Data Protection Commissioner
Data Protection Commissioner

 

Number 6 of 2003

————————

DATA PROTECTION (AMENDMENT) ACT 2003

————————

ARRANGEMENT OF SECTIONS

 

Section

1.Definitions.

2.Amendment of section 1 (interpretation and application of Act) of Principal Act.

3.Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.

4.Provisions in relation to processing.

5.Amendment of section 4 (right of access) of Principal Act.

6.Amendment of section 5 (restriction of right of access) of Principal Act.

7.Amendment of section 6 (right of rectification or erasure) of Principal Act.

8.Certain rights of data subjects.

9.Amendment of section 8 (disclosure of personal data in certain cases) of Principal Act.

10.Additional functions of Commissioner.

11.Amendment of section 10 (enforcement of data protection) of Principal Act.

12.Restriction on transfer of personal data outside State.

13.Prior checking of processing by Commissioner.

14.Amendment of section 13 (codes of practice) of Principal Act.

15.Amendment of section 14 (annual report) of Principal Act.

16.Amendment of section 16 (the register) of Principal Act.

17.Amendment of section 17 (applications for registration) of Principal Act.

18.Amendment of section 18 (duration and continuance of registration) of Principal Act.

19.Amendment of Section 31 (penalties) of Principal Act.

20.Amendment of Second Schedule (the Data Protection Commissioner) to Principal Act.

21.Journalism, literature and art.

22.Repeals and Revocation.

23.Short title, collective citation, construction and com- mencement.

 

 
ACTS REFERRED TO:
 
Data Protection Act 19881988, No. 25
Dentists Act 19851985, No. 9
Freedom of Information Act 19971997, No. 13
Interpretation Act 19371937, No. 38
Medical Practitioners Act 19781978, No. 4
National Archives Act 19861986, No. 11
Social Welfare (Consolidation) Act 19931993, No. 27
Statistics Act 19931993, No. 21
 
 
DATA PROTECTION (AMENDMENT) ACT 2003
————————
AN ACT TO GIVE EFFECT TO DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 24 OCTOBER 1995 ON THE PROTECTION OF INDIVID- UALS WITH REGARD TO THE PROCESSING OF PER- SONAL DATA AND ON THE FREE MOVEMENT OF SUCH DATA, FOR THAT PURPOSE TO AMEND THE DATA PROTECTION ACT 1988 AND TO PROVIDE FOR RELATED MATTERS. [10th April, 2003]
 
BE IT ENACTED BY THE OIREACHTAS AS FOLLOWS:
 

1.—In this Act—Definitions.

‘‘Minister’’ means Minister for Justice, Equality and Law Reform; 
‘‘the Principal Act’’ means the Data Protection Act 1988. 
 

2.—Section 1 of the Principal Act is amended—Amendment of

 section 1
(interpretation and
(a) in subsection (1)—application of Act)
 of Principal Act.
(i) by the insertion of the following definitions: 
‘‘‘the Act of 2003’ means the Data Protection (Amendment) Act 2003;
‘automated data’ means information that—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded with the intention that it should be processed by means of such equipment;
‘blocking’, in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked;
‘the Directive’ means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
 
S.2regard to the processing of personal data and on the
 free movement of such data(1);
 ‘the EEA Agreement’ means the Agreement on the
 European Economic Area signed at Oporto on 2
 May 1992 as adjusted by the Protocol signed at Brus-
 sels on 17 March 1993;
 ‘enactment’ means a statute or a statutory instru-
 ment (within the meaning of the Interpretation Act
 1937);
 ‘the European Economic Area’ has the meaning
 assigned to it by the EEA Agreement;
 ‘manual data’ means information that is recorded as
 part of a relevant filing system or with the intention
 that it should form part of a relevant filing system;
 ‘relevant filing system’ means any set of information
 relating to individuals to the extent that, although
 the information is not processed by means of equip-
 ment operating automatically in response to instruc-
 tions given for that purpose, the set is structured,
 either by reference to individuals or by reference to
 criteria relating to individuals, in such a way that
 specific information relating to a particular individ-
 ual is readily accessible;
 ‘sensitive personal data’ means personal data as to—
 (a) the racial or ethnic origin, the political
 opinions or the religious or philosophical
 beliefs of the data subject,
 (b) whether the data subject is a member of a
 trade union,
 (c) the physical or mental health or condition
 or sexual life of the data subject,
 (d) the commission or alleged commission of
 any offence by the data subject, or
 (e) any proceedings for an offence committed
 or alleged to have been committed by the
 data subject, the disposal of such pro-
 ceedings or the sentence of any court in
 such proceedings;’’,
(ii)by the substitution of the following definition for the definition of ‘‘data’’:
‘‘‘data’ means automated data and manual data;’’,
(iii)by the substitution of the following for the definition of ‘‘direct marketing’’:
‘‘‘direct marketing’ includes direct mailing other than direct mailing carried out in the course of politi- cal activities by a political party or its members, or a
 
body established by or under statute or a candidate S.2 for election to, or a holder of, elective political office;’’,
(iv)by the substitution of the following definition for the definition of ‘‘personal data’’:
‘‘‘personal data’ means data relating to a living indi- vidual who is or can be identified either from the data or from the data in conjunction with other infor- mation that is in, or is likely to come into, the pos- session of the data controller;’’,
and
(v)by the substitution of the following definition for the definition of ‘‘processing’’:
‘‘‘processing’, of or in relation to information or data, means performing any operation or set of oper- ations on the information or data, whether or not by automatic means, including—
(a) obtaining, recording or keeping the infor- mation or data,
(b) collecting, organising, storing, altering or adapting the information or data,
(c) retrieving, consulting or using the infor- mation or data,
(d) disclosing the information or data by trans- mitting, disseminating or otherwise mak- ing it available, or
(e) aligning, combining, blocking, erasing or destroying the information or data;’’,
(b) by the insertion of the following subsections after subsection (3):
‘‘(3A) A word or expression that is used in this Act and also in the Directive has, unless the context otherwise requires, the same meaning in this Act as it has in the Directive.
(3B) (a) Subject to any regulations under section 15(2) of this Act, this Act applies to data controllers in respect of the processing of personal data only if—
(i)the data controller is established in the State and the data are processed in the context of that establishment, or
(ii)the data controller is established neither in the State nor in any other state that is a contracting party to the EEA Agree- ment but makes use of equipment in the State for processing the data otherwise than for the purpose of transit through the territory of the State.
 
S.2(b) For the purposes of paragraph (a) of this sub-
 section, each of the following shall be treated
 as established in the State:
 (i) an individual who is normally resident in
 the State,
 (ii) a body incorporated under the law of the
 State,
 (iii) a partnership or other unincorporated
 association formed under the law of the
 State, and
 (iv) a person who does not fall within subpara-
 graphs (i), (ii) or (iii) of this paragraph,
 but maintains in the State—
 (I) an office, branch or agency through
 which he or she carries on any
 activity, or
 (II) a regular practice,
 and the reference to establishment in any
 other state that is a contracting party to the
 EEA Agreement shall be construed
 accordingly.
 (c) A data controller to whom paragraph (a)(ii)
 of this subsection applies must, without preju-
 dice to any legal proceedings that could be
 commenced against the data controller, desig-
 nate a representative established in the State.
 (3C) Section 2 and sections 2A and 2B (which sections
 were inserted by the Act of 2003) of this Act shall not
 apply to—
 (a) data kept solely for the purpose of historical
 research, or
 (b) other data consisting of archives or departmental
 records (within the meaning in each case of
 the National Archives Act 1986),
 and the keeping of which complies with such require-
 ments (if any) as may be prescribed for the purpose of
 safeguarding the fundamental rights and freedoms of
 data subjects.’’,
 and
(c) by the insertion of the following subsection after subsection (4):
‘‘(5) (a) A right conferred by this Act shall not preju- dice the exercise of a right conferred by the Freedom of Information Act 1997.
 
(b) The Commissioner and the Information Com- missioner shall, in the performance of their functions, co-operate with and provide assist- ance to each other.’’.
 
3.—Section 2 of the Principal Act is amended—
(a) by the substitution of the following subsection for subsection (1):
‘‘(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
S.2
Amendment of section 2 (collection, processing, keeping, use and disclosure of personal data) of Principal Act.
(b) the data shall be accurate and complete and, where necessary, kept up to date,
(c) the data—
(i)shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii)shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii)shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv)shall not be kept for longer than is neces- sary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or unauthor- ised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a net- work, and against all other unlawful forms of processing.’’,
(b) in subsection (5), by the substitution of the following para- graph for paragraph (a):
‘‘(a) Subparagraphs (ii) and (iv) of paragraph (c) of the said subsection (1) do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects, and’’,
(c) by the deletion of subsection (6), and
(d) by the substitution of the following subsections for subsec- tion (7):
 
S.3‘‘(7) Where— 
 (a) personal data are kept for the purpose of direct
 marketing, and 
 (b) the data subject concerned requests the data
 controller in writing— 
 (i) not to process the data for that purpose,
 or 
 (ii) to cease processing the data for that
 purpose, 
 then— 
 (I) if the request is underparagraph
 (b)(i) of this subsection, the data
 controller— 
(A) shall, where the data are kept only for the purpose aforesaid, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, erase the data, and
(B) shall not, where the data are kept for that purpose and other purposes, process the data for that purpose after the expir- ation of the period aforesaid,
(II) if the request is under paragraph (b)(ii) of this subsection, as soon as may be and in any event not more than 40 days after the request has been given or sent to the data con- troller, he or she—
(A) shall, where the data are kept only for the purpose aforesaid, erase the data, and
(B) shall, where the data are kept for that purpose and other pur- poses, cease processing the data for that purpose,
and
(III) the data controller shall notify the data subject in writing accordingly and, where appropriate, inform him or her of those other purposes.
(8) Where a data controller anticipates that personal data, including personal data that is required by law to be made available to the public, kept by him or her will be processed for the purposes of direct marketing, the data controller shall inform the persons to whom the data relates that they may object, by means of a request in
 
writing to the data controller and free of charge, to such processing.’’.
 
4.—The following sections are inserted in the Principal Act after section 2:
‘‘Processing of personal data.
2A.—(1) Personal data shall not be processed by a data controller unless section 2 of this Act (as amended by the Act of 2003) is complied with by the data controller and at least one of the fol- lowing conditions is met:
(a) the data subject has given his or her con- sent to the processing or, if the data subject, by reason of his or her physi- cal or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giv- ing of such consent is not prohibited by law,
(b) the processing is necessary—
S.3
Provisions in relation to processing.
(i)for the performance of a contract to which the data subject is a party,
(ii)in order to take steps at the request of the data subject prior to entering into a contract,
(iii)for compliance with a legal obli- gation to which the data control- ler is subject other than an obli- gation imposed by contract, or
(iv)to prevent—
(I)injury or other damage to the health of the data subject, or
(II)serious loss of or damage to property of the data subject,
or otherwise to protect his or her vital interests where the seeking of the consent of the data subject or another person referred to in paragraph (a) of this subsection is likely to result in those interests being damaged,
(c) the processing is necessary—
(i)for the administration of justice,
(ii)for the performance of a function conferred on a person by or under an enactment,
 
S.4
Processing of sensitive personal data.
(iii)for the performance of a function of the Government or a Minister of the Government, or
(iv)for the performance of any other function of a public nature per- formed in the public interest by a person,
(d) the processing is necessary for the pur- poses of the legitimate interests pur- sued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any par- ticular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
(2) The Minister may, after consultation with the Commissioner, by regulations specify particu- lar circumstances in which subsection (1)(d) of this section is, or is not, to be taken as satisfied.
2B.—(1) Sensitive personal data shall not be processed by a data controller unless:
(a) sections 2 and 2A (as amended and inserted, respectively, by the Act of 2003) are complied with, and
(b) in addition, at least one of the following conditions is met:
(i)the consent referred to in para- graph (a) of subsection (1) of section 2A (as inserted by the Act of 2003) of this Act is explicitly given,
(ii)the processing is necessary for the purpose of exercising or per- forming any right or obligation which is conferred or imposed by law on the data controller in con- nection with employment,
(iii)the processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, prop- erty or otherwise to protect the vital interests of the data subject or of another person in a case where—
(I)consent to the processing cannot be given by or on behalf of the data subject in accordance with section
 
2A(1)(a) (inserted by the S.4 Act of 2003) of this Act, or
(II)the data controller cannot reasonably be expected to obtain such consent,
or the processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or dam- age to, the property of another person, in a case where such con- sent has been unreasonably withheld,
(iv)the processing—
(I)is carried out in the course of its legitimate activities by any body corporate, or any unincorporated body of per- sons, that—
(A)is not established, and whose activities are not carried on, for profit, and
(B)exists for political, philosophical, religious or trade union purposes,
(II)is carried out with appropri- ate safeguards for the funda- mental rights and freedoms of data subjects,
(III)relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes, and
(IV) does not involve disclosure of the data to a third party without the consent of the data subject,
(v)the information contained in the data has been made public as a result of steps deliberately taken by the data subject,
(vi)the processing is necessary—
(I)for the administration of justice,
(II)for the performance of a func- tion conferred on a person by or under an enactment, or
  
S.4(III) for theperformance of a
  function of the Government
  or a Minister of the
  Government,
 (vii) the processing—
 (I)is required for the purpose of
  obtaining legal advice or for
  the purposes of, or in con-
  nection with, legal pro-
  ceedings or prospective legal
  proceedings, or
 (II)is otherwise necessary for the
  purposesof establishing,
  exercising or defending legal
  rights, 
 (viii) the processing is necessary for
 medical purposes and is under-
 taken by— 
 (I)a health professional, or
(II) a person who in the circum- stances owes a duty of confi- dentiality to the data subject that is equivalent to that which would exist if that per- son were a health pro- fessional,
(ix) the processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act 1993, only for statistical, compilation and analysis purposes,
(x) the processing is carried out by political parties, or candidates for election to, or holders of, elective political office, in the course of electoral activities for the pur- pose of compiling data on people’s political opinions and complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects,
(xi) the processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest,
(xii) the processing is necessary for the purpose of the assessment, collec- tion or payment of any tax, duty, levy or other moneys owed or
 
payable to the State and the data S.4 has been provided by the data subject solely for that purpose,
(xiii)the processing is necessary for the purposes of determining entitle- ment to or control of, or any other purpose connected with the administration of any benefit, pension, assistance, allowance, supplement or payment under the Social Welfare (Con- solidation) Act 1993, or any non- statutory scheme administered by the Minister for Social, Com- munity and Family Affairs.
(2)The Minister may by regulations made after consultation with the Commissioner—
(a) exclude the application of subsection (1)(b)(ii) of this section in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in the said subsection (1)(b)(ii) is not to be regarded as satisfied unless such further conditions as may be specified are also satisfied.
(3) The Minister may by regulations make such provision as he considers appropriate for the protection of data subjects in relation to the pro- cessing of personal data as to—
(a) the commission or alleged commission of any offence by data subjects,
(b) any proceedings for an offence commit- ted or alleged to have been commit- ted by data subjects, the disposal of such proceedings or the sentence of any court in such proceedings,
(c) any act or omission or alleged act or omission of data subjects giving rise to administrative sanctions,
(d) any civil proceedings in a court or other tribunal to which data subjects are parties or any judgment, order or decision of such a tribunal in any such proceedings,
and processing of personal data shall be in com- pliance with any regulations under this subsection.
(4) In this section—
‘health professional’ includes a registered medical practitioner, within the meaning of the Medical
 
S.4
Security measures for personal data.
Practitioners Act 1978, a registered dentist, within the meaning of the Dentists Act 1985 or a member of any other class of health worker or social worker standing specified by regulations made by the Minister after consultation with the Minister for Health and Children and any other Minister of the Government who, having regard to his or her functions, ought, in the opinion of the Minister, to be consulted;
‘medical purposes’ includes the purposes of pre- ventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
2C.—(1) In determining appropriate security measures for the purposes of section 2(1)(d) of this Act, in particular (but without prejudice to the generality of that provision), where the pro- cessing involves the transmission of data over a network, a data controller—
(a) may have regard to the state of techno- logical development and the cost of implementing the measures, and
(b) shall ensure that the measures provide a level of security appropriate to—
(i)the harm that might result from unauthorised or unlawful pro- cessing, accidental or unlawful destruction or accidental loss of, or damage to, the data con- cerned, and
(ii)the nature of the data concerned.
(2)A data controller or data processor shall take all reasonable steps to ensure that—
(a) persons employed by him or her, and
(b) other persons at the place of work concerned,
are aware of and comply with the relevant secur- ity measures aforesaid.
(3) Where processing of personal data is car- ried out by a data processor on behalf of a data controller, the data controller shall—
(a) ensure that the processing is carried out in pursuance of a contract in writing or in another equivalent form between the data controller and the data processor and that the contract provides that the data processor car- ries out the processing only on and subject to the instructions of the data controller and that the data processor complies with obligations equivalent
 
Fair processing of personal data.
to those imposed on the data control- S.4 ler by section 2(1)(d) of this Act,
(b) ensure that the data processor provides sufficient guarantees in respect of the technical security measures, and organisational measures, governing the processing, and
(c) take reasonable steps to ensure com- pliance with those measures.
2D.—(1) Personal data shall not be treated, for the purposes of section 2(1)(a) of this Act, as processed fairly unless—
(a) in the case of data obtained from the data subject, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (2) of this section,
(b) in any other case, the data controller ensures, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in subsection (3) of this section—
(i)not later than the time when the data controller first processes the data, or
(ii)if disclosure of the data to a third party is envisaged, not later than the time of such disclosure.
(2)The information referred to in subsection (1)(a) of this section is:
(a) the identity of the data controller,
(b) if he or she has nominated a representa- tive for the purposes of this Act, the identity of the representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any other information which is neces- sary, having regard to the specific cir- cumstances in which the data are or are to be processed, to enable pro- cessing in respect of the data to be fair to the data subject such as infor- mation as to the recipients or categor- ies of recipients of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible
 
S.4consequences of failure to give such
 replies and as to the existence of the
 right of access to and the right to rec-
 tify the data concerning him or her.
 (3) The information referred to in subsection
 (1)(b) of this section is:
 (a) the information specified in subsection
 (2) of this section,
 (b) the categories of data concerned, and
 (c) the name of the original data controller.
 (4) The said subsection (1)(b) does not
 apply—
Amendment of section 4 (right of access) of Principal Act.
(a) where, in particular for processing for statistical purposes or for the pur- poses of historical or scientific research, the provision of the infor- mation specified therein proves impossible or would involve a dispro- portionate effort, or
(b) in any case where the processing of the information contained or to be con- tained in the data by the data control- ler is necessary for compliance with a legal obligation to which the data con- troller is subject other than an obli- gation imposed by contract,
if such conditions as may be specified in regu- lations made by the Minister after consultation with the Commissioner are complied with.’’.
 
5.—Section 4 of the Principal Act is amended—
(a) in subsection (1), by the substitution of the following para- graphs for paragraphs (a) and (b):
‘‘(a) Subject to the provisions of this Act, an individual shall, if he or she so requests a data controller by notice in writing—
(i)be informed by the data controller whether the data processed by or on behalf of the data controller include personal data relating to the individual,
(ii)if it does, be supplied by the data controller with a description of—
(I)the categories of data being processed by or on behalf of the data controller,
(II)the personal data constituting the data of which that individual is the data subject,
 
(III) the purpose or purposes of the processing, S.5 and
(IV) the recipients or categories of recipients to whom the data are or may be disclosed,
(iii)have communicated to him or her in intelli- gible form—
(I)the information constituting any personal data of which that individual is the data subject, and
(II)any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,
and
(iv)where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to consti- tute the sole basis for any decision signifi- cantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,
as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without expla- nation, the information shall be accompanied by an explanation of those terms.
(b) A request under paragraph (a) of this subsection that does not relate to all of its subparagraphs shall, in the absence of any indication to the con- trary, be treated as relating to all of them.’’,
(b) by the insertion of the following subsection after subsection (4):
‘‘(4A) (a) Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.
(b) Paragraph (a) of this subsection does not apply—
(i)to personal data held by or on behalf of the person in charge of an institution referred to in section 5(1)(c) of this Act and consisting of an expression of opinion by another person about the data subject if the data subject is being or was detained in such an institution, or
 
S.5 (ii) if the expression of opinion referred to in
  that paragraph was given in confidence
  or on the understanding that it would be
  treated as confidential.’’,
(c)in subsection (8)(a), by the insertion after ‘‘in the interests
  of data subjects’’ of ‘‘or in the public interest’’, and
(d)by the insertion of the following subsections after subsection
(8):
‘‘(9) The obligations imposed by subsection (1)(a)(iii) (inserted by the Act of 2003) of this section shall be com- plied with by supplying the data subject with a copy of the information concerned in permanent form unless—
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
(b) the data subject agrees otherwise.
(10) Where a data controller has previously complied with a request under subsection (1) of this section, the data controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the data control- ler, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
(11) In determining for the purposes of subsection (10) of this section whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).
(13) (a) A person shall not, in connection with—
(i) the recruitment of another person as an employee,
(ii) the continued employment of another person, or
(iii) a contract for the provision of services to him or her by another person,
require that other person—
(I) to make a request under subsection (1) of this section, or
 
(II)to supply him or her with data relating to S.5 that other person obtained as a result of such a request.
(b) A person who contravenes paragraph (a) of this subsection shall be guilty of an offence.’’.
 
6.—Section 5 of the Principal Act is amended by the insertion in subsection (1) before paragraph (h) of the following paragraph:
‘‘(gg) kept by the Commissioner or the Information Com- missioner for the purposes of his or her functions,’’.
 
7.—Section 6 of the Principal Act is amended—
(a) in subsection (1), by the insertion after ‘‘where appropri- ate,’’ of ‘‘blocked or’’, and
(b) by the substitution of the following subsection for subsec- tion (2):
‘‘(2) Where a data controller complies, or is deemed to have complied, with a request under subsection (1) of this section, he or she shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him or her, notify—
(a) the individual making the request, and
(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request unless such notification proves impossible or involves a disproportionate effort,
Amendment of section 5 (restriction of right of access) of Principal Act.
Amendment of section 6 (right of rectification or erasure) of Principal Act.
of the rectification, blocking, erasure or statement concerned.’’.
 
8.—The following sections are inserted in the Principal Act afterCertain rights of
section 6:data subjects.
‘‘Right of data subject to object to processing likely to cause damage or distress.
6A.—(1) Subject to subsection (3) and unless otherwise provided by any enactment, an individ- ual is entitled at any time, by notice in writing served on a data controller, to request him or her to cease within a reasonable time, or not to begin, processing or processing for a specified purpose or in a specified manner any personal data in respect of which he or she is the data subject if the processing falls within subsection (2) of this section on the ground that, for specified reasons—
(a) the processing of those data or their pro- cessing for that purpose or in that manner is causing or likely to cause substantial damage or distress to him or her or to another person, and
 
S.8(b) the damage or distress is or would be
  unwarranted.  
 (2) This subsection applies to processing that
 is necessary—  
 (a) for the performance of a task carried out
  in the public interest or in the exercise
  of official authority vested in the data
  controller or in a third party to whom
  the data are or are to be disclosed, or
 (b) forthepurposesofthe legitimate
  interests pursued by the data control-
  ler to whom the data are or are to be
  disclosed, unless those interests are
  overridden by the interests of the data
  subject in relation to fundamental
  rights and freedoms and, in particular,
  his or her right to privacy with respect
  to the processing of personal data.
 (3) Subsection (1) does not apply— 
 (a) inacase where the data subject has
  given his or her explicit consent to the
  processing,  
 (b)if the processing is necessary— 
  (i) for the performance of a contract
  to which the data subject is a
  party,  
  (ii) inorder totakestepsat the
  request of the data subject prior
  to his or her entering into a
  contract,  
  (iii)for compliance with any legal obli-
  gation to which the data control-
  ler or data subject is subject other
  than one imposed by contract, or
  (iv)to protect the vital interests of the
  data subject,  
 (c)to processing carried out by political par-
  ties or candidates for election to, or
  holders of elective political office, in
  the course of electoral activities, or
(d) in such other cases, if any, as may be specified in regulations made by the Minister after consultation with the Commissioner.
(4) Where a notice under subsection (1) of this section is served on a data controller, he or she shall, as soon as practicable and in any event not later than 20 days after the receipt of the notice, serve a notice on the individual concerned—
 
Rights in relation to automated decision taking.
(a) stating that he or she has complied or S.8 intends to comply with the request concerned, or
(b) stating that he or she is of opinion that the request is unjustified to any extent and the reasons for the opinion and the extent (if any) to which he or she has complied or intends to comply with it.
(5) If the Commissioner is satisfied, on the application to him or her in that behalf of an indi- vidual who has served a notice under subsection
(1) of this section that appears to the Com- missioner to be justified, or to be justified to any extent, that the data controller concerned has failed to comply with the notice or to comply with it to that extent and that not less than 40 days have elapsed since the receipt of the notice by him or her, the Commissioner may, by an enforcement notice served on the data controller, order him or her to take such steps for complying with the request, or for complying with it to that extent, as the Commissioner thinks fit and speci- fies in the enforcement notice, and that notice shall specify the reasons for the Commissioner being satisfied as aforesaid.
6B.—(1) Subject to subsection (2) of this section, a decision which produces legal effects concerning a data subject or otherwise signifi- cantly affects a data subject may not be based solely on processing by automatic means of per- sonal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the gener- ality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct.
(2) Subsection (1) of this section does not apply—
(a) in a case in which a decision referred to in that subsection—
(i)is made in the course of steps taken—
(I)for the purpose of consider- ing whether to enter into a contract with the data subject,
(II)with a view to entering into such a contract, or
(III)in the course of performing such a contract,
or
 
S.8(ii) is authorised or required by any
 enactment and the data subject
 has been informed of the pro-
 posal to make the decision, and
 (iii) either—
Amendment of section 8 (disclosure of personal data in certain cases) of Principal Act.
Additional functions of Commissioner.
(I) the effect of the decision is to grant a request of the data subject, or
(II) adequate steps have been taken to safeguard the legit- imate interests of the data subject by, for example (but without prejudice to the gen- erality of the foregoing), the making of arrangements to enable him or her to make representations to the data controller in relation to the proposal,
or
(b) if the data subject consents to the pro- cessing referred to in subsection (1).’’.
 
9.—Section 8 of the Principal Act is amended by—
(a) the substitution of ‘‘processing’’ for ‘‘disclosure’’ in each place where it occurs, and
(b) the deletion of paragraph (g).
 
10.—Section 9 of the Principal Act is amended by the insertion of the following subsections after subsection (1):
‘‘(1A) (a) The lawfulness of the processing of personal data (including their transmission to the Central Unit of Eurodac established pursuant to the Council Regulation) in accordance with the Council Regu- lation shall be monitored by the Commissioner.
(b) In paragraph (a) of this subsection, ‘the Council Regulation’ means Council Regulation (EC) No. 2725/2000 of 11 December 2000(2) concerning the establishment of Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention.
(1B) The Commissioner shall arrange for the dissemination in such form and manner as he or she considers appropriate of—
(a) any Community finding (within the meaning of subsec- tion (2)(b) (inserted by the Act of 2003) of section 11 of this Act),
(b) any decision of the European Commission or the Euro- pean Council under the procedure provided for in Article 31(2) of the Directive that is made for the
(2) O.J. No. L 316, 15.12.00, p. 0001-0010.
 
purposes of paragraph 3 or 4 of Article 26 of the S.10 Directive, and
(c) such other information as may appear to him or her to be expedient to give to data controllers in relation to the protection of the rights and freedoms of data subjects in respect of the processing of personal data in countries and territories outside the European Economic Area.
(1C) The Commissioner shall be the supervisory authority in the State for the purposes of the Directive.
(1D) The Commissioner shall also perform any functions in relation to data protection that the Minister may confer on him or her by regulations for the purpose of enabling the Govern- ment to give effect to any international obligations of the State.’’.
 
11.—Section 10 of the Principal Act is amended—
(a) in subsection (1)—
(i)in paragraph (a), by the deletion of ‘‘by a data con- troller or a data processor’’, and
(ii)in paragraph (b), by the substitution of the following subparagraph for subparagraph (ii):
‘‘(ii) if he or she is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the indi- vidual may, if aggrieved by the decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him or her of the notification.’’,
(b) by the insertion of the following subsection after subsection (1):
‘‘(1A) The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the pro- visions of this Act and to identify any contravention thereof.’’,
(c) in subsection (2), by the deletion of ‘‘, being a data control- ler or a data processor,’’,
(d) in subsection (3), by the substitution of the following para- graph for paragraph (a):
‘‘(a) to block, rectify, erase or destroy any of the data concerned, or’’,
and
Amendment of section 10 (enforcement of data protection) of Principal Act.
(e) in subsection (7), by the substitution of the following for so much of the subsection as follows paragraph (a):
 
S.11
Restriction on transfer of personal data outside State.
[No. 6.]Data Protection (Amendment) Act [2003.]
 2003.
 ‘‘(b) if such compliance materially modifies the data con-
 cerned, any person to whom the data were dis-
 closed during the period beginning 12 months
 before the date of the service of the enforcement
 notice concerned and ending immediately before
 such compliance unless such notification proves
 impossible or involves a disproportionate effort,
 of the blocking, rectification, erasure, destruction or
 statement concerned.’’.
 
12.—The following section is substituted for section 11 of the Prin- cipal Act:
‘‘11.—(1) The transfer of personal data to a country or terri- tory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of pro- tection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data having regard to all the circumstances surrounding the transfer and, in particular, but without prejudice to the generality of the foregoing, to—
(a) the nature of the data,
(b) the purposes for which and the period during which the data are intended to be processed,
(c) the country or territory of origin of the information con- tained in the data,
(d) the country or territory of final destination of that information,
(e) the law in force in the country or territory referred to in paragraph (d),
(f) any relevant codes of conduct or other rules which are enforceable in that country or territory,
(g) any security measures taken in respect of the data in that country or territory, and
(h) the international obligations of that country or territory.
(2) (a) Where in any proceedings under this Act a question arises—
(i)whether the adequate level of protection speci- fied in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and
(ii)a Community finding has been made in relation to transfers of the kind in question,
the question shall be determined in accordance with that finding.
(b) In paragraph (a) of this subsection ‘Community finding’ means a finding of the European Commission made
 
for the purposes of paragraph (4) or (6) of Article S.12 25 of the Directive under the procedure provided for
in Article 31(2) of the Directive in relation to whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area.
(3)The Commissioner shall inform the Commission and the supervisory authorities of the other Member States of any case where he or she considers that a country or territory outside the European Economic Area does not ensure the adequate level of protection referred to in subsection (1) of this section.
(4)(a) This section shall not apply to a transfer of data if—
(i)the transfer of the data or the information consti- tuting the data is required or authorised by or under—
(I)any enactment, or
(II)any convention or other instrument imposing an international obligation on the State,
(ii)the data subject has given his or her consent to the transfer,
(iii)the transfer is necessary—
(I)for the performance of a contract between the data subject and the data controller, or
(II)for the taking of steps at the request of the data subject with a view to his or her entering into a contract with the data controller,
(iv)the transfer is necessary—
(I)for the conclusion of a contract between the data controller and a person other than the data subject that—
(A)is entered into at the request of the data subject, and
(B)is in the interests of the data subject, or
(II)for the performance of such a contract,
(v)the transfer is necessary for reasons of substantial public interest,
(vi)the transfer is necessary for the purpose of obtaining legal advice or for the purpose of or in connection with legal proceedings or prospec- tive legal proceedings or is otherwise necessary for the purposes of establishing or defending legal rights,
 
S.12(vii) the transfer is necessary in order to prevent
 injury or other damage to the health of the data
 subject or serious loss of or damage to property
 of the data subject or otherwise to protect his or
 her vital interests, and informing the data sub-
 ject of, or seeking his or her consent to, the
 transfer is likely to damage his or her vital
 interests,
 (viii) the transfer is of part only of the personal data
 on a register established by or under an enact-
 ment, being—
 (I) a register intended for consultation by the
 public, or
 (II) a register intended for consultation by per-
 sons having a legitimate interest in its sub-
 ject matter,
 and, in the case of a register referred to in clause
 (II) of this subparagraph, the transfer is made,
 at the request of, or to, a person referred to in
 that clause and any conditions to which such
 consultation is subject are complied with by any
 person to whom the data are or are to be trans-
 ferred, or
 (ix) the transfer has been authorised by the Com-
 missioner where the data controller adduces
 adequate safeguards with respect to the privacy
 and fundamental rights and freedoms of individ-
 uals and for the exercise by individuals of their
 relevant rights under this Act or the transfer is
 made on terms of a kind approved by the Com-
 missioner as ensuring such safeguards.
(b) The Commissioner shall inform the European Com- mission and the supervisory authorities of the other states in the European Economic Area of any auth- orisation or approval under paragraph (a)(ix) of this subsection.
(c) The Commissioner shall comply with any decision of the European Commission under the procedure laid down in Article 31.2 of the Directive made for the purposes of paragraph 3 or 4 of Article 26 of the Directive.
(5) The Minister may, after consultation with the Com- missioner, by regulations specify—
(a) the circumstances in which a transfer of data is to be taken for the purposes of subsection (4)(a)(v) of this section to be necessary for reasons of substantial public interest, and
(b) the circumstances in which such a transfer which is not required by or under an enactment is not to be so taken.
 
(6) Where, in relation to a transfer of data to a country or S.12 territory outside the European Economic Area, a data control-
ler adduces the safeguards for the data subject concerned referred to in subsection (4)(a)(ix) of this section by means of a contract embodying the contractual clauses referred to in para- graph 2 or 4 of Article 26 of the Directive, the data subject shall have the same right—
(a) to enforce a clause of the contract conferring rights on him or her or relating to such rights, and
(b) to compensation or damages for breach of such a clause,
that he or she would have if he or she were a party to the contract.
(7)The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State unless such transfer is required or authorised by or under any enactment or required by any con- vention or other instrument imposing an international obligation on the State.
(8)In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.
(9)A prohibition under subsection (7) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.
(10)A prohibition notice shall—
(a) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,
(b) specify the time when it is to take effect,
(c) specify the grounds for the prohibition, and
(d) subject to subsection (12) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition speci- fied in the notice within 21 days from the service of the notice on him or her.
(11)Subject to subsection (12) of this section, the time speci- fied in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (10)(d) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (15) of this section shall not apply in relation thereto, pending the deter- mination or withdrawal of the appeal.
(12)If the Commissioner—
 
S.12(a)by reason of special circumstances, is of opinion that a
  prohibition specified in a prohibition notice should
  be complied with urgently, and
 (b)includes a statement to that effect in the notice,
Prior checking of processing by Commissioner.
subsections (10)(d) and (11) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3)) of this Act and shall not require compliance with the pro- hibition before the end of the period of 7 days beginning on the date on which the notice is served.
(13)The Commissioner may cancel a prohibition notice and, if he or she does so, shall notify in writing the person on whom it was served accordingly.
(14)(a) This section applies, with any necessary modifi- cations, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer of personal data from the State to such a place.
(b) In paragraph (a) of this subsection ‘information’ means information (not being data) relating to a living individual who can be identified from it.
(15) A person who, without reasonable excuse, fails or ref- uses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.’’.
 
13.—The following section is inserted into the Act of 1988 after section 12:
‘‘12A.—(1) This section applies to any processing that is of a prescribed description, being processing that appears to the Commissioner to be particularly likely—
(a) to cause substantial damage or substantial distress to data subjects, or
(b) otherwise significantly to prejudice the rights and free- doms of data subjects.
(2) The Commissioner, on receiving—
(a) an application under section 17 of this Act by a person to whom section 16 of this Act applies for regis- tration in the register and any prescribed infor- mation and any other information that he or she may require, or
(b) a request from a data controller in that behalf,
shall consider and determine—
(i) whether any of the processing to which the application or request relates is processing to which this section applies,
 
(ii) if it does, whether the processing to which this section S.13 applies is likely to comply with the provisions of this Act.
(3)Subject to subsection (4) of this section, the Com- missioner shall, within the period of 90 days from the day on which he or she receives an application or a request referred to in subsection (2) of this section, serve a notice on the data con- troller concerned stating the extent to which, in the opinion of the Commissioner, the proposed processing is likely or unlikely to comply with the provisions of this Act.
(4)Before the end of the period referred to in subsection (3), the Commissioner may, by reason of special circumstances, extend that period once only, by notice in writing served on the data controller concerned, by such further period not exceeding 90 days as the Commissioner may specify in the notice.
(5)If, for the purposes of his or her functions under this section, the Commissioner serves an information notice on the data controller concerned before the end of the period referred to in subsection (3) of this section or that period as extended under subsection (4) of this section—
(a) the period from the date of service of the notice to the date of compliance with the requirement in the notice, or
(b) if the requirement is set aside under section 26 of this Act, the period from the date of such service to the date of such setting aside,
shall be added to the period referred to in the said subsection
(3)or that period as so extended as aforesaid.
(6)Processing to which this section applies shall not be car- ried on unless—
(a) the data controller has—
(i)previously made an application under section 17 of this Act and furnished the information speci- fied in that section to the Commissioner, or
(ii)made a request under subsection (2) of this section,
and
(b) the data controller has complied with any information notice served on him or her in relation to the matter, and
(c) (i) the period of 90 days from the date of the receipt of the application or request referred to in subsec- tion (3) of this section (or that period as extended under subsections (4) and (5) of this section or either of them) has elapsed without the receipt by the data controller of a notice under the said subsection (3), or
(ii) the data controller has received a notice under the said subsection (3) stating that the particular
 
S.13processing proposed to be carried on is likely to
 comply with the provisions of this Act, or
 (iii) the data controller—
Amendment of section 13 (codes of practice) of Principal Act.
(I)has received a notice under the said subsec- tion (3) stating that, if the requirements specified by the Commissioner (which he or she is hereby authorised to specify) and appended to the notice are complied with by the data controller, the processing pro- posed to be carried on is likely to comply with the provisions of this Act, and
(II)has complied with those requirements.
(7)A person who contravenes subsection (6) of this section shall be guilty of an offence.
(8)An appeal against a notice under subsection (3) of this section or a requirement appended to the notice may be made to and heard and determined by the Court under section 26 of this Act and that section shall apply as if such a notice and such a requirement were specified in subsection (1) of the said section 26.
(9)The Minister, after consultation with the Commissioner, may by regulations amend subsections (3), (4) and (6) of this section by substituting for the number of days for the time being specified therein a different number specified in the regulations.
(10)A data controller shall pay to the Commissioner such fee (if any) as may be prescribed in respect of the consideration by the Commissioner, in relation to proposed processing by the data controller, of the matters referred to in paragraphs (i) and
(ii)of subsection (2) of this section and different fees may be prescribed in relation to different categories of processing.
(11)In this section a reference to a data controller includes a reference to a data processor.’’.
 
14.—(1) Section 13 of the Principal Act is amended—
(a) by the substitution of the following subsection for subsection (2):
‘‘(2) The Commissioner shall—
(a) where a code of practice (referred to sub- sequently in this section as a code) so pre- pared is submitted to him or her for consider- ation, consider the code and, after such consultation with such data subjects or per- sons representing data subjects and with the relevant trade associations or other bodies aforesaid as appears to him or her to be appropriate—
(i)if he or she is of opinion that the code provides for the data subjects concerned a measure of protection with regard to
 
personal data relating to them that con- S.14 forms with that provided for by section 2, sections 2A to 2D (inserted by the Act of 2003) and sections 3 and 4 (other than subsection (8)) and 6 of this Act, approve
of the code and encourage its dissemi- nation to the data controllers concerned, and
(ii)in any event notify the association or body concerned of his or her decision to approve or not to approve the code,
(b) where he or she considers it necessary or desir- able to do so and after such consultation with any trade associations or other bodies referred to in subsection (1) of this section having an interest in the matter and data sub- jects or persons representing data subjects as he or she considers appropriate, prepare, and arrange for the dissemination to such persons as he or she considers appropriate of, codes of practice for guidance as to good practice in dealing with personal data, and subsection (3) of this section shall apply to a code of practice prepared under this subsection as it applies to a code,
(c) in such manner and by such means as he or she considers most effective for the purposes of this paragraph, promote the following of good practice by data controllers and, in particular, so perform his or her functions under this Act as to promote compliance with this Act by data controllers,
(d) arrange for the dissemination in such form and manner as he or she considers appropriate of such information as appears to him or her to be expedient to give to the public about the operation of this Act, about the practices in processing of personal data (including com- pliance with the requirements of this Act) that appear to the Commissioner to be desir- able having regard to the interests of data subjects and other persons likely to be affected by such processing and about other matters within the scope of his or her func- tions under this Act, and may give advice to any person in relation to any of those matters.’’,
and
(b) by the insertion of the following subsections after subsection (4):
‘‘(5) The Commissioner shall be paid by a person in relation to whom a service is provided under this section such fee (if any) as may be prescribed and different fees may be prescribed in relation to different such services and different classes of persons.
 
S.14
Amendment of section 14 (annual report) of Principal Act.
Amendment of section 16 (the register) of Principal Act.
[No. 6.]Data Protection (Amendment) Act [2003.]
 2003.
 (6) In proceedings in any court or other tribunal, any
 provision of a code, or a code of practice, approved under
 subsection (3) of this section that appears to the court or
 other tribunal concerned to be relevant to the pro-
 ceedings may be taken into account in determining the
 question concerned.’’.
(2) A code of practice approved under subsection (2) of the said section 13 and in force immediately before the commencement of this section shall continue in force after such commencement as if approved under subsection (2) (inserted by this section) of section 13 of the Principal Act.
 
15.—Section 14 of the Principal Act is amended by the insertion of the following subsection after subsection (2):
‘‘(3) For the purposes of the law of defamation, a report under subsection (1) shall be absolutely privileged.’’.
 
16.—Section 16 of the Act of 1988 is amended by the substitution of the following subsection for subsection (1):
‘‘(1) In this section ‘person to whom this section applies’ means a data controller and a data processor (other than such (if any) categories of data controller and data processor as may be specified in regulations made by the Minister after consul- tation with the Commissioner) except in so far as—
(a) they carry out—
(i)processing whose sole purpose is the keeping in accordance with law of a register that is intended to provide information to the public and is open to consultation either by the public in general or by any person demonstrating a legitimate interest,
(ii)processing of manual data (other than such cat- egories, if any, of such data as may be prescribed), or
(iii)any combination of the foregoing categories of processing,
or
Amendment of section 17 (applications for registration) of Principal Act.
(b) the data controller is a body that is not established or conducted for profit and is carrying out processing for the purposes of establishing or maintaining mem- bership of or support for the body or providing or administering activities for individuals who are either members of the body or have regular contact with it.’’.
 
17.—Section 17 of the Principal Act is amended—
(a) in subsection (1)—
(i)by the substitution of the following paragraph for paragraph (b):
 
‘‘(b) Where a data controller intends to keep per- S.17 sonal data for two or more related purposes,
he or she shall make an application for regis- tration in respect of those purposes and, sub- ject to the provisions of this Act, entries shall be made in the register in accordance with any such application,’’,
and
(ii)by the insertion of the following paragraph after para- graph (b):
‘‘(c) Where a data controller intends to keep per- sonal data for two or more unrelated pur- poses, he shall make an application for separ- ate registration in respect of each of those purposes and, subject to the provisions of this Act, entries shall be made in the register in accordance with each such application.’’,
and
(b) by the substitution of the following subsection for subsec- tion (3):
‘‘(3) The Commissioner shall not accept such an appli- cation for registration as aforesaid from a data controller who keeps sensitive personal data unless he or she is of opinion that appropriate safeguards for the protection of the privacy of the data subjects are being, and will con- tinue to be, provided by him or her.’’.
 
18.—Section 18 of the Principal Act is amended by the substitution of the following subsection for subsection (2):
‘‘(2) The prescribed period (which shall not be less than one year) shall be calculated—
(a) in the case of a first registration from the date on which the relevant entry was made in the register, and
(b) in the case of a registration which has been continued under this section, from the day following the expir- ation of the latest prescribed period.’’.
 
19.—Section 31 of the Principal Act is amended in subsection (1) by—
(a) in paragraph (a), the substitution of ‘‘\3,000’’ for ‘‘£1,000’’, and
Amendment of section 18 (duration and continuance of registration) of Principal Act.
Amendment of section 31 (penalties) of Principal Act.
(b) in paragraph (b), the substitution of ‘‘\100,000’’ for ‘‘£50,000’’.
 
20.—The Second Schedule to the Principal Act is amended by the insertion of the following paragraph after paragraph 9:
‘‘10. (1) A person who holds or held the office of Commissioner or who is or was a member of the staff of the Commissioner shall not disclose to a person other than the Commissioner or such a member any information that is obtained by him or her in his capacity as Commissioner or as
Amendment of Second Schedule (the Data Protection Commissioner) to Principal Act.
 
S.20
Journalism, literature and art.
Repeals and
Revocation.
[No. 6.]Data Protection (Amendment) Act [2003.]
 2003.
such a member that could reasonably be regarded as confiden- tial without the consent of the person to whom it relates.
(2) A person who contravenes subparagraph (1) of this para- graph shall be guilty of an offence.’’.
 
21.—The following section is inserted into the Principal Act after section 22:
‘‘22A.—(1) Personal data that are processed only for journal- istic, artistic or literary purposes shall be exempt from com- pliance with any provision of this Act specified in subsection (2) of this section if—
(a) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,
(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publi- cation would be in the public interest, and
(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.
(2) The provisions referred to in subsection (1) of this section are—
(a) section 2 (as amended by the Act of 2003), other than subsection (1)(d),
(b) sections 2A, 2B and 2D (which sections were inserted by the Act of 2003),
(c) section 3,
(d) sections 4 and 6 (which sections were amended by the
Act of 2003), and
(e) sections 6A and 6B (which sections were inserted by the Act of 2003).
(3)In considering for the purposes of subsection (1)(b) of this section whether publication of the material concerned would be in the public interest, regard may be had to any code of practice approved under subsections (1) or (2) of section 13 (as amended by the Act of 2003) of this Act.
(4)In this section ‘publication’, in relation to journalistic, artistic or literary material, means the act of making the material available to the public or any section of the public in any form or by any means.’’.
 
22.—(1) Section 23 and subsections (3), (4) and (5) of section 24 and the Third Schedule of the Principal Act are repealed.
(2) The European Communities (Data Protection) Regulations
2001 (S.I. No. 626 of 2001) are hereby revoked.
 
23.—(1) This Act may be cited as the DataProtection Short title,
(Amendment) Act 2003.collective citation,
 construction and
 commencement.
(2)This Act and the Principal Act may be cited together as the Data Protection Acts 1988 and 2003 and shall be construed together as one.
(3)Subject to the subsequent provisions of this section, this Act shall come into operation on such day or days as, by order or orders made by the Minister under this section, may be fixed therefor either generally or with reference to any particular purpose or provision and different days may be so fixed for different purposes and differ- ent provisions including the application of section 22(1) to different provisions specified therein.
(4)This Act, in so far as it—
(a) amends section 2 of the Principal Act and applies it to man- ual data, and
(b) inserts sections 2A and 2B into that Act,
comes into operation on 24 October 2007 in respect of manual data held in relevant filing systems on the passing of this Act.
(5) Notwithstanding subsection (4), a data controller shall, if so requested in writing by a data subject when making a request under section 4 of the Principal Act—
(a) rectify, erase, block or destroy any data relating to him or her which are incomplete or inaccurate, or
(b) cease holding manual data relating to him or her in a way incompatible with the legitimate purposes pursued by the data controller.
 
´  
BAILE ATHA CLIATH
´ ´
ARNA FHOILSIU AG OIFIG AN tSOLATHAIR
Le ceannach dı´reach o´n 
´´ 
OIFIG DHIOLTA FOILSEACHAN RIALTAIS,
´ ´
TEACH SUN ALLIANCE, SRAID THEACH LAIGHEAN, BAILE ATHA CLIATH 2,
no´ trı´d an bpost o´  
´´´
FOILSEACHAIN RIALTAIS, AN RANNOG POST-TRACHTA,
´
51 FAICHE STIABHNA, BAILE ATHA CLIATH 2, (Teil: 01 - 6476834/35/36/37; Fax: 01 - 6476843)
no´ trı´ aon dı´olto´ir leabhar.
——————
DUBLIN
PUBLISHED BY THE STATIONERY OFFICE
To be purchased directly from the
GOVERNMENT PUBLICATIONS SALE OFFICE,
SUN ALLIANCE HOUSE, MOLESWORTH STREET, DUBLIN 2,
or by mail order from
GOVERNMENT PUBLICATIONS, POSTAL TRADE SECTION,
51 ST. STEPHEN’S GREEN, DUBLIN 2, (Tel: 01 - 6476834/35/36/37; Fax: 01 - 6476843) or through any bookseller.
\4.06
Wt. 513. 1,250. 4/03. Cahill. (X44346). Gr. 30-15.
ISBN 0-7557-3907-8
9 780755 739073