The new Data Protection Regulation Directive will have implications for us all – not least for members of An Garda Síochána, writes Darren Martin
In May 2018 the General Data Protection Regulation Directive and the Law Enforcement Directive come into effect. The Directives deal with how an individual’s personal data is processed, used and disseminated by both private business and the public services of the State. They present a human rights-based approach to having one’s personal data protected. Additionally, they engage other human rights, such as the right to privacy, and are designed to impose strict obligations on those who handle and process information relating to individual persons. The legislation is currently passing through the Dáil as a Bill and shall be passed into law before May, when the new Regulation comes into effect.
The following are some of the new provisions that large State organisations, such as An Garda Síochána, shall be required to address when the legislation commences.
The terms referenced in the legislation designate specific roles and responsibilities. A data controller has overall responsibility for personal data held by the organisation. They have responsibility to ensure, amongst other things, that data is processed for a specific legitimate purpose and is accurate and up to date.
A Data Processor is a person who is authorised to process data on behalf of the controller. A ‘data subject’ is any natural living person to whom the data relates. The majority of members of An Garda Síochána hold the responsibilities of a data processor when they operate systems such as the PULSE system to access information. Processing includes collecting, recording, altering, retrieving or consulting data.
The Bill also creates a new role within organisations called the Data Protection Officer. This role is responsible for ensuring compliance within an organisation with data protection legislation. This includes conducting risk assessments for processing within the organisation. They ensure that their organisation has obtained the explicit consent of data subjects in obtaining their data, limit who has access to the data, establish the various time limits on holding data and, most importantly, provide for specific, targeted training for those involved in the processing of data.
The Bill establishes the Data Protection Commission, which shall be an independent authority for this purpose. This statutory body has responsibility for ensuring compliance with the regulation by others. Every controller and processor shall be obliged to cooperate with the Commission in exercising this duty. Where a processor becomes aware of a breach of data protection, the Controller is deemed aware and there shall be an obligation to inform the Data Protection Commission within a specific time period.
The Bill creates a right of access for a person to personal information about them held by a controller. A person, or data subject, may request in writing any data relating to them held by the data controller, and may enquire whether data has been processed and on what legal basis, the categories held and the retention period with that body. There are limits applicable in certain circumstances, especially for State agencies that have responsibility for enforcement of criminal legislation or protecting national security.
The Data Controller may restrict an access request where it is deemed necessary to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences, to protect national security or to protect the rights and freedoms of others.
The Controller may additionally refuse where the request relates to protecting the effectiveness of lawful methods, systems, plans or procedures employed in crime prevention or detection; where the access request impacts the safety of a prison or place of detention, or a system of communications, internal or external, used by An Garda Síochána; to protect the life or well-being of a person; or where it would prejudice national security or international relations. Any such refusal of an access request must be given in writing. This does not restrict a person seeking redress through the courts.
The two directives mark a new pan-European approach for law enforcement agencies across Europe in the new internet age. They attempt to protect the transient nature of how our data is used by private companies and the State into the future. The new Bill presents significant challenges and new obligations for law enforcement agencies on how data is collected, used and stored. The greater challenge for these bodies is having their staff trained and aware of their obligations with regard to data protection issues within their organisation.
The Data Protection Commission will have significant powers of investigation to examine the way these bodies conduct their operations and to examine data breaches. Many private companies are making advances towards compliance in the time left, given the significant fines that can apply for a breach. Fines do not apply to State agencies, but this does not diminish their responsibilities in this area. Where a breach occurs, a person can seek compensation where they suffer a loss as a result of the data breach.
The clock is counting down – are we ready?
Darren Martin is a Detective Garda and a Barrister.
For full and in-depth coverage, see the current printed edition of Garda Review.