Data Protection Acts 1988 and 2003 A Guide For Data Controllers
This booklet is intended as an introductory guide to those persons/bodies who are data controllers, in that they control the contents and use of personal data. It outlines the eight fundamental rules of data protection and presents them in a user friendly format. It is not an authoritative or definitive interpretation of the law, it is intended as a non-technical guide for data controllers. If, after reading this booklet, you require further information, please consult the Data Protection Commissioner’s website www.dataprotection.ie, or contact the office by the various means detailed on the back of this booklet. If in particular doubt in relation to your legal responsibilities please take legal advice as appropriate.
As with any legislation, certain terms have particular meaning. The following are some useful definitions:
Data means information in a form which can be processed. It includes both automated data and manual data.
Automated data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.
Manual data means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.
Relevant filing system means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances.
Processing means performing any operation or set of operations on data, including:
Data Subject is an individual who is the subject of personal data.
Data Controllers are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as GPs, pharmacists or sole traders.
Data Processor is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment. Again, individuals such as GPs, pharmacists or sole traders are considered to be legal entities.
Sensitive personal data relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.
You have additional rights in relation to the processing of any such data.
What is data protection?
It is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. The Data Protection Acts 1988 and 2003 confer rights on individuals as well as placing responsibilities on those persons processing personal data.
Are you a data controller?
If you, as an individual or an organisation, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller. In practice, to establish whether or not you are a data controller, you should ask, do you decide what information is to be collected, stored, to what use it is put and when it should be deleted or altered. Because of the serious legal responsibilities attached to a data controller under the Acts, you should seek the advice of the Commissioner if you have any doubts as to whether or not you are a data controller in any particular case.
What are your responsibilities as a data controller?
You have certain key responsibilities in relation to the information which you process. These may be summarised in terms of eight fundamental rules which you must follow. These rules which are detailed in this guide apply to all data controllers. Certain categories of data controllers are also obliged to register with the Data Protection Commissioner. This is a separate legal requirement and in no way obviates the need to comply with the requirements of the Acts having so registered.
There are some specific requirements on which more details can be found on our website, in various annual reports of the Data Protection Commissioner or by contacting this Office directly.
How do you as a data controller ensure compliance with the law?
You must make yourself aware of your data protection responsibilities, in particular, to process personal data fairly. You should ensure that your staff are made aware of their responsibilities through appropriate induction training with refresher training as necessary and the availability of an internal data protection policy that is relevant to the personal data held by you. An internal policy which reflects the eight fundamental data protection rules and applies them to your organisation, which is enforced through supervision and regular review and audit, is a valuable compliance tool.
How are the Acts enforced?
The Commissioner’s role is to ensure that those who keep personal data comply with the provisions of the Acts. He has a wide range of enforcement powers to assist him in ensuring that the principles of data protection are being observed. These powers include the serving of legal notices compelling data controllers to provide information needed to assist his enquiries, and compelling a data controller to implement one or more provisions of the Acts in a particular prescribed manner.
He may investigate complaints made by the general public or carry out investigations proactively. He may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place. You and your staff are required to co-operate fully with such officers.
A data controller found guilty of an offence under the Acts can be fined amounts up to €100,000, on conviction on indictment and/or may be ordered to delete all or part of the database.
The Commissioner also publishes an annual report which names, in certain cases, those data controllers that were the subject of investigation or action by his Office.
The Eight Rules of Data Protection
To fairly obtain data the data subject must, at the time the personal data is being collected, be made aware of:
In addition, where the personal data is not obtained from the data subject, either at the time their data is first processed or at the time of disclosure to a third party, all the above information must be provided to the data subject and they must also be informed of the identity of the original data controller from whom the information was obtained and the categories of data concerned.
To fairly process personal data it must have been fairly obtained, and:
• the data subject must have given consent to the processing;
• the processing must be necessary for one of the following reasons -
To fairly process sensitive data (see definitions panel at the beginning of this booklet) it must have been fairly obtained and there are additional special conditions (one of the conditions outlined above must also be met) of which at least one of the following must be met:
• the data subject has given explicit consent (or where they are unable to do so, for reasons of incapacity or age, explicit consent must be given by a parent or legal guardian) to the processing, i.e. the data subject has been informed of the purpose/s in processing the data and has supplied his/her data with that understanding;
• the processing must be necessary for one of the following reasons -
You may only keep data for a purpose(s) that are specific, lawful and clearly stated and the data should only be processed in a manner compatible with that purpose(s). An individual has a right to question the purpose for which you hold his/her data and you must be able to identify that purpose.
To comply with this rule:
• in general, a person should know the reason/s why you are collecting and retaining their data;
• the purpose for which the data is being collected should be a lawful one;
• you should be aware of the different sets of data which you keep and the specific purpose of each.
Any use or disclosure must be necessary for the purpose(s) or compatible with the purpose(s) for which you collect and keep the data. You should ask yourself whether the data subject would be surprised to learn that a particular use of or disclosure of their data is taking place.
A key test of compatibility is:
• do you use the data only in ways consistent with the purpose(s) for which they are kept?
• do you disclose the data only in ways consistent with that purpose(s)?
The rule, that disclosures of information must always be compatible with the purpose(s) for which that information is kept, is lifted in certain restricted cases by Section 8 of the Act. Examples of such cases would include some obvious situations where disclosure of the information is required by law or is made to the individual himself/herself or with his/her consent.
Any processing of personal data by a data processor on your behalf must also be undertaken in compliance with the Acts. This requires that, as a minimum, any such processing takes place subject to a contract between the controller and the processor which specifies the conditions under which the data may be processed, the security conditions attaching to the processing of the data and that the data be deleted or returned upon completion or termination of the contract. The data controller is also required to take reasonable steps to ensure compliance by the data processor with these requirements.
Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. The security of personal information is all-important, but the key word here is appropriate, in that it is more significant in some situations than in others, depending on such matters as confidentiality and sensitivity and the harm that might result from an unauthorised disclosure. High standards of security are, nevertheless, essential for all personal information. The nature of security used may take into account what is available technologically, the cost of implementation and the sensitivity of the data in question.
A minimum standard of security would include the following:
Apart from ensuring compliance with the Acts, this requirement has an additional importance in that you may be liable to an individual for damages if you fail to observe the duty of care provision in the Act applying to the handling of personal data which tends to arise substantially in relation to decisions or actions based on inaccurate data. In addition, it is also in the interests of your business to ensure accurate data for reasons of efficiency and effective decision making.
To comply with this rule you should ensure that:
The accuracy requirement does not apply to back-up data, that is, to data kept only for the specific and limited purpose of replacing other data in the event of their being lost, destroyed or damaged.
You can fulfil this requirement by making sure you are seeking and retaining only the minimum amount of personal data which you need to achieve your purpose(s). You should decide on specific criteria by which to assess what is adequate, relevant, and not excessive and apply those criteria to each information item and the purpose/s for which it is held.
To comply with this rule you should ensure that the information sought and held is:
A periodic review should be carried out of the relevance of the personal data sought from data subjects through the various channels by which information is collected, i.e. forms, website etc. In addition, a review should also be undertaken on the above basis of any personal information already held.
This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. It is a key requirement of Data Protection legislation as personal data collected for one purpose cannot be retained once that initial purpose has ceased. Equally, as long as personal data is retained the full obligations of the Acts attach to it. If you don’t hold it anymore then the Acts don’t apply.
You should assign specific responsibility to someone for ensuring that files are regularly purged and that personal information is not retained any longer than necessary. This can include appropriate anonymisation of personal data after a defined period if there is a need to retain non-personal data.
To comply with this rule you should have:
On making an access request any individual about whom you keep personal data is entitled to:
It is important that you have clear co-ordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is being made.
To make an access request the data subject must:
Every individual about whom a data controller keeps personal information has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.
In response to an access request you must:
If you do not keep any information about the individual making the request you should tell them so within the 40 days. You are not obliged to refund any fee you may have charged for dealing with the access request should you find you do not, in fact, keep any data. However, the fee must be refunded if you do not comply with the request, or if you have to rectify, supplement or erase the personal data concerned.
If you restrict the individual’s right of access in accordance with one of the very limited restrictions set down in the Acts, you must notify the data subject in writing within 40 days and you must include a statement of the reasons for refusal. You must also inform the individual of his/her entitlement to complain to the Data Protection Commissioner about the refusal.
There are a number of modifications to the basic Right to Access granted by the Acts which include the following:
Transferring Personal data Abroad
An area of concern for many data controllers is the set of requirements that must be met before transferring data abroad. There are special conditions that have to be met before transferring personal data outside the European Economic Area (all EU countries plus Norway, Iceland and Liechtenstein), where the importing country does not have an EU-approved level of data protection law. Such approval is termed a finding of adequacy. Where there is no finding of adequacy, one of the following conditions must be met if a transfer is to take place. Either the transfer must be:
As the legislation on the transfer of data abroad is complex, where doubt arises it is advisable for persons to contact this Office in order to seek guidance on specific cases.
1. This is a certification programme overseen by the US Department of Commerce which allows certain US-based companies to self-certify as having an adequate level of data protection that meets EU standards, and consequently personal data can be transferred without the need for recourse to the EU Model Contracts.
Basic Data Protection Checklist
Further information is available from our website or you can contact the Office directly by email or by phone. Brochures and leaflets relating to the Acts are also available free of charge, on request from:
The Office of the Data Protection Commissioner
LoCall: 1890 252 231
Tel: 057 868 4800
Fax: 057 868 4757