UK Organisations which do business in Ireland and process personal data often assume that compliance with the GDPR is sufficient in order to process the personal data of Irish individuals or assume that the UK Data Protection Act is virtually identical to its Irish counterpart. This is not necessarily the case – while the Irish Data Protection Act 2018 is the overarching piece of data privacy legislation in this jurisdiction and, similarly to its UK equivalent, implemented the provisions of the GDPR, the Irish Act contains a number of provisions specific to this jurisdiction and is impacted by a wide variety of other Acts and Regulations, sector-specific and otherwise.
Given the difficulties and complexities our UK-based clients often face when seeking to understand and apply the provisions of the above legislation to the processing of personal data in Ireland, we have set out below a summary of the key requirements specific to the Irish privacy regime and the most important recent developments in this area.
The Irish Data Protection Commission
The Data Protection Commission (the "DPC") is the national supervisory authority in this jurisdiction and while the Irish data protection provisions do not grant the DPC any additional powers above those granted by the GDPR, the Irish provisions are more specific in regard to the exercise of those powers, which include:
- The right to access, enter, search and inspect any premises where processing of personal data takes place and to inspect or remove any documents and records it considers necessary;
- The right to require employees to produce any documents, records, statements or other information relating to the processing of personal data;
- The right to conduct audits, issue information notices, and issue enforcement notices. Where the DPC decides to issue an information notice, enforcement notice or to impose an administrative fine, the controller or processor has 28 days from the date on which it is notified of the decision to appeal to court;
- The right to conduct Section 110 'statutory inquiries', which can be either complaint-based or conducted of the DPC's "own volition";
- The right to require a data controller to disclose a data breach to affected data subjects; and
- The right to impose an administrative fine.
Failure to comply with an enforcement notice without reasonable excuse, or failure to notify the DPC or the data subject of the steps taken to comply with an enforcement notice within the required 28-day period, can lead to the same fines and terms of imprisonment as failure to comply with an information notice.
We have seen that the DPC exercises its powers of enforcement regularly. In 2019, it concluded 5,496 complaints, a large percentage of which related to access rights and subject access requests, and it was managing 70 statutory inquiries as of the date of publication of its last Annual Report.
On issuing a notice, the DPC can require a data controller or a data processor to provide it with a report on any matter specified in the notice. An individual must be nominated either by the relevant controller or processor, or by the DPC, to prepare the report. Any person who obstructs or impedes this individual in the preparation of the report, or knowingly gives false or misleading information in a material respect, is guilty of an offence.
Privacy professionals will also no doubt be aware of the recent EU Court of Justice judgment in Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (commonly known as Schrems II), to which the DPC was a party and which led to the finding that the so-called Privacy Shield agreement between the U.S. and the EU does not offer sufficient protection of EU citizens' personal data and was therefore invalid.
Restrictions on Data Subjects' Rights
The Irish Data Protection Act 2018 contains a number of important provisions which, in certain circumstances, restrict the rights a data subject would otherwise hold under the GDPR. These restrictions, which relate to, amongst others, the data subject's rights of access, erasure and rectification, the right to be forgotten and the right to object to processing based on legitimate interest grounds, can apply on the basis that:
- the personal data consists of an expression of opinion about the data subject given in confidence, or on the understanding that it would be treated as confidential, to a person who has a legitimate interest in receiving the information;
- the restrictions are necessary and proportionate for the establishment of legal claims or prospective legal claims or proceedings;
- the personal data is processed for the purpose of seeking, receiving or giving legal advice; or
- the restrictions are necessary and proportionate for the enforcement of civil law claims, to safeguard cabinet confidentiality or national security, for estimating liability of a data controller, etc.
Health Research
Ireland has implemented specific legislation in the form of the Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 (as amended) in relation to health research, which set out a number of specific regulatory requirements concerning governance and procedure that have impacted several aspects of research. One requirement introduced by these Regulations is that personal data cannot be included in health research unless either explicit consent exists or a consent declaration has been granted by the Health Research Consent Declaration Committee. The Regulations also require, in certain circumstances, that a Data Protection Impact Assessment is carried out before personal data is processed for health research purposes.
We have seen in practice that this requirement for 'explicit consent' has been the source of considerable uncertainty for organisations conducting health research in Ireland. Varying interpretations of the legislation between sites, and difficulty applying the technical requirements of the Regulations in practice (particularly where the personal data relates to patients who cannot be located or are deceased), have highlighted a particular need for Irish legal guidance in this area.
COVID-19 and Employee Test Results
Irish employers have a number of obligations to their employees under the Safety, Health and Welfare at Work Act 2005, including a statutory obligation to provide employees with a safe place of work. This obligation, together with Article 9(2)(b) GDPR, is being widely used in the current climate as a legal basis for employers to process sensitive personal data of their employees and receive COVID-19 test results from external medical practitioners, where such tests are organised by the employer. Employers will likely fulfil the requirement that any such processing of an employee's health data, particularly in the case of positive COVID-19 test results, is necessary and proportionate for the purposes of contact tracing.
The sensitive personal data of an employee must in all cases be treated in a confidential manner, i.e. any communications to staff about the possible presence of COVID-19 in the workplace should not generally identify any individual employees and should be anonymised. Furthermore, the standard principles of Irish data protection law will of course apply to the disclosure of COVID-19 test results to an employer – the data disclosed to the employer should be limited to what is necessary, stored securely, accurate, and so on. A policy document should be put in place to make clear to employees that, if they receive a COVID-19 test result in the course of a test organised by their employer, this result will be disclosed to the employer, based on the employer's legitimate interests under the GDPR and the employer's obligations under the Safety, Health and Welfare at Work Act 2005.
Criminal Convictions Data
The Irish data protection legislation provides for a number of restrictions on the processing of personal data relating to criminal convictions and offences. In this jurisdiction, this type of personal data may only be processed where:
- it is done under the control of official authority;
- the data subject has provided their explicit consent to the processing;
- the processing is necessary and proportionate for the performance of a contract to which the data subject is a party;
- the processing is necessary for the purpose of obtaining or providing legal advice or establishing, exercising or defending legal rights;
- the processing is necessary to prevent injury or other damage to the data subject or another person, or loss in respect of, or damage to, property, or otherwise to protect the vital interests of the data subject or another person; or
- the processing is permitted by ministerial regulations or otherwise authorised by the law of the State. At this time, no such ministerial regulations have been enacted.
It is also important to note the particular requirements of the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016, which provides that certain minor convictions older than seven years are deemed "spent", so that the individual concerned cannot be required by law or by general agreement to disclose the conviction or the circumstances relating to it, except in certain circumstances.
Originally published by BHSM, October 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.