Information Technology Law - Data Protection

Published by Jason Mcwalter
Published by: Jason Mcwalter on Dec 12, 2011
Copyright: Attribution Non-commercial







Data Protection Law
Rights/Obligations/Responsibilities of either data controllers or data subjects under Irish/European Law
Does this law properly meet its objectives?
As Kelleher and Murray state, data protection law is made up of a complex set of rules which control how the personal data of data subjects are processed by data controllers.
This area of law is becoming of great importance as computer technology advances and companies grow. As a Which? magazine (Nov 2011) investigation into the data practices of 10 insurance companies demonstrated, this can be a problematic area.
The obligation to keep data secure can arise from various different sources, for example the constitutional right to privacy, the European Charter of Fundamental Rights and contract law.
However, the most important security obligations concerning data protection are those established by the Data Protection Act 1988, which gave effect to the Strasbourg Convention, and the Data Protection (Amendment) Act 2003, which implemented the Data Protection Directive.
DATA CONTROLLERS
Principles of data protection
The fundamental principles of data protection are set out by S.2 of the 1988 Act. Kelleher and Murray note that this provision, even in isolation, imposes “serious limitations on how personal data may be
Part (a) of subsection 1 sets out the first principle of data protection, which is that data must be obtained and processed “fairly”. Although this is not defined, S.2(1)(d)[i] states what cannot be regarded as fairly obtained.
Part (b) states that the data must be accurate and kept up to date. This is the second principle of data protection.
Part (c)(i) notes that the data must be kept only for one or more specified and lawful purposes.
(c)(ii) states that the data must not be used or disclosed contrary to the above purposes.
(c)(iii) sets out that the data must be adequate, relevant and not excessive for the above purposes.
(c)(iv) says that the data must not be kept for longer than is necessary.
The principle concerning purpose is probably the most significant as it imposes a huge limitation on data controllers as they cannot use data collected for a certain purpose for another purpose. An example of the importance of this principle is the case brought before the Data Protection Commissioner concerning the Department of Education using information on union membership against striking teachers.
Section 2(1)(d) of the Data Protection Act 1988 sets out the final principle, that is, the requirement for appropriate security measures. However, this is not an absolute obligation.
The term “appropriate security measures” is subsequently explained by stating that a data controller:
may have regard to the state of technological development and the cost of implementing the measures, and
shall ensure that the measures provide a level of security appropriate to
the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and
the nature of the data concerned
Section 2(c)(2) states that a data controller/processor must take all reasonable steps to ensure that employees and other persons at the place of work concerned, are “…aware of and comply with the relevant security measures aforesaid.”
As well as this, Section 2(c)(3) compels data controllers to put in place contractual controls with data processors and to “…take reasonable steps to ensure compliance with those measures.”
S.7 of the 1988 Act created a general duty of care on the part of the data controller/processor. There are no reported Irish cases on the matter; however, McIntyre draws a comparison to the case of Gray v Minister for Justice, which concerned the negligent disclosure of information. A failure to comply with this statutory tort can result in liability to the data subject.
As McIntyre notes, the liability-based regime that data protection law creates has many disadvantages when applied to large-scale data breaches such as the one concerning the Sony PlayStation Network in early 2011.
Organisations do not wish to advertise the existence of a data breach; for example, it took Sony approximately three days to announce that there had been a hacking and that a large-scale data breach had occurred.
Without speedy notifications, individuals may not be able to take protective action in time.
This limits reactions to being “reactive” as opposed to “proactive”.
Under Irish law it is unlikely that one individual will have suffered enough damage to justify bringing an action, for example an individual PS3 account holder.
Should class actions be introduced?
For example, as Brimsted notes, there is a potential class action against Sony in the USA.
The scope of s.7 of the 1988 Act is unsatisfactorily unclear.
What type of harm does it cover?
This position can be contrasted against the English position which expressly separates the duty of care in cases of ‘distress’ and ‘damage’.
In 2010 the Data Protection Commissioner approved a Code of Practice that sets out a general requirement to notify the office of the Data Protection Commissioner in the event of a large-scale data breach. As Wilkes points out, the intention was to make this Code of Practice a legally binding instrument, however the “... required due process was not followed and as such the Code of Practice remains just that: a code of practice.”
As Hickey notes, technological advancements over the past few decades have “…undoubtedly jeopardised the privacy of individuals on a global level.”
Criteria of legitimacy
As well as the principles of data protection, data may only be processed where at least one of the criteria for making data protection legitimate is complied with; these are set out by Section 2A of the Data Protection Acts as amended.
The first of these criteria is where there is consent on the part of the data subject. Reliance on this would be unwise as consent is not defined under the Data Protection Acts.
Next is where the processing is necessitated on contractual or legal grounds.
There is also the criterion known as the public interest, which includes the administration of justice.
Finally, there is the criterion that data processing is in the legitimate interest of the data controller.
Sensitive Personal Data
Certain types of data, such as those relating to ethnicity, health or political membership, are regarded as requiring special standards.
The categories are relatively broad and the data controllers must abide by the normal principles and criteria. The Data Protection Acts state that at least one of the 14 criteria must be met in order for sensitive personal data to be processed. These include:
1. Explicit consent
2. In connection with employment
3. Necessary to prevent injury
4. Necessary in the administration of justice
