Sweeping Changes to Privacy Law

11th August 2003

In this article we briefly summarise the principal changes made by the 2003 Act from the perspective of:

(1) data controllers (organisations who process personal data),

(2) data subjects (anyone who is the subject of personal data) and

(3) the activities of the Data Protection Commissioner (the office in Ireland which oversees the implementation of data protection laws).

Data Controllers

Almost all organisations are likely to be regarded as “data controllers”, and the Act extends and clarifies their existing responsibilities.

  • Application to manual records: One of the most controversial aspects of the new legislation is its extension to manual records held on relevant filing systems (i.e. manual records structured by reference to individuals, or to criteria relating to individuals, so that specific information about a particular individual is readily accessible). All new manual records held on relevant filing systems are subject to the new Act; records already in existence on 1 July 2003 are not subject to all of its provisions until 24 October 2007, although certain sections, including the access provisions, apply to them now.
  • Fair obtaining: The requirement to obtain data fairly remains largely unchanged. At the time the data is collected the data subject must still be told the controller’s identity, the purpose for which the data will be processed and any other information that fairness requires.
  • Fair processing: In addition, every controller must now satisfy at least one of a number of further conditions before the processing is treated as fair, including that:
    • the data subject has given consent;
    • the processing is necessary to comply with a legal obligation;
    • the processing is necessary for the performance of a contract;
    • the processing is necessary to protect the vital interests of the data subject (where consent cannot be obtained in advance);
    • the processing is necessary for the performance of a public function carried out in the public interest; or
    • the processing is necessary for legitimate purposes pursued by the controller.
  • Processing sensitive data: In addition to the requirements set out above, controllers processing sensitive data (broadly, personal data relating to a person’s race, politics, religion, sexual life or criminal life) must satisfy a further requirement under the new Act.
  • Security: Security measures must be appropriate to the nature of the data held, taking into account the harm that unauthorised access could cause. The controller must make all employees aware of the security measures in place and must ensure that they comply with the legislation. Where a controller engages a data processor, it must ensure that the processor applies equivalent security measures.
  • Processing of publicly available information: The Act restricts the use for direct marketing of certain public databases, such as the electoral register, and the data subject must be informed of his or her right to object to such processing.

Data Subjects

The Act extends and clarifies the existing rights of data subjects.

  • Right to be informed: Controllers who obtain personal data must tell the data subject the controller’s identity (and that of the original controller, if any), the purpose for which the data is kept and any other information needed to ensure that the handling of the data is ‘fair’.
  • Improved right of access: The right now extends to information held on relevant manual filing systems. As well as providing a copy of the data held, the controller must describe the type of data, the purpose for which it is held, the persons to whom it will be disclosed, its source and the logic used in any automated decision-making. A further addition is a right of access to any opinion expressed about the data subject; the only exception is where the opinion was given in confidence.

  • No enforced access: A data subject cannot be compelled to exercise the right of access. Under the Act no person may require a data subject to make an access request, or to disclose the result of one, as a condition of recruitment or employment. Where vetting is necessary for employment purposes, the data subject may consent to the release of personal data to a third party (this provision is not yet in force).
  • Right to object: Where a data subject considers that the use of his or her personal data could cause substantial and unwarranted damage or distress, he or she may, subject to certain exceptions, require the controller to stop using the data.
  • Right to block certain use: Data subjects may require organisations holding their data to ‘block’ it so that it cannot be used for certain purposes, such as direct marketing.
  • Freedom from automated decision-making: Important decisions (including decisions on creditworthiness) may not be made solely by automated means unless the data subject consents.

The Data Protection Commissioner

The new Act is likely to give the Data Protection Commissioner a more proactive role in regulating the application of privacy laws.

The Commissioner’s powers will include:

  • the ability to initiate investigations to ensure that the Data Protection Acts 1988 and 2003 are complied with;
  • the power to issue codes of good practice, which may be given statutory effect;
  • the authority to approve codes put forward by trade associations before they take effect;
  • the authority to carry out investigations where he sees fit (which may be on a random basis in respect of individual controllers); and
  • vetting each data controller registration application to check whether proposed processing is likely to cause substantial damage to the data subjects.

Miscellaneous Provisions

Registration of Controllers: Under the new Act all controllers will be required to register unless exempted by the Minister for Justice, Equality and Law Reform. The Minister intends to consult on the precise scope of the requirement; it is not intended that controllers undertaking ‘low-risk’ processing be required to register under the Act.

Territorial Effect: Generally, the Acts will now apply to controllers established in and processing data in Ireland or those controllers who use equipment in Ireland for processing data.

Transfers outside the EEA: The new Act sets out provisions on the transfer of personal data outside the EEA. These provisions have in fact been in force since April 2002. Under them, personal data may not be transferred to a country outside the EEA unless that country ensures an adequate level of protection or one of a number of alternative conditions is satisfied, one being that the explicit consent of the data subject is obtained. These provisions are of particular relevance to multinational organisations which may transfer personnel and other data overseas.

Marianne Crowley/Adrian Wall