S.I. No. 665/2018 - Data Protection Act 2018 (Section 159(4)) Rules 2018


Notice of the making of this Statutory Instrument was published in

“Iris Oifigiúil” of 26th April, 2019.

We, being the panel nominated by the Chief Justice pursuant to section 158 (6) of the Data Protection Act 2018 , by virtue of the powers conferred on us by section 159 (4) of the Data Protection Act 2018 , do hereby make the following Rules.

Dated this 19th day of July 2018.

John A. Edwards

David Barniville

Marie Quirke

Citation and entry into force

1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(4)) Rules 2018, shall come into operation on the 1st day of August 2018.

Scope

2. These Rules (being processing rules within the meaning of section 159(9) of the 2018 Act) apply to the processing of personal data —

(a) of which a judge or court, when acting in a judicial capacity, is a controller, and

(b) which are not personal data contained in a record of a court,

where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller.

Interpretation

3. (1) In these Rules:

“2018 Act” means the Data Protection Act 2018 ;

“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;

in relation to personal data of which a court is the controller, references to a judge or court are references to that judge or court when acting in a judicial capacity and “judge”, in the case of any proceedings the hearing of which has not been assigned to any judge or panel of judges or, in any case where the judge concerned is no longer a member of that court or the panel concerned can no longer be constituted, shall mean —

(a) the Chief Justice in relation to a judge of the Supreme Court,

(b) the President of the Court of Appeal in relation to a judge of the Court of Appeal,

(c) the President of the High Court in relation to a judge of the High Court,

(d) the President of the Circuit Court in relation to a judge of the Circuit Court, and

(e) the President of the District Court in relation to a judge of the District Court;

“Processor” means a processor of personal data of which a court is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service notified to the president of the court concerned by the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which a court is the controller.

(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive.

Processing of personal data

4. (1) Where a Processor processes personal data on behalf of any court or judge of a court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule.

Subject matter of processing

(2) The subject matter of processing to which these Rules apply consists of personal data to which rule 2 applies.

(3) Personal data to which rule 2 applies may, in addition to being held by the judge or court concerned, be held securely in hard copy or in electronic form by an officer of the court concerned, a member of the staff of the Courts Service or a contractor of the Courts Service notified to the president of the court concerned, at an office of or attached to the court concerned, at premises or in a system used by the Courts Service or, as the case may be, at premises or in a system used by that contractor.

(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data to which rule 2 applies in accordance with the directions of the judge or court concerned, solely for the purposes of the judge or, as the case may be, the court concerned.

(5) A Processor may not disclose personal data to which rule 2 applies to any person, other than the judge who is the controller, or the court which is the controller, save as directed by the judge or, as the case may be, the court concerned.

Duration of processing

(6) Personal data to which rule 2 applies shall be retained only for such period as the judge or, as the case may be, the court concerned shall require.

Purpose of processing

(7) Personal data to which rule 2 applies may be processed solely for the purposes of the judge or, as the case may be, the court concerned.

Type of personal data to be processed and data subjects to whom the personal data relate

(8) Any type of personal data (to which rule 2 applies) of any data subject is liable to be processed.

Obligations of Processor

5. In respect of any processing of personal data to which rule 4 applies, the Processor shall:

(a) act only on a direction given by or on behalf of the judge or, as the case may be, the court concerned in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise;

(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so;

(c) assist the judge or, as the case may be, the court concerned in ensuring compliance with the judge’s, or as the case may be, the court’s obligations under applicable data protection law in respect of data subject rights;

(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the judge or, as the case may be, the court concerned —

(i) return to the judge or, as the case may be, the court concerned, as directed by the Courts Service on behalf of the judge or, as the case may be, the court, or

(ii) erase

all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data;

(e) in the case of a Processor who is an officer of the court concerned or a member of staff of the Courts Service, maintain all personal data subject to the direction of the judge or the court concerned and otherwise in accordance with rule 4(6);

(f) make available to the judge or, as the case may be, the court concerned all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation or under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the judge or, as the case may be, the court concerned;

(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service) otherwise than in accordance with the prior specific or general written authorisation of the president of the court concerned; in the case of any general authorisation, the Courts Service shall inform the president of the court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office;

(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service) is engaged to process personal data on behalf of the judge or, as the case may be, the court concerned, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules. In the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the judge or, as the case may be, the court concerned for the performance of its obligations in accordance with these Rules;

(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law;

(j) inform the judge or, as the case may be, the court concerned immediately if, in the Processor’s opinion, it receives an instruction from the judge or the court which infringes the Data Protection Regulation, the Directive or the 2018 Act;

(k) notify the judge or, as the case may be, the court concerned immediately after becoming aware of any personal data breach and provide the judge or, as the case may be, the court concerned with such co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and

(l) assist the judge or, as the case may be, the court concerned in complying with the judge’s or court’s obligations under applicable data protection law in respect of data protection impact assessments.

/images/ls

EXPLANATORY NOTE

(This note is not part of the Instrument and does not purport to be a legal interpretation.)

These rules, made under section 159 (4) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Article 22(3) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the processing by a processor of personal data —

(a) that are not personal data contained in a court record, and

(b) in respect of which a court, when acting in its judicial capacity, is a controller.