The Data Protection Review Group has issued a consultation paper to invite comment and feedback on a number of data protection related areas. The Review Group was set up by the Minister for Justice, Equality and Law Reform to examine whether changes need to be made to the data protection legislation to deal with data protection breaches. The aim of this consultation is to assist the Review Group in determining how Ireland should formulate the most appropriate legislative response to data breaches. The consultation period ends on Friday 30 October.
Currently in Ireland is there no explicit statutory obligation to notify the Data Protection Commissioner, or any data subject affected, of a data security breach. Some commentators assert that a security-breach notification law is not needed for the simple reason that security breach notification law is already embedded into the principles of the Data Protection Acts 1988 and 2003. Recently, the Data Protection Commissioner issued breach notification guidance which recommends that as soon as a data controller becomes aware that personal data for which it is responsible has been compromised, it should inform the Data Protection Commissioner as part of its response.
The consultation document is set out under three headings; legal issues, technical issues and regulatory issues. The section dealing with legal issues consists of a review of the EU model, a review of EU developments on data breach reporting and a look at the US model among other countries. The paper then reviews practical issues which might arise in the context of any proposed legislation, including mandatory reporting, informed consent and defences.
In terms of technical issues, the paper looks at the challenge of defining the concept of breach amid rapid changes in use and abuse of technology. In terms of regulatory issues around reporting of data breach reporting, the consultation paper sets out a range of possible regulatory options which covers areas such as the determination of a threshold and the level of penalty.
The Review Group stress that submissions need not be limited to the specific options set out or the issues raised in the body of the paper.
To access the Consultation Paper, click here.