The information contained in this tab relates specifically to data protection incidents occurring before 25 May 2018. It should be noted that content here is framed in terms of the law as it applied under the Data Protection Acts 1988 and 2003, as well as the 1995 Directive.
The enhanced powers under the General Data Protection Regulation cannot be applied to incidents that occurred before 25 May 2018.
What is data protection?
When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. This process is known as data protection. We refer to organisations or individuals who control the contents and use of your personal details as 'data controllers'.
Most of us give information about ourselves to groups such as Government bodies, banks, insurance companies, medical professionals and telephone companies to use their services or meet certain conditions. Organisations or individuals can also get information about us from other sources. Under data protection law, you have rights regarding the use of these personal details and data controllers have certain responsibilities in how they handle this information.
When do these rights apply?
You have the right to data protection when your details are:
- held on a computer;
- held on paper or other manual form as part of a filing system; and
- made up of photographs or video recordings of your image or recordings of your voice.
What is the aim of these rights?
Data protection rights will help you to make sure that the information stored about you is:
- factually correct;
- only available to those who should have it; and
- only used for stated purposes.
When should I contact the Data Protection Commissioner?
If you are not happy with how your details are being used, you should contact the organisation in question. If you believe that the organisation or individual is still not respecting your data protection rights, you should contact the Office of the Data Protection Commissioner to ask for help.
What are my rights?
You have a range of rights when a person or organisation takes and records your personal details. Please read this section carefully to make sure that you are aware of your rights.
1. Right to have your details used in line with data protection regulations
A data controller who holds information about you must:
- get and use the information fairly;
- keep it for only one or more clearly stated and lawful purposes;
- use and make known this information only in ways that are in keeping with these purposes;
- keep the information safe;
- make sure that the information is factually correct, complete and up-to-date;
- make sure that there is enough information – but not too much - and that it is relevant;
- keep the information for no longer than is needed for the reason stated; and
- give you a copy of your personal information when you ask for it.
2. Right to information about your personal details
Data controllers who obtain your personal information must give you:
- the name of the organisation or person collecting the information or for whom they are collecting the information;
- the reason why they want your details; and
- any other information that you may need to make sure that they are handling your details fairly – for example the details of other organisations or people to whom they may give your personal details.
If an organisation or individual gets your personal details from someone else and not directly from you, they must tell you which details they hold and give you the name of the original data controller.
3. Right to access your personal details
You can ask for a copy of all your personal details by writing to any organisation or person holding these details on a computer or in manual form. See the section below on 'How to request access to your details'.
You can also ask the data controller to inform you of any opinions given about you, unless the data controller considers that the opinions are confidential. Even in such cases, your right to such information will usually be greater than the right of the person who gave this opinion in private. This right does not apply, however, in a small number of cases where it could harm certain interests – for example when someone is investigating an offence.
You should also be informed of, and given the chance to object to, any decisions about you that are automatically generated by a computer without any human involvement.
4. Right to know if your personal details are being held
If you think that an organisation or individual may be holding some of your personal details, you can ask them to confirm this within 21 days. If they do have personal details about you, they must tell you which details they hold and the reason why they are holding this information. You can ask for this information free of charge.
5. Right to change or remove your details
If you discover that a data controller has details about you that are not factually correct, you can ask them to change or, in some cases, remove these details.
Similarly, if you feel that the organisation or person does not have a valid reason for holding your personal details or that they have taken these details in an unfair way, you can ask them to change or remove these details.
In both cases, you can write to the organisation or person, explaining your concerns or outlining which details are incorrect. Within 40 days, the organisation must do as you ask or explain why they will not do so.
6. Right to prevent use of your personal details
You can also ask a data controller not to use your personal details for purposes other than their main purpose – for example for marketing.
You can do this by simply writing to the organisation or person holding your details and outlining your views. Within 40 days, they must do as you ask or explain why they will not do so.
7. Right to remove your details from a direct marketing list
If a data controller holds personal details about you for direct marketing purposes, you can ask them to remove your details. You can do this by writing to the organisation or person holding these details. They must let you know within 40 days if they have dealt with your request.
8. Right to object
A data controller may intend to use your details for official purposes, in the public interest or for their own interests. If you feel that doing so could cause you unnecessary damage or distress, you may ask the data controller not to use your personal details.
This right does not apply if:
- you have already agreed that the data controller can use your details;
- a data controller needs your details under the terms of a contract to which you have agreed;
- election candidates or political parties need your details for electoral purposes; or
- a data controller needs your details for legal reasons.
You can also object to use of your personal details for direct marketing purposes if these details are taken from the electoral register or from information made public by law, such as a shareholders' register. There is no charge for objecting.
9. Right to freedom from automated decision making
Generally, important decisions about you based on your personal details should have a human input and must not be automatically generated by a computer, unless you agree to this. For example, such decisions may be about your work performance, creditworthiness or reliability.
10. Right to refuse direct marketing calls or mail
If you do not want to receive direct marketing telephone calls, you should contact your service provider. They will make a note of your request in the National Directory Database (NDD) 'opt-out' register. It is an offence to make direct marketing calls to any phone number listed in the NDD. If you have not included your phone number in this register, you can also refuse such calls by simply asking the caller not to phone you again.
An organisation must get your permission before they contact you by fax machine or automated dialing for direct marketing purposes.
An organisation must also get your permission before they send marketing emails to your computer or before they send marketing text messages to your mobile phone.
How do I request access to my details?
To request access to your details, send a letter or email to the organisation or person holding your personal details and ask them for a copy of this information. The details should be easy to understand and you should receive them within 40 days of your request. You may have to pay a small fee, but this cannot be higher than €6.35.
In your request you should:
- give any details that will help the person to identify you and find your data – for example a customer account number, any previous address or your date of birth; and
- be clear about which details you are looking for if you only want certain information. This will help the organisation or person respond more quickly.
Some sample wording appears below as a guide.
Dear Data Protection Officer,
Under the Data Protection Acts 1988 and 2003, I wish to make an access request for a copy of any information you keep about me, on computer or in manual form.
[My customer account number is ...]
[My date of birth is...]
[My previous address was....]
What is the role of the Data Protection Commissioner?
The Data Protection Commissioner aims to make sure that your rights are being upheld and that data controllers respect data protection rules. If you think that an organisation or person is breaking these rules and you are not satisfied with their response to your concerns, you can complain to the Commissioner.
How do I make a complaint to the Commissioner?
Can I claim compensation?
Organisations or people holding your personal details have a legal duty to handle this data with care. If you suffer damage through the mishandling of your personal details, you may be able to claim compensation through the courts. You should discuss this matter with your solicitor. The Commissioner has no function in these actions and cannot give you legal advice.
If you need further information about your rights, you can contact our office by telephone or email. We will also send you information on data protection rules, free of charge, when you contact us here
The following terms are useful when reading this guide:
Data – information or facts that are usually stored on a computer or on paper
Data controllers – a person or group of people who control the contents and use of personal details. Data controllers can either be legal entities such as companies, Government departments or voluntary organisations or they can be individuals such as general practitioners (GPs), pharmacists or sole traders.
Manual data – information stored on paper as part of a filing system.
The information contained in this section relates specifically to data protection law as it applied under the Data Protection Acts 1988 and 2003, as well as the 1995 Directive. Some of the obligations (such as registration) and some of the exemptions (such as those for data processors) are no longer relevant since the advent of GDPR on May 25th 2018. This information is purely for reference in respect of incidents occurring before 25th May 2018.
Are you a "data controller"?
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner.
In essence, you are a data controller if you can answer YES to the following question:
- Do you keep or process any information about living people?
In practice, to find out who controls the contents and use of personal information kept, you should ask the following questions:
- who decides what personal information is going to be kept?
- who decides the use to which the information will be put?
If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data contoller, and your organisation is a "data processor" (see below).
Types of Data Controller
Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents etc.
Group companies and subsidiary companies
It is common in the business world for a holding company to own one or more subsidiary companies. If personal data is flowing within the group of companies, who is the data controller? In answering this question, it should be noted that each company, whether it is a parent company or a subsidiary, is a distinct legal person with its own set of legal and data protection responsibilities. Each company within a group may therefore be a data controller in respect of the personal data which it has obtained and for which it is legally responsible; and it is necessary for each data controller to assess whether disclosures of personal data to other group companies are permissible. It is only in rare cases that two or more companies may properly exercise legal or de facto control and responsibility for a given set of personal data. In such cases, the companies are regarded as joint data controllers.
Responsibilities of data controllers
All data controllers must comply with certain important rules about how they collect and use personal information.
Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.
As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. "Cloud" providers are also generally Data Processors.
It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.
A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.
Responsibilities of data processors
Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition all data processors, whose business consists wholly or partly in processing personal data on behalf of data controllers who are required to register, are also required to register with the Data Protection Commissioner as a data processor.
A Pre-GDPR Guide for Data Controllers
This section is intended as an introductory guide to those persons/bodies who are data controllers, in that they control the contents and use of personal data. It outlines the eight fundamental rules of data protection and presents them in a user friendly format. It is not an authoritative or definitive interpretation of the law, it is intended as a non-technical guide for data controllers. If, after reading this document, you require further information, please Contact Us
As with any legislation, certain terms have particular meaning. The following are some useful definitions:
means information in a form which can be processed. It includes both automated data and manual data.
means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer.
means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system.
Relevant filing system
means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information is accessible.
means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. This can be a very wide definition depending on the circumstances.
means performing any operation or set of operations on data, including:
- obtaining, recording or keeping data,
- collecting, organising, storing, altering or adapting the data,
- retrieving, consulting or using the data,
- disclosing the information or data by transmitting, disseminating or otherwise making it available,
- aligning, combining, blocking, erasing or destroying the data.
is an individual who is the subject of personal data.
are those who, either alone or with others, control the contents and use of personal data. Data Controllers can be either legal entities such as companies, Government Departments or voluntary organisations, or they can be individuals such as G.P.’s, pharmacists or sole traders.
is a person who processes personal data on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment. Again individuals such as G.P.’s, pharmacists or sole traders are considered to be legal entities.
Sensitive personal data
relates to specific categories of data which are defined as data relating to a person’s racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence; trade union membership.
You have additional responsibilities in relation to the processing of any such data.
What is data protection?
It is the means by which the privacy rights of individuals are safeguarded in relation to the processing of their personal data. The Data Protection Acts 1988 and 2003 confer rights on individuals as well as placing responsibilities on those persons processing personal data.
Are you a data controller?
If you, as an individual or an organisation, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller. In practice, to establish whether or not you are a data controller, you should ask, do you decide what information is to be collected, stored, to what use it is put and when it should be deleted or altered. Because of the serious legal responsibilities attached to a data controller under the Acts, you should seek the advice of the Commissioner if you have any doubts as to whether or not you are a data controller in any particular case.
What are your responsibilities as a data controller?
You have certain key responsibilities in relation to the information which you process. These may be summarised in terms of eight fundamental rules which you must follow. These rules which are detailed in this guide apply to all data controllers. Certain categories of data controllers are also obliged to register with the Data Protection Commissioner. This is a separate legal requirement and in no way obviates the need to comply with the requirements of the Acts having so registered.
There are some specific requirements on which more details can be found on our website, in various annual reports of the Data Protection Commissioner or by contacting this Office directly.
- the obligatory requirement on certain categories of data controllers (and Data Processors) to register with the Data Protection Commissioner. Guidance notes of Registration for Data Controllers are also available from this Office. If you are required to register and are not it is illegal to process personal data.
- the specific requirements for marketing by phone, e-mail, fax or other electronic means, including text message, which are contained in separate Regulations.
- the processing of publicly available information for other purposes including direct marketing.
How do you as a data controller ensure compliance with the law?
You must make yourself aware of your data protection responsibilities, in particular, to process personal data fairly. You should ensure that your staff are made aware of their responsibilities through appropriate induction training with refresher training as necessary and the availability of an internal data protection policy that is relevant to the personal data held by you. An internal policy which reflects the eight fundamental data protection rules and applies them to your organisation, which is enforced through supervision and regular review and audit, is a valuable compliance tool.
How are the Acts enforced?
The Commissioner’s role is to ensure that those who keep personal data comply with the provisions of the Acts. He has a wide range of enforcement powers to assist him in ensuring that the principles of data protection are being observed. These powers include the serving of legal notices compelling data controllers to provide information needed to assist his enquiries, and compelling a data controller to implement one or more provisions of the Acts in a particular prescribed manner.
He may investigate complaints made by the general public or carry out investigations proactively. He may, for example, authorise officers to enter premises and to inspect the type of personal information kept, how it is processed and the security measures in place. You and your staff are required to co-operate fully with such officers.
A data controller found guilty of an offence under the Acts can be fined amounts up to €100,000, on conviction on indictment and/or may be ordered to delete all or part of the database.
The Commissioner also publishes an annual report which names, in certain cases, those data controllers that were the subject of investigation or action by his Office.
The Eight Rules of Data Protection
- Obtain and process information fairly
- Keep it only for one or more specified, explicit and lawful purposes
- Use and disclose it only in ways compatible with these purposes
- Keep it safe and secure
- Keep it accurate, complete and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it for no longer than is necessary for the purpose or purposes
- Give a copy of his/her personal data to an individual, on request
To fairly obtain data the data subject must, at the time the personal data is being collected, be made aware of:
- the name of the data controller;
- the purpose in collecting the data;
- the identity of any representative nominated for the purposes of the Acts;
- the persons or categories of persons to whom the data may be disclosed;
- whether replies to questions asked are obligatory and the consequences of not providing replies to those questions;
- the existence of the right of access to their personal data;
- the right to rectify their data if inaccurate or processed unfairly;
- any other information which is necessary so that processing may be fair and to ensure the data subject has all the information that is necessary so as to be aware as to how their data will be processed.
In addition, where the personal data is not obtained from the data subject, either at the time their data is first processed or at the time of disclosure to a third party, all the above information must be provided to the data subject and they must also be informed of the identity of the original data controller from whom the information was obtained and the categories of data concerned.
To fairly process personal data it must have been fairly obtained, and:
- the data subject must have given consent to the processing;
- the processing must be necessary for one of the following reasons
- the performance of a contract to which the data subject is a party;
- in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation, other than that imposed by contract;
- to prevent injury or other damage to the health of the data subject;
- to prevent serious loss or damage to property of the data subject;
- to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
- for the administration of justice;
- for the performance of a function conferred on a person by or under an enactment;
- for the performance of a function of the Government or a Minister of the Government;
- for the performance of any other function of a public nature performed in the public interest by a person;
- for the purpose of the legitimate interests pursued by a data controller except wherethe processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
To fairly process sensitive data (see definitions panel at the beginning of this booklet) it must have been fairly obtained and there are additional special conditions (one of the conditions outlined above must also be met) of which at least one of the following must be met:
- the data subject has given explicit consent (or where they are unable to do so, for reasons of incapacity of age, explicit consent must be given by a parent or legal guardian) to the processing, i.e. the data subject has been informed of the purpose/s in processing the data and has supplied his/her data with that understanding;
- the processing must be necessary for one of the following reasons -
- for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
- to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where, consent cannot be given, or the data controller cannot reasonably be expected to obtain such consent;
- to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld;
- it is carried out by a not for profit organisation in respect of its members or other persons in regular contact with the organisation;
- the information being processed has been made public as a result of steps deliberately taken by the data subject;
- for the purpose of obtaining legal advice, or in connection with legal proceedings, or is necessary for the purposes of establishing, exercising or defending legal rights;
- for medical purposes (more extensive advice as to what constitutes medical purposes is available from www.dataprotection.ie or you can contact the office directly);
- it is carried out by political parties or candidates for election in the context of an election;
- for the purpose of the assessment or payment of a tax liability;
- in relation to the administration of a Social Welfare scheme.
You may only keep data for a purpose(s) that are specific, lawful and clearly stated and the data should only be processed in a manner compatible with that purpose(s). An individual has a right to question the purpose for which you hold his/her data and you must be able to identify that purpose.
To comply with this rule:
- In general a person should know the reason/s why you are collecting and retaining their data.
- the purpose for which the data is being collected should be a lawful one
- you should be aware of the different sets of data which you keep and specific purpose of each
Any use or disclosure must be necessary for the purpose(s) or compatible with the purpose(s) for which you collect and keep the data. You should ask yourself whether the data subject would be surprised to learn that a particular use of or disclosure of their data is taking place.
A key test of compatibility is:
- do you use the data only in ways consistent with the purpose(s) for which they are kept?
- do you disclose the data only in ways consistent with that purpose(s)?
The rule, that disclosures of information must always be compatible with the purpose(s) for which that information is kept, is lifted in certain restricted cases by Section 8 of the Act. Examples of such cases would include some obvious situations where disclosure of the information is required by law or is made to the individual himself/herself or with his/her consent.
Any processing of personal data by a data processor on your behalf must also be undertaken in compliance with the Acts. This requires that, as a minimum, any such processing takes place subject to a contract between the controller and the processor which specifies the conditions under which the data may be processed, the security conditions attaching to the processing of the data and that the data be deleted or returned upon completion or termination of the contract. The data controller is also required to take reasonable steps to ensure compliance by the data processor with these requirements.
Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. The security of personal information is all-important, but the key word here is appropriate, in that it is more significant in some situations than in others, depending on such matters as confidentiality and sensitivity and the harm that might result from an unauthorised disclosure. High standards of security are, nevertheless, essential for all personal information. The nature of security used may take into account what is available technologically, the cost of implementation and the sensitivity of the data in question.
A minimum standard of security would include the following:
- access to central IT servers to be restricted in a secure location to a limited number of staff with appropriate procedures for the accompaniment of any non-authorised staff or contractors;
- access to any personal data within an organisation to be restricted to authorised staff on a ‘need-to-know’ basis in accordance with a defined policy;
- access to computer systems should be password protected with other factors of authentication as appropriate to the sensitivity of the information;
- information on computer screens and manual files to be kept hidden from callers to your offices;
- back-up procedure in operation for computer held data, including off-site back-up;
- all reasonable measures to be taken to ensure that staff are made aware of the organisation’s security measures, and comply with them;
- all waste papers, printouts, etc. to be disposed of carefully;
- ]a designated person should be responsible for security and for periodic reviews of the measures and practices in place.
Apart from ensuring compliance with the Acts, this requirement has an additional importance in that you may be liable to an individual for damages if you fail to observe the duty of care provision in the Act applying to the handling of personal data which tends to arise substantially in relation to decisions or actions based on inaccurate data. In addition, it is also in the interests of your business to ensure accurate data for reasons of efficiency and effective decision making.
To comply with this rule you should ensure that:
- your clerical and computer procedures are adequate with appropriate cross-checking to ensure high levels of data accuracy;
- the general requirement to keep personal data up-to-date has been fully examined;
- appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
The accuracy requirement does not apply to back-up data, that is, to data kept only for the specific and limited purpose of replacing other data in the event of their being lost, destroyed or damaged.
You can fulfil this requirement by making sure you are seeking and retaining only the minimum amount of personal data which you need to achieve your purpose(s). You should decide on specific criteria by which to assess what is adequate, relevant, and not excessive and apply those criteria to each information item and the purpose/s for which it is held.
To comply with this rule you should ensure that the information sought and held is:
- adequate in relation to the purpose/s for which you sought it;
- relevant in relation to the purpose/s for which you sought it;
- not excessive in relation to the purpose/s for which you sought it.
A periodic review should be carried out of the relevance of the personal data sought from data subjects through the various channels by which information is collected, i.e. forms, website etc. In addition, a review should also be undertaken on the above basis of any personal information already held.
This requirement places a responsibility on data controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. It is a key requirement of Data Protection legislation as personal data collected for one purpose cannot be retained once that initial purpose has ceased. Equally, as long as personal data is retained the full obligations of the Acts attach to it. If you don’t hold it anymore then the Acts don’t apply.
You should assign specific responsibility to someone for ensuring that files are regularly purged and that personal information is not retained any longer than necessary. This can include appropriate anonymisation of personal data after a defined period if there is a need to retain non-personal data.
To comply with this rule you should have:
- a defined policy on retention periods for all items of personal data kept;
- management, clerical and computer procedures in place to implement such a policy.
On making an access request any individual about whom you keep personal data is entitled to:
- a copy of the data you are keeping about him or her;
- know the categories of their data and your purpose/s for processing it;
- know the identity of those to whom you disclose the data;
- know the source of the data, unless it is contrary to public interest;
- know the logic involved in automated decisions;
- data held in the form of opinions, except where such opinions were given in confidence and even in such cases where the person’s fundamental rights suggest that they should access the data in question it should be given.
It is important that you have clear co-ordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is being made.
To make an access request the data subject must:
- apply to you in writing (which can include email);
- give any details which might be needed to help you identify him/her and locate all the information you may keep about him/her e.g. previous addresses, customer account numbers;
- pay you an access fee if you wish to charge one. You need not do so, but if you do it cannot exceed €6.35.
Every individual about whom a data controller keeps personal information has a number of other rights under the Act, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner.
In response to an access request you must:
- supply the information to the individual promptly and within 40 days of receiving the request;
- provide the information in a form which will be clear to the ordinary person, e.g. any codes must be explained.
If you do not keep any information about the individual making the request you should tell them so within the 40 days. You are not obliged to refund any fee you may have charged for dealing with the access request should you find you do not, in fact, keep any data. However, the fee must be refunded if you do not comply with the request, or if you have to rectify, supplement or erase the personal data concerned.
If you restrict the individual’s right of access in accordance with one of the very limited restrictions set down in the Acts, you must notify the data subject in writing within 40 days and you must include a statement of the reasons for refusal. You must also inform the individual of his/her entitlement to complain to the Data Protection Commissioner about the refusal.
There are a number of modifications to the basic Right to Access granted by the Acts which include the following:
- Access to Health and Social Work Data
There are modifications to the right of access in the interest of the data subject or the public interest, designed to protect the individual from hearing anything about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being;
- In the case of Examinations Data
There is an increased time limit for responding to an access request from 40 days to 60 days and an access request is deemed to be made at the date of the first publication of the results or at the date of the request, whichever is the later.
Transferring Personal data Abroad
An area of concern for many data controllers are the requirements necessary for the transfer of data abroad. There are special conditions that have to be met before transferring personal data outside the European Economic Area (all EU countries plus Norway, Iceland and Liechtenstein), where the importing country does not have an EU approved level of data protection law. This is termed a finding of adequacy. In such a case, one of the following conditions must be met if a transfer is to take place. Either the transfer must be:
- consented to by the data subject; or
- required or authorised under an enactment, convention or other instrument imposing an international obligation on this State; or
- necessary for the performance of a contract between the data controller and the data subject; or
- necessary for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller; or
- necessary for the conclusion of a contract between the data controller and a third party, that is entered into at the request of the data subject and is in the interests of the data subject, or for the performance of such a contract; or
- necessary for the purpose of obtaining legal advice; or
- necessary to urgently prevent injury or damage to the health of a data subject; or
- part of the personal data held on a public register; or
- authorised by the Data Protection Commissioner, which is normally the approval of a contract which is based on EU model contracts.
As the legislation on the transfer of data abroad is complex, where doubt arises it is advisable for persons to contact this Office in order to seek guidance on specific cases.
Basic Data Protection Checklist
- Are the individuals whose data you collect aware of your identity?
- Have you told the data subject what use you make of his/her data?
- Are the disclosures you make of that data legitimate ones?
- Do you have appropriate security measures in place both internally and externally to ensure all access to data is appropriate?
- Do you have appropriate procedures in place to ensure that each data item is kept up-to-date?
- Do you have a defined policy on retention periods for all items of personal data?
- Do you have a data protection policy in place?
- Do you have procedures for handling access requests from individuals?
- Are you clear on whether or not you should be registered?
- Are your staff appropriately trained in data protection?
- Do you regularly review and audit the data which you hold and the manner in which they are processed?