Data protection laws can cause significant headaches for business owners and employers.
As a business owner and/or employer you can easily fall foul of the law.
This piece aims to give you an overview of the most important obligations on business and employers in relation to data protection.
Individuals have privacy rights in relation to data held about them, and it is up to the Data Protection Commissioner to uphold those rights. The role of the Data Protection Commissioner in protecting your privacy rights when it comes to data being held about you is critical.
Data Controllers and Data Subjects
Firstly though, it is important to understand what a data controller and a data subject are, as defined under the legislation. Many data controllers do not understand the vital responsibility they have when it comes to retaining data on employees, customers, clients, etc.
“data controller” means a person who, either alone or with others, controls the contents and use of personal data;
“data subject” means an individual who is the subject of personal data;
People who control and use data about others are called ‘data controllers’ and are recognised in the Data Protection Acts as having certain obligations imposed on them by law.
Individuals should know, when they provide personal information to any organisation:
- Who is gathering the data
- What use this data will be put to
- Who the data will be disclosed to.
If a data controller holds data for a specific purpose and later decides to use it for a new purpose, he must ask the person whose information he holds whether they agree to that new use, because data may only be held for specified purposes.
Data Protection for Employers
All businesses should be concerned about data protection and the Data Protection Acts 1988 and 2003. These two Acts attempt to balance the rights of individuals in relation to personal data that various organisations store about them.
Learn more about data protection and employers at EmploymentRightsIreland.com.
As an employer you should also be concerned with other aspects of your role as a data controller, such as the usefulness of online backup services, which can provide online or offsite backups of your valuable data, whichever is more convenient for you.
The Data Protection Acts 1988 and 2003 also impose stringent requirements on the data kept by employers about employees and in particular in respect of sensitive personal data. Employers are of course data controllers and processors within the legislation.
The Data Protection Commissioner can impose fines of up to €100,000 and employees can succeed in claims in relation to breaches of data protection law.
The principal obligations on the employer in respect of sensitive personal data are to collect and process it fairly, to keep it accurate and up to date, and to keep it no longer than necessary. For this reason employers should ensure that they have a data protection policy in the workplace.
Employee as Data Subject
The employee, as a data subject, has a general right to know what personal data is held about him/her, to whom it is disclosed, and to have it deleted or amended if incorrect. A written data request from an employee should be responded to within 40 days.
The Data Protection Acts, section 8 in particular, set out the circumstances where the employer may disclose the employee’s data to a third party.
Whether the third party is within the EEA (European Economic Area) or not will determine whether the employer can comply with the request. If the data is being disclosed to a third party within the EEA, a written contract is required.
If not, the transfer of data is prohibited (subject to exceptional safeguards).
Registration with the Data Protection Commissioner
Data controllers fall into three categories for the purpose of registration:
- Categories of persons who are always obliged to register: this includes banks and financial institutions, insurance companies, internet service providers and phone companies
- Categories of persons who may be required to register: this includes data controllers who process personal data relating to mental and physical health
- Categories who are excluded: not-for-profit organisations, elected representatives, data processed in the normal course of personnel administration, solicitors and barristers, and data for journalistic, literary or artistic material
Please note that these are not exhaustive lists and you may need to consult the legislation or a solicitor who has an expertise in this area if you are in doubt.
Personal data should not be excessive in relation to the purpose for which it is held and should not be kept for longer than is necessary for that purpose.
Non-compliance with data protection law
Non-compliance with data protection law may lead to a complaint to the Data Protection Commissioner, and the data controller can also be held liable under normal common law principles (e.g. the law of contract, confidential information, etc.).
It should be noted that Irish data protection legislation only applies to data controllers who are established here.
Data Protection Law and Direct Marketing
Many direct marketers are blissfully unaware of the significant conditions in the Data Protection Acts 1988 and 2003 concerning the use of personal data for direct marketing purposes.
For example, the Data Protection Act 1988 provides that the data controller/direct marketer has forty days to comply with a request from the recipient to stop using his data for direct marketing.
There is also a positive obligation on the data controller/direct marketer to let the recipients (data subjects) know that they can object in writing and free of charge to the data controller using their data for direct marketing purposes.
The significance of this is that there is a real obligation on the marketer to let the “target” know that they are being targeted for direct marketing purposes.
The basic rule that applies to direct marketing is this: you need the consent of the individual to use their personal data for direct marketing purposes.
The Electronic Communications Regulations 2003 (SI 535 of 2003)
These regulations (subsequently revoked, see below) provide further protection to the consumer/recipient of direct marketing messages and cover, amongst other things:
- Email marketing
- SMS messaging
- Processing of location data.
These regulations aim to protect recipients from unwanted and unsolicited SMS messages and email.
In summary, the Electronic Communications Regulations provide that:
- The use of email, fax, automatic dialling machines and SMS messaging for direct marketing purposes to individuals without the advance consent of the recipient is prohibited
- The use of these methods of direct marketing to businesses is prohibited if the business (or non-natural person) has recorded its objection in the National Directory Database or has told the sender that it does not consent
- The use of telephone marketing is also prohibited if the phone subscriber has recorded their objection in the National Directory Database or advised the caller that they do not consent
- Unsolicited telephone callers must provide their name and, if requested, their address and phone number
- The same situation applies in relation to sending SMS messages or emails for direct marketing purposes
- If a customer gives their contact details in the course of a transaction or purchase, those details can be used for direct marketing purposes only if the recipient is given an easy and free way of objecting and this is made clear to them. Such direct marketing is only permissible in respect of goods or services similar to the original purchase.
Breach of any of the six prohibitions listed above is a criminal offence, unlike most breaches of data protection law.
It is also worth noting, for example, that the Data Protection Commissioner has found unsolicited soliciting of political support to be unlawful direct marketing.
For further useful information and frequently asked questions in this potentially dangerous area for direct marketers take a look at http://www.dataprivacy.ie which is the website of the Data Protection Commissioner.
The above statutory instrument and SI 526 of 2008 were revoked by Statutory Instrument 336/2011, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
SI 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011
Different rules apply to phone, fax, text message and e-mail marketing.
Direct Marketing by Post
The Data Protection Acts determine how you can market by direct mail through the postal service.
For the protection of the Data Protection Acts to apply, the letter must be addressed to a named individual.
Unaddressed mail or post addressed to the ‘householder’ or ‘homeowner’ for example is not covered as this type of mail is deemed not to use ‘personal data’.
In addition, post addressed to corporate entities and/or named office holders in those entities is not covered by data protection legislation.
In order to use personal data for direct postal marketing, you must first tell the person that you intend to use their personal data for this purpose and give them the opportunity to ‘opt out’.
A person can withdraw their consent at any time.
The rules surrounding marketing by email, text, phone and fax are more stringent than those applying to direct marketing by post.
Certain more restrictive rules also apply to marketing to corporate entities than apply to marketing by post.
You cannot make a marketing call to a person or business if they have indicated in the National Directory Database their preference not to receive such calls. The same rule applies to a person or business that has made it known to you that they do not consent to such calls.
You cannot make a marketing call to a mobile phone unless the person has consented to such calls or has indicated his/her general willingness to receive such calls in the National Directory Database.
Electronic mail includes email, phone text, MMS messages, voice messages, image messages, and sound messages.
Individual and business customers: consent is again required. In addition, the offer you are making must be of a kind similar to what you originally sold the person; you must have given them an easy way to object to such marketing; every time you send a marketing message you must give the person the opportunity to opt out again; and the original sale must have occurred in the last 12 months.
Individuals who are not customers: consent is required to send marketing messages.
Business contacts: you cannot send marketing messages where the business has advised you that they do not consent to such messages.
Direct Marketing by Fax
You cannot send a marketing fax to a person who has not previously consented. This rule applies to fax lines used for personal/domestic purposes; any use of the line in relation to a business will see it treated as a business line rather than a residential one.
You may not send a marketing fax to a business which has indicated its unwillingness to receive such messages on the National Directory Database. Nor can you send one if the business has told you they do not wish to receive them.
The onus is on you, if you are prosecuted, to prove that you had consent for the sending of marketing messages. Any consent that you have should be retained for 2 years.
The penalties for breaches of data protection legislation and electronic communications regulations are very stiff.
And each breach attracts a new penalty.
Processing of personal data
The most important precondition for processing personal data is that the data may only be processed where the subject has given his consent.
However, there is considerable debate as to what ‘consent’ means in this context: is it the opt-in procedure (where the subject must expressly consent to his data being processed)?
Or is it the opt-out procedure (where the subject is asked if they object to their data being processed)?
There are additional preconditions relating to the processing of sensitive personal data such as racial or ethnic origin, political opinion, religious belief etc.
In these circumstances the data subject must expressly consent and the ‘opt out’ procedure would not be sufficient in these situations.
Rights of Data Subjects
These rights derive from the Data Protection Acts and include:
- The right to be informed of data being kept on them
- The right to access the data (there are a number of exceptions to this right). It is worth noting that the Data Protection Commissioner appears to be of the opinion that CCTV footage of a person is data within the meaning of the Acts.
- The right to prevent processing where it may cause damage or distress
Restrictions on the transfer of data outside the State apply to transfers to countries outside the European Economic Area.
Such a transfer may not occur unless that country provides an adequate level of protection, and this causes problems in relation to the transfer of such data to the USA, as there are varying standards of protection in the USA.
The US Safe Harbour scheme is a voluntary scheme which provides standards of data protection similar to Europe’s, but not all companies sign up to it.
Data Protection and Schools
Data protection legislation applies to schools even though the Freedom of Information Act does not.
The Data Protection Commissioner has stated that:
CCTV may be used legitimately for security related purposes at the perimeter of a school. Any use beyond this would need to be fully justifiable and evidence-based with a very high threshold for such evidence. This is particularly the case in a school environment as most of the personal data processed will relate to minors.
Data requests can be made by parents on behalf of children or any member of staff.