1. Introduction

As of 1 October, 2007, subject to certain exemptions highlighted in this article, all persons that are established in Ireland (or using their own equipment in Ireland) and are either data controllers or data processors as such terms are defined in the Data Protection Act 1988 (the "1988 Act") as amended by the Data Protection (Amendment) Act, 2003 (the "2003 Act") (together, the 1988 Act and the 2003 Act are referred to herein as the "Acts") are required to register with the Office of the Data Protection Commissioner (the "DPC").

The Minister for Justice, Equality and Law Reform signed three Statutory Instruments on 26 September, 2007, which brought into operation Section 16 of the 2003 Act, expanded the scope of manual data that is now subject to the Acts, and increased the fees payable by persons applying to be registered for the first time or renewing their registration. The principal result of these changes is that some firms that were subject to the registration requirements of the Acts are no longer required to register, others are required to register for the first time and some remain unaffected by the changes.

2. Registration requirements prior to 1 October 2007

The registration regime under the Data Protection Act 1988 stipulated that only certain specified categories of data controller were required to register with the DPC. Only data controllers who were prescribed in the Third Schedule to the 1988 Act, or who qualified as "financial institutions" or kept "sensitive data" as defined in the Acts, were required to register. "Financial institution" meant an entity that held a licence under the Central Bank Act, 1971, or a person referred to in Section 7(4) of such legislation (being ACC Bank plc, Bank of Scotland (Ireland) Ltd., the Post Office Savings Bank, a trustee savings bank certified under the Trustee Savings Banks Acts, 1863 to 1965, a building society, an industrial and provident society, a friendly society, a credit union, an investment trust company or the manager under a unit trust scheme in respect of the carrying on of the business of the scheme). In addition, data processors whose business consisted wholly or partly in processing personal data on behalf of data controllers were required to register.

The 2003 Act clarified that the legislation only applied to firms established in Ireland or firms using their own equipment in Ireland. The use of third party equipment alone did not require the firm to register in Ireland. The firm only needed to register as a data controller if it maintained its own equipment such as a server or other database in Ireland. Accordingly, non-Irish domiciled firms generally were not required to register with the DPC.

3. Registration requirements from 1 October 2007

SI No. 657 of 2007, the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the "Regulations"), came into force on 1 October, 2007 and from that date replaced the registration regime discussed above. The Regulations implement the registration provisions of the 2003 Act, namely Section 16 thereof, and determine the categories of data controllers and data processors who must register with the DPC.

Under the new regime, all data controllers and data processors must register with the DPC except those exempted, or specified by the Minister for Justice, Equality and Law Reform (the "Minister") by regulation as not being obliged to register.

The persons expressly exempted are data controllers and data processors who process personal data for the keeping of a public register, who process only manual data not otherwise prescribed, or that are nonprofit organisations processing personal data further to the activities of such organisations.

In broad terms, the Minister has specified that the following categories of data controllers and data processors are not required to register under the Acts if they hold or process personal data on computer in a manner prescribed in the Regulations (subject to the caveat below):

  • data controllers who process personal data in the ordinary course of personnel administration;
  • elected representatives and candidates for electoral office;
  • certain educational institutions;
  • solicitors and barristers;
  • data controllers (other than health professionals processing health-related data for medical purposes) who process personal data relating to past, existing or prospective customers or suppliers for certain specified purposes;
  • companies which process personal data relating to shareholders, directors or other officers of a company for the purpose of compliance with the Companies Acts 1963-2006;
  • data controllers who process personal data with a view to the publication of journalistic, literary or artistic material;
  • categories of data controllers or data processors to which a code of practice approved under Section 13 of the 1988 Act applies;
  • data processors who process personal data on behalf of data controllers where the processing of the data would fall under one or more of the above categories;

provided that they do not also fall within one of the following categories of persons who are not exempt and are still required to register:

  • certain banks and financial/credit institutions;
  • insurance undertakings;
  • persons whose business consists wholly or mainly in direct marketing, providing credit references or collecting debts;
  • internet access providers;
  • telecommunications network or service providers; and
  • anyone processing genetic data within the meaning of Section 41 of the Disability Act 2005.

In addition, any data processor who processes personal data on behalf of a data controller which falls under any of the categories listed above must register with the DPC.

Data controllers and data processors should be aware that either failing to register with the DPC, where required, or processing data for an unregistered purpose amounts to a criminal offence under the Acts. Conviction in the District Court could lead to a fine not exceeding 3,000 euros and conviction on indictment in the Circuit Criminal Court to a fine not exceeding 100,000 euros. Data controllers and data processors should also be aware that adverse publicity generated by the failure to register and the attendant consequences could damage a firm's reputation. In addition, directors and officers of a firm can be subject to personal liability for failure to register if such failure occurs with the consent, connivance or neglect of the relevant director or officer.

4. Manual Data

Under the Acts, "manual data" is data stored or intended to be stored in a structured filing system which enables specific information relating to a particular individual to be readily accessed (e.g. by name or in chronological order). Up until 24 October, 2007, the provisions of the Acts applied only to manual data created after the passing of the 2003 Act, i.e. since 10 April, 2003.

Now that this temporary exemption period has expired, data controllers and data processors will need to ensure that they are in full compliance with their obligations under the Acts in respect of all manual data that they hold. Whilst few records are likely to be solely in manual form, this may impact original, signed documents such as employment contracts and legal agreements which are filed in a structured manner.

5. Miscellaneous Changes

The fee for registration, which must be paid annually as the registration is renewed, depends upon the number of employees the data controller/processor has, as set out in the table below:

Number of Employees     Registration/Renewal Fee
1 to 5                  40.00 euros
6 to 25                 100.00 euros
26 or more              480.00 euros

A reduction applies to on-line applications made using the DPC's website.

6. Conclusion

The Regulations mark a change in the registration regime in Ireland by bringing Section 16 of the 2003 Act into full operation for the first time and by providing that all data controllers and data processors, unless exempted, must register with the DPC. This is in line with European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. Data controllers and data processors might take the occasion of the introduction of the new registration regime to review their operations to determine whether they should be renewing their registration or registering with the DPC for the first time. Notwithstanding the registration requirements, all data controllers and data processors must comply with the provisions of the Acts applicable to their business operations even if they are not required to register with the DPC.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.