Data Protection: 10 Facts You or Your Business Need to Know

  1. Are you a “data controller”? If you or your business keep personal information about individuals and you control how it is kept and used then you are a data controller and the Data Protection Acts apply to you.
  2. Any data you hold must have been obtained for one or more specific and legitimate purposes, and can’t be used for any other reason which is not compatible with the original purpose. So for example you can’t obtain information from individuals for marketing purposes and then sell that information to another company for profit.
  3. If you have data about an individual which is only used for the purposes of direct marketing, the individual can request you in writing to cease using it for that purpose. You have 40 days to do so. In other words, offer an “opt out”.
  4. Once you have an individual’s data and you have become a data controller, you can only process that data once certain conditions are met. In general, in a business sense, these will be met where you have obtained information in order to fulfil an order or provide the services of your business. In other situations different considerations may apply.
  5. As a data controller you have to make sure that you take all reasonable steps to provide for the security of the information you have obtained, especially if that data is transmitted over a network. The measures you take must be appropriate having regard to the state of technological development, the cost of implementing the best measures and the nature of the data itself.
  6. If you outsource any element of your work and you transmit data to another business for that purpose, that business will be a “data processor”. The law requires you to ensure that the data processor complies with all elements of the Act, including in its security measures. If you outsource any work you should therefore ensure that you have a contract in place which deals with these requirements.
  7. As a data controller, you owe a duty of care to the individual whose data you control. The Acts essentially say that if you comply with the Acts then you will have fulfilled this duty. If you haven’t complied with the Acts then you could be leaving yourself open to difficulties.
  8. The Acts have implications regarding recruitment and employment practices. For example, due to recent changes it is now illegal to compel potential employees to obtain access to information held in relation to them by the Gardai.
  9. The Data Protection Commission is the body responsible for ensuring that all data controllers comply with the Acts and for prosecuting offences under the Acts.
  10. If you want to check that you’re in compliance with the Acts, give us a call or contact us at [email protected].

David Reilly

We specialise in Commercial and Technology Law. If you wish to discuss any of the above, please call us on 023 99 21919 or on 086 252 9483 or email us on [email protected] – we regularly advise on software and all types of commercial and IT contracts.