The General Data Protection Regulation (GDPR) in Ireland-the Essentials

gdpr-data-protection

Have you heard about the GDPR (General Data Protection Regulation)?

Do you know the changes it will bring to data protection law in Ireland?

Do you know when it is to come into effect here?

These questions, and similar foundational ones, are what I am about to look at.

Ready?

Let’s go.

The “big bang” date for the this Regulation to come into effect in Ireland will be 25th May, 2018. As EU regulations have direct effect in Irish law, it will not require any act of transposition or formal introduction into Irish law.

The effect of the GDPR will be to replace the existing data protection framework in Ireland. If you are data controller, and you currently have obligations under data protection law, you will need to know what new obligations the GDPR will have for you and your organisation or business.

At its core it strengthens the rights of EU citizens to data privacy and central to this is the three principles of

  1. Security
  2. Accountability
  3. Transparency.

You will note that these are the principles inherent in the current data protection regime in Ireland, pursuant to the Data Protection Act 1988 and Data Protection (Amendment) Act, 2003. It will be a relief to discover that if you are in line with current legislation you will be broadly covered for the new regime.

However, there is some new elements being introduced by GDPR which you need to be aware of. The Office of the Data Protection Commissioner has suggested a 12 step approach to the new regime. Those 12 steps are:

1. Becoming aware

Key personnel need to be aware the law is changing in this area from 25th May, 2018.

2. Become accountable.

Gather up your existing personal data and review it under the following headings

  • Why are you holding it?
  • How did you obtain it?
  • Why was it gathered?
  • How long will you retain it?
  • How secure is it?
  • Do you share it with 3rd parties? If so, on what basis?

This will cover the accountability principle mentioned at number 2 above.

3. Communicate with staff and service users

This involves lettering your staff or service users know about the collection of their personal data.

Under GDPR new obligations include:

  • Providing information about the legal basis for processing the data
  • Retention periods
  • Complaint procedures
  • Their individual rights under GDPR
  • Whether the data will be subject to automated decision making.

4. Personal Privacy Rights

Generally, the rights afforded to individuals will be similar to what they currently enjoy eg to have inaccuracies corrected, to have data deleted, to object to direct marketing.

You will also need to consider how you will provide data electronically if requested by the data subject. You will need to consider,too, how long it will take to locate the data and who will make decisions about deletion of data.

5. How will access requests change

The GDPR will change the timescale for responding to data protection requests to one month so you need to review how you will deal with this faster timescale.

It will be less likely that you will be able to charge for such requests and the ground for refusal will need to be founded in well documented policies and procedures for refusal.

You will also need to provide additional information to data subjects such as information about the data retention periods and having inaccurate data amended.

6. The legal basis

You will have to explain your legal basis for processing personal data and data subjections will have stronger grounds for having their data deleted and the legal bases for processing data will be reduced significantly.

If customer consent is the only justification for processing data the data subject will be in a stronger position to request that it be deleted.

7. Customer consent as a ground to process data

Consent must be ‘freely given, specific, informed and unambiguous’ in relation to customer consent. The customer must not be duped or forced into giving the information. They must also know what exactly they are consenting to and requires a positive action of approval; it cannot be inferred be silence or a failure to take action eg tick a box to opt out.

Subjects also need to be told of their right to withdraw consent. You need to be able to show how consent was obtained, and have a record of it. Generally, where consent is relied upon, the data subject has stronger rights in relation to their personal data.

8. Processing children’s data

If you must gather children’s data you need to be careful about being able to verify the age of the child and obtain the consent of the guardian.

Special protections in respect of children’s data will be introduced, especially in relation to social media use and commercial internet services.

9. Reporting data breaches

You must ensure you have sound procedures in place to detect, report and investigate any data protection breach. The GDPR will introduce mandatory data breach reporting obligations to the Data Protection Commissioner.

Failure to report a breach will result in a fine in addition to the fine for the breach and breaches will typically have to be reported within 72 hours.

10. Data protection impact assessments (DPIA)

This involves the systematic consideration of how a particular initiative will impact on the privacy of individuals. This assessment may involve discussions with groups and stakeholders.

If this assessment leads the organiser to believe that the risks to personal data cannot be mitigated fully it may be necessary to contact the Data Protection Commissioner before starting the process of gathering data.

If a project requires a DPIA you will need to consider

  • Who carries it out?
  • Who needs to be involved?
  • Will it be run locally or centrally?

The whole thrust of the DPIA is to identify potential problems with an initiative involving the gathering of personal data and look at ways to mitigate those issues.

11. Data protection officers

Some organisations will need to designantt a DPO (data protection officer) under the GDPR regime. Such organisations would include public bodies, large organisations, and so forth but you need to consider whether you need a data protection office in your organisation.

He/she will need to be conversant with GDPR and its obligations. You may appoint an external advisor to this role, if there is nobody suitable or qualified in your organisation.

12. GDPR and international organisations

For organisations which have operations in many EU states you will be entitled to deal with one data protection authority, a Lead Supervisory Authority (LSA) as your single regulating body in the country where you are mainly established.

This will generally be determined as the country where the main administration of the organisation is carried out.

Conclusion

If you are currently in compliance with existing data protection legislation in Ireland you will be in good shape to deal with the new situation after 25th May, 2018. However, even though you will be playing a similar game it will be more akin to being in the Premier league than division 3 or 4.

Using CCTV and Data Protection-the Facts You Should Know

cctv-data-protection

Is CCTV being operated in your workplace?

Are you an employer who is considering introducing CCTV?

The Data Protection Commissioner has issued updated guidelines in December, 2015 in respect of the use of CCTV.

Because recognisable images captured by CCTV systems are considered to be “personal data”, as defined by the Data Protection Acts in Ireland, and are subject to the provisions of Data Protection legislation.

Justification of CCTV System

This means that a data controller must be able to justify use of a CCTV system. Sometimes this is easy, for example, using CCTV to keep an eye on a building for security reasons.

However, the use of CCTV to watch employees, students, or customers can be harder to justify.

But that is the first question to be answered: is the use of a CCTV system justified?

Proportionality

The second question to be looked at, assuming the system is justified, is what will the system be used for?

Is the use of CCTV proportionate?

If it is used to capture images of attempted burglars or other undesirables, there is no problem with the test of proportionality.

However, if it is used to monitor employees, showing that it is proportional can be more problematic, although not impossible, for example for health and safety reasons.

But whatever the reason, use of CCTV needs to be justified in the particular circumstances. This justification would generally arise from issues which have arisen prior to the installation.

Where will the cameras be located? What sort of images will be captured? The use of CCTV cameras in toilets, and other locations where you could reasonably expect privacy, will be difficult.

However, even where they can be justified in toilets they should never be used to capture images from urinals or cubicles.

Carry Out an Assessment

The Data Protection Commissioner’s office recommends that detailed assessments be carried out prior to the installation of cctv cameras. It also recommends the following steps:

  • A Risk Assessment
  • A Privacy Impact Assessment
  • A Specific Data Protection policy drawn up for use of the devices in a limited and defined set of circumstances only (this policy should include documented data retention and disposal policy for the footage)
  • Documentary evidence of previous incidents giving rise to security/health and safety concerns
  • Clear signage indicating image recording in operation.

Warning to Data Subject

Before any data is recorded the data subject must be warned.

This warning can generally be achieved by placing signs in prominent positions.

If it is obvious that the purpose of the data collection is security it will suffice that the sign states that CCTV is in operation and a contact number should be provided.

If the purpose is not obvious then the data subjects should be warned beforehand. This would be especially true if CCTV was being used to monitor staff conduct or performance, as this would not be an obvious purpose.

Written CCTV Policy

A written CCTV policy should be in place and it should contain

  1. The identity of the data controller
  2. The purpose of the data processing
  3. Any 3rd parties to whom it is made available
  4. How to make an access request
  5. The retention period of the CCTV
  6. The security arrangements for the CCTV

Data should not be kept for longer than necessary.

Longer than 1 month in the case of CCTV would be hard to justify.

Access to the data should be restricted to authorised personnel, and it should be stored in a safe place.

Supplying Images to an Garda Siochána

Supplying, as opposed to permitting viewing of, CCTV images to an Garda Siochana should be by written request which states that a criminal investigation is being carried out.

If a verbal request is acceded to, where there is a degree of urgency, a formal written request should be obtained afterwards.

Rights to Access Data

When a data subject requests CCTV images he should supply a time frame of the recording. This would refer to specific days and/or hours but a general request for all CCTV data held would not be acceptable.

Where images of parties other than the requesting data subject appear on the CCTV footage the onus lies on the data controller to pixelate or otherwise redact or darken out the images of those other parties before supplying a copy of the footage or stills from the footage to the requestor.

Alternatively, the data controller may seek the consent of those other parties whose images appear in the footage to release an unedited copy containing their images to the requester.

It would be unacceptable for the data controller to claim that he cannot pixelate images or provide copies for technical reasons, or that he cannot provide images to be viewed on the requester’s device.

If the data controller chooses to use this technology he needs to be able to comply with the data protection consequences.

Hidden Cameras

Generally, the use of hidden/covert surveillance is forbidden, except on a case by case basis to prevent or detect offences or crimes. Any covert surveillance should be specific, limited, and for a short period.

Security Companies

Security companies acting on behalf of clients are considered to be “data processors”.

Their clients are the data controllers. Data processors have specific obligations placed on them by the data protection acts, for example to prevent unauthorised access to the data and ensuring security of the data.

Also certain data processors must have an entry in the public register maintained by the Data Protection Commissioner. (See section 16 Data Protection act, 1988)

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts.

However, this would not allow recording of a public space, and neighbour has a constitutional and common law right to privacy. They could enforce this right by taking a civil court action.

What to Do Now

  1. Carry out an assessment,
  2. draw up a written CCTV policy,
  3. obtain professional advice if you are unsure or unclear about your rights or obligations.

The 8 Rules of Data Protection in Ireland

8-rules-data-protection

It’s an easy mistake to make, you know.

You might be a data controller.

Let me explain.

Everyone has strong rights when it comes to the data that is held on them thanks to the Data Protection Acts.

And it is up to the data protection commissioner to ultimately uphold those rights if they are breached by the employer.

All businesses and institutiions should be concerned about data protection and the Data Protection Acts 1988 and 2003. These 2 acts attempt to balance the rights of individuals in relation to personal data that is stored by various organisations about them.

People who control and use data about others are called ‘data controllers’ and are recognised in the acts above as having certain obligations imposed on them by law.

Individuals should know when they provide personal information to any organisation:

  • Who is gathering the data
  • What use this data will be put
  • Who the data will be disclosed to

If a data controller has the data for a specific purpose but in the future decides to use it for a new purpose he must ask the person whose information he has whether they are agreeable to that new use or not as the data shall only be held for specified purposes.

Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.

In fact there are 8 rules of data protection which will broadly ensure you are in compliance with Data Protection legislation in Ireland.

8 Rules of Data Protection

1. Obtain and process information fairly.

For example, the data subject should know that you are gathering personal data, any processing must be after obtaining consent from the data subject, and the processing must be necessary.

2. The data must be kept for a specified, lawful purpose.

3. The data should be used and disclosed only for the specified purpose.

4. The data must be kept safe and secure.

5. The data must be up to date, accurate and complete.

6. The data must be relevant, adequate but not excessive.

7. The date must be retained for no longer than is necessary.

8. A copy of the data must be made available to the data subject, on request.

Non-compliance with data protection law

Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner and the Data Controller can be held liable under normal common law principles (eg the law of contract, confidential information etc.)

It should be noted that Irish data protection legislation only applies to data controllers who are established here.

Rights of Data Subjects

These rights derive from the Data Protection acts and include…….

  • The right to be informed of data being kept on them
  • The right to access to the data (there are a number of exceptions to this right)
  • It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the acts.
  • Right to prevent processing where it may cause damage or distress

The transfer of data outside the state is restricted to countries outside of the European Economic Area.

It may not occur unless that country provides an adequate level of protection and this causes problems re transfer of such data to USA as there are varying standards of protection in the USA.

Their Safe Harbour scheme is a voluntary scheme which provides similar standards of data protection to europe but not all companies sign up.

Are you an employer who is concerned about his data protection obligations?

Or an employee whose rights have been infringed?

You might also be interested in this article which covers updated guidelines in relation to cctv and data protection obligations and rights.

Data Protection in Employment Law in Ireland-the Essentials

data-protection-employment-ireland

The Data Protection Acts 1988 and 2003  impose stringent requirements on the data kept by employers about employees and in particular in respect of sensitive personal data.

Employers are considered to be data controllers and processors within the legislation.

The Data Protection Commissioner can impose fines of up to €100,000 and employees can succeed in claims in relation to breaches of data protection law.

The principle obligations on the employer in respect of sensitive personal data is to collect and process it fairly, is accurate and up to date, and is kept no longer than necessary. For this reason employers should ensure that they have a data protection policy in the workplace.

Employee as Data Subject

The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written data request from an employee should be responded to within 40 days.

The Data Protection Acts, section 8 in particular, set out the circumstances where the employer may disclose the employee’s data to a third party. Whether the 3rd party is a member of the EEA (European Economic Area) or not will determine whether the request can be complied with or not by the employer. If the data is being disclosed to a 3rd party within the EEA then a written contract is required.

If not, the transfer of data is prohibited (subject to exceptional safeguards).

Registration with the Data Protection Commissioner

Data controllers fall into 3 categories for the purpose of registration

  1. Categories of persons who are always obliged to register-this includes Banks and financial institutions, insurance companies, internet service providers, phone companies
  2. Categories of persons who may be required to register –this includes data controllers who process personal data relating to mental and physical health
  3. Categories who are excluded- not for profit organisations, elected representatives, data processed for the normal course of personnel administration, solicitors and barristers, data for journalistic, literary or artistic material

Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.

You might also want to read the 8 rules of data protection in Ireland.