| PRIVACY & DATA PROTECTION |
| |
| Irish data protection laws are contained in the following: |
| |
- Data Protection Act, 1988
- Data Protection (Amendment) Act 2003, which amends the 1988 Act
to fully implement the Data Protection Directive 95/46. Most of the
2003 Act came into effect on the 1st of July 2003 by virtue of the
Data Protection (Amendment) Act 2003 (Commencement) Order 2003, with
the exception of s.4(13) (Criminal Offences) and s.16 (Registration).
- EC (Directive 2000/31/EC) Regulations 2003 (see the e-commerce
section)
- EC (Electronic Communications Networks and Services) (Data Protection
and Privacy) Regulations, 2003 (S.I. No. 535 of 2003) (see what's
new?)
|
| Privacy Law |
| Although the Irish Constitution of 1937 does not contain an explicit right
to privacy, its existence has been recognised by the Irish courts,
notably by the High Court in Kennedy & Arnold v Ireland [1987]
IR 587. Article 8 of the European Convention on Human Rights provides
that: |
| |
| “(1) Everyone has the right to respect for his
private and family life, his home and correspondence. |
| |
| (2) There shall be no interference by a public authority
with the exercise of this right except such as is in accordance with
the law and is necessary in a democratic society in the interests
of national security, public safety or the economic well being of
the country, for the prevention of disorder or crime, for the protection
of health or morals, or for the protection of the rights and freedoms
of others.” |
| |
| |
| The Data Protection Act, 1988
|
| |
| The Data Protection Act, 1988 provides a statutory
code of good data protection practice. The Act applies to computerised
data only and imposes obligations on organisations which control and
process 'personal data'. Personal data is information which is capable
of being processed automatically and which relates to a living individual
who is identifiable from that information or from other information
held by the organisation. The ‘data protection principles’
must be complied with and they are as follows: |
| |
| - Data must have been obtained and must be processed
fairly. |
| - Data must be accurate and kept up to date. |
| - Data must be kept only for one or more specified
and lawful purposes. |
| - Data must not be used or disclosed in any manner
incompatible with that specified purpose or purposes. |
| - Data must be adequate, relevant and not excessive
in relation to the purpose or purposes specified. |
| - The data must only be kept for as long as is necessary
for the specified purpose. |
| |
| The Data Protection Commissioner has the responsibility
of supervising the implementation of the Act. He can do this by issuing
information notices, enforcement notices and prohibition notices.
A data subject may enforce his rights under the Act through the Commissioner
or, alternatively, he may institute an action in tort in the courts
in the normal way. |
| |
| |
| Data Protection (Amendment) Act
2003 |
| |
| This Act confers considerable rights on individuals
to control how data relating to them personally is processed. It also
places the controllers of such data and those who process such data
under considerable duties. To summarise the main provisions of this
legislation, personal data must be processed fairly and lawfully,
it must be collected for specified, explicit and legitimate purposes
and must be adequate, relevant and not excessive in relation to the
purposes for which they are collected and processed. The information
must be accurate and where necessary kept up to date. The subject
must not be identifiable for longer than is necessary. |
| |
| While the 1988 Act only applied to the processing of
data ‘automatically’, the 2003 Act extends data protection laws
to |
| |
| ‘manual data’ which are held in filing
systems. That is ‘data … that is recorded as part of a relevant
filing system or with the intention that it should form part of
a relevant filing system’. |
| ‘relevant filing system’ means that ‘the
set is structured … in such a way that specific information
relating to a particular individual is readily accessible’.
|
| |
| The definition of processing is extended to include
the following: |
| |
| obtaining, recording or keeping the information or
data, |
| collecting, organising, storing, altering or adapting
the information or data, |
| retrieving, consulting or using the information or
data, |
| disclosing the information or data by transmitting,
disseminating or otherwise making it available, or |
| aligning, combining, blocking, erasing or destroying
the information or data. |
| |
| The Act also sets out the criteria for making data
processing legitimate. Any processing that does not comply with this
will be illegal. Processing can only be carried out if the data subject
has unambiguously given his consent (subject to exceptions). This
might mean that the current situation where a box must be ticked if
you object to data processing will be replaced by a situation requiring
the ticking of a box where you want your data to be processed. Processing
will also be permitted if it is pursuant to a contract or a legal obligation
or to protect the vital interests of the subject or in the public
interest. Sensitive data such as data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade union
membership and data concerning health or sex life may not be processed.
There are exceptions to this, for example if the data subject has given
his 'explicit consent'. |
| |
| If the processing of data is to be fair then the individual
must be able to learn that such processing is going on. Therefore,
where data is collected from a person, then he must be given certain
information such as the identity of the controller and the purposes
for which the information is to be processed. Similar information
must also be supplied where data is not collected directly from the
individual. |
| |
| The Act also gives individuals a right of access to
data concerning them and the right not to be subject to an automated
decision. So if any decisions are made about a person, another person
must make them; a computer program cannot simply be programmed to make
those decisions. Individuals are also given the right to object to
the processing of data in certain circumstances particularly where
such processing is likely to cause distress. |
| |
| The 2003 Act also provides for prior checking. |
| Where data processing is of a kind likely to cause
substantial damage or distress to data subjects or to significantly
prejudice the rights and freedoms of data subjects, |
| the data controller can apply to the Data Protection Commissioner,
and he must revert to the data controller within 90 days stating
the extent to which, in the opinion of the Commissioner, the proposed
processing is likely or unlikely to comply with the provisions of
this Act. |
| |
| Transborder data flows: |
| |
| Free transfers of data within the EU |
| Transfers outside EU only permitted if adequate data
protection laws exist – Commission Finding. |
| Norway, Liechtenstein and Iceland (EEA) |
| Switzerland, Hungary |
| US – Safe Harbour principles (Dept. of Commerce).
|
| |
| Transfers are allowed where inter alia: |
| |
| Transfer is required by law; |
| Data subject has given his consent; |
| Transfer is necessary for the performance of a
contract between the controller and subject |
| Legal proceedings. |
| Prevent an injury to the subject or to protect his
vital interests. |
| Authorised by the Commissioner. |
| |
| Transfers are also allowed where |
| |
| A controller adduces the safeguards for the data subject
by means of a contract embodying the contractual clauses as set out
by the EU. |
| |
| The Commissioner may prohibit transfers outside the
State. |
| |
| Consideration must be given to whether the transfer
would cause damage or distress to any person and the desirability
of facilitating international transfers of data. |
| |
| |
| Internet & email use Policies
in the Workplace |
| |
| Data protection laws apply in the workplace (see Murray,
Data Protection in the Workplace, Irish Law Times, No. 13, Vol 21
2003). But workplace privacy places at issue many of the most difficult
aspects of personal privacy, surveillance and control. The employee’s
right to privacy and the employer’s right to protect itself
from possible legal liabilities have to be reconciled. The employer
must be especially aware that third parties such as customers or friends
and family of employees also have a right to privacy. However, as
the operator of its computer systems the employer will be subject
to all of the potential liabilities of any Internet Service Provider,
but will also be vicariously liable for the actions of his employees.
The potential liabilities of an employer are considerable, e.g. an
employer may be sued for defamatory statements made by an employee, an
employee’s use of a system may compromise his organisation’s
security, an employer may be liable for harmful or illegal content,
etc. However, an employee has a strong right to privacy. There are
many laws (in particular data protection laws) in this area which
must be taken into account before putting together any policy on email
and Internet use. The recently enacted Human Rights Act, 2003 incorporates
the European Convention on Human Rights into Irish Domestic Law. Unlike
the Irish Constitution, Article 8 of the Convention contains a specific
protection for the right of privacy of individuals: “Everyone
has the right to respect for his private and family life, his home
and his correspondence.” |
| |
| |
| Privacy and Photographs |
| |
| The Copyright and Related Rights Act 2000 provides a
right to privacy in respect of some photographs and films. Section
114 provides that where a person commissions the taking of a photograph
or the making of a film, they have a right not to have the work or
copies of the work made available to the public. The right is given
provided that copyright subsists in the resulting work. In other words,
the photograph or film must be original. |
| |
| |
| Relevant sites |
| Data Protection Commissioner's website at www.dataprivacy.ie |
| see Kelleher, Data protection and FOI, Gazette, August,
Sept 2003. |
| Data Protection in the European Union. |
| Data Protection (Access Modification) (Health) Regulations,
1989. |
| Data Protection (Access Modification) (Social Work) Regulations, 1989 |
| European Communities (Data Protection and Privacy in
Telecommunications) Regulations 2002 S.I. No. 192 of 2002 |
| Department of Justice, Consultation on Data Retention |
| Office of the Information Commissioner |
| Model Contracts on the transfer of personal information
to third countries. |
| Article 29 Data Protection Working Parties |
| Information Commissioner in the UK |
| |
| |
| © Karen Murray 2003 |
| |
| |