The increasing awareness of the issue of Data Protection stems from society's transition to a digital age. Our dependence on computers and our growing obsession with social media mean that we continuously leave digital footprints which are not easily erased or forgotten. This leaves us exposed to intrusion and surveillance from unwanted bodies.
Data Protection law in Ireland is governed by the Data Protection Acts 1988 and 2003 together with the European Guidelines, Directives and legislation by which we are also bound. There are three statutory defined parties in data protection legislation, namely the data subject, the data processor and the data controller.
The data subject is the person whose data is being processed, retained or stored.
A data controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files. Being a data controller carries with it serious legal responsibilities, so you should be quite clear if these responsibilities apply to you or your organisation.
If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller. If, on the other hand, you hold the personal data, but some other organisation decides and is responsible for what happens to the data, then that other organisation is the data controller, and your organisation is a “data processor”.
Duties of Data Controllers (Companies), including Financial Brokers and Advisors
You have certain key responsibilities in relation to the information which you keep on computer or in a structured manual file about individuals. These may be summarised in terms of eight “Rules” which you must follow, and which are listed below.
1. Obtain and process the information fairly
2. Keep it only for one or more specified and lawful purposes
3. Process it only in ways compatible with the purposes for which it was given to you initially
4. Keep it safe and secure
5. Keep it accurate and up-to-date
6. Ensure that it is adequate, relevant and not excessive
7. Retain it no longer than is necessary for the specified purpose or purposes
8. Give a copy of his/her personal data to any individual, on request.
These provisions are binding on every data controller. Any failure to observe them would be a breach of the Act.
If you hold or process personal data, but do not exercise responsibility for or control over the personal data, then you are a “data processor”. Examples of data processors include payroll companies, accountants and market research companies, all of which could hold or process personal information on behalf of someone else.
It is possible for one company or person to be both a data controller and a data processor, in respect of distinct sets of personal data. For example, a payroll company would be the data controller in respect of the data about its own staff, but would be the data processor in respect of the staff payroll data it is processing for its client companies.
Responsibilities of data processors
Unlike data controllers, data processors have a very limited set of responsibilities under the Data Protection Act. These responsibilities concern the necessity to keep personal data secure from unauthorised access, disclosure, destruction or accidental loss. In addition, all data processors whose business consists wholly or partly in processing personal data on behalf of data controllers are required to register.
The duties placed on data controllers are not overly onerous if they are properly monitored and regulated. However, many smaller companies are unaware of their obligations under the data protection legislation. Others choose to ignore and disregard them as they feel there are no grave implications for non-compliance. This approach is reckless at best, as the recent fines placed on a number of large corporates signal a clear message from the courts and the Data Protection Commissioner that such breaches will not be tolerated.
Lawlor Kiernan LLP Solicitors & Tax Consultants