Data Protection: The Law

EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection Acts 1988 & 2003 EC Electronic Privacy Regulations 2003 (SI 535/2003) Corresponding Acts Good Friday Agreement Disability Act 2005

The Data Protection Rules (Directive 95/46 & Data Protection Acts) 1.Fair obtaining & processing Consent 2.Specified purpose 3.No disclosure unless “compatible” 4.Safe and secure 5. Accurate, up-to-date 6. Relevant, not excessive 7. Retention period 8. Right of access

Definitions(1) Personal Data livingidentifiable  Any Data relating to a living identifiable individual Data manual data  Automated data or structured manual data Manual Data  Structured by reference to individuals in a way that makes data readily accessible

Definitions(2) Data Controller  a person who controls the contents and use of personal data Data Processor  A person who processes personal data on behalf of a data controller

Definitions(3) Data Subject  an individual who is the subject of personal data Processing  Anything done with personal data, from collection to disposal

Sensitive Data (special protection) Physical or mental health Racial origin Political opinions Religious or other beliefs Sexual life Criminal convictions Alleged commission of offence Trade Union membership

Using Sensitive Data EXTRA conditions: S.2B (one only is needed) 1.explicit consent 2.necessary under employment law 3.non-profit body (political, philosophical, religious, trade-union) – its members / clients 4.necessary for medical purposes (contd)

Using Sensitive Data EXTRA conditions: (one only is needed) 5.necessary to protect vital interests 6.necessary for legal advice / legal claim 7.for electoral purposes 8.for substantial public interest 1. as prescribed by Minister

Genetic Testing Disability Act 2005 (Part 4):  Informed consent of data subject required  Prohibited in relation to insurance policies, pensions, and mortgages  Subject to DPC prior approval in relation to employment

Electronic Communications (SI 535/2003) General DP Principles apply Telecom-specific:  ‘Cookies’ on PCs  Caller ID (phones)  Location Data (mobiles)  Directories  ‘SPAM’  Data Retention  ‘Cold Calling’ opt-out

North/South Bodies S 31, British-Irish Agreement Act, 1999:  Irish DPC responsible for Bodies established in Republic  UK Information Commissioner responsible for Bodies established in Northern Ireland

DP/FOI Access to Personal Information DP and FOI Acts reinforce one another in relation to personal access in the public sector Defending access to personal information as human (DP) and citizen (FOI) right 3 rd Party Access restricted under both Acts FOI access to personal information should sometimes prevail in the public interest

Access right: DP v FOI FOI - Public Interest (s 28(5)(a)) when “on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld” Information Commissioner: Case No “the protection of personal privacy afforded by s.28 exemption is intended to be a strong one”

DP and FOI A right conferred by the Data Protection Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other (DP Act 2003)