S.I. No. 221/2022 - Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022
Notice of the making of this Statutory Instrument was published in | ||
“Iris Oifigiúil” of 6th May, 2022. | ||
I, MICHAEL MCGRATH, Minister for Public Expenditure and Reform, in exercise of the powers conferred on me by section 60 (6) of the Data Protection Act 2018 (No. 7 of 2018), and having duly complied with subsections (9)(b) and (10) of section 60 of that Act, hereby make the following regulations, with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving of the draft has been passed by each such House: | ||
Citation and commencement | ||
1. These Regulations may be cited as the Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022. | ||
Interpretation | ||
2. In these Regulations - | ||
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018); | ||
“relevant function” has the meaning assigned to it in Regulation 3; | ||
“relevant objective” shall be construed in accordance with Regulation 4. | ||
Relevant function | ||
3. In these Regulations, “relevant function” means a function of the Ombudsman under the Ombudsman Act 1980 (No. 26 of 1980). | ||
Relevant objective | ||
4. In these Regulations, “relevant objective” means an objective - | ||
(a) referred to in paragraph (b), (h), (l)(ii), (n) or (o) of section 60(7) of the Act of 2018, and | ||
(b) pursued by the Ombudsman in performing a relevant function. | ||
Categories of personal data | ||
5. These Regulations apply to personal data (including special categories of personal data and Article 10 data) in respect of which the Ombudsman is the controller, processed by the Ombudsman. | ||
Purpose of processing | ||
6. These Regulations apply to the processing by the Ombudsman of personal data to which these Regulations apply in the pursuit of a relevant objective. | ||
Restriction of rights and obligations | ||
7. (1) Subject to paragraph (2), the rights and obligations provided for in Articles 12 to 22 and Article 34, and Article 5 (in so far as any of its provisions correspond to the rights and obligations in Articles 12 to 22), of the Data Protection Regulation, in respect of processing to which these Regulations apply, are restricted to the extent that is - | ||
(a) necessary to safeguard a relevant objective, and | ||
(b) proportionate to the need to safeguard the relevant objective, | ||
including, but not limited to, where the exercise of the right or compliance with the obligation, as the case may be - | ||
(i) may interfere with - | ||
(I) the performance by the Ombudsman of a relevant function, | ||
(II) the independence of the Ombudsman in carrying out a relevant function, or | ||
(III) the prohibitions and restrictions on the disclosure of information and documents under section 9(1) of the Ombudsman Act 1980 , | ||
(ii) would disclose that the Ombudsman is exercising a function in pursuit of a relevant objective, where such disclosure may prejudice the achievement of the relevant objective, or | ||
(iii) would prevent the Ombudsman processing personal data for a period of time, where such delay to the processing may prejudice the achievement of a relevant objective. | ||
(2) Matters which are relevant, for the purposes of paragraph (1), in determining whether a restriction of a right or obligation is necessary and proportionate for the purposes of safeguarding a relevant objective, include but are not limited to - | ||
(a) the extent to which the exercise of the right or compliance with the obligation would prejudice the achievement by the Ombudsman of the relevant objective, | ||
(b) the essence of the right to data protection of the data subject, and | ||
(c) the risks to the rights and freedoms of the data subject that may result from such a restriction. | ||
Information to be provided where a right is restricted | ||
8. (1) Where a right or obligation referred to in paragraph (1) of Regulation 7 is restricted in accordance with that paragraph, the Ombudsman shall notify the data subject concerned in writing in a timely manner of the restriction, unless so notifying the data subject may prejudice the achievement of a relevant objective. | ||
(2) A notification under paragraph (1) shall inform the data subject concerned of the following: | ||
(a) the relevant right or obligation affected by the restriction; | ||
(b) whether the right or obligation concerned has been restricted in whole or in part; | ||
(c) the reasons for the restriction, unless informing the data subject concerned of the reasons may prejudice the achievement of a relevant objective; | ||
(d) that the data subject concerned may lodge a complaint with the Commission pursuant to Article 77(1) of the Data Protection Regulation; | ||
(e) that the right referred to in subparagraph (d) is without prejudice to any other rights or remedies which the data subject concerned may have in relation to the Ombudsman. | ||
(3) Where requested by a data subject notified in accordance with paragraph (1), the Ombudsman shall provide information on the policies and procedures referred to in Regulation 10(1) to the data subject. | ||
Communication with data subject | ||
9. The Ombudsman shall ensure that all information provided to a data subject under or in relation to these Regulations is provided in a concise, intelligible and easily accessible form using clear and plain language. | ||
Safeguards | ||
10. (1) The Ombudsman shall prepare and implement policies and procedures to provide for the matters referred to in Article 23(2)(d) and (f) of the Data Protection Regulation. | ||
(2) Without prejudice to the generality of paragraph (1), the policies and procedures of the Ombudsman referred to in that paragraph shall provide for the following: | ||
(a) the use of secure storage, passwords, encryption and other methods to ensure personal data can only be accessed by persons authorised by the Ombudsman to access that personal data; | ||
(b) the use of controls to ensure that personal data is only disclosed to persons authorised by the Ombudsman, or entitled or permitted by law, to receive that personal data; | ||
(c) the determination of appropriate storage periods for personal data or classes of personal data; | ||
(d) the treatment of personal data or classes of personal data at the expiry of the storage periods referred to in subparagraph (c); | ||
(e) data minimisation, including the use of anonymisation and pseudonymisation. | ||
(3) The policies and procedures referred to in paragraph (1) shall be reviewed by the Ombudsman on a regular basis and updated where the Ombudsman considers it appropriate to do so. | ||
Interaction with other law | ||
11. The restriction referred to in paragraph (1) of Regulation 7 is in addition to and not in substitution for any restriction of the rights and obligations referred to in that paragraph under any other enactment or law of the European Union in operation. | ||
| ||
GIVEN under my Official Seal, | ||
4 May, 2022. | ||
MICHAEL MCGRATH, | ||
Minister for Public Expenditure and Reform. |
