Data Protection Act 1988


Number 25 of 1988


DATA PROTECTION ACT 1988

REVISED

Updated to 25 May 2018


This Revised Act is an administrative consolidation of the Data Protection Act 1988. It is prepared by the Law Reform Commission in accordance with its function under the Law Reform Commission Act 1975 (3/1975) to keep the law under review and to undertake revision and consolidation of statute law.

All Acts up to and including Data Protection Act 2018 (7/2018), enacted 24 May 2018, and all statutory instruments up to and including Data Protection Act 2018 (Establishment Day) Order 2018 (S.I. No. 175 of 2018), made 24 May 2018, were considered in the preparation of this Revised Act.

Disclaimer: While every care has been taken in the preparation of this Revised Act, the Law Reform Commission can assume no responsibility for and give no guarantees, undertakings or warranties concerning the accuracy, completeness or up to date nature of the information provided and does not accept any liability whatsoever arising from any errors or omissions. Please notify any errors, omissions and comments by email to

revisedacts@lawreform.ie.


Number 25 of 1988


DATA PROTECTION ACT 1988

REVISED

Updated to 25 May 2018


Introduction

This Revised Act presents the text of the Act as it has been amended since enactment, and preserves the format in which it was passed.

Related legislation

Data Protection Acts 1988 to 2018 : this Act is one of a group of Acts included in this collective citation ( Data Protection Act 2018 (s. 1(2)). The Acts in the group are:

Data Protection Act 1988 (25/1988)

Data Protection Act 2003 (6/2003)

Data Protection Act 2018 (7/2018)

Annotations

This Revised Act is annotated and includes textual and non-textual amendments, statutory instruments made pursuant to the Act and previous affecting provisions.

An explanation of how to read annotations is available at

www.lawreform.ie/annotations.

Material not updated in this revision

Where other legislation is amended by this Act, those amendments may have been superseded by other amendments in other legislation, or the amended legislation may have been repealed or revoked. This information is not represented in this revision but will be reflected in a revision of the amended legislation if one is available.

Where legislation or a fragment of legislation is referred to in annotations, changes to this legislation or fragment may not be reflected in this revision but will be reflected in a revision of the legislation referred to if one is available.

A list of legislative changes to any Act, and to statutory instruments from 1984, may be found linked from the page of the Act or statutory instrument at

www.irishstatutebook.ie.

Acts which affect or previously affected this revision

Data Protection Act 2018 (7/2018)

Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018)

National Shared Services Office Act 2017 (26/2017)

Prisons Act 2015 (57/2015)

Communications Regulation (Postal Services) (Amendment) Act 2015 (20/2015)

Customs Act 2015 (18/2015)

Freedom of Information Act 2014 (30/2014)

Health Identifiers Act 2014 (15/2014)

Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014)

Local Government Reform Act 2014 (1/2014)

Credit Reporting Act 2013 (45/2013)

Courts and Civil Law (Miscellaneous Provisions) Act 2013 (32/2013)

Health (Alteration of Criteria for Eligibility) Act 2013 (10/2013)

Personal Insolvency Act 2012 (44/2012)

Property Services (Regulation) Act 2011 (40/2011)

Student Support Act 2011 (4/2011)

National Asset Management Agency Act 2009 (34/2009)

Criminal Justice (Miscellaneous Provisions) Act 2009 (28/2009)

Nursing Homes Support Scheme Act 2009 (15/2009)

Criminal Justice (Mutual Assistance) Act 2008 (7/2008)

Medical Practitioners Act 2007 (25/2007)

Europol (Amendment) Act 2006 (37/2006)

Electoral (Amendment) Act 2006 (33/2006)

Planning and Development (Strategic Infrastructure) Act 2006 (27/2006)

Disability Act 2005 (14/2005)

Health Act 2004 (42/2004)

Public Service Management (Recruitment and Appointments) Act 2004 (33/2004)

Commissions of Investigation Act 2004 (23/2004)

Public Service Superannuation (Miscellaneous Provisions) Act 2004 (7/2004)

Civil Registration Act 2004 (3/2004)

Data Protection (Amendment) Act 2003 (6/2003)

Residential Institutions Redress Act 2002 (13/2002)

Customs and Excise (Mutual Assistance) Act 2001 (2/2001)

Planning and Development Act 2000 (30/2000)

Commission to Inquire into Child Abuse Act 2000 (7/2000)

British-Irish Agreement Act 1999 (1/1999)

Europol Act 1997 (38/1997)

Health (Provision of Information) Act 1997 (9/1997)

Refugee Act 1996 (17/1996)

Statistics Act 1993 (21/1993)

All Acts up to and including Data Protection Act 2018 (7/2018), enacted 24 May 2018, were considered in the preparation of this revision.

Statutory instruments which affect or previously affected this revision

Data Protection Act 1988 (Section 2 B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016)

Data Protection Act 1988 (Section 2 B) Regulations 2016 (S.I. No. 426 of 2016)

Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016)

Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015)

Data Protection Act 1988 (Commencement) Order 2014 (S.I. No. 337 of 2014)

European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014)

European Union (Good Agricultural Practice for Protection of Waters) Regulations 2014 (S.I. No. 31 of 2014)

Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013)

Data Protection Act 1988 (Section 2B) Regulations 2012 (S.I. No. 209 of 2012)

Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011)

Finance (Transfer of Departmental Administration and Ministerial Functions) Order 2011 (S.I. No. 418 of 2011)

European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011)

European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2010 (S.I. No. 610 of 2010)

European Communities (Data Collection in the Fisheries Sector) Regulations 2010 (S.I. No. 132 of 2010)

Data Protection Act 1988 (Section 5(1)(d)) (Specification) Regulations 2009 (S.I. No. 421 of 2009)

European Communities (Payment Services) Regulations 2009 (S.I. No. 383 of 2009)

European Communities (Good Agricultural Practice For Protection of Waters) Regulations 2009 (S.I. No. 101 of 2009)

European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008)

Data Protection (Processing of Genetic Data) Regulations 2007 (S.I. No. 687 of 2007)

Data Protection (Fees) Regulations 2007 (S.I. No. 658 of 2007)

Data Protection Act 1988 (Section 16(1)) Regulations 2007 (S.I. No. 657 of 2007)

European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2005 (S.I. No. 788 of 2005)

European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2006 (S.I. No. 378 of 2006)

Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004 (S.I. No. 254 of 2004)

European Communities (Clinical Trials on Medicinal Products For Human Use) Regulations 2004 (S.I. No. 190 of 2004)

European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (S.I. No. 535 of 2003)

European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003)

European Communities (Data Protection and Privacy in Telecommunications) Regulations 2002 (S.I. No. 192 of 2002)

European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001)

Data Protection (Registration) Regulations 2001 (S.I. No. 2 of 2001)

Data Protection (Fees) Regulations 1996 (S.I. No. 105 of 1996)

Data Protection Commissioner Superannuation Scheme 1993 (S.I. No. 141 of 1993)

Data Protection Act 1988 (Section 5(1)(d) (Specification) Regulations 1993 (S.I. No. 95 of 1993)

Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990)

Data Protection Act 1988 (Section 5(1)(d)) (Specification) Regulations 1989 (S.I. No. 84 of 1989)

Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989)

Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989)

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989 (S.I. No. 81 of 1989)

Data Protection (Registration) Regulations 1988 (S.I. No. 351 of 1988)

Data Protection (Registration Period) Regulations 1988 (S.I. No. 350 of 1988)

Data Protection Act (Commencement) Order 1988 (S.I. No. 349 of 1988)

Data Protection (Fees) Regulations 1988 (S.I. No. 347 of 1988)

All statutory instruments up to and including Data Protection Act 2018 (Establishment Day) Order 2018 (S.I. No. 175 of 2018), made 24 May 2018, were considered in the preparation of this revision.


Number 25 of 1988


DATA PROTECTION ACT 1988

REVISED

Updated to 1 January 2018


ARRANGEMENT OF SECTIONS

Preliminary

Section

1.

Interpretation and application of Act.

Protection of Privacy of Individuals with regard to Personal Data

2.

Collection, processing, keeping, use and disclosure of personal data.

2A.

Processing of personal data.

2B.

Processing of sensitive personal data.

2C.

Security measures for personal data.

2D.

Fair processing of personal data.

3.

Right to establish existence of personal data.

4.

Right of access.

5.

Restriction of right of access.

6.

Right of rectification or erasure.

6A.

Right of data subject to object to processing likely to cause damage or distress.

6B.

Rights in relation to automated decision taking.

7.

Duty of care owed by data controllers and data processors.

8.

Disclosure of personal data in certain cases.

The Data Protection Commissioner

9.

The Commissioner.

10.

Enforcement of data protection.

11.

Prohibition on transfer of personal data outside State.

12.

Power to require information.

12A.

Prior checking of processing by Commissioner.

13.

Codes of practice.

14.

Annual report.

15.

Mutual assistance between parties to Convention.

Registration

16.

The register.

17.

Applications for registration.

18.

Duration and continuance of registration.

19.

Effect of registration.

20.

Regulations for registration.

Miscellaneous

21.

Unauthorised disclosure by data processor.

22.

Disclosure of personal data obtained without authority.

22A.

Journalism, literature and art.

23.

Provisions in relation to certain non-residents and to data kept or processed outside State.

24.

Powers of authorised officers.

25.

Service of notices.

26.

Appeals to Circuit Court.

27.

Evidence in proceedings.

28.

Hearing of proceedings.

29.

Offences by directors, etc., of bodies corporate.

30.

Prosecution of summary offences by Commissioner.

31.

Penalties.

32.

Laying of regulations before Houses of Oireachtas.

33.

Fees.

34.

Expenses of Minister.

35.

Short title and commencement.

FIRST SCHEDULE

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981

SECOND SCHEDULE

The Data Protection Commissioner

THIRD SCHEDULE

Public Authorities and Other Bodies and Persons


Acts Referred to

Central Bank Act, 1971

1971, No. 24

Civil Service Commissioners Act, 1956

1956, No. 45

Civil Service Regulation Acts, 1956 and 1958

Companies Act, 1963

1963, No. 33

Companies Acts, 1963 to 1987

Defence Act, 1954

1954, No. 18

European Assembly Elections Act, 1977

1977, No. 30

European Assembly Elections Act, 1984

1984, No. 6

Interpretation Act, 1937

1937, No. 38

Local Government Act, 1941

1941, No. 23

Official Secrets Act, 1963

1963, No. 1

Petty Sessions (Ireland) Act, 1851

1851, c. 93

Prison Act, 1970

1970, No. 11

Public Offices Fees Act, 1879

1879, c. 58

Statutory Instruments Act, 1947

1947, No. 44


Number 25 of 1988


DATA PROTECTION ACT 1988

REVISED

Updated to 1 January 2018


AN ACT TO GIVE EFFECT TO THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA DONE AT STRASBOURG ON THE 28TH DAY OF JANUARY, 1981, AND FOR THAT PURPOSE TO REGULATE IN ACCORDANCE WITH ITS PROVISIONS THE COLLECTION, PROCESSING, KEEPING, USE AND DISCLOSURE OF CERTAIN INFORMATION RELATING TO INDIVIDUALS THAT IS PROCESSED AUTOMATICALLY. [13 th July, 1988]

BE IT ENACTED BY THE OIREACHTAS AS FOLLOWS:

Annotations:

Modifications (not altering text):

C1

Prospective affecting provision: application of collectively cited Data Protection Acts 1988 and 2003 extended with any necessary modifications by Criminal Justice (Miscellaneous Provisions) Act 2009 (28/2009), s. 23(2), not commenced as of date of revision.

Data Protection.

23.— (1) The Data Protection Commissioner is hereby designated as the national supervisory authority for the purposes of Article 60 of the Council Decision and Article 114 of the Schengen Convention.

(2) The Data Protection Acts 1988 and 2003 shall apply and have effect with any necessary modification to the collection, processing, keeping, use and disclosure of personal data for the purposes of the operation of the Council Decision and the Schengen Convention.

...

C2

Application of Act extended (28.05.2018) by Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018), s. 8, S.I. No. 178 of 2018.

Application of Data Protection Act 1988

8. The Data Protection Act 1988, shall apply to the processing of personal data supplied or received under this Act and, for the purposes of the application of the Data Protection Act 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to this Act or the provisions of this Act.

C3

Application of Act restricted (25.05.2018) by Data Protection Act 2018 (7/2018), s. 8, S.I. No. 174 of 2018.

Application of Data Protection Act 1988

8. (1) Subject to this section, the Act of 1988 shall, on and from the date on which this section comes into operation, cease to apply to the processing of personal data (within the meaning of that Act) other than—

(a) the processing of such data for the purposes of safeguarding the security of the State, the defence of the State or the international relations of the State, or

(b) the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 to the extent that the Act of 1988 is applied in those Acts.

(2) The Act of 1988 shall apply to—

(a) a complaint by an individual under section 10 of that Act made before the commencement of this section, and

(b) a contravention of that Act that occurred before such commencement.

(3) An investigation under section 10 of the Act of 1988 that was begun but not completed before the commencement of this section shall be completed in accordance with that Act and that Act shall apply to such an investigation.

C4

Reference to “Commissioner” construed (25.05.2018, establishment day) by Data Protection Act 2018 (7/2018), s. 14(3)), subs. (4) and S.I. No. 175 of 2018.

Transfer of functions of Data Protection Commissioner to Commission

...

(3) A reference in the Act of 1988 (other than in section 1(3)(c)(iii) in so far as it refers to the Commissioner of the Garda Síochána) to the Commissioner shall be construed as a reference to the Commission.

(4) This section shall come into operation on the establishment day.

C5

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (1.01.2018) by National Shared Services Office Act 2017 (26/2017), s. 35(1), S.I. No. 579 of 2017.

Sharing of data

35. (1) Notwithstanding anything contained in the Data Protection Acts 1988 and 2003 or any other enactment, the data controller of Oifig an Ard-Chláraitheora (the first-named person) shall provide to the data controller of the Office such of the following certificates capable of being produced by the first-named person as may be requested by the data controller of the Office, if the first-named person is satisfied that the certificate will be used for a relevant purpose only—

(a) a birth certificate relating to a child of a member of staff of a public service body,

(b) a marriage certificate relating to a member of staff of a public service body,

(c) a death certificate relating to a member of staff of a public service body.

(2) Any provision of documents for the purposes of subsection (1) shall go no further than is reasonably necessary for the attainment of the relevant purpose.

(3) The data controller of Oifig an Ard-Chláraitheora may refuse a request under subsection (1) if he or she is satisfied that it would be unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.

...

C6

Application of collectively cited Data Protection Acts 1988 and 2003 extended with any necessary modifications (31.12.2016) by Customs Act 2015 (18/2015), s. 41(4), (5), S.I. No. 611 of 2016.

Naples II Convention and CIS Decision

41. ...

(4) For the purposes of this Act, the Naples II Convention and the CIS Decision, the Data Protection Acts 1988 and 2003 shall apply and have effect, with any necessary modifications, to the collection, processing, keeping, use or disclosure of personal data.

(5) Without prejudice to the generality of subsection (4) , for the purposes of—

(a) Article 30 of the CIS Decision, and

(b) Article 25 of the Naples II Convention,

section 7 of the Data Protection Act 1988 shall apply as regards the liability of the State for injury caused to a person through the use of the CIS in the State, and for injury caused to a person through the processing of data communicated in the State, respectively.

...

C7

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (28.01.2014) by European Union (Good Agricultural Practice for Protection of Waters) Regulations 2014 (S.I. No. 31 of 2014), reg. 31.

Compliance with Data Protection Acts

31. The provision of information by a local authority, the Agency or the Minister for Agriculture, Food and the Marine in accordance with Article 27, 29 or 30 of these Regulations shall not be a breach of the Data Protection Acts, 1988 and 2003.

C8

Application of Act restricted by Personal Insolvency Act 2012 (44/2012), s. 21A, as inserted (31.07.2013) by Courts and Civil Law (Miscellaneous Provisions) Act 2013 (32/2013), s. 47, S.I. No. 286 of 2013.

Retention of information by Insolvency Service

21A. Notwithstanding the Data Protection Act 1988, the Insolvency Service shall retain such information or data obtained by it under this Act as is necessary for the performance of its functions under this Act.

C9

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (19.04.2013) by Health (Alteration of Criteria for Eligibility) Act 2013 (10/2013), s. 8(4), S.I. No. 133 of 2013

Furnishing of personal data to and by Health Service Executive in certain circumstances.

8.— ...

(4) Notwithstanding anything contained in the Data Protection Acts 1988 and 2003, but subject to this section, a person who receives a request made in accordance with subsection (1), (2) or (3) shall comply with that request and shall do so in accordance with an agreement entered into under subsection (5) between the person and the person who made the request.

...

C10

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (27.06.2011) by Student Support Act 2011 (4/2011), s. 28(1), S.I. No. 303 of 2011.

Processing of personal data.

28.— (1) Notwithstanding anything contained in the Data Protection Acts 1988 and 2003 or any other enactment, the data controller of a person listed in Schedule 2, or of a person prescribed for the time being under subsection (2) (in this subsection called “the first named person”) shall on being requested to do so by the data controller of a person so listed or prescribed, process personal data kept by the first named person, or information extracted from such data, to the data controller of the other person so listed or prescribed for the time being, if the data controller of the first named person is satisfied that it will be used for a relevant purpose only.

...

C11

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (23.03.2010) by European Communities (Data Collection in the Fisheries Sector) Regulations 2010 (S.I. No. 132 of 2010), reg. 7.

Obligations on certain public bodies

7. Notwithstanding the Data Protection Acts 1998 and 2003, the Sea Fisheries Protection Authority, the Marine Institute, Bord Iascaigh Mhara and the Minister shall make available to a data collection officer such data relating to activities referred to in Regulations 3, 4 or 5 as is available.

...

C12

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (21.12.2009) by National Asset Management Agency Act 2009 (34/2009), s. 201, S.I. No. 545 of 2009.

Operation of Data Protection Acts 1988 and 2003.

201.— To avoid doubt, an obligation on a credit institution or any other person under this Act to disclose information to NAMA, a NAMA group entity or the NTMA extends to personal information, within the meaning of the Data Protection Acts 1988 and 2003.

...

C13

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (27.10.2009) by Nursing Homes Support Scheme Act 2009 (15/2009), ss. 26 and 45, S.I. No. 423 of 2009.

Collection of monies advanced by way of ancillary State support.

26.— ...

(12) This section applies notwithstanding any provision of the Data Protection Acts 1988 and 2003.

...

Records.

45.— (1) Notwithstanding any provision of the Data Protection Acts 1988 to 2003, the Executive may, in accordance with this section, access and process any relevant records for the purposes of this Act.

...

C14

Application of Act restricted and application of Act confirmed (1.09.2008) by Criminal Justice (Mutual Assistance) Act 2008 (7/2008), ss. 94, 107 and sch. 14, S.I. No. 338 of 2008.

Application in State of Ireland - US Treaty.

94.—(1) The Ireland - US Treaty has the force of law in its application in relation to the State.

...

(5) Article 7, in its application in relation to the use of personal data contained in evidence or information obtained under the Treaty by a person in the State, is without prejudice to the application of section 7 (duty of care owed by data controllers and data processors) of the Data Protection Act 1988 in respect of the use of such data.

(6) The Data Protection Acts 1988 and 2003 apply in relation to such data in respects other than those related to their use.

...

Personal data protection.

107.— (1) The provisions of the relevant international instrument have effect in respect of the use of personal data communicated to or otherwise obtained by a person in the State under the instrument.

2) Subsection (1) is without prejudice to the application of section 7 (duty of care owed by data controllers and data processors) of the Data Protection Act 1988 in respect of the use of such data.

3) The Data Protection Acts 1988 and 2003 apply in relation to such data in respects other than those relating to their use.

...

SCHEDULE 14

Text of Ireland/US Treaty of 18 January 2001, as applied by Instrument of 14 July 2005

...

Article 7

1. The Requesting Party may use any evidence or information obtained from the Requested Party:

(a) for the purpose of its criminal investigations and proceedings;

(b) for preventing an immediate and serious threat to its public security;

(c) in its non-criminal judicial or administrative proceedings directly related to investigations or proceedings:

(i) set forth in subparagraph (a); or

(ii) for which mutual legal assistance was rendered under Article 1 (1 bis)(a) of this Treaty;

(d) for any other purpose, if the evidence or information has been made public within the framework of proceedings for which they were transmitted, or in any of the situations described in subparagraphs (a), (b) and (c); and

(e) for any other purpose only with the prior consent of the Requested Party.

...

C15

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (1.11.2009) by European Communities (Payment Services) Regulations 2009 (S.I. No. 383 of 2009), reg. 94, continued in force.

Processing of personal data.

94. The processing, within the meaning of the Data Protection Acts 1988 and 2003, of personal data by a payment system or payment service provider is permitted for the purposes of the prevention, investigation and detection of payment fraud.

C16

Application of Act restricted (11.12.2006) by Electoral (Amendment) Act 2006 (33/2006), s. 19, commenced on enactment.

List relating to draft register and register in force.

19.— Notwithstanding anything in the Data Protection Acts 1988 and 2003, a registration authority may, for the purposes of assisting in the preparation of a complete and accurate register of electors, prepare and publish, at any time after it publishes a draft register of electors in accordance with Rule 5 of the Second Schedule to the Act of 1992, a list, in such form and manner as the authority considers appropriate, of the names of all persons who are registered as electors in the register (in force at the time of publication of that draft register) but whose names are not included in that draft register.

C17

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (5.12.2005) by Civil Registration Act 2004 (3/2004), s. 66, S.I. No. 764 of 2005, as amended

• by Housing (Miscellaneous Provisions) Act 2009 (22/2009), s. 8 and sch. 2 part 8 item 1, not commenced as of date of revision;

• (1.01.2011) by Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 (24/2010), s. 21, S.I. No. 648 of 2010;

• (1.01.2009) by Health Act 2008 (21/2008), s. 11, commenced as per s. 1(2);

• (17.12.2008) by Social Welfare (Miscellaneous Provisions) Act 2008 (22/2008), s. 25, commenced on enactment;

• (1.01.2005) by Health Act 2004 (42/2004), s. 75 and sch. 6 part 26 item 26, S.I. No. 887 of 2004.

Power of Ard-Chláraitheoir to give information to others.

66.—(1) Notwithstanding anything contained in the Data Protection Acts 1988 to 2003 or any other enactment, an tArd-Chláraitheoir may, after consultation with [...] the Minister for Social and Family Affairs, give such information as may be prescribed in relation to births, [marriages, civil partnerships, decrees of divorce, decrees of nullity of marriage, decrees of dissolution or decrees of nullity of civil partnership ], registered under this Act or under any of the repealed enactments to—

(a) the Minister for Defence for the purpose of—

(i) the administration of schemes under the Defence Forces (Pensions) Acts 1932 to 1975, or

(ii) the administration of the Army Pensions Acts 1923 to 1980,

(b) the Minister for the Environment, Heritage and Local Government for the purpose of registration in a register under the Electoral Act 1992,

(c) the Minister for Foreign Affairs for the purpose of—

(i) determining entitlements to passports, or

(ii) verifying the identity of persons applying for or holding passports,

(d) the Minister for Justice, Equality and Law Reform for the purpose of determining the immigration or citizenship status of persons,

(e) the Minister for Social and Family Affairs for the purpose of—

(i) determining entitlement to, or control of, benefit under the Social Welfare (Consolidation) Act 1993, or

(ii) section 223 of that Act,

(f) the Minister for Transport for the purpose of the grant of driving licences and provisional licences under Part III of the Road Traffic Act 1961,

(g) the Minister for the purpose of the enforcement of regulations under section 31 of the Health Act 1947 and the Minister or [the Executive ], hospital or other body or agency participating in any cancer screening programme (including any programme of breast or cervical cancer screening) authorised by the Minister, for the purpose of compiling and maintaining a record of the names, addresses and relevant dates of persons who, for public health reasons, may be invited to participate in any such programme,

(h) the Revenue Commissioners for the purpose of the administration of the Taxes Consolidation Act 1997, the Stamp Duties Consolidation Act 1999 and the Capital Acquisitions Tax Consolidation Act 2003,

(i) [the Executive ] for the purpose of determining entitlement to a service provided for, by or under section 45 [, 45A ], 58, 59 or 61 of the Health Act 1970, and

(j) a housing authority (within the meaning of the Housing Act 1966 ) for the purpose of—

(i) the determination of entitlement to houses or grants under the Housing Acts 1966 to 2002,

(ii) the determination of a rent or other payment under section 58 of the Housing Act 1966, or

(iii) the preparation of a housing strategy under the Planning and Development Act 2000.

(2) In this section “information” means personal data (within the meaning of the Data Protection Acts 1988 and 2003) and information extracted from such data.

C18

Application of collectively cited Data Protection Acts 1988 and 2003 restricted (1.05.2004) by European Communities (Clinical Trials on Medicinal Products For Human Use) Regulations 2004 (S.I. No. 190 of 2004), reg. 48(3)(d).

Enforcement

48. — ...

(3) ...

(d) inspect and copy or extract information from any data (including personal data) within the meaning of the Data Protection Acts 1988 and 2003

...

C19

Application of Act extended with any necessary modifications (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).

Unsolicited commercial communications.

9. ...

(6) The following provisions of the Act, namely —

(a) sections 1, 10, 12, 24 and 25,

(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,

and

(c) sections 27 to 30,

apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.

(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.

...

(11) In this Regulation —

“Act” means the Data Protection Act 1988 ( No. 25 of 1988);

...

C20

Application of Act extended with any necessary modifications (22.02.2002) by Customs and Excise (Mutual Assistance) Act 2001 (2/2001), ss. 5 and 9, S.I. No. 59 of 2002.

Application of Data Protection Act, 1988.

5.—(1) For the purposes of this Act, the CIS Convention and the Customs Co-operation Convention, the Data Protection Act, 1988, shall apply and have effect, with any necessary modifications, to the collection, processing, keeping, use or disclosure of personal data included in or received from the Customs Information System.

(2) Without prejudice to the generality of subsection (1), for the purposes of Article 21 of the CIS Convention, section 7 of the Data Protection Act, 1988, shall apply as regards the liability of the State for injury caused to a person through the use of the Customs Information System in the State.

(3) Without prejudice to the generality of subsection (1), for the purposes of Article 25 of the Customs Co-operation Convention, section 7 of the Data Protection Act, 1988, shall apply as regards the liability of the State for injury caused to a person through the processing of data communicated in the State.

...

Offences.

9.—Without prejudice to the generality of section 5(1) , any person who uses personal data from the Customs Information System other than for the purpose of the aim specified in Article 2(2) of the CIS Convention shall, save where such use is in accordance with and is subject to the conditions specified in Article 8(1) of that Convention, be guilty of an offence under the Data Protection Act, 1988.

C21

Application of Act restricted (20.11.2000) by Refugee Act 1996 (17/1996), s. 11(5), S.I. No. 365 of 2000.

Investigation of application by Commissioner.

11. ...

(5) Nothing in the Data Protection Act, 1988, shall be construed as prohibiting a person from giving to the Commissioner, on request by him or her, such information as is in the person’s possession or control relating to the application.

C22

Act applied to certain bodies with any necessary modifications (2.12.1999) by British-Irish Agreement Act 1999 (1/1999), s. 51, S.I. No. 377 of 1999.

Application of Data Protection Act, 1988.

51.— ...

(2) The Act of 1988 shall apply in relation to the Bodies with any necessary modifications and subject to the subsequent provisions of this section.

...

C23

Application of Act restricted (1.04.1997) by Health (Provision of Information) Act 1997 (9/1997), s. 1(2), commenced on enactment. [Note that functions of specified bodies including health boards were transferred (1.01.2005) to the Health Service Executive by Health Act 2004 (42/2004), s. 59, S.I. No. 887 of 2004].

Requests for and provision of information.

1. ...

(2) Nothing in the Data Protection Act, 1988, shall prevent the Minister for Health or a health board, hospital or other body or agency referred to in subsection (1) (b) from providing—

( a) to the Minister for Health, or to any other such health board, hospital or other body or agency, for the purposes of that programme, or

( b) for the purposes of inviting persons to participate in that programme,

any information provided under subsection (1).

C24

Application of Act restricted (1.11.1994) by Statistics Act 1993 (21/1993), s. 24(2), S.I. No. 323 of 1994.

Invitation to provide information on a voluntary basis.

24. ...

(2) Persons and undertakings may provide information and records, or copies thereof, which they may possess to the Director General or officers of statistics on invitation under the provisions of this Act notwithstanding anything contained in the Data Protection Act, 1988.

Editorial Notes:

E1

Previous affecting provision: application of collectively cited Data Protection Acts 1988 and 2003 restricted (20.12.2010) by European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2010 (S.I. No. 610 of 2010), reg. 31; revoked (28.01.2014) by European Union (Good Agricultural Practice for Protection of Waters) Regulations 2014 (S.I. No. 31 of 2014), reg. 3.

E2

Previous affecting provision: application of collectively cited Data Protection Acts 1988 and 2003 restricted (31.03.2009) by European Communities (Good Agricultural Practice For Protection of Waters) Regulations 2009 (S.I. No. 101 of 2009), reg. 31; revoked (20.12.2010) by European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2010 (S.I. No. 610 of 2010), reg. 2.

E3

Previous affecting provision: application of collectively cited Data Protection Acts 1988 and 2003 restricted (1.08.2006) by European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2006 (S.I. No. 378 of 2006), reg. 31; revoked (31.03.2009) by European Communities (Good Agricultural Practice For Protection of Waters) Regulations 2009 (S.I. No. 101 of 2009), reg. 2.

E4

Previous affecting provision: application of collectively cited Data Protection Acts 1988 and 2003 restricted (1.02.2006) by European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2005 (S.I. No. 788 of 2005), reg. 31; revoked (1.08.2008) by European Communities (Good Agricultural Practice for Protection of Waters) Regulations 2006 (S.I. No. 378 of 2006), reg. 2.

E5

Previous affecting provision: application of Act extended with any necessary modifications (1.10.1998) by Europol Act 1997 (38/1997), s. 6, S.I. No. 345 of 1998, as amended (23.12.2006) by substitution of subs. (1) by Europol (Amendment) Act 2006 (37/2006), s. 3, commenced on enactment; repealed (1.02.2013) by Europol Act 2012 (53/2012), s. 17, S.I. No. 15 of 2013.