The principle concerning purpose is probably the most significant, as it imposes a huge limitation on data controllers: they cannot use data collected for a certain purpose for another purpose. An example of the importance of this principle is the case brought before the Data Protection Commissioner concerning the Department of Education using information on union membership against striking teachers.

Section 2(1)[d] of the Data Protection Act 1988 sets out the final principle, the requirement for appropriate security measures. However, this is not an absolute obligation. The term “appropriate security measures” is subsequently explained by stating that a data controller:
    may have regard to the state of technological development and the cost of implementing the measures, and
    shall ensure that the measures provide a level of security appropriate to
        the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and
        the nature of the data concerned.

Section 2(c)(2) states that a data controller/processor must take all reasonable steps to ensure that employees and other persons at the place of work concerned are “…aware of and comply with the relevant security measures aforesaid.”
As well as this, Section 2(c)(3) compels data controllers to put in place contractual controls with data processors and to “…take reasonable steps to ensure compliance with those measures.”
S.7 of the 1988 Act created a general duty of care on the part of the data controller/processor. There are no reported Irish cases on the matter; however, McIntyre draws a comparison to the case of Gray v Minister for Justice, which concerned the negligent disclosure of information. A failure to comply with this statutory duty can result in liability to the data subject.

As McIntyre notes, the liability-based regime that data protection law creates has many disadvantages when applied to large-scale data breaches such as the one concerning the Sony PlayStation Network in early 2011.
Organisations do not wish to advertise the existence of a data breach; for example, it took Sony approximately three days to announce that it had been hacked and that a large-scale data breach had occurred. Without speedy notification, individuals may not be able to take protective action in time. This limits responses to being “reactive” as opposed to “proactive”.
Under Irish law it is unlikely that one individual, for example an individual PS3 account holder, will have suffered enough damage to justify bringing an action. Should class actions be introduced? For example, as Brimsted notes, there is a potential class action against Sony in the USA.