Data Protection in the Republic of Ireland
- Data Protection Principles
- The Commissioner
This is a refereed article.
Date of publication: 31 January 1996
Citation: Clark, R. (1996) 'Data Protection in Ireland', 1996 (1) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/elj/jilt/dp/1eire/>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1996_1/clark/>
While Irish law differs from U.K. law insofar as the Irish Constitution recognises a right to privacy, particularly in the context of communications (compare the U.K. case of Malone v. Metropolitan Police Commissioner  2 ALL ER 620, with the Irish decision in Kennedy and Arnold v. Ireland  IR 587; 1988 ILRM 472), there was a need for specific legislative action in the field of privacy rights in relation to information gathering, retention and use. The 1981 Strasbourg Convention was implemented in the form of the Data Protection Act 1988, which generally came into effect as from April 19, 1989.
It is essential to note that the legislation relates to personal data only. The legislation provides that computer users should observe a number of provisions - data protection principles - when the user is the controller of a computerised file. Data held in manual (i.e. paper) formats are not covered by the Act. These obligations are applicable regardless of whether the computer user - data controller or data processor - is obliged to register with the Data Protection Commissioner, the statutory body charged with enforcing the Act.
Data subjects - human persons only - are generally entitled to access computerised data held by others about them, and the computer user is bound to observe limits vis-a-vis freedom to use or disclose such data. There are exceptions to these provisions in areas of crime detection, state security, etc.
The Commissioner has broad powers to instigate complaints and has powers of enforcement but cannot award damages or compensation - litigation in the ordinary courts is necessary for such purposes. Powers to regulate cross-border data flows are also given, but the Commissioner's powers to prohibit such transfers are circumscribed by the legislation. Several criminal offences are provided for, such as processing of personal data when not registered (when required) or unauthorised disclosure of personal data to a third party.
Key definitions - these are found in section 1 of the Act
- data: information in a form in which it can be processed.
- processing: performing automatically logical or arithmetical operations on data; it includes extracting any information constituting the data and, in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any services provided by him for a data controller. This does not include an operation performed solely for the purpose of preparing the text of documents.
- personal data: data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.
- data controller: a person who, either alone or with others, controls the contents and use of personal data.
- data processor: a person who processes personal data for another person, excluding an employee of the data controller who processes such data in the course of employment.
- disclosure: includes the disclosure of information extracted from such data, and the transfer of such data, but it does not include necessary disclosures to employees or agents of the data controller/processor; partial disclosure of anonymous data is not a disclosure.
The Act does not apply to personal data:
- kept for the purpose of safeguarding the security of the State,
- which consists of information which by law is to be made available to the public,
- kept by an individual for personal, family or household affairs, or for recreational purposes only.
Section 2 obliges a data controller to observe certain principles in relation to personal data:
- The data or information constituting the data shall be obtained and processed fairly.
- The data shall be accurate and where necessary kept up to date. Data held for back-up purposes is exempt.
- The data shall be kept for one or more specified or lawful purposes - specified refers generally to purposes specified in any registration document, where applicable.
- The data shall not be used or disclosed in any manner incompatible with such purpose(s).
- The data shall be adequate, relevant and not excessive in relation to that purpose(s).
- The data shall be kept for no longer than is necessary; data held for historical, statistical or research purposes is exempt.
Both data controllers and data processors are obliged to observe a separate security principle: appropriate security measures should be taken against unauthorised access to, alteration of, or disclosure of personal data. Such safeguards may be technical or physical in nature and directed against accidental loss or destruction as well as deliberate acts of sabotage.
Provision is made in Section 2(6) to allow extra safeguards against misuse of confidential data on racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, but no regulations have been made.
Personal data held for direct marketing purposes is obviously subject to these provisions, but the Act goes further by allowing data subjects a right to have such data deleted within 40 days of a request for deletion being made.
It should be noted that while the data protection principles apply regardless of the issue of registration, breach of the principles does not per se involve a criminal offence. Should the Commissioner investigate a complaint and issue one of the statutory notices - enforcement, prohibition, information - failure to comply without reasonable excuse is an offence. Other offences, such as unauthorised disclosure under Sections 21 and 22, are specific offences.
Apart from the Data Protection Act 1988, the misuse of data in the form of unauthorised access - hacking - is criminalised under the provisions of the Criminal Damage Act 1991.
Section 3 gives data subjects the right to establish whether personal data is kept by another person. Section 4 gives data subjects a right to request copies of their personal data held by data controllers if the data subject complies with the Section - gives the necessary notice and details to the controller, pays a fee if so requested (not more than £5) or separate fees in relation to separate requests.
A specific right operates in relation to examination results. Disclosure is not to be made if personal data about third parties cannot be edited out, and specific protection is available in relation to health or social work data. In general, health data should be disclosed unless in the opinion of a health professional such disclosure would be harmful to the health or prospects of recovery of the data subject in question.
These disclosures do not apply to personal data:
- kept for investigating crime, for taxation or other fiscal purposes
- kept for prison or detention purposes
- kept for protecting the public from financial services malpractice
- where disclosure would be contrary to the interests of the State vis-a-vis International Relations
- to estimate a potential insurance liability by an insurer
- where a legal professional privilege applies
- for statistical purposes
- back up data.
Where data is rectified or erased because it is misleading, the data controller must notify those to whom the data was disclosed over the previous 12 months of the error or change. Any loss that results may be the basis of an action in tort under Section 7.
The principles which regulate non-disclosure are relaxed for certain kinds of data by Section 8. Restrictions in the Act do not apply to data:
- certified by a senior member of the police or defence forces as being required to safeguard the security of the State
- for criminal investigation purposes or taxation or other fiscal purposes
- protecting the International Relations of the State
- required urgently to prevent injury or other damage to a person or serious loss or damage to property
- required by law or court order
- for the purpose of obtaining legal advice or in legal proceedings
- to an agent of the data subject
- made with the consent of the data subject.
The Data Protection Commissioner is charged with enforcing the Act by investigating complaints, sponsoring codes of practice, prosecuting offenders, supervising the registration process, and generally raising awareness and understanding about data protection. The attitude of the Commissioner's office is generally non-confrontational and prosecutions for offences have not been initiated.
The number of formal complaints recorded in the 1994 Report remained identical with the 1993 period, at 24 complaints per year. Most of these complaints are resolved by a combination of "persuasion and encouragement" (1994 Report, p. 15). In 1994 half of the 24 complaints were public sector complaints, with the banking and insurance sectors also attracting five complaints each.
The Irish system of registration is selective. The following data controllers must register:
- Public Sector
  - the Government
  - Government Ministers
  - Attorney General
  - Comptroller and Auditor General
  - local authorities, health boards, publicly financed companies
  - companies where a majority of shares are held by a Minister or the Government under Statute
- Private Sector
  - financial institutions; direct marketing, credit reference and debt collection businesses
- Holders of Sensitive personal data relating to racial origin, political opinions and religious beliefs, physical or mental health, sexual life and criminal when prescribed by the Commissioner (i.e. previous defaulters).
- All data processors must register but the registration requirement is not onerous.
Registration lasts for one year. Annual fees are payable. Registration must be reviewed and kept up to date.
Clark, Robert, Data Protection Law in Ireland, Round Hall Press Dublin (1991).
For details on Guidelines and information contact:
Data Protection Commissioner,
Irish Life Centre,
Telephone: Dublin 874 8544
Fax: Dublin 874 5405