Data Protection Act 1988

Interpretation and application of Act.

1

1. (1) In this Act, unless the context otherwise requires—

F1 [ the Act of 2003 means the Data Protection (Amendment) Act 2003 ]

appropriate authority” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

F1 [ automated data means information that

  ( a ) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or

  ( b ) is recorded with the intention that it should be processed by means of such equipment; ]

back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;

F1 [ blocking , in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked; ]

civil servant” has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

the Commissioner” has the meaning assigned to it by section 9 of this Act;

company” has the meaning assigned to it by the Companies Act, 1963

the Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;

the Court” means the Circuit Court

F2 [ data means automated data and manual data; ]

data controller” means a person who, either alone or with others, controls the contents and use of personal data;

data equipment” means equipment for processing data;

data material” means any document or other material used in connection with, or produced by, data equipment;

data processor” means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;

data subject” means an individual who is the subject of personal data;

F1 [ the Directive means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1) ; ]

F3 [ ]

disclosure”, in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;

F1 [ the EEA Agreement means the Agreement on the European Economic Area signed at Oporto on 2 May 1992 as adjusted by the Protocol signed at Brussels on 17 March 1993; ]

F1 [ enactment means a statute or a statutory instrument (within the meaning of the Interpretation Act 1937 ); ]

enforcement notice” means a notice under section 10 of this Act;

F1 [ the European Economic Area has the meaning assigned to it by the EEA Agreement; ]

F3 [ ]

information notice” means a notice under section 12 of this Act;

F4 [ local authority means a local authority for the purposes of the Local Government Act 2001 (as amended by the Local Government Reform Act 2014); ]

F1 [ manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; ]

the Minister” means the Minister for Justice;

F2 [ personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller; ]

prescribed”, in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;

F2 [ processing of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including

  ( a ) obtaining, recording or keeping the information or data,

  ( b ) collecting, organising, storing, altering or adapting the information or data,

  ( c ) retrieving, consulting or using the information or data,

  ( d ) disclosing the information or data by transmitting, disseminating or otherwise making it available, or

  ( e ) aligning, combining, blocking, erasing or destroying the information or data; ]

prohibition notice” means a notice under section 11 of this Act;

F3 [ ]

F5 [ relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible; ]

F1 [ sensitive personal data means personal data as to

  ( a ) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,

  ( b ) whether the data subject is a member of a trade union,

  ( c ) the physical or mental health or condition or sexual life of the data subject,

  ( d ) the commission or alleged commission of any offence by the data subject, or

  ( e ) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings; ]

and any cognate words shall be construed accordingly.

(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.

(3) ( a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force—

(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the authority,

as respects the data concerned.

( b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respects all or part of the personal data kept by him in relation to the Defence Forces, designate an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, while the designation is in force—

(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the Minister for Defence,

as respects the data concerned.

( c) For the purposes of this Act, as respects any personal data—

(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(iii) a member of the Garda Síochána (other than the Commissioner of the Garda Síochána) shall be deemed to be an employee of the said Commissioner.

F1 [ (3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.

(3B) ( a ) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if

(i)     the data controller is established in the State and the data are processed in the context of that establishment, or

(ii) the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agreement but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.

( b ) For the purposes of paragraph ( a ) of this subsection, each of the following shall be treated as established in the State:

(i)     an individual who is normally resident in the State,

(ii)     a body incorporated under the law of the State,

(iii) a partnership or other unincorporated association formed under the law of the State, and

(iv) a person who does not fall within subparagraphs (i), (ii) or (iii) of this paragraph, but maintains in the State

(I)     an office, branch or agency through which he or she carries on any activity, or

(II) a regular practice,

and the reference to establishment in any other state that is a contracting party to the EEA Agreement shall be construed accordingly.

( c ) A data controller to whom paragraph ( a )(ii) of this subsection applies must, without prejudice to any legal proceedings that could be commenced against the data controller, designate a representative established in the State.

(3C) Section 2 and sections 2A and 2B (which sections were inserted by the Act of 2003) of this Act shall not apply to

( a )     data kept solely for the purpose of historical research, or

( b )     other data consisting of archives or departmental records (within the meaning in each case of the National Archives Act 1986 ),

and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects. ]

(4) This Act does not apply to—

( a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,

( b) personal data consisting of information that the person keeping the data is required by law to make available to the public, or

( c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

F1 [ (5) F3 [ ] ]

Annotations:

Amendments:

F1

Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.

F2

Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.

F3

Repealed other than for certain excepted purposes (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(a), (4), S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b), (2) and (3). See C-note below.

F4

Substituted (1.06.2014) by Local Government Act 2014 (1/2014), s. 5(8) and sch. 2 part 6, S.I. No. 214 of 2014.

F5

Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 2, S.I. No. 207 of 2003.

Modifications (not altering text):

C25

Certain provisions repealed, but retained for certain excepted purposes, (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(a), (4), S.I. No. 174 of 2018. These provisions are subs. (1), definitions of “direct marketing”, “financial institution” and “the register”, and subs. (5), see previous versions below. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b) (the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014) or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018) to the extent that the Act of 1988 is applied in those Acts) and s. 8(2), (3) (transitional provisions).

1. (1) In this Act, unless the context otherwise requires— ...

F2 [ direct marketing includes direct mailing other than direct mailing carried out in the course of political activities by a political party or its members, or a body established by or under statute or a candidate for election to, or a holder of, elective political office; ]

...

financial institution” means—

( a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971, or

( b) a person referred to in section 7 (4) of that Act;

...

the register” means the register established and maintained under section 16 of this Act;

...

F1 [ (5) ( a ) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997 .

( b ) The Commissioner and the Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other. ]

C26

Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(a), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.

Application of Act of 1988

123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—

(a) Chapter 2,

(b) Chapter 3, or

(c) an Article 7 request,

and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—

(i) Chapter 2 or the provisions of that Chapter,

(ii) Chapter 3 or the provisions of that Chapter, and

(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.

(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely—

(a) in section 1(1), the insertion of the following definitions:

‘Act of 2008’ means the Criminal Justice (Mutual Assistance) Act 2008;

‘Act of 2014’ means the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014;

‘Agreement with Iceland and Norway’, ‘Council Decision’, ‘dactyloscopic data’, ‘designated state’, ‘European Union or international instrument’, ‘Member State’ and ‘relevant European Union or international instrument’ have the meanings they have in section 109 of the Act of 2014;

‘Article 7 request’ means a request made or received under Chapter 3 of Part 5 of the Act of 2008 pursuant to Article 7 of the Council Decision or that Article insofar as it is applied by Article 1 of the Agreement with Iceland and Norway;

‘Central Authority’ has the meaning it has in section 2(1) of the Act of 2008;

‘data protection authority’, in relation to a designated state, means the authority in that designated state that is designated by that designated state to be the independent data protection authority of that designated state for the purposes of a European Union or international instrument;

‘DNA’ means deoxyribonucleic acid;

‘national contact point’, in relation to a relevant European Union or international instrument, has the meaning it has in section 109 of the Act of 2014;

‘processing’ has the meaning it has in this Act and shall include the sending or receipt, as the case may be, of a notification under section 113 (2), 114 (3), 115 (2), 116 (3), 119 (2) or 120 (2) of the Act of 2014.

...

C27

The definition of “financial institution”, defined above, is extended (31.03.2014) by European Union (Capital Requirements) Regulations 2014 (S.I. No. 158 of 2014), reg. 152.

Continuation of contravention of Regulations

152. Notwithstanding Regulation 7(1), the references, however expressed, to the holder of a licence under section 9 of the Act of 1971, in—

(a) sections 19 to 26, section 28, sections 31 to 42 or section 58 of the Act of 1971,

(b) section 27, sections 49 to 51, sections 90, 108, 117, 134 or 140 of the Central Bank Act 1989 (No. 16 of 1989), or

(c) any other enactment which was in force on 1 January 1993,

shall be construed so as to include any person who, but for the application of Regulation 7(1), was or would have been required to hold a licence under section 9 of the Act of 1971.

C28

Functions transferred and references to “Department of Finance” and “Minister for Finance” construed (29.07.2011) by Finance (Transfer of Departmental Administration and Ministerial Functions) Order 2011 (S.I. No. 418 of 2011), arts. 2, 3, 5 and sch. 1 part 2, in effect as per art. 1(2), subject to transitional provisions in arts. 6-9.

2. (1) The administration and business in connection with the performance of any functions transferred by this Order are transferred to the Department of Public Expenditure and Reform.

(2) References to the Department of Finance contained in any Act or instrument made thereunder and relating to the administration and business transferred by paragraph (1) shall, on and after the commencement of this Order, be construed as references to the Department of Public Expenditure and Reform.

3. The functions conferred on the Minister for Finance by or under the provisions of —

(a) the enactments specified in Schedule 1, and

(b) the statutory instruments specified in Schedule 2,

are transferred to the Minister for Public Expenditure and Reform.

...

5. References to the Minister for Finance contained in any Act or instrument under an Act and relating to any functions transferred by this Order shall, from the commencement of this Order, be construed as references to the Minister for Public Expenditure and Reform.

...

Schedule 1

Enactments

...

Part 2

1922 to 2011 Enactments

Number and Year

Short Title

Provision

(1)

(2)

(3)

...

...

...

No. 25 of 1988

Data Protection Act 1988

Sections 1 and 33(1); Second Schedule, paragraph 9

...

...

...

C29

Application of section extended (24.02.2003) by European Communities (Directive 2000/31/EC) Regulations 2003 (S.I. No. 68 of 2003), reg. 9(6).

Unsolicited commercial communications.

9. ...

(6) The following provisions of the Act, namely —

(a) sections 1, 10, 12, 24 and 25,

(b) section 26 in so far as it relates to a requirement specified in an enforcement notice or an information notice or a decision of the Data Protection Commissioner in relation to a complaint under section 10 (1) (a) of the Act,

and

(c) sections 27 to 30,

apply for the purpose of this Regulation with the modifications specified in paragraphs (7) to (10) and any other necessary modifications.

(7) References, in the provisions of the Act mentioned in paragraph (6), to that Act or the provisions of that Act shall, unless the context otherwise requires be construed as including references to this Regulation or the provisions of this Regulation.

(8) Section 1(1) of the Act applies as if the following definition were inserted: “‘Regulations of 2003’ means the European Communities (Directive 2000/31/EC) Regulations 2003;”

...

(11) In this Regulation —

“Act” means the Data Protection Act 1988 ( No. 25 of 1988);

...

Editorial Notes:

E6

As provided (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(1), (2), S.I. No. 294 of 2015, a living individual’s individual health identifier held by certain persons is considered personal data for the purposes of the Data Protection Acts 1988 and 2003. This shall not be construed to prevent a living individual’s individual health identifier held by a person other than the certain persons from being personal data in accordance with the provisions of those Acts.

E7

Previous affecting provision: construction of section extended (6.11.2003) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2008 (S.I. No. 535 of 2003), reg. 17(1)(a); reg. 17 substituted (13.12.2008) by European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) (Amendment) Regulations 2008 (S.I. No. 526 of 2008), reg. 9; revoked and replaced (1.07.2011) by European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011), reg. 35, subject to transitional provisions in reg. 34.

E8

Previous affecting provision: definitions for “Directive”, “EEA Agreement”, “Enactment” and “European Economic Area” inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 2(a); substituted as per F-note above.

E9

Previous affecting provision: subs. (5) inserted (1.04.2002) by European Communities (Data Protection) Regulations 2001 (S.I. No. 626 of 2001), reg. 2(b); substituted as per F-note above.

(1) O.J. No. L 281/38 of 23.11.95, p.31.