As the
internet continues to grow, so does each user’s virtual portfolio. When a person uploads information like their health or banking data to a website, it’s stored and used by the entity in charge of that website. Because some of this information is private, proper regulations must be in place to provide protection against unauthorized uses of the data. Most countries connected to the internet have extensive
data protection acts in order to regulate the collection and dissemination of personal information over the web.
Irish Data Protection Act
In order to protect its citizens, Ireland released its Data Protection Act of 1988with very heavy standards of protection. The Act was amended in 2003, and that amended version currently serves as the basis for Irish data protection. As with other acts of this nature, Ireland’s goal is to make sure that its citizens’ data is only in the hands of the proper intended recipients and only used for its intended purposes.
Background and Definitions
Before discussing Section Eight of the Act, which details certain rights of data subjects, it’s important to introduce some vocabulary. A data subject is the individual from whom the data originates. A data controller is a person or entity that has been given authorization to handle the data of another person. Processing refers to any operation taken with regard to the data; this could mean collection, storage, organization, dissemination, or destruction of the data.
Section Eight Compliance
Section Eight of Ireland’s Data Protection Act deals with rights provided to a data subject. Subsection one of part A of this section gives the data subject power to request that a data controller stop processing certain data that the subject has provided. This type of request must be served on a data controller in writing, and it has to be made for specific reasons that involve the risk of unwarranted, substantial damage or distress to the data subject or a third party. Under this section, a data subject can only object to processing that is considered to be necessary for the completion the data controller’s goal for collecting the data or to complete a task that is in the public interest.
Subsection three prevents a data subject from taking action to prevent processing under subsection one if the subject has given explicit permission to the the controller to process the data or if the processing is necessary to fulfill any contractual or legal duties on the part of the subject. That is, if the data subject has previously OK’d the processing, or if the processing is part of an established contract, the subject can’t take back permission later on. Additionally, subsection one does not apply to processing conducted by political candidates running for election or politicians holding office.
Once a notice is served under subsection one, the data controller has 20 days to respond to the notice stating whether or not it will comply with the notice and, if it will not comply, the reasons for noncompliance. If the controller fails to comply with a notice that the Commissioner of the Act thinks is valid, the Commissioner has the ability to order the controller to take the steps necessary to comply with the notice. Any processing that may have any significant or legal effects on a data subject cannot be completed automatically. Put another way, a human must play a role in the processing of data that will have significant or legal effects on the data subject.
For more information about data protection, contact Revision Legal’s team of experienced internet attorneys through the form on this page or call 855-473-8474.
Image credit: Flickr user StockMonkeys.com