Sections 2 and 4 of the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003 (the “Acts”) impose important responsibilities on data controllers in relation to the protection of personal data kept by them. These responsibilities are summarised in the 8 Data Protection Principles and the Data Protection Commissioner takes a breach of any of these principles very seriously. As such, special attention should be afforded to ensuring that your firm is not in breach.
Compliance with the 8 Data Protection Principles should be subject to regular review and testing by your firm. This can be done in the form of a self-audit.
The 8 Data Protection Principles are as follows:
Principle 1: Personal data must be obtained and processed fairly.
Principle 2: Data must be kept only for specified, explicit and legitimate purpose(s).
Principle 3: Data must not be used or disclosed in a manner incompatible with those purposes.
Principle 4: Data must be protected against unauthorised access, alteration, disclosure or destruction, or unlawful processing.
Principle 5: Data must be accurate, complete and, where necessary, kept up to date.
Principle 6: Data must be adequate, relevant and not excessive in relation to the purpose for which it is collected.
Principle 7: Data must not be kept for longer than is necessary.
Principle 8: Data must be disclosed to the data subject on request, and corrected or destroyed where they so request.
The Data Protection Commissioner publishes annual reports in which he outlines a number of case studies concerning data breaches handled by his Office each year. He also names the entities involved in each case study.
Further information can be found at www.dataprotection.ie.