Data Protection Act, 1988

Collection, processing, keeping, use and disclosure of personal data.

2.—(1) A data controller shall, as respects personal data kept by him, comply with the following provisions:

(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

(b) the data shall be accurate and, where necessary, kept up to date,

(c) the data—

(i) shall be kept only for one or more specified and lawful purposes,

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes,

(iii) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and

(iv) shall not be kept for longer than is necessary for that purpose or those purposes,

(d) appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.

(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a).

(4) Paragraph (b) of the said subsection (1) does not apply to backup data.

(5) (a) Paragraph (c) (iv) of the said subsection (1) does not apply to personal data kept for historical, statistical or research purposes, and

(b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,

if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject.

(6) (a) The Minister may, for the purpose of providing additional safeguards in relation to personal data as to racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, by regulations amend subsection (1) of this section.

(b) Regulations under this section may make different provision in relation to data of different descriptions.

(c) References in this Act to subsection (1) of this section or to a provision of that subsection shall be construed in accordance with any amendment under this section.

(d) Regulations under this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.

(e) Where it is proposed to make regulations under this section, a draft of the regulations shall be laid before each House of the Oireachtas and the regulations shall not be made until a resolution approving of the draft shall have been passed by each such House.

(7) Where—

(a) personal data are kept for the purpose of direct marketing, and

(b) the data subject concerned requests the data controller in writing to cease using the data for that purpose,

the data controller shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him—

(i) if the data are kept only for the purpose aforesaid, erase the data,

(ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose, and

(iii) notify the data subject in writing accordingly and, where appropriate, inform him of those other purposes.