I contributed to the Irish chapter of the report, along with TJ McIntyre and Colin Irwin. It gives a good overview of current Irish law on privacy and data protection.
The report concludes that, while Europe is the world leader in privacy rights, there remains much work to be done in the field.
The Directive on Data Protection has been implemented across EU member states and beyond, but inconsistencies remain. Surveillance harmonisation that was once threatened is now in disarray. Yet there are so many loopholes and exemptions that it is increasingly challenging to get a full understanding of the privacy situations in European countries. The cloak of ‘national security’ enshrouds many practices, minimises authorisation safeguards and prevents oversight.
The report includes a report card in its key findings, the highlights of which for Ireland include criticisms that Ministerial warrants can override privacy law protections and that powers allowing for interception of VoIP calls are ambiguous.
For more on international privacy law, Morrison Foerster have a very useful library which acts as an online sourcebook.
I wrote about car recalls last year. Car manufacturers don’t have ownership details of all cars sold and, in the event that a safety issue arises, need to get that data from vehicle licensing authorities.
Access to this data would normally be prohibited under the Data Protection Acts 1988 and 2003 but was previously facilitated by a set of regulations published by the Department of Finance. The Data Protection Commissioner criticised the unqualified access provided under those regulations and sought their review. I don’t know whether the Commissioner’s comments influenced the Department of Finance, but in 2005 a new set of regulations were published which removed the reference to car manufacturers.
Therefore, in so far as I can tell, the law no longer provides for the provision of car registration data by vehicle registration authorities to car manufacturers. Unless Toyota is otherwise entitled to that data (and I have argued that they are not), the disclosure by the vehicle registration authorities is contrary to the Data Protection Acts.
When the Green Party withdrew from Government yesterday, Eamon Ryan suggested that a scaled-down bill could be passed quickly and that the balance of the provisions could be enacted by the next government. This seems a strange proposition and one might wonder why the next government couldn’t just do the whole job.
Nevertheless, the opposition have taken up that argument with Leo Varadkar memorably suggesting this morning that a “bikini bill” be passed: one which covers the bare essentials. Minister for Finance Brian Lenihan has difficulties with this, as some of the new provisions in the published bill address anti-avoidance measures and their publication has advertised opportunities to exploit tax loopholes. If they are not closed quickly, he argues, further taxes will be lost.
The list of items in the Bill published by the Department of Finance helpfully categorises them as measures which were announced in Budget 2011 and those which are new in the Bill. These type of provisions are often housekeeping and do not address strictly budgetary matters. One which caught my eye is that concerning taxpayer confidentiality.
Section 73 of the Bill would insert a new section 851A to the Taxes Consolidation Act 1997 to provide that taxpayer information held by the Revenue Commissioners is confidential and may only be disclosed in certain circumstances. The Department explains that this
addresses the current lack of a specific tax-related provision governing the confidentiality of taxpayer information provided to Revenue.
An offence of knowingly providing confidential information is included and can be punished by a fine of up to €10,000.
This section is surprising in light of the fact that the data security breach aspects of the Data Protection Acts 1988 and 2003 are currently under review. Indeed, the statement that it “addresses the current lack of a specific tax-related provision governing … confidentiality” suggests that the extensive provisions of the Data Protection Acts are insufficient. The proposition that these insufficiencies could be remedied by a single section in the Taxes Consolidation Act 1997 is implausible.
In 2009, the Data Protection Commissioner undertook a detailed audit of the Revenue Commissioners and the results were generally positive.
The Inspection Team considered that there exists a very high organisational awareness of data protection principles in Revenue. In particular, the presence of a dedicated Data Protection Unit, with designated contact points in the event of any issues arising was considered by the Team to be a very appropriate structure for a public sector entity in possession of high volumes of personal data. There is very clear evidence that a detailed approach has been taken by Revenue to identifying and setting out, via policy documents etc, its responsibilities under data protection legislation. This thorough approach is to be welcomed.
The Commissioner made a number of compliance recommendations and recommended that Revenue undertake a privacy impact assessment of any proposal to extend its investigative powers. Given that the report was overwhelmingly positive, it is unclear where the impetus for section 73 lies (though TJ McIntyre speculates that it may have something to do with recent alleged wrongdoing by Revenue officials, uncovered by internal audits).
There are a number of aspects of the Data Protection Acts that could benefit from reform; not least the fact that the Acts do not provide for a straightforward offence of breaching data security, as is now proposed for Revenue data. Rather, it is an offence:
to ignore a notice issued by the Data Protection Commissioner in respect of personal data;
for a data processor to disclose personal data without the authority of the relevant data controller;
to gain access to personal data held by a data controller and to disclose it to another person.
This last offence does not apply to an employee of the data controller and so section 73 would seem to catch Revenue employees where the Data Protection Acts would not. However, the penalties in the Data Protection Acts reach a maximum of €100,000, in contrast with the €10,000 maximum fine envisaged in the Finance Bill. In the UK, the maximum fine is £500,000.
The Data Protection Acts are lacking in enforcement teeth to deal with willful data security breaches. Instead, they provide for a system of co-operation and escalated engagement with data controllers. Nevertheless, the decision of the Department of Finance to go it alone on this issue is disappointing and section 73 of the Finance Bill once again fragments Irish law on a particular area rather than seeking to improve the general law that applies to everyone.
If citizens deserve to have such a protection in place in respect of Revenue data, why not health or employment data?
Update: It was reported today (25/01/11) that a Donegal civil servant allegedly accessed personal data at the Department of Social Protection in Letterkenny and passed that data to a private investigator who subsequently sold it to insurance companies. This is precisely the type of data security breach that section 73 is aimed at, but section 73 will be limited to the Revenue Commissioners and so will not cover the Department of Social Protection. As I asked yesterday, if a protection like section 73 is necessary for Revenue data, why not for other data?
TJ McIntyre looks at some other IT law aspects of the Finance Bill here and here. From a practical perspective, it is also noteworthy that the Bill (section 75) proposes to allow payment of taxes by credit card. While this may facilitate the Revenue Commissioners, it would not appear to be a prudent move for indebted taxpayers who might avail of the facility.
The stories about the Department of Social Protection’s use of Facebook to detect fraud raised more questions than they answered. So, I requested details from the Department of its use of social networking.
Here’s the relevant part of the response:
Social networking sites, such as Facebook, are not a systematic part of the Department’s on-going targeted fraud and error control activities.
Circumstances, however, may give rise to a member of staff examining publicly available information on the internet, for example following receipt of a report from a member of the public making reference to relevant information on social networking sites.
Information from such sources is not used as evidence to terminate a claim in payment but may result in a review of entitlement by the Department.
On a point of information, at the end of August 2010 (latest figures available)
over 7,200 anonymous reports were made to the Department’s Central Control Division. (Reports are also made directly to scheme areas and public offices which are not included in that figure).
500,000 reviews approx. were completed by the Department. Investigations which refer to social networking sites would be negligible in an overall context.
As only information which is publicly available on social networking sites is accessed in such investigations, the cooperation of the operators of such sites is not needed. The Department has not accessed, or sought to access, information on social networking sites which is not available to the public at large.
The above doesn’t necessarily get the Department around the requirements of the Data Protection Acts and it is not clear what the Department does with data submitted to it by members of the public which is not publicly available online.
Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspends the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.
This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:
“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.
We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.
It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.
The incident is certainly worthy of investigation by the Data Protection Commissioner.
* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.
The march of the machines is irresistible, with technology providing a range of opportunities for businesses to reduce the need for human input. There is a legal limit to such progress, but how many people know about it?
a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct
There are, as ever, exceptions to the ban, the most straightforward being consent. I have yet to see a set of terms and conditions containing such consent.
The widest exception concerns decisions made for the purposes of considering whether to contract with the data subject or in the course of performing such a contract. A further exception may arise where automatic decision making is required or authorised by law.
The contractual exception appears to strip the ban of much of its force. However, any exception to the ban on automated decision making only applies if the request for the entering into or the performance of the contract is granted or if there are suitable measures to safeguard the subject’s legitimate interests. Therefore, if the result of an automated decision is to not grant what the data subject requested, that decision will have to be reviewed by a human being.
A glaring question remains: what happens when section 6B is breached? As is often the case with data protection law in Ireland, the answer is unknown but it is likely that some enforcement proceeding might be engaged in by the Data Protection Commissioner.
Section 6B, which implements into Irish law Article 15 of the EU Data Protection Directive, appears to be ambiguously drafted (due to poor formatting), arguably making the contractual exemption wider than intended. I have, however, gone with the intention of the Directive on this point.
[Update: The European Commission decided on 31 January 2011 that the State of Israel is considered as providing an adequate level of protection for personal data. This permits data transfers in relation to automated processing only and excludes the exchange of data for national security purposes. It is mostly relevant to intra-company transfers; for example where an EU multinational has a place of business in Israel which might provide back-office services to the EU parent (eg. payroll processing or CRM).]
The Irish media yesterday gave prominence to the unexpected decision of the European Commission to halt a procedure under which Israeli data protection law would be recognised in the European Union. The Irish Times and RTÉ news reports on Thursday evening both opened with almost the exact same sentence:
The European Commission has halted a proposal to allow Israel access to potentially sensitive data on European Union citizens following concerns expressed by the Irish Government.
To me, this sentence suggests that the Israeli government would somehow have access to personal data about EU citizens. This is not the case. The proposal would merely have simplified cross-border transfers of personal data which can and do already occur. The failure of the Commission to approve Israel does not mean that such transfers cannot take place, only that they require extra paperwork.
It’s a technical legal issue, but one which has been simplified to a disappointingly misleading extent. (Today’s print report from the Times was a little more accurate.)
The use of bogus Irish passports by assassins and the suggestion that a stash of personal data was en route to Israel, but for the efforts of Dermot Ahern, makes for an exciting story. Unfortunately, reality is more mundane.
The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data …
The question of whether or not a country ensures an adequate level of protection for privacy and fundamental rights is primarily determined by the European Commission, which can approve countries for that purpose. The Commission has approved Switzerland, Canada, Argentina, Guernsey and the Isle of Man. The Commission has also approved certain transfers to the US, once they fall under the Department of Commerce Safe Harbor Privacy Principles or the Bureau of Customs and Border Protection Air Passenger Name Record system.
So, the default position is that personal data cannot be transferred from the EU to an unapproved country. However, this is not an absolute prohibition on such transfers: section 11(4) of the DPA provides that the restriction does not apply in certain circumstances, which can be summarised as follows:
if the transfer is required or authorised by law;
if the data subject has consented to the transfer;
if the transfer is necessary for contractual reasons in the interests of the data subject;
if the transfer is necessary for reasons of substantial public interest;
if the transfer is necessary for the purposes of obtaining legal advice;
if the transfer is necessary in order to prevent injury or other damage to the health or property of the data subject;
if the transfer is of part only of personal data on a public register;
if the transfer has been authorised by the Data Protection Commissioner; or
the transfer is made on terms of a kind approved by the Commissioner.
This represents a variety of ways in which the section 11 prohibition on transfers abroad can be worked around, though guidance on using these exemptions means that they are not as wide as they may seem at first.
Nevertheless, these exemptions are frequently used to facilitate cross-border data transfers. The most common examples of such transfers are those between group subsidiaries or transfers to service providers, usually for back-office services (finance, customer support, etc).
The most frequently used exemptions to section 11 are data subject consent, contractual necessity and transfers on terms approved by the Commissioner. This latter category involves the use of European Commission-approved model contracts which must be entered into by the transferor and transferee, or the use of binding corporate rules in the case of multinationals. These pass through EU data protection standards and obligations to the recipient of the data transfer.
The Israel incident
The European Commission websites do not appear to have any details of the recent developments in relation to Israel, but it is assumed that the proposal before the European Commission was to approve Israel as a country which ensures an adequate level of protection for privacy and fundamental rights.
If approval had gone through (and it seems that it may yet), transfers of personal data could have been made to Israel from the EEA without having to put in place additional measures like data subject consent or inter-party contracts. However, the transferor would still be subject to domestic data protection legislation and an Irish transferor would, for example, still be liable to data subjects.
The proposal would not have given anyone, as of right, access to the personal data of EU citizens. Neither does the failure of the proposal prevent the transfer of such data from the EEA to Israel: such transfers will just have to continue to operate under the exemptions listed above.
Today is National Famine Commemoration Day, which marks the Great Famine in Ireland. It is more a day of sombre reflection than celebration, but forms the hook on which I hang this: my first time hosting Blawg Review.
The Great Famine looms large in Irish history. It remains an issue, evidenced by the report in today’s Irish Times that there were “raised eyebrows at the absence of any representative from the British embassy” at a commemoration ceremony. Recently, controversy also erupted over plans to hold an auction of Famine artefacts. The collection to be auctioned appears to have survived thanks to the document retention policies of Irish lawyers.
The collection was held by Stewart and Kincaid, a Dublin law firm that acted on behalf of landlords in the 1840s. Thousands of letters were sent to the law firm by rent collectors and sub-landlords explaining why their tenants had not paid, and by clergymen asking for compassion to be shown to starving parishioners. The documents were stored at another Dublin law firm until a decade ago when it is said they decided to throw them out as they were not relevant to the business.
While Hollywood has occasionally concerned itself with the bellicose aspects of Irish history, there has been little dramatisation of the Great Famine. There is, however, Death or Canada, a docudrama which aims to tell “the compelling tale of how in 1847, the British Colony of Canada gave refuge to tens of thousands of Irish famine victims, who in turn were responsible for the building of North America as we know it today.” I missed it when it was broadcast on RTÉ but, having viewed the website, the IP lawyer in me can’t help but wonder if the logo used constitutes a State emblem and, if so, whether government consent was sought for its use.
On the topic of intellectual property and the movies, it seems that Iron Man 2 is “the most expensive movie ever made about an intellectual property dispute.” Maxwell Kennerly argues that the armoured suit at issue is not patented, but rather the subject of a trade secret. Unfortunately, I can’t read either post as I have yet to see the film and don’t want to prejudge the dispute.
Here in Ireland, there currently appears great interest (at least in media circles) in new constitutions and Second Republics. The debated deficiencies in the Irish constitution make an interesting contrast with that of the UK, which is thought to have worked well in producing a government from the “hung parliament” that the British electorate returned.
Instead of ushering in a ‘new republic’ or ‘renewed republic’ by means of a new Constitution, we ought, I [say], to try to re-imagine our relationship with the State and to become more deeply engaged with the Constitution that we have.
undercurrents of 1930s fascism, or at any rate the Mediterranean version of it as found in Salazar’s Portugal with state-sponsored corporatism; the particular ethos of the Roman Catholic church at the time (which was anything but progressive or liberal); the kind of rural idyll for what de Valera called a ‘frugal society’; and a view of women that saw them as homemakers subservient to the male population.
The UK doesn’t have a written constitution, but constitutional and rights-related issues are equally topical in that jurisdiction since the Conservative/Liberal Democrat government announced its coalition agreement. Charon QC says that the British “system of law and justice is creaking, underfunded, under developed and is not really meeting the needs of all in society”, but that the new coalition government has not got off to a bad start, with their programme for government including many law reform elements, such as a “freedom bill”. Henry Porter is more forthright:
One of the great pleasures of last week was hearing Jack Straw speaking on the Today programme in that patient, reasonable way of the true autocrat, and suddenly realising that I never have to pay attention to him again. Nor for a very long time will I have to listen to Mandelson, Campbell, Clarke, Smith, Reid, Falconer, Blunkett, Woolas or Blears: they’re history and the New Labour project to extend state control into so many areas of our lives is incontestably over.
The coalition results from what they refer to as a “hung parliament” in the UK. This is the default arrangement in Irish politics, where coalitions are an established and often unfortunate part of governance. Now that the UK is flirting with European-style coalition government, it might also consider the introduction of a written constitution.
Of course, written constitutions do not necessarily result in fewer troubles: the unresolved issues of blasphemy and abortion in the Irish Constitution receive attention from Eoin O’Dell and Brook Elliott-Buettner, respectively.
The Guardian has launched a new legal section including an already-excellent selection of blog posts from its Guardian Legal Network. It has devoted a good deal of attention to a big US story combining law and politics: President Obama’s nominee for a vacant Supreme Court seat. It is unfortunate that the sexuality of the nominee is an issue but, more so, it is quite bizarre that a photograph of the young Elena Kagan appears to have sparked such speculation.
The incident, which has shades of The Contender, highlights to Irish eyes the level of scrutiny, professional and political, which surrounds judicial appointments in the US. The highly politicised appointment process may be alien to Irish lawyers, but there is something impressive about the fanatical examination of a nominee’s record on particular legal issues.
Our judicial appointments system is superficially independent but remains political and, although the process is far less politicised than in the US, it is still “shrouded in mystery”. Edward McGarr discusses one of the long-running issues in the Irish judiciary: the lack of independent oversight. It seems a judicial council might finally be on the way, but:
What complaints will it receive? Possibly not all it should.
Though I don’t hold such lofty aspirations as a seat on the Irish Supreme Court, I am glad to know that, should the opportunity ever present itself, my humble undergraduate results are unlikely to be pored over by the blawggers at the Wall Street Journal, of whom Jess Bravin informs us that Kagan got her worst grade, a B- in torts.
She did marginally better in Criminal Law, with a B, and managed a B+ in Administrative Law. For the rest, it was all A or A-, except for passing ungraded courses in Accounting and Copyright.
A tenuous Irish theme got me the job of hosting this Blawg Review, so, given my Limerick location, I can hardly miss the opportunity to throw in another such theme by reproducing Madeleine Begun Kane‘s Kagan limerick.
“Obama’s Katrina,” they say.
“Obama’s H. Miers,” they pray.
To the wingnuts give thanks
For reminding the ranks
Of the many ways Bush went astray.
The future is … ?
The rather terrifying way in which we may be sleepwalking into a potential dystopian future was highlighted by two issues covered in blawgs this week: Facebook’s privacy practices and the rise of “personal genomics”.
the Net is an astonishing achievement with the potential, only partly but tantalizingly realized to date, to become a true milestone in the history of human communication and a possibly unstoppable force for the spread of liberty and freedom around the globe.
He says that the internet is “under siege” and that work must be done to keep it open. He differs, however, with Kouchner as to what the threats to the internet are. It is clear that, like Google, Facebook now intends to become “the internet” for many of its users and as ever, the threat may come from governments and large corporations rather than extremist groups.
The manner in which it changes privacy policies and settings has come under fire and the EU’s Article 29 Working Group (Brussels-speak for the European group of privacy regulators) says that these changes are unacceptable. However, Benn Parr argues that protecting privacy is up to users, not Facebook; though he does agree that the changes should have been better communicated. He is surprised that the media has “pile[d] up” on Facebook over the privacy issue, but surely such pressure merely reflects the fact that the site has gained such critical mass that, like Google, it has become the establishment and must expect such critiques.
(By the way, like everything these days, the Irish National Famine Memorial Day has a Facebook page.)
Google’s CEO, Eric Schmidt, famously said:
If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.
Which sounds suspiciously like the “innocent have nothing to fear” defence, excellently filleted by Eoin O’Dell.
Businesses scared of the internet might be tempted to shut down access to social media sites like Facebook, but David Donoghue gives some advice to them about adopting a realistic social media policy. This may be of interest to Irish journalists, who recently underwent a period of public introspection when the unconfirmed death of one of the country’s most popular radio presenters became the subject of twitgossip (twossip?). The controversy resulted in plans to introduce a social media policy in the country’s largest broadcaster.
While the online sphere is increasingly regulated by private enterprise, it is refreshing to see this creative workers’ rights protest, staged in the lobby of a hotel, proceed without being shut down or silenced by the hotel’s management (though one expects they were taken by surprise by this all-singing-all-dancing troupe of protestors) (from Waging Nonviolence).
21st Century privacy concerns won’t be online-only: Dan Vorhaus outlines recent developments in direct-to-consumer genetic testing and asks whether regulation is on the way. He says that the debate has long existed as to whether “individuals are capable of handling their own genetic information” and concludes:
Tests once predominantly available only to early adopters capable of seeking them out online will now begin to appear on the shelves of thousands of neighborhood drugstores nationwide. To a greater degree than ever before, genetic testing will soon be available to mainstream America (and subject to the impulse buy). And that, for better or for worse, may be all that it takes to convince some regulators that the time for action is finally at hand.
As with Facebook, there is a gap between theory and reality, between policy and consumer action. These products, whether they be Facebook’s instant personalisation service or chemist shop genetic tests, are flooding the market. Thought as to how they should be regulated struggles to keep up. Meanwhile, Ted Hennessy discusses the scarily-titled Genetic Information Non-Discrimination Act 2008 in the context of employment law. On this side of the pond, we similarly regulate the use of genetic data, but have tucked such regulation away in less exciting secondary legislation.
Of course, genetic discrimination is merely a veiled, sophisticated form of old-fashioned discrimination, in relation to which Bill Egnor makes some very good points as he notes the difference between immigrants of colour in the US and Irish illegals, who might pass below the radar.
It is the obvious problem with uneven enforcement that makes this law so pernicious. Who does an immigrant look like?
Such double standards are not unknown in Ireland, where Eastern European and non-European immigrants are called “non nationals”, but English, French, American and German residents are referred to by their nationality. And here, of course, Irish immigrants in the US are known as “undocumented”.
Blawg Review has information about next week’s host, and instructions how to get your blawg posts reviewed in upcoming issues.
Ireland’s data protection legislation was introduced in 1988, but the law only came to public attention after several high-profile data breaches in recent years. As in other jurisdictions, there have been calls for the introduction of an obligation to notify the authorities when a data breach has occurred or is likely to occur.
The Data Protection Commissioner has previously indicated that Ireland is likely to introduce a mandatory reporting law which will obligate data controllers to notify data subjects when their personal data has been leaked. At present, the EU plans to introduce a mandatory reporting law, but it would only apply to telecoms providers.
Karlin Lillington, in today’s Irish Times, adds her voice to those calling for a mandatory reporting law for all personal data breaches. She makes the point that the extent of data breaches will probably not be known until a mandatory reporting law is introduced, as was the case in California. This contention is supported by the Commissioner’s 2009 annual report, which attributes the increase in voluntary reporting of data breaches “to a greater awareness among organisations of their data protection responsibilities.” However, Karlin does not believe voluntary reporting is sufficient.
Given the reluctance of organisations to use a basic security tool such as encryption to lock down personal data, we need a legal threat to force adoption of this elementary form of best security practice.
We cannot sit about and wait for years for the subject to come back on to Europe’s agenda. No Irish citizen should have to wonder for years whether financial institutions, health organisations, insurance companies, energy suppliers, telecommunications companies, Government departments or small neighbourhood companies are keeping data safe – or dealing with the potentially catastrophic consequences if they are not.
In the UK it has been argued that a security breach notification law is not necessary. Dr. Chris Pounder argues that the existing law may already require data controllers to contact data subjects who are at risk of identity theft following a data security breach. Dr. Pounder bases this argument on the seventh data protection principle in the UK Data Protection Act 1998, which requires data controllers to take appropriate security measures against unauthorised or unlawful processing and accidental loss, destruction or damage, ensuring “a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage … and the nature of the data to be protected.”
He says that compliance with the seventh principle requires a risk assessment which will enable the organisation to determine what level of security is appropriate and to implement that level of security. Allied to that is the recent amendment to the UK legislation to allow the Information Commissioner (the UK equivalent of the Data Protection Commissioner) to fine an organisation up to £500,000 for serious breaches of data protection law. Dr. Pounder argues that the loss of unencrypted personal data would qualify as such a serious breach and could result in a fine. He contends that the type of data security breach laws widely adopted in US states are already present in the data protection principles set out in European data protection legislation.
This argument relies on an interpretation of the existing law, which a data controller or processor could challenge. The Irish Data Protection Acts 1988 and 2003 are similar to the UK legislation and require that appropriate security measures be taken to protect personal data. The legislation sets out the criteria to be considered when evaluating what security measures are appropriate, and the Commissioner has published guidance on this point. However, the Irish legislation does not provide for the extensive penalties possible under the UK law, and it may be a stretch to extend Dr. Pounder’s argument (if that argument is accepted at all) to Irish law. At any rate, a specific provision in the Data Protection Acts would be preferable to an interpretation.
A report from the Data Protection Review Group established by the Minister for Justice is expected soon and may well recommend the introduction of a mandatory reporting law. The Group’s consultation paper makes the point that a change in the law will not necessarily ensure protection against data breaches, but would “reduce the prospects of damage being done by such losses.”
The Group’s evaluation of the regulatory options shows concern that a move toward mandatory reporting could erode the historically collaborative approach of the Commissioner and data controllers to resolving data protection issues, and could force the Commissioner into a more confrontational enforcement role.
Such a role would provide more certainty and ensure that penalties apply where appropriate, but could involve significant cost on the part of the Commissioner’s office and would likely require the recruitment of enforcement specialists. Last year, for example, the Commissioner’s office put its legal requirements out to tender and the range of likely services sought tends to suggest that the expertise required to implement any new enforcement powers does not currently exist in-house.
[Updated 11/5/10; 6/4/11] People often wonder if it is possible to carry out a background check on someone in Ireland. The short answer is: not easily.
There is no central agency which deals with background checking. However:
Many are familiar with the concept of “Garda clearance”, but entitlement to apply for Garda clearance is very limited. Clearance services are provided by the Garda Central Vetting Unit and can only be sought by an organisation registered with it. Vetting is generally only carried out for the purposes of a proposed employment involving a significant amount of access to children or vulnerable adults. The proposed employee must consent to the vetting. The service has been extended to cover employment in the private security services industry and it appears likely that further extensions of the service will occur in future. Of potential relevance to background checking, a private investigator is a provider of a security service for the purposes of the Private Security Services Act 2004 and, accordingly, the regulatory regime operated by the Private Security Authority applies to their services.
Certain state agencies have specific authority to carry out background checks for licensing purposes (eg. haulage licensing).
The Irish Credit Bureau provides credit reports, most commonly for the purposes of lending. A credit report can be requested, usually by a bank or lender, with the consent of the customer. An individual is also entitled to request a copy of their own credit report.
One can carry out one’s own background check of an individual by doing basic research. However, a potential employee must be informed of checks that may be undertaken, and their consent must be obtained if the information sought is not already in the public domain. The same principle would likely apply to any other business or organisation carrying out a background check, for example on a customer. Even where the information is in the public domain, the general provisions of the Data Protection Acts 1988 and 2003 will apply if the data is retained on file.
Individuals may request a Police Certificate of Character from the Gardaí for specific purposes, for example when applying for a travel visa or authorisation to establish a business in another country, or for the purposes of inter-country adoption. An individual may also make a data access request in relation to their personal data held by an organisation or business. This includes the right to make such a request to the Gardaí, but they may be entitled to withhold certain data and the results of a data access request do not amount to Garda vetting or a statement of no record.
Employers and businesses should note that section 4(13) of the Data Protection Acts provides that it is an offence to require a person to make a data access request or supply the results of such a request in connection with employment or the provision of services.
For more information, see Chapter 4 of the Law Reform Commission report on spent convictions, which contains a comprehensive overview of vetting in Ireland.
Update (11 May 2010)
Fergal Mawe has an article in the May edition of the Law Society Gazette (pp.20-21 of this PDF) about the Garda vetting procedure and potential breaches of rights.
[T]he garda vetting form … refers to “a statement of all convictions and/or prosecutions, successful or not, pending or completed, in the state or elsewhere as the case may be”.
Say, for instance, if one were to be charged, prosecuted – but not convicted – the Garda Vetting Unit would still inform the employer that the applicant had been prosecuted, even if the outcome had been a not guilty verdict. To this end, the applicant would undoubtedly have his or her chances of winning the position severely damaged, if not totally eroded, due to the suspicion of a criminal history and an inference of guilt. On this point, it is hard not to see a series of breaches of a person’s human and constitutional rights – namely the right to a good name, the right to earn a living, the right to privacy, as well as a fair trial and a presumption of innocence.
To put it simply, if we are to live with a just legal system based on the presumption of innocence, an individual ought not to be prejudiced by prosecutions that did not lead to a criminal conviction.
Update (6 April 2011)
The Government has announced that its Summer legislative programme includes a Spent Convictions Bill:
To provide that in the case of convicted persons whose sentence is below a specific threshold (6 months imprisonment or a fine), they may, under certain circumstances, withhold details of the conviction.
One might have thought that such spent convictions would be omitted from Garda vetting by this Bill. However, while we await the text of that Bill, an indication is available in the Spent Convictions Bill 2007, drafted by the last Government. That Bill would effectively have prohibited reference to spent convictions when sentencing an individual on foot of a new conviction. It would also have provided that an individual would not have to disclose spent convictions, but the types of employment covered by Garda vetting would have been excluded by section 5. When presenting that Bill (now lapsed) for its second stage in the Dáil on 18 December 2008, Barry Andrews TD said:
An expert group reported in 2004 on the current arrangements operated by the Garda in co-operation with other agencies such as the Health Service Executive. The group’s report recommended that the vetting system should be put on a statutory footing and that it should address the question of soft information as well as hard information. Meanwhile, as Members are aware, a joint committee has been considering children’s rights and it recently recommended the introduction of legislation to put on a statutory footing the vetting arrangements. This recommendation will be pursued as a matter of urgency in the coming months.
However, the legislation was put on the long finger on more than one occasion. The new Government’s legislative programme (p.10) indicates that the heads of the National Vetting Bureau Bill are not yet agreed and a timeframe for expected publication is not yet available.