Data Protection: The Law

Upload: berniece-lawson

Post on 23-Dec-2015


Page 1: Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection

Data Protection: The Law


EU & Irish Legislation

• Data Protection Directive 95/46/EC
• Electronic Privacy Directive 2002/58/EC
• EUROPOL etc
• Data Protection Acts 1988 & 2003
• EC Electronic Privacy Regulations 2003 (SI 535/2003)
• Corresponding Acts
• Good Friday Agreement
• Disability Act 2005


The Data Protection Rules (Directive 95/46 & Data Protection Acts)

1. Fair obtaining & processing
   • Consent
2. Specified purpose
3. No disclosure
   • unless “compatible”
4. Safe and secure
5. Accurate, up-to-date
6. Relevant, not excessive
7. Retention period
8. Right of access


Definitions (1)

• Personal Data: Any data relating to a living identifiable individual
• Data: Automated data or structured manual data
• Manual Data: Structured by reference to individuals in a way that makes data readily accessible


Definitions (2)

• Data Controller: A person who controls the contents and use of personal data
• Data Processor: A person who processes personal data on behalf of a data controller


Definitions (3)

• Data Subject: An individual who is the subject of personal data
• Processing: Anything done with personal data, from collection to disposal


Sensitive Data (special protection)

• Physical or mental health
• Racial origin
• Political opinions
• Religious or other beliefs
• Sexual life
• Criminal convictions
• Alleged commission of offence
• Trade Union membership


Using Sensitive Data

EXTRA conditions: S.2B (one only is needed)

1. explicit consent
2. necessary under employment law
3. non-profit body (political, philosophical, religious, trade-union) – its members / clients
4. necessary for medical purposes

(contd)


Using Sensitive Data

EXTRA conditions: (one only is needed)

5. necessary to protect vital interests
6. necessary for legal advice / legal claim
7. for electoral purposes
8. for substantial public interest
   1. as prescribed by Minister


Genetic Testing

• Disability Act 2005 (Part 4):
   • Informed consent of data subject required
   • Prohibited in relation to insurance policies, pensions, and mortgages
   • Subject to DPC prior approval in relation to employment


Electronic Communications (SI 535/2003)

• General DP Principles apply
• Telecom-specific:
   • ‘Cookies’ on PCs
   • Caller ID (phones)
   • Location Data (mobiles)
   • Directories
   • ‘SPAM’
   • Data Retention
   • ‘Cold Calling’ opt-out


North/South Bodies

• S 31, British-Irish Agreement Act, 1999:
   • Irish DPC responsible for Bodies established in Republic
   • UK Information Commissioner responsible for Bodies established in Northern Ireland


DP/FOI Access to Personal Information

• DP and FOI Acts reinforce one another in relation to personal access in the public sector
• Defending access to personal information as human (DP) and citizen (FOI) right
• 3rd Party Access restricted under both Acts
• FOI access to personal information should sometimes prevail in the public interest


Access right: DP v FOI

• FOI - Public Interest (s 28(5)(a)) when “on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld”
• Information Commissioner: Case No 99001 - “the protection of personal privacy afforded by s.28 exemption is intended to be a strong one”


DP and FOI

• A right conferred by the Data Protection Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.
• The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other (DP Act 2003)