Data Protection Commissioner

Frequently Asked Questions - FAQ

5. Topical Data Protection Issues

5.1 Can the RSA/Applus request my passport or driving licence when I present a car for the NCT?

The Road Traffic (National Car Test) Regulations 2009 permit the RSA (and Applus as its outsourced service provider) to request identification in conjunction with the NCT. The Regulations define "required identification" for the purposes of the NCT as "a driving licence or passport, for the time being in force, held by [the presenter] or such other photographic identification in respect of [the presenter] that the issuing authority may require, from time to time".  The Regulations allow the RSA (and Applus as its outsourced service provider) to refuse to conduct a test where the required identification is not presented.

Accordingly, as there is a statutory basis for the processing of personal data, this has the effect of setting aside the normative requirements of the Data Protection Acts.


5.2 When I am attending a public event, can the organisers take promotional photographs of me without my consent?

The Data Protection Acts 1988 and 2003 state that "personal data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. On this basis an image of a person is considered "personal data" and would be subject to the provisions of the Acts. The capturing of a person's image and the subsequent use of such an image would constitute processing of personal data within the meaning of the Acts.

Individuals have a right to have their personal data processed in a manner that complies with the requirements of the Acts. Section 2(1)(a) of the Acts requires that personal data "shall have been obtained, and the data shall be processed, fairly". One of the key provisions with regard to the processing of personal data is that it should be done with the consent of the individuals concerned.

The key issue is notice and choice in advance of the image being taken. Furthermore, a clear and accessible opt-out facility should be available to all attendees.

We would consider it best practice to have written notices in place advising attendees of the timing of the photo being taken, the purpose of taking the photo and the use to which the image will be put. Prior to the image being taken there should be an announcement informing individuals that the photo is about to be taken, to allow attendees to exercise their right not to participate in the initiative.


5.3 My website uses cookies - what do I need to consider?

Various provisions concerning electronic communications, including the storing and accessing of information on terminal equipment (e.g. cookies), are set out in Statutory Instrument No. 336 of 2011, which implemented the ePrivacy Directive into Irish law on the 1st of July 2011. To meet the legal requirements, the minimum required is clear communication to the user as to what he/she is being asked to consent to in terms of cookie usage, and a means of giving or refusing consent. The Regulations do not prescribe how consent to drop cookies is to be obtained but envisage that, where it is technically possible and effective, such consent could be given by the use of appropriate browser settings, as long as reliance is not placed on the default browser settings.

It is particularly important that the requirements are met where so called 'third party' or 'tracking' cookies are being deployed, such as when advertising networks collect information about websites visited by users in order to better target advertising. For cookie usage, this Office would be satisfied with a prominent notice on the homepage informing users about the website's use of cookies with a link through to a Cookie Statement containing information sufficient to allow users to make informed choices and an option to manage and disable the cookies. Practically, for Irish website operators we suggest the following for minimum compliance with these requirements:

  • Consent

    The consent of the user must be captured.

    Consent may be obtained explicitly through the use of an opt-in check box which the user can tick if they agree to accept cookies.

    Consent may also be obtained by implication.

    Not all cookies require consent to be used. These are cookies essential to delivering the service requested by the user - session cookies, authentication cookies (for the duration of the session) and user security cookies. For example, for storage of items in a shopping cart on an online website, advance consent will not be required. This will generally be the case where the cookie is stored only for as long as the "session" is live and will be deleted at the end of the session.

    Extensive guidance on the 'Cookie Consent Exemption' has been published by the Article 29 Data Protection Working Party and is available here.

  • Notification

    • Consent should be sought as part of a "prominent notification" displayed on entry to a web site (this might be the home page of the site but may also be via a 'deep link' to an inner page, which a user has found from a search result, for example).
    • The notification should contain a link to a Cookie Statement which will outline in greater detail how the site makes use of cookies.
    As best practice, a positive action may be deployed to dismiss the notification.
    [Note: many websites have addressed this issue by providing a 'hide' button which dismisses the notification.]
  • Cookies Statement

    • The Cookie Statement should contain clear and comprehensive information on how cookies are used, including information on the types of cookies used and details on how to remove them.
    As best practice, the following information could also be provided in the Cookie Statement:
    • Clear and comprehensive information
    • Itemised cookie types, including their purpose, e.g. preferences such as language or font, browsing & search history, tracking, session security and any third party cookies
    • Instructions on how to disable the cookies.
  • Third Party Cookies

    Where third party cookies are being used, it is not sufficient to simply refer the user to third party websites. In such situations or where there are many cookies being created or read by the site (or its partners) we recommend the inclusion in the Cookies Statement of a tabulated explanation of all cookies with the following details:
    • Type
    • Name
    • A description of their purpose
    • Their expiry dates
    • Links to advertising networks' opt-out mechanisms for third party cookies

    In terms of who is the data controller when third party cookies are deployed, the website operator is regarded as a joint data controller alongside the advertising network because even though the cookies are created by the third party site, the website operator has chosen to host these 3rd party cookies on its website.

    Guidance on Online Behavioural Advertising (and the use of cookies) has been published by the Article 29 Data Protection Working Party and is available here.

    Note: A mock web page based on this guidance can be viewed via this link (PDF - 400Kb)


5.4 I have a concern about an image available on Google Streetview, what should I do?

In advance of Google capturing any imagery, this Office had extensive interactions with Google in relation to privacy concerns surrounding Street View.
Where images are captured by Street View cameras, there is typically a time delay before images are published on the internet; therefore the image available via Street View is not a 'real time' image. This delay allows Google to deploy blurring technology to faces and car registration plates. In limited situations, even where blurring technology is deployed, it may be possible to identify an individual; in such situations Google can facilitate the removal of the image.
Individuals can request the removal of the image or report their concerns directly to Google via www.maps.google.ie. A 'report a problem' link is posted at the bottom of each image on Street View. Individuals can follow the steps to report their concerns via this link. However, if an individual has any difficulty in progressing their query through Google, they can raise the matter with this Office.
A step by step guide to reporting problems to Google is available here.


5.5 What are my rights in relation to my exam results with my name being placed on a notice board, booklet or used at a conferral ceremony?

While this is a standard practice that has taken place for a considerable period of time, best practice in relation to data protection is that where a person raises a concern about their personal details being displayed in such a manner, that concern should be respected. Particularly in relation to the display of actual results on a notice board or in booklet form, this might best be achieved by using the student number rather than the actual name of the student.


5.6 My travel agent has requested a large amount of personal information from me as part of the process of booking my holiday. Am I obliged to hand over the information?

It is the case that a number of countries require large amounts of personal data, including name and address, photographs and even personal financial details, before they will agree to process visa applications, thereby allowing you to travel to a country. Furthermore, certain countries require very detailed passenger information from airlines before they will allow the airline to land on their territory. The US is one such example. These issues are beyond the control of your travel agent. However, the travel agent should be very specific as to what information they require and for what purpose. If the purpose is clear and you wish to travel to a particular location then you will need to provide your personal data to do so. You can refuse to hand over the data that is required but you should be aware that this may disrupt your travel plans.


5.7 I have received a toll notice from Eflow, how did they obtain my details?

In relation to the M50 Barrier Free Tolling Scheme and the access by a private entity to official vehicle ownership data, we have established that an appropriate legislative basis exists for such access by the NRA (under the provisions of the relevant Roads Acts (Section 64A(1) of the Roads Act 1993 as inserted by the Roads Act 2007)). The M50 operator (eFlow) is acting under the aegis of the NRA in this matter and subject to stringent contracts between both entities; it would be entitled to access the information in certain limited circumstances under that legislation.

Because there is a legal basis for the access by the NRA and its agent to this official data for toll collection purposes, the provisions of the Data Protection Acts in relation to the sharing of this data are set aside.


5.8 A debt recovery organisation has contacted me for payment of import tax associated with an overseas purchase I made some time ago. How did they get my details?

This practice of seeking the import duty - which we understand falls due to be paid, under Irish customs requirements, following delivery of goods - is not one which gives rise to any data protection issues. We understand that the duty falls legitimately to be paid and accordingly, where it is not paid, it is in order for parcel delivery services to use methods including the use of debt collection agencies to collect the monies owed.


5.9 Can the Revenue Commissioners seek access to my data for their administration of the Local Property Tax without my consent?

Under Finance legislation the Revenue Commissioners may request customer details from certain specified bodies (e.g. electricity/gas suppliers). The sharing of these details with the Revenue Commissioners in relation to the Local Property Tax is covered under the Finance (Local Property Tax) Act 2012 (sections 151 and 153). Section 151(3) of this Act states:

(3) The information which the Revenue Commissioners may request are details in the possession or control of the relevant person of the address or addresses, as the case may be, of residential properties, and in relation to each residential property-
(a) the name of the occupier,
(b) the name of the owner,
(c) the address contained in any geodirectory maintained by any relevant person or such other information as may allow the location of the property to be established,
(d) any unique identification number which the relevant person has assigned to the property or, as the case may be, to any meter or other device located in the property or to the occupier or owner of that property, and
(e) information in relation to the size and type of the property.

and section 153 states:

153.- In this Part "relevant person" means-
(a) the Local Government Management Agency,
(b) the Property Registration Authority,
(c) the Private Residential Tenancies Board,
(d) the holder of a licence under section 14(1) of the Electricity Regulation Act 1999 to supply electricity or to discharge the functions of the operator of the distribution system,
(e) the holder of a natural gas licence under section 16(1) of the Gas (Interim) Regulation Act 2002,
(f) An Post,
(g) the Valuation Office,
(h) Ordnance Survey Ireland,
(i) the Minister for Social Protection,
(j) the Minister for Agriculture, Food and the Marine,
(k) the Minister for the Environment, Community and Local Government,
(l) the Minister for Communications, Energy and Natural Resources,
(m) the Minister for Transport, Tourism and Sport,
(n) a local authority,
(o) the Health Service Executive,
(p) the National Asset Management Agency, or
(q) the Sustainable Energy Authority of Ireland.

Because of this legal basis, the processing of customer details is permitted from a data protection perspective.