Everyone has strong rights when it comes to the data that is held on them thanks to the Data Protection Act.
And it is up to the data protection commissioner to uphold those rights.
All businesses should be concerned about data protection and the Data Protection Acts 1988 and 2003. These two Acts attempt to balance the rights of individuals in relation to personal data that various organisations store about them.
People who control and use data about others are called ‘data controllers’ and are recognised in the acts above as having certain obligations imposed on them by law.
Individuals should know when they provide personal information to any organisation:
- Who is gathering the data
- What use this data will be put to
- Who the data will be disclosed to
If a data controller holds the data for a specific purpose but later decides to use it for a new purpose, he must ask the person whose information he holds whether they agree to that new use, as the data shall only be held for specified purposes.
Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.
Non-compliance with data protection law
Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner, and the data controller can be held liable under normal common law principles (e.g. the law of contract, confidential information etc.).
It should be noted that Irish data protection legislation only applies to data controllers who are established here.
Direct Marketing
The legislation provides detailed rules regarding the use of personal data for direct marketing purposes.
Where data is kept for this purpose, the data subject can request in writing that the data controller cease using the data for that purpose, and the data controller must comply within 4 days. The data controller must inform the subject that they may object in this way.
Processing of personal data
The most important pre-condition for processing personal data is that the data may only be processed where the subject has given his consent.
However, there is considerable debate as to what ‘consent’ means in this context. Is it the opt-in procedure (where the subject must expressly consent to his data being processed)?
Or is it the opt-out procedure (where the subject is asked if they object to their data being processed)?
There are additional preconditions relating to the processing of sensitive personal data such as racial or ethnic origin, political opinion, religious belief etc. In these circumstances the data subject must expressly consent, and the ‘opt-out’ procedure would not be sufficient.
Rights of Data Subjects
These rights derive from the Data Protection Acts and include:
- The right to be informed of data being kept on them
- The right to access to the data (there are a number of exceptions to this right)
- It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the acts.
- Right to prevent processing where it may cause damage or distress
Restrictions on the transfer of data outside the State apply to countries outside of the European Economic Area.
Such a transfer may not occur unless that country provides an adequate level of protection. This causes problems for the transfer of such data to the USA, as there are varying standards of protection in the USA.
Their Safe Harbour scheme is a voluntary scheme which provides similar standards of data protection to Europe, but not all companies sign up.
Registration with the Data Protection Commissioner
Data controllers fall into 3 categories for the purpose of registration:
- Categories of persons who are always obliged to register: this includes banks and financial institutions, insurance companies, internet service providers, phone companies
- Categories of persons who may be required to register: this includes data controllers who process personal data relating to mental and physical health
- Categories who are excluded: not-for-profit organisations, elected representatives, data processed for the normal course of personnel administration, solicitors and barristers, data for journalistic, literary or artistic material
Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.
Electronic Communication Regulation 2003
This legislation strengthens the safeguards concerning direct marketing and attempts to tackle the nuisance of spam. It provides that:
- The use of automatic dialling machines, fax, email or text messaging for direct marketing purposes to individuals is prohibited unless the subscriber’s consent has been obtained in advance;
- The use of the same methods is prohibited if the target has registered its objection in the National Directory Database or has advised the sender that it does not wish to receive such messages;
- The making of phone calls for direct marketing is prohibited if the recipient has recorded its objection in the National Directory Database.
Breach of this regulation (13) is a criminal offence.
If in doubt see www.dataprivacy.ie or the Data Protection Commissioner or contact your solicitor.
For any data controller who is maintaining a database, it is prudent to consider offsite backup of data or an online data backup to ensure that data is not lost and does not fall into the wrong hands.



