Data Protection Act 2003/ 2018

Roisin Farrell
 Data Protection Act 2003/2018
What does this act state?
The Data Protection Acts state that information about you must be accurate, must only be made
available to those that should have it and must only be used for specified purposes. You have the
right to access personal information relating to you and have any errors corrected or, in some
cases, have the information erased.

If your information is being held for the purposes of direct marketing, you can have your details
removed.

Data protection rights apply to information held on computer or in manual or paper files.

The Data Protection Commissioner is appointed by the Government. The Commissioner is

independent in the exercise of their functions. Individuals who feel their rights are being
infringed can complain to the Commissioner, who has powers to enforce the provisions of the
Act.

If you suffer damage as a result of a breach of your data protection rights, you may sue for
damages through the courts.

The Commissioner also maintains a register, available for public inspection, giving general
details about the data handling practices of many important data controllers, such as government
departments and State-sector bodies, financial institutions, and any person or organisation who
keeps sensitive types of personal data.

2018 changes
A new European Union-wide framework known as the General Data Protection Regulation
(GDPR) changes the rules on data protection. It provides for a more uniform interpretation and
application of data protection standards across the EU.

The Data Protection Act 2018, which was signed into law on 24 May 2018, changed the previous
data protection framework, established under the Data Protection Act 2003.

It includes :

● Establishing a new Data Protection Commission as the State’s data protection authority
● Transposing the law enforcement Directive into national law
● Giving further effect to the GDPR in areas where member states have flexibility (for
example, the digital age of consent)
Who does it protect?
The Data Protection Act protects everyone. The Data Protection Act controls how your personal
information is used by organisations, businesses or the government. The Act was designed to
protect people’s privacy, from businesses to individuals.

Why is it important?
It is important to protect people’s privacy and to protect the fundamental rights and freedoms of
persons that are related to that data. It is also important to prevent third party access
Some key information is stored by businesses in the form of employee records, loyalty schemes,
customer details, etc. These include name, address, phone number, email, bank details, health
information, etc. These are important and sensitive data and needs to be protected from third
parties. This information can be used for identity theft, scams or other types of criminal
activities.

How is it enforced?
The Acts (1988 & 2003) establishes the office of the Data Protection Commissioner. The
Commissioner's role is to ensure that those who keep personal information on computer comply
with the provisions of the Act. The Commissioner has a wide range of enforcement powers to
assist him/her in ensuring that the principles of data protection are being observed. These powers
include the serving of legal notices compelling a data controller to provide information needed to
assist his enquiries, or compelling a data controller to implement a provision of the Act. The
commissioner also investigates complaints made by the public and has wide powers in this area
also. He/she can authorise for officers to enter premises and inspect personal information kept on
computer.
Case study
Prosecution of AA Ireland Limited

In December 2017 the DPC received a complaint from an individual who had received
unsolicited marketing text messages from AA Ireland Limited. He informed the DPC that he had
recently received his motor insurance renewal quotation from his current insurance provider and
had decided to shop around to try to get a more competitive quotation. One of the companies he
telephoned for a quotation was AA Ireland Limited. The complainant informed the DPC that he
had expressly stated to the agent who answered his call that he wanted an assurance his details
would not be used for marketing purposes and that he had been given that assurance by the
agent. The phone call continued with the agent providing a quotation. The complainant noted
that the quotation was higher than the renewal quotation from his current insurance provider and
the complainant had indicated to the agent that he would not be proceeding with the quotation
offered by AA Ireland Limited.
The day after the phone call in question he had received a marketing text message from AA
Ireland Limited offering him €50 off the quote provided. A further similar text message was sent
to his mobile phone one day later. The complainant stated that he felt that this action was a
blatant breach of his very clear instructions that he did not wish to receive any marketing
communications.
During the course of the Data Protection Comission’s investigation, AA Ireland Limited
confirmed that it had sent both text messages to the complainant and admitted that it had not
obtained consent to send these messages to the complainant. The company acknowledged that
the complainant had requested that he not receive marketing messages, that the complainant’s
request should have been actioned and that his details should not have been used for marketing
purposes. The company claimed that the incident arose as a result of human error. It explained
that the correct process had not been followed by the agent so that the complainant’s details had
been recorded with an opt-in for him to receive marketing messages therefore resulting in
marketing text messages being sent to him.
As the DPC had previously issued a warning in separate circumstances to AA Ireland Limited in
relation to unsolicited marketing communications, in this instance the DPC decided to initiate
prosecute proceedings. At Dublin Metropolitan District Court on 14 May 2018 AA Ireland
Limited entered a guilty plea to one offence. It also agreed to cover the prosecution costs
incurred by the DPC.