Data Protection
All personal data that a person or organisation collects, processes, keeps, uses or discloses about an individual is protected by the Data Protection Act, 1988 and the European Communities (Data Protection) Regulations, 2001. These instruments hold data controllers and data processors responsible for the personal data they keep, and set out the following conditions for collecting and handling that data:
- Collection: The data must be obtained and processed fairly and lawfully
- Purpose: Data may only be collected for one or more specified, lawful purposes and may not be used or disclosed, in whole or in part, for any other purpose
- Accuracy: The data must be accurate (and kept up to date where necessary), relevant, and not excessive in relation to the purpose for which it was collected
- Time Limit: The data may be kept only for as long as is required for the purpose disclosed
- Security: The data controller is responsible for taking appropriate security measures so that the integrity of the data is not compromised. This covers unauthorised access to or disclosure of the data, as well as its alteration, destruction or accidental loss. Data transferred in electronic form must be protected by encryption. (See the Security Section for more details.)
Data Transfer to a Third Country
Data controllers must ensure that there is an "adequate level of data protection" for any personal data they transfer to a Third Country outside the European Economic Area (EEA). Personal data may only be transferred if the EU has approved the Third Country as falling into one of the following categories:
- Fully Compliant: At the time of writing, Hungary and Switzerland are the only countries recognised as fully compliant
- Partly Compliant: Canada and the USA's Safe Harbour Arrangement fall into this category; restricted transfers of data are allowed
If the Third Country falls outside these two categories, a limited transfer is still allowed where the personal data falls into one or more of the following categories:
- The transfer is required or authorised by law
- The data subject has consented to the transfer
- The transfer is necessary to enter into, perform or complete a contract between the data subject and the data controller, including pre-contractual steps taken at the data subject's request
- The transfer is necessary for a contract entered into at the request of the data subject
- The transfer is necessary for obtaining legal advice or in connection with legal proceedings
- The transfer is necessary to prevent serious damage or injury to the data subject's health or property, with or without the data subject's consent
- The data is part of a statutory, public or private register and is released only to persons entitled to consult that register
Where none of these options applies, authorisation to transfer the data may be sought from the Data Protection Commissioner in exceptional circumstances.
Rights of a Data Subject
Any Data Subject who believes that a person is a Data Controller can request, in writing, to be told whether that person keeps personal data relating to them and, if so, to be given a description of the data and the purpose for which it is kept. The Data Controller has 21 days to reply in writing. A separate written request for a copy of the data itself must be answered within 40 days. If the Data Controller uses the data for Direct Marketing, the Data Subject can request in writing that the Data Controller cease using it for that purpose. The Data Controller must erase the data as soon as possible, and in any event within 40 days. Where the data is also kept for a purpose other than Direct Marketing, the Data Subject must be notified in writing of that other purpose or purposes.
Registration of Data Controllers and Data Processors
Data controllers need to be registered if their business type falls into one of the following categories:
- Financial
- Insurance
- Assurance
- Direct marketing
- Credit reference services
- Debt collecting
Registration is also required if storing information relating to any of the following:
- Criminal record
- Health status, excluding work-related HR records
- Political opinion
- Racial origin
- Religion or other beliefs
- Sexual preference
A Data Processor who processes personal data on behalf of any Data Controller who falls into any of the above categories must also be registered.
Registrations are made with the Data Protection Commissioner and the following information is required:
- Name(s) of data controllers
- Addresses of data controllers
- Brief description of data kept
- Purpose of keeping of data
- List of people who, the data has been disclosed to
Formal Contract
Data Controllers who use Data Processors to process any personal data must put in place a formal contract, "in writing or in another equivalent form", setting out the limits on what the Data Processor may do with the data. They must also ensure that the Data Processor has appropriate security measures in place and that these comply with best practice. (An overview of security "best practice" is covered in the Security Section.)
Definitions
- Data: Information that can be processed
- Data Controller: A person or persons who, either alone or with others, control the contents and use of personal data about any living person held on any type of computer or word processor
- Data Processor: A person or persons who hold or process personal data on behalf of a Data Controller, but do not exercise responsibility for or control over that data
- Data Subject: An individual who is the subject of personal data
- Direct Marketing: Includes direct mailing
- Disclosure: Includes the disclosure of information extracted from the data and the transfer of the data, other than in the course of the data controller's own work, but excludes disclosure of data that can only identify an individual when combined with other data held by the same data controller
- Personal Data: Data relating to a living individual who can be identified either from the data itself or from the data together with other information in the public domain or in the possession of the data controller
- Safe Harbour: The "Safe Harbour Privacy Principles" allow US companies to self-certify to a level of personal data privacy protection that the EU treats as "adequate"