Businesses face a hugely increased compliance burden, "dawn raids" and privacy audits under the terms of a new data protection law, which comes into force today. Barry O'Halloran reports.
The Data Protection (Amendment) Act, 2003, increases the control that individuals have over the information that is stored about them. Its terms extend the law to manual as well as computer files.
Another key provision increases the powers of the Data Protection Commissioner, Mr Joe Meade, who will be able to conduct "dawn raids" and privacy audits of businesses and organisations to ensure compliance.
He already has the power to prosecute errant organisations in the District Court. Businesses could face criminal and civil proceedings if they fail to comply.
Maximum fines for summary conviction in the District Court have been increased from €1,270 to €3000, and for conviction on indictment by a jury, from €67,000 to €100,000.
Organisations will not be allowed to "process" information about any individual without first getting their consent. Solicitor Mr Philip Nolan of Mason Hayes Curran says "process" could be interpreted to include a range of routine administrative activities.
Businesses have to provide explicit information to customers, employees or any others on whom they hold information on their activities and the ways in which they will store, use or disclose personal information.
Individuals now have the right to prevent businesses from using information for a specific purpose. Organisations will not be allowed to transfer personal information outside the European Economic Area (the EU and neighbouring states) without meeting certain safeguards.
Solicitor Mr Liam Kennedy, partner with law firm A&L Goodbody, said yesterday that the new law would impose particular limits on insurers and healthcare.
He said it created extra safeguards for the kind of sensitive information held by organisations in these sectors.
He warned that all businesses would have to review procedures for dealing with information supplied by customers and employees to ensure they meet the Act's requirements.
"Businesses are going to have to have a privacy policy," he said, predicting this would increase ongoing costs for some sectors. He added that it would not be possible to quantify these.
A section that will allow employers to vet information through the Garda Síochána will not come into force until a review of the Garda's vetting unit is complete.
