
Upload: eamonnoragh

Post on 18-Nov-2014


Description: The Data Protection Act - Key Points

Page 1: The Data Protection Act – What You Need To Know

The Data Protection Act – What you need to know © Eamonn O’Raghallaigh 2010

TABLE OF CONTENTS

INTRODUCTION ..... 2
THE RIGHT TO PRIVACY ..... 2
THE DATA PROTECTION ACTS, 1988 AND 2003 ..... 3
  Key Definitions of the Act ..... 3
  Obligations under the Act ..... 5
  Principles Relating to Obtaining and Processing Personal Data ..... 6
RIGHTS OF DATA SUBJECTS ..... 7
  Right to Access ..... 7
    Case Study: Failure to comply with an access request ..... 8
  Right to be Informed of Data Being Kept ..... 9
  Right to prevent data being used for the purposes of direct marketing ..... 10
  Right of blocking or erasure ..... 10
  Right to prevent processing where it might cause damage or distress ..... 10
DATA PROTECTION AND ELECTRONIC COMMUNICATIONS ..... 10
  Case Study: Opera Telecom: Forced to delete database ..... 11
DATA PROTECTION AND CCTV ..... 12
  Case Study: Gresham Hotel breaches DP law in regard to use of covert CCTV footage ..... 13
REMEDIES ..... 14
REFERENCES ..... 14

Page 2: The Data Protection Act   What You Need To Know

INTRODUCTION

The security of personal data and the protection of the rights of individuals whose personal data is stored have become important issues in the current knowledge-based society. The storage of personal data is now ubiquitous, whether by service companies, governmental agencies and departments, telecoms providers, internet service providers or retail organizations. The potential for abuse and misuse of personal data is significant, hence the existence of legislation in Ireland to protect this data and the rights of individuals whose data is stored by third parties. Two acts of the Oireachtas were enacted for this purpose, namely the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003.

The Data Protection Act 1988 is “an act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on the 28th day of January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically.” The 1988 Act was amended in 2003 to bring it into line with EU Directive 95/46/EC; the amending Act is “an act to give effect to directive 95/46/EC of the European parliament and of the council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, for that purpose to amend the data protection act 1988 and to provide for related matters.” (www.irishstatutebook.ie)

THE RIGHT TO PRIVACY

Data Protection relates to every citizen’s fundamental right to privacy. Although this right was not set out in the Irish Constitution of 1937, it has been recognized by the courts. The right to privacy was discovered in an Irish context in McGee v Attorney General [1974] IR 284 and most notably recognized by the High Court in Kennedy & Arnold v Ireland [1987] IR 587. The former case was argued under the Unenumerated Rights Doctrine: although the Constitution does not expressly set out a right to privacy, it is a right that was established by the Christian and democratic nature of the State. The court stated that “The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State… The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This cannot be ensured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with.”

The right to privacy was enacted into Irish domestic law by the European Convention on Human Rights Act 2003, which incorporated the European Convention on Human Rights. Article 8 of the Convention provides that: “Everyone has the right to respect for his private and family life, his home and correspondence.”

THE DATA PROTECTION ACTS, 1988 AND 2003

Key Definitions of the Act

a. Automated data means information that is processed by means of equipment operating automatically in response to instructions given for that purpose or is recorded with the intention that it should be processed by means of such equipment.

b. Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.

c. Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

d. Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

e. Sensitive personal data means personal data as to –
   i. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
   ii. whether the data subject is a member of a trade union,
   iii. the physical or mental health or condition or sexual life of the data subject,
   iv. the commission or alleged commission of any offence by the data subject, or
   v. any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

f. Data subject is an individual who is the subject of personal data.

g. Data controller is a person who (either alone or with others) controls the contents and use of personal data.

h. Data processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.

i. Disclosure – in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.

j. Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including –
   i. obtaining, recording or keeping the information or data,
   ii. collecting, organizing, storing, altering or adapting the information or data,
   iii. retrieving, consulting or using the information or data,
   iv. disclosing the information or data by transmitting, disseminating or otherwise making it available, or
   v. aligning, combining, blocking, erasing or destroying the information or data, and cognate words shall be construed accordingly.

(www.irishstatutebook.ie)

Obligations under the Act

The purpose of the Data Protection Act (DPA) is to protect against the invasion of privacy of personal information. The Data Controller (i.e. the person who controls the content and use of personal data) holds the responsibilities under the Act. A data processor is distinct: a person who processes data on behalf of a data controller, not including an employee of the data controller.

The DPA does not apply to data:

a. which in the opinion of the Minister is kept for safeguarding the security of the State
b. which must legally be made public
c. which is kept only for the purpose of managing personal or household affairs
d. which is kept for recreational purposes
e. which is kept solely for historical research, e.g. archives

Jurisdiction: A data controller will be subject to this legislation only if the data controller is established in the State and the data is processed in the context of that establishment. There are special provisions for the telecommunication of data within the European Union and the European Economic Area. However, the Act will also apply to a data controller established outside that area if it uses equipment in the State for processing other than for the purpose of transit through the territory of the State. Persons deemed to be established in the State include:

a. individuals normally resident in the State
b. a body incorporated under the law of the State
c. a partnership or other unincorporated association formed under the law of the State, and
d. a person who does not fall within subparagraphs a, b and c of this paragraph, but maintains in the State –
   i. an office, branch or agency through which he or she carries on any activity, or
   ii. a regular practice

(www.irishstatutebook.ie)

Principles Relating to Obtaining and Processing Personal Data

The DPA represents a code of practice and ethics which relates to the collection, processing and storage of personal data in a fair and just manner. The main principles are as follows:

a. Data must be obtained and processed fairly – A certain degree of transparency is required in relation to the data’s collection and processing. Where the data is obtained from the subject directly, the data controller must make his identity known, as far as is practicable.
b. Data must not be disclosed or processed in a manner for which it is not intended – There is an onus on the Data Controller to ensure that no unlawful processing occurs.
c. Data must only be kept for one or more specified lawful purposes – The data obtained should be relevant, and must also be adequate but not excessive for the purpose for which it was obtained.
d. Data must be kept safe and secure – There is an onus on the data controller to prevent unauthorised access to the subject’s personal data.
e. Data must be kept up to date and accurate – There is a clear duty to ensure the data is complete, accurate and up-to-date; this is intended to prevent misleading information being held or misrepresentation of the data subject.
f. Data must only be kept for as long as is necessary.
g. A copy of the personal data must be given to the individual it pertains to on request.

There are special provisions made under the Act with regard to the processing of Sensitive Personal Data; this data is subject to tighter control and all Data Controllers of such data must be registered with the Data Commissioner. This is a particularly high duty to maintain the privacy and security of data relating to:

a. the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,
b. whether the data subject is a member of a trade union,
c. the physical or mental health or condition or sexual life of the data subject,
d. the commission or alleged commission of any offence by the data subject, or
e. any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings (www.irishstatutebook.ie)

RIGHTS OF DATA SUBJECTS

Right to Access

One of the most practical implications of the DPA is the right of data subjects to access personal data held about them by data controllers. The time limit for compliance with an access request is 40 days, after which the subject can lodge a complaint with the Data Commissioner, who may or may not investigate the case, based upon the facts of the matter. With appropriate notice in writing, and the payment of a nominal fee of €6 to cover costs associated with complying with the access request, the data subject can:

i. Be given a description of the categories of data which are being processed
ii. Be informed of the purpose of the processing
iii. Be informed of the recipients or categories of recipients to whom the data is or may be disclosed
iv. Be provided with an intelligible copy or explanation of the information held by the controller

Exceptions to the Right of Access do exist, as follows:

a. An employer is not obliged to disclose information kept for the purpose of preventing, detecting or investigating offences or apprehending or prosecuting purported offenders
b. Information may be kept undisclosed if this is for the purpose of assessing or collecting taxes or duties or for the calculation of damages or compensation in a claim against the data controller
c. Data relating to an individual should not be made available to that individual in response to a DPA access request if it would be likely to cause serious harm to the physical or mental health of the data subject

(www.irishstatutebook.ie)

Case Study: Failure to comply with an access request

The Data Commissioner received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child's personal data. The Commissioner commenced an investigation and established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child's family in August 2005. Prior to the complaint being submitted to the Commissioner, Caredoc's solicitors informed the legal representative for the child's family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.

In correspondence, the Commissioner was told that the access request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc's solicitors informed the Commissioner's Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. After lengthy correspondence back and forth, the Data Commissioner gave Caredoc's solicitors a final opportunity to respond to the key questions raised with them. They failed to respond and the Data Commissioner subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.

The Enforcement Notice required Caredoc, within a period of twenty-one days, to provide the solicitor of the child's family with the personal data relating to the attendance of the child at Caredoc's facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.

This case is a perfect example of the effectiveness of Data Protection legislation, as it allows members of the public, regardless of their status or access to legal advice, to request personal information for a maximum fee of €6.35 and to receive it. If they do not receive the information they have sought, they can complain to the Data Commissioner at no cost and the Commissioner will pursue the matter on their behalf (www.dataprotection.ie).

Right to be Informed of Data Being Kept

The DPA also makes provision for the right to be informed of data being kept. If a person suspects that another is keeping personal data about him or her, he or she may write to that person requesting to be informed as to whether any such data is being kept. If it is, then the individual must be given a description of the data and of the purpose for which it is kept, within 21 days of the request being made.

Right to prevent data being used for the purposes of direct marketing

The DPA also makes provision regarding the use of personal data for direct marketing purposes. It provides that where personal data is kept for the purpose of direct marketing and the relevant data subject requests in writing that the relevant data controller cease processing the data for that purpose, the data controller has 40 days to accede to such a request. The DPA also provides that the data controller must inform data subjects who are being targeted for direct marketing purposes of their right to object to such use of their personal data.

Right of blocking or erasure

The DPA also gives the data subject a right to have his or her personal data in the data controller’s possession rectified, erased or blocked if the data controller fails to comply with its duties under the Acts; the data controller has 40 days to accede to such a request.

Right to prevent processing where it might cause damage or distress

The DPA also entitles an individual, by notice in writing served on a data controller, to request the data controller to cease or not to commence processing of that individual’s personal data where such processing is likely to cause substantial damage or distress which is or would be unwarranted.

DATA PROTECTION AND ELECTRONIC COMMUNICATIONS

The Electronic Communications Regulations 2003, enacted by the Oireachtas to fulfil obligations under EU Directive 2002/58/EC, make provisions regarding direct marketing and unsolicited email (spam). Other issues provided for under the Regulations include the retention of telephone records and the storage of, and access to, information held on personal computers and terminals, for example ‘cookies’. The Regulations also restrict the ability of entities to use publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing.

These Regulations should prove particularly useful in deterring entities from sending unsolicited marketing communications via SMS or email. The Regulations prohibit:

(a) the use of automatic dialling machines, fax, email or SMS text messaging for direct marketing to individuals, unless the subscriber’s consent has been obtained in advance;
(b) the use of email, SMS text messaging, automatic dialling machines or fax for direct marketing to non-natural persons or businesses, if the subscriber has recorded its objection in the National Directory Database or has informed the sender that it does not consent to such messages; and
(c) the making of telephone calls for direct marketing to the line of a subscriber, if the subscriber has recorded its objection in the National Directory Database or has informed the sender that it does not consent to such messages.

Case Study: Opera Telecom: Forced to delete database

The Data Commissioner received a complaint from an individual regarding the receipt of an unsolicited SMS message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service. When the Commissioner investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages. During the investigation, the Commissioner discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. Conscious of the potential risk of misuse for direct marketing, the Commissioner initially requested in a letter to Opera Telecom that they delete the related database. When it did not comply with this request, the Commissioner used powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. Opera Telecom complied with the Enforcement Notice and deleted the database. This case demonstrates clearly that information collected for one purpose must not be used for another purpose unless the data subject was informed at the time of collection of such an intended use and given an opportunity to object (www.dataprotection.ie).

DATA PROTECTION AND CCTV

CCTV has become ubiquitous in society and it is difficult, especially in urban areas, to go anywhere without being captured on CCTV. To satisfy the right to access and disclosure of purpose, it is necessary for data controllers who use CCTV to inform those individuals captured on CCTV of the purpose for the collection of the data and the identity of the data controller. In practice, a sign detailing the presence of CCTV cameras for security, together with a contact number for the data controller, will satisfy the requirements of the Act.

In relation to the use of CCTV to identify disciplinary or other issues pertaining to employees, the Data Controller must inform the data subjects that the cameras are being used for these purposes. Cameras must be positioned only in public or sensitive areas; the placement of cameras in private staff areas may be seen as an excessive invasion of privacy.

In general, data from CCTV is stored for no longer than 28 days, after which it is recorded over or deleted. This is in line with the provisions of the DPA, which state that data “shall not be kept for longer than is necessary for the purposes for which it was obtained.” Data should be stored in a secure environment and access to the data should only be by authorized individuals.

Any individual whose image has been captured and recorded has a right to be given a copy of the information recorded. To access a copy of the information held by the data controller in such an instance, an application in writing must be made to the data controller, and in practical terms the location, date and time of the recording should be specified. The data controller may charge a nominal fee of up to €6.35 for responding to such a request and must respond within 40 days of the application. It is important to note that the data controller is obliged to obscure any identifiable data of other subjects who may be in the same recording.

Case Study: Gresham Hotel breaches DP law in regard to use of covert CCTV footage

The Data Commissioner received a complaint in October 2006 from a data subject regarding the unfair obtaining by her employer of her personal information and its subsequent use as evidence to terminate her employment. The data subject had been employed in a supervisory capacity at the Gresham Hotel in Dublin for a number of years. In January 2005 she was called to a meeting by hotel management, at which she was informed that covert cameras had been installed some time previously in the hotel for the purposes of an investigation. The investigation was initiated on foot of a complaint received by the hotel regarding cash handling at the bar. The data subject was not the subject of the investigation; she was not made aware of the investigation, nor was she informed of the covert CCTV recordings. At the meeting, the data subject was confronted with a series of questions and was asked to explain some of her actions which had been recorded by the covert cameras. Later in 2005, she was dismissed from her employment with the hotel. Evidence taken from the covert CCTV recordings was used in the decision to terminate the data subject’s employment. No criminal prosecution took place following the hotel’s investigation, nor was the data subject interviewed by An Garda Síochána.

Covert CCTV cameras had been installed to investigate specific incidents. The data subject was not the subject matter of this investigation. The personal data of the persons captured on the footage was obtained for one purpose – the investigation of specific incidents in the hotel. In the case of this data subject, her personal data was further processed in a manner incompatible with the original purpose. Furthermore, the data subject’s personal data was not processed in accordance with the requirements of ‘fair processing’, as she had not been informed by the data controller, at the time when the data controller first processed her data, of the purpose for which it intended to process her personal data. This constituted a breach of the Act. The Data Commissioner asked both parties concerned to consider an amicable resolution to the matter. Within a few weeks, a settlement was agreed between the parties. (www.dataprotection.ie)

REMEDIES

Remedies for data subjects under the DPA are limited – there is no legal remedy for the data subject if a data controller infringes section 2(1) of the Act, which pertains to the collection, processing and storage of data in a fair manner. If the Data Commissioner finds that an infringement has occurred, the Commissioner may require the data controller to take remedial action. In theory, there is the possibility of criminal sanction – if the data controller fails to take remedial action a fine of €100,000 may be imposed. However, in practice this is unlikely, as no notable prosecutions have occurred under the Act to date and the Act is more an instrument of threat than of action.

REFERENCES

The Data Protection Acts 1988 and 2003 | www.irishstatutebook.ie | Retrieved online: 6.4.2010 | http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html

The Office of the Data Commissioner | www.dataprotection.ie | Retrieved online: 6.4.2010 | http://www.dataprotection.ie/docs/Home/4.htm

McGee v Attorney General [1974] IR 284 | Supreme Court of Ireland Decisions (1974) | www.bailii.org | Retrieved online: 6.4.2010 | http://www.bailii.org/ie/cases/IESC/1973/2.html