Number of - Data Protection Commissioner · Number 6 of 2003 ... 15. Amendment of section 14 (annual report) of Principal Act. 2 [No. 6.] Data Protection (Amendment) Act [2003.] 2003

————————

Number 6 of 2003

————————

DATA PROTECTION (AMENDMENT) ACT 2003

————————

ARRANGEMENT OF SECTIONS

Section

1. Definitions.

2. Amendment of section 1 (interpretation and application ofAct) of Principal Act.

3. Amendment of section 2 (collection, processing, keeping, useand disclosure of personal data) of Principal Act.

4. Provisions in relation to processing.

5. Amendment of section 4 (right of access) of Principal Act.

6. Amendment of section 5 (restriction of right of access) ofPrincipal Act.

7. Amendment of section 6 (right of rectification or erasure) ofPrincipal Act.

8. Certain rights of data subjects.

9. Amendment of section 8 (disclosure of personal data incertain cases) of Principal Act.

10. Additional functions of Commissioner.

11. Amendment of section 10 (enforcement of data protection)of Principal Act.

12. Restriction on transfer of personal data outside State.

13. Prior checking of processing by Commissioner.

14. Amendment of section 13 (codes of practice) of PrincipalAct.

15. Amendment of section 14 (annual report) of Principal Act.

2

[No. 6.] Data Protection (Amendment) Act [2003.]2003.

Section16. Amendment of section 16 (the register) of Principal Act.

17. Amendment of section 17 (applications for registration) ofPrincipal Act.

18. Amendment of section 18 (duration and continuance ofregistration) of Principal Act.

19. Amendment of Section 31 (penalties) of Principal Act.

20. Amendment of Second Schedule (the Data ProtectionCommissioner) to Principal Act.

21. Journalism, literature and art.

22. Repeals and Revocation.

23. Short title, collective citation, construction and com-mencement.

————————

[2003.] Data Protection (Amendment) Act [No. 6.]2003.

Acts Referred to

Data Protection Act 1988 1988, No. 25

Dentists Act 1985 1985, No. 9

Freedom of Information Act 1997 1997, No. 13

Interpretation Act 1937 1937, No. 38

Medical Practitioners Act 1978 1978, No. 4

National Archives Act 1986 1986, No. 11

Social Welfare (Consolidation) Act 1993 1993, No. 27

Statistics Act 1993 1993, No. 21

3

————————

Number 6 of 2003

————————

DATA PROTECTION (AMENDMENT) ACT 2003

————————

AN ACT TO GIVE EFFECT TO DIRECTIVE 95/46/EC OF THEEUROPEAN PARLIAMENT AND OF THE COUNCIL OF24 OCTOBER 1995 ON THE PROTECTION OF INDIVID-UALS WITH REGARD TO THE PROCESSING OF PER-SONAL DATA AND ON THE FREE MOVEMENT OFSUCH DATA, FOR THAT PURPOSE TO AMEND THEDATA PROTECTION ACT 1988 AND TO PROVIDE FORRELATED MATTERS. [10th April, 2003]

BE IT ENACTED BY THE OIREACHTAS AS FOLLOWS:

1.—In this Act—

‘‘Minister’’ means Minister for Justice, Equality and Law Reform;

‘‘the Principal Act’’ means the Data Protection Act 1988.

2.—Section 1 of the Principal Act is amended—

(a) in subsection (1)—

(i) by the insertion of the following definitions:

‘‘ ‘the Act of 2003’ means the Data Protection(Amendment) Act 2003;

‘automated data’ means information that—

(a) is being processed by means of equipmentoperating automatically in response toinstructions given for that purpose, or

(b) is recorded with the intention that it shouldbe processed by means of suchequipment;

‘blocking’, in relation to data, means so marking thedata that it is not possible to process it for purposesin relation to which it is marked;

‘the Directive’ means Directive 95/46/EC of theEuropean Parliament and of the Council of 24October 1995 on the protection of individuals with

5

Definitions.

Amendment ofsection 1(interpretation andapplication of Act)of Principal Act.

S.2

6


regard to the processing of personal data and on thefree movement of such data(1);

‘the EEA Agreement’ means the Agreement on theEuropean Economic Area signed at Oporto on 2May 1992 as adjusted by the Protocol signed at Brus-sels on 17 March 1993;

‘enactment’ means a statute or a statutory instru-ment (within the meaning of the Interpretation Act1937);

‘the European Economic Area’ has the meaningassigned to it by the EEA Agreement;

‘manual data’ means information that is recorded aspart of a relevant filing system or with the intentionthat it should form part of a relevant filing system;

‘relevant filing system’ means any set of informationrelating to individuals to the extent that, althoughthe information is not processed by means of equip-ment operating automatically in response to instruc-tions given for that purpose, the set is structured,either by reference to individuals or by reference tocriteria relating to individuals, in such a way thatspecific information relating to a particular individ-ual is readily accessible;

‘sensitive personal data’ means personal data as to—

(a) the racial or ethnic origin, the politicalopinions or the religious or philosophicalbeliefs of the data subject,

(b) whether the data subject is a member of atrade union,

(c) the physical or mental health or conditionor sexual life of the data subject,

(d) the commission or alleged commission ofany offence by the data subject, or

(e) any proceedings for an offence committedor alleged to have been committed by thedata subject, the disposal of such pro-ceedings or the sentence of any court insuch proceedings;’’,

(ii) by the substitution of the following definition for thedefinition of ‘‘data’’:

‘‘ ‘data’ means automated data and manual data;’’,

(iii) by the substitution of the following for the definitionof ‘‘direct marketing’’:

‘‘ ‘direct marketing’ includes direct mailing otherthan direct mailing carried out in the course of politi-cal activities by a political party or its members, or a

(1) O.J. No. L 281/38 of 23.11.95, p. 31.


body established by or under statute or a candidatefor election to, or a holder of, elective politicaloffice;’’,

(iv) by the substitution of the following definition for thedefinition of ‘‘personal data’’:

‘‘ ‘personal data’ means data relating to a living indi-vidual who is or can be identified either from thedata or from the data in conjunction with other infor-mation that is in, or is likely to come into, the pos-session of the data controller;’’,

and

(v) by the substitution of the following definition for thedefinition of ‘‘processing’’:

‘‘ ‘processing’, of or in relation to information ordata, means performing any operation or set of oper-ations on the information or data, whether or not byautomatic means, including—

(a) obtaining, recording or keeping the infor-mation or data,

(b) collecting, organising, storing, altering oradapting the information or data,

(c) retrieving, consulting or using the infor-mation or data,

(d) disclosing the information or data by trans-mitting, disseminating or otherwise mak-ing it available, or

(e) aligning, combining, blocking, erasing ordestroying the information or data;’’,

(b) by the insertion of the following subsections after subsection(3):

‘‘(3A) A word or expression that is used in this Actand also in the Directive has, unless the context otherwiserequires, the same meaning in this Act as it has in theDirective.

(3B) (a) Subject to any regulations under section 15(2)of this Act, this Act applies to data controllersin respect of the processing of personal dataonly if—

(i) the data controller is established in theState and the data are processed in thecontext of that establishment, or

(ii) the data controller is established neitherin the State nor in any other state that isa contracting party to the EEA Agree-ment but makes use of equipment in theState for processing the data otherwisethan for the purpose of transit throughthe territory of the State.

7

S.2

S.2

8


(b) For the purposes of paragraph (a) of this sub-section, each of the following shall be treatedas established in the State:

(i) an individual who is normally resident inthe State,

(ii) a body incorporated under the law of theState,

(iii) a partnership or other unincorporatedassociation formed under the law of theState, and

(iv) a person who does not fall within subpara-graphs (i), (ii) or (iii) of this paragraph,but maintains in the State—

(I) an office, branch or agency throughwhich he or she carries on anyactivity, or

(II) a regular practice,

and the reference to establishment in anyother state that is a contracting party to theEEA Agreement shall be construedaccordingly.

(c) A data controller to whom paragraph (a)(ii)of this subsection applies must, without preju-dice to any legal proceedings that could becommenced against the data controller, desig-nate a representative established in the State.

(3C) Section 2 and sections 2A and 2B (which sectionswere inserted by the Act of 2003) of this Act shall notapply to—

(a) data kept solely for the purpose of historicalresearch, or

(b) other data consisting of archives or departmentalrecords (within the meaning in each case ofthe National Archives Act 1986),

and the keeping of which complies with such require-ments (if any) as may be prescribed for the purpose ofsafeguarding the fundamental rights and freedoms ofdata subjects.’’,

and

(c) by the insertion of the following subsection after subsection(4):

‘‘(5) (a) A right conferred by this Act shall not preju-dice the exercise of a right conferred by theFreedom of Information Act 1997.


(b) The Commissioner and the Information Com-missioner shall, in the performance of theirfunctions, co-operate with and provide assist-ance to each other.’’.


(a) by the substitution of the following subsection for subsection(1):

‘‘(1) A data controller shall, as respects personal datakept by him or her, comply with the following provisions:

(a) the data or, as the case may be, the informationconstituting the data shall have beenobtained, and the data shall be processed,fairly,

(b) the data shall be accurate and complete and,where necessary, kept up to date,

(c) the data—

(i) shall have been obtained only for one ormore specified, explicit and legitimatepurposes,

(ii) shall not be further processed in a mannerincompatible with that purpose or thosepurposes,

(iii) shall be adequate, relevant and notexcessive in relation to the purpose orpurposes for which they were collectedor are further processed, and

(iv) shall not be kept for longer than is neces-sary for that purpose or those purposes,

(d) appropriate security measures shall be takenagainst unauthorised access to, or unauthor-ised alteration, disclosure or destruction of,the data, in particular where the processinginvolves the transmission of data over a net-work, and against all other unlawful forms ofprocessing.’’,

(b) in subsection (5), by the substitution of the following para-graph for paragraph (a):

‘‘(a) Subparagraphs (ii) and (iv) of paragraph (c) of thesaid subsection (1) do not apply to personal datakept for statistical or research or other scientificpurposes, and the keeping of which complies withsuch requirements (if any) as may be prescribedfor the purpose of safeguarding the fundamentalrights and freedoms of data subjects, and’’,

(c) by the deletion of subsection (6), and

(d) by the substitution of the following subsections for subsec-tion (7):

9

S.2

Amendment ofsection 2(collection,processing, keeping,use and disclosureof personal data) ofPrincipal Act.

S.3

10


‘‘(7) Where—

(a) personal data are kept for the purpose of directmarketing, and

(b) the data subject concerned requests the datacontroller in writing—

(i) not to process the data for that purpose,or

(ii) to cease processing the data for thatpurpose,

then—

(I) if the request is under paragraph(b)(i) of this subsection, the datacontroller—

(A) shall, where the data are keptonly for the purpose aforesaid,as soon as may be and in anyevent not more than 40 daysafter the request has been givenor sent to him or her, erase thedata, and

(B) shall not, where the data arekept for that purpose and otherpurposes, process the data forthat purpose after the expir-ation of the period aforesaid,

(II) if the request is under paragraph(b)(ii) of this subsection, as soon asmay be and in any event not morethan 40 days after the request hasbeen given or sent to the data con-troller, he or she—

(A) shall, where the data are keptonly for the purpose aforesaid,erase the data, and

(B) shall, where the data are keptfor that purpose and other pur-poses, cease processing the datafor that purpose,

and

(III) the data controller shall notify thedata subject in writing accordinglyand, where appropriate, inform himor her of those other purposes.

(8) Where a data controller anticipates that personaldata, including personal data that is required by law tobe made available to the public, kept by him or her willbe processed for the purposes of direct marketing, thedata controller shall inform the persons to whom the datarelates that they may object, by means of a request in


writing to the data controller and free of charge, to suchprocessing.’’.

4.—The following sections are inserted in the Principal Act aftersection 2:

‘‘Processing of 2A.—(1) Personal data shall not be processedpersonal data.

by a data controller unless section 2 of this Act(as amended by the Act of 2003) is complied withby the data controller and at least one of the fol-lowing conditions is met:

(a) the data subject has given his or her con-sent to the processing or, if the datasubject, by reason of his or her physi-cal or mental incapacity or age, is oris likely to be unable to appreciate thenature and effect of such consent, itis given by a parent or guardian or agrandparent, uncle, aunt, brother orsister of the data subject and the giv-ing of such consent is not prohibitedby law,

(b) the processing is necessary—

(i) for the performance of a contractto which the data subject is aparty,

(ii) in order to take steps at therequest of the data subject priorto entering into a contract,

(iii) for compliance with a legal obli-gation to which the data control-ler is subject other than an obli-gation imposed by contract, or

(iv) to prevent—

(I) injury or other damage to thehealth of the data subject, or

(II) serious loss of or damage toproperty of the data subject,

or otherwise to protect his or hervital interests where the seekingof the consent of the data subjector another person referred to inparagraph (a) of this subsection islikely to result in those interestsbeing damaged,

(c) the processing is necessary—

(i) for the administration of justice,

(ii) for the performance of a functionconferred on a person by orunder an enactment,

11

S.3

Provisions inrelation toprocessing.

S.4

12


(iii) for the performance of a functionof the Government or a Ministerof the Government, or

(iv) for the performance of any otherfunction of a public nature per-formed in the public interest by aperson,

(d) the processing is necessary for the pur-poses of the legitimate interests pur-sued by the data controller or by athird party or parties to whom thedata are disclosed, except where theprocessing is unwarranted in any par-ticular case by reason of prejudice tothe fundamental rights and freedomsor legitimate interests of the datasubject.

(2) The Minister may, after consultation withthe Commissioner, by regulations specify particu-lar circumstances in which subsection (1)(d) ofthis section is, or is not, to be taken as satisfied.

Processing of 2B.—(1) Sensitive personal data shall not besensitive personal

processed by a data controller unless:data.

(a) sections 2 and 2A (as amended andinserted, respectively, by the Act of2003) are complied with, and

(b) in addition, at least one of the followingconditions is met:

(i) the consent referred to in para-graph (a) of subsection (1) ofsection 2A (as inserted by the Actof 2003) of this Act is explicitlygiven,

(ii) the processing is necessary for thepurpose of exercising or per-forming any right or obligationwhich is conferred or imposed bylaw on the data controller in con-nection with employment,

(iii) the processing is necessary toprevent injury or other damageto the health of the data subjector another person or serious lossin respect of, or damage to, prop-erty or otherwise to protect thevital interests of the data subjector of another person in a casewhere—

(I) consent to the processingcannot be given by or onbehalf of the data subject inaccordance with section


2A(1)(a) (inserted by theAct of 2003) of this Act, or

(II) the data controller cannotreasonably be expected toobtain such consent,

or the processing is necessary toprevent injury to, or damage tothe health of, another person, orserious loss in respect of, or dam-age to, the property of anotherperson, in a case where such con-sent has been unreasonablywithheld,

(iv) the processing—

(I) is carried out in the course ofits legitimate activities byany body corporate, or anyunincorporated body of per-sons, that—

(A) is not established, andwhose activities are notcarried on, for profit,and

(B) exists for political,philosophical, religiousor trade union purposes,

(II) is carried out with appropri-ate safeguards for the funda-mental rights and freedomsof data subjects,

(III) relates only to individualswho either are members ofthe body or have regularcontact with it in connectionwith its purposes, and

(IV) does not involve disclosure ofthe data to a third partywithout the consent of thedata subject,

(v) the information contained in thedata has been made public as aresult of steps deliberately takenby the data subject,

(vi) the processing is necessary—

(I) for the administration ofjustice,

(II) for the performance of a func-tion conferred on a personby or under an enactment, or

13

S.4

S.4

14

[No. 6.] Data Protection (Amendment) Act [2003.]2003.(III) for the performance of a

function of the Governmentor a Minister of theGovernment,

(vii) the processing—

(I) is required for the purpose ofobtaining legal advice or forthe purposes of, or in con-nection with, legal pro-ceedings or prospective legalproceedings, or

(II) is otherwise necessary for thepurposes of establishing,exercising or defending legalrights,

(viii) the processing is necessary formedical purposes and is under-taken by—

(I) a health professional, or

(II) a person who in the circum-stances owes a duty of confi-dentiality to the data subjectthat is equivalent to thatwhich would exist if that per-son were a health pro-fessional,

(ix) the processing is necessary inorder to obtain information foruse, subject to and in accordancewith the Statistics Act 1993, onlyfor statistical, compilation andanalysis purposes,

(x) the processing is carried out bypolitical parties, or candidates forelection to, or holders of, electivepolitical office, in the course ofelectoral activities for the pur-pose of compiling data onpeople’s political opinions andcomplies with such requirements(if any) as may be prescribed forthe purpose of safeguarding thefundamental rights and freedomsof data subjects,

(xi) the processing is authorised byregulations that are made by theMinister and are made forreasons of substantial publicinterest,

(xii) the processing is necessary for thepurpose of the assessment, collec-tion or payment of any tax, duty,levy or other moneys owed or


payable to the State and the datahas been provided by the datasubject solely for that purpose,

(xiii) the processing is necessary for thepurposes of determining entitle-ment to or control of, or anyother purpose connected with theadministration of any benefit,pension, assistance, allowance,supplement or payment underthe Social Welfare (Con-solidation) Act 1993, or any non-statutory scheme administered bythe Minister for Social, Com-munity and Family Affairs.

(2) The Minister may by regulations madeafter consultation with the Commissioner—

(a) exclude the application of subsection(1)(b)(ii) of this section in such casesas may be specified, or

(b) provide that, in such cases as may bespecified, the condition in the saidsubsection (1)(b)(ii) is not to beregarded as satisfied unless suchfurther conditions as may be specifiedare also satisfied.

(3) The Minister may by regulations makesuch provision as he considers appropriate for theprotection of data subjects in relation to the pro-cessing of personal data as to—

(a) the commission or alleged commission ofany offence by data subjects,

(b) any proceedings for an offence commit-ted or alleged to have been commit-ted by data subjects, the disposal ofsuch proceedings or the sentence ofany court in such proceedings,

(c) any act or omission or alleged act oromission of data subjects giving rise toadministrative sanctions,

(d) any civil proceedings in a court or othertribunal to which data subjects areparties or any judgment, order ordecision of such a tribunal in any suchproceedings,

and processing of personal data shall be in com-pliance with any regulations under thissubsection.

(4) In this section—

‘health professional’ includes a registered medicalpractitioner, within the meaning of the Medical

15

S.4

S.4

16


Practitioners Act 1978, a registered dentist,within the meaning of the Dentists Act 1985 or amember of any other class of health worker orsocial worker standing specified by regulationsmade by the Minister after consultation with theMinister for Health and Children and any otherMinister of the Government who, having regardto his or her functions, ought, in the opinion ofthe Minister, to be consulted;

‘medical purposes’ includes the purposes of pre-ventive medicine, medical diagnosis, medicalresearch, the provision of care and treatment andthe management of healthcare services.

Security measures 2C.—(1) In determining appropriate securityfor personal data.

measures for the purposes of section 2(1)(d) ofthis Act, in particular (but without prejudice tothe generality of that provision), where the pro-cessing involves the transmission of data over anetwork, a data controller—

(a) may have regard to the state of techno-logical development and the cost ofimplementing the measures, and

(b) shall ensure that the measures provide alevel of security appropriate to—

(i) the harm that might result fromunauthorised or unlawful pro-cessing, accidental or unlawfuldestruction or accidental loss of,or damage to, the data con-cerned, and

(ii) the nature of the data concerned.

(2) A data controller or data processor shalltake all reasonable steps to ensure that—

(a) persons employed by him or her, and

(b) other persons at the place of workconcerned,

are aware of and comply with the relevant secur-ity measures aforesaid.

(3) Where processing of personal data is car-ried out by a data processor on behalf of a datacontroller, the data controller shall—

(a) ensure that the processing is carried outin pursuance of a contract in writingor in another equivalent formbetween the data controller and thedata processor and that the contractprovides that the data processor car-ries out the processing only on andsubject to the instructions of the datacontroller and that the data processorcomplies with obligations equivalent

[2003.] Data Protection (Amendment) Act [No. 6.]2003.to those imposed on the data control-ler by section 2(1)(d) of this Act,

(b) ensure that the data processor providessufficient guarantees in respect of thetechnical security measures, andorganisational measures, governingthe processing, and

(c) take reasonable steps to ensure com-pliance with those measures.

Fair processing of 2D.—(1) Personal data shall not be treated,personal data.

for the purposes of section 2(1)(a) of this Act, asprocessed fairly unless—

(a) in the case of data obtained from thedata subject, the data controllerensures, so far as practicable, that thedata subject has, is provided with, orhas made readily available to him orher, at least the information specifiedin subsection (2) of this section,

(b) in any other case, the data controllerensures, so far as practicable, that thedata subject has, is provided with, orhas made readily available to him orher, at least the information specifiedin subsection (3) of this section—

(i) not later than the time when thedata controller first processes thedata, or

(ii) if disclosure of the data to a thirdparty is envisaged, not later thanthe time of such disclosure.

(2) The information referred to in subsection(1)(a) of this section is:

(a) the identity of the data controller,

(b) if he or she has nominated a representa-tive for the purposes of this Act, theidentity of the representative,

(c) the purpose or purposes for which thedata are intended to be processed,and

(d) any other information which is neces-sary, having regard to the specific cir-cumstances in which the data are orare to be processed, to enable pro-cessing in respect of the data to be fairto the data subject such as infor-mation as to the recipients or categor-ies of recipients of the data, as towhether replies to questions asked forthe purpose of the collection of thedata are obligatory, as to the possible

17

S.4

S.4

Amendment ofsection 4 (right ofaccess) of PrincipalAct.

18


consequences of failure to give suchreplies and as to the existence of theright of access to and the right to rec-tify the data concerning him or her.

(3) The information referred to in subsection(1)(b) of this section is:

(a) the information specified in subsection(2) of this section,

(b) the categories of data concerned, and

(c) the name of the original data controller.

(4) The said subsection (1)(b) does notapply—

(a) where, in particular for processing forstatistical purposes or for the pur-poses of historical or scientificresearch, the provision of the infor-mation specified therein provesimpossible or would involve a dispro-portionate effort, or

(b) in any case where the processing of theinformation contained or to be con-tained in the data by the data control-ler is necessary for compliance with alegal obligation to which the data con-troller is subject other than an obli-gation imposed by contract,

if such conditions as may be specified in regu-lations made by the Minister after consultationwith the Commissioner are complied with.’’.


(a) in subsection (1), by the substitution of the following para-graphs for paragraphs (a) and (b):

‘‘(a) Subject to the provisions of this Act, an individualshall, if he or she so requests a data controller bynotice in writing—

(i) be informed by the data controller whether thedata processed by or on behalf of the datacontroller include personal data relating tothe individual,

(ii) if it does, be supplied by the data controllerwith a description of—

(I) the categories of data being processed byor on behalf of the data controller,

(II) the personal data constituting the data ofwhich that individual is the data subject,


(III) the purpose or purposes of the processing,and

(IV) the recipients or categories of recipients towhom the data are or may be disclosed,

(iii) have communicated to him or her in intelli-gible form—

(I) the information constituting any personaldata of which that individual is the datasubject, and

(II) any information known or available to thedata controller as to the source of thosedata unless the communication of thatinformation is contrary to the publicinterest,

and

(iv) where the processing by automatic means ofthe data of which the individual is the datasubject has constituted or is likely to consti-tute the sole basis for any decision signifi-cantly affecting him or her, be informed freeof charge by the data controller of the logicinvolved in the processing,

as soon as may be and in any event not more than40 days after compliance by the individual with theprovisions of this section and, where any of theinformation is expressed in terms that are notintelligible to the average person without expla-nation, the information shall be accompanied byan explanation of those terms.

(b) A request under paragraph (a) of this subsectionthat does not relate to all of its subparagraphsshall, in the absence of any indication to the con-trary, be treated as relating to all of them.’’,

(b) by the insertion of the following subsection after subsection(4):

‘‘(4A) (a) Where personal data relating to a data subjectconsist of an expression of opinion about thedata subject by another person, the data maybe disclosed to the data subject withoutobtaining the consent of that person to thedisclosure.

(b) Paragraph (a) of this subsection does notapply—

(i) to personal data held by or on behalf ofthe person in charge of an institutionreferred to in section 5(1)(c) of this Actand consisting of an expression ofopinion by another person about the datasubject if the data subject is being or wasdetained in such an institution, or

19

S.5

S.5

20


(ii) if the expression of opinion referred to inthat paragraph was given in confidenceor on the understanding that it would betreated as confidential.’’,

(c) in subsection (8)(a), by the insertion after ‘‘in the interestsof data subjects’’ of ‘‘or in the public interest’’, and

(d) by the insertion of the following subsections after subsection(8):

‘‘(9) The obligations imposed by subsection (1)(a)(iii)(inserted by the Act of 2003) of this section shall be com-plied with by supplying the data subject with a copy ofthe information concerned in permanent form unless—

(a) the supply of such a copy is not possible orwould involve disproportionate effort, or

(b) the data subject agrees otherwise.

(10) Where a data controller has previously compliedwith a request under subsection (1) of this section, thedata controller is not obliged to comply with a subsequentidentical or similar request under that subsection by thesame individual unless, in the opinion of the data control-ler, a reasonable interval has elapsed between compliancewith the previous request and the making of the currentrequest.

(11) In determining for the purposes of subsection (10)of this section whether the reasonable interval specifiedin that subsection has elapsed, regard shall be had to thenature of the data, the purpose for which the data areprocessed and the frequency with which the data arealtered.

(12) Subsection (1)(a)(iv) of this section is not to beregarded as requiring the provision of information as tothe logic involved in the taking of a decision if and tothe extent only that such provision would adversely affecttrade secrets or intellectual property (in particular anycopyright protecting computer software).

(13) (a) A person shall not, in connection with—

(i) the recruitment of another person as anemployee,

(ii) the continued employment of anotherperson, or

(iii) a contract for the provision of services tohim or her by another person,

require that other person—

(I) to make a request under subsection (1) ofthis section, or


(II) to supply him or her with data relating tothat other person obtained as a result ofsuch a request.

(b) A person who contravenes paragraph (a) ofthis subsection shall be guilty of an offence.’’.

6.—Section 5 of the Principal Act is amended by the insertion insubsection (1) before paragraph (h) of the following paragraph:

‘‘(gg) kept by the Commissioner or the Information Com-missioner for the purposes of his or her functions,’’.


(a) in subsection (1), by the insertion after ‘‘where appropri-ate,’’ of ‘‘blocked or’’, and

(b) by the substitution of the following subsection for subsec-tion (2):

‘‘(2) Where a data controller complies, or is deemedto have complied, with a request under subsection (1) ofthis section, he or she shall, as soon as may be and in anyevent not more than 40 days after the request has beengiven or sent to him or her, notify—

(a) the individual making the request, and

(b) if such compliance materially modifies the dataconcerned, any person to whom the data weredisclosed during the period of 12 monthsimmediately before the giving or sending ofthe request unless such notification provesimpossible or involves a disproportionateeffort,

of the rectification, blocking, erasure or statementconcerned.’’.

8.—The following sections are inserted in the Principal Act aftersection 6:

‘‘Right of data 6A.—(1) Subject to subsection (3) and unlesssubject to object to

otherwise provided by any enactment, an individ-processing likely tocause damage or ual is entitled at any time, by notice in writingdistress. served on a data controller, to request him or her

to cease within a reasonable time, or not to begin,processing or processing for a specified purposeor in a specified manner any personal data inrespect of which he or she is the data subject ifthe processing falls within subsection (2) of thissection on the ground that, for specifiedreasons—

(a) the processing of those data or their pro-cessing for that purpose or in thatmanner is causing or likely to causesubstantial damage or distress to himor her or to another person, and

21

S.5

Amendment ofsection 5(restriction of rightof access) ofPrincipal Act.

Amendment ofsection 6 (right ofrectification orerasure) ofPrincipal Act.

Certain rights ofdata subjects.

S.8

22


(b) the damage or distress is or would beunwarranted.

(2) This subsection applies to processing thatis necessary—

(a) for the performance of a task carried outin the public interest or in the exerciseof official authority vested in the datacontroller or in a third party to whomthe data are or are to be disclosed, or

(b) for the purposes of the legitimateinterests pursued by the data control-ler to whom the data are or are to bedisclosed, unless those interests areoverridden by the interests of the datasubject in relation to fundamentalrights and freedoms and, in particular,his or her right to privacy with respectto the processing of personal data.

(3) Subsection (1) does not apply—

(a) in a case where the data subject hasgiven his or her explicit consent to theprocessing,

(b) if the processing is necessary—

(i) for the performance of a contractto which the data subject is aparty,

(ii) in order to take steps at therequest of the data subject priorto his or her entering into acontract,

(iii) for compliance with any legal obli-gation to which the data control-ler or data subject is subject otherthan one imposed by contract, or

(iv) to protect the vital interests of thedata subject,

(c) to processing carried out by political par-ties or candidates for election to, orholders of elective political office, inthe course of electoral activities, or

(d) in such other cases, if any, as may bespecified in regulations made by theMinister after consultation with theCommissioner.

(4) Where a notice under subsection (1) of thissection is served on a data controller, he or sheshall, as soon as practicable and in any event notlater than 20 days after the receipt of the notice,serve a notice on the individual concerned—


(a) stating that he or she has complied orintends to comply with the requestconcerned, or

(b) stating that he or she is of opinion thatthe request is unjustified to any extentand the reasons for the opinion andthe extent (if any) to which he or shehas complied or intends to complywith it.

(5) If the Commissioner is satisfied, on theapplication to him or her in that behalf of an indi-vidual who has served a notice under subsection(1) of this section that appears to the Com-missioner to be justified, or to be justified to anyextent, that the data controller concerned hasfailed to comply with the notice or to comply withit to that extent and that not less than 40 dayshave elapsed since the receipt of the notice byhim or her, the Commissioner may, by anenforcement notice served on the data controller,order him or her to take such steps for complyingwith the request, or for complying with it to thatextent, as the Commissioner thinks fit and speci-fies in the enforcement notice, and that noticeshall specify the reasons for the Commissionerbeing satisfied as aforesaid.

Rights in relation to 6B.—(1) Subject to subsection (2) of thisautomated decision

section, a decision which produces legal effectstaking.concerning a data subject or otherwise signifi-cantly affects a data subject may not be basedsolely on processing by automatic means of per-sonal data in respect of which he or she is the datasubject and which is intended to evaluate certainpersonal matters relating to him or her such as,for example (but without prejudice to the gener-ality of the foregoing), his or her performance atwork, creditworthiness, reliability or conduct.

(2) Subsection (1) of this section does notapply—

(a) in a case in which a decision referred toin that subsection—

(i) is made in the course of stepstaken—

(I) for the purpose of consider-ing whether to enter into acontract with the datasubject,

(II) with a view to entering intosuch a contract, or

(III) in the course of performingsuch a contract,

or

23

S.8

S.8

Amendment ofsection 8 (disclosureof personal data incertain cases) ofPrincipal Act.

Additionalfunctions ofCommissioner.

24


(ii) is authorised or required by anyenactment and the data subjecthas been informed of the pro-posal to make the decision, and

(iii) either—

(I) the effect of the decision is togrant a request of the datasubject, or

(II) adequate steps have beentaken to safeguard the legit-imate interests of the datasubject by, for example (butwithout prejudice to the gen-erality of the foregoing), themaking of arrangements toenable him or her to makerepresentations to the datacontroller in relation to theproposal,

or

(b) if the data subject consents to the pro-cessing referred to in subsection (1).’’.

9.—Section 8 of the Principal Act is amended by—

(a) the substitution of ‘‘processing’’ for ‘‘disclosure’’ in eachplace where it occurs, and

(b) the deletion of paragraph (g).

10.—Section 9 of the Principal Act is amended by the insertion ofthe following subsections after subsection (1):

‘‘(1A) (a) The lawfulness of the processing of personal data(including their transmission to the Central Unitof Eurodac established pursuant to the CouncilRegulation) in accordance with the Council Regu-lation shall be monitored by the Commissioner.

(b) In paragraph (a) of this subsection, ‘the CouncilRegulation’ means Council Regulation (EC) No.2725/2000 of 11 December 2000(2) concerning theestablishment of Eurodac for the comparison offingerprints for the effective application of theDublin Convention.

(1B) The Commissioner shall arrange for the disseminationin such form and manner as he or she considers appropriate of—

(a) any Community finding (within the meaning of subsec-tion (2)(b) (inserted by the Act of 2003) of section11 of this Act),

(b) any decision of the European Commission or the Euro-pean Council under the procedure provided for inArticle 31(2) of the Directive that is made for the

(2) O.J. No. L 316, 15.12.00, p. 0001-0010.


purposes of paragraph 3 or 4 of Article 26 of theDirective, and

(c) such other information as may appear to him or her tobe expedient to give to data controllers in relationto the protection of the rights and freedoms of datasubjects in respect of the processing of personal datain countries and territories outside the EuropeanEconomic Area.

(1C) The Commissioner shall be the supervisory authority inthe State for the purposes of the Directive.

(1D) The Commissioner shall also perform any functions inrelation to data protection that the Minister may confer on himor her by regulations for the purpose of enabling the Govern-ment to give effect to any international obligations of theState.’’.



(i) in paragraph (a), by the deletion of ‘‘by a data con-troller or a data processor’’, and

(ii) in paragraph (b), by the substitution of the followingsubparagraph for subparagraph (ii):

‘‘(ii) if he or she is unable to arrange, within areasonable time, for the amicable resolutionby the parties concerned of the matter thesubject of the complaint, notify in writing theindividual who made the complaint of his orher decision in relation to it and that the indi-vidual may, if aggrieved by the decision,appeal against it to the Court under section26 of this Act within 21 days from the receiptby him or her of the notification.’’,

(b) by the insertion of the following subsection after subsection(1):

‘‘(1A) The Commissioner may carry out or cause tobe carried out such investigations as he or she considersappropriate in order to ensure compliance with the pro-visions of this Act and to identify any contraventionthereof.’’,

(c) in subsection (2), by the deletion of ‘‘, being a data control-ler or a data processor,’’,

(d) in subsection (3), by the substitution of the following para-graph for paragraph (a):

‘‘(a) to block, rectify, erase or destroy any of the dataconcerned, or’’,

and

(e) in subsection (7), by the substitution of the following for somuch of the subsection as follows paragraph (a):

25

S.10

Amendment ofsection 10(enforcement ofdata protection) ofPrincipal Act.

S.11

Restriction ontransfer of personaldata outside State.

26


‘‘(b) if such compliance materially modifies the data con-cerned, any person to whom the data were dis-closed during the period beginning 12 monthsbefore the date of the service of the enforcementnotice concerned and ending immediately beforesuch compliance unless such notification provesimpossible or involves a disproportionate effort,

of the blocking, rectification, erasure, destruction orstatement concerned.’’.

12.—The following section is substituted for section 11 of the Prin-cipal Act:

‘‘11.—(1) The transfer of personal data to a country or terri-tory outside the European Economic Area may not take placeunless that country or territory ensures an adequate level of pro-tection for the privacy and the fundamental rights and freedomsof data subjects in relation to the processing of personal datahaving regard to all the circumstances surrounding the transferand, in particular, but without prejudice to the generality of theforegoing, to—

(a) the nature of the data,

(b) the purposes for which and the period during which thedata are intended to be processed,

(c) the country or territory of origin of the information con-tained in the data,

(d) the country or territory of final destination of thatinformation,

(e) the law in force in the country or territory referred toin paragraph (d),

(f) any relevant codes of conduct or other rules which areenforceable in that country or territory,

(g) any security measures taken in respect of the data inthat country or territory, and

(h) the international obligations of that country orterritory.

(2) (a) Where in any proceedings under this Act a questionarises—

(i) whether the adequate level of protection speci-fied in subsection (1) of this section is ensuredby a country or territory outside the EuropeanEconomic Area to which personal data are tobe transferred, and

(ii) a Community finding has been made in relationto transfers of the kind in question,

the question shall be determined in accordance withthat finding.

(b) In paragraph (a) of this subsection ‘Community finding’means a finding of the European Commission made


for the purposes of paragraph (4) or (6) of Article25 of the Directive under the procedure provided forin Article 31(2) of the Directive in relation towhether the adequate level of protection specified insubsection (1) of this section is ensured by a countryor territory outside the European Economic Area.

(3) The Commissioner shall inform the Commission and thesupervisory authorities of the other Member States of any casewhere he or she considers that a country or territory outside theEuropean Economic Area does not ensure the adequate levelof protection referred to in subsection (1) of this section.

(4) (a) This section shall not apply to a transfer of data if—

(i) the transfer of the data or the information consti-tuting the data is required or authorised by orunder—

(I) any enactment, or

(II) any convention or other instrumentimposing an international obligation on theState,

(ii) the data subject has given his or her consent tothe transfer,

(iii) the transfer is necessary—

(I) for the performance of a contract betweenthe data subject and the data controller, or

(II) for the taking of steps at the request of thedata subject with a view to his or herentering into a contract with the datacontroller,

(iv) the transfer is necessary—

(I) for the conclusion of a contract between thedata controller and a person other than thedata subject that—

(A) is entered into at the request of thedata subject, and

(B) is in the interests of the data subject,or

(II) for the performance of such a contract,

(v) the transfer is necessary for reasons of substantialpublic interest,

(vi) the transfer is necessary for the purpose ofobtaining legal advice or for the purpose of orin connection with legal proceedings or prospec-tive legal proceedings or is otherwise necessaryfor the purposes of establishing or defendinglegal rights,

27

S.12

S.12

28


(vii) the transfer is necessary in order to preventinjury or other damage to the health of the datasubject or serious loss of or damage to propertyof the data subject or otherwise to protect his orher vital interests, and informing the data sub-ject of, or seeking his or her consent to, thetransfer is likely to damage his or her vitalinterests,

(viii) the transfer is of part only of the personal dataon a register established by or under an enact-ment, being—

(I) a register intended for consultation by thepublic, or

(II) a register intended for consultation by per-sons having a legitimate interest in its sub-ject matter,

and, in the case of a register referred to in clause(II) of this subparagraph, the transfer is made,at the request of, or to, a person referred to inthat clause and any conditions to which suchconsultation is subject are complied with by anyperson to whom the data are or are to be trans-ferred, or

(ix) the transfer has been authorised by the Com-missioner where the data controller adducesadequate safeguards with respect to the privacyand fundamental rights and freedoms of individ-uals and for the exercise by individuals of theirrelevant rights under this Act or the transfer ismade on terms of a kind approved by the Com-missioner as ensuring such safeguards.

(b) The Commissioner shall inform the European Com-mission and the supervisory authorities of the otherstates in the European Economic Area of any auth-orisation or approval under paragraph (a)(ix) of thissubsection.

(c) The Commissioner shall comply with any decision ofthe European Commission under the procedure laiddown in Article 31.2 of the Directive made for thepurposes of paragraph 3 or 4 of Article 26 of theDirective.

(5) The Minister may, after consultation with the Com-missioner, by regulations specify—

(a) the circumstances in which a transfer of data is to betaken for the purposes of subsection (4)(a)(v) of thissection to be necessary for reasons of substantialpublic interest, and

(b) the circumstances in which such a transfer which is notrequired by or under an enactment is not to be sotaken.


(6) Where, in relation to a transfer of data to a country orterritory outside the European Economic Area, a data control-ler adduces the safeguards for the data subject concernedreferred to in subsection (4)(a)(ix) of this section by means of acontract embodying the contractual clauses referred to in para-graph 2 or 4 of Article 26 of the Directive, the data subject shallhave the same right—

(a) to enforce a clause of the contract conferring rights onhim or her or relating to such rights, and

(b) to compensation or damages for breach of such aclause,

that he or she would have if he or she were a party to thecontract.

(7) The Commissioner may, subject to the provisions of thissection, prohibit the transfer of personal data from the Stateto a place outside the State unless such transfer is required orauthorised by or under any enactment or required by any con-vention or other instrument imposing an international obligationon the State.

(8) In determining whether to prohibit a transfer of personaldata under this section, the Commissioner shall also considerwhether the transfer would be likely to cause damage or distressto any person and have regard to the desirability of facilitatinginternational transfers of data.

(9) A prohibition under subsection (7) of this section shall beeffected by the service of a notice (referred to in this Act as aprohibition notice) on the person proposing to transfer the dataconcerned.

(10) A prohibition notice shall—

(a) prohibit the transfer concerned either absolutely oruntil the person aforesaid has taken such steps as arespecified in the notice for protecting the interests ofthe data subjects concerned,

(b) specify the time when it is to take effect,

(c) specify the grounds for the prohibition, and

(d) subject to subsection (12) of this section, state that theperson concerned may appeal to the Court undersection 26 of this Act against the prohibition speci-fied in the notice within 21 days from the service ofthe notice on him or her.

(11) Subject to subsection (12) of this section, the time speci-fied in a prohibition notice for compliance with the prohibitionspecified therein shall not be expressed to expire before the endof the period of 21 days specified in subsection (10)(d) of thissection and, if an appeal is brought against the prohibition, theprohibition need not be complied with and subsection (15) ofthis section shall not apply in relation thereto, pending the deter-mination or withdrawal of the appeal.

(12) If the Commissioner—

29

S.12

S.12

Prior checking ofprocessing byCommissioner.

30


(a) by reason of special circumstances, is of opinion that aprohibition specified in a prohibition notice shouldbe complied with urgently, and

(b) includes a statement to that effect in the notice,

subsections (10)(d) and (11) of this section shall not apply inrelation to the notice but the notice shall contain a statement ofthe effect of the provisions of section 26 (other than subsection(3)) of this Act and shall not require compliance with the pro-hibition before the end of the period of 7 days beginning on thedate on which the notice is served.

(13) The Commissioner may cancel a prohibition notice and,if he or she does so, shall notify in writing the person on whomit was served accordingly.

(14) (a) This section applies, with any necessary modifi-cations, to a transfer of information from the Stateto a place outside the State for conversion intopersonal data as it applies to a transfer of personaldata from the State to such a place.

(b) In paragraph (a) of this subsection ‘information’means information (not being data) relating to aliving individual who can be identified from it.

(15) A person who, without reasonable excuse, fails or ref-uses to comply with a prohibition specified in a prohibitionnotice shall be guilty of an offence.’’.

13.—The following section is inserted into the Act of 1988 aftersection 12:

‘‘12A.—(1) This section applies to any processing that is ofa prescribed description, being processing that appears to theCommissioner to be particularly likely—

(a) to cause substantial damage or substantial distress todata subjects, or

(b) otherwise significantly to prejudice the rights and free-doms of data subjects.

(2) The Commissioner, on receiving—

(a) an application under section 17 of this Act by a personto whom section 16 of this Act applies for regis-tration in the register and any prescribed infor-mation and any other information that he or she mayrequire, or

(b) a request from a data controller in that behalf,

shall consider and determine—

(i) whether any of the processing to which the applicationor request relates is processing to which this sectionapplies,


(ii) if it does, whether the processing to which this sectionapplies is likely to comply with the provisions of thisAct.

(3) Subject to subsection (4) of this section, the Com-missioner shall, within the period of 90 days from the day onwhich he or she receives an application or a request referred toin subsection (2) of this section, serve a notice on the data con-troller concerned stating the extent to which, in the opinion ofthe Commissioner, the proposed processing is likely or unlikelyto comply with the provisions of this Act.

(4) Before the end of the period referred to in subsection(3), the Commissioner may, by reason of special circumstances,extend that period once only, by notice in writing served on thedata controller concerned, by such further period not exceeding90 days as the Commissioner may specify in the notice.

(5) If, for the purposes of his or her functions under thissection, the Commissioner serves an information notice on thedata controller concerned before the end of the period referredto in subsection (3) of this section or that period as extendedunder subsection (4) of this section—

(a) the period from the date of service of the notice to thedate of compliance with the requirement in thenotice, or

(b) if the requirement is set aside under section 26 of thisAct, the period from the date of such service to thedate of such setting aside,

shall be added to the period referred to in the said subsection(3) or that period as so extended as aforesaid.

(6) Processing to which this section applies shall not be car-ried on unless—

(a) the data controller has—

(i) previously made an application under section 17of this Act and furnished the information speci-fied in that section to the Commissioner, or

(ii) made a request under subsection (2) of thissection,

and

(b) the data controller has complied with any informationnotice served on him or her in relation to the matter,and

(c) (i) the period of 90 days from the date of the receipt ofthe application or request referred to in subsec-tion (3) of this section (or that period asextended under subsections (4) and (5) of thissection or either of them) has elapsed withoutthe receipt by the data controller of a noticeunder the said subsection (3), or

(ii) the data controller has received a notice under thesaid subsection (3) stating that the particular

31

S.13

S.13

Amendment ofsection 13 (codes ofpractice) ofPrincipal Act.

32


processing proposed to be carried on is likely tocomply with the provisions of this Act, or

(iii) the data controller—

(I) has received a notice under the said subsec-tion (3) stating that, if the requirementsspecified by the Commissioner (which he orshe is hereby authorised to specify) andappended to the notice are complied withby the data controller, the processing pro-posed to be carried on is likely to complywith the provisions of this Act, and

(II) has complied with those requirements.

(7) A person who contravenes subsection (6) of this sectionshall be guilty of an offence.

(8) An appeal against a notice under subsection (3) of thissection or a requirement appended to the notice may be madeto and heard and determined by the Court under section 26 ofthis Act and that section shall apply as if such a notice and sucha requirement were specified in subsection (1) of the said section26.

(9) The Minister, after consultation with the Commissioner,may by regulations amend subsections (3), (4) and (6) of thissection by substituting for the number of days for the time beingspecified therein a different number specified in the regulations.

(10) A data controller shall pay to the Commissioner such fee(if any) as may be prescribed in respect of the consideration bythe Commissioner, in relation to proposed processing by thedata controller, of the matters referred to in paragraphs (i) and(ii) of subsection (2) of this section and different fees may beprescribed in relation to different categories of processing.

(11) In this section a reference to a data controller includes areference to a data processor.’’.

14.—(1) Section 13 of the Principal Act is amended—

(a) by the substitution of the following subsection for subsection(2):

‘‘(2) The Commissioner shall—

(a) where a code of practice (referred to sub-sequently in this section as a code) so pre-pared is submitted to him or her for consider-ation, consider the code and, after suchconsultation with such data subjects or per-sons representing data subjects and with therelevant trade associations or other bodiesaforesaid as appears to him or her to beappropriate—

(i) if he or she is of opinion that the codeprovides for the data subjects concerneda measure of protection with regard to


personal data relating to them that con-forms with that provided for by section 2,sections 2A to 2D (inserted by the Act of2003) and sections 3 and 4 (other thansubsection (8)) and 6 of this Act, approveof the code and encourage its dissemi-nation to the data controllers concerned,and

(ii) in any event notify the association or bodyconcerned of his or her decision toapprove or not to approve the code,

(b) where he or she considers it necessary or desir-able to do so and after such consultation withany trade associations or other bodiesreferred to in subsection (1) of this sectionhaving an interest in the matter and data sub-jects or persons representing data subjects ashe or she considers appropriate, prepare, andarrange for the dissemination to such personsas he or she considers appropriate of, codesof practice for guidance as to good practice indealing with personal data, and subsection (3)of this section shall apply to a code of practiceprepared under this subsection as it applies toa code,

(c) in such manner and by such means as he or sheconsiders most effective for the purposes ofthis paragraph, promote the following of goodpractice by data controllers and, in particular,so perform his or her functions under this Actas to promote compliance with this Act bydata controllers,

(d) arrange for the dissemination in such form andmanner as he or she considers appropriate ofsuch information as appears to him or her tobe expedient to give to the public about theoperation of this Act, about the practices inprocessing of personal data (including com-pliance with the requirements of this Act)that appear to the Commissioner to be desir-able having regard to the interests of datasubjects and other persons likely to beaffected by such processing and about othermatters within the scope of his or her func-tions under this Act, and may give advice toany person in relation to any of thosematters.’’,

and

(b) by the insertion of the following subsections after subsection(4):

‘‘(5) The Commissioner shall be paid by a person inrelation to whom a service is provided under this sectionsuch fee (if any) as may be prescribed and different feesmay be prescribed in relation to different such servicesand different classes of persons.

33

S.14

S.14

Amendment ofsection 14 (annualreport) of PrincipalAct.

Amendment ofsection 16 (theregister) ofPrincipal Act.

Amendment ofsection 17(applications forregistration) ofPrincipal Act.

34


(6) In proceedings in any court or other tribunal, anyprovision of a code, or a code of practice, approved undersubsection (3) of this section that appears to the court orother tribunal concerned to be relevant to the pro-ceedings may be taken into account in determining thequestion concerned.’’.

(2) A code of practice approved under subsection (2) of the saidsection 13 and in force immediately before the commencement ofthis section shall continue in force after such commencement as ifapproved under subsection (2) (inserted by this section) of section13 of the Principal Act.

15.—Section 14 of the Principal Act is amended by the insertionof the following subsection after subsection (2):

‘‘(3) For the purposes of the law of defamation, a reportunder subsection (1) shall be absolutely privileged.’’.

16.—Section 16 of the Act of 1988 is amended by the substitutionof the following subsection for subsection (1):

‘‘(1) In this section ‘person to whom this section applies’means a data controller and a data processor (other than such(if any) categories of data controller and data processor as maybe specified in regulations made by the Minister after consul-tation with the Commissioner) except in so far as—

(a) they carry out—

(i) processing whose sole purpose is the keeping inaccordance with law of a register that isintended to provide information to the publicand is open to consultation either by the publicin general or by any person demonstrating alegitimate interest,

(ii) processing of manual data (other than such cat-egories, if any, of such data as may beprescribed), or

(iii) any combination of the foregoing categories ofprocessing,

or

(b) the data controller is a body that is not established orconducted for profit and is carrying out processingfor the purposes of establishing or maintaining mem-bership of or support for the body or providing oradministering activities for individuals who are eithermembers of the body or have regular contact withit.’’.



(i) by the substitution of the following paragraph forparagraph (b):


‘‘(b) Where a data controller intends to keep per-sonal data for two or more related purposes,he or she shall make an application for regis-tration in respect of those purposes and, sub-ject to the provisions of this Act, entries shallbe made in the register in accordance withany such application,’’,

and

(ii) by the insertion of the following paragraph after para-graph (b):

‘‘(c) Where a data controller intends to keep per-sonal data for two or more unrelated pur-poses, he shall make an application for separ-ate registration in respect of each of thosepurposes and, subject to the provisions of thisAct, entries shall be made in the register inaccordance with each such application.’’,

and

(b) by the substitution of the following subsection for subsec-tion (3):

‘‘(3) The Commissioner shall not accept such an appli-cation for registration as aforesaid from a data controllerwho keeps sensitive personal data unless he or she is ofopinion that appropriate safeguards for the protection ofthe privacy of the data subjects are being, and will con-tinue to be, provided by him or her.’’.

18.—Section 18 of the Principal Act is amended by the substitutionof the following subsection for subsection (2):

‘‘(2) The prescribed period (which shall not be less than oneyear) shall be calculated—

(a) in the case of a first registration from the date on whichthe relevant entry was made in the register, and

(b) in the case of a registration which has been continuedunder this section, from the day following the expir-ation of the latest prescribed period.’’.

19.—Section 31 of the Principal Act is amended in subsection (1)by—

(a) in paragraph (a), the substitution of ‘‘\3,000’’ for ‘‘£1,000’’,and

(b) in paragraph (b), the substitution of ‘‘\100,000’’ for‘‘£50,000’’.

20.—The Second Schedule to the Principal Act is amended by theinsertion of the following paragraph after paragraph 9:

‘‘10. (1) A person who holds or held the office ofCommissioner or who is or was a member of the staff of theCommissioner shall not disclose to a person other than theCommissioner or such a member any information that isobtained by him or her in his capacity as Commissioner or as

35

S.17

Amendment ofsection 18 (durationand continuance ofregistration) ofPrincipal Act.

Amendment ofsection 31(penalties) ofPrincipal Act.

Amendment ofSecond Schedule(the DataProtectionCommissioner) toPrincipal Act.

S.20

Journalism,literature and art.

Repeals andRevocation.

36


such a member that could reasonably be regarded as confiden-tial without the consent of the person to whom it relates.

(2) A person who contravenes subparagraph (1) of this para-graph shall be guilty of an offence.’’.

21.—The following section is inserted into the Principal Act aftersection 22:

‘‘22A.—(1) Personal data that are processed only for journal-istic, artistic or literary purposes shall be exempt from com-pliance with any provision of this Act specified in subsection (2)of this section if—

(a) the processing is undertaken solely with a view to thepublication of any journalistic, literary or artisticmaterial,

(b) the data controller reasonably believes that, havingregard in particular to the special importance of thepublic interest in freedom of expression, such publi-cation would be in the public interest, and

(c) the data controller reasonably believes that, in all thecircumstances, compliance with that provision wouldbe incompatible with journalistic, artistic or literarypurposes.

(2) The provisions referred to in subsection (1) of this sectionare—

(a) section 2 (as amended by the Act of 2003), other thansubsection (1)(d),

(b) sections 2A, 2B and 2D (which sections were insertedby the Act of 2003),

(c) section 3,

(d) sections 4 and 6 (which sections were amended by theAct of 2003), and

(e) sections 6A and 6B (which sections were inserted bythe Act of 2003).

(3) In considering for the purposes of subsection (1)(b) of thissection whether publication of the material concerned would bein the public interest, regard may be had to any code of practiceapproved under subsections (1) or (2) of section 13 (as amendedby the Act of 2003) of this Act.

(4) In this section ‘publication’, in relation to journalistic,artistic or literary material, means the act of making the materialavailable to the public or any section of the public in any formor by any means.’’.

22.—(1) Section 23 and subsections (3), (4) and (5) of section 24and the Third Schedule of the Principal Act are repealed.

(2) The European Communities (Data Protection) Regulations2001 (S.I. No. 626 of 2001) are hereby revoked.


23.—(1) This Act may be cited as the Data Protection(Amendment) Act 2003.

(2) This Act and the Principal Act may be cited together as theData Protection Acts 1988 and 2003 and shall be construed togetheras one.

(3) Subject to the subsequent provisions of this section, this Actshall come into operation on such day or days as, by order or ordersmade by the Minister under this section, may be fixed therefor eithergenerally or with reference to any particular purpose or provisionand different days may be so fixed for different purposes and differ-ent provisions including the application of section 22(1) to differentprovisions specified therein.

(4) This Act, in so far as it—

(a) amends section 2 of the Principal Act and applies it to man-ual data, and

(b) inserts sections 2A and 2B into that Act,

comes into operation on 24 October 2007 in respect of manual dataheld in relevant filing systems on the passing of this Act.

(5) Notwithstanding subsection (4), a data controller shall, if sorequested in writing by a data subject when making a request undersection 4 of the Principal Act—

(a) rectify, erase, block or destroy any data relating to him orher which are incomplete or inaccurate, or

(b) cease holding manual data relating to him or her in a wayincompatible with the legitimate purposes pursued by thedata controller.

37

Short title,collective citation,construction andcommencement.

BAILE ATHA CLIATHARNA FHOILSIU AG OIFIG AN tSOLATHAIR

Le ceannach dıreach onOIFIG DHIOLTA FOILSEACHAN RIALTAIS,

TEACH SUN ALLIANCE, SRAID THEACH LAIGHEAN, BAILE ATHA CLIATH 2,

no trıd an bpost o

FOILSEACHAIN RIALTAIS, AN RANNOG POST-TRACHTA,51 FAICHE STIABHNA, BAILE ATHA CLIATH 2,

(Teil: 01 - 6476834/35/36/37; Fax: 01 - 6476843)no trı aon dıoltoir leabhar.

——————

DUBLINPUBLISHED BY THE STATIONERY OFFICE

To be purchased directly from theGOVERNMENT PUBLICATIONS SALE OFFICE,

SUN ALLIANCE HOUSE, MOLESWORTH STREET, DUBLIN 2,

or by mail order from

GOVERNMENT PUBLICATIONS, POSTAL TRADE SECTION,51 ST. STEPHEN’S GREEN, DUBLIN 2,

(Tel: 01 - 6476834/35/36/37; Fax: 01 - 6476843)or through any bookseller.

\4.06

Wt. 513. 1,250. 4/03. Cahill. (X44346). Gr. 30-15. 9 780755 739073

ISBN 0-7557-3907-8

Documents

Number of - Data Protection Commissioner · Number 6 of 2003 ... 15. Amendment of section 14 (annual report) of Principal Act. 2 [No. 6.] Data Protection (Amendment) Act [2003.] 2003