A new statutory instrument has been created to ensure that personal data collected and stored by internet access providers and telecommunications service providers is specifically subject to regulatory oversight.
The new regulations were signed on January 9 2001 and came into operation on January 10 2001. The statutory instrument was made by the data protection commissioner, with the consent of the minister for justice, equity and law reform under the powers of the Data Protection Act 1988.
The regulations provide for the registration, under Section 16 of the Data Protection Act 1988, of persons who provide telecommunications services and internet access services, and who keep personal data relating to users of those services.
'Personal data' is defined by the act as data "relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller". Such data must now be described in an entry registered with the state-appointed data commissioner's register.
Data controllers who fail to register such data are guilty of an offence. If an offence is committed under the Data Protection Act then the guilty party is liable on summary conviction to a fine not exceeding £1000 or, on conviction on indictment, to a fine not exceeding £50,000. Further, the court may order that any data connected to the offence becomes forfeited and must be destroyed. Officers of a company, including the directors, can be found guilty of offences under the act if an offence was committed "with the consent or connivance of", or can be "attributable to any neglect on the part of", the officer. Offences which can be committed under the Irish legislation include:
- failure to register sensitive personal data with the data commissioner;
- failure to comply with an order of the data commissioner;
- attempting to mislead the data commissioner; or
- obtaining unauthorized access to personal data and disclosing it.
Data subjects in this jurisdiction have rights under Irish law regarding such data, including the right to:
- establish the existence of data files relating to them, including a description of the data and the purposes for which it is kept;
- access such records and copy any such files;
- rectify or erase data where there has been a contravention by the data controller of the statutory terms relating to collecting, keeping, use or disclosure of personal data; and
- require that the data controller cease to use the data for the purposes of direct marketing.
Data controllers owe an express statutory duty of care to data subjects regarding the personal data collected. Therefore, where a data subject believes that he or she has suffered damage due to a breach of this duty, he or she may sue for damages through the courts.
Where representations are made in relation to the uses to which personal data supplied by a data subject will be used, then there will also be an implicit (or possibly even explicit) contract that the personal data only be used in accordance with the terms of such an agreement. If the data controller does not observe these terms, the data subject may also sue for breach of contract. The use of personal data without authorization may also breach the common law duty of confidentiality. A breach of this duty which is found to exist in the particular circumstances of the case will give rise to a cause of action.
For further information on this topic please contact David Sanfey at A & L Goodbody by telephone (+353 1 649 2000) or by fax (+353 1 649 2649) or by e-mail ([email protected]).
The materials contained on this web site are for general information purposes only and are subject to the disclaimer.