1. Data Protection: Your Rights as a Data Subject

2. Data Protection: a Human Right
Part of Right to Personal Privacy
Personal Privacy : necessary in a Democratic Society
Not absolute: other necessary Rights on a Democratic Society ( e.g. Freedom of Expression, Rights of Others)
Right protected by Irish Constitution and European Law

3. The Data Protection Rules
Fair obtaining & processing
Consent
Specified purpose
No disclosure
unless “compatible”
Safe and secure
Accurate, up-to-date
Relevant, not excessive
Retention period
Right of access

4. The Acts create: Background Data Protection Acts, 1988 & 2003
RIGHTS
for
individuals
RESPONSIBILITIES
users of personal data

5. Rights and Obligations
Rights of “data subject” (= identifiable, living individual) to control the use of their “personal data”
Obligations on “data controllers” (“a person who controls the contents and use of personal data”) and “data processors” (“A person who processes personal data on behalf of a data controller”)

6. Definitions(1) Personal Data Data Manual Data
Any Data relating to a living identifiable individual
Data
Automated data or structured manual data
Manual Data
Structured by reference to individuals in a way that makes data readily accessible

7. Definitions(2) Data Controller Data Processor
a person who controls the contents and use of personal data
Data Processor
A person who processes personal data on behalf of a data controller

8. Definitions(3) Data Subject Processing
an individual who is the subject of personal data
Processing
Anything done with personal data, from collection to disposal

9. Sensitive Data (special protection)
Physical or mental health
Racial origin
Political opinions
Religious or other beliefs
Sexual life
Criminal convictions
Alleged commission of offence
Trade Union membership

10. Rights of Individuals to fairness when giving information
to get a copy of their personal information – includes both computer and certain manual files
to have wrong information corrected
to opt out of marketing - includes mail & phone
to complain to the Data Commissioner

11. Obtain & Process Fairly I
Rule 1
Obtain & Process Fairly I
Data controller must give full information about
identity
purposes
disclosees
any other data necessary for “fairness”
Third party data controllers
must contact data subject to provide these details
must give name of original data controller

12. Obtain & Process Fairly II
Rule 1
Obtain & Process Fairly II
One of these conditions required:
Consent
Legal obligation
Contract with individual
Necessary to protect vital interests
Necessary for a public function (Justice)
necessary for ‘legitimate interests’

13. Processing Sensitive Data
Rule 1
Processing Sensitive Data
One of these additional conditions is required
Explicit consent
Necessary under employment law
To prevent injury or protect vital interests
Process the data of members/clients of non-profit orgs.
Legal advice
For Medical Purposes
Statutory function

14. Specified Purpose Rule 2
Part of obligations when obtaining to specify purpose
Cannot expand purpose without reverting to individual

15. Disclose only if compatible
Rule 3
Disclose only if compatible
General rule – no disclosure for different purpose
Exceptions made, to balance other interests of society
Section 8 exceptions
Investigation of crime
Collection of taxes
Security of the State
Protect life & limb
Law or court order
Legal advice and legal proceedings
No general “public interest” test

16. Keep Safe and Secure Rule 4 Appropriate security measures
Appropriate to the harm that might result..
Appropriate to the nature of the data
May have regard to cost of implementation
May have regard to the current state of technology
Staff must know and comply with measures
Internal review of security measures-part of Internal Audit function ?

17. Accurate, Complete and Up-to-Date
Rule 5
Accurate, Complete and Up-to-Date
Longer personal data is held, more likely it will be inaccurate and out-of-date
Right to have errors rectified (see later)

18. Relevant and not Excessive
Rule 6
Relevant and not Excessive
No right to ask for, or hold, information not relevant to service etc being provided
Challenge: who do you need all this personal data ?

19. Retain no longer than necessary
Rule 7
Retain no longer than necessary
Legal obligations to hold data?
Customer files
Do you need to hold all that data?
Payment records might have one retention period
Exam results might have longer retention period
Credit card details retained with consent
Must have policy thought through
Defend retention as necessary for purpose.

20. Right of Access Rule 8 applies to manual as well as computer files
data subjects are also entitled to know
purposes for which data is processed
persons to whom data are disclosed
the source of the data

21. Right of Access: Empowerment
The Right of Access empowers individuals by enabling them to supervise the processing of their personal data.

22. Scope of Access Request
Applies to all manual and electronic records in existence at the time of receipt of an access request – regardless of when the record was created.
Copy of information must be provided in permanent form unless data subject agrees otherwise or this is impossible or involves disproportionate effort

23. What must be disclosed in an access request
Personal data held
purposes for processing data
persons to whom data are disclosed
the source of the data
subject to confidentiality safeguards
logic involved in automated decisions

24. Access Request - Procedure
Shall be in writing
Data Subject shall provide sufficient information to identify oneself
Data Controller shall comply within 40 days
May charge a fee up to €6.35

25. Opinions
Exempt from an access request only if the expression of an opinion was given in confidence or under the understanding it would be treated as confidential.
References are not exempt in general
High threshold required
Work performance reports on colleagues are accessible
Interview notes-accessible

26. Exempt from Access Requests
Data relating to a claim of liability
Data covered by legal privilege
Data relating to a criminal investigation
Certain research data
Back-up data

27. Access: Exemptions (S.5)
Right of Access does not apply if likely to prejudice:
Preventing, detecting or investigating offences, apprehending or prosecuting offenders
Security in a place of detention
Other (international relations, privileged information etc)

28. Right to correct/erase/block
Section 6 of the Act
Data Subject makes a written request
Personal data must be:
Corrected, if inaccurate; or
Deleted, if should not be held.
Data Controller has 40 days to respond
No fee

29. Right of erasure
Doesn’t apply if you have a lawful purpose in retaining data
Such as auditing or accreditation purposes

30. Automated decisions
Key decisions cannot be made solely based on automated processing of personal data
creditworthiness
work performance
reliability
Exceptions
consent; legal necessity; contractual reasons

31. Right to object
Section 6A(1) allows the data subject to object to the processing of data
Is “likely to cause substantial damage or distress to him or her, or to another person, and
The damage or distress is or would be unwarranted”

32. DP/FOI Access to Personal Information
DP and FOI Acts reinforce one another in relation to personal access in the public sector
Defending access to personal information as human (DP) and citizen (FOI) right
3rd Party Access restricted under both Acts
FOI access to personal information should sometimes prevail in the public interest

33. Right to opt out of direct marketing
Data subject may opt out of direct marketing database (e.g. a mailing list)
Data controller must delete the data subject’s details (or stop using them for direct marketing)
Data controller must reply within 40 days

34. Electronic Communications
Right to “opt-out” of all unsolicited direct marketing calls
Ex-Directory customers (and most mobiles) automatically ‘opted-out’
If not ex-directory, Contact your phone line provider and ask to be put on the National Directory Database ‘opt-out’ list
SMS and unsolicited marketing banned

35. Frequently Asked Questions

36. Can my employer monitor me?
Yes, depending on the conditions of any in-house policy document.
Employees should be made fully aware of Office policy in relation to content, and acceptable usage
Monitoring should be proportionate and not unduly intrusive.

37. Can monitoring occur without my consent?
Where a criminal offence is being investigated, covert monitoring may be legitimate.
Whilst transparency is fundamental to the fair obtaining principle, consent is not always required.

38. Can I get a copy of my personnel file?
You have a right to a copy of any records relating to you – including personnel files, assessments, evaluations and interview notes.
Note – this may be subject to restriction, for instance re statements of opinion or third party .

39. How can I check my credit rating?
Contact the Irish Credit Bureau at (
Your credit rating can be checked by member institutions (banks, etc.) when you apply for credit.

40. How do I stop unwanted phone marketing?
You should contact your telephone line
provider – e.g. Eircom, BT – and ask to have your details included in the National Directory Database (the NDD) ‘opt-out list’
After about one month, marketing calls from Ireland should cease.
More info: and

41. How do I stop Junk Mail?
You can write to the organisation sending the mail, instructing them to stop. They are obliged to comply.
Or you can use the Mail Preference Service operated by the Irish Direct Marketing Association (

42. Further Guidance