Civil Policy & Legislation (Republic of Ireland)
Children First Act, 2015
The Children First Act 2015 came into effect on 11th December 2017 and has since been amended.
The Children First Guidance 2017 - the national child safeguarding policy - has been issued under Section 6 of the Act.
What are the legal requirements?
A provider of a relevant service shall ensure, as far as practicable, that each child availing of the service from the provider is safe from harm while availing of that service. (Section 10)
The main implications of the Act for those providing services to minors (such as the Prelature) are:
A. Every legal or natural person in the Republic of Ireland who is a provider of a relevant service must publish a detailed Child Safeguarding Statement which “has due regard to, and is in accordance with” the requirements of the Children First Guidance 2017.
B. There is a legal obligation on specified Mandated Persons to report safeguarding concerns received by them in the course of their work. This is known as mandatory reporting.
What is a relevant service?
A relevant service means any work or activity specified in Schedule 1 of the Act. The relevant provision for the purposes of the apostolates of the Prelature is specified in No. 7 of that Schedule:
"Any work or activity as a minister or priest or any other person engaged in the advancement of any religious beliefs which would or could bring that minister, priest or other person, as the case may be, into contact with a child."
Note: This definition is similar to but broader in scope than the equivalent definition in Section 7 of Part 1 of Schedule 1 of the National Vetting Bureau Act.
Who is a provider?
A provider of a relevant service must have at least one person employed or engaged by him/her in the provision of that service.
A woman giving private piano lessons to children is providing a “relevant service,” but, as a sole practitioner, is not a “provider” as defined in Part II of the Act. Likewise, a person who provides a relevant service on behalf of another (whether as employee or volunteer) is not a provider for the purposes of Part II of the Act.
A youth club which is owned by and responsible to a legal entity is not a “provider”, but is an agent of that legal entity. On the other hand, a club which is affiliated to a group of clubs, but not legally owned by that group or by another entity, is a provider in its own right.
Application to the Prelature
The Prelature in Ireland is a provider of a relevant service, in that it is responsible for persons who are engaged in the advancement of any religious beliefs to minors, as well as to adults.
What is a Child Safeguarding Statement?
A Child Safeguarding Statement is a written statement that specifies the relevant service being provided and the principles and procedures to be observed to ensure, as far as practicable, that a child availing of that service is safe from harm. It also includes an assessment of risk of harm to a child while availing of that service and specifies the procedures in place to manage any identified risks.
Tusla have also provided a visual presentation to the NBSCCCI outlining the requirements of the Children First Act 2015 regarding the Child Safeguarding Statement and the role of the Compliance Unit.
Section 11 of the Act requires providers of a relevant service to assess risks, prepare a Child Safeguarding Statement, circulate it to all staff, display it [“in a prominent place where the relevant service concerned relates or is provided, or both, as may be appropriate”] and make it available on request to parents, guardians, Tusla and members of the public.
The main elements of the Child Safeguarding Statement are:
1. A risk assessment of the relevant services
2. The specific procedures in place to manage or provide for:
a. The risks identified
b. Allegations of breaches of due conduct
c. Safe recruitment of personnel
d. Information and training of staff
e. Reporting concerns
3. List of Mandated Persons
4. Appointing Relevant Person.
Application to the Prelature
The current Statement for the Prelature in Ireland is published on the website of Opus Dei and in the relevant centres and can be downloaded in pdf format from here.
Who are Mandated Persons?
Mandated Persons are those who, in the course of their professional work, have ongoing contact with children and / or families and who are in a key position to protect children from harm. They include teachers, doctors, nurses, priests, Gardaí, foster carers, some child safeguarding personnel, youth workers and people in several other professions. See the complete list in Schedule 2 of the Act.
All such persons are, in principle, required to report any knowledge they might acquire in the course of their specified employment or profession to Tusla, the Child & Family Agency (see Section 14 of the Act for details and exemptions). This is known as mandatory reporting.
Application to the Prelature
Priests of the Prelature in Ireland would be included in Section 15(g) of Schedule 2 -
"member of the clergy (howsoever described) or pastoral care worker (howsoever described) of a church or other religious community".
The Safeguarding Coordinator (and deputies) of the region would be included in Section 15(i) of Schedule 2 -
"safeguarding officer, child protection officer or other person (howsoever described) who is employed for the purpose of performing the child welfare and protection function of religious, sporting, recreational, cultural, educational and other bodies and organisations offering services to children."
If the director of a youth club, although employed by a separate charity, were also engaged in relevant work for the Prelature, he / she would be included in Section 15(k) of Schedule 2 -
"person responsible for the care or management of a youth work service within the meaning of section 2 of the Youth Work Act 2001"
[youth work service: “a service which, directly or indirectly, assists in the provision of youth work", that is "a planned programme of education designed for the purpose of aiding and enhancing the personal and social development of young persons through their voluntary participation, and which is (a) complementary to their formal, academic or vocational education and training; and (b) provided primarily by voluntary youth work organisations"].
This statement has been prepared to comply with the requirements of the Children First Act 2015 and is derived from A Safe and Welcoming Church, Safeguarding Children Policy and Standards for the Catholic Church in Ireland 2024 and the Local Safeguarding Policy of the Prelature of Opus Dei in Ireland. The policy of the Catholic Church in Ireland is based on standards of practice accompanied by criteria that assist in reaching these standards and which can be used in assessing and managing risk.
A summary of the legal requirements of the Children First Act is given in the National Child Safeguarding Policy (RoI) section of this web page. The current Child Safeguarding Statement for Opus Dei in Ireland can be downloaded in pdf format from this website. It is also published on the Irish website of Opus Dei and in the relevant centres.
Section 3(1) of the Act provides that a person shall not be liable in damages in respect of the communication, whether in writing or otherwise, to a member of the Garda Síochána or to a designated member of a Health Board of his or her opinion that a child has been sexually abused, unless it is proved that he or she has not acted reasonably and in good faith in forming that opinion and communicating it to the appropriate person.
The Act would clearly protect the communication by an intermediary of what he learned from a victim to a member of the Garda Síochána or to a designated member of Tusla. Other than those mentioned in Section 3, the Act does not protect communications made to any other persons, or made in Northern Ireland.
Should a respondent become aware that an allegation has been transmitted other than to a member of the Garda Síochána or to a designated member of a Health Board, he or she may consider that their good name has been injured and have grounds for taking an action for defamation against any person making such a communication.
Qualified privilege:
The common law confers a protection known as “qualified privilege” on communications made by persons who have a right or a duty to make them, or who have an interest in protecting another person.
It would be necessary to know the circumstances of the allegation before acting on the basis of any qualified privilege and in any case to act in accordance with natural justice.
DoES, Child Protection Guidelines and Procedures for Post-Primary Schools, 2004, p. 7 — Section 1.4:
“Qualified privilege arises where the person making the communication has a duty to do so, or a right, or interest to protect the child and where the communication is made to a person with a similar duty, right or interest. The person making the report, acting in loco parentis, would be expected to act in the child’s best interests and in making the report would be regarded as acting in such a manner.
Privilege can be displaced only where it can be established that the person making the report acted maliciously. Furthermore, those reporting a child’s disclosure or concerns about a child’s behaviour or welfare are not regarded as making an allegation as a matter of charge, but simply carrying out their duty in good faith. They are not accusing or bringing a charge.”
Mandatory Reporting (General)
B. Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act 2012
The Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act 2012 creates an offence of withholding information regarding certain arrestable offences against children and vulnerable persons. The Act applies to all, but it is of particular relevance to those working with children and vulnerable persons.
Section 2 of the Act requires a person—
who knows or believes that a Schedule 1 offence has been committed, and
who has information which he or she knows or believes might be of material assistance in the case
to report that knowledge or belief to a member of the Garda Síochána.
A “Schedule 1 offence” means an offence that is an arrestable offence and is specified in Schedule 1 of the Act. The specified offences against children and vulnerable adults are generally of a more serious nature. They include offences such as murder, assault, false imprisonment, rape, sexual assault and incest. Acts of ‘gross indecency’, for example, are not included. The role of the accused vis-à-vis the victim may be relevant, e.g. a person in authority, such as a teacher, would be liable for a greater sentence in respect of an offence on a pupil.
An offence under the Act is committed when a person who knows or believes that one or more of these specified offences has been committed by another person against a child or vulnerable adult, and the person has information which they know or believe might be of material assistance in securing apprehension, prosecution or conviction of that other person for that offence, and fails without reasonable excuse to disclose that information as soon as it is practicable to do so to a member of the Garda Síochána.
The offence applies to a person acquiring information after the passing of the Act on 18th July 2012 and it does not apply to the victim. The offence exists even if the information acquired is about an offence which took place prior to the Act being enacted, and even if the child or vulnerable adult is no longer a child or vulnerable adult.
There are various defences to the offence. They are to do with the circumstances where the child or vulnerable adult made the person acquiring the information aware of their wish for the Garda Síochána not to be informed, or when certain persons or certain professionals hold the reasonable view that the Garda Síochána should not be informed. These defences are subject to various factors, however, and the Act and/or a solicitor should be consulted on all of the defences and the exact details thereof.
Mandatory Reporting (Professionals)
Mandated persons are, in principle, required to report any knowledge they might acquire in the course of their specified employment or profession to Tusla, the Child & Family Agency. This is known as mandatory reporting.
Mandated Persons are those who, in the course of their professional work, have ongoing contact with children and / or families and who are in a key position to protect children from harm. They include teachers, doctors, nurses, priests, Gardaí, foster carers, some child safeguarding personnel, youth workers and people in several other professions. See the complete list in Schedule 2 of the Act.
National Vetting Bureau Acts, 2012-16
The National Vetting Bureau (Children and Vulnerable Persons) Acts 2012-2016, which came into effect on 29 April 2016, make it mandatory for people working with children or vulnerable adults to be vetted by the Garda Síochána National Vetting Bureau (GNVB).
What is the main requirement of the Act?
A relevant organisation
shall NOT
engage, employ, enter into a contract for services with, or otherwise permit
any person (whether or not for commercial or any other consideration),
to undertake relevant work or activities on its behalf,
UNLESS
the organisation receives a vetting disclosure
from the Bureau
in respect of that person.
What is relevant work?
Relevant work or activity relating to children, for the purposes of the NVB Act, means a work or activity specified in Part 1 of Schedule 1 of that Act.
In the case of the Prelature of Opus Dei in Ireland, the NVB have confirmed by letter that Section 7 of Part 1 of Schedule 1 is applicable to the activities of the Prelature as such:
"Any work or activity as a minister or priest or any other person engaged in the advancement of any religious beliefs to children
unless such work or activity is merely incidental to the advancement of religious beliefs to persons who are not children."
Note that a similar definition of relevant work for the purposes of the Children First Act 2015 does not include the proviso "unless such work ...".
What is a relevant organisation?
Every natural person, body or other entity who is responsible for relevant work or activities (such as the Prelature in Ireland) is, in principle, a relevant organisation.
The vetting requirement does not apply, however, to an arrangement made by an individual for the provision by any person of relevant work or activities for the benefit of the individual or for the benefit of a child who is a member of the individual’s family.
What is a vetting disclosure?
A vetting disclosure is a statement issued to the liaison person of a registered relevant organisation by the NVB, on foot of an application by that person (with the consent and participation of the candidate), on behalf of the organisation, with a view to the engagement of the candidate for relevant work or activities.
The NVB will make such enquiries of the Garda Síochána as it deems necessary to establish whether there is any criminal record or specified information relating to the person, and will then issue the disclosure to the liaison person who made the application.
In accordance with the data protection principle of 'purpose limitation' set down in Article 5(1)(b) GDPR, vetting disclosures may only be used for the purpose for which they were provided to an organisation and vetting disclosures should not be shared with any other organisation.
An exception can be made where relevant organisations have a joint employment agreement in writing in accordance with Section 12(3A) of the National Vetting Bureau Act and the persons affected have consented.
► Indicator S1.B | Page S-21 to 22 | Template 1A: Service Level Agreement to Share Vetting Information and Template 1B: Consent to Share Vetting Information
Renewal of Vetting
There is no requirement at present for someone who is vetted once for a particular activity to be re-vetted, unless they change relevant activity or position with sporting or community organisations, and other limited circumstances. A Government Working Group is considering proposals to introduce a mandatory three-year vetting renewal requirement and other changes. The Minister has stated in the Dáil that "I expect to receive the Group’s report on arrangements for Garda Vetting in the context of the introduction of a statutory re-vetting regime early this year [2024]."
What is an affiliate registration?
Not every relevant organisation will be accepted for full registration by the NVB. Where the number of applications likely to be made annually by the relevant organisation is low, the NVB grants the relevant organisation an "affiliate" status and registration number and requires it to channel its applications through a registered 'umbrella' organisation, which has approval to act for affiliate relevant organisations.
Under Section 13(2) of the National Vetting Bureau (Children and Vulnerable Persons) Act 2012:
‘A relevant organisation may submit an application for vetting disclosure under this section on its own behalf or on behalf of another relevant organisation that the organisation represents for the purposes of the vetting procedures under this Act and, where a relevant organisation submits an application on behalf of another relevant organisation, it shall inform the Bureau of that and provide it with the particulars referred to in Section 8 (5).’
In these circumstances, a Service Level Agreement (see NBSCCCI Indicator S1.B | Page S-21 to 22 | Template 1A) is developed between the organisations or Church bodies which sets out the terms and modality for the sharing of the disclosure. Sharing of such information can only be done with the permission of the subject of the disclosure (see NBSCCCI Indicator S1.B | Page S-21 to 22 | Template 1B).
The "Prelature of Opus Dei in Ireland" has an affiliate registration (No. GNVB/2010/CJ94) dated 8th October 2020 from the NVB. Accordingly, every vetting application made pursuant to this Local Safeguarding Policy will be submitted by the Dublin City Volunteer Centre, Unit 4, Whitefriars, Aungier Street, Dublin 2, D02 XT21 (a ‘registered organisation’), on behalf of the Prelature (as a ‘relevant organisation’) under a renewable Service-Level Agreement (currently dated 1st January 2023). DCVC are a vetting process service provider authorised by the National Vetting Bureau and the Liaison Person of the DCVC reviews and submits each online application and receives the disclosure before communicating it to the designated Garda Vetting Officer of the Prelature.
Further guidance
For details on the candidate procedure for giving consent and providing information for an application for a vetting disclosure, follow the step-by-step Vetting Guide.
See also the Vetting Glossary.
Data Protection Legislation
The EU adopted a new set of data protection rules - the General Data Protection Regulation (GDPR) - which introduced substantial changes to European data protection law, along with severe financial penalties for non-compliance. GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
The Data Protection Act 2018 (RoI) was signed into law on 24 May 2018, and some of the provisions came into effect on 25 May 2018, to coincide with the coming into force of the GDPR.
From May 25th, 2018 the key legislative frameworks in the Republic of Ireland are:
General Data Protection Regulation (GDPR)
Data Protection Act 2018
The ‘Law Enforcement Directive’ (Directive (EU) 2016/680) which has been transposed into Irish law by way of the Data Protection Act 2018
The Data Protection Acts 1988 and 2003
The 2011 ‘e-Privacy Regulations’ (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy And Electronic Communications) Regulations 2011)
The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
Data Protection Glossary
Personal data
Personal data is information that relates to, or can identify you, either by itself or together with other available information. Personal data can include:
Your name
Your address
Your contact details
Identification numbers (for example your PPS number)
Your IP address (this is your internet address)
CCTV footage
Access cards
Audio-visual or audio recordings of you
Location data
Data subject
Under data protection law, if a person, organisation or company is holding or using your personal data, you are known as a data subject.
Data controller
A data controller is responsible for the keeping and use of personal information on computer or in structured manual files about living persons. Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. In practice, to find out who controls the contents and use of personal information stored, consider:
who decides what personal information is going to be kept?
who decides the use to which the information will be put?
If an entity controls and is responsible for the personal data which it holds, then it is a data controller. If, on the other hand, it holds the personal data, but some other entity decides and is responsible for what happens to the data, then that other entity is the data controller, and the holding entity is a "data processor". In case of doubt, consult a legal adviser or seek the advice of the Data Protection Commissioner.
Being a data controller carries with it serious legal responsibilities. All data controllers must comply with certain important rules about how they collect and use personal information. Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.
Data processor
The data controller can allow another person, organisation or company, known as a data processor, to process personal data on its behalf. Doing anything with personal data, including storing it, is known as processing. Examples of data processors include payroll companies, accountants and market research companies, all of which hold or process personal information on behalf of someone else. "Cloud" providers are also generally Data Processors.
It is possible for one entity to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.
A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.
Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss.
Age of consent
The GDPR requires member states to set a digital age of consent. The digital age of consent is the minimum age a user must be before social media and internet companies can collect, process and store their data. The E.U. has set the age of consent to sixteen by default and member states are given the option of adopting a lower age, but it may be no lower than thirteen years. In Ireland, the Digital Age of Consent was set at 16 in the Data Protection Act 2018.
Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority. An organisation is required to appoint a designated data protection officer (Article 37) where ... inter alia ... the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences.
The NBSCCCI Guidance in Appendix B (see Article 256) recommends that a Church Authority appoint a DPO.
The Article 29 Data Protection Working Party (WP29) – an advisory group made up of a representative from the Data Protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission – have published guidance on the interpretation of the words "core activities" and "large scale". Thus, a bank or insurance company processing customer data in the regular course of their business should be considered large scale but the processing of patient data by a single GP should not.
The processing of personal data is not in any sense a "core activity" of the NWE Region of the Prelature, in Ireland or elsewhere. Unlike, for example, a diocese, the instances in which Article 9 categories of data have to be processed are few and far between. Accordingly, the Prelature in Ireland does not require the formal appointment of a DPO. The Safeguarding Coordinator will supervise the compliance of the Prelature with the requirements of GDPR in its activities.
General data protection principles
Data protection
Data subjects are entitled to have their personal information:
Protected
Used in a fair and legal way
Made available to them when they ask for a copy
Corrected if they ask for the information to be corrected
Kept for "lawful reasons" only.
Lawful reason
A Data Controller can only use or keep personal data where there is a lawful reason. The GDPR sets out six lawful reasons in Article 6:
Data subjects have given free and informed consent. Their consent cannot be assumed. This means that silence, pre-ticked boxes or inactivity cannot indicate consent. They must specifically agree to any proposed processing.
The processing is necessary to carry out a contract to which a data subject is a party, such as the delivery of a product.
The processing is necessary for the data controller to meet with a legal obligation, such as the mandatory collection of details for anti-money laundering or tax purposes.
The processing is necessary to protect the vital interests of the data subject or the vital interests of someone else, such as accessing medical records in an emergency.
The processing is necessary to perform a task carried out in the public interest or where the data controller has official authority, such as public security processing.
The processing is necessary in the legitimate interests of the processing organisation, if it does not conflict with the rights of the data subject.
Data controllers must provide information
Data subjects must be given enough information in simple and clear language to know what an organisation is going to do with their personal data. This is often found in privacy policies on websites or in forms which data subjects can read or sign in person. For instance, data subjects should be told:
The identity and contact details of the data controller or their EU representative
The contact details for the organisation or company’s Data Protection Officer
The reason for the intended processing and its legal basis
What ‘legitimate interest’ the data controller has in your personal data if they are relying on a ‘legitimate interest’ to process the data
Who will have access to your personal data
Whether your personal data may be transferred outside the EU and if so, the data safeguards in that country
How long your personal data will be stored or how that time period will be decided
Whether you are required by law or a contract to provide your personal data and the consequences of not providing it
If your personal data will be subject to any automated decision-making (decisions made by computer with no human input) or profiling processes
Personal data rights
The organisation should also tell data subjects about their rights, including their right to:
Request access to their data
Ask for their data to be corrected
Ask for their data to be erased
Ask for their data to be restricted
Object to their data being processed
Receive the data held in a form which allows them to transfer it to another person
Withdraw consent if consent is the basis for their personal data being processed
Lodge a complaint
In general, only personal data necessary for those stated purposes for which it is collected should be collected and processed. Personal data should only be kept for as long as is necessary for the purpose for which it was collected.
While it is being stored or processed, personal data must be kept safe, and policies and procedures must be in place to make sure that there is no unauthorised access.
Special categories of data and limits on processing
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
Personal data revealing racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
Data concerning health.
Data concerning a natural person’s sex life or sexual orientation.
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR. Paragraph 2 (d) allows that when ‘… processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects …’, then this data can be processed.
Some types of processing fall outside the GDPR, such as processing by An Garda Síochána in the context of criminal investigations and prosecutions and the processing of passenger name records to prevent terrorist activities.
Where the GDPR applies
The GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.
Application to Safeguarding Practice
Garda Vetting & Data Protection
§1 A vetting application involves the transmission of sensitive personal data (see Appendix III Data Protection). There must be a lawful basis or legal justification for requiring or processing such data. The GNVB does not accept applications in respect of work which is not “relevant work” as defined in the Vetting Act and the Liaison Officer of a registered organisation is required to reject such applications.
§2 The Prelature in Ireland will not request a prospective volunteer or employee to make an application to obtain a vetting disclosure unless the proposed work relates to an identified statutory category of “relevant work”, which in the case of the Prelature would be “advancement of religious beliefs to children”.
§3 A Data Commission Guidance Note provides background information on the type of information that can be included in a vetting disclosure and sets out data protection considerations for organisations carrying out Garda vetting. The note also outlines some of the data protection rights of individuals undergoing vetting.
Shared Vetting Agreements
§1 In accordance with the data protection principle of purpose limitation set down in Article 5(1)(b) GDPR, vetting disclosures may only be used for the purpose for which they were provided to an organisation and vetting disclosures should not be shared with any other organisation.
§2 The sole exception to this is where relevant organisations have a joint employment agreement in writing in accordance with Section 12(3A) of the National Vetting Bureau Act.
► Indicator S1.B | Page S-21 to 22 | Template 1A: Service Level Agreement to Share Vetting Information and Template 1B: Consent to Share Vetting Information (for use only in the Republic of Ireland)
§3 Service Level Agreements to Share Vetting Information may be drawn up between Church bodies to reduce the duplication of applications in respect of the same applicant for similar work. A vetting applicant must give permission for a vetting disclosure from the GNVB to be shared with named persons for the purposes of the Vetting Act.
Article 5 of GDPR requires consideration of the following principles prior to making a decision to share information:
Lawfulness, fairness and transparency: Personal data shall be processed in a manner which is lawful, fair, and transparent;
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accuracy: personal data shall be accurate and, where necessary, kept up to date;
Storage limitation: Securely destroy personal data when it is no longer required;
Integrity and confidentiality: Have strict access and security controls to ensure the appropriate security of the personal data.
Article 6 of GDPR requires that:
You need to make clear to individuals that their data may be shared and for what purpose;
You need to be proportionate in terms of their application and the objective(s) to be achieved;
You are only allowed to share the minimum amount of data required to achieve the stated public service objective.
There should be a procedure for a data subject requesting access to their personal records. Children and adults have the same rights over their personal data. These include the rights to access their personal data; request rectification; object to processing; and have their personal data erased.
CHILD for the purposes of the GDPR
The Act provides that references to “child” in the GDPR shall be taken to refer to a person under 18 years of age.
DIGITAL AGE OF CONSENT
The Act provides that 16 years is the minimum age at which a child may consent to the processing of their personal data by information society service providers. The consent of the child’s parent or guardian will be required by information society service providers for children under that age.
MICRO-TARGETING AND PROFILING OF CHILDREN
The Act provides that it will be an offence, punishable by an administrative fine, for a company to process the personal data of a child under 18 years of age for the purposes of direct marketing, profiling or micro-targeting.
CODES OF CONDUCT: CHILDREN
The Act requires the DPC to encourage associations and other bodies representing categories of controllers or processors to draw up codes of practice to contribute to the proper application of the GDPR with regard to the protection of children, the manner in which the consent of holders of parental responsibility over a child is to be obtained by information society services providers, and with regard to the processing of children’s data for direct marketing and profiling purposes.
RIGHT TO BE FORGOTTEN: CHILDREN
The Act provides a specific right to erasure for children of personal data collected in relation to the offer of information society services.
DATA PROTECTION OFFICERS
The Act allows the Minister, in consultation with the DPC, to extend the categories of controllers and processors that are required to designate a data protection officer, as permitted by Article 34(7) of the GDPR (section 34).
DATA PROCESSING AND FREEDOM OF EXPRESSION
The GDPR requires Member States to reconcile an individual’s right to data protection with the right to freedom of expression and information (including processing for journalistic purposes, or for the purposes of academic, artistic or literary expression). The Act provides that processing carried out for the purpose of exercising the right to freedom of expression and information shall be exempt from specified provisions of the GDPR, insofar as compliance with those provisions would be incompatible with such purposes. The Act provides that the right to freedom of expression shall be interpreted in a broad manner (section 43).
SUITABLE AND SPECIFIC MEASURES FOR PROCESSING
The Act requires certain processing activities to be subject to the implementation of “suitable and specific measures” to safeguard the fundamental rights and freedoms of data subjects. Section 36 of the Act contains a “toolbox” of measures for application in such cases (e.g. strict time limits for erasure of personal data or specific targeted training for those involved in processing operations).
PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES
The Act gives effect to Article 10 of the GDPR, which permits personal data relating to criminal convictions and offences to be processed under the control of official authority or for specified purposes under national law. The Act provides examples of processing under official authority (e.g. for the administration of justice) and specifies five purposes where processing is permitted under the Act, including:
where the data subject has given explicit consent;
where the processing is necessary for the performance of a contract to which the data subject is a party;
for the purpose of legal advice, legal proceedings or defending legal claims;
to prevent injury or other damage to the data subject or another person or loss or damage to property, or
further to Ministerial regulations or other statute.
This provision is without prejudice to the provisions of the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (section 55).
RESTRICTIONS ON INDIVIDUALS’ RIGHTS
Article 23 of the GDPR permits Member States to restrict the exercise of individuals’ rights and controllers’ obligations in certain circumstances, for the purpose of safeguarding important objectives of general public interest. Section 60 of the Act provides that individuals’ rights and controllers’ obligations are restricted to the extent necessary and proportionate, inter alia, to protect personal data relating to a data subject which consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential.
NEW REGULATORY FRAMEWORK
The Act contains twenty-five sections dealing with the DPC’s enforcement and investigation powers (Part 6, Chapters 2, 4 & 5), along with additional provisions dealing with administrative fines and criminal offences (Part 6, Chapters 6 & 7). These lengthy provisions reflect the fact that the DPC now wields a powerful array of corrective powers.
HANDLING COMPLAINTS
The Act grants the DPC more discretion in regard to handling complaints from data subjects, or not-for-profit bodies acting on their behalf (Chapter 2). The Act requires the DPC to examine all complaints and to take such action as it considers appropriate, having regard to the nature and circumstances of the complaint. The DPC can only refuse to act on a complaint when it is manifestly unfounded or excessive, in particular because of its repetitive character which shall apply only in the narrowest of circumstances (Article 57(4) GDPR).
AMICABLE RESOLUTION
If the DPC considers there is a “reasonable likelihood” of the parties reaching an amicable resolution of the complaint, the DPC may arrange or facilitate such a resolution. Once a resolution has been reached, the complaint will be deemed to have been withdrawn by the complainant, and no formal statutory decision will be required.
OTHER ACTIONS
Where the DPC considers that an amicable resolution cannot be reached in the case of a domestic complaint, it must take one or more of the following actions (section 109):
Reject the complaint
Dismiss the complaint
Provide advice to the data subject in relation to the complaint
Serve an enforcement notice requiring the controller or processor to take certain actions to comply with data protection law
Conduct an inquiry into the complaint (i.e. investigate the complaint), or
Take such other action as it considers appropriate.
CONDUCTING AN INQUIRY
The DPC may conduct an inquiry into a suspected infringement arising out of a complaint, or an inquiry of the DPC’s own volition (there is no requirement to establish a probable cause). In conducting its inquiry, the DPC may exercise any of its powers under Part 6, Chapter 4 (other than the power to require an expert report pursuant to section 135) and/or carry out an investigation under Chapter 5 (section 110).
REPRESENTATION OF DATA SUBJECTS
The Act permits a mandated not-for-profit body to bring a representative action on behalf of a data subject seeking injunctive relief or compensation for material or non-material damage suffered as a result of an infringement of data protection law (section 117). It remains to be seen whether this means not-for-profit bodies will be able to take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law. The Act does not address how the rules in relation to legal costs will apply to actions taken by not-for-profit bodies. Guidance will be needed on whether a court can award costs against a data subject as well as the not-for-profit body in the event of an unsuccessful civil claim.
CRIMINAL OFFENCES
The Act sets out a number of criminal offences, including:
Enforced Access Requests – It is an offence for a potential or current employer to require a data subject to make a data access request to a specified person or to require a data subject to supply any information obtained as a result of such a request (section 4).
Unauthorised disclosure by processor – It is an offence for a processor, or an employee or agent of the processor, to knowingly or recklessly disclose personal data being processed on behalf of a controller without the prior authority of the controller, unless the disclosure is required or authorised by any enactment, rule of law or court order (section 144).
Disclosure of personal data obtained without authority – It is an offence for a person to obtain and disclose personal data to a third party without the prior authority of the controller or processor, unless the disclosure is required or authorised by any enactment, rule of law or court order. It is also an offence for a person to sell or offer to sell personal data that were unlawfully disclosed to or obtained by him/her (section 145).
Offences by directors etc. of bodies corporate – Where an offence under the Act is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, a person being a director, manager, secretary, or other officer of that body, or a person purporting to act in such capacity, that person, as well as the body corporate, shall be guilty of the offence and liable to be punished as if he/she were guilty of the first-mentioned offence (section 46).
Knowingly or recklessly processing data relating to criminal convictions or offences – It is an offence to knowingly or recklessly process personal data relating to criminal convictions or offences in contravention of the processing conditions set down in the Act (section 55(8)).
PUBLICATION OF CONVICTIONS, SANCTIONS ETC.
The Act requires the DPC to publish particulars of convictions, and any exercise of its powers to impose fines or order the suspension of non-EEA transfers, or court orders suspending, restricting or prohibiting data processing operations. It is a matter for the DPC to decide whether to publish particulars of the exercise of its other corrective powers.