Protected Disclosures (Amendment) Act 2022

Data protection

18. The following section is inserted after section 16A (inserted by section 17) but in Part 3 of the Principal Act:

“16B. (1) (a) The rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22, of the General Data Protection Regulation, and in Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016⁶, are restricted in respect of relevant data—

(i) to the extent necessary and proportionate for the purposes of—

(I) safeguarding the important objectives of general public interest, and

(II) the protection of the data subject or the rights and freedoms of others,

and

(ii) to the extent, and as long as, necessary to prevent and address attempts to hinder reporting or to impede, frustrate or slow down follow-up, in particular investigations, or attempts to find out the identity of reporting persons.

(b) The important objectives of general public interest referred to in paragraph (a) are—

(i) those referred to in section 60(7) of the Data Protection Act 2018, and

(ii) the effective operation of this Act and, in particular, the protections afforded by this Part.

(2) Without prejudice to the generality of subsection (1), a restriction of a right or obligation under that subsection shall be considered necessary and, as the case may be, proportionate for the purposes referred to in paragraph (a) of subsection (1) where the exercise of the right or compliance with the obligation may—

(a) necessitate the disclosure of information that might identify the reporting person where such disclosure would be contrary to section 16, or

(b) prejudice the effective follow-up, including any investigation of the relevant wrongdoing concerned.

(3) Where a restriction of a right or obligation is applied by a relevant person in accordance with subsection (1), the relevant person shall inform the data subject of such restriction, unless to do so would—

(a) necessitate the disclosure of information that might identify the reporting person where such disclosure of information would be contrary to section 16,

(b) prejudice the effective follow-up, including any investigation, of the relevant wrongdoing concerned, or

(c) prejudice the achievement of any of the important objectives of general public interest set out in subsection (1)(b).

(4) Where a relevant person informs a data subject of a restriction in accordance with subsection (3), the relevant person shall also inform the data subject of the possibility of lodging a complaint with the Data Protection Commission or of seeking judicial remedy in relation to such restriction.

(5) A relevant person shall ensure that relevant data in respect of which the relevant person is the controller is stored for no longer than is necessary for the fulfilment of the objective referred to in subsection (1)(b)(i).

(6) A relevant person shall implement technical and organisational measures to prevent the abuse or unlawful access to or transfer of relevant data in respect of which the relevant person is the controller, including but not limited to the following:

(a) the use of secure storage, passwords, encryption and other methods to ensure that the relevant data can only be accessed by persons authorised by the relevant person to access that data;

(b) the use of controls to ensure that the relevant data is only disclosed to persons authorised by the relevant person, or entitled or permitted by law, to receive that data;

(c) data minimisation, including the use of anonymisation and pseudonymisation, where appropriate.

(7) Any processing of personal data pursuant to this Act, including the exchange or transmission of personal data by prescribed persons, the Commissioner and any suitable persons, shall be carried out in accordance with applicable data protection law.

(8) Personal data which are manifestly not relevant for the handling of a specific report shall not be collected or, if accidentally collected, shall be deleted without undue delay.

(9) In this section—

‘relevant data’ means personal data, including special categories of personal data within the meaning of Article 9 of the General Data Protection Regulation and data relating to criminal convictions and offences within the meaning of Article 10 of the General Data Protection Regulation, processed for the purposes of this Act including receiving, dealing with or transmitting a report or follow-up on such a report;

‘relevant person’ means a person to whom a report is made under this Act or any person to whom a report is transmitted in the performance of the first-mentioned person’s functions under this Act.”.

6 OJ No. L 119, 4.5.2016, p. 89.