Number 25 of 1988
DATA PROTECTION ACT, 1988
Preliminary
Interpretation and application of Act.
1.-(1) In this Act, unless the context otherwise requires-
"appropriate authority" has the meaning assigned to
it by the Civil Service Regulation Acts, 1956 and 1958;
"back-up data" means data kept only for the purpose
of replacing other data in the event of their being lost,
destroyed or damaged;
"civil servant" has the meaning assigned to it by the
Civil Service Regulation Acts, 1956 and 1958;
"the Commissioner" has the meaning assigned to it by
section 9 of this Act;
"company" has the meaning assigned to it by the
Companies Act, 1963;
"the Convention" means the Convention for the
Protection of Individuals with regard to Automatic Processing of
Personal Data done at Strasbourg on the 28th day of January, 1981,
the text of which is set out in the First Schedule to this Act;
"the Court" means the Circuit Court;
"data" means information in a form in which it can be
processed;
"data controller" means a person who, either alone or
with
others, controls the contents and use of personal data;
"data equipment" means equipment for processing data;
"data material" means any document or other material
used in connection with, or produced by, data equipment;
"data processor" means a person who processes
personal data on behalf of a data controller but does not include
an employee of a data controller who processes such data in the
course of his employment;
"data subject" means an individual who is the subject
of personal data;
"direct marketing" includes direct mailing;
"disclosure", in relation to personal data, includes
the disclosure of information extracted from such data and the
transfer of such data but does not include a disclosure made
directly or indirectly by a data controller or a data processor to
an employee or agent of his for the purpose of enabling the
employee or agent to carry out his duties; and, where the
identification of a data subject depends partly on the data and
partly on other information in the possession of the data
controller, the data shall not be regarded as disclosed unless the
other information is also disclosed;
"enforcement notice" means a notice under section 10
of this Act;
"financial institution" means-
(a) a person who holds or has held a licence under section
9 of the Central Bank Act, 1971, or
(b) a person referred to in section 7(4) of that Act;
"information notice" means a notice under section 12
of this Act;
"local authority" means a local authority for the
purposes of the Local Government Act, 1941;
"the Minister" means the Minister for Justice;
"personal data' means data relating to a living individual
who can be identified either from the data or from the data in
conjunction with other information in the possession of the data
controller;
"prescribed", in the case of fees, means prescribed
by regulations made by the Minister with the consent of the
Minister for Finance and, in any other case, means prescribed by
regulations made by the Commissioner with the consent of the
Minister;
"processing" means performing automatically logical
or arithmetical operations on data and includes-
(a) extracting any information constituting the data, and
(b) in relation to a data processor, the use by a data
controller of data equipment in the possession of the data
processor and any other services provided by him for a data
controller,
but does not include an operation performed solely for the
purpose of preparing the text of documents;
"prohibition notice" means a notice under section II
of this Act;
"the register" means the register established and
maintained under section 16 of this Act;
and any cognate words shall be construed accordingly.
(2) For the purposes of this Act, data are inaccurate if
they are incorrect or misleading as to any matter of fact.
(3) (a) An appropriate authority, being a data
controller or a data processor, may, as respects all or
part of the personal data kept by the authority, designate
a civil servant in relation to whom it is the appropriate
authority to be a data controller or a data processor and,
while the designation is in force-
(i) the civil servant so designated shall be
deemed, for the purposes of this Act, to be a data
(ii) this Act shall not apply to the authority,
as respects the data concerned.
(b) Without prejudice to paragraph (a) of this
subsection, the Minister for Defence may, as respect all
or part of the personal data kept by him in relation to
the Defence Forces, designated an officer of the Permanent
Defence Force who holds a commissioned rank therein to be
a data controller or a data processor and, which the
designation is in force-
(i) the officer so designated shall be deemed, for
the purposes of this Act, to be a data controller or,
as the case may be, a data processor, and
(ii) this Act shall not apply to the Minister for
Defence,
as respects the data concerned.
(c) For the purposes of this Act, as respects any
personal data-
(i) where a designation by the relevant appropriate
authority under paragraph (a) of this subsection is
not in force, a civil servant in relation to whom that
authority is the appropriate authority shall be deemed
to be its employee and, where such a designation is in
force, such a civil servant (other than the civil
servant the subject of the designation) shall be
deemed to be an employee of the last mentioned civil
servant,
(ii) where a designation under paragraph (b) of the
subsection is not in force, a member of the Defence
Forces shall be deemed to be an employee of the
Minister for Defence and, where such a designation is
in force, such a member (other than the officer the
subject of the designation) shall be deemed to be an
employee of that officer, and
(iii) a member of the Garda Siochana (other than
the Commissioner of the Garda Siochana) shall be
deemed to be an employee of the said Commissioner.
(4) This Act does not apply to-
(a) personal data that in the opinion of the Minister
or the Minister for Defence are, or at any time were, kept
for the purpose of safeguarding the security of the State,
(b) personal data consisting of information that the
person keeping the data is required by law to make
available to the public, or
(c) personal data kept by an individual and concerned
only with the management of his personal, family or
household affairs or kept by an individual only for
recreational purposes.
Protection of Privacy of Individuals with regard
to Personal Data Collection, processing, keeping, use and disclosure of personal
data
2.-(1) A data controller shall, as respects personal data
kept by him, comply with the following provisions:
(a) the data or, as the case may be, the information
constituting the data shall have been obtained, and the
data shall be processed, fairly,
(b) the data shall be accurate and, where necessary,
kept up to date,
(c) the data-
(i) shall be kept only for one or more specified
and lawful purposes,
(ii) shall not be used or disclosed in any manner
incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive
in relation to that purpose or those purposes, and
(iv) shall not be kept for longer than is necessary
for that purpose or those purposes,
(d) appropriate security measures shall be taken
against unauthorised access to, or alteration, disclosure
or destruction of, the data and against their accidental
loss or destruction.
(2) A data processor shall, as respects personal data
processed by him, comply with paragraph (d) of subsection
(1) of this section.
(3) Paragraph (a) of the said subsection (1) does not
apply to information intended for inclusion in data, or to
data, kept for a purpose mentioned in section 5 (1) (a) of
this Act, in any case in which the application of that
paragraph to the data would be likely to prejudice any of
the matters mentioned in the said section 5 (1) (a).
(4) Paragraph (b) of the said subsection (1) does not
apply to back-up data.
(5) (a) Paragraph (c) (iv) of the said subsection (1)
does not apply to personal data kept for historical,
statistical or research purposes, and
(b) the data or, as the case may be, the information
constituting such data shall not be regarded for the
purposes of paragraph (a) of the said subsection as having
been obtained unfairly by reason only that its use for any
such purpose was not disclosed when it was obtained,
if the data are not used in such a way that damage or
distress is, or is likely to be, caused to any data subject,
(6) (a) The Minister may, for the purpose of providing
additional safeguards in relation to personal data as to
racial origin, political opinions, religious or other
beliefs, physical or mental health, sexual life or
criminal convictions, by regulations amend subsection (1)
of this section.
(b) Regulations under this section may make different
provision in relation to data of different descriptions.
(c) References in this Act to subsection (1) of this
section or to a provision of that subsection shall be
construed in accordance with any amendment under this
section.
(d) Regulations under this section shall be made only
after consultation with any other Minister of the
Government who, having regard to his functions, ought, in
the opinion of the Minister, to be consulted.
(e) Where it is proposed to make regulations under this
section, a draft of the regulations shall be laid before
each House of the Oireachtas and the regulations shall not
be made until a resolution approving of the draft shall
have been passed by each such House.
(7) Where-
(a) personal data are kept for the purpose of direct
marketing, and
(b) the data subject concerned requests the data
controller in writing to cease using the data for that
purpose,
the data controller shall, as soon as may be and in any
event not more than 40
days after the request has been given or sent to him-
(i) if the data are kept only for the purpose
aforesaid, erase the data,
(ii) if the data are kept for that purpose and
other purposes, cease using the data for that purpose,
and
(iii) notify the data subject in writing
accordingly and, where appropriate, inform him of
those other purposes.
Right to establish existence of personal data
3.-An individual who believes that a person keeps personal data
shall, if he so requests the person in writing-
(a) be informed by the person whether he keeps any such
data, and
(b) if he does, be given by the person a description of
the data and the purposes for which they are kept,
as soon as may be and in any event not more than 21 days after
the request has been given or sent to him.
Right of access
4.(1)(a) Subject of the provisions of this Act, an
individual shall, if he so requests a data controller in
writing-
(i) be informed by the data controller whether the
data kept by him include personal data relating to the
individual, and
(ii) be supplied by the data controller with a copy
of the information constituting any such data,
as soon as may be and in any event not more than 40
days after compliance by the individual with the
provisions of this section; and, where any of the
information is expressed in terms that are not
intelligible to the average person without explanation,
the information shall be accompanied by an explanation of
those terms.
(b) A request for the information specified in
sub-paragraph (i) of subsection (1)(a) of this section
shall, in the absence of any indication to the contrary,
be treated as including a request for a copy of the
information specified in subparagraph (ii) of the said
subsection (1) (a).
(c) (i) A fee may be payable to the data controller
concerned in respect of such a request as aforesaid
and the amount thereof shall not exceed such amount as
may be prescribed or an amount that in the opinion of
the Commissioner is reasonable, having regard to the
estimated cost to the data controller of compliance
with the request, whichever is the lesser.
(ii) A fee paid by an individual to a data
controller under subparagraph (i) of this paragraph
shall be returned to him if his request is not
complied with or the data controller rectifies or
supplements, or erases part of, the data concerned
(and thereby materially modifies the data) or erases
all of the data on the application of the individual
or in accordance with an enforcement notice or an
order of a court.
(2) Where pursuant to provision made in that behalf under
this Act there are separate entries in the register in respect
of data kept by a data controller for different purposes,
subsection (1) of this section shall apply as if it provided
for the making of a separate request and the payment of a
separate fee in respect of the data to which each entry
relates.
(3) An individual making a request under this section shall
supply the data controller concerned with such information as
he may reasonably require in order to satisfy himself of the
identity of the individual and to locate any relevant personal
data or information.
(4) Nothing in subsection (1) of this section obliges a
data controller to disclose to a data subject personal data
relating to another individual unless that other individual
has consented to the disclosure:
Provided that, where the circumstances are such that it
would be reasonable for the data controller to conclude that,
if any particulars identifying that other individual were
omitted, the data could then be disclosed as aforesaid without
his being thereby identified to the data subject, the data
controller shall be obliged to disclose the data to the data
subject with the omission of those particulars.
(5) Information supplied pursuant to a request under
subsection (1) of this section may take account of any
amendment of the personal data concerned made since the
receipt of the request by the data controller (being an
amendment that would have been made irrespective of the
receipt of the request) but not of any other amendment.
(6) (a) A request by an individual under subsection (1)
of this section in relation to the results of an
examination at which he was a candidate shall be deemed,
for the purposes of this section, to be made on-
(i) the date of the first publication of the
results of the examination, or
(ii) the date of the request,
whichever is the later; and paragraph (a) of the said
subsection (1) shall be construed and have effect in
relation to such a request as if for "40 days"
there were substituted "60 days".
(b) In this subsection "examination" means
any process for determining the knowledge, intelligence,
skill or ability of a person by reference to his
performance in any test, work or other activity.
(7) A notification of a refusal of a request made by an
individual under and in compliance with the preceding
provisions of this section shall be in writing and shall
include a statement of the reasons for the refusal and an
indication that the individual may complain to the
Commissioner about the refusal.
(8) (a) If and whenever the Minister considers it
desirable in the interests of data subject to do so and by
regulations so declares, the application of this section
to personal data-
(i) relating to physical or mental health, or
(ii) kept for, or obtained in the course of,
carrying out social work by a Minister of the
Government, a local authority, a health board or a
specified voluntary organisation or other body,
may be modified by the regulations in such manner, in
such circumstances, subject to such safeguards and to such
extent as may be specified therein.
(b) Regulations under paragraph (a) of this subsection
shall be made only after consultation with the Minister
for Health and any other Minister of the Government who,
having regard to his functions, ought, in the opinion of
the Minister, to be consulted and may make different
provision in relation to data of different descriptions.
Restriction of right of access.
5.(1) Section 4 of this Act does not apply to personal data-
(a) kept for the purpose of preventing, detecting or
investigating offences, apprehending or prosecuting
offenders or assessing or collecting any tax, duty or
other moneys owed or payable to the State, a local
authority or a health board, in any case in which the
application of that section to the data would be likely to
prejudice any of the matters aforesaid,
(b) to which, by virtue of paragraph (a) of this
subsection, the said section 4 does not apply and which
are kept for the purpose of discharging a function
conferred by or under any enactment and consisting of
information obtained for such a purpose from a person who
had it in his possession for any of the purposes mentioned
in paragraph (a) of this subsection,
c) in any case in which the application of that section
would be likely to prejudice the security of, or the
maintenance of good order and discipline in-
(i) a prison,
(ii) a place of detention provided under section 2
of the Prison Act, 1970,
(iii) a military prison or detention barrack within
the meaning of the Defence Act, 1954, or
(iv) Saint Patrick's Institution,
(d) kept for the purpose of performing such functions
conferred by or under any enactment as may be specified by
regulations made by the Minister, being functions that, in
the opinion of the Minister, are designed to protect
members of the public against financial loss occasioned
by-
(i) dishonesty, incompetence or malpractice on the
part of persons concerned in the provision of banking,
insurance, investment or other financial services or
in the management of companies or similar
organisations, or
(ii) the conduct of persons who have at any time
been adjudicated bankrupt,
in any case in which the application of that section to
the data would be likely to prejudice the proper
performance of any of those functions,
(e) in respect of which the application of that section
would be contrary to the interests of protecting the
international relations of the State,
(f) consisting of an estimate of, or kept for the
purpose of estimating, the amount of the liability of the
data controller concerned on foot of a claim for the
payment of a sum of money, whether in respect of damages
or compensation, in any case in which the application of
the section would be likely to prejudice the interests of
the data controller in relation to the claim,
(g) in respect of which a claim of privilege could be
maintained in proceedings in a court in relation to
communications between a client and his professional legal
advisers or between those advisers,
(h) kept out for the purpose of preparing statistics or
carrying out research if the data are not used or
disclosed (other than to a person to whom a disclosure of
such data may be made in the circumstances specified in
section 8 of this Act) for any other purpose and the
resulting statistics or the results of the research are
not made available in a form that identifies any of the
data subjects, or
(i) that are back-up data.
(2) Regulations under subsection (1) (d) and (3) (b) of
this section shall be made only after consultation with any
other Minister of the Government who, having regarding to his
functions, ought, in the opinion of the Minister, to be
consulted.
(3) (a) Subject to paragraph (b) of this subsection,
section 4 of this Act, as modified by any other provisions
thereof, shall apply notwithstanding any provision of or
made under any enactment or rule of law that is in force
immediately before the passing of this Act and prohibits
or restricts the disclosure, or authorises the
withholdings, of information.
(b) If and whenever the Minister is of opinion that a
prohibition, restriction or authorisation referred to in
paragraph (a) of this subsection in relation to any
information ought to prevail in the interests of the data
subjects concerned or any other individuals and by
regulations so declares, then, while the regulations are
in force, the said paragraph (a) shall not apply as
respects the provision or rule of law concerned and
accordingly section 4 of this Act, as modified as
aforesaid, shall not apply in relation to that
information.
Right of rectification of erasure.
6.(1) An individual shall, if he so requests in writing a data
controller who keeps personal data relating to him, be entitled to
have rectified or, where appropriate, erased any such data in
relation to which there has been a contravention by the data
controller of section 2(1) of this Act; and the data controller
shall comply with the request as soon as may be and in any event
not more than 40 days after it has been given or sent to him:
Provided that the data controller shall, as respects data that
are inaccurate or not kept up to data, be deemed-
(a) to have complied with the request if he supplements
that data with a statement (to the terms of which the
individual has assented) relating to the matters dealt
with by the data, and
(b) if he supplements the data as aforesaid, not to be
in contravention of paragraph (b) of the said section
2(1).
(2) On compliance by a data controller with a request under
subsection (1) of this section, he shall, as soon as may be
and in any event not more than 40 days after the request has
been given or sent to him, notify-
(a) the individual making the request, and
(b) if such compliance materially modifies the data
concerned, any person to whom the data were disclosed
during the period of 12 months immediately before the
giving or sending of the request, of the rectification, erasure or statement concerned.
Duty of care owed by data controllers and data processors.
7.-For the purposes of the law of torts and to the extent that
that law does not so provide, a person, being a data controller or
a data processor, shall, so far as regards the collection by him
of personal data or information intended for inclusion in such
data or his dealing with such data, owe a duty of care to the data
subject concerned:
Provided that, for the purposes only of this section, a data
controller shall be deemed to have complied with the provisions of
section 2(1) (b) of this Act if and so long as the personal data
concerned accurately record data or other information received or
obtained by him from the data subject or a third party and include
(and, if the data are disclosed, the disclosure is accompanied
by)-
(a) an indication that the information constituting the
data was received or obtained as aforesaid,
(b) if appropriate, an indication that the data subject
has informed the data controller that he regards the
information as inaccurate or not kept up to date, and
(c) any statement with which, pursuant to this Act, the
data are supplemented.
Disclosure of personal data in certain cases.
8.-Any restrictions in this Act on the disclosure of personal
data do not apply if the disclosure is-
(a) in the opinion of a member of the Garda Siochana
not below the rank of chief superintendent or an officer
of the Permanent Defence Force who holds an army rank not
below that of colonel and is designated by the Minister
for Defence under this paragraph, required for the purpose
of safeguarding the security of the State,
(b) required for the purpose of preventing, detecting
or investigating offences, apprehending or prosecuting
offenders or assessing or collecting any tax, duty or
other moneys owed or payable to the State, a local
authority or a health board, in any case in which the
application of those restrictions would be likely to
prejudice any of the matters aforesaid,
(c) required in the interests of protecting the
international relations of the State,
(d) required urgently to prevent injury or other damage
to the health of a person or serious loss of or damage to
property,
(e) required by or under any enactment or by a rule of
law or order of a court,
(f) required for the purposes of obtaining legal advice
or for the purposes of, or in the course of, legal
proceedings in which the person making the disclosure is a
party or a witness,
(g) made to the data subject concerned or to a person
acting on his behalf, or
(h) made at the request or with the consent of the data
subject or a person acting on his behalf.
The Data Protection Commissioner
The Commissioner.
9.(1) For the purposes of this Act, there shall be a person
(referred to in this Act as the Commissioner) who shall be
known as an Coimisinéir Cosanta Sonraí or, in the English
language, the Data Protection Commissioner; the Commissioner shall
perform the functions conferred on him by this Act.
(2) The provisions of the Second Schedule to this Act shall
have effect in relation to the Commissioner.
Enforcement of data protection.
10.(1)(a) The Commissioner may investigate, or cause to
be investigated, whether any of the provisions of this Act
have been, are being or are likely to be contravened by a
data controller or a data processor in relation to an
individual either whether the individual complains to him
of a contravention of any of those provisions or he is
otherwise of opinion that there may be such a
contravention.
(b) Where a complaint is made to the Commissioner under
paragraph (a) of this subsection, the Commissioner shall-
(i) investigate the complaint or cause it to be
investigated, unless he is of opinion that it is
frivolous or vexatious, and
(ii) as soon as may be, notify the individual
concerned in writing of his decision in relation to
the complaint and that the individual may, if
aggrieved by his decision, appeal against it to the
Court under section 26 of this Act within 21 days from
the receipt by him of this notification.
(2) If the Commissioner is of opinion that a person, being
a data controller or a data processor, has contravened or is
contravening a provision of this Act (other than a provision
the contravention of which is an offence), the Commissioner
may, by notice in writing (referred to in this Act as an
enforcement notice) served on the person, require him to take
such steps as are specified in the notice within such time as
may be so specified to comply with the provision concerned.
(3) Without prejudice to the generality of subsection (2)
of this section, if the Commissioner is of opinion that a data
controller has contravened section 2(1) of this Act, the
relevant enforcement notice may require him-
(a) to rectify or erase any of the data concerned, or
(b) to supplement the data with such statement relating
to the matters dealt with by them as the Commissioner may
approve of; and as respects data that are inaccurate or
not kept up to date, if he supplements them as aforesaid,
he shall be deemed not to be in contravention of paragraph
(b) of the said section 2(1).
(4) An enforcement notice shall-
(a) specify any provision of this Act that, in the
opinion of the Commissioner, has been or is being
contravened and the reasons for his having formed that
opinion, and
(b) subject to subsection (6) of this section, state
that the person concerned may appeal to the Court under
section 26 of this Act against the requirement specified
in the notice within 21 days from the service of the
notice on him.
(5) Subject to subsection (6) of this section, the time
specified in an enforcement notice for compliance with a
requirement specified therein shall not be expressed to expire
before the end of the period of 21 days specified in
subsection (4) (b) of this section and, if an appeal is
brought against the requirement, the requirement need not be
complied with the subsection (9) of this section shall not
apply in relation thereto, pending the determination or
withdrawal of the appeal.
(6) If the Commissioner-
(a) by reason of special circumstances, is of opinion
that a requirement specified in an enforcement notice
should be complied with urgently, and
(b) includes a statement to that effect in the notice,
subsections (4) (b) and (5) of this section shall not
apply in relation to the notice, but the notice shall
contain a statement of the effect of the provisions of
section 26 (other than subsection (3) of the Act andshall
not require compliance with the requirement before the end
of period of 7 days beginning on the data on which the
notice is served.
(7) On compliance by a data controller with a requirement
under subsection (3) of this section, he shall, as soon as may
be and in any event not more than 40 days after such
compliance, notify-
(a) the data subject concerned, and
(b) if such compliance materially modifies the data
concerned, any person to whom the data were disclosed
during the period beginning 12 months before the data of
the service of the enforcement notice concerned and ending
immediately before such compliance,
of the rectification, erasure or statement concerned.
(8) The Commissioner may cancel an enforcement notice and,
if he does so, shall notify in writing the person on whom it
was served accordingly.
(9) A person who, without reasonable excuse, fails or
refuses to comply with a requirement specified in an
enforcement notice shall be guilty of an offence.
Prohibition on transfer of personal data outside State.
11.(1)The Commissioner may, subject to the provisions of this
section, prohibit the transfer of personal data from the State to
a place outside the State.
(2) The Commissioner, when considering whether to prohibit
a proposed transfer of personal data from the State to a place
in a state bound by the Convention, shall have regard to the
provisions of Article 12 of the Convention.
(3) The Commissioner shall not prohibit a proposed transfer
of personal data from the State to a place outside the State
unless he is of opinion that the transfer would, if the place
were in a state bound by the Convention, be likely
to lead to a contravention of the basic principles for data
protection set out in Chapter II of the Convention.
(4) In determining whether to prohibit a transfer of
personal data under this section, the Commissioner shall also
consider whether the transfer would be likely to cause damage
or distress to any person and have regard to the desirability
of facilitating international transfers of data.
(5) A prohibition under subsection (1) of this section
shall be effected by the service of a notice (referred to in
this Act as a prohibition notice) on the person proposing to
transfer the data concerned.
(6) A prohibition notice shall-
(a) prohibit the transfer concerned either absolutely
or until the person aforesaid has taken such steps as are
specified in the notice for protecting the interests of
the data subjects concerned,
(b) specify the time when it is to take effect
(c) specify the grounds for the prohibition, and
(d) subject to subsection (8) of this section, state
that the person concerned may appeal to the Court under
section 26 of this Act against the prohibition specified
in the notice within 21 days from the service of the
notice on him.
(7) Subject to subsection (8) of this section, the time
specified in a prohibition notice for compliance with the
prohibition specified therein shall not be expressed to expire
before the end of the period of 21 days specified in
subsection (6) (d) of this section and, if an appeal is
brought against the prohibition, the prohibition need not be
complied with and subsection (13) of this section shall not
apply in relation thereto, pending the determination or
withdrawal of the appeal.
(8) If the Commissioner-
(a) by reason of special circumstances, is of opinion
that a prohibition specified in a prohibition notice
should be complied with urgently, and
(b) includes a statement to that effect in the notice,
subsections (6) (d) and (7) of this section shall not apply in
relation to the notice but the notice shall contain a statement of
the effect of the provisions of section 26 (other than subsection
(3) of this Act and shall not require compliance with the
prohibition before the end of the period of 7 days beginning on
the date on which the notice is served.
(9) The Commissioner may cancel a prohibition notice and,
if he does so, shall notify in writing the person on whom it
was served accordingly.
(10) This section shall not apply to a transfer of data if
the transfer of the data or the information constituting the
data is required or authorised by or under any enactment or
required by any convention or other instrument imposing an
international obligation on the State.
(11) For the purposes of this section, a place shall be
deemed to be in a state bound by the Convention if it is in
any territory in respect of which the state is so bound.
(12) (a) This section applies, with any necessary
modification, to a transfer of information from the State
to a place outside the State for conversion into personal
data as it applies to a transfer or personal data from the
State to such a place.
(b) In paragraph (a) of this subsection
"information" means information (not being data)
relating to a living individual who can be identified from
it.
(13) A person who, without reasonable excuse, fails or
refuses to comply with a prohibition specified in a
prohibition notice shall be guilty of an offence.
Power to require information.
12.(1) The Commissioner may, by notice in writing (referred to
in this Act as an information notice) served on a person, require
the person to furnish to him in writing within such time as may be
specified in the notice such information in relation to matters
specified in the notice as is necessary or expedient for the
performance by the Commissioner of his functions.
(2) Subject to subsection (3) of this section-
(a) an information notice shall state that the person
concerned may appeal to the Court under section 26 of this
Act against the requirement specified in the notice within
21 days from the service of the notice on him, and
(b) the time specified in the notice for compliance
with a requirement specified therein shall not be
expressed to expire before the end of the period of 21
days specified in paragraph (a) of this subsection and, if
an appeal is brought against the requirement, the
requirement need not be complied with and subsection (5)
of this section shall not apply in relation thereto,
pending the determination or withdrawal of the appeal.
(3) If the Commissioner-
(a) by reason of special circumstances, is of opinion
that a requirement specified in an information notice
should be complied with urgently, and
(b) includes a statement to that effect in the notice,
subsection (2) of this section shall not apply in
relation to the notice, but the notice shall contain a
statement of the effect of the provisions of section 26
(other than subsection (3) of this Act and shall not
require compliance with the requirement before the end of
the period of 7 days beginning on the date on which the
notice is served.
(4) (a) No enactment or rule of law prohibiting or
restricting the disclosure of information shall preclude a
person from furnishing to the Commissioner any information
that is necessary or expedient for the performance by the
Commissioner of his functions.
(b) Paragraph (a) of this subsection does not apply to
information that in the opinion of the Minister or the
Minister for Defence is, or at any time was, kept for the
purpose of safeguarding the security of the State or
information that is privileged from disclosure in
proceedings in any court.
(5) A person who, without reasonable excuse, fails or
refuses to comply with a requirement specified in an
information notice or who in purported compliance with such a
requirement furnishes information to the Commissioner that the
person knows to be false or misleading in a material respect
shall be guilty of an offence.
Codes of practice.
13.(1)The Commissioner shall encourage trade associations and
other bodies representing categories of data controllers to
prepare codes of practice to be complied with by those categories
in dealing with personal data.
(2) The Commissioner may approve of any code of practice so
prepared (referred to subsequently in this section as a code)
if he is of opinion that it provides for the data subjects
concerned a measure of protection with regard to personal data
relating to them that conforms with that provided for by
sections 2, 3, 4 (other than subsection (8) and 6 of this Act
and shall encourage its dissemination to the data controllers
concerned.
(3) Any such code that is so approved of may be laid by the
Minister before each House of the Oireachtas and, if each such
House passes a resolution approving of it, then-
(a) in so far as it relates to dealing with personal
data by the categories of data controllers concerned-
(i) it shall have the force of law in accordance
with its terms, and
(ii) upon its commencement, references (whether
specific or general) in this Act to any of the
provisions of the said sections shall be
construed (or, if the code is in substitution for a
code having the force of law by virtue of this
subsection, continued to be construed) as if they were
also references to the relevant provisions of the code
for the time being having the force of law.
and
(b) it shall be deemed to be a statutory instrument to
which the Statutory Instruments Act, 1947, primarily
applies.
(4) This section shall apply in relation to data processors
as it applies in relation to categories of data controllers
with the modification that the references in this section to
the said sections shall be construed as references to section
2(1)(d) of this Act and with any other necessary
modifications.
Annual report.
14.(1) The Commissioner shall in each year after the year in
which the first Commissioner is appointed prepare a report in
relation to his activities under this Act in the preceding year
and cause copies of the report to be laid before each House of the
Oireachtas.
(2) Notwithstanding subsection (1) of this section, if, but
for this subsection, the first report under that subsection
would relate to a period of less than 6 months, the report
shall relate to that period and to the year immediately
following that period and shall be prepared as soon as may be
after the end of that year.
Mutual assistance between parties to the Convention.
15.(1) The Commissioner is hereby designated for the purposes
of Chapter IV (which relates to mutual assistance) of the
Convention.
(2) The Minister may make any regulations that he considers
necessary or expedient for the purpose of enabling the said
Chapter IV to have full effect.
|