
“designated lead agency”, in relation to a proposed agreement, means the public body specified as the lead agency therein;
“proposed agreement” means—
(a) a draft data-sharing agreement under which it is proposed that personal data will be disclosed following execution of the draft agreement, or
(b) an existing data-sharing agreement, as amended by a draft amendment agreement, under which it is proposed that personal data will be, or will continue to be, disclosed following execution of the draft agreement;
“proposed party”, in relation to a proposed agreement, means a public body that is proposed to be a party thereto.
Exclusions (Chapter 2)
54. This Chapter shall not apply to an amendment to a data-sharing agreement for the purpose of—
(a) updating the schedule referred to in section 19 (1)(a), or
(b) reflecting a change to the lead agency in accordance with section 21 (3)(c).
Public consultation
55. (1) Each of the proposed parties to a proposed agreement shall publish on a website accessible to the public—
(a) a copy of the proposed agreement,
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation,
(c) where no data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the reasons why no data protection impact assessment has been carried out,
(d) a statement from the data protection officer of each of the proposed parties to the effect that the data protection officer concerned—
(i) has reviewed the proposed agreement, and
(ii) is satisfied that compliance by the proposed parties with the terms of the proposed agreement would not result in a contravention of data protection law,
(iii) is satisfied that the agreement is consistent with Article 5(1) of the General Data Protection Regulation,
and
(e) a notice—
(i) stating that the proposed party is intending to enter into the proposed agreement,
(ii) stating where, on a website accessible to the public, the documents referred to in paragraphs (a) to (d) can be accessed,
(iii) inviting the making, during the period specified by the Board for this purpose, of submissions in relation to the proposed agreement to the designated lead agency, and
(iv) stating the date of publication of the notice.
(2) The proposed parties to a proposed agreement shall publish the information referred to in subsection (1) on the same date.
(3) The designated lead agency concerned shall notify the Board of the publication of the information referred to in subsection (1).
(4) The proposed parties to a proposed agreement shall consider the submissions, if any, made in response to the invitation referred to in subsection (1)(e)(iii) and may, where those proposed parties consider it appropriate, amend the proposed agreement concerned to take into account any such submissions.
Submission of documentation and information to Board
56. (1) The designated lead agency concerned shall, within the period specified by the Board for this purpose, submit the following to the Board:
(a) a copy of the proposed agreement (as amended in accordance with section 55 (4), where applicable);
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation;
(c) the statements referred to in section 55 (1)(d);
(d) such information as the Board may specify in relation to the submissions, if any, made in response to the invitation referred to in section 55 (1)(e)(iii).
(2) The designated lead agency concerned shall provide such additional information relating to the proposed agreement as is requested by the Board, following receipt of the documentation referred to in subsection (1), within the period specified by the Board for this purpose.
Review of data-sharing agreement
57. (1) The Board shall review the documentation submitted under section 56 (1) and the additional information, if any, provided under section 56 (2).
(2) The Board shall have regard to the following matters when carrying out a review under this section:
(a) the extent to which the proposed agreement concerned complies with this Act;
(b) the extent to which the proposed agreement concerned reflects the model agreement, if any, prepared or revised under section 66 (1) for the purpose of the enactment in connection with which the proposed agreement is to be entered into;
(c) whether compliance by the proposed parties with the terms of the proposed agreement concerned would result in a contravention of data protection law;
(d) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement concerned, the summary of the matters referred to in Article 35(7) of the General Data Protection Regulation submitted in accordance with section 56 (1)(b);
(e) the extent to which the proposed agreement concerned complies with the orders and regulations, if any, made under this Act;
(f) the provisions of the proposed agreement concerned relating to the security measures to apply to the transmission, storage and accessing of personal data;
(g) the submissions, if any, made in response to the invitation referred to in section 55 (1)(e)(iii);
(h) whether, in the opinion of the Board, the proposed agreement concerned is in the public interest.
(3) The Board may, when carrying out a review under this section, consult with the Ministers of the Government, if any, in whom functions relating to the proposed parties to the proposed agreement concerned are vested and such other person as the Board considers appropriate having regard to the subject matter of the proposed agreement concerned.
(4) The Board shall notify the designated lead agency concerned following completion of the Board’s review under this section.
(5) A notification under subsection (4) shall—
(a) specify the recommendations, if any, of the Board as regards amendments to the proposed agreement concerned,
(b) where the Board is of the view that its recommendations concern substantive issues, state that the proposed agreement is to be submitted to the Board following amendment for further review under this section.
(6) The proposed parties to the proposed agreement concerned shall take account of the recommendations, if any, notified to the designated lead agency under subsection (4) and amend the proposed agreement accordingly.
Amendments following review
58. Where a proposed agreement is amended following receipt of a notification under section 57 (4) containing the statement referred to in section 57 (5)(b), the designated lead agency shall submit the proposed agreement, as amended, to the Board and section 57 shall apply as if the amended agreement was documentation submitted under section 56 (1).
Execution of agreement
59. Where, following a review of a proposed agreement under section 57 —
(a) the Board does not specify any recommendations in the notification given under section 57 (4) on foot of the review, or
(b) the Board specifies recommendations in the notification given under section 57 (4) on foot of that review and the following conditions are met:
(i) the notification does not contain the statement referred to in section 57 (5)(b);
(ii) the proposed parties are satisfied that the amendments made by them to the proposed agreement take account of the recommendations in that notification,
the proposed agreement may be executed by the proposed parties.
Publication
60. (1) The lead agency in respect of a data-sharing agreement shall send to the Minister—
(a) within 10 days of the execution of the agreement, a copy of the agreement, and
(b) within 10 days of the accession to or withdrawal from the agreement of any party, notification of such accession or withdrawal in writing.
(2) The Minister shall cause copies of the documents received by him or her under subsection (1)—
(a) to be laid before each House of the Oireachtas, and
(b) to be sent to the Board.
(3) The Minister shall publish, on a website maintained by him or her, a list of all documents received by him or her under subsection (1).
(4) The lead agency in respect of a data-sharing agreement shall publish a copy of the agreement on the website maintained by it as soon as practicable after sending a copy of the agreement to the Minister in accordance with subsection (1).
(5) The Board shall publish the following on the website maintained by it following receipt of a copy of the data-sharing agreement in accordance with subsection (2):
(a) a copy of the agreement;
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation;
(c) a copy of the recommendations, if any, made under section 57 (2).
(6) The Minister shall, on request from a Committee, send a copy of a data-sharing agreement received by him or her under subsection (1) to that Committee.
(7) In subsection (6), “Committee” means a Committee appointed by either House of the Oireachtas or jointly by both Houses of the Oireachtas, other than—
(a) the Committee on Members’ Interests of Dáil Éireann or the Committee on Members’ Interests of Seanad Éireann, or
(b) a subcommittee of a Committee referred to in paragraph (a).
Effective date of agreement
61. A data-sharing agreement under which it is proposed that personal data will be disclosed shall come into effect on the date of its publication in accordance with section 60 (4).
Time periods and documentation
62. (1) The Board shall specify—
(a) the time periods referred to in section 55 (1)(e)(iii) and section 56 , and
(b) the information to be submitted in accordance with section 56 (1)(d).
(2) The time period specified by the Board for the purposes of section 55 (1)(e)(iii) shall not be less than 14 days.
Chapter 3
Governance
Application (Chapter 3)
63. This Chapter applies to—
(a) personal data (including special categories of personal data), and
(b) information other than personal data.
Rules, procedures and standards
64. (1) The Minister may, for the purposes referred to in subsection (2), prescribe rules, procedures and standards in relation to—
(a) the operation and use of base registries,
(b) the accessing of personal data by persons—
(i) employed by, or holding an office or other position in a public body, or
(ii) employed by a person acting for or on behalf of a public body,
(c) the recording of information relating to the accessing of personal data held by, or for or on behalf of, public bodies,
(d) the management, preparation and publication of information for re-use by persons other than public bodies,
(e) the processing of personal data by a public body designated in an order made under section 10 (4),
(f) the conduct of data protection impact assessments by public bodies, and
(g) other matters relating to the management of information held by public bodies.
(2) The purposes referred to in subsection (1) are as follows:
(a) to improve the quality and accuracy of information created, held and maintained by public bodies;
(b) to promote increased sharing of information between public bodies in accordance with this Act and any other enactment providing for such sharing of information;
(c) to ensure a consistent approach to the management of information by public bodies so as to facilitate the exchange of information between them;
(d) to increase the usefulness of information held by public bodies for the purposes of—
(i) performing their functions,
(ii) modernising and developing public services,
(iii) evaluating the effectiveness of services provided by public bodies, and
(iv) evaluating the effectiveness of expenditure by public bodies;
(e) to ensure that information is managed by public bodies in accordance with international best practice as regards data protection;
(f) to improve the availability and accessibility for re-use and redistribution of information, other than personal data, held by public bodies.
(3) A rule, procedure or standard prescribed under subsection (1)(a) shall apply to information—
(a) collected for statistical purposes in accordance with the Statistics Act 1993 , or
(b) disclosed in accordance with regulations made under section 2 of the Vital Statistics and Births, Deaths and Marriages Registration Act 1952 .
Guidelines
65. (1) The Minister may, after consultation with such (if any) other Ministers of the Government as the Minister considers appropriate, prepare and issue guidelines (including guidelines in relation to rules, procedures or standards prescribed under section 64 ) to assist public bodies in the performance of their functions under this Act or other enactments relating to data-sharing.
(2) Public bodies shall have regard to the guidelines, if any, issued under this section in the performance of their functions under this Act and the provisions of other enactments relating to data-sharing.
Model agreements
66. (1) The Minister may, after consultation with such (if any) other Ministers of the Government as the Minister considers appropriate, prepare or revise model data-sharing agreements for the purpose of this Act or another enactment relating to data-sharing.
(2) The Minister may request the Board to provide advice in relation to the preparation or revision of model data-sharing agreements.
(3) Where a model data-sharing agreement has been prepared or revised, as the case may be, for the purpose of an enactment under subsection (1), a public body entering into a data-sharing agreement for the purpose of that enactment shall use the model data-sharing agreement as a basis for the data-sharing agreement to be entered into by it.
Publication of regulations and guidelines
67. The Minister shall publish, on a website maintained by him or her—
(a) the rules, procedures and standards, if any, prescribed under section 64 , and
(b) the guidelines, if any, issued under section 65 .
Compliance report
68. (1) The Board may by notification in writing request a public body to provide a compliance report within a particular time.
(2) A public body shall provide the Board with a compliance report within the time period specified in a notification given to the public body under subsection (1).
(3) In this section, “compliance report” means a statement signed by—
(a) the person who is the accounting officer, in relation to the appropriation accounts of the public body concerned, for the purposes of the Comptroller and Auditor General Acts 1866 to 1998, or
(b) where there is no such accounting officer, the person who holds, or performs the functions of, the office of chief executive officer (by whatever name called) of the public body,
detailing how the public body has complied with its obligations under this Act and the orders and regulations, if any, made under this Act.
PART 10
Miscellaneous
Prohibition on requests for certain documents
69. (1) The Minister may, following consultation with any relevant Minister of the Government and having had regard to the matters referred to in subsection (4), prescribe—
(a) certain documents or classes of document the provision of which a public body shall not request from a person (other than a public body) in original, copy or electronic form, or
(b) certain uses for the purposes of which a public body shall not request the provision of certain documents or classes of documents from a person (other than a public body) in original, copy or electronic form.
(2) A public body shall not—
(a) request a document or class of document which is prescribed under subsection (1)(a), or
(b) request a document or class of document for the purposes of a use of such a document or class of document which is prescribed under subsection (1)(b).
(3) In this section “relevant Minister of the Government” means a Minister of the Government the exercise of whose functions would be affected by the making of an order proposed to be made under subsection (1).
(4) The matters to which the Minister is to have regard for the purposes of subsection (1) are as follows:
(a) whether the proposed prohibition would facilitate the carrying out of a function of a public body by—
(i) reducing the duplication of tasks carried out by one or more public bodies,
(ii) increasing the efficiency of the public body in carrying out the function, or
(iii) facilitating an improvement in the quality of services being delivered by one or more public bodies;
(b) whether the proposed prohibition would reduce the need for a person to provide the same information to more than one public body.
Specification of information
70. (1) The Minister may, with the consent of such other (if any) Minister of the Government as the Minister considers appropriate having regard to the functions of that other Minister, for the purposes of—
(a) ensuring greater consistency and accuracy of information held and managed by public bodies, and
(b) increasing the usefulness of information held and used by public bodies for the purposes of—
(i) performing their functions,
(ii) modernising and developing public services,
(iii) evaluating the effectiveness of services provided by public bodies, and
(iv) evaluating the effectiveness of expenditure by public bodies,
direct a public body to collect information or classes of information specified in the direction.
(2) A direction under subsection (1) may specify the format in which the information is to be stored following collection.
(3) A public body to which a direction under subsection (1) applies shall comply with the direction.
(4) This section applies to—
(a) personal data (including special categories of personal data), and
(b) information other than personal data,
whether or not the disclosure of that information is regulated by this or any other enactment.
Provision of information on data-sharing
71. (1) The Minister may direct a public body to provide him or her with the information specified in subsection (2).
(2) The information referred to in subsection (1) is as follows:
(a) a list of all data-sharing arrangements that that body has engaged in with other public bodies under this or any other enactment, setting out in respect of each such arrangement—
(i) the names of the participants in the arrangement,
(ii) the purpose of the data-sharing,
(iii) the function of the public body concerned to which the purpose referred to in subparagraph (ii) relates,
(iv) the legal basis for the data-sharing and any further processing, by the parties to the arrangement, of the information disclosed pursuant to the arrangement,
(v) a description of the information disclosed pursuant to the arrangement,
(vi) how the information is processed following its disclosure,
(vii) any restrictions on the disclosure of information after the processing of such information referred to in subparagraph (vi),
(viii) where a data protection impact assessment has been carried out, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation,
(ix) the security measures applied to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures,
(x) the requirements in relation to the retention of—
(I) the information disclosed, and
(II) the information resulting from the processing of that information,
for the duration of the arrangement and in the event that the arrangement is terminated, and
(xi) the method employed or to be employed to destroy or delete—
(I) the information disclosed, and
(II) the information resulting from the processing of that information,
at the end of the period for which the information is to be retained in accordance with the arrangement;
(b) any alteration of the data-sharing arrangements referred to in subsection (2) in the period since the public body last provided information on such data-sharing arrangements to the Minister;
(c) such additional information as may be prescribed under subsection (5).
(3) A direction under subsection (1) may specify that the information be provided—
(a) on a periodic basis, or
(b) on each occasion that a new arrangement is entered into or an existing arrangement is altered in any way.
(4) A public body to which a direction under subsection (1) applies shall comply with the direction.
(5) The Minister may, for the purposes of—
(a) increasing transparency in the activities of public bodies as regards their sharing of information under this Act or any other enactment, and
(b) promoting good governance in the sharing of information under this Act or any other enactment,
prescribe additional information to be provided by a public body in receipt of a direction under subsection (1).
(6) The Minister shall publish, on a website maintained by him or her, all of the information received by him or her pursuant to a direction issued under subsection (1).
Amendment of Act of 1997
72. Section 917D of the Act of 1997 is amended in subsection (1) by the substitution of the following definition for the definition of “digital signature”:
“ ‘digital signature’ in relation to a person, means—
(a) a qualified certificate (within the meaning of the Electronic Commerce Act 2000 ) provided to the person by the Revenue Commissioners (or a person appointed in that behalf by the Revenue Commissioners), and
(b) an advanced electronic signature (within the meaning of that Act) generated using the qualified certificate referred to in paragraph (a);”.
Amendment of Ministers and Secretaries (Amendment) Act 2011
73. Section 17A of the Ministers and Secretaries (Amendment) Act 2011 is amended by the substitution of the following subsection for subsection (2):
“(2) Information provided to the Minister under subsection (1) shall not include any personal data (within the meaning of the General Data Protection Regulation), unless that information is provided in accordance with Part 5 of the Data Sharing and Governance Act 2019.”.
Amendment of Social Welfare Consolidation Act 2005
74. Schedule 5 to the Act of 2005 is amended by the insertion, in paragraph 1(4), of “the National Shared Services Office,” after “the National Council for Special Education”.
Amendment of National Shared Services Office Act 2017
75. Section 6 of the National Shared Services Office Act 2017 is amended in subsection (1) by the substitution of “An Oifig Náisiúnta um Sheirbhísí Comhroinnte” for “Oifig Náisiúnta Seirbhísí Comhroinnte”.
SCHEDULE
Bodies to which definition of “public body” does not apply
Section 10 (5)
1. Any body corporate established by Act of Parliament before 6 December 1922 that, upon its establishment, was of a commercial character.
2. An Post.
3. Bord na gCon.
4. Bord na Móna Plc.
5. Central Bank of Ireland.
6. Córas Iompair Éireann.
7. Coillte Cuideachta Ghníomhaíochta Ainmnithe.
8. Cólucht Groighe Náisiúnta na hÉireann Cuideachta Ghníomhaíochta Ainmnithe (The Irish National Stud Designated Activity Company).
9. Cork Airport Authority, public limited company.
10. daa, public limited company.
11. Drogheda Port Company.
12. Dublin Port Company.
13. EirGrid Plc.
14. Electricity Supply Board.
15. Ervia.
16. Galway Harbour Company.
17. Horse Racing Ireland.
18. Irish Aviation Authority.
19. New Ross Port Company.
20. Port of Cork Company.
21. Port of Waterford Company.
22. Raidió Teilifís Éireann.
23. Shannon Airport Authority, public limited company.
24. Shannon Foynes Port Company.
25. Teilifís na Gaeilge.
26. Voluntary Health Insurance Board.
27. A subsidiary of a body to which this Schedule relates, including a subsidiary of such a subsidiary.
1 OJ No. L 119, 4.5.2016, p. 89.
2 OJ No. L 119, 4.5.2016, p. 1.
3 OJ No. L 393, 30.12.2006, p. 1.
4 OJ No. L 97, 9.4.2008, p. 13.
5 OJ No. L 32, 3.2.2012, p. 1.