Data protection and Data Privacy in Ireland: the Basic Principles for Companies (Part 1)

By Brendan Ringrose, Solicitor, WhitneyMoore Solicitors. 16th January 2014

1. Personal data

Data protection in Ireland is currently regulated by the Data Protection Act 1988 (“the 1988 Act”), as amended by the Data Protection (Amendment) Act 2003 (“the 2003 Act”) (together, ‘the Act’ or ‘the Acts’). Only personal data is governed by the Act.

The Act defines “personal data” as:

“data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller”. 

The Act distinguishes between personal data and sensitive personal data. ‘Sensitive personal data’ is defined to include personal data as to:

(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the Data Subject,

(b) whether the data subject is a member of a trade union,

(c) the physical or mental health or condition or sexual life of the data subject, or

(d) the commission or alleged commission of any offence by the data subject.

The Act affords different levels of protection according to whether data is ‘personal data’ or ‘sensitive personal data’.

The Act refers to ’Data Controllers’ and ‘Data Processors’ and it is important to understand what these two terms mean. A ‘Data Controller’ is defined in the Act as a person who either alone or with others controls the content and use of personal data. A ‘Data Processor’ is a person who processes data on behalf of a Data Controller (excluding employees of a Data Controller).

The Act sets out a number of data protection principles. It is very important that personal data is processed fairly, although “fair”, which is the critical term, is not defined in the Act. Furthermore, it is essential that the Data Subject (i.e. the individual who is the subject of the personal data) gives their consent to the processing (further details of which are set out below). The overriding principles governing the obligations of Data Controllers are as follows:

a)         Personal data shall be accurate, complete and where necessary kept up to date.

b)         Personal data shall be held only for one or more specified, explicit and legitimate purposes.

c)         Personal data shall not be further processed in a manner incompatible with that purpose or those purposes.

d)         Personal data shall be adequate, relevant and not excessive in relation to that purpose or those purposes for which they were collected or further processed.

e)         Personal data shall not be kept for longer than is necessary for that purpose or those purposes.

f)          Appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, personal data. “Appropriate security measures” is not defined, and the Act prescribes no particular controls. In practice the measures should be proportionate to the harm that could result from unauthorised access, alteration, disclosure or loss of the data and to the nature of the data concerned, so that sensitive personal data (see section 3 below) warrants stronger protection than ordinary personal data.

g)         Data Controllers and Data Processors are also obliged to take all reasonable steps to ensure that their employees and other persons at the place of work concerned are aware of and comply with the relevant security measures.

2. Purpose of the processing

Both (a) the specific purpose for which the data is used and (b) the individuals in respect of whom the data is collected (i.e. the Data Subjects) must come within the definition set out below in order for the exemption to apply to those uses and those persons. It is important to note that, to the extent that a company processes data for any purpose other than an approved purpose, the company may be required to register with the Commissioner (see section 4 below). In addition, guidelines published by the Data Protection Commissioner provide as follows:

1. Data Subjects should be made fully aware, at the time they provide personal data, of:

(i) the identity of the persons who are collecting it;

(ii) the use to which the information will be put; and

(iii) the persons or categories of persons to whom the information will be disclosed.

The secondary or future uses which might not be obvious to individuals should be brought to their attention at the time their personal data is obtained. Individuals should be given the option of saying whether or not they wish the information to be used in these other ways.

If a Data Controller holds information about people and wishes to use it for a new purpose (one which was not disclosed, and perhaps not even contemplated, at the time the information was collected), it is obliged to give those individuals the option of indicating whether or not they wish their information to be used for the new purpose.

This is not intended to be an exhaustive list of obligations on Data Controllers but an outline of some of the main duties. The Acts provide that a Data Controller or Data Processor is required to obtain the Data Subject’s consent to the processing of their personal data.

3. Sensitive personal data

A higher level of protection is afforded to data that is considered sensitive personal data. Firstly, all of the duties of Data Controllers listed at (a) to (g) above must be complied with. Secondly, there are several possible exceptions to the obligation to register in respect of the processing of sensitive personal data. The exception most commonly relied upon is where the Data Subject gives explicit consent to the processing. Explicit consent involves actively consenting to the processing, i.e. the positive step of ‘opting in’ rather than ‘opting out’ of an assumed or default permission. This will be set out in further detail in Part 2 of this article.

Exemptions also exist for processing carried out by a health professional for medical purposes, processing required by law in connection with employment, and processing necessary to prevent injury to health. It should be kept in mind that even if a company is exempt from the registration requirements in the legislation, it remains bound by the data protection obligations in the Acts.

4. Registration

The Acts contain a general requirement that most categories of Data Controllers and Data Processors must register with the Data Protection Commissioner, and the register is accessible to the public. Registration can be made online at www.dataprotection.ie and must be renewed annually. For most applicants with 6 to 25 employees (inclusive) the fee is €100; with 26 employees or more the fee is €480.

(This is Part 1 of a two-part series of articles on Data Processing.)

Brendan Ringrose (Brendan.ringrose@whitneymoore.ie) is a Corporate Lawyer in WhitneyMoore Solicitors, Dublin 2 and advises on all aspects of data processing, data protection, shareholders agreements, share sale agreements and corporate contracts.

WhitneyMoore Solicitors, Wilton Park House, Wilton Place, Dublin 2.  Telephone + 353 (0)1 6110000.

Disclaimer: This article is for guidance purposes only. It does not constitute legal or professional advice. No liability is accepted by Company Bureau for any action taken or not taken in reliance on the information set out in this article. Professional or legal advice should be obtained before taking or refraining from any action as a result of this article. Any and all information is subject to change.