New legislation is likely to be published later this year which will give effect to a 1995 European Directive on the protection of individuals with regard to the processing of personal data. This new legislation will extend the protection currently afforded by the Data Protection Act, 1988 (the "1988 Act").

Manual Records

The 1988 Act only applies to the processing of personal data by computer. One of the main changes will be that the new law will extend to manual records. This means that manual files which relate to employees, interviewees and the customer base, and, in the case of the medical profession, the health records of patients, will be covered.

Confidentiality and Security

Under the 1988 Act, responsibility for data processing is held by a data controller or a data processor designated by the controller, both of whom manage the data. Only the controller or a person authorised by the controller may process personal data. The new legislation will also impose new duties on controllers relating to security measures to protect personal data and also measures to protect the confidentiality of data. The more sensitive the data, the more care needs to be taken.

Data Subjects’ Rights Increased

Under the new regulations a data controller will be required to provide data subjects with certain information:-

  • the identity of the data controller and his/her representative;
  • the purpose for which the data is intended;
  • any further information such as the recipients of the data;
  • whether the replies to the questions are obligatory or voluntary; and
  • the existence of the right of access to data.

Automated Individual Decisions

Measures will be introduced to protect data subjects from computer-generated decisions which may affect them. The Directive provides that an individual ought not to be subject to a decision which is based solely on automated processing of data, such as the evaluation of creditworthiness. For example, if a bank dealing with a loan application runs a credit check which is entirely computer generated, the bank cannot rely exclusively on the computer results.

Criteria For Making Data Processing Legitimate

The new Act will not provide a blanket prohibition. Processing of personal data will be permitted once clear and unambiguous consent is given by the data subject. There are, however, certain important exceptions. These include:-

  • where processing is necessary for the performance of a contract with the data subject; or
  • compliance with a legal obligation to which the controller is subject.

Special Categories Of Processing

Under the 1995 Directive, Member States are obliged in general to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health or sex life. It is likely that this provision will be mirrored in the Irish legislation.

Transfer To Third Countries

The new law will provide protection to the data subject beyond national territory. The Directive states that personal data may only be transferred to countries which provide an adequate level of protection. In essence, this will mean that the country concerned must have sufficiently similar data protection laws in place. Where this is not the case, companies engaged in the transfer of data will be obliged to enter into a contract to replicate such conditions.

Changeover

Organisations affected by the new legislation who are engaged in data processing at present will have three years to comply with the new legislation. There is a possibility that the new Act will allow a transitional period of twelve years for data held in manual files.

This article was intended to provide general guidelines. Specialist advice should be sought about specific facts.