It’s an easy mistake to make, you know.
You might be a data controller.
Let me explain.
Everyone has strong rights when it comes to the data that is held on them thanks to the Data Protection Acts.
And it is up to the data protection commissioner to ultimately uphold those rights if they are breached by the employer.
All businesses and institutiions should be concerned about data protection and the Data Protection Acts 1988 and 2003. These 2 acts attempt to balance the rights of individuals in relation to personal data that is stored by various organisations about them.
People who control and use data about others are called ‘data controllers’ and are recognised in the acts above as having certain obligations imposed on them by law.
Individuals should know when they provide personal information to any organisation:
- Who is gathering the data
- What use this data will be put
- Who the data will be disclosed to
If a data controller has the data for a specific purpose but in the future decides to use it for a new purpose he must ask the person whose information he has whether they are agreeable to that new use or not as the data shall only be held for specified purposes.
Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.
In fact there are 8 rules of data protection which will broadly ensure you are in compliance with Data Protection legislation in Ireland.
8 Rules of Data Protection
1. Obtain and process information fairly.
For example, the data subject should know that you are gathering personal data, any processing must be after obtaining consent from the data subject, and the processing must be necessary.
2. The data must be kept for a specified, lawful purpose.
3. The data should be used and disclosed only for the specified purpose.
4. The data must be kept safe and secure.
5. The data must be up to date, accurate and complete.
6. The data must be relevant, adequate but not excessive.
7. The date must be retained for no longer than is necessary.
8. A copy of the data must be made available to the data subject, on request.
Non-compliance with data protection law
Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner and the Data Controller can be held liable under normal common law principles (eg the law of contract, confidential information etc.)
It should be noted that Irish data protection legislation only applies to data controllers who are established here.
Rights of Data Subjects
These rights derive from the Data Protection acts and include…….
- The right to be informed of data being kept on them
- The right to access to the data (there are a number of exceptions to this right)
- It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the acts.
- Right to prevent processing where it may cause damage or distress
The transfer of data outside the state is restricted to countries outside of the European Economic Area.
It may not occur unless that country provides an adequate level of protection and this causes problems re transfer of such data to USA as there are varying standards of protection in the USA.
Their Safe Harbour scheme is a voluntary scheme which provides similar standards of data protection to europe but not all companies sign up.
Are you an employer who is concerned about his data protection obligations?
Or an employee whose rights have been infringed?
You might also be interested in this article which covers updated guidelines in relation to cctv and data protection obligations and rights.