Recent controversies involving social media companies, and in particular the recent investigation of Facebook Ireland Limited by the Data Protection Commissioner, have once again cast the spotlight on Data Protection and the safeguarding of the right to privacy.
In the course of business, organisations may collect and process vast quantities of information and data regarding their customers and clients. The Data Protection Acts 1988 and 2003 were enacted to balance the rights of organisations to gather data with the privacy rights of the individual to whom the data relates.
A number of data protection principles are set out in Section 2 of the 1988 Act (as amended by Section 3 of the 2003 Act). All persons, or entities, controlling Personal Data must adhere to these principles. Personal Data is information relating to a living individual who can be identified from the data in question.
The key obligations are as follows:
- Data must be fairly obtained and processed. In particular, the individual to whom the data relates must be made aware of who is collecting the information, the purpose for which it has been collected and the identity of any parties to whom it may be disclosed;
- Data must be collected and held only for specified, explicit and lawful purposes;
- Data must only be used and disclosed in a manner compatible with these purposes. The Data Protection Commissioner has suggested that the key test of compatibility is whether the data is used and disclosed in the manner in which the individual in question would expect it to be used or disclosed;
- Data must be kept safe and secure. Section 2C of the Acts stipulates that those who control data must have appropriate security measures in place to protect it;
- Data held must be accurate, complete and up-to-date;
- Data held must be adequate, relevant and not excessive. Only the minimum amount of data required for the specified purpose should be sought and retained;
- Personal data must not be retained for any longer than is necessary for the purpose for which it was originally collected. Data should be deleted or otherwise destroyed once the purpose for which it was collected has ceased;
- A copy of all personal data must be given to the relevant individual on request. In addition to this right of access, the relevant individual is entitled to have inaccuracies corrected and certain information erased.
It is strongly recommended that businesses carefully note their obligations under the Acts and regularly review all data and information held to ensure continued compliance with the above-mentioned principles.
The Data Protection Commissioner is charged with ensuring that the principles of data protection are observed. The Commissioner is granted a wide range of powers under the Acts, including power to investigate complaints, the power to obtain information, the power to enforce compliance with the Acts and the power to prosecute offences under the Acts.
Finally, it should be noted that the European Commission has recently published proposals for the reform of this area of the law. The new Directive, if approved by the European Parliament, will update and streamline data protection rules across the EU. It is expected that the Directive shall become directly effective within two years and shall not require any further implementation in the Member States.