Data Protection Law in Ireland
A comprehensive review by Anne Marie James, Partner and Claire O’Sullivan, Solicitor, Kirwan McKeown James Solicitors
A matter that must be considered by every brokerage
The issue of data protection and the obligations it imposes on every single entity which holds or processes information on third parties is a very serious and comprehensive matter. It is essential that brokerages are clear about their obligations pursuant to the legislation and ensure that they are complying with these obligations. The recent surge in data access requests being made by individuals, together with the recent high profile data security breaches by organizations are amongst the key data protection trends for Irish Brokerages to consider for 2014.
The area of data protection is governed by the Data Protection Acts 1988 and 2003 (the “Acts”). In addition, Statutory Instrument No. 535 of 2003 European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 relates to the processing of personal data and the protection of privacy in the electronic communications sector. The above legislation imposes a number of obligations on any person or company that deals in personal data by automatic means or otherwise. e.g. recording, collecting; storing; organising; altering or adapting personal data; or consulting or using personal data.
Under the Acts, obligations are imposed on what are referred to as “Data Processors” and “Data Controllers”. A data processor is defined as “a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment”. A data controller is defined as “a person who, either alone or with others, controls the contents and use of personal data”. Data means automated data and manual data while personal data is defined as “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”. Brokerages would fall into the category of Data Controllers.
Brokerages, as data controllers, are bound to adhere to the EIGHT RULES OF DATA PROTECTION as follows:
1. Obtain and process information fairly.
2. Keep it only for one or more specified, explicit and lawful purpose.
3. Use and disclose it only in ways compatible with these purposes.
4. Keep it safe and secure.
5. Keep it accurate, complete and up-to-date.
6. Ensure that it is adequate, relevant and not excessive.
7. Retain it for no longer than is necessary for the purpose or purposes; and
8. Give a copy of his or her personal data to an individual on request.
Obtaining Information: Consent is essential
In order to comply with the obligation to fairly obtain data, the data subject must at the time the personal data is being collected be made aware of the identity of the data controller, the purpose for collecting the data and the person or category of persons to whom the data may be disclosed. Future or new uses of the information should also be brought to the attention of persons providing personal information.
Most importantly, to fairly process personal data it must have been fairly obtained and the data subject must have given consent to the processing or the processing must be necessary for one of a number of reasons as follows:
- it is necessary for the performance of a contract to which the data subject is party; or
- it is necessary for the administration of justice or a government or ministerial function; or
- it is necessary to prevent injury to the data subject or damage to his property; or
- it is necessary to ensure compliance with a legal obligation on the data controller; or
- a public/legitimate interest is being pursued by the data controller.
The person who provides you with the data, or whom you hold information in relation to is referred to as the “Data Subject”. The Acts give data subjects a number of rights and extend to all personal data, whether stored on computer, obtained from a web site or stored on manual files created since 1st July 2003.
Particular care needs to be taken in relation to “sensitive personal data” which is data relating to a person’s racial origin, political opinions or religious or other beliefs, physical or mental health, sexual life, criminal convictions or the alleged commission of an offence or trade union membership. The specific consent of the data subject in question should be sought before processing or dealing with sensitive personal data.
As a Data Controller you must NEVER use data for any purpose other than that explicitly consented to by the Data Subject.
Appropriate security measures must be in place to protect personal data, relative to the sensitivity of the data, e.g. the use of password protection, locking filing cabinets, access limited to certain personnel for certain purposes.
Another important aspect of ensuring that personal data is stored correctly is ensuring that staff are made awar of the importance of correctly storing data and are trained in relation to the security measures and procedures that are in place within your organisation to ensure that no security breaches occur.
It is advisable to put your organisations data storage policy in writing and ensure that this forms part of the employee manual furnished to employees at the commencement of their employment. In circumstances where you do not have a data storage policy in place at present this should be prepared and circulated to all employees. This is an essential part of ensuring compliance with the Data Protection Acts. In absence of a clear policy that is specifically communicated to employees it is the employer who will be immediately held culpable for any breaches of the Acts.
When determining what security measures are appropriate for your organisation the following factors should be taken into consideration:
- The state of technological development - measures must be reviewed over time.
- The cost of implementing the measures. Larger organisations with greater resources can be expected to implement more advanced measures, or update measures more regularly, than smaller bodies.
- The harm that might result from unlawful processing. Might someone be at a financial loss or be at risk of suffering injury as a result of disclosure or destruction of data?
- The nature of the data concerned. There is a greater duty of care relating to the processing of sensitive personal data.
As a minimum standard, you should be able to answer YES to the following questions:
- Is access to your computers and manual files restricted to authorised staff only?
- Is access to the information restricted on a “need-to-know” basis in accordance with a defined policy?
- Are your computer systems password protected?
- Is information on screens kept hidden from callers to your offices?
- l Have you a back-up procedure in operation, including off-site back-up?
- l Are all waste papers, printouts, etc. disposed of carefully?
This requirement places a responsibility on Data Controllers to be clear about the length of time for which data will be kept and the reason why the information is being retained. If there is no good reason for retaining personal information, then that informatio should be routinely deleted. Information should never be kept “just in case” a use can be found for it in the future.
You should pay particular attention to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which you do not need to hold any longer. If you would like to retain information about customers to help you provide a better service to them in the future, you must obtain the customers’ consent in advance.
The same applies to paper records. Good housekeeping would dictate that you regularly review the need to retain records.
It is advisable that brokerages identify and categorise the data held by them. Following this it is necessary to determine what records need to be retained and for how long. Regard must be had to retention periods mandated by legal/regulatory environment. Records should then be reviewed periodically to determine what is no longer required. Records that need to be destroyed must be disposed of safely and securely.
It is worthwhile nominating a particular person/s within the organisation to take responsibility for reviewing the data retained by the organisation and ensuring that it is:
A) Up to date
Data protection policy
Leading on from the idea of having a data storage policy (discussed above) it is important to have an overall data protection policy in place. Employees, managers, etc. should be aware of their rights and responsibilities under the Acts.
The Office of the Data Protection Commissioner provides a basic data protection check list for those collecting, processing and retaining personal data.
- Are the individuals whose data you collect aware of your identity?
- Have you told the data subject what use you make of his or her data?
- Are the disclosures you make of that data legitimate ones?
- Do you have appropriate security measures in place?
- Do you have appropriate procedures in place to ensure that each data item is kept up-to-date?
- Do you have a defined policy on retention periods for all items of personal data?
- Do you have a data protection policy in place?
- Do you have procedures for handling access requests from individuals?
- Are you clear on whether or not you should be registered?
- Are your staff appropriately trained in data protection?
- Do you regularly review and audit the data which you hold and the manner in which they are processed.
Data access requests
Subject to certain exceptions a data subject has the right to receive a copy of all personal data relating to him or her by makinga written access request. The right of access extends to both manual data and automated data. The data subject also has the right to rectify any errors in personal data held in relation to them and to have data blocked or erased.
Data Access Requests by individuals have become increasingly popular, indeed, as solicitors we often utilise it as the first means of gathering information in respect of a matter. Accordingly, it is highly likely that you will receive such a request at some stage.
Upon receipt of a data access request it is essential that same is complied with within 40 days. As a Data Controller you are entitled to charge a fee of no more than €6.35 to process such a request and time will not begin to run until this fee is received in circumstances where you request it.
In circumstances where the personal data relating to an individual contains personal data about another individual or if certain information in a document is privileged then this aspect of the document should be redacted to conceal the information that is not relevant to the Data Subject.
An issue which is worth noting is the fact that employees are deemed to be Data Subjects and are therefore entitled to request access to personal information held on file by their employer. This may include such paper work as interview notes, performance evaluations and disciplinary records. Employees will also be able to request access to notes for meetings which concern such decisions as their redundancy, salary reviews or promotions.
Failure to comply with a Data Access Request by failing to respond to same OR failing to provide all of the information relevant to the Data Subject is considered a breach of the Acts.
Having looked at the matter of Data Protection and the means required to comply with ones obligations under the various pieces of legislation we will now briefly address some specific issues in relation to data protection compliance on your website.
1. WEBSITE PRIVACY STATEMENT – DO YOU NEED ONE?
A Privacy Statement is a public declaration of how the organisation applies the data protection principles to data processed on its website. A website should contain a privacy statement if:
- It collects personal data (visitors filling in web forms etc.);
- It covertly collects personal data (IP addresses, email addresses).
It is a legal requirement that websites that process the above information have privacy statements. Two distinct pieces of legislation apply: The Data Protection Acts and Statutory Instrument Number 336 of 2011 European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011 (“SI 336/2011”).
The information in the privacy statement should include the following:
1. Identity (complete name and address) of the operator of the website.
2. All purposes for collection of the personal data.
3. Any proposed disclosure by the website operator of the personal data to third parties must be disclosed in the privacy statement.
4. The data subject’s right of access to the personal information must be referred to.
5. The data subject’s right of rectification or erasure of personal information must be referred to. It should be noted that the website operator cannot charge for such a request and must comply with the request within 40 calendar days of receipt of such a request.
6. If different data is used for different purposes, this should be referred to clearly in the privacy statement.
2. COOKIES POLICIES
Various provisions concerning electronic communications, including the storing and accessing of information on terminal equipment e.g. cookies, is set out in Statutory Instrument No. 336 of 2011 which implemented the ePrivacy Directive into Irish law on the 1st of July 2011.
In order to meet the legal requirements, the minimum requirement is that clear communication to the user as to what he/she is being asked to consent to in terms of cookies usage and a means of giving or refusing consent is required.
Information – not just personal data – may not be stored on or retrieved from a person’s terminal equipment (computer, smartphone, mobile phone or other equipment used by an individual to access electronic communications networks) unless the individual:
(a) has been given clear and comprehensive information about whythis is being done; and
(b) has given her/his consent.
The obligation to meet the requirements for providing comprehensive information to users and obtaining their consent for the placement of cookies rests with the service providers who place cookies on users’ equipment.
The Data Protection Commissioner has published updated guidelines in relation to website cookies Policies. The Cookie Statement should contain clear and comprehensive information on how cookies are used, including information on the types of cookies used and details on how to remove them.
As best practice, the following information could also be provided in the Cookie Statement:
- Itemised cookie types, including their purpose e.g. preferences such as language or, font, browsing & search history, tracking, session security and any third party cookies
- Instructions on how to disable the cookies.
A recent survey by the Irish Computer Society (ICS) revealed that over 50%of Irish companies have experienced data breaches. The DPC has also reported that over 1.5 million people faced serious security issues with their personal data last year. Due to a number of recent high profile data security breaches it is likely that the matter of data breaches is going to be high on the agenda of the DPC over the coming years so this is something that all brokerages should be mindful of.
A breach of the principles set out in the Acts does not automatically amount to a criminal offence. A data subject may make a complaint to the Data Protection Commissioner who, if it finds that a breach has occurred, can issue an Enforcement Notice (S10 (2) of the Acts). It is an offence not to comply with an Enforcement Notice. Under the Acts the maximum fine on summary conviction of such an offence is set at €3,000. On convictions on indictment, the maximum penalty is a fine of €100,000. However, criminal prosecutions tend to be rare and fines at the lower end of the scale.
A Data Controller may also be subject to civil remedies in breach of contract or liable in tort where they fail to comply with the principles set out in Section 2 of the Acts. Section 7 of the Acts creates a duty of care between the Data Controller and the Data Subject and it is possible that an individual who has suffered a loss as a result of a breach could seek to recover damages against a Data Controller.
While the Acts do not explicitly oblige a Data Controller to inform an individual of when their information has been lost, stolen or otherwise compromised, the Data Protection Commissioner issued a ‘Data Security Breach Code of Practice’ in 2010. Pursuant to this code a Data Controller must give immediate consideration to informing an individual and any other appropriate authority, the Gardai, for example. Generally speaking the Data Protection Commissioner must also be informed of a breach. The Data Protection Commissioner doesn’t need to be informed where the individuals have been notified, the breach affects less than 100 individuals, and it doesn’t involve sensitive or financial information.
The above is a whistle-stop tour through some of the major issues surrounding compliance with data protection law. For further information contact Anne Marie James, Partner, Kirwan Mc Keown James Solicitors, firstname.lastname@example.org or Claire O’Sullivan, Solicitor, Kirwan McKeown James Solicitors, email@example.com