What is Data Protection?
What are the main principles of Data Protection?
Are there exceptions or limitations on the right of access to personal data?
Transferring personal data to other agencies
Who can I contact in SOLAS with regard to Data Protection matters?
How do I make a Data Access Request to SOLAS?
How soon will I get a response to my request?
How much will it cost?
What details have SOLAS registered with the Data Protection Commission?
1. What is Data Protection?
The purpose of the Data Protection Acts 1988 and 2003 (the "Acts") is to protect the privacy of individuals whose personal data is being processed. Processing data includes the obtaining, recording, storing, collecting, retrieving of information or data. It relates to both automated data (i.e. computer held records) and manual data.
Personal data is information relating to a living individual who can be identified from the data itself or in conjunction with other information held.
The Acts give individuals a right to get a copy of all personal data relating to them, by making a written "access request", which applies to both automated data and manual data in the possession of a data controller (i.e. a person who controls the contents and use of personal data).
Additionally, an individual has the right to block uses of personal data, i.e., to prevent it from being used for certain purposes, and lastly, the right to have any inaccurate information rectified or erased. The data controller must write back to the individual within 20 days confirming compliance with the request, or stating its reasons for non-compliance. If an individual is unhappy with the data controller's response, s/he can complain to the Data Protection Commissioner, who can use her enforcement powers if necessary.
SOLAS is a Data Controller under the Data Protection Acts 1988 and 2003. 'Data Controller' means a person who, either alone or with others, controls the contents and use of personal data.
2. What are the main principles of Data Protection?
(a) Fair Obtaining and Fair Processing
The fundamental principle of data protection is that all personal information must be obtained and processed "fairly". If SOLAS (as a data controller) wishes to keep personal information about staff/clients, then it must collect the information fairly, and it must be used fairly.
(b) Specifying the Purpose
Personal data shall be kept only for one or more specified and legitimate purposes. It is unlawful to collect information about people routinely without having a legitimate purpose for doing so.
(c) Use and disclosure of personal information
Personal data of an individual shall not be used or disclosed in any manner incompatible with the purpose or purposes for which the personal information was provided unless the consent of the individual has been obtained for such. If personal information is obtained for a particular purpose, it may then not be used for any other purpose. Furthermore, such personal information may not be divulged to a third party except in ways that are 'compatible' with the specified purpose.
If a data controller, such as SOLAS, holds personal information and wishes to use it for a new purpose, they are obliged to give an option to the individuals concerned to indicate whether or not they wish their personal information to be used for the new purpose.
(d) Security of Personal Data
All data controllers, including SOLAS, must take appropriate security measures against unauthorised access to, or alteration, disclosure or destruction of personal information held and against accidental loss or destruction of the data.
(e) Accurate and Up to Date
All personal information obtained shall be kept accurate and, where necessary, kept up to date. Apart from ensuring compliance with the Acts, data controllers may be liable to an individual for damages if they fail to observe the duty of care provision in the Acts that apply to the handling of personal data.
(f) Adequate, relevant and not excessive
Personal data kept should be enough to enable a data controller to achieve its purpose and no more. It should be adequate, relevant and not excessive in relation to the purpose or purposes for which the data was provided. A data controller should not ask intrusive or personal questions if the information obtained in this way has no bearing on the specified purpose for which it holds personal data.
(g) Retention of personal data
Data controllers must not keep personal data for longer than is necessary for the purpose or other purposes specified. If there is no good reason for retaining personal information, then that information should be routinely destroyed. Information should never be kept 'just in case'.
(h) What rights do I have as regards access to personal data?
Any individual about whom a data controller keeps personal information is entitled to a copy of the personal data on making a written request and payment of the access fee. This "right of access" is subject to a limited number of exceptions which are set out below.
Individuals also have the right to have any inaccurate information rectified or erased or to block the use of personal data and the right to complain to the Data Protection Commissioner.
3. Are there exceptions or limitations on the right of access to personal data?
Yes. The restrictions on the right of access include the following:
The right of access does not apply where there is a need to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand, such as the need to investigate crime effectively and the need to protect the international relations of the State.
The right of access to medical data and social workers' data is also restricted in very limited circumstances, e.g. to protect the individual from hearing something about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being.
The right of access does not include a right to see personal data about other individuals without that other person's consent. It is necessary to protect the privacy rights of the other person.
The right of access does not apply where an expression of opinion has been given in confidence; such an opinion should not be given to the individual making an access request.
4. Transferring personal data to other agencies
Organisations that transfer personal data from Ireland to third countries (i.e., places outside of the European Economic Area (EEA)) and other organisations for processing need to ensure that adequate levels of data protection are provided.
If a data controller retains the services of an agent to process personal data on its behalf (a data processor), then it must put in place a contract in writing (or equivalent form) which deals adequately with issues of security, confidentiality and other data protection matters.
With regard to the level of security measures that organisations must have in place to protect personal data, generally organisations must take all necessary and reasonable steps having regard to the state of current technology, and to the sensitivity of the personal data in question.
The Acts apply to all data controllers established in Ireland - this may include a foreign data controller which operates through an Irish intermediary. The Acts will also apply to data controllers established outside the EEA which use equipment in Ireland to process personal data. These non EEA data controllers must designate a representative in Ireland.
When processing personal data, other legitimate processing requirements are imposed on those processing such data, in addition to the data protection rules. Essentially, the individual must consent to the processing of personal data. However, there are a number of other methods for legitimising the processing of personal data, such as processing necessary for the performance of a contract to which the data subject is party.
The Acts impose obligations on those data controllers that obtain personal data from other data controllers to notify the individuals in question that they hold information about them, to inform them of the uses and disclosures being made of that data and to ensure that they are aware of their right to access their data and modify it if it is incorrect.
5. Who can I contact in SOLAS with regard to Data Protection matters?
Manager Legal & Audit Services
Phone: (01) 533 2388
6. How do I make a Data Access Request to SOLAS?
In making a Data Access request to SOLAS, you must make an application in writing by letter or email, identifying yourself and stating that you wish to receive information under the Acts. This should be accompanied by the prescribed access fee, which in the case of SOLAS is €6.35 (see "How much will it cost?" below).
7. How soon will I get a response to my request?
Generally copies of the personal data must be supplied to the requestor within 40 days of SOLAS receiving the request. SOLAS cannot change any personal data upon receiving a request.
SOLAS will provide you with the personal information in a form which will be clear to the ordinary person (e.g., codes explained).
SOLAS will provide personal information only to the individual concerned or someone acting on their behalf or with their authority. Personal information will not be given over the phone.
If no personal information is held about you, you will be informed of this within the 40 days.
8. How much will it cost?
The maximum fee that a requestor can be required to pay is €6.35 at the time of making the written request. SOLAS is under no obligation to refund the access fee of €6.35 if it is discovered that no personal data is in fact on record. However, the fee must be refunded if SOLAS does not comply with the request or if it rectifies, supplements or erases the data concerned.
9. What details have SOLAS registered with the Data Protection Commission?
SOLAS is registered as a Data Controller with the Office of the Data Protection Commissioner.
This information is intended only as a general guide and not as a detailed legal analysis. The information should not be used as a substitute for professional advice based on the facts of a particular case.