Data Protection Legislation
The EU adopted a new set of data protection rules - the General Data Protection Regulation (GDPR) - which introduced substantial changes to European data protection law, along with severe financial penalties for non-compliance. GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
The Data Protection Act 2018 (RoI) was signed into law on 24 May 2018, and some of the provisions came into effect on 25 May 2018, to coincide with the coming into force of the GDPR.
From May 25th, 2018 the key legislative frameworks in the Republic of Ireland are:
General Data Protection Regulation (GDPR)
Data Protection Act 2018
The ‘Law Enforcement Directive’ (Directive (EU) 2016/680) which has been transposed into Irish law by way of the Data Protection Act 2018
The Data Protection Acts 1988 and 2003
The 2011 ‘e-Privacy Regulations’ (S.I. No. 336 of 2011 – the European Communities (Electronic Communications Networks and Services) (Privacy And Electronic Communications) Regulations 2011)
The Data Protection Commission (DPC) is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.
Data Protection Glossary
Personal data
is information that relates to, or can identify you, either by itself or together with other available information. Personal data can include:
Your name
Your address
Your contact details
Identification numbers (for example your PPS number)
Your IP address (this is your internet address)
CCTV footage
Access cards
Audio-visual or audio recordings of you
Location data
Data subject
Under data protection law, if a person, organisation or company is holding or using your personal data, you are known as a data subject.
Data controller
A data controller is responsible for the keeping and use of personal information on computer or in structured manual files about living persons. Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. In practice, to find out who controls the contents and use of personal information stored, consider:
who decides what personal information is going to be kept?
who decides the use to which the information will be put?
If an entity controls and is responsible for the personal data which it holds, then it is a data controller. If, on the other hand, it holds the personal data, but some other entity decides and is responsible for what happens to the data, then that other entity is the data controller, and the holding entity is a "data processor". In case of doubt, consult a legal adviser or seek the advice of the Data Protection Commissioner.
Being a data controller carries with it serious legal responsibilities. All data controllers must comply with certain important rules about how they collect and use personal information. Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices.
Data processor
The data controller can allow another person, organisation or company, known as a data processor, to process personal data on its behalf. Doing anything with personal data, including storing it, is known as processing. Examples of data processors include payroll companies, accountants and market research companies, all of which hold or process personal information on behalf of someone else. "Cloud" providers are also generally Data Processors.
It is possible for one entity to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.
A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor.
Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. They must only process personal data on the instructions of the Data Controller. Their responsibilities chiefly concern keeping personal data secure from unauthorised access, disclosure, destruction or accidental loss.
Age of consent
The GDPR requires member states to set a digital age of consent. The digital age of consent is the minimum age a user must be before social media and internet companies can collect, process and store their data. The E.U. has set the age of consent to sixteen by default, and member states are given the option of adopting a lower age, but it may be no lower than thirteen years. In Ireland, the Digital Age of Consent was set at 16 in the Data Protection Act 2018.
Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority. An organisation is required to appoint a designated data protection officer (Article 37) where ... inter alia ... the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences.
The NBSCCCI Guidance in Appendix B (see Article 256) recommends that a Church Authority appoint a DPO.
The Article 29 Data Protection Working Party (WP29) – an advisory group made up of a representative from the Data Protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission – has published guidance on the interpretation of the words "core activities" and "large scale". Thus, a bank or insurance company processing customer data in the regular course of its business should be considered large scale, but the processing of patient data by a single GP should not.
The processing of personal data is not in any sense a "core activity" of the NWE Region of the Prelature, in Ireland or elsewhere. Unlike, for example, a diocese, the instances in which Article 9 categories of data have to be processed are few and far between. Accordingly, the Prelature in Ireland does not require the formal appointment of a DPO. The Safeguarding Coordinator will supervise the compliance of the Prelature with the requirements of GDPR in its activities.
General data protection principles
Data protection
Data subjects are entitled to have their personal information:
Protected
Used in a fair and legal way
Made available to them when they ask for a copy
Corrected if they ask for the information to be corrected
Kept for "lawful reasons" only
Lawful reason
A Data Controller can only use or keep personal data where there is a lawful reason. The GDPR sets out six lawful reasons in Article 6:
Data subjects have given free and informed consent. Their consent cannot be assumed. This means that silence, pre-ticked boxes or inactivity cannot indicate consent. They must specifically agree to any proposed processing.
The processing is necessary to carry out a contract to which a data subject is a party, such as the delivery of a product.
The processing is necessary for the data controller to meet with a legal obligation, such as the mandatory collection of details for anti-money laundering or tax purposes.
The processing is necessary to protect the vital interests of the data subject or the vital interests of someone else, such as accessing medical records in an emergency.
The processing is necessary to perform a task carried out in the public interest or where the data controller has official authority, such as public security processing.
The processing is necessary in the legitimate interests of the processing organisation, if it does not conflict with the rights of the data subject.
Data controllers must provide information
Data subjects must be given enough information in simple and clear language to know what an organisation is going to do with their personal data. This is often found in privacy policies on websites or in forms which data subjects can read or sign in person. For instance, data subjects should be told:
The identity and contact details of the data controller or their EU representative
The contact details for the organisation or company’s Data Protection Officer
The reason for the intended processing and its legal basis
What ‘legitimate interest’ the data controller has in your personal data if they are relying on a ‘legitimate interest’ to process the data
Who will have access to your personal data
Whether your personal data may be transferred outside the EU and if so, the data safeguards in that country
How long your personal data will be stored or how that time period will be decided
Whether you are required by law or a contract to provide your personal data and the consequences of not providing it
If your personal data will be subject to any automated decision-making (decisions made by computer with no human input) or profiling processes
Personal data rights
The organisation should also tell data subjects about their rights, including their right to:
Request access to their data
Ask for their data to be corrected
Ask for their data to be erased
Ask for their data to be restricted
Object to their data being processed
Receive the data held in a form which allows them to transfer it to another person
Withdraw consent if consent is the basis for their personal data being processed
Lodge a complaint
In general, only personal data necessary for those stated purposes for which it is collected should be collected and processed. Personal data should only be kept for as long as is necessary for the purpose for which it was collected.
While it is being stored or processed, personal data must be kept safe, and policies and procedures must be in place to make sure that there is no unauthorised access.
Special categories of data and limits on processing
Certain types of sensitive personal data are subject to additional protection under the GDPR. These are listed under Article 9 of the GDPR as “special categories” of personal data. The special categories are:
Personal data revealing racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data and biometric data processed for the purpose of uniquely identifying a natural person.
Data concerning health.
Data concerning a natural person’s sex life or sexual orientation.
Processing of these special categories is prohibited, except in limited circumstances set out in Article 9 of the GDPR. Paragraph 2 (d) allows that when ‘… processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects …’, then this data can be processed.
Some types of processing fall outside the GDPR, such as processing by An Garda Síochána in the context of criminal investigations and prosecutions and the processing of passenger name records to prevent terrorist activities.
Where the GDPR applies
The GDPR applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR also applies to the processing of personal data of individuals in the EU by a controller or processor established outside the EU, where those processing activities relate to offering goods or services to EU citizens or the monitoring of their behaviour.
Non-EU organisations processing the personal data of EU citizens must appoint a representative located in the EU.
Application to Safeguarding Practice
Excerpts from NBSCCCI GAP Paper 7
Article 5 of GDPR requires consideration of the following principles prior to making a decision to share information:
Lawfulness, fairness and transparency: Personal data shall be processed in a manner which is lawful, fair, and transparent;
Purpose limitation: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
Accuracy: personal data shall be accurate and, where necessary, kept up to date;
Storage limitation: Securely destroy personal data when it is no longer required;
Integrity and confidentiality: Have strict access and security controls to ensure the appropriate security of the personal data.
Article 6 of GDPR requires that:
You need to make clear to individuals that their data may be shared and for what purpose;
You need to be proportionate in terms of their application and the objective(s) to be achieved;
You are only allowed to share the minimum amount of data required to achieve the stated public service objective.
There should be a procedure for a data subject requesting access to their personal records. Children and adults have the same rights over their personal data. These include the rights to access their personal data; request rectification; object to processing; and have their personal data erased.
Excerpts from a general briefing on GDPR published (2018) by A&L Goodbody, Solicitors.
CHILD FOR THE PURPOSES OF THE GDPR
The Act provides that references to “child” in the GDPR shall be taken to refer to a person under 18 years of age.
DIGITAL AGE OF CONSENT
The Act provides that 16 years is the minimum age at which a child may consent to the processing of their personal data by information society service providers. The consent of the child’s parent or guardian will be required by information society service providers for children under that age.
MICRO-TARGETING AND PROFILING OF CHILDREN
The Act provides that it will be an offence, punishable by an administrative fine, for a company to process the personal data of a child under 18 years of age for the purposes of direct marketing, profiling or micro-targeting.
CODES OF CONDUCT: CHILDREN
The Act requires the DPC to encourage associations and other bodies representing categories of controllers or processors to draw up of codes of practice to contribute to the proper application of the GDPR with regard to the protection of children, the manner in which the consent of holders of parental responsibility over a child is to be obtained by information society services providers, and with regard to the processing of children’s data for direct marketing and profiling purposes.
RIGHT TO BE FORGOTTEN: CHILDREN
The Act provides a specific right to erasure for children of personal data collected in relation to the offer of information society services.
DATA PROTECTION OFFICERS
The Act allows the Minister, in consultation with the DPC, to extend the categories of controllers and processors that are required to designate a data protection officer, as permitted by Article 34(7) of the GDPR (section 34).
DATA PROCESSING AND FREEDOM OF EXPRESSION
The GDPR requires Member States to reconcile an individual’s right to data protection with the right to freedom of expression and information (including processing for journalistic purposes, or for the purposes of academic, artistic or literary expression). The Act provides that processing carried out for the purpose of exercising the right to freedom of expression and information shall be exempt from specified provisions of the GDPR, insofar as compliance with those provisions would be incompatible with such purposes. The Act provides that the right to freedom of expression shall be interpreted in a broad manner (section 43).
SUITABLE AND SPECIFIC MEASURES FOR PROCESSING
The Act requires certain processing activities to be subject to the implementation of “suitable and specific measures” to safeguard the fundamental rights and freedoms of data subjects. Section 36 of the Act contains a “toolbox” of measures for application in such cases (e.g. strict time limits for erasure of personal data or specific targeting training for those involved in processing operations).
PROCESSING OF PERSONAL DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES
The Act gives effect to Article 10 of the GDPR, which permits personal data relating to criminal convictions and offences to be processed under the control of official authority or for specified purposes under national law. The Act provides examples of processing under official authority (e.g. for the administration of justice) and specifies five purposes where processing is permitted under the Act, including:
where the data subject has given explicit consent;
where the processing is necessary for the performance of a contract to which the data subject is a party;
for the purpose of legal advice, legal proceedings or defending legal claims;
to prevent injury or other damage to the data subject or another person or loss or damage to property, or
further to Ministerial regulations or other statute.
This provision is without prejudice to the provisions of the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (section 55).
RESTRICTIONS ON INDIVIDUALS’ RIGHTS
Article 23 of the GDPR permits Member States to restrict the exercise of individuals’ rights and controllers’ obligations in certain circumstances, for the purpose of safeguarding important objectives of general public interest. Section 60 of the Act provides that individuals’ rights and controllers’ obligations are restricted to the extent necessary and proportionate, inter alia, to protect personal data relating to a data subject which consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential.
NEW REGULATORY FRAMEWORK
The Act contains twenty-five sections dealing with the DPC’s enforcement and investigation powers (Part 6, Chapters 2, 4 & 5), along with additional provisions dealing with administrative fines and criminal offences (Part 6, Chapters 6 & 7). These lengthy provisions reflect the fact that the DPC now wields a powerful array of corrective powers.
HANDLING COMPLAINTS
The Act grants the DPC more discretion in regard to handling complaints from data subjects, or not-for-profit bodies acting on their behalf (Chapter 2). The Act requires the DPC to examine all complaints and to take such action as it considers appropriate, having regard to the nature and circumstances of the complaint. The DPC can only refuse to act on a complaint when it is manifestly unfounded or excessive, in particular because of its repetitive character which shall apply only in the narrowest of circumstances (Article 57(4) GDPR).
AMICABLE RESOLUTION
If the DPC considers there is a “reasonable likelihood” of the parties reaching an amicable resolution of the complaint, the DPC may arrange or facilitate such a resolution. Once a resolution has been reached, the complaint will be deemed to have been withdrawn by the complainant, and no formal statutory decision will be required.
OTHER ACTIONS
Where the DPC considers that an amicable resolution cannot be reached in the case of a domestic complaint, it must take one or more of the following actions (section 109):
Reject the complaint
Dismiss the complaint
Provide advice to the data subject in relation to the complaint
Serve an enforcement notice requiring the controller or processor to take certain actions to comply with data protection law
Conduct an inquiry into the complaint (i.e. investigate the complaint), or
Take such other action as it considers appropriate.
CONDUCTING AN INQUIRY
The DPC may conduct an inquiry into a suspected infringement arising out of a complaint, or an inquiry of the DPC’s own volition (there is no requirement to establish a probable cause). In conducting its inquiry, the DPC may exercise any of its powers under Part 6, Chapter 4 (other than the power to require an expert report pursuant to section 135) and/or carry out an investigation under Chapter 5 (section 110).
REPRESENTATION OF DATA SUBJECTS
The Act permits a mandated not-for-profit body to bring a representative action on behalf of a data subject seeking injunctive relief or compensation for material or non-material damage suffered as a result of an infringement of data protection law (section 117). It remains to be seen whether this means not-for-profit bodies will be able to take class actions on behalf of multiple data subjects for breaches of the GDPR, as such actions are not currently permitted under Irish law. The Act does not address how the rules in relation to legal costs will apply to actions taken by not-for-profit bodies. Guidance will be needed on whether a court can award costs against a data subject as well as the not-for-profit body in the event of an unsuccessful civil claim.
CRIMINAL OFFENCES
The Act sets out a number of criminal offences, including:
Enforced Access Requests – It is an offence for a potential or current employer to require a data subject to make a data access request to a specified person or to require a data subject to supply any information obtained as a result of such a request (section 4).
Unauthorised disclosure by processor – It is an offence for a processor, or an employee or agent of the processor, to knowingly or recklessly disclose personal data being processed on behalf of a controller without the prior authority of the controller, unless the disclosure is required or authorised by any enactment, rule of law or court order (section 144).
Disclosure of personal data obtained without authority – It is an offence for a person to obtain and disclose personal data to a third party without the prior authority of the controller or processor, unless the disclosure is required or authorised by any enactment, rule of law or court order. It is also an offence for a person to sell or offer to sell personal data that were unlawfully disclosed to or obtained by him/her (section 145).
Offences by directors etc. of bodies corporate – Where an offence under the Act is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of a person being a director, manager, secretary, or other officer of that body, or a person purporting to act in such capacity, that person, as well as the body corporate shall be guilty of the offence and liable to be punished as if he/she were guilty of the first-mentioned offence (section 46).
Knowingly or recklessly processing data relating to criminal convictions or offences – It is an offence to knowingly or recklessly process personal data relating to criminal convictions or offences in contravention of the processing conditions set down in the Act (section 55(8)).
PUBLICATION OF CONVICTIONS, SANCTIONS ETC.
The Act requires the DPC to publish particulars of convictions, and any exercise of its powers to impose fines or order the suspension of non-EEA transfers, or court orders suspending, restricting or prohibiting data processing operations. It is a matter for the DPC to decide whether to publish particulars of the exercise of its other corrective powers.