THE FOLLOWING INFORMATION IS FROM THE DATA PROTECTION OFFICE
OFFICE OF THE DATA PROTECTION COMMISSIONER
BLOCK 6, FLOOR 3, IRISH LIFE CENTRE,
LOWER ABBEY STREET, DUBLIN 1
TELEPHONE NO. (01) 874 8544
FAX NO. (01) 874 5405
CONTENTS
1. What is Registration?
2. Who are required to register?
3. Multiple/separate registrations - Sect 17 (1) (b) (c)
4. Public Register
5. Status of applicant while the application for registration is pending.
6. How do I renew my registration?
7. “Off Register”
8. Amending your Registration
9. Refusing your application for Registration
10. Completing the Registration Application Form
11. Fees
12. Forms (download from www.dataprotection.ie)
13. Appendix 1
REGISTRATION
Data Protection Acts 1988 & 2003
Section 16
1. What is Registration?
Under the Data Protection Acts 1988 and 2003 certain categories of data controllers who control the contents and use of personal data (Data Controllers) and persons whose business consists wholly or partly in processing such data for others (Data Processors) must register details with the Data Protection Commissioner.
Data Controllers - Form DPA1 registration is a simple process which entails submitting the form to the Data Protection Commissioner setting out the type of personal data you keep on computer, for what purpose/purposes you keep it and to whom the information is disclosed, so that these practices can be made available to the public for viewing (Public Register).
Data Processors - Form DPA 3 registration is even simpler. Submit the form to the Data Protection Commissioner: in Section 1 give your name and address, and in Section 2 state the countries or territories to which you transfer, or intend to transfer, personal data.
2. Who are required to register?
Under Section 16 of the Data Protection Act, 1988, certain categories of data controllers are required to register provided that personal data is being held in an automated form (e.g. on computer). In order for Section 16 of the Data Protection Act to apply, the applicant must have a presence in this State.
Every data controller is bound by data protection requirements. Certain categories of controllers are in addition required to register with the Commissioner. For a list of the categories of data controllers who are required to register please see Appendix 1.
3. Multiple/separate registrations - Sect 17 (1) (b) (c)
If you keep personal data for two or more unrelated purposes, then you are required to apply for a separate registration for each of those unrelated purposes. Separate registrations allow you to reflect the clear distinctions between different databases in your organisation, in terms of the nature and uses of the personal data involved, the assignment of control over and responsibility for the databases, and the legal compliance arrangements.
If you wish to make an application for a separate registration, use the separate registration form DPA2 and remember to complete section 11 of the form which shows the total number of separate registrations for your organisation.
4. Public Register
The register of data controllers and processors is a public register intended to bring transparency to the processing of personal data. All register entries are now available on this office’s website www.dataprotection.ie.
5. Status of applicant while the application for registration is pending.
Under Section 19 of the Data Protection Act, it is an offence to keep personal data unless you are registered. However, an exception is made in the case of persons whose application for registration is pending. Such persons may keep personal data and use it in a way consistent with the details set out in their application, while the application is being considered by the Commissioner.
6. How do I renew my registration?
The registration period is for one year. You are obliged to renew your registration annually. The Commissioner’s office will contact you six weeks prior to this date, and supply you with the required paperwork. The appropriate fee should be included with your signed application for continuance.
7. “Off Register”
If you fail to renew, you will be classified as “Off Register” and your details will be removed from the public register. Any “Off Register” period may remain on file and may be a factor in the investigation of any future complaint.
If you are required to register and fail to do so or fail to renew a registration, then you shall be committing an offence under Section 19 of the Act if you continue to hold or process data. You may be liable to prosecution and a possible fine of up to €100,000.
8. Amending your Registration
The annual process of renewing your registration gives you an opportunity to update your registration details. However, if the details contained in your register entry become out of date during the year, you will need to apply to the Commissioner to have the details amended. This is important because if you are engaging in data handling practices that are not in conformity with the details in your public register entry, you may be committing an offence.
To apply for an amendment to your registration details, complete Form DPA5 and return it to the Data Protection Commissioner along with the amendment fee of €63.49.
9. Refusing your application for Registration
Under Section 17 of the Data Protection Act the Commissioner is required/obliged to accept an application for registration unless he is of the opinion that the details submitted by the applicant are insufficient, that other information requested has not been forthcoming, or that the applicant is likely to contravene any of the provisions of the Act. If the Commissioner’s office has queries regarding the details submitted, the applicant will be contacted to give him the opportunity to resolve the matter.
If sensitive data is held by the data controller, then the Commissioner must not accept the application unless he/she is satisfied that appropriate safeguards for the protection of the privacy of the individuals concerned will be provided.
If your application is rejected you have a right to appeal such a rejection to the Circuit Court within 21 days of receipt of such a notification.
10. Completing the Registration Application Form
Although the registration application form is largely self-explanatory, the following notes indicate the level of detail required to enable your application to be speedily processed. Please note that the suggested answers to particular sections of the form are provided for illustrative purposes only, and you will need to amend and/or supplement them to fit the particular circumstances of your organisation.
You should also note that not all of the details which you provide in your application form will be made available as part of the public register. Only the responses to sections 1 to 6 (inclusive) form part of the public register; the other details are required for the purposes of the office of the Data Protection Commissioner, and will be treated as confidential. For clarity, each section below includes an indication of whether the information under that section forms part of the public register.
FORM DPA1
Section 1: Name & Address
This information forms part of the public register
You should give the registered name of the company or person carrying on business. In the case of a partnership, you should give its name and list each of the partners. Foreign companies who have a presence in the state and who are required to register must put the Irish address in Section 1.
Note: You must keep this office informed of any change of address. Failure to do so is an offence under section 19 of the Act.
Section 2: Contact Person
This information forms part of the public register
You should identify the person to whom members of the public may address any applications for access to their personal data under section 4 of the Act. It is sufficient to identify the contact person by title or position, e.g. “Finance Officer”, “County Secretary”, “Senior Executive Officer”, “Director”, or “Manager” etc. if you wish.
Section 3. Purpose(s) for which you keep or use personal data:-
You should provide a general, but comprehensive, statement of the purposes for which you carry on your business, trade or profession. Here are some examples:
Administration/provision of health services
Administration/provision of life, pension and disability insurance and related services
Administration/provision of local authority services
Provision of banking and related services
Provision of medical care
Provision of dental care
Provision of legal services
The general statement of purposes must be sufficiently comprehensive to cover all the purposes for which the business is carried on since your statement of purposes will be copied into the register and it is an offence to keep or use personal data for any purpose not described in a register entry (section 19(2) (b)).
The requirement to set out publicly your purpose for holding personal data makes an important contribution towards meeting your requirement under section 2 of the Data Protection Act to keep and use personal data ‘only for one or more specified and lawful purposes’. This is a requirement which applies to all data controllers, not just those who are obliged to register.
If the purposes for which personal data are processed are unrelated, then a separate application must be made for each unrelated purpose.
Section 4: Description
This information forms part of the public register
This section is divided into ‘Applications’ and ‘Description of Personal Data’. You are required to identify the various applications, i.e. distinct areas or aspects of your work, for which personal data are held and to detail the types of personal data kept in respect of each such application.
Where the personal data held is what would normally be associated with that scheme or service then it can be described briefly like “contact details” or “income details”. If the data held would not normally be associated with that scheme or service or area of work then that data should be described in detail e.g. PPS Number, Racial Origin etc.
Personal data held for applications which are ancillary to your primary purpose, such as personnel and payroll data, should be recorded separately in the left hand column.
Below are two illustrative lists of:
(i) applications, services, schemes or areas where it is expected that personal data would be held on computer, i.e. appropriate to the left hand column of part 4 of the form.
(ii) brief descriptions of data that might be held in respect of those applications, services, schemes or areas, i.e. appropriate to the right hand column of part 4 of the form.
The lists below contain examples of what might appear in the two columns of part 4. Complete part 4 using your own knowledge of your business/organisation describing the data you process on computer. In the table below the personal data descriptions on the right are not matched to the “applications” on the left. When filling out the form you should match the information in both columns.
| Application, Service, Scheme or Area where personal data is kept on computer | Description of Personal Data held |
| --- | --- |
| Savings & Loans | Contact Details |
| Insurance & Pensions | Income Details |
| Finance & Investment | PPSN |
| Human Resources | Occupation |
| Payment Services | Property owned |
| Training | Employment status |
| Customer/Client/Patient Records | Financial details/circumstances |
| Appointment Systems | CV/Qualifications |
| Planning Application | Disability Information |
| Grants | Personal data in respect of case/transaction/proceedings being undertaken |
| Banking Services | Medical history |
| Security | Amount of debt and circumstances |
| Volunteers/Voluntary Workers | Next of Kin |
| Library Services | Marital Status |
| | Transaction Details |
| | Employment records |
| | CCTV Images |
Keeping personal data of any description other than that specified in the register entry may involve an offence under section 19 of the Act.
Section 5: Disclosures
This information forms part of the public register
Section 2 of the Act requires inter alia that any disclosure of the data must be compatible with your specified purpose for holding the data. You should list in this section any third parties to whom you make such disclosures. You should note that the inclusion of a particular disclosure in your registration does not, of itself, make disclosure to that person legitimate.
In case of doubt, it is advisable to list the disclosure in any event.
Example: Possible disclosures are given below for illustrative purposes.
| Service/Scheme/Area | Disclosees |
| --- | --- |
| Savings & Loans | Local Government Computer Services Board |
| Insurance & Pensions | Health Boards |
| Finance & Investment | Local Authorities |
| Human Resources | Government Departments |
| Payment Services | An Bord Pleanala |
| Training | Environmental Protection Agency |
| Customer/Client Records | Housing Finance Agency |
| Appointment Systems | National Building Agency |
| Planning Application | Banks and insurance companies |
| Grants | Money advice and Budgeting Service |
| Banking Services | Homeless Agency |
| Security | Debt collection agency |
| Volunteers/Voluntary Workers | Computer maintenance personnel |
| Library Services | Revenue Commissioners |
| | Irish Financial Services Regulatory Authority |

Note: Knowingly to disclose personal data to a person who is not described in the entry, other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of the Act, may involve an offence under section 19 of the Act.
· made at the request or with the consent of the data subject, or to a person acting on his/her behalf
· required by or under any enactment or court order
· required urgently to protect someone’s health or property
· required for the purposes of preventing, detecting or investigating offences, or assessing or collecting taxes
Section 6: Transfers abroad
This information forms part of the public register
This section relates only to personal data when transferred abroad.
Example: A possible transfer of personal data is given below for illustrative purposes
Application: personnel / payroll / administration

| Country | Description of data | Purpose of transfer |
| --- | --- | --- |
| UK | Staff name, personnel/payroll number, salary details | Payroll administration |
This information DOES NOT form part of the public register
‘Sensitive data’ means any data of the types listed in section 16(1) (c) of the Data Protection Act i.e. racial origin, political opinions, religious beliefs, other beliefs, physical or mental health, sexual life or criminal convictions. This section must be completed where such sensitive types of personal data are held. If the nature of your business is such that you may potentially hold all categories of sensitive personal data at some point, then it is advisable to select all categories.
You should also indicate the measures you have taken to protect the privacy of the individuals about whom you keep sensitive data. You should note, in this regard, your legal obligation to use security measures that are appropriate to the sensitivity of the personal data in question. You should also note that the Commissioner is precluded under section 17(3) of the Data Protection Act from accepting an application unless he is satisfied that adequate safeguards are in place.
Example: Minimum security arrangements would normally include the following -
Physical Safeguards - ‘Access to computers is restricted to authorised personnel only, premises alarmed and secure when not occupied’.
Technical Safeguards - ‘Access to computer system is password-protected, PC workstation is subject to password-protected lock-out after period of inactivity, anti-virus software is in use, a firewall is used to protect systems connected to the internet.’ [Note: for especially sensitive data, it is also advisable to use additional technical safeguards, such as routine encryption of files and multi-level access control.]
Section 8: Public Information
This information DOES NOT form part of the public register
e.g. For local authorities this would include the electoral register.
This information DOES NOT form part of the public register
You should only tick ‘Yes’ if part of your business is processing personal data on behalf of a client, as may for example arise in the case of financial, accounting and tax-related practices.
This information DOES NOT form part of the public register
You should give the name and/or job status of the individual in your organisation who will supervise the application of the Act within your firm, and the person to whom this Office will address correspondence relating to your application.
11. Fees
Payment of the relevant fee must accompany the application. We are not currently in a position to accept electronic fund transfer.
Payment should be made using a cheque, money order, postal order, payable order or bank draft (please avoid paying by cash if possible). Cheques should be made payable to the “Data Protection Commissioner”. Foreign cheques will not be accepted due to the clearing charges involved; this does not apply to sterling cheques drawn on a bank in the UK and to US dollar cheques drawn on a bank in the USA.
Current fees:
€ 317.43 for applicants with more than 25 employees,
€ 63.49 for applicants with between 6 and 25 employees,
€ 25.37 in all other cases.
The number of employees should include the data controller/processor/partners but should not include voluntary workers. Calculations for part time workers are based on a full time worker working a 36 hour week.
12. Forms
Form DPA1 Registration as a data controller (or as both a data controller and a data processor)
Form DPA2 Registration as a data controller (or both a data controller and data processor) who is required to register, if you are keeping personal data for two or more purposes, and you wish to have separate registrations
Form DPA 3 Registration as a data processor
Form DPA 4 Application for Continuance of Registration
Form DPA 5 Application for alterations/amendments in Registration particulars
13. Appendix 1
Those who have to register are data controllers who are public bodies and persons referred to in the Third Schedule of the Data Protection Act 1988.
(1) Third Schedule
1. The Government
2. A Minister of the Government
3. The Attorney General
4. The Comptroller and Auditor General
5. The Ombudsman
6. A local authority, a health board and any other body (other than the Garda Siochana and the Defence Forces) established-
(1) by or under any enactment (other than the Companies Acts, 1963 to 1987), or
(2) under the Companies Acts, 1963 to 1987, in pursuance of powers conferred by or under another enactment, and financed wholly or partly by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, and a subsidiary of any such body.
7. A company the majority of the shares in which are held by or on behalf of a Minister of the Government.
8. A body (other than a body mentioned in paragraph 6 or 7 of this Schedule) appointed by the Government or a Minister of the Government.
9. An individual (other than an individual remunerated by a body mentioned in paragraph 6, 7 or 8 of this Schedule or in relation to whom the Government or a Minister of the Government is the appropriate authority) who is appointed by the Government or a Minister of the Government to an office established by or under any enactment.
10. Any other public authority, body or person standing prescribed for the time being and financed or remunerated wholly or partly out of moneys provided by the Oireachtas.
(2) Financial Institution -
(a) a person who holds/has held a Banking Licence from the Central Bank
(b) a person referred to in Section 30 of the Central Bank Act 1989, including
· the Post Office Savings Bank
· a Building Society
· an Industrial and Provident Society
· a Friendly Society
· a Credit Union
· the manager or trustee under a unit trust or collective investment scheme in respect of the carrying on of the business of the Scheme.
(3) Insurance Companies
Persons holding authorisations under the European Communities (Non-Life) Insurance Regulations, 1976 (S.I. No. 115 of 1976) or the European Communities (Life Assurance) Regulations, 1984 (S.I. No.57 of 1984).
(4) Data controllers whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts.
(5) Data controllers who keep personal data relating to
· racial origin
· political opinion
· religious or other beliefs
· physical or mental health (other than as kept in respect of your employees in the normal course of personnel administration and not used or disclosed for any other purpose)
· sexual life
· criminal convictions
(6) Data controllers -
Internet access providers, i.e. who are wholly or partly in the business of providing individuals with a connection to the internet, and who keep personal data relating to such individuals.
Telecommunications service providers, i.e. one who is required to notify the Commission for Communications Regulation under S.I. 306 of 2003 of his or her intention to provide an electronic communications network or an electronic communications service, and who holds personal data relating to a person to whom a network, service or system is provided under such an authorisation.
(7) Data processors whose business consists wholly or partly in processing personal data on behalf of data controllers are also required to register.




