Print

Billy Hawkes Data Protection CommissionerWhat are the Duties of a Data Controller

The following information comes from the office of the Data Protection Commissioner. 

A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation. If you are in any doubt, or are unsure about the identity of the data controller in any particular case, you should consult your legal adviser or seek the advice of the Data Protection Commissioner. 

In essence, you are a data controller if you can answer YES to the following question:- 

In practice, to find out who controls the contents and use of personal information kept, you should ask the following questions:- 

If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data contoller, and your organisation is a "data processor" (see below). 

Types of Data Controller 

Data controllers can be either individuals or "legal persons" such as companies, Government Departments and voluntary organisations. Examples of cases where the data controller is an individual include general practitioners, pharmacists, politicians and sole traders, where these individuals keep personal information about their patients, clients, constituents etc. 

Group companies and subsidiary companies 

It is common in the business world for a holding company to own one or more subsidiary companies. If personal data is flowing within the group of companies, who is the data controller? In answering this question, it should be noted that each company, whether it is a parent company or a subsidiary, is a distinct legal person with its own set of legal and data protection responsibilities. Each company within a group may therefore be a data controller in respect of the personal data which it has obtained and for which it is legally responsible; and it is necessary for each data controller to assess whether disclosures of personal data to other group companies are permissible. It is only in rare cases that two or more companies may properly exercise legal or de facto control and responsibility for a given set of personal data. In such cases, the companies are regarded as joint data controllers. 

Responsibilities of data controllers 

All data controllers must comply with certain important rules about how they collect and use personal information. 

Some data controllers must register annually with the Data Protection Commissioner, in order to make transparent their data handling practices. 

Data Processors 

As mentioned above, if you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a "data processor". Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else. 

It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies. 

A data processor is distinct from the data controller for whom they are processing the personal data. An employee of a data controller, or a section or unit within a company which is processing personal data for the company as a whole, is not a "data processor". However, someone who is not employed by the data controller, but is contracted to provide a particular data processing service (such as a tax adviser, or a telemarketing company used to manage customer accounts) would be a data processor. A subsidiary company owned by a data controller to process personal data on its behalf (for example to manage the payroll) is a distinct legal person and is a data processor. 

Responsibilities of data processors 

Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition, all data processors "whose business consists wholly or partly in processing personal data on behalf of data controllers" are required to register with the Data Protection Commissioner. 


 

Data Protection Rule 4 

Security of Personal Data 

"appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing" 

section 2(1)(d) of the Act 

The security of personal information is all-important. It will be more significant in some situations than in others, depending on such matters as confidentiality and sensitivity. High standards of security are, nevertheless, essential for all personal information. Both "data controllers" and "data processors" must meet the requirement to keep data secure. 

Appropriate security measures 

In determining what security measures should be put in place in order to satisfy the requirements of section 2(1)(d) a number of factors may be taken into consideration; 

Staff training and compliance 

A data controller or a data processor shall also ensure that staff are aware of the security measures. This requirement may be satisfied by having appropriate training in place. 

They are also responsible for ensuring that staff comply with these measures. This requirement may be satisfied by the automatic generation of audit trails or logs, combined with some form of internal audit or review procedure. 

The use of Data Processors 

If a data controller uses a third party to process data, the processing of such data should be covered by contract. This contract should stipulate at least the following: 

For more information on security requirements


Keeping Personal Data Secure: Test Yourself 

As a minimum standard, you should be able to answer YES to the following questions:-

 

 

Practical steps

 

Compile a checklist of security measures for your own systems.

 

Some Case Studies relevant to this topic:

 

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

 

CASE STUDY 3/01 - Employee performance ratings disclosed to other staff - inadequate security

 

CASE STUDY 6/00 - Financial institutions - Laser card - printing of home address on receipts - incompatible disclosure - adequate security

 

CASE STUDY 2/99 — life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures

 

CASE STUDY 1/98 — employee data - appropriate security measures - disclosure

 

CASE STUDY 6/96 — inadequate security - position of computer screen in public area

 

 

 


 

The Medical and Health Sector

 

The Data Protection Rules in Practice

 

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care. This tradition of confidentiality is in line with the requirements of the Data Protection Acts 1988 & 2003, under which personal data must be obtained for a specified purpose, and must not be disclosed to any third party except in a manner compatible with that purpose.

 

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data. The questions and answers set out below shed some light on the considerations for this sector. The issues raised in this section are dealt with in a general fashion. The Data Protection Commmissioner recognises that it would be preferable for comprehensive and carefully thought-through guidelines to be designed by the appropriate representative bodies in this sector, by way of statutory codes of practice.

 

 

I am a general practitioner: can my locum access my patient records?

 

Yes. The Data Protection Commissioner’s view is that making clinical patient records available to a locum doctor, so that the locum may provide medical care to patients, is compatible with the purpose for which the GP keeps the patient record.

 

Should my secretary or office manager be allowed access to my patient records?

 

Yes, although only to the extent necessary to enable the secretary or manager to perform their functions. Non-medical professionals should have no need to access clinical material or medical notes, as distinct from administrative details (such as patients' names and addresses). The patient is entitled to an assurance that their medical information will be treated on a need-to-know basis.

 

Do I need to obtain patients’ explicit permission before storing their medical details?

 

As a general rule, no. The Commissioner’s view is that the patient’s consent for the storage and use of their personal data is implicit in the fact that they come to you, as a medical professional, for help. However, it is good practice to inform people that you will keep their details, and to inform them of what use will be made of their data. Section 2(b)(vii) allows for the processing of sensitive data for medical purposes by health professionals.  In addition, you will need to obtain clear consent for some uses of personal data which might not be obvious to the patient (see below), and be for a non-medical purpose.

 

Can I pass patient details on to another health professional for clinical purposes?

 

If you are passing patient data on to a person or body acting in an agency capacity for you - such as a clinical laboratory - then this is not a "disclosure" under the Data Protection Act, and the Commissioner does not insist on specific patient consent in such cases. However, you should inform the patient in advance that their data will be used in this way.

 

If you are passing the patient data to another health professional for guidance and advice on clinical issues, the patient data should be kept anonymous. If you wish to pass on the full patient data, including identifying details, you will need the consent of the patient in advance, except in cases of urgent need.

 

Can I pass patient data to the Health Boards or other bodies for administrative purposes?

 

You can pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data.

 

What if I need to disclose patient data, and I don't have the time to obtain consent?

 

If patient details are urgently needed to prevent injury or other damage to the health of a person, then you may disclose the details. Section 8(d) of the Acts makes special provision for such disclosures. However, if the reason for the disclosure is not urgent, then you will need to obtain consent in advance.

 

 

 


 

Can I use patient data for research or statistical purposes?

 

Ideally you should make patients aware in advance if you intend to use their data for your own research purposes. However, the Acts provide that such uses of personal data are permitted, even where the patient was not informed in advance, provided that no damage or distress is likely to be caused to the individual.

 

Can I disclose patient data to others for research or statistical purposes?

 

You may pass on anonymised or aggregate data, from which individual patients cannot be identified. Ideally, you should inform patients in advance of such uses of their personal data. If you wish to pass on personal data, including identifying details, you will need to obtain patient consent in advance.

 

Cancer research and screening is an exception to this rule. Under the Health (Provision of Information) Act, 1997, any person may provide any personal information to the National Cancer Registry Board for the purpose of any of its functions; or to the Minister for Health or any body or agency for the purpose of compiling a list of people who may be invited to participate in a cancer screening programme which is authorised by the Minister.

 

If I may only disclose anonymised data for research purposes, how can the researchers avoid duplication of data in respect of the same individual?

 

Researchers who obtain anonymised patient data are sometimes faced with the problem that they may be dealing with two or more data-sets from the same individual, received from different sources. To address this problem, it may be permissible for a data controller (such as a doctor) to make available anonymous data together with a unique coding, which falls short of actually identifying the individual to the researcher. For example, a data controller might "code" a unique data-set using a patient’s initials and date-of-birth. The essential point is that the researcher should not be in a position to associate the data-set with an identifiable individual.

 

Do I need to register with the Data Protection Commissioner?

 

If you keep personal details on computer relating to people’s health or medical care, then yes, you do need to register. Registration is a straightforward process, intended to make your data-handling practices transparent.

 

Do my patients have a right to see their medical records?

 

Yes they do. An individual is entitled to see a copy of any records which you keep relating to him or her on computer or on paper.  This right of access is subject to a limited exemption in the case of health and medical records, and in the case of social worker records, where allowing access would be likely to damage the physical, mental or emotional well-being of the individual.

 

Some Case Studies relevant to the medical and health sector

 

The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

 

 

 


 


 

What is Personal Data?

 

The definition in the Act reads:

 

“personal data” means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;

 

A similar definition is contained in the Directive (95/46/EC):

 

“personal data”  shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

 

The definition is – deliberately - a very broad one.  In principle, it covers any information that relates to an identifiable, living individual.  However, it needs to be borne in mind that data may become personal from information that could likely come into the possession of a data controller.

 

There are different ways in which an individual can be considered ‘identifiable’.  A person’s full name is an obvious likely identifier.  But a person can also be identifiable from other information, including a combination of identification elements such as physical characteristics, pseudonyms occupation, address etc.

 

The definition is also technology neutral.  It does not matter how the personal data is stored – on paper, on an IT system, on a CCTV system etc.

 

While the definition of personal data is very broad, an individual’s rights in relation to such data are subject to various qualifications.  For example, in relation to personal data contained in printed (as opposed to electronic) form, the right of access to such data only applies if the data is part of a relevant filing system .   Also, where a huge volume of personal data is involved, the data controller can refuse to provide a copy of all of the material involved on the grounds that this would involve disproportionate effort (but the data controller is still obliged to describe the data, including what it is used for, who it is disclosed to etc).

 

Often a case by case assessment must be made taking account of some of the above considerations as to whether data could be deemed to be personal.

 

What is Manual Data and what is a Relevant Filing System

 

The definitions in the Acts read:

 

manual data” means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

 

relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

 

The following are this office’s recommended tests / guidance that should be applied in determining if manual data is part of a “relevant filing system” and therefore subject to the Data Protection Acts 1988 & 2003.

 

(a) the personal data must be part of a set i.e. a regular filing system within a particular organisation which the organisation maintains for conducting its business. If the organisation maintains different Departments in different locations, the data subject should specify the subject matter and the department/office where s/he believes the file/data is located;

 

(b) the set must be structured by reference to individuals. If a file exists with a person’s name or ID number on it this meets the criterion. If the file does not have a name on it but has sub-divisions with a name or ID, and the file title indicates that it contains personal data e.g. record of sick absences then this would also meet the criterion.

 

(c) the data must be readily accessible. If files are archived and are not used for decision–making as part of the day to day operations of the organisation, and retrieval involves disproportionate effort (or perhaps even cost where a storage company is used), then the data could be said to be not readily accessible. In such a circumstance, the data subject would need to be able to identify particular data by file reference or date so that on a reasonable view of things the data could be said to be readily accessible;

 

(d) such access cannot be simply random but must be according to specific criteria. The data cannot be located in miscellaneous files. At the same time, the search criteria do not have to meet the standards inherent in a computer system. The more readily accessible the particular information is, the clearer it is that it will be.

 

Investigation procedures by the Office of the Data Protection Commissioner

 

For the sake of clarity the general procedures adopted by the Office and ultimately by the Commissioner when investigating complaints received under the Data Protection Acts 1988 and 2003 are as follows:

 

 

The foregoing process aims to ensure that the Commissioner is aware of all the facts that he has to consider before he makes the final decision. Either party can appeal the Commissioner’s decision to the Circuit Court

 

Guidance Material - Back-up systems

 

Back-up data are defined in the Data Protection Acts, 1988 & 2003 as being

 

 " data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged".

 

In order to come within the definition of 'back-up data', data cannot be part of a live system nor can they be used for any purpose other than replacing lost, destroyed or damaged data.

 


 

What constitutes lost, destroyed or damaged data?

 

Data that are either accidentally, or deliberately, deleted can be considered to be destroyed. Data that can no longer be found may be considered to be lost. Damaged data may result from files being corrupted.

 

However, a draft of a work in progress which is later overwritten is not considered to have been damaged or destroyed unless there is a clear policy of retaining drafts, in which case the draft should not have been overwritten.

 

What is the purpose of backing-up data?

 

There is a requirement in the Data Protection Act that adequate measures be taken to prevent the unauthorised destruction or alteration of data.

 

2(1)(d) "appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data.."

 

By backing-up data, a data controller/processor is taking steps to recover from such actions. In general, back-ups are most useful in a disaster recovery situation, where there has been a catastrophic system failure resulting in a large scale, if not total loss or corruption of data.

 

For how long should back-up data be held?

 

This depends on how long after an event is it likely to be discovered that data have been lost, destroyed or damaged. This time period will depend both on the nature of the data and the nature of the organisation processing the data. For most situations, it would not be reasonable to keep more than a small number (ten or less) back-up tapes. On a daily back-up regime, this would allow for two working weeks in which to discover that data were lost, destroyed or deleted.

 

Security Guidelines

 

The Data Protection Acts, 1988 and 2003 do not detail specific security measures that a Data Controller or Data Processor must have in place. Rather section 2(1)(d) of the 1988 Act places an obligation on persons to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction."

 

SI 626 of 2001, and later the Data Protection (Amendment) Act, 2003, introduced a new section 2C into the 1988 Act. This section helps interpret the nature of security measures required to demonstrate compliance with 2(1)(d). When determining measures, a number of factors need be taken into account:

 

 

A further development introduced by the 2003 Act is the obligation on data controllers and data processors to ensure that their staff are aware of security measures and comply with them. This guidance is purely intended as an indication of issues which data controllers and data processors may wish to consider when developing security policies.

 

Access Control

 

The obligation to prevent unauthorised access to data can, at the simplest level, be met by placing a password onto a computer. This would certainly be the minimum measure acceptable. However, it is only effective if staff keep the password secure, and is reviewed and changed if necessary. A password is one, simple, form of authentication. A more advanced form is the use of a token (such as a smart card), or the use of biometrics (such as an iris scan or a finger print scan). Where all three are used in combination, this would offer a high level of authentication.

 

Network administrators can add a level of security beyond mere authentication. Users tend to develop unique profiles, depending on what they normally do on their computers. This can be a combination of the time and frequency of access; location; nature of data accessed. Where a user seeks to access data in an unusual manner, which conflicts with an established profile, a challenge response question can be asked by the system. This type of authentication prevents a person who has found a password from accessing the system.

 

In conjunction with authentication, the nature of access allowed to an individual user should be set and reviewed on a regular basis. Ideally, users should only have access to data which they require in order to perform their duties. Regular reviews are necessary in order to increase if necessary as well as to restrict previous access where a user role changes.

 

A logging and reporting system can be a valuable tool in assisting the network administrator in identifying abuses and developing appropriate responses.

 

Encryption

 

There are a variety of tools available with which to encrypt data. These can be useful in closed systems, where all users can have access to the key with which to decrypt data. Providing such a key is held securely, encryption offers a high degree of protection against external attack.

 

Where encryption currently does not work satisfactorily is in sending data to the outside world. Use of a Public Key Infrastructure (PKI) requires that both sender and recipient use the same encryption system. Until such time as a market leader or industry standard exists, such PKI's will be slow to develop.

 


 

Anti-Virus Software

 

Anti-Virus software is not only required to prevent infection from the internet (either e-mail or web-sourced). Viruses may also be introduced from diskettes or CD's. No anti-virus package will prevent all infections, as they are only updated in response to infections. It is essential that users update such software on a regular basis, but also keep vigilant for potential threats. A policy of not opening e-mail attachments from unexpected sources can be a useful way of preventing infection.

 

Firewalls

 

A firewall is useful where there is any external connectivity, either to other networks or to the internet. It is important that firewalls are properly configured, as they are a key weapon in combating unauthorised access attempts. As firewalls are available for free download from the internet, they should routinely be installed by all data controllers and processors. This will become more important as persons progress to "always-on" internet connections, exposing themselves to a greater possibility of attack.

 

Automatic screen savers

 

Most systems allow for screensavers to activate after a period of inactivity, on the computer. This automatic activation is useful as the alternative manual locking of a workstation requires positive action by the user every time he/she leaves the computer unattended. Regardless of which method an organisation employs, computers should be locked when unattended. This not only applies to computers in public areas, but to all computers. It is pointless having an access control system in place if unattended computers may be accessed by any staff member.

 

Logs and Audit trails

 

It is of course pointless having an access control system and security policy if the system cannot identify any potential abuses. Consequently, a system should be able to identify the user name that accessed a file, as well as the time of the access. A log of alterations made, along with author/editor, should also be created. Not only can this help in the effective administration of the security system, its existence should also act as a deterrent to those staff tempted to abuse the system.

 

The Human Factor

 

No matter what technical or physical controls are placed on a system, the most important security measure is to ensure that staff are aware of their responsibilities. Passwords should not be written down and left in convenient places; passwords should not be shared amongst colleagues; unexpected e-mail attachments should not be opened unless first screened by anti-virus software.

 

IS17799 Certification

 

The National Standards Authority of Ireland has set a standard for information security management systems. If a body is certified to be IS17799 compliant, it would demonstrate compliance with the security requirements of the Data Protection Acts, 1988 & 2003.

 

Further information on IS 17799 may be found on the NSAI website.

 

Remote Access

 

Where a worker is allowed to access the network from a remote location (e.g. From home or from an off-site visit), such access is creating a potential weakness in the system. Therefore, the need for such access should be properly assessed and security measures reassessed before remote access is granted.

 

Wireless networks

 

Access to a server by means of a wireless connection (such as infrared or radio signals) can expose the network to novel means of attack. The physical environment in which such systems are used may also be a factor in determining any weakness in the system security. As with remote access, wireless networks should be assessed on security grounds rather than solely on apparent ease of use.

 

Laptops

 

Laptops, personal organisers and other form of portable computers are especially vulnerable, as there is not only a higher risk of theft, but also a new risk of accidental loss. It would be a sensible precaution not only to have adequate security measures, but also to limit what data are placed on such machines in the first place. If practical, collected data should be downloaded at an early date with administrators reviewing the nature and quantity of data held.

 

Where laptops are the personal property of an individual, the data controller should have a contract in place to detail the conditions under which data may be processed on personal computers. A contract might also be advisable to cover all employee use of portable computers, especially concerning use of data where a person leaves the employment of a data controller.

 

Even where data are not routinely deleted from portable computers, such data should be backed up onto the network. This will assist in keeping the data on the network accurate and up to date, as well as defending against the accidental loss or destruction of data on portable computers.

 

Back-up systems

 

A back up system is an essential means of recovering from the loss or destruction of data. While some system should be in place, the frequency and nature of back up will depend, amongst other factors, on the organisation concerned and the nature of data being processed. The security standards for back-up data are the same as for live data.

 

click here for more information on back-up data

 

Physical Security

 

Physical security includes issues like perimeter security (office locked and alarmed when not in use); computer location (so that the screen may not be viewed by members of the public); disposal (so that computer print outs containing sensitive data are securely disposed of).

 


 

Data Protection & CCTV

 

Fair obtaining

 

To satisfy the fair obtaining principle of the Data Protection Acts 1988 & 2003, it is necessary that those people whose images are captured on camera are informed about the identity of the data controller and the purpose(s) in processing data. This can be achieved by placing easily read and well-lit signs in prominent positions. A sign at all entrances will normally suffice.

 

As the identity of the data controller may be obvious from the location and as the default purpose is generally that of security, all that need be placed on the sign is a statement that CCTV is in operation as well as a contact (such as a phone number) for persons wishing to discuss this processing. This contact can be for either the security company operating the cameras or the owner of the premises.

 

If a client intends to use cameras to identify disciplinary (or other) issues relating to staff, staff must be informed of this before the cameras are used for these purposes. Similarly, if a camera system is in place for security purposes, its positioning might be restricted to areas accessible by the public and/or sensitive areas. Use of cameras in private staff areas might be considered to be disproportionate. Where possible, cameras placed so as to record external areas should be positioned in such a way as to prevent recording of another person's private property.

 

Storage and retention.

 

A cycle of 28 (or so) days is recommended. If no issue is identified within that period, the tape should be recorded over. Newer systems do allow for recording onto computer hard disks with a potential to retain records going back several months or years. This is discouraged, in general.

 

Section 2(1)(c)(iv) states that data "shall not be kept for longer than is necessary for" the purposes for which they were obtained. It is difficult to accept that an image from a security system need be retained beyond 28 days, except where the image identifies an issue and is retained specifically in the context of an investigation of that issue.

 

Tapes should be stored in a secure environment with a log of access to tapes kept. Access should be restricted to authorised personnel. Similar measures should be employed when using disk storage, with automatic logs of access to the images created.

 

Supply of tapes/data to An Garda Síochána

 

If the Gardaí want a tape for a specific investigation, it is up to the data controller to satisfy himself that there is a genuine investigation underway. For practical purposes, a phone call to the requesting Garda's station may be sufficient, provided that you speak to a member in the District Office, the station sergeant or a higher ranking officer, as all may be assumed to be acting with the authority of a District/Divisional officer in confirming that an investigation is authorised.

 

Access Requests

 

Any person whose image has been recorded has a right to be given a copy of the information recorded. To exercise that right, a person must make an application in writing. A data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.

 

Practically, a person should provide necessary information to a data controller, such as the date, time and location of the recording. If the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data.

 

In giving a person a copy of his/her data, the data controller may provide a still/series of still pictures, a tape or a disk with relevant images. However, other people's images should be obscured before the data are released.

 

Covert surveillance.

 

The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to involve An Garda Síochána.

 

Covert surveillance must be focused and of short duration. Only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.

 

If the surveillance is intended to prevent crime, overt cameras may be considered to be a more appropriate measure, and less invasive of individual privacy.

 

Responsibilities of security companies.

 

Security companies that place and operate cameras on behalf of clients are considered to be "Data Processors". As data processors, they operate under the instruction of data controllers (their clients). Sections 2(2) and 2C of the Data Protection Acts place a number of obligations on data processors.

 

These include having appropriate security measures in place to prevent unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all unlawful forms of processing. This obligation can be met by having appropriate access controls to image storage or having robust encryption where remote access to live recording is permitted.

 

Staff of the security company must be made aware of their obligations relating to the security of data.

 

Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.

 

Furthermore, section 16 of the Data Protection Acts 1988 & 2003 requires that all data processors must have an entry in the public register maintained by the Data Protection Commissioner, Those parties who are required to be registered and process data whilst not registered are committing a criminal offence and may face prosecution by this office. (This provision may only apply where the data controller can identify the persons whose images are captured.)

 


 

Domestic use of CCTV systems.

 

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. This exemption would generally apply to the use of CCTVs in a domestic environment. However, the exemption may not apply if the occupant works from home.

 

Some Case Studies relevant to this topic:

 

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

 

CASE STUDY 8/05 - CCTV cameras on the luas line

 

 

 

       Users who read this document also viewed...

 

    21 February 2005 - Documents by Topic display page

 

    24 February 2004 - Documents by Topic

 

    21 February 2005 - Details of Registrant

 

    17 February 2005 - Self Assessment Data Protection Checklist

 

 

 

Guidance Notes - Monitoring of Staff

 

The Data Protection Commissioner accepts that organisations have a legitimate interest to protect their business, reputation, resources and equipment. To achieve this, organisations may wish to monitor staff’s use of email, the internet, and the telephone. However, it should be noted that the collection, use or storage of information about workers, the monitoring of their email or internet access or their surveillance by video cameras (which process images) involves the processing of personal data and, as such, data protection law applies to such processing. The processing of sound and image data in the employment context falls within the scope of the Data Protection Laws.

 

The Article 29 Working Party, has adopted a Working Document (WP55) on the surveillance of electronic communications in the workplace. Its main guiding principle is that you do not lose your privacy and data protection rights just because you are an employee. Any limitation of the employee’s right to privacy should be proportionate to the likely damage to the employer’s legitimate interests. An acceptable usage policy should be adopted reflecting this balance and employees should be notified of the nature, extent and purposes of the monitoring specified in the policy.

 

In principle, there is nothing to stop an employer specifying that use of equipment is prohibited for personal purposes but the likelihood is that most employers will allow a limited amount of personal use. In the absence of a clear policy, employees may be assumed to have a reasonable expectation of privacy in the workplace.

 

The following points need to be addressed by data controllers:

 

 

Use of the Computer Network, E-Mail and Internet.

 

Private use of the Internet in the workplace and the monitoring of private emails pose certain challenges. A workplace policy should be in place in an open and transparent manner to provide that:

 

 


 

Template for Acceptable Usage Policy – Email and Internet

 

The following is the Office Policy of the Data Protection Commissioner and may serve as a template for organisations wishing to develop Acceptable Usage Policies in relation to email and the internet.

 

 

1 - Potentially dangerous material

 

Do not launch, detach or save any executable file (i.e. those ending in 'exe' or 'vbs') under any circumstances. Contact IT Division immediately.

 

All incoming attachements must be virus checked by IT Division. Please note that all floppy disks and CD's brought into the office from home PC's should also be virus checked. The safer option is to forward these attachments by e-mail from your home pc as they will be automatically screened by the mailsweeper software.

 

Do not open, detach or save any unofficial file attachments to your hard disk or any network drive. Official attachements should be placed in the relevant document Library or detached to a shared drive. Please beware of saving any documentation to the hard drive of you pc as this will not be backed up and will be irretrievable in the event of your pc breaking down.

 

2. Obscenity, Child pornography and Incitement to hate.

 

You are subject to all legislation regulating Internet use, including the provisions regarding obscenity, child pornography, sedition and the incitement of hate. In particular, persons have obligations under the Irish Child Trafficking and Pornography Act 1997, not to allow any of its systems (mail, Internet etc.) to be used for downloading or distributing offensive material.

 

3. Other Offensive and Time wasting Material

 

Unsolicited material can arrive from anywhere. Should you receive material which you find offensive or abusive or time wasting respond to it just as you would an offensive letter: complain directly to the sender and bring it to the attention of the sender’s employing organisation / IT and HR managers as appropriate.

 

In the case of any Spam mail don’t issue any reply.

 

4. Misleading information

 

Always be aware that the Internet is an unregulated, world wide environment. It contains information and opinions that range in scope from reliable and authoritative to controversial and extremely offensive. It is your responsibility to assess the validity of the information found on the Internet.

 

Material you send

 

Remember that e-mail is effectively on official headed paper and can be traced back to place, date and time of sending. Make sure you are satisfied with its content and that it has been approved at the appropriate level. Double check the address of the intended recipient. Once the “send” key is pressed, e-mail cannot be stopped or retrieved. Deleting mail from your system does not make it untraceable.

 

Do not send any unofficial graphics or executable files under any circumstances. Do not instigate or forward “unofficial mail” to users either within or outside the Office or send any material which may be offensive or disruptive to others or which may be construed as harassment. Do not make derogatory comment regarding gender, marital status, family status, sexual orientation, religion, age, disability, race or membership of the travelling community.

 

Remember that screensavers can be a means of causing offence.

 

Do not use another’s e-mail account.

 

All e-mail's are automatically backed up and are recoverable. All e-mail's leaving the Office should have the following text or equivalent automatically appended :-

 

“The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. It is the policy of [ insert employer’s name] to disallow the sending of offensive material and should you consider that the material contained in the message is offensive you should contact the sender immediately and also your IT manager”.

 

In general : think before you send.

 

Screening procedures

 

A suitable IT screening system should automatically screen all mail for known viruses, attachments etc.

 

IT Division does not normally read individuals mail or open mail boxes except:

 

(1) where the screening software or a complaint from an individual indicates that a particular mailbox contains material which is dangerous or offensive.

 

(2) where a legitimate work reason exists to open the e-mail.

 

Opening mailboxes for investigation requires authorisation by (Senior manager) on a case by case basis. The individual’s mailbox, hard disk, network drive and relevant backups are then searched.

 

Where investigation proves that a problem exists it will be reported to the sender, their organisation, the staff member concerned, Head of Division and HR Manager for appropriate action. Where the problem concerns material such as a virus or an unauthorised .exe file, which can damage the network, IT Division may immediately close down an account pending further investigation and action.

 

Blocked messages either inbound or outbound are deleted after 21 days, if a request for release is not received. Messages containing virus files are not retained.

 


 

Time wasting and resources

 

Network resources such as storage space and capacity to carry traffic are not unlimited. However your time and that of your colleagues is the most valuable resource available to the Office.

 

You must not deliberately perform acts which waste your own and your colleagues time or computer resources. These acts include

 

 

Financial Implications

 

Do not download any material / software from the Internet for which a registration fee is charged without first obtaining the express permission of the Office. Only the software installed by IT Division, and therefore listed on the Offices Assets Register, is deemed to be legally sourced by the Office and covered by the appropriate licence agreement. No other software is approved for use on any of the Offices computers or laptops.

 

Security

 

You are responsible for the use of the facilities granted in your name. The main protection at present is your password. Make it difficult to guess and above all, do not share your password with anyone, write it down or give it out over the phone. If you think someone knows your password, ask for it to be changed as soon as possible. Maintaining the privacy of your password is your responsibility and consequently you are responsible for any abuses taking place using your name and password.

 

In general do not leave your computer unattended without securing the session by password or signing off.

 

When leaving your pc unattended press Ctrl Alt Del (in the same way as logging into your pc) and click the “Lock workstation / Lock computer” box. On return press Ctrl Alt Del and enter your password to log back into the pc.

 

Users accessing the Internet through a computer attached to the Office’s network must do so through an approved Internet firewall or other security device. Bypassing the Office’s computer network security by accessing the Internet directly by modem or other means is strictly prohibited.

 

You are reminded that files obtained from sources outside the Office, including disks brought from home, files downloaded from the Internet, news groups, bulletin boards or other online services and files attached to e-mail messages may contain computer viruses that may damage the Office’s computer network. While the Office is continually upgrading its virus protection infrastructure, the potential introduction of viruses on the Office system always remains a threat. All incoming material, regardless of origin, should be virus checked before being used on any PC on the Office’s network. This is not paranoia : a wide variety of viruses from a wide range of individuals and organisations have been blocked over the last 12 months. This threat is real and will not be diminishing. If you suspect that a virus has been introduced into the Office’s network, notify the IT Section immediately.

 

The Internet is not secure. Whether by e-mail or via the World Wide web, do not give out more information than is necessary to fulfil your purpose. Beware of demands for unnecessary information. Be wary of sites which request more data than is necessary for accessing the site or for making a transaction, or which do not tell you why they require this data from you. In particular, no information on IT systems or resources should be disclosed over the Internet or through e-mail without authorisation from IT Division.

 

External e-mail should only be used to transmit unclassified information to individuals outside the Office. Classified or confidential material should not be sent by e-mail unless it is encrypted.

 

Weblogs

 

All web browsing is logged. Screening software prevents access to certain non-work related sites. The logs of web browsing will only be accessed with management authorisation, where there are reasonable grounds to believe that this policy has been contravened.

 

Personal Use

 

Just as with the phone, a small amount of limited personal use of e-mail and Internet facilities is permitted if such use does not otherwise infringe this policy.

 

Freedom of Information and Archives Acts (only applies to public bodies)

 

Incoming and outgoing e-mail's which are of “enduring organisational interest” are records under the above Acts and must not be kept in your e-mail account. They must be transferred to the appropriate document library or file.

 

Data Protection Access Requests for Personnel Records

 

Under section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system, by any person or organization, regardless of when the data was created. The procedure for making an access request is explained in the section “know your rights”.

 

The Acts apply to data held on computer and manual data in a “relevant filing system” and, as such, personnel records will, therefore, normally come within the terms of the Acts. No issues should generally arise in respect of access requests made for most personnel records. This note seeks to address access requests for data relating to:

 

 

1. Discipline, grievance and dismissal

 

It is not the purpose of this note to provide guidance as to how disciplinary, grievance or dismissal procedures should be conducted. However, in relation to creating and keeping records, HR staff should be conscious of the accuracy requirement and that data kept should be “adequate, relevant and not excessive”. The right of access supports fair procedures and natural justice which provide that an individual be made aware of the case s/he has to answer.

 

The general rule is that an employee has a right of access to personal data relating to him/her in connection with discipline, grievance and dismissal procedures, even if the disciplinary procedure is on-going or the subject of legal proceedings such as an unfair dismissals claim. There are however some limitations and exemptions to this right which are provided in Sections 4 & 5 of the Acts. These limitations and exemptions include:

 

(i) Opinions given in confidence

 

Section 4(4A) provides that personal data containing expressions of opinion about the data subject may be given to the data subject without the permission of the person who expressed that opinion but this does not include opinions “given in confidence or on the understanding that it would be treated as confidential”

 

An opinion given in confidence on the understanding that it will be kept confidential must satisfy a high threshold of confidentiality. Simply placing the word “confidential” at the top of a page will not automatically render the data confidential. The Commissioner will look at the data and its context and will need to be satisfied that the data would not otherwise have been given but for this understanding. Supervisors and managers will not normally be able to rely on the provision as it is an expected part of their role to give opinions on staff which they should be capable of standing over. On the other hand, a colleague who reports a matter relating to an individual in confidence to a supervisor could be expected to be protected by the confidentiality provision.

 

(ii) Professional legal privilege

 

The right of access does not apply to data - "in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers."” (Section 5(g))

 

Accordingly, the subject access provisions in section 4 of the Acts do not apply to personal data where the circumstances are such that a claim of privilege could be maintained in court proceedings in relation to communications between a client and his professional legal advisers or between those advisers. This is a very limited exemption which only applies in connection with the provision of legal advice or in anticipation or furtherance of litigation.

 

(iii) Protecting the source of data

 

Section 4(1)(a)(iii)(II) provides that the source of the data does not have to be provided if to do so would be contrary to the public interest. This would apply in situations where revealing the source of the information would be a disincentive to others providing similar information in the future. Examples would be “whistleblowers” or the reporting of child abuse.

 

(iv) Investigation of an offence

 

If access would or potentially could prejudice a criminal investigation, access may be refused pursuant to section 5(1)(a) of the Acts. This provides that “this Act does not apply to personal data kept for the purpose of preventing, detecting or investigating offences…in any case in which the application of that section (viz. section 4) to the data would be likely to prejudice any of the matters aforesaid”.

 

A distinction may require to be made between an investigation to determine whether disciplinary procedures need to be invoked and the disciplinary proceedings themselves. Inevitably, certain complaints arising in a workplace will require to be investigated and until such time as the investigation is completed, data prepared in connection with the investigation would, if disclosed at a juncture not provided for in the process itself, be likely to prejudice the effectiveness and fairness of the investigative process. In such circumstances, the provisions of section 5(1)(a) of the Acts, quoted above, may be relied on and the data is not liable to be disclosed. When such an investigation is completed, the risk of prejudice no longer arises and the application of section 5(i)(a) should be set aside.

 

(v) Other exemptions under Section 5

 

Section 5 also provides exemptions from access in other circumstances including:

 

 


 

2. Appraisal, Performance Reports and References

 

The right of access applies to Appraisal and Performance Reports and the Commissioner considers that the confidentiality provision of section 4(4A)(b)(ii) cannot reasonably be applied to them.

 

In regard to references, it is often said that these are given in confidence. Notwithstanding this, the Commissioner considers generally that the right of access applies to them. There would need to be particular exceptional circumstances which would cause the Commissioner to be satisfied that the data would not otherwise have been given but for this understanding

 

3. Medical reports

 

The Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989) provide that health data relating to an individual should not be made available to that individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject. A person who is not a health professional should not disclose health data to an individual without first consulting the individual’s own doctor or some other suitably qualified health professional.

 

An employee has a right of access to medical data held by the organisation’s company doctor or medical officer, unless the “harm” exemption, detailed above, applies. Experience is that such situations are rare.

 

Organisations should have a procedure in place so that when HR data is requested, clarification is sought as to whether the request includes medical data. If medical data is being sought, HR should advise the Company Doctor/Medical Officer who should make the data available to the employee directly.

 

Definitions

 

As with any legislation, certain terms used in the Data Protection Acts, 1988 and 2003, have a quite specific meaning. The following are some important definitions, taken from section 1 of the Act, with additional comments and relevant links provided where appropriate.

 

Data means automated and manual data  

 

Automated data means information that -
(a) is being processed by means of equipment operating automatically in response to instructions given for that
Purpose, or
(b) is recorded with the intention that it should should be processed by means of such equipment;

 

Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;

 

Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;

 

>>  see guidance note on relevant filing system  

 

Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;

 

>>  see guidance note on personal data

 

Note that "personal data" means any information about or relating to the individual. In this respect, the term "personal data" has a different meaning than the term "personal information", as used in the Freedom of Information Act, which is restricted to the sort of private, confidential or sensitive information that might only be known to the individual and his or her family.

 

LINK»   go to website of the Information Commissioner

 

Sensitive personal data means personal data as to -

 

(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

 

(b) whether the data subject is a member of a trade union

 

(c) the physical or mental health or condition or sexual life of the data subject,

 

(d) the commission or alleged commission of any offence by the data subject, or

 

(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;

 

Data subject is an individual who is the subject of personal data.

 

Data controller is a person who (either alone or with others) controls the contents and use of personal data.

 

Data processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.

 

Disclosure - In relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.

 

Comment: Arising from this definition, a transfer of personal data to an agent, who is carrying out a task on your behalf, is not a disclosure, and need not involve a contravention of the Data Protection Act in the same way as a disclosure to a third party. However, to rely on this provision, the principal-agent relationship must be bona fide and accompanied with appropriate safeguards. Where a data processor is involved there must be a contract in place that imposes equivalent security obligations on the processor as would apply to the controller.

 

LINK»   more about disclosures of personal data to third parties

 

Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including-

 

(a) obtaining, recording or keeping the information or data

 

(b) collecting, organising, storing, altering or adapting the information or data, (c) retrieving, consulting or using the information or data,

 

(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or,

 

(e) aligning, combining, blocking, erasing or destroying the information or data, and, cognate words shall be construed accordingly;

 

Territorial Application of the Data Protection Act

 

A Guide to the New Data Protection Rules

 


 

European Communities (Data Protection) Regulations, 2001

 

Naturally, if a data controller is based completely outside of Ireland, does not use equipment in Ireland for its processing, and does not have any branches or agencies acting on its behalf in Ireland, the data controller is not subject to the Data Protection Act, 1988.  Conversely, if a data controller is located in Ireland, carries on its activities in Ireland, and uses equipment and agencies located in Ireland, it is obvious that the Act applies to it. 

 

However, what about less clear-cut cases?  If the data controller is based outside of Ireland, but uses branches or agencies in Ireland to collect and process personal data, does the Irish Act apply?  What if a company is legally established in Ireland, but carries on all of its activities in other countries?  Does it affect matters if the other country is an EU or EEA counry? 

 

Up to now, issues such as these have been dealt with under section 23 of the Data Protection Act, 1988.  As a result of the new European Communities (Data Protection) Regulations, 2001, this section is to be replaced with new provisions, in line with Article 4 of the EU Data Protection Directive.  The new provisions, which take effect of 1 April 2002, will introduce simpler, clearer rules for determining whether the Irish Data Protection Act applies in particular cases.  In essence, the Act will apply to data controllers 'established in Ireland', and to data controllers established outside the EEA who make use of equipment in Ireland for processing personal data.  Further details are given below. 

 

Data controllers established in Ireland

 

The Irish Data Protection Act applies to all data controllers established in Ireland[1].  It does not matter whether the personal data relates to non-Irish people, or whether the data controller actually carries on all of its activities outside of Ireland.  Once the data controller is established in Ireland, then it is subject to Irish data protection law. 

 

However, the term ‘established in Ireland’ requires some clarification.  The new Regulations provide clear rules on which organisations are to be treated as established in Ireland, summarised below. 

 

(i)                Individuals normally resident in Ireland

 

(ii)                Individuals can be data controllers – e.g. doctors, pharmacists, politicians and lawyers.  Where the individual data controller is resident in Ireland, he or she must comply with the provisions of the Data Protection Act, 1988.

 

(iii)            A body incorporated under the law of the State

 

(iv)              The bulk of Irish data controllers will fall into this category, which includes companies and other bodies corporate that are incorporated under Irish law.  Note that this category includes all companies incorporated in Ireland, including a company that is a wholly-owned subsidiary of an overseas company.

 

(iii) A partnership or other unincorporated association formed under the law of the State.
 This category includes some legal and accountancy firms, medical practices, and voluntary associations. 

 

  (iv) A person who does not fall within (i)-(iii) above, but who maintains either

 

  I.  an office, branch, or agency in Ireland, through which the person carries on any activity, or

 

II.  a regular practice in Ireland.

 

 This important category provides for situations in which a data controller located outside of Ireland carries on business activity in Ireland – whether through a branch, through retaining the services of an agency, or through maintaining a regular practice in Ireland.  Any non-Irish data controller that does business in Ireland in this way is subject to Irish data protection law – at least insofar as its activities conducted in Ireland are concerned.  Note that this rule makes no distinction between data controllers that are established in European Economic Area (EEA) countries[2], and those established in non-EEA ‘third countries’. 

 

However, data controllers based elsewhere in the EEA who have direct dealings with Irish people – e.g. data controllers who engage in direct marketing over the telephone or the internet – are not covered by this category.  Such data controllers, which do not operate via an Irish-based intermediary, would normally be subject to the data protection laws of the EEA country in which they are based.

 

Data controllers established outside of the EEA are subject to special rules – see next section below. 

 

Data controllers established outside the EEA

 

Data controllers established outside of the European Economic Area (EEA) are subject to Irish data protection law in certain limited circumstances.  The Regulations specify that any such non-EEA data controllers are subject to the Data Protection Act only in cases where they make use of equipment in Ireland for the purpose of processing personal data.  (However, this rule does not apply if the only processing involved is the transit through the State of the personal data.  This exemption may be of relevance to some telecommunications service providers, or telecommunications infrastructure companies.)

 

Non-EEA data controllers that are covered by this rule must designate a representative established in Ireland.  This representative would, in general, be expected to be answerable for compliance with Irish data protection laws. 

 

[1]  Technically, the Regulations refer to data controllers "established in the State".  As a matter of legal interpretation, "the State" does not include Northern Ireland.

 

[2] The European Economic Area (EEA) is comprised of the twenty EU countries together with Norway, Iceland and Liechtenstein.

 

 

 


 

Current Legislation

 

Compendium of Data Protection Acts 1988 & 2003

 

This index linked Compendium is produced simply as an aid to data controllers, data subjects and legal practitioners and does not purport to be the official text of the legislation. Consequently, at all times, the official texts of the legislation should be consulted as appropriate

 

[view more...] Published on 20 March 2006

 

 

 


 

Compendium of Data Protection Acts 1988 & 2003

 

This Compendium is produced simply as an aid to data controllers, data subjects and legal practitioners and does not purport to be the official text of the legislation. Consequently, at all times, the official texts of the legislation should be consulted as appropriate.

 

[view more...] Published on 30 April 2003

 

 

 


 

Data Protection Act 1988

 

An Act to give effect to the convention for the protection of individuals with regard to automatic processing of personal data done at Strasbourg on teh 28th January, 1981, and for that purpose to regulate in accordance with its provisions the collection, processing, keeping, use and disclosure of certain information relating to individuals that is processed automatically. [13th July, 1988]

 

[view more...]

 

 

 


 

Data Protection (Amendment) Act 2003

 

An Act to give effect to directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of the individual with regard to the processing of the personal data and on the free movement of such data, for that purpose to amend the Data Protection Act 1988 and to provide for related matters [10 April 2003]

 

[view more...] Published on 10 April 2003

 

 

 


 

S. I. No. 535 of 2003

 

I, Dermot Ahern, Minister for Communications, Marine and Natural Resources, in exercise of the powers referred on me by Section 3 of the European Communities Act, 1972 (No. 27 of 1972) for the purposes of giving effect to Directive No. 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and protection of privacy in the electronic communications sector, hereby make the following Regulations...

 

[view more...] Published on 12 July 2002

 

 

 


 

S.I. No. 207 of 2003

 

Data Protection (Amendment) Act 2003 (Commencement) Order 2003 I, Michael McDowell, Minister for Justice, Equality and Law Reform, in exercise of the powers conferred on me by section 23(3) of the Data Protection (Amendment) Act 2003 (No. 6 of 2003) hereby order as follows:1. This Order may be cited as the Data Protection (Amendment) Act 2003 (Commencement) Order 2003.........

 

[view more...]

 

 

 


 

S.I. No. 347 of 1988

 

Data Protection (Fees) Regulations, 1988 I, Gerard Collins, Minister for Justice, in exercise of the powers conferred on me by sections 4, 16 and 17 of the Data protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Finance, make the following regulations: 1. These Regulations may be cited as the Data Protection (Fees) Regulations, 1988.2. In these Regulations "the Act" means the Data Protection Act, 1988 (No. 25 of 1988)

 

[view more...]

 

 

 


 

S.I. No. 2 of 2001

 

Data Protection (Registration) Regulations, 2001. I, Joe Meade, Data Protection Commissioner, in exercise of the powers conferred on me by section 16(1)(e) of the Data Protection Act, 1988 (No. 25 of 1988), and with the consent of the Minister for Justice, Equality and Law Reform, hereby make the following regulations: 1. (1) These Regulations may be cited as the Data Protection (Registration) Regulations, 2001.....

 

[view more...]

 

 

 


 

S.I. No. 105 of 1996

 

Data Protection (Fees) Regulations, 1996. I, Nora Owen, Minister for Justice, in exercise of the powers conferred on me by section 17 of the Data Protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Finance, make the following regulations: 1. (1) These Regulations may be cited as the Data Protection (Fees) Regulations, 1996.(2) These Regulations shall come into operation on the 19th day of May, 1996......

 

[view more...]

 

 

 


 

S.I. No. 95 of 1993

 

Data Protection Act, 1988 (Section 5(1)(d)) (Specification) Regulations, 1993. I, Maire Geoghegan-Quinn, Minister for Justice, being of opinion that the functions described in column (1) of the Schedule to these Regulations, being functions conferred by or under the enactments specified in column (2) of that Schedule, are designed to protect members of the public against the financial loss referred to in subsection (1)(d) of section 5 of the Data Protection Act, 1988..............

 

[view more...]

 

 

 


 

S.I. No. 83 of 1989

 

Data Protection (Access Modification) (Social Work) Regulations, 1989. I, Gerard Collins, Minister for Justice, considering it desirable in the interests of data subjects, hereby, in exercise of the powers conferred on me by section 4 (8) of the Data Protection Act, 1988 (No. 25 of 1988), and after consultation with the Minister for Health, the Minister for Education, the Minister for the Environment, the Minister for Social Welfare and the Minister for Labour, make the following Regulations......

 

[view more...]

 

 

 


 

S.I. No. 82 of 1989

 

Data Protection (Access Modification) (Health) Regulations, 1989. I, Gerard Collins, Minister for Justice, considering it desirable in the interests of data subjects, hereby in exercise of the powers conferred on me by section 4 (8) of the Data Protection Act, 1988 (No. 25 of 1988), and after consultation with the Minister for Health, the Minister for Finance, the Minister for Education, the Minister for Social Welfare, the Minister for Defence and the Minister for Labour, make the following Regulations:

 

[view more...]

 

 

 


 

S.I. No. 81 of 1989

 

Data Protection Act, 1988 (Restriction of Section 4) Regulations, 1989. I, Gerard Collins, Minister for Justice, being of opinion that the prohibitions and restrictions on the disclosure, and the authorisations of the withholding, of information contained in the provisions of the enactments specified in the Schedule to these Regulations ought to prevail in the interests of the data subjects concerned and any other individuals concerned........

 

[view more...]

 

 

 


 

S.I. No. 351 of 1988

 

Data Protection (Registration) Regulations, 1988. I, Donal C. Linehan, Data Protection Commissioner, by virtue of the powers conferred on me by section 20 of the Data Protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Justice, make the following regulations: 1. These Regulations may be cited as the Data Protection (Registration) Regulations, 1988.2. These Regulations shall come into force on the 9th day of January, 1989.3.

 

[view more...]

 

 

 


 

S.I. No. 350 of 1988

 

Data Protection (Registration Period) Regulations, 1988. I, Donal C. Linehan, Data Protection Commissioner, in exercise of the powers conferred on me by section 18 of the Data Protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Justice, make the following regulations: 1. These Regulations may be cited as the Data Protection (Registration Period) Regulations, 1988.

 

[view more...]

 

 

 

S.I. No. 349 of 1988

 

Data Protection Act, 1988 (Commencement) Order, 1988. I, Gerard Collins, Minister for Justice, in exercise of the powers conferred on me by section 35 of the Data Protection Act, 1988 (No. 25 of 1988), hereby make the following order: 1. This Order may be cited as the Data Protection Act, 1988 (Commencement) Order, 1988.2. In this Order "the Act" means the Data Protection Act, 1988 (No. 25 of 1988).

 

[view more...]

 

 

 

Section 51 British-Irish Agreement Act 1999

 

DPC role in relation to Cross Border Bodies

 

[view more...] Published on 08 February 2005

 

 

 

Repealed Legislation

 

 

 

S.I. No. 192 of 2002

 

I, Mary O'Rourke, Minister for Public Enterprise, in exercise of the powers conferred on me by section 3 of the European Communities Act 1972 (No. 27 of 1972) and for the purpose of giving effect to Directive 97/66/EC of the European Parliament and of the Council of 15 December 19971 concerning the processing of personal data and the protection of privacy in the telecommunications sector and for the purpose of giving further effect to Directive 98/10/EC of the European Parliament .....

 

[view more...] Published on 10 March 2002

 

 

 

Data Protection (Amendment) Bill 2002

 

Bill entitled an Act to give effect to directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of the individual with regard to the processing of the personal data and on the free movement of such data, for that purpose to amend the Data Protection Act 1988 and to provide for related matters

 

[view more...] Published on 25 July 2002

 

 

 

S.I. No. 80 of 1990

 

Data Protection (Fees) Regulations, 1990. I, Ray Burke, Minister for Justice, in exercise of the powers conferred on me by section 17 of the Data Protection Act, 1988 (No. 25 of 1988), hereby, with the consent of the Minister for Finance, make the following regulations: 1. These Regulations may be cited as the Data Protection (Fees) Regulations, 1990.2. In these Regulations "the Act" means the Data Protection Act, 1988 (No. 25 of 1988).

 

[view more...]

 

 

 

S.I. No. 84 of 1989

 

Data Protection Act, 1988 (Section 5(1)(d)) (Specification) Regulations. I, Gerard Collins, Minister for Justice, being of opinion that the functions described in column 1 of the Schedule to these Regulations, being functions conferred by or under the enactments specified in column 2 of that Schedule, are designed to protect members of the public against the financial loss referred to in subsection (1)(d) of section 5 of the Data Protection Act, 1988 (No. 25 of 1988).......

 

[view more...]

 

Case Study 2 - Life assurance company and medical reports - access request denied

 

I received a complaint from a data subject who had not been given copies of medical reports, commissioned from independent specialists by a life assurance company in connection with her on-going income continuance claims – the Company had discontinued her claims on the basis that she was no longer fulfilling the definition of disability, as required under her policy.

 

In investigating this complaint, I reiterated  that the Data Protection Acts give people a statutory right of access to their data, including their medical records, and that this right can only be limited or set aside in very specific and narrow circumstances. 

 

The Company had cited the exemptions in section 5(1)(f) and 5(1)(g) as a basis for denying access to certain reports.

 

Section 5(1)(f) of the Acts provides that the right of access to personal data does not apply to personal data:

 

"(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim."

 

I considered that medical reports commissioned by a life assurance company are for the purpose of assessing a claim.  I found that the exemption in section 5(1)(f) permits a data controller, who puts on file an estimate of the amount of money that may be needed to meet a claim for compensation, to plead an exemption if the release of that estimate would be prejudicial.  The contents of the medical reports at issue in this case did not relate to estimating liability per se.  Rather, they related to whether or not there is a disability and opinions about capacity to work.  It was therefore my view that this exemption cannot be claimed in respect of medical reports.

 

The company also proposed to withhold other reports on the basis of legal privilege as provided in section 5(1)(g), as they believed that they would ‘seriously prejudice (their) defence in any action’.  Section 5(1)(g) provides that the right of access to personal data does not apply in respect of data :

 

“(g) in respect of which a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers.”

 

In assessing whether privilege could be claimed, it is necessary to look at the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice.  My staff outlined to the Company that it is important  when a life assurance company commissions a report that the claimant fully understands the purpose of the examination e.g. the purpose being for the company to assess and to come to a decision on a claim.  Whether the reports were commissioned in anticipation or furtherance of litigation and thus attract privilege, falls to be determined on a case by case basis.

 

It was understood that the decision in this case might ultimately be challenged in court and the Company indicated that in their opinion there was a high likelihood of this. The exemption refers to a potential situation where ‘a claim of privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers’.  In this case, my staff considered that it was conceivable that such a claim could be maintained in a court.  Therefore, it was held that certain medical reports specified by the company may be withheld pursuant to section 5(1)(g) pending any court proceedings.

 

This case shows how the balance between a data subject’s right of access to personal data must be balanced with the legitimate interests of a data controller – in this case one who may possibly be facing litigation. In the event of litigation not taking place, the data controller would be required to review its decision.