 |
Definitions
As with any legislation, certain terms used in the Data Protection Acts, 1988 and 2003, have a quite specific meaning. The following are some important definitions, taken from section 1 of the Act, with additional comments and relevant links provided where appropriate.
Data means automated and manual data
Automated data means information that -
(a) is being processed by means of equipment operating automatically in response to instructions given for that
Purpose, or
(b) is recorded with the intention that it should should be processed by means of such equipment;
Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;
Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
>> see guidance note on relevant filing system
Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;
>> see guidance note on personal data
Note that "personal data" means any information about or relating to the individual. In this respect, the term "personal data" has a different meaning than the term "personal information", as used in the Freedom of Information Act, which is restricted to the sort of private, confidential or sensitive information that might only be known to the individual and his or her family.
| LINK» | go to website of the Information Commissioner |
Sensitive personal data means personal data as to -
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
(b) whether the data subject is a member of a trade union
(c) the physical or mental health or condition or sexual life of the data subject,
(d) the commission or alleged commission of any offence by the data subject, or
(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;
Data subject is an individual who is the subject of personal data.
Data controller is a person who (either alone or with others) controls the contents and use of personal data.
Data processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.
Disclosure - In relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.
Comment: Arising from this definition, a transfer of personal data to an agent, who is carrying out a task on your behalf, is not a disclosure, and need not involve a contravention of the Data Protection Act in the same way as a disclosure to a third party. However, to rely on this provision, the principal-agent relationship must be bona fide and accompanied with appropriate safeguards. Where a data processor is involved there must be a contract in place that imposes equivalent security obligations on the processor as would apply to the controller.
| LINK» | more about disclosures of personal data to third parties |
Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including-
(a) obtaining, recording or keeping the information or data
(b) collecting, organising, storing, altering or adapting the information or data, (c) retrieving, consulting or using the information or data,
(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or,
(e) aligning, combining, blocking, erasing or destroying the information or data, and, cognate words shall be construed accordingly;
Territorial Application of the Data Protection Acts
Naturally, if a data controller is based completely outside of Ireland, does not use equipment in Ireland for its processing, and does not have any branches or agencies acting on its behalf in Ireland, the data controller is not subject to the Data Protection Acts. Conversely, if a data controller is located in Ireland, carries on its activities in Ireland, and uses equipment and agencies located in Ireland, it is obvious that the Act applies to it.
However, what about less clear-cut cases? If the data controller is based outside of Ireland, but uses branches or agencies in Ireland to collect and process personal data, does the Irish Act apply? What if a company is legally established in Ireland, but carries on all of its activities in other countries? Does it affect matters if the other country is an EU or EEA country?
The Acts apply to data controllers 'established in Ireland', and to data controllers established outside the EEA who make use of equipment in Ireland for processing personal data. Further details are given below.
Data controllers established in Ireland
The Acts applies to all data controllers established in Ireland who process personal data in the context of that establishment. . It does not matter whether the personal data relates to non-Irish people, or whether the data controller actually carries on all of its activities outside of Ireland. Once the data controller is established in Ireland and processes personal data in the context of that establishment, then it is subject to Irish data protection law for the personal data processed in the context of that establishment.
However, the term ‘established in Ireland’ requires some clarification.
(i) Individuals normally resident in Ireland
Individuals can be data controllers – e.g. doctors, pharmacists, politicians and lawyers. Where the individual data controller is resident in Ireland, he or she must comply with the provisions of the Data Protection Acts.
(ii) A body incorporated under the law of the State
The bulk of Irish data controllers will fall into this category, which includes companies and other bodies corporate that are incorporated under Irish law. Note that this category includes all companies incorporated in Ireland, including a company that is a wholly-owned subsidiary of an overseas company.
(iii) A partnership or other unincorporated association formed under the law of the State.
This category includes some legal and accountancy firms, medical practices, and voluntary associations.
(iv) A person who does not fall within (i)-(iii) above, but who maintains either
I. an office, branch, or agency in Ireland, through which the person carries on any activity, or
II. a regular practice in Ireland.
This important category provides for situations in which a data controller located outside of Ireland carries on business activity in Ireland – whether through a branch, through retaining the services of an agency, or through maintaining a regular practice in Ireland. Any non-Irish data controller that does business in Ireland in this way is subject to Irish data protection law insofar as its processing of personal data in Ireland is concerned. Note that this rule makes no distinction between data controllers that are established in European Economic Area (EEA) countries[1], and those established in non-EEA ‘third countries’.
However, data controllers based elsewhere in the EEA who have direct dealings with Irish people – e.g. data controllers who engage in direct marketing over the telephone or the internet – are not covered by this category. Such data controllers, which do not operate via an Irish-based intermediary, would normally be subject to the data protection laws of the EEA country in which they are based.
Data controllers established outside of the EEA are subject to special rules – see next section below.
Data controllers established outside the EEA
Data controllers established outside of the European Economic Area (EEA) are subject to Irish data protection law in certain limited circumstances. The Regulations specify that any such non-EEA data controllers are subject to the Data Protection Act only in cases where they make use of equipment in Ireland for the purpose of processing personal data. (However, this rule does not apply if the only processing involved is the transit through the State of the personal data. This exemption may be of relevance to some telecommunications service providers, or telecommunications infrastructure companies.)
Non-EEA data controllers that are covered by this rule must designate a representative established in Ireland. This representative would, in general, be expected to be answerable for compliance with Irish data protection laws.
[1] The European Economic Area (EEA) is comprised of the twenty-seven EU countries together with Norway, Iceland and Liechtenstein.