Everyone has strong rights over the data that is held about them under the Data Protection Acts 1988 and 2003, and it is the Data Protection Commissioner who upholds those rights. The Commissioner's role in protecting your privacy rights in relation to data held about you is therefore critical.
First, though, it is important to understand what a data controller and a data subject are as defined under the legislation. Many data controllers do not appreciate the vital responsibility they carry when retaining data on employees, customers and others.
The article below goes into the role of the Data Protection Commissioner, the Data Protection Acts and the various forms of redress you have against data controllers if you believe they are in breach of data protection law.
Some data controllers are also under a mandatory requirement to register with the Data Protection Commissioner; the three categories of persons who may be obliged to register are set out below.
Data Protection for Employers
As an employer you should also consider other aspects of your role as a data controller, such as the usefulness of online backup services or offsite backup for your valuable data. Bear in mind that a backup of personal data is still personal data: it must be protected (access-controlled and, ideally, encrypted) and deleted when the data is no longer needed, to the same standard as the live copy.
All businesses should be concerned about data protection and the Data Protection Acts 1988 and 2003. These two Acts attempt to balance the rights of individuals in relation to the personal data that organisations hold about them against the legitimate needs of those organisations to process it.
People who control and use data about others are called 'data controllers' and are recognised in the Acts as having certain obligations imposed on them by law.
Individuals should know, when they provide personal information to any organisation:
- who is gathering the data;
- what use the data will be put to;
- who the data will be disclosed to.
If a data controller holds data for a specific purpose but later decides to use it for a new purpose, he must ask the person whose information he holds whether they agree to that new use, because data may only be held for specified purposes.
Personal data should be adequate, relevant and not excessive in relation to the purpose for which it is held, and should not be kept for longer than is necessary for that purpose.
Non-compliance with data protection law
Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner, and the data controller can also be held liable under ordinary common law principles (e.g. the law of contract or of confidential information).
It should be noted that Irish data protection legislation applies to data controllers who are established in the State (and, since the 2003 Act, to controllers established outside the EEA who use equipment in the State to process data other than for mere transit).
The legislation provides detailed rules on the use of personal data for direct marketing purposes.
Where data is kept for this purpose, the data subject can request in writing that the data controller cease using it for that purpose, and the data controller must comply within 40 days. The data controller must inform the data subject, when collecting the data, that they may object in this way.
Processing of personal data
Personal data may only be processed where at least one of the conditions set out in the Acts is met. The condition most commonly relied on is that the data subject has given his consent; the others include that the processing is necessary for a contract with the data subject, to comply with a legal obligation, or for the legitimate interests of the controller, provided those interests do not override the data subject's rights.
There is, however, considerable debate as to what 'consent' in this context means: is it the opt-in procedure (where the subject must expressly consent to his data being processed), or the opt-out procedure (where the subject is asked whether they object to their data being processed, and silence is treated as agreement)?
There are additional preconditions for processing sensitive personal data such as racial or ethnic origin, political opinion, religious belief, health or sexual life. In these circumstances the data subject must expressly consent (or one of the narrower conditions the Acts allow for sensitive data must apply), and the opt-out procedure is not sufficient.
Rights of Data Subjects
These rights derive from the Data Protection Acts and include:
- the right to be informed of data being kept about them;
- the right of access to the data (subject to a number of exceptions);
- the right to have inaccurate data corrected or erased;
- the right to prevent processing where it may cause damage or distress.
It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is personal data within the meaning of the Acts, so these rights extend to such footage.
Transfers of data outside the State are restricted only where the destination is outside the European Economic Area.
Such a transfer may not take place unless the destination country provides an adequate level of protection. This causes problems for transfers to the USA, where standards of protection vary.
The US Safe Harbour scheme was a voluntary scheme under which signed-up companies undertook to meet standards of data protection similar to Europe's, but not all companies signed up. (Safe Harbour was declared invalid by the Court of Justice of the EU in October 2015, so it can no longer be relied on as a basis for transfer.)
Data Protection and Employment Law
The Data Protection Acts 1988 and 2003 also impose stringent requirements on the data employers keep about employees, in particular sensitive personal data. Employers are, of course, data controllers (and sometimes data processors) within the legislation.
Offences under the Acts carry fines of up to €100,000 on conviction on indictment, and employees can succeed in claims for breaches of data protection law.
The principal obligations on the employer in respect of sensitive personal data are to collect and process it fairly, to keep it accurate and up to date, and to keep it no longer than necessary. For this reason employers should ensure that they have a written data protection policy in the workplace.
Employee as Data Subject
The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written access request from an employee must be responded to within 40 days.
The Data Protection Acts, section 8 in particular, set out the circumstances in which an employer may disclose an employee's data to a third party. Whether the third party is located within the EEA (European Economic Area) or outside it determines how the employer may deal with the request. Where the data is passed to a third party within the EEA to process on the employer's behalf, a written contract is required.
Where the third party is outside the EEA, the transfer is prohibited unless the destination provides adequate protection or one of the exceptional safeguards in the Acts applies.
Registration with the Data Protection Commissioner
Data controllers fall into three categories for the purposes of registration:
- persons who are always obliged to register: this includes banks and financial institutions, insurance companies, internet service providers and phone companies;
- persons who may be required to register: this includes data controllers who process personal data relating to mental or physical health;
- persons who are excluded: not-for-profit organisations, elected representatives, data processed in the normal course of personnel administration, solicitors and barristers, and data processed for journalistic, literary or artistic purposes.
Please note that these are not exhaustive lists; you may need to consult the legislation or a solicitor with expertise in this area if you are in doubt.
Electronic Communications Regulations 2003
These regulations (the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003, S.I. No. 535 of 2003) strengthen the safeguards concerning direct marketing and attempt to tackle the nuisance of spam. They provide that:
- the use of automatic dialling machines, fax, email or text messaging for direct marketing purposes to individuals is prohibited unless the subscriber's consent has been obtained in advance;
- the use of the same methods is prohibited if the target has registered its objection in the National Directory Database or has advised the sender that it does not wish to receive such messages;
- the making of phone calls for direct marketing purposes is prohibited if the recipient has recorded its objection in the National Directory Database.
Breach of Regulation 13 (unsolicited communications) is a criminal offence.
If in doubt see www.dataprivacy.ie, contact the Data Protection Commissioner or consult your solicitor.
Any data controller maintaining a database should consider offsite or online backup of that data so that it is not lost; the backup itself must be secured (access-controlled and, ideally, encrypted) so that it does not fall into the wrong hands.
Data Protection and Schools
Data protection legislation applies to schools even though the Freedom of Information Act does not.
The Data Protection Commissioner has stated that
CCTV may be used legitimately for security related purposes at the perimeter of a school. Any use beyond this would need to be fully justifiable and evidence-based with a very high threshold for such evidence. This is particularly the case in a school environment as most of the personal data processed will relate to minors.
Access requests can be made by parents on behalf of their children, or by any member of staff in respect of their own data. Learn more about how the law applies to schools in Ireland at education law Ireland.