Data Protection Act 1988

F13[Security measures for personal data.

2C

2C.(1) In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, in particular (but without prejudice to the generality of that provision), where the processing involves the transmission of data over a network, a data controller

(a) may have regard to the state of technological development and the cost of implementing the measures, and

(b) shall ensure that the measures provide a level of security appropriate to

(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and

(ii) the nature of the data concerned.

(2) A data controller or data processor shall take all reasonable steps to ensure that

(a) persons employed by him or her, and

(b) other persons at the place of work concerned,

are aware of and comply with the relevant security measures aforesaid.

(3) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall

(a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor carries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent to those imposed on the data controller by section 2(1)(d) of this Act,

(b) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and

(c) take reasonable steps to ensure compliance with those measures.]

Annotations

Amendments:

F13

Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003.

Modifications (not altering text):

C31

Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(c), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015, otherwise (3.12.2018) by S.I. No. 503 of 2018.

Application of Act of 1988

123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—

(a) Chapter 2,

(b) Chapter 3, or

(c) an Article 7 request,

and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—

(i) Chapter 2 or the provisions of that Chapter,

(ii) Chapter 3 or the provisions of that Chapter, and

(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.

(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— ...

(c) in section 2C, the substitution of the following subsection for subsection (1):

“(1) In determining appropriate security measures for the purposes of section 2(1)(d) (but without prejudice to the generality of that provision), a data controller—

(a) shall, in relation to the processing of personal data supplied or received pursuant to—

(i) Chapter 2 of Part 12 of the Act of 2014, or

(ii) Chapter 3 of that Part of that Act,

comply with the technical specifications of the automated search and comparison procedure required by the relevant European Union or international instrument, and

(b) shall ensure that the measures provide a level of security appropriate to—

(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, or accidental alteration of, the data concerned, and

(ii) the nature of the data concerned.”,

...

Editorial Notes:

E26

Section applied to a deceased individual’s relevant information as it does to a living individual’s relevant information (13.07.2015) by Health Identifiers Act 2014 (15/2014), s. 27(3), S.I. No. 294 of 2015.