MIP Home

Managing Intellectual Property

Skip to main content Skip to Navigation menu Skip to Login form

The Global Magazine for Intellectual Property Owners

Navigation Menu

Skip to main content Skip to top of page

Change font size:   

MIP Home Page

Browse by Sector

Browse by Section

IP Resources

Other Services

Skip to Navigation menu Skip to top of page

NOVEMBER 2007

RELATED ARTICLES

LATEST NEWS

Ireland: Ireland clarifies data protection law

Back to country updates menu

A&L Goodbody, Dublin

A number of legislative changes in Irish data protection law have already taken effect and further developments are due to take effect in October 2007. These developments provide some welcome clarification for practitioners.

Registration

The Irish registration regime changed with effect from October 1 2007. Section 16 of the Data Protection Acts 1988-2003 (DPA) now requires all data controllers and processors with a presence in the State to register with the Data Protection Commissioner (DPC) unless they come within an exempt category.

New regulations have been made which exempt a limited number of categories of data controller from the obligation to register. The following categories of data controller and processor are now exempt:

  • certain not-for-profit organizations;
  • certain organizations whose purpose is to provide information to the public and which are open to consultation by the public;
  • certain organizations which carry out the processing of manual data;
  • elected representatives and candidates for electoral office;
  • schools, colleges, universities and other educational institutions;
  • solicitors and barristers;
  • data controllers who process data relating to personnel administration;
  • companies processing personal data relating to employees in personnel administration or in relation to shareholders, directors or other officers of the company;
  • data controllers who process personal data relating to past, existing, or prospective customers or suppliers for the purposes of normal commercial activity;
  • data controllers who process personal data for journalistic, literary or artistic purposes; and
  • data controllers or processors who adhere to a code of practice approved by the DPC in respect of their particular trade association.

The new regulations also specify particular categories of data controller and processor who are obliged to register with the DPC. As well as certain government bodies, public authorities, and anyone processing personal health-related data these include: certain financial/credit institutions; certain insurance undertakings; businesses involved wholly or mainly in direct marketing, providing credit references or debt-collection; internet access providers; electronic communications network or service providers, and persons processing genetic data.

Data controllers and processors who are obliged to register with the DPC should ensure compliance with the new regulations as soon as possible because it is an offence to continue to process data while unregistered. The maximum penalty for non-registration is a fine of €3,000 for each offence on summary conviction.

Manual data exemption

The Irish Data Protection (Amendment) Act 2003, which came into operation on July 1 2003, contained a number of temporary exemptions from the full application of the DPA including one in respect of manual data created before that date. This meant that in relation to such data it was not obligatory for data controllers to comply with either the data protection principles or with the conditions for legitimate processing of personal and sensitive data (although the data subject had the right of access to the data and the right to have such data corrected or deleted). The exemption expires on October 24 2007, after which the full provisions of the DPA will apply to all manual data irrespective of the date of its creation.

"Manual data" is any information kept (or so intended) as part of a "relevant filing system". Broadly, a "relevant filing system" is any set of information relating to individuals to the extent that, although the information is not processed by automatic equipment, the information is structured in such a way that specific information relating to a particular individual is readily accessible. As the scope of the legislative wording is not entirely clear, the Irish DPC has issued practical guidance on its website to assist persons in determining whether manual data is part of a relevant filing system and is therefore subject to the DPA (see www.dataprotection.ie).

The original aim of the exemption was to allow data controllers a set period of time to establish internal procedures which would ensure compliance with the DPA. The expiry of the exemption does not mean that data controllers must now digitize or computerize old manual records. It merely extends the application of the data protection principles and the provisions for legitimate processing of personal data and sensitive personal data to all manual records regardless of when the data was generated.

In practical terms, any company that holds manual data which was created before July 1 2003 and in a form which is readily accessible by reference to certain individuals, should review such data and the purposes for which it is being retained. Data controllers should also be aware that data should not be retained for longer than is necessary. Moreover, a higher compliance burden exists in relation to sensitive personal manual data and accordingly particular care should be exercised. If it is not necessary to process such sensitive personal data within a relevant filing system then it is recommended that such data be destroyed.

John Whelan and Ciara Cullen


A&L Goodbody
International Financial Services Centre
North Wall Quay
Dublin 1
Ireland
Tel: +353 1 649 2234
Fax: +353 1 649 2649
jwhelan@algoodbody.ie 
www.algoodbody.ie



Add Your Comment


  • All comments are subject to editorial review.




Email a friend

  • All fields are compulsory

To include more than one recipient, please separate each email address with a semi-colon ';'






Email the editor

  • All fields are compulsory




The material on this site is for financial institutions, professional investors and their professional advisers. It is for information only. Please read our terms and conditions and privacy policy before using the site. All material subject to strictly enforced copyright laws. © 2007 Euromoney Institutional Investor PLC. For help please see our FAQ.