Data protection act, 1988

Enactment Date13 July 1988
Act Number25


Number 25 of 1988


DATA PROTECTION ACT, 1988


ARRANGEMENT OF SECTIONS

Preliminary

Section

1.

Interpretation and application of Act.

Protection of Privacy of Individuals with regard to Personal Data

2.

Collection, processing, keeping, use and disclosure of personal data.

3.

Right to establish existence of personal data.

4.

Right of access.

5.

Restriction of right of access.

6.

Right of rectification or erasure.

7.

Duty of care owed by data controllers and data processors.

8.

Disclosure of personal data in certain cases.

The Data Protection Commissioner

9.

The Commissioner.

10.

Enforcement of data protection.

11.

Prohibition on transfer of personal data outside State.

12.

Power to require information.

13.

Codes of practice.

14.

Annual report.

15.

Mutual assistance between parties to Convention.

Registration

16.

The register.

17.

Applications for registration.

18.

Duration and continuance of registration.

19.

Effect of registration.

20.

Regulations for registration.

Miscellaneous

21.

Unauthorised disclosure by data processor.

22.

Disclosure of personal data obtained without authority.

23.

Provisions in relation to certain non-residents and to data kept or processed outside State.

24.

Powers of authorised officers.

25.

Service of notices.

26.

Appeals to Circuit Court.

27.

Evidence in proceedings.

28.

Hearing of proceedings.

29.

Offences by directors, etc., of bodies corporate.

30.

Prosecution of summary offences by Commissioner.

31.

Penalties.

32.

Laying of regulations before Houses of Oireachtas.

33.

Fees.

34.

Expenses of Minister.

35.

Short title and commencement.

FIRST SCHEDULE

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981

SECOND SCHEDULE

The Data Protection Commissioner

THIRD SCHEDULE

Public Authorities and Other Bodies and Persons


Acts Referred to

Central Bank Act, 1971

1971, No. 24

Civil Service Commissioners Act, 1956

1956, No. 45

Civil Service Regulation Acts, 1956 and 1958

Companies Act, 1963

1963, No. 33

Companies Acts, 1963 to 1987

Defence Act, 1954

1954, No. 18

European Assembly Elections Act, 1977

1977, No. 30

European Assembly Elections Act, 1984

1984, No. 6

Interpretation Act, 1937

1937, No. 38

Local Government Act, 1941

1941, No. 23

Official Secrets Act, 1963

1963, No. 1

Petty Sessions (Ireland) Act, 1851

1851, c. 93

Prison Act, 1970

1970, No. 11

Public Offices Fees Act, 1879

1879, c. 58

Statutory Instruments Act, 1947

1947, No. 44


Number 25 of 1988


DATA PROTECTION ACT, 1988


AN ACT TO GIVE EFFECT TO THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA DONE AT STRASBOURG ON THE 28TH DAY OF JANUARY, 1981, AND FOR THAT PURPOSE TO REGULATE IN ACCORDANCE WITH ITS PROVISIONS THE COLLECTION, PROCESSING, KEEPING, USE AND DISCLOSURE OF CERTAIN INFORMATION RELATING TO INDIVIDUALS THAT IS PROCESSED AUTOMATICALLY. [13th July, 1988]

BE IT ENACTED BY THE OIREACHTAS AS FOLLOWS:

Preliminary

Interpretation and application of Act.

1.—(1) In this Act, unless the context otherwise requires—

“appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

“back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;

“civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

“the Commissioner” has the meaning assigned to it by section 9 of this Act;

“company” has the meaning assigned to it by the Companies Act, 1963 ;

“the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;

“the Court” means the Circuit Court;

“data” means information in a form in which it can be processed;

“data controller” means a person who, either alone or with others, controls the contents and use of personal data;

“data equipment” means equipment for processing data;

“data material” means any document or other material used in connection with, or produced by, data equipment;

“data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;

“data subject” means an individual who is the subject of personal data;

“direct marketing” includes direct mailing;

“disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;

“enforcement notice” means a notice under section 10 of this Act;

“financial institution” means—

(a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971 , or

(b) a person referred to in section 7 (4) of that Act;

“information notice” means a notice under section 12 of this Act;

“local authority” means a local authority for the purposes of the Local Government Act, 1941 ;

“the Minister” means the Minister for Justice;

“personal data” means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller;

“prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;

“processing” means performing automatically logical or arithmetical operations on data and includes—

(a) extracting any information constituting the data, and

(b) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller,

but does not include an operation performed solely for the purpose of preparing the text of documents;

“prohibition notice” means a notice under section 11 of this Act;

“the register” means the register established and maintained under section 16 of this Act;

and any cognate words shall be construed accordingly.

(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.

(3) (a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—

(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the authority,

as respects the data concerned.

(b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—

(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the Minister for Defence,

as respects the data concerned.

(c) For the purposes of this Act, as respects any personal data—

(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(iii) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.

(4) This Act does not apply to—

(a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,

(b) personal data consisting of information that the person keeping the data is required by law to make available to the...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT