Data Protection Law

Rights/Obligations/Responsibilities of either data controllers or data subjects under Irish/European Law Does this law properly meet its objectives?

As Kelleher and Murray state, data protection law is made up of a complex set of rules which control how the personal data of data subjects are processed by data controllers. This area of law is becoming of great importance as computer technology advances and companies grow. As a Which? magazine ( Nov 2011) investigation on 10 insurance companies data practices demonstrated, this can be a problematic area. The obligation to keep data secure can from various different sources, for example the constitutional right to privacy, the European Charter of Fundamental Rights and contract law. However, the most important security obligations concerning data protection are those established by the Data Protection Act 1988, which gave effect to the Strasbourg Convention and The Data Protection (Amendment) Act 2003, which implemented the Data Protection Directive.

DATA CONTROLLERS Principles of data protection The fundamental principles of data protection are set out by S.2 of the 1988 Act. Kelleher and Murray note that this provision, even in isolation, imposes serious limitations on how personal data may be processed. Part (a) of subsection 1 sets out the first principle of data protection and that is that data must be obtained and processed fairly. Although this is not defined, S.2 (1) (d) [i] states what cannot be regarded as fairly obtained.

Part (b) states that the data must be accurate and kept up to date. This is the second principle of data protection.

Part (c)(i) notes that the data must be kept only for one or more specified and lawful purposes. (c)(ii) states that the data must not be used or disclosed contrary to the above purposes. (c)(iii) sets out that the data must be adequate, relevant and not excessive for the above purposes. (c)(iv) says that the data must not be kept for longer than is necessary.

The principle concerning purpose is probably the most significant as it imposes a huge limitation on data controllers as they cannot use data collected for a certain purpose for another purpose. An example of the importance of this principle is the case brought before the Data Protection Commissioner concerning the Department of Education using information on union membership against striking teachers. Section 2(1) [d] of the Data Protection Act 1988 sets out the final principle that is the requirement for appropriate security measures. However, this is not an absolute obligation. The term appropriate security measures is subsequently explained by stating that a data controller: (a) may have regard to the state of technological development and the cost of implementing the measures, and (b) shall ensure that the measures provide a level of security appropriate to (i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and (ii) the nature of the data concerned Section 2(c)(2) states that a data controller/processor must take all reasonable steps to ensure that employees and other persons at the place of work concerned, are aware of and comply with the relevant security measures aforesaid. As well as this, Section 2(c)(3) compels data controllers to put in place contractual controls with data processors and to take reasonable steps to ensure compliance with those measures. S.7 of the 1988 Act created a general duty of care on the part of the data controller/processor. There are no reported Irish cases on the matter, however McIntyre draws a comparison to the case of Gray v Minister for Justice , which concerned the negligent disclosure of information. A failure to comply with this statutory tort can result in liability to the data subject. As McIntyre notes, the liability based regime that data protection law creates has many disadvantages when applied to large scale data breaches such as the one concerning the Sony PlayStation Network in early 2011. 1) Organisations do not wish to advertise the existence of a data breach, for example it took Sony approximately Three days to announce that there had been a hacking and that a large scale data breach had occurred. Without speedy notifications, individuals may not be able to take in time. This limits reactions to being reactive as opposed to proactive. 2) Under Irish law it is unlikely that one individual will have suffered enough damage to justify bringing an action, for example an individual PS3 account holder. Should class actions be introduced? For example as Brimsted notes, there is a potential class action against Sony in the USA. protective action

3) The scope of s.7 of the 1988 Act is unsatisfactorily unclear. What type of harm does it cover? This position can be contrasted against the English position which expressly separates the duty of care in cases of distress and damage. In 2010 the Data Protection Commissioner approves Code of Practice that sets out a general requirement to notify the office of the Data Protection Commissioner in the event of large scale data breach. As Wilkes points out, the intention was to make this Code of Practice a legally binding instrument, however the ... required due process was not followed and as such the Code of Practice remains just that: a code of practice. As Hickey notes, technological advancements over the past few decades have undoubtedly jeopardised the privacy of individuals on a global level.

Criteria of legitimacy As well as the principles of data protection, data may only be processed where at least one of the criteria for making data protection legitimate are complied with, these are set out by Section 2A of the Data Protection Acts as amended. The first of these criteria is where there is consent on the part of the data subject. Reliance on this would be unwise as consent is not defined under the Data Protection Acts. Next is where the processing is necessitated on contractual or legal grounds. There is also the criterion known as the public interest which includes the administration of justice. Finally there is the criterion that data processing is in the legitimate interest of the data controller.

Sensitive Personal Data Certain types of data, such as that relating to ethnicity, health or political membership, is regarded as requiring special standards. The categories a relatively broad and the data controllers must abide by the normal principles and criteria. The Data Protection Acts state that at least one of the 14 criteria must be met in order for sensitive personal data to be processed. These include: 1. 2. 3. 4. Explicit consent In connection with employment Necessary to prevent injury Necessary in the administration of justice

DATA SUBJECTS Entitled to establish the existence of and obtain a description of any personal data held and its purpose. Right to have name erased from lists for direct marketing within 40 days.