New rules up the ante on data protection

If paperwork is a headache for your business, then the new data protection laws could leave you with a resounding migraine.

If paperwork is a headache for your business, then the new data protection laws could leave you with a resounding migraine.

The Data Protection (Amendment) Act, 2003 came into force last week. The new law increases the rights that individuals have over any personal information held about them by businesses and organisations.

This means that businesses have a range of extra obligations to those on whom they hold information of almost any kind. Those most likely to be affected are employees and customers, but the law includes all individuals on whom any organisation holds personal information.

According to solicitor Mr Philip Nolan of Mason Hayes Curran, the key word in the Act for any business dealing in personal information is "consent". The data cannot be held or processed unless the subject first allows this.

READ SOME MORE

"It creates a new rule in relation to the processing of data," Mr Nolan explains.

"Everything that you do with the information is 'processing' and the legislation says that before you process data you must get that person's consent."

Getting the consent will depend on the individual situation. In some cases, it will be relatively easy, Mr Nolan says. For example, application forms for credit cards and loans can be used to include all the relevant information on how the information will be handled.

These can also include requests for permission to use the information for marketing and other purposes, or in the case of the insurance sector, shared between brokers and insurers.

Mr Liam Kennedy, partner with law firm A&L Goodbody, says employers can include the necessary terms and information in contracts and staff manuals.

Mr Kennedy points out the new legislation is particularly onerous for businesses who use direct mail. These will have to allow their customers the opportunity to opt out of receiving any or all of this material.

He also warns that e-commerce businesses will have to ensure that the personal information they store is secured and that they update the privacy policies posted on their websites.

They may also need to review their use of information tracking technology.

Mr Kennedy says that businesses should put in place privacy policies covering staff, customers and any other relevant individuals and security. He adds that all employees should be trained to deal with their obligations under the law.

The law divides personal information into two categories, general and sensitive. The latter can include details like membership of trade unions and political organisations, the fact that someone is suffering from an illness, religious beliefs, or a criminal record.

Sensitive information cannot be processed without explicit consent. This effectively means that each time the information is used or stored, the individual must first give consent.

Mr Kennedy points out that this has obvious implications for insurers and healthcare professionals among others. Doctors will have to obtain informed patient consent before passing on personal information to specialists or for use in clinical trials and research.

One provision severely restricts companies from transferring information outside the European Economic Area - which includes the EU, non-member states in western Europe and Iceland. Mr Kennedy predicts that this could cause problems for multinationals.

Manual files are included for the first time. Businesses have until 2007 to update existing material to ensure it is fully compliant. Any information collected and stored manually from this week has to fall in with the law.

The Act also has a provision requiring the registration of all data processors- anyone holding personal information on anyone else. This has not yet come into force and business organisations are lobbying to exclude small enterprises.

If you fail to comply, the law considerably boosts the powers of the Data Protection Commissioner, Mr Joe Meade. He will be able to conduct "dawn raids" and privacy audits of businesses and organisations to ensure compliance.

He already has the power to prosecute errant organisations in the District Court. Businesses could face criminal and civil proceedings if they fail to comply.

Maximum fines for summary conviction in the District Court have been increased from €1,270 to €3000, and for conviction on indictment by a jury from €67,000 to €100,000.

You have been warned. . .

Barry O'Halloran

Barry O'Halloran

Barry O’Halloran covers energy, construction, insolvency, and gaming and betting, among other areas