Data Protection Act

dahamsta

I'm not sure if this should go in here, Humanities, or Business & Economy, but I reckon I've as good a chance of getting an answer here as any. Feel free to move it it though. Anyway...

The Guardian is doing an excellent pullout series on privacy at the moment, and in one of them it gave details on how to find out what information public or private organisations hold on you. They included a sample letter, which I've included below.

I'm curious about the crossover, if any, between the British and Irish Data Protection Acts. I believe the Irish one was transposed from a European directive, but the website tends to give the impression that the act applies to use of data for direct marketing purposes, there isn't much mention of other uses.

Was the British Act also transposed from an EU directive, or was it developed locally? Was the Irish Act transposed correctly, or was it done in ODTR fashion? Most importantly, how would the sample letter below stand up in Ireland?

Thanks,
adam

Dear ...

I am writing to request all the information to which I am entitled under
section 7 (1) of the Data Protection Act 1998.

In order to assist you with this request, I am outlining some of the areas
and occasions on which your organisation may have compiled information on
me. As you will understand, this may not be a definite list of such
occasions. [Give a description of how you have come into contact with
the organisation - the more specific, the better.]

I would be interested in any discussion or opinions expressed within your
organization of my person, reputation, character, history or behaviour,
actual or perceived. I should make it clear that this request should also
cover all or any other information you may hold. I hope that you will be
able to comprehensively search all your records.

The definition of "personal data" under the act covers both facts and
opinions about myself as an individual, as well as information regarding
the intentions of your organization towards myself as an individual. This
request should therefore cover any internal/external memos, emails, faxes,
and any other correspondence or readily accessible data held on computer by
your organization which could be classified as "personal data" under the
1998 Data Protection Act. This request covers both manual and electronic
data.

I enclose a photocopy of [proof of your address, such as gas /
electricity / telephone bill] as confirmation of the above being my
home address. I have also enclosed a photocopy of my passport [or
similar, such as a driving licence] and a recent photograph of myself
to aid your identification.

I understand that urder the act, I should be entitled to a response within
40 days. I would be grateful if you could confirm in writing that you have
received this request.

I look forward to hearing from you in the near future.

Yours,
...

sceptre

You would need to change

7 (1) of the Data Protection Act 1998

to the relevant parts of the Irish 1988 Act (the UK act was older but it's been updated)

I think it's section 6 in the Irish one but offhand I can't remember.

The Act is here. There was an amendment bill this year (which I assume was passed) extending the scope of the Act to include data held in a manner other than on a computer.

It applies to any information held about you on a computer. You can apply to have the information corrected, provided to you or if it's being held for direct marketing purposes, deleted.

tobylobs

Hello this is some fact about the data protection act that you might or might not know.

1. If you are old enough to vote your name and address can be obtained by any individual or company from any post office, county council or any place that holds an electoral register.
2. Your local county council sells the electoral register to direct marketing companies on CD-rom and makes a profit from your information. This is legal because the register does not come under the data protection act as it’s a public domain document. So the only way to stop them doing this is to remove your name but this interferes with your constitutional right to vote as an Irish citizen.
3. There are companies that compile data from all sources like on street polls, Market research companies like mori and l.m.r. and the people who are on the city centre streets (if you spent any time in the city centre you can see them collecting for concern one day and sight savers the next who despite what the say they do work on commission) and then pass your details on to other so called recognised trusted third parties and this is all above board because is says so in the current data act.
These are some facts that you might or might not know but I know from personal experience because I have had calls to my home from market research companies even though my number is ex-directory, I have had mail from the Canadian government lottery inviting me to join not to mention the Irish direct marketing association and every company that uses this as a strategy to drum up new sales. I even after I registered with the preferred mail service (a body run by an post set up to prevent this happening) I still got junk mail from MBNA and car finance direct.
When the act was set up by the government of the day they got a directive from Europe to put one in place however like so many things from Europe the government seems to set them up so the most beneficial way for themselves and not people whom it is supposed to protect.

My other pet hate is VRT on cars, now this is another example of not implementing Europe’s policies. The government said it was an eco tax when it is a form of double taxi ton. If the laws of free market trading were implemented correctly we would have some of the cheapest prices of cars in Europe but as it stands we are second highest.
This along with the recent revelations and the fact we already voted on the very same treaty is the reason I intend to vote NO TO NICE again.

P.S. To add your name to the preferred mail service just rind the G.P.O. and ask for that department
:rolleyes: :rolleyes:

Chaos-Engine

Originally posted by sceptre
There was an amendment bill this year (which I assume was passed) extending the scope of the Act to include data held in a manner other than on a computer.

It would be 2002 then not 1988... I brought that up when we were studying business law last year in school during revision for the exams. The teacher got very very worried when I told him it was ammended the previous month.

Hobbes

Originally posted by tobylobs
Your local county council sells the electoral register to direct marketing companies on CD-rom and makes a profit from your information. This is legal because the register does not come under the data protection act as it’s a public domain document.

Actually it would. DPA protects such an action. The county council would have to be registered with the Data Protection agency and comply with the law. There are only two parts of the government which are immune to the DPA are the revenue commisioners and the department of Education (this may of changed since).

Your other stuff sounds like FUD too. The data protection act does not stop companies compiling data on you. It does however legally bind them to release all information relating to you when you request it and to get that information changed or removed.

As sceptre points out, one of the flaws with the original act was it only related to information contained on computers.

In regards to the first post, you also missed the processing fee cost which as far as I remember was £5 punts.

dahamsta

Sceptre, pardon my obtuseness, I just don't have the energy to plough though the actual Act right now: Your second-last paragraph states that the Act has been amended, however the last paragraph states that it applies to computer data. Does the amendment apply yet?

Also - again with the obtuseness - assuming I change the letter to refer to the Irish DPA (obviously), would it achieve the same as the DPA in the UK? In other words, if someone sent a request like this in the UK, and they scoped it correctly, they should by rights be able to get just about everything that refers to them in the organisation -- is it the same here?

And finally, where do we stand on breaches of the Act? Say for example that someone did a DPA request to an organisation, and the organisation didn't return some documents that the person /knew/ they have - what recourse does the person have?

Thanks,
adam

sceptre

Bah, I'd a response typed and the timeout kicked in (then I got my password wrong as usual, got tempted by the Back button and the whole thing went west). Shorter reply second time around then

Originally posted by dahamsta
Sceptre, pardon my obtuseness, I just don't have the energy to plough though the actual Act right now: Your second-last paragraph states that the Act has been amended, however the last paragraph states that it applies to computer data. Does the amendment apply yet?

Looking at my last two paragraphs , they don't make sense when read in order.:(

I checked the 2002 Amendment Bill. As with all amendment bills it just inserts a lot of new paragraphs and can't be read on its own. It's passed through five stages in the Seanad but hasn't been near the Dail - hence it isn't law yet (including the new provisions on non-computer data) so I'm going to ignore it.

The UK Act transposes directive 95/46/EC. The new Irish Bill will transpose the same directive when it becomes an Act. The Irish 1988 Act transposes the rather imaginatively titled "Convention for the protection of individuals with regard to automatic processing of data" from 1981

Also - again with the obtuseness - assuming I change the letter to refer to the Irish DPA (obviously), would it achieve the same as the DPA in the UK? In other words, if someone sent a request like this in the UK, and they scoped it correctly, they should by rights be able to get just about everything that refers to them in the organisation -- is it the same here?

Yes.

Under the Irish Act, this letter below (after including any relevant account details) would be enough to make a request in Ireland:

Dear ...

Please send me a a copy of any information you keep on computer about me. I am making this request under section 4 of the Data Protection Act, 1988.

Yours sincerely

Seems a bit short but it's a request, not a short story. As Hobbes mentioned, the fee payable (if any) can't exceed £5. They have to supply the information within 40 days, not merely acknowledge the communication.

Under section 11 of the Irish Act if they're part of the list that must register with the Data Protection Commission, they can't transfer any info overseas unless it's to a place listed as a storage location for data when they register. The letter above will get any information held by an Irish company (in any location)about you. If it's a UK company obviously you would be using the UK letter.

Very company that keeps personal data about individuals has to have a data protection officer. This one person will have access to (and will have to provide) all data held by the company about that individual.

If the data is being held for direct marketing and the person requests that this data is ceased to be used for this purpose the data must be erased within 40 days (and the person informed) or if the data is being held for some other reason inform the person of that reason.

There are a few exceptions on getting the information (including a person not being entitled to information held on him by the gardai - the exceptions are fairly obvious to be honest)

Sometimes it's not necessary to actually send a letter (though strictly speaking, it's necessary). When Vodafone kept sending me useless messages I got myself removed from the list. It took two phone calls (and a threat to report them) before it was done though but they did send me out a confirmation letter fairly quickly (I was honest and told them that the letter was just for me to forward to the Data Protection Commissioner if they ever sent me a text message again). Nokia rolled over in the same way.

And finally, where do we stand on breaches of the Act? Say for example that someone did a DPA request to an organisation, and the organisation didn't return some documents that the person /knew/ they have - what recourse does the person have?

There's a maximum penalty on summary conviction for breaches of the Act of £1000. Not all breaches are offences liable to punishment though. With reference to a company failing to disclose all computer-held data about a person, there's a good information page on making a complaint to the Data Protection Commissioner here. They take their job fairly seriously. Keep in mind though that the Act as it stands still applies only to information held on computer so the orgnisation wouldn't have to send you letters you sent them that are held in a paper file, for example.

I hope the above will at least be of some help. If you've any more questions, keep them coming. I've a nice copy of the 1988 Act printed out (should be of some use to me in the future).

Blade

Originally posted by tobylobs
1. If you are old enough to vote your name and address can be obtained by any individual or company from any post office, county council or any place that holds an electoral register.
2. Your local county council sells the electoral register to direct marketing companies on CD-rom and makes a profit from your information. This is legal because the register does not come under the data protection act as it’s a public domain document. So the only way to stop them doing this is to remove your name but this interferes with your constitutional right to vote as an Irish citizen.

I only registered there recently and I was asked if I wanted my name put on a list for marketting purposes, of course I ticked no. Have they only been offering this option recently?

dahamsta

Bah, I'd a response typed and the timeout kicked in (then I got my password wrong as usual, got tempted by the Back button and the whole thing went west). Shorter reply second time around then

Go offline, then hit Back and copy the message -- it's remembering it is the tricky part. I tend to compose the heftier responses in EditPlus, saves the whining when I do what you did.

Looking at my last two paragraphs , they don't make sense when read in order.

Nah.

I checked the 2002 Amendment Bill ... it isn't law yet ... so I'm going to ignore it.

Cool.

Under the Irish Act, this letter below (after including any relevant account details) would be enough to make a request in Ireland:

Yowza, simple as that, eh? Jeez, I'll be able to send a raft of them out!

If it's a UK company obviously you would be using the UK letter.

I didn't know I could use the UK Act. This was provided for in the European directive?

There are a few exceptions on getting the information

Ok, here's one: Credit ratings. Can I DPA the information, and if so, does anybody know who handles it in Ireland?

When Vodafone kept sending me useless messages I got myself removed from the list. It took two phone calls (and a threat to report them) before it was done though but they did send me out a confirmation letter fairly quickly

I'm not particularly fond of Vodafone, but I have to say that their response to my DPA request was excellent. I did it on Monday, because I got that ski trip SMS spam over the weekend and I've previously been told by a friend on Vodafone that she gets tons of junk. I hate junk, so I said I'd go on the attack early. I sent a DPA request by email at about noon on Monday, and received an apology and confirmation of removal by just before three. A written confirmation arrived the next day. This is what I sent, for reference:

To: care@vodafone.ie
Subject: Vodafone text messages

ATTENTION: Data Protection Officer

I received an unsolicited text message this weekend advertising a Vodafone competition. I would like Vodafone to refrain from sending me any further unsolicited messages, and remove me from it's direct marketing database immediately. For your reference, my name is Adam Beecher, and my mobile number is XXXXXXX. I await your response within 40 days, as per the Data Protection Act, 1998.

I hope the above will at least be of some help.

It was, thanks sceptre.

If you've any more questions, keep them coming.

If you keep answering, I'll keep asking.

adam

sceptre

I didn't know I could use the UK Act. This was provided for in the European directive?

As far as I can tell, it is. Obviously you couldn't use the UK Act in reference to an Irish company (stating the obvious I suppose)


Ok, here's one: Credit ratings. Can I DPA the information, and if so, does anybody know who handles it in Ireland?

This is one of the easy ones. The principal credit reference agency in Ireland is the ICB (Irish Credit Bureau Limited). 36 institutions are registered with the ICB - they hold data on 2.7 million individuals.

The address is:
Irish Credit Bureau, Newstead, Clonskeagh Road, Dublin 14. Tel. (01) 260 0388

They usually get the applicant to fill in a standard form (phoning them is the easiest way to get it)

Plenty of info here. There are sample cases at the bottom of the page including one on debt collection


If you keep answering, I'll keep asking.

Happy to. I'm also learning stuff as I go.

dahamsta

As far as I can tell, it is. Obviously you couldn't use the UK Act in reference to an Irish company (stating the obvious I suppose)

Pretty cool if it works that way. GUS, the people who own Argos, have an enormous database of consumer information, and I've actually bought stuff from Argos, so I'd be curious about what they have on me.

Useless information of the day: GUS now makes more money from data than it does from it's retail operations.

This is one of the easy ones.

So it was. I'm rather embarasses I didn't spot that on the DP site, although to be fair, I've concentrated on DM removal in the past. You learn something new every day, thanks sceptre.

They usually get the applicant to fill in a standard form (phoning them is the easiest way to get it)

Rang 'em first thing this morning, so I should be nice and angry by Monday or Tuesday next week.

Happy to. I'm also learning stuff as I go.

I'LL BE BACK.

adam

Our man in Havana

The new ammended act of 2003 is now in force. You can now get access to all paper files now as well as computer files.