Ireland - Data Protection
History of Data Protection in IRELAND
The Irish Data Protection Act 1988 was passed on 13 July 1988, and came into full force on 19 April 1989. This Act established the Irish Data Protection Commission.
The Irish legislation was updated in 2003 by the Data Protection (Amendment) Act. This Act incorporates Directive 95/46/EC into Irish law.
Summary of Data Protection in IRELAND
| Title of Data Protection Legislation | Data Protection Act 1988 |
| Name of supervisory authority | Data Protection Commission |
| General Powers of supervisory authority | Section 9 of the Act establishes the Commissioner. Section 10 outlines that the commissioner can investigate suspected breaches on his own initiative or following a compliant. The Commissioner can request compliance with a provision of the Act (s10(2)) Section 13(1) reads "The Commissioner shall encourage trade associations and other bodies representing categories of data controllers to prepare codes of practice to be complied with by those categories in dealing with personal data". |
| Who has standing to notify the supervisory authority of breaches? | The data subject |
| What are the penalties for data controllers if they breach the law? | Section 31 of the 1998 Act outlines the penalties for breaches. They include fines (s31(1)) and the destruction or forfeiture of the data concerned (s31(2)). |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Although there is a national ID number system- Personal Public Service Number (PPSN)- no formal system exists. While rules do exist governing its use, these are not covered by the data protection legislation. For example, S.14(1) of the Social Welfare Act 1998 makes it an offence to use a PPSN or to seek to have a PPSN disclosed. |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | Anybody |
Laws and Regulations
- Data Protection Act 1988
- Data Protection (Amendment) Act 2003
- Consolidated version of both Acts
- European Communities (Data Protection) Regulations 2001 (S.I. No. 2) - gives effect to some parts of the Data Protection Directive
- Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989)
- Data
Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No.
83 of 1989)