The Minister for Justice recently commenced three previously inactive sections of the Irish Data Protection Acts 1988 and 2003 ("DPA"). The newly-commenced provisions mean that data controllers are now under a wider obligation to notify third party recipients of personal data when that data has been changed or deleted. Employers are also restricted from requiring various individuals in the employment context to make an access request for their personal data.
Notification to third parties - Statutory Instrument 337 of 2014
The DPA now provides specific situations where data controllers must notify certain third parties of changes to data. Previously, only the data subject had to be notified of any such changes. Now, if personal data has been "materially modified", the data controller must notify anyone to whom the controller disclosed the data in the past 12 months.
There are two circumstances where data controllers are obliged to notify the relevant third parties. These are if the changes to data have been made:
i.where the data subject has used their right to request for their data to be corrected or deleted, such as where the data was incorrect or excessive (section 6(2)(b)); or
ii.where the Data Protection Commissioner ("DPC") has issued an enforcement notice to the data controller that has resulted in personal data being changed or deleted (section 10(7)(b)).
The notification must be made within 40 days of either the sending of the access request or compliance with the enforcement notice. However, the responsibility to notify is limited in situations where it "proves impossible or involves disproportionate effort" for the data controller to notify the relevant third parties.
Access requests by employees - Statutory Instrument 338 of 2014
Access requests made in connection with employment have also been affected by these changes. Section 4(13) appears aimed at...