S.I. No. 254/2004 - Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004
I, Charlie McCreevy, Minister for Finance, in exercise of the powers conferred on me by section 8 of the Customs and Excise (Mutual Assistance) Act 2001 (No. 2 of 2001), after consultation with the Minister for Justice, Equality and Law Reform and the Minister for Foreign Affairs, hereby make the following regulations with respect to which, pursuant to section 11 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving of the draft has been passed by each such House: 1. (1) These Regulations may be cited as the Customs and Excise (Mutual Assistance) Act 2001 (Section 8) (Protection of Manual Data) Regulations 2004. | ||||||||
(2) These Regulations come into operation on the date on which the declaration by the State under Article 32 (4) of the Customs Co-operation Convention takes effect and cease to have effect on 24 October 2007. 2. (1) These Regulations apply to manual data held in relevant filing systems on the passing of the Data Protection (Amendment) Act 2003 (No. 6 of 2003). | ||||||||
(2) These Regulations apply only to personal data received under the Customs Co-operation Convention by the Revenue Commissioners and to personal data forwarded by the Revenue Commissioners under that Convention. These Regulations do not apply to personal data in the possession or control of the Revenue Commissioners from which personal data forwarded by them has been derived or copied. 3. (1) In these Regulations- | ||||||||
“back-up data” means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged; | ||||||||
“blocking”, in relation to data, means so marking the data that it is not possible to process it for purposes in relation to which it is marked; | ||||||||
“Commissioner” means the Data Protection Commissioner; | ||||||||
“Community” means the European Community; | ||||||||
“Convention” means the Customs Co-operation Convention; | ||||||||
“data” means manual data; | ||||||||
“data subject” means an individual who is the subject of personal data; | ||||||||
“manual data” means information that was recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; | ||||||||
“personal data” means manual data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Revenue Commissioners; | ||||||||
“processing”, in relation to information or data, means performing any operation or set of operations on the information or data, including | ||||||||
(a) obtaining, recording or keeping the information or data, | ||||||||
(b) collecting, organising, storing, altering or adapting the information or data, | ||||||||
(c) retrieving, consulting or using the information or data, | ||||||||
(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or | ||||||||
(e) aligning, combining, blocking, erasing or destroying the information or data; | ||||||||
“relevant filing system” means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible; | ||||||||
“sensitive personal data” means personal data as to— | ||||||||
(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, | ||||||||
(b) whether the data subject is a member of a trade union, | ||||||||
(c) the physical or mental health or condition or sexual life of the data subject, | ||||||||
(d) the commission or alleged commission of any offence by the data subject, or | ||||||||
(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings. | ||||||||
(2) In these Regulations- | ||||||||
(a) a reference to a Regulation is to a Regulation of these Regulations, unless it is indicated that reference to some other Regulations is intended, | ||||||||
(b) a reference to a paragraph or subparagraph is a reference to a paragraph or subparagraph of the provision in which the reference occurs, unless it is indicated that reference to some other provision is intended. | ||||||||
(3) For the purposes of these Regulations, data are inaccurate if they are incorrect or misleading as to any matter of fact. 4. (1) In accordance with these Regulations, the processing of personal data received by the Revenue Commissioners under the Convention shall be authorised only for the purpose of preventing and detecting infringements of national customs provisions and prosecuting and punishing infringements of Community and national customs provisions. | ||||||||
(2) Personal data received by the Revenue Commissioners under the Convention may be forwarded without the consent of the authority supplying them to the Garda Síochána, the Attorney General, the Director of Public Prosecutions to enable them to prosecute or the Courts to enable them to punish, infringements of national and Community customs provisions. | ||||||||
(3) In all cases of data transmission, other than those specified in paragraph (2), the consent of the authority forwarding them shall be necessary and such data transmission must be in accordance with these Regulations. 5. (1) The Revenue Commissioners shall, as respects personal data received by them under the Convention and forwarded by them under the Convention, comply with the following provisions: | ||||||||
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed fairly, | ||||||||
(b) the data shall be accurate and complete and, where necessary, kept up to date, | ||||||||
(c) the data— | ||||||||
(i) shall be processed only for the purpose of preventing and detecting infringements of national customs provisions and prosecuting and punishing infringements of Community and national customs provisions, | ||||||||
(ii) shall not be further processed in a manner incompatible with that purpose, | ||||||||
(iii) shall be adequate, relevant and not excessive in relation to the purpose for which they were collected or further processed, and | ||||||||
(iv) shall not be kept for longer than is necessary for that purpose, and | ||||||||
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of the data and against all other unlawful forms of processing. | ||||||||
(2) Paragraph (1) (a) does not apply to information intended for inclusion in data, or to data, kept for the purpose of preventing and detecting infringements of national customs provisions and prosecuting and punishing infringements of Community and national customs provisions, in any case in which the application of that Regulation to the data would be likely to prejudice the said purpose. | ||||||||
(3) Paragraph (1) (b) does not apply to backup data. | ||||||||
(4) In determining appropriate security measures for the purposes of paragraph (1)(d), the Revenue Commissioners— | ||||||||
(a) may have regard to the state of technological development and the cost of implementing the measures, and | ||||||||
(b) shall ensure that the measures provide a level of security appropriate to— | ||||||||
(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and | ||||||||
(ii) the nature of the data concerned. | ||||||||
(5) The Revenue Commissioners shall take all reasonable steps to ensure that— | ||||||||
(a) persons employed by them, and | ||||||||
(b) other persons at the place of work concerned, are aware of and comply with security measures taken under paragraph (1)(d). | ||||||||
(6) Personal data shall not be treated for the purposes of paragraph (1)(a), as processed fairly, unless— | ||||||||
(a) in the case of data obtained from the data subject, the Revenue Commissioners ensure, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in paragraph (7), | ||||||||
(b) in any other case, the Revenue Commissioners ensure, so far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the information specified in paragraph (8)— | ||||||||
(i) not later than the time when the Revenue Commissioners first process the data, or | ||||||||
(ii) if disclosure of the data to a third party is envisaged, not later than the time of such disclosure. | ||||||||
(7) The information referred to in paragraph (6) (a) is any information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data to be fair to the data subject such as information as to the recipients or categories of recipients of the data, as to whether replies to questions asked for the purpose of the collection of the data are obligatory, as to the possible consequences of failure to give such replies and as to the existence of the right of access to and the right to rectify the data concerning him or her. The Revenue Commissioners shall control the content and use of the data and the purpose for which the data are intended to be processed shall be for preventing and detecting infringements of national customs provisions and prosecuting and punishing infringements of Community and national customs provisions. | ||||||||
(8) The information referred to in paragraph (6) (b) is: | ||||||||
(a) the information specified in paragraph (7), | ||||||||
(b) the categories of data concerned, and | ||||||||
(c) the name of the original data controller. | ||||||||
(9) Paragraph (6) (b) does not apply in any case where the processing of the information contained or to be contained in the data by the Revenue Commissioners is necessary for compliance with a legal obligation to which the Revenue Commissioners are subject other than an obligation imposed by contract, if such conditions as may be specified in regulations made under section 2D (4) (inserted by section 4 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 (No. 25 of 1988) are complied with. 6. Sensitive personal data received under the Convention shall not be processed by the Revenue Commissioners unless Regulation 5 is complied with, and the data subject has given his or her consent to the processing or, if the data subject, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of such consent, it is given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the data subject and the giving of such consent is not prohibited by law. 7. (1) (a) Subject to these Regulations, an individual shall, if he or she so requests the Revenue Commissioners by notice in writing— | ||||||||
(i) be informed by the Revenue Commissioners whether the data processed by the Revenue Commissioners under the Convention include personal data relating to the individual, | ||||||||
(ii) if it does, be supplied by the Revenue Commissioners with a description of— | ||||||||
(I) the categories of data being processed by the Revenue Commissioners under the Convention, | ||||||||
(II) the personal data constituting the data of which that individual is the data subject, | ||||||||
(III) the purpose or purposes of the processing, and | ||||||||
(IV) The recipients or categories of recipients to whom the data are or may be disclosed, | ||||||||
(iii) have communicated to him or her in intelligible form— | ||||||||
(I) the information constituting any personal data for the purposes of the Convention of which that individual is the data subject, and | ||||||||
(II) any information known or available to the Revenue Commissioners as to the source of those data unless the communication of that information is contrary to the public interest, | ||||||||
as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms. | ||||||||
(b) A request under paragraph (1)(a) that does not relate to all of its paragraphs shall, in the absence of any indication to the contrary, be treated as relating to all of them. | ||||||||
(2) An individual making a request under this Regulation shall supply the Revenue Commissioners with such information as they may reasonably require in order to satisfy themselves of the identity of the individual and to locate any relevant personal data or information. | ||||||||
(3) Nothing in paragraph (1) obliges the Revenue Commissioners to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure. However, where the circumstances are such that it would be reasonable for the Revenue Commissioners to conclude that, if any particulars identifying that other individual were omitted, the data could then be so disclosed without the other individual being identified to the data subject, the Revenue Commissioners shall disclose the data to the data subject with the omission of those particulars. | ||||||||
(4) Information supplied pursuant to a request under paragraph (1) may take account of any amendment of the personal data concerned made since the receipt of the request by the Revenue Commissioners (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment. | ||||||||
(5) (a) Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure. | ||||||||
(b) Subparagraph (a) does not apply if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it would be treated as confidential. | ||||||||
(6) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this Regulation shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal. | ||||||||
(7) The obligations imposed by paragraph (1)(a)(iii) shall be complied with by supplying the data subject with a copy of the information concerned in permanent form, unless— | ||||||||
(a) the supply of such a copy is not possible or would involve disproportionate effort, or | ||||||||
(b) the data subject agrees otherwise. | ||||||||
(8) Where the Revenue Commissioners have previously complied with a request under paragraph (1), they are not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in their opinion, a reasonable interval has elapsed between compliance with the previous request and the making of the current request. | ||||||||
(9) In determining for the purposes of paragraph (8) whether the reasonable interval specified in that Regulation has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered. | ||||||||
(10) Subject to paragraph (11), an individual in respect of whom the Revenue Commissioners hold personal data under the Convention, may require the Commissioners to state what data relating to him or her have been forwarded or received by them in the application of the Convention and the use or uses which have been made of such data. | ||||||||
(11) Paragraph (10) does not apply to personal data where the application of the Regulation would be likely to prejudice the prevention and detection of infringements of national customs provisions and prosecuting and punishing infringements of Community and national customs provisions. 8. (1) An individual shall, if he or she so requests the Revenue Commissioners in writing in a case where they keep personal data relating to him or her under the Convention, be entitled to have rectified or, where appropriate blocked or erased, any such data where it is found to be inaccurate. The Revenue Commissioners shall comply with the request, as soon as may be, but in any event not more than 40 days after it has been given or sent to them. | ||||||||
(2) The Revenue Commissioners shall, as respects data that are inaccurate or not kept up to date, be deemed— | ||||||||
(a) to have complied with a request under paragraph (1) if they supplement the data with a statement (to the terms of which the individual has assented) relating to the matters dealt with by the data, and | ||||||||
(b) if they supplement the data as aforesaid, not to be in contravention of Regulation 5 (1)(b). | ||||||||
(3) Where the Revenue Commissioners comply, or are deemed to have complied, with a request under paragraph (1), they shall, as soon as may be, but not more than 40 days after the request has been given or sent to them, notify— | ||||||||
(a) the individual making the request, and | ||||||||
(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request unless such notification proves impossible or involves a disproportionate effort, | ||||||||
of the rectification, blocking, erasure or statement concerned. 9. The Revenue Commissioners shall record the forwarding and receipt of any personal data forwarded or received under the Convention in writing or in electronic format which can be produced in legible form. 10. (1) The Commissioner is the supervisory authority in the State for the purposes of these Regulations. | ||||||||
(2) Sections 10 (as amended by section 11 of the Data Protection (Amendment) Act 2003 ) and 24 of the Data Protection Act 1988 apply to these Regulations and references in subsections (1)(a) and (2) of section 10 and in subsection (1) of section 24, of that Act to that Act are to be read as reference to these Regulations. | ||||||||
(3) Section 12 of the Data Protection Act 1988 applies to these Regulations and the reference in subsection (1) of section 12 of that Act to the performance by the Commissioner of his functions includes a reference to the performance by him of his functions under these Regulations. 11. The Revenue Commissioners shall keep any personal data received in the application of the Convention only for the period necessary for which they were received. | ||||||||
| ||||||||
|
Explanatory Note | ||||||||
(This is not part of the instrument and does not purport to be a legal interpretation.) | ||||||||
This Instrument enables the Customs and Excise (Mutual Assistance) Act 2001 and the Customs Co-operation Convention to have full effect. | ||||||||
The Customs Co-operation Convention requires that the processing of all personal data, whether by automated or manual means, must be protected by law. The Data Protection (Amendment) Act 2003 applies the provisions of the Data Protection Act 1988 to certain manual data with effect from the date on which it is passed (1 July 2003). Therefore, such new manual data created after that date will enjoy the protection of the Act. However, in respect of manual data created prior to that date, the provisions of the Data Protection Act 1988 will only apply with effect from 24 October 2007. These Regulations are therefore required in order to protect such manual data created prior to 1 July 2003 and which it is desired to process prior to 24 October 2007, for the purposes of the Customs Co-operation Convention. | ||||||||
These Regulations come into effect on the date on which the declaration by the State under Article 32 (4) of the Customs Co-operation Convention takes effect and cease to have effect on 24 October 2007. |
