Data Protection Commission
Offences and Penalties

Disclaimer: Note that the material contained in this section is provided for general information purposes only, and does not purport to be legal advice or a definitive interpretation of the law. If you require legal advice on these or related matters, it is recommended that you consult a legal adviser.

The Data Protection Acts and the Electronic Communications Regulations (S.I. 535 of 2003, as amended by S.I. 526 of 2008) set out the rules with which data controllers must comply. Breaches of these rules sometimes constitute offences which are punishable by fines. The offences are listed below:

Offences by data controllers who are required to register

Offences by any data controllers (not just those who are required to register)

Offences by employees or agents of registered data controllers

Offences by data processors who are required to register

Offences by any data processors (not just those who are required to register)

Offences by employees or agents of data processors

Offences by directors etc. of bodies corporate

Offences by any persons

Offences by direct marketers under S.I. 535 of 2003, as amended by S.I. 526 of 2008

Failure of a data controller or a data processor to register

Under Section 19(6) of the Data Protection Acts, it is an offence for a data controller who is required to be registered to keep personal data unless he is registered. It is also an offence for a data processor who is required to be registered to process personal data unless the data processor is registered. Accordingly, data controllers who continue to keep personal data, and data processors who continue to process personal data, without meeting their requirement to register are liable to be prosecuted. However, if a data controller or data processor has a registration application pending with this office, then there is no offence.


Failure to comply with the particulars contained in the register entry

A registered data controller specifies, in his registration application, what types of personal data will be kept, for what purpose, to whom the personal data will be disclosed, and to what places outside the State the data will be transferred. A registered data controller who knowingly treats personal data in a way not covered by the particulars included in the register entry is guilty of an offence under section 19(6) of the Acts. The same rule applies to employees or agents of the data controller (other than data processors), who are subject to the same restrictions as the data controller in respect of the handling of the personal data. Data controllers, and their employees and agents, should therefore ensure that the particulars included in the register entry adequately describe the scope of the data controller's dealings with the personal data. If a data controller wishes to treat personal data in a way not covered by the register entry, then the data controller should first amend the register entry accordingly.

Failure to notify the Data Protection Commissioner of your change of address

Under section 19(6) of the Data Protection Acts, it is an offence for a data controller or data processor, in respect of whom there is a register entry, to fail to notify the Commissioner of any change of address.

Provision of false or misleading information when applying for registration

It is an offence under section 20(2) of the Data Protection Acts to knowingly furnish the Commissioner with false or misleading information when applying for registration.

Failure to comply with an enforcement notice

Under Section 10(9) of the Data Protection Acts, it is an offence for any data controller or data processor, without reasonable excuse, to fail or refuse to comply with a requirement specified in an enforcement notice. There is a right of appeal against requirements specified in such notices.


Failure to comply with an information notice

Under Section 12(5) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a requirement specified in an information notice. Knowingly to provide false information, or information that is misleading in a material respect, in response to an information notice is also an offence. There is a right of appeal against requirements specified in an information notice.

Failure to comply with a prohibition notice

Under Section 11(15) of the Data Protection Acts, it is an offence for any person, without reasonable excuse, to fail or refuse to comply with a prohibition specified in a prohibition notice. There is a right of appeal against requirements specified in such notices.

Unauthorised disclosure of personal data by a data processor

Under Section 21(2) of the Data Protection Acts, it is an offence for any data processor, or for any employee or agent of his, to knowingly disclose personal data without the prior authority of the data controller on whose behalf the data were processed.

Offences by directors, managers, officers etc. of bodies corporate

Bodies corporate, such as companies, statutory bodies, and formally constituted voluntary bodies, are bound by the Data Protection Acts in the same way as individuals. Section 29 of the Act provides that directors, managers, secretaries or other officers of a body corporate which has committed an offence under the Act are also guilty of that offence if it is proved to have been committed with their consent or connivance, or to be attributable to any neglect on their part. If no officer of the body corporate can be shown to bear personal responsibility for the offence, only the body corporate commits the offence. If one can, both the officer and the body corporate can be prosecuted.

This principle is extended to bodies corporate that are managed by their members. Any member who is personally responsible for the offence can similarly be prosecuted as if he were a director or manager of the body corporate concerned.


Disclosure of personal data which was obtained without authority

The Data Protection Acts deal with the threat to privacy posed by persons who are not data controllers or data processors (or their employees) and who, having obtained unauthorised access to personal information, then disclose it to others. Under section 22 of the Acts, such conduct is an offence. This unauthorised access can occur in various ways. In the case of electronic data the most obvious is "hacking", i.e. obtaining access by electronic means from a point remote from the computer. Unauthorised access can also occur when someone gains access to a data controller's equipment while the staff are not present. Someone might steal, or take without authority, a diskette, tape or manual file on which data are recorded. Or someone (other than the data controller or his staff) could be in a position to read personal data displayed on a computer screen or to read a printout. But whichever way the unauthorised access takes place, it is an offence if the person concerned, having gained access, proceeds to disclose to another person the information he or she has accessed.

Obstruction of, or failure to cooperate with, an "authorised officer"

Section 24 of the Data Protection Acts confers certain powers upon an "authorised officer", a person authorised by the Data Protection Commissioner to exercise powers of entry and inspection.


Section 24(6) of the Acts makes it an offence for any person to obstruct or impede an authorised officer in the exercise of a power; to fail to comply with any of the requirements to cooperate with the authorised officer; or knowingly to give false or misleading information to an authorised officer, in purported compliance with such requirements.

Sending unsolicited marketing messages to individuals by fax, SMS, e-mail or automated dialling machine

It is an offence under regulation 13(9) of S.I. 535 of 2003, as amended by S.I. 526 of 2008, to send an unsolicited marketing communication by SMS or e-mail to an individual who is not a customer, or to send an unsolicited marketing communication by fax or automated calling machine to any individual, unless the prior consent of the individual has been obtained.

Sending unsolicited marketing by fax, SMS, e-mail or automated dialling machine to a business if it has objected to the receipt of such messages

If a business has informed the sender that it does not consent to direct marketing messages, then it is an offence to send such messages by telephone, fax, automated calling machine, SMS or e-mail. It is also an offence to make an unsolicited telephone call for the purpose of direct marketing, or to send a direct marketing message by fax or automated dialling machine, if an objection to such communications is recorded in the National Directory Database for that line.

Marketing by telephone where the subscriber has objected to the receipt of such calls

It is an offence under regulation 13(9) of S.I. 535 of 2003, as amended by S.I. 526 of 2008, to make an unsolicited telephone call for the purpose of direct marketing if the sender is notified of an objection to such communications or an objection is recorded in the National Directory Database for that line.

Failing to identify the caller or sender, or failing to provide a physical address or return e-mail address

When direct marketing telephone calls are made or messages are sent by e-mail, SMS, fax or automated dialling machine, the caller or sender must identify themselves and provide a telephone number, address or e-mail address at which they can be contacted. Failure to do so is an offence under regulation 13(9) of S.I. 535 of 2003, as amended by S.I. 526 of 2008.

Failing to give customers the possibility of objecting to future e-mail and SMS marketing messages with each message sent

Where direct marketing messages relating to the sender's own similar products are sent to customers by e-mail or SMS, the sender must give, with each message sent, an easy-to-use and free-of-charge opportunity to object to future messages. This opportunity must also have been given when the contact details were initially collected from the customer. Failure to comply is an offence under regulation 13(9) of S.I. 535 of 2003, as amended by S.I. 526 of 2008.

Concealing the identity of the sender on whose behalf the marketing communication was made

It is an offence under regulation 13(9) of S.I. 535 of 2003, as amended by S.I. 526 of 2008, for the sender of an e-mail or SMS for direct marketing purposes to disguise or conceal the identity of the sender or to fail to provide a valid address to which the recipient can send a request that such communication shall cease.


Penalties for Offences under the Data Protection Act

Criminal sanctions

Summary proceedings for an offence under the Data Protection Acts may be brought and prosecuted by the Data Protection Commissioner. Under section 31 of the Acts, the maximum fine on summary conviction of such an offence is €3,000. On conviction on indictment, the maximum penalty is a fine of €100,000.

If the commission of an offence under the Data Protection Acts also involves violence (for example, if an "authorised officer" is assaulted while trying to gain access to a premises under section 24), then the offender can also be proceeded against for assault and be liable to imprisonment.

Civil sanctions

Where a person suffers damage as a result of a failure by a data controller or data processor to meet their data protection obligations, the data controller or data processor may be subject to civil sanctions brought by the person affected. Ordinarily, the "injury" suffered by a data subject will be damage to his or her reputation, possible financial loss and mental distress. The data subject concerned may already have adequate remedies under existing law: defamation where appropriate, breach of confidentiality, and so on, but perhaps more frequently negligence, because in some cases a data controller or data processor would owe a duty of care to the data subjects about whom data are kept or processed, that is, a duty to see that they are not harmed by negligent handling of the data in question. In so far as a data controller or data processor might not otherwise be subject to this duty of care, section 7 of the Data Protection Acts remedies this by ensuring that such a duty is implied in all cases where personal data are kept or processed.

Forfeitures etc.

Where a court convicts a person of an offence under the Data Protection Acts, section 31(2) of the Acts gives the court discretion to order any data material, i.e. any document or other material used in connection with, or produced by, data equipment connected with the commission of the offence, to be forfeited or destroyed. The court may also order any relevant data to be erased. A court would use this power to prevent any further damage being done through use of the material or of the data.

When exercising this power, the court must give the owner of the data concerned or anyone who is otherwise interested in them an opportunity to show cause why a forfeiture etc. order should not be made.

Penalties for offences under S.I. 535 of 2003, as amended by S.I. 526 of 2008

Summary proceedings for an offence under S.I. 535 of 2003, as amended by S.I. 526 of 2008, may be brought and prosecuted by the Commissioner. Each call or message can attract a fine of up to €5,000 on summary conviction. If convicted on indictment, the fines range from €50,000 for a natural person to €250,000 or 10% of turnover if the offender is a body corporate.

The court may also order the destruction of data connected with the commission of an offence. See "Forfeitures etc." above in relation to penalties under the Data Protection Acts.


Office of the Data Protection Commissioner. Canal House, Station Road, Portarlington, Co. Laois, Ireland.
LoCall 1890 25 22 31 - Phone 00353 57 868 4800 - Fax 00353 57 868 4757 - email info@dataprotection.ie