On the 30th of July, the
Irish Times reported that a restaurant had been warned, by
the Data Commissioner, against sending unsolicited marketing
text messages. Until now, people may have assumed that the
Commissioner only investigated direct marketing companies.
On the contrary, he is entitled to enquire into any reported
abuses of the Data Protection Act, committed by any type of
organisation.
In this particular case,
the restaurant had allegedly taken customers’ mobile
phone numbers from the reservation book and used them to send
out marketing texts relating to special offers. The clients
had apparently not been aware that their phone numbers would
be used for promotional purposes.
The general principle
of Data Protection is that individuals should be in a position
to control how data relating to them is used. People may be
aware of the Data Protection Act, as it relates to nuisance
mailing, or, in the case above, nuisance texting. However,
Data Protection legislation applies to any Irish organisation
which processes personal data, particularly, “sensitive”
data (relating to an individual’s racial/ethnic origin;
political opinions; religious/philosophical beliefs; trade
union membership; health; sexual life; criminal record). Penalties
can be levied against organisations which do not comply with
the legislation. These include fines up to €100,000.
The Data Protection Act
of 1988 dealt with personal information (relating to a living
identifiable individual) held electronically – on computers
and databases, for example – but the Data Protection
(Amendment) Act (2003) extended the remit to paper files.
The exemptions within the Amendment Act are due to expire
in October 2007.
Data means ‘information
in a form in which it can be processed’. While data
protection legislation creates rights for individuals, it
simultaneously entails responsibilities for organisations
which process personal data. Unlike Freedom of Information
(FOI), Data Protection applies to the private, as well as
the public, sector. Recently, it was decreed by the Information
Commissioner that any request made by an individual for their
personal information under FOI should also be examined under
Data Protection criteria, without the need for a separate
request to be made.
The Data Protection Commissioner
is responsible for upholding the rights of individuals, according
to the Data Protection Acts, for promoting good practice and
for enforcing the Acts’ obligations upon data controllers.
There are also some European functions. The Office of the
Data Protection Commissioner maintains a very informative
website: www.dataprotection.ie, which offers some illuminating
case studies as well as outlining the Eight Rules of Data
Protection:
· Obtain and process the information fairly
· Keep it only for one or more specified and lawful purposes
· Process it in ways compatible with the purposes for which it was given to you initially
· Keep it safe and secure
· Keep it accurate and up-to-date
· Ensure that it is adequate, relevant and not excessive
· Retain it no longer than is necessary for the specified purpose or purposes
· Give a copy of his/her personal data to any individual, on request
Awareness of one’s
rights under data protection is growing. Every organisation
needs to be aware of its responsibilities as a ‘data
controller/processor’ and to make sure that all its
staff members are made aware too. For example, ‘unauthorised
disclosure to a third party’ can apply to giving the
data to a different section of the same organisation. Data
Protection legislation applies to how an organisation collects,
keeps and disposes of data. Good records management within
an organisation will, therefore, assist in adhering to Data
Protection requirements.
At a conference in March 2007, a representative from the Office
of the Data Protection Commissioner advised that records management
is a key component in adhering to Data Protection. If, for
example, a proper records retention and disposition schedule
is in place, personal data will not be held for longer than
is necessary. A thorough records management programme will
also identify any records containing personal information
that would fall under Data Protection and contain strategies
for keeping this data safe and secure.