Data Protection
Author: Mark Farrell
Most of us will be aware of the existence of Data Protection legislation - we are all familiar with the "opt out" boxes that we are invited to tick on application forms and other documents from banks, public agencies, direct mailing companies, etc. But how many of us are aware that the original 1988 Data Protection Act applies to all companies or organisations (including accountancy practices of any size or type) that hold personal information on computer systems? Furthermore, the legislation has just been substantially revised and now (since 1 July 2003) applies to all personal information, whether held in electronic or hard copy format. This has major implications for virtually every company operating in the country today. We need only think of personnel and client files held in traditional paper format to realise the potential impact. In addition, the new legislation has granted the Data Protection Commissioner extensive new powers to monitor compliance and carry out spot checks in order to enforce the legislation.
Basic Principles of Data Protection
There are 8 fundamental principles of Data Protection, which were enshrined in the original Act and are unchanged by the 2003 amendments. In relation to personal data, data controllers must:
(a) obtain and process it fairly
(b) keep it only for one or more specified and lawful purposes
(c) use and disclose it only in ways compatible with those purposes
(d) keep it safe and secure
(e) keep it accurate and up to date
(f) ensure that it is adequate, relevant and not excessive
(g) retain it no longer than is necessary for the purpose for which it was created (see (b) above)
(h) give a copy of it to the individual concerned, upon request.
This means, amongst other things, that data collected for one purpose cannot be used for another, for example data collected for medical records cannot be used to attempt to sell or promote medicines or medical equipment. It also means that records such as client files must only contain data that is relevant to the purpose for which they were created (for example the provision of accounting or auditing services) and that such data must be kept accurate and up to date at all times.
Manual Records
With the extension of data protection legislation to cover manual records, accountancy practices and other companies face a major task in ensuring compliance.
The 2003 Data Protection (Amendment) Act defines manual data as information "kept as part of a relevant filing system, or kept with the intention that it should form part of such a system". It defines a relevant filing system as "any set of information that is structured by reference to individuals ... so that particular information relating to a particular individual is readily accessible". This in effect means any filing system in operation in any company or office, for example a system designed for the storage of personnel files or client files.
The legislation applies to all manual data created on or after 1 July 2003. For manual data created prior to this date, the requirements to keep it accurate, complete and up to date, to ensure that it is adequate, relevant and not excessive, and to retain it for no longer than necessary will apply from 24 October 2007.
Creating Personal Data
In order to comply with the legislation, companies must collect and create personal data in accordance with certain strict provisions. For example, a data subject (i.e. an individual on whom data is held, such as an employee or a client) must be provided with full information about the data controller's identity, the purpose for which the data is being processed and any other information that may be considered to be in the interest of fairness, for example whether the data will be disclosed to other persons and in what circumstances this may happen.
Right of Access
A data subject (for example a client or employee) has the right to inspect data held about them and to request that it be revised, updated or deleted, as appropriate.
Upon receipt of a written request for access, a data controller is obliged to give a data subject access to all personal data held about that individual. This potentially includes records of staff appraisals, complaints, disciplinary procedures, references, etc.
It is therefore essential that employers take care in what information is created and held in personnel and other files. Such data is subject to the basic requirements of data protection, such as ensuring its accuracy and relevance. Such data should not be put to any other uses, other than the stated use for which it was created in the first instance.
Registration
The new legislation also changes the provisions with regard to registration of data controllers. Under the original 1988 Act, data controllers were required to register with the Data Protection Commissioner only if specifically required to do so under Section 16 of the Act. The 2003 Act, however, requires all data controllers to register, unless specifically exempted under regulations issued by the Commissioner. If required to register with the Commissioner, it is an offence for a data controller not to do so. This has major implications for all companies, although it is reportedly the intention of the Commissioner to exempt as many "low risk" data controllers as possible (examples cited being small shops or small businesses that keep only payroll data about staff).
Powers of the Data Protection Commissioner
The powers of the Commissioner have been widened and strengthened under the amended legislation. He will now have the power to carry out investigations as he sees fit in order to ensure compliance and identify breaches of the legislation. The Commissioner can carry out "privacy audits" at random on a targeted, sectoral basis. He will also have the power to prepare codes of practice for guidance in applying the legislation in particular areas. Such codes may be placed before the Oireachtas in order to give them statutory effect. The Commissioner can serve a legal notice compelling a data controller to provide information needed to assist in his enquiries. He can compel a data controller to implement a provision of the legislation and can authorise his officials to enter premises and to inspect personal information held there. A data controller found guilty of an offence under the Act can be fined up to €63,500.
Conclusions
With such widespread powers available to the Commissioner, and such substantial punishments for breaches of the legislation, the consequences of non-compliance could be extremely serious. It is imperative that all companies are aware of their obligations under data protection legislation and that they have the proper records management procedures in place in order to ensure compliance. Data protection does not cut across other record retention requirements. This means that employers should be aware of other record-keeping requirements, such as retaining time-keeping and leave records for a minimum of three years, keeping employment contracts for one year after the individual's employment has ceased, and so on. Allied to the wide range of legislation, directives and regulations now facing Irish businesses, all of this adds up to an absolute requirement to prove compliance through the creation, maintenance and careful management of accurate and reliable records which document and demonstrate the policies, procedures and activities of your business.
Mark Farrell, BA, Dip AS is a professionally qualified records manager and a director of Arcline, Ireland's only dedicated records management consultancy.
Email: markfarrell@arcline.ie