IIA Legal Working Group – Submission in Response to the Consultation Paper on Data Protection Registration Requirements
On behalf of its members, the Irish Internet Association (IIA) wishes to submit the following response to the Consultation Paper published by the Department of Justice, Equality and Law Reform. This response has been prepared by the IIA Legal Working Group.
a.) What categories should be exempt from the registration requirement on the grounds referred to in Article 18(2) of the Directive that the processing operations to be undertaken are unlikely, given the personal data to be processed, to affect adversely the rights and freedoms of data subjects?
The IIA feels that there should not be a substantial change to the existing registration requirements.
b.) What registration rules should apply in the case of categories of data controller bound by codes of professional ethics where such codes prohibit or restrict the use of personal data held by the controller for other purposes?
If such data controllers are required to register, the existence of any applicable code of professional ethics should be disclosed in the Registration form so as to be publicly available.
c.) To what extent, if any, should the size of an entity that controls and/or processes personal data be taken into account?
The size of an entity is not relevant to registration. However, the IIA would encourage the continuance of the current sliding scale of registration fees depending on the data controller’s size.
d.) Should certain categories of data controller continue to be exempted on the grounds that personal data is processed in the ordinary course of personnel administration and is not processed for another purpose?
e.) Should data controllers that routinely transfer large quantities of personal data to a country or territory outside the European Economic Area (apart from data processed in the ordinary course of personnel administration) be required to register?
No. The transfer of data outside of the European Economic Area is not a registration issue and is already governed by separate provisions of the Data Protection Acts.
f.) What registration arrangements should apply where, as referred to in Article 18(2) of the Directive, a data controller has appointed a personal data protection official for ensuring the internal application of data protection law in an independent manner?
The IIA would be reluctant to see a situation whereby specific named individuals could attract personal liability for the data protection compliance of a Data Controller.
g.) What registration provisions are required where personal data is processed by political parties, or candidates for election to, or holders of elective political office?
While the processing of sensitive political data by political parties, candidates for election and holders of elective political office is permitted under section 2B(1)(b)(x) of the Data Protection Acts, the IIA feels that these parties and candidates should be required to register as data controllers so that their data protection policies and procedures are available to the public.
h.) Should data processors be exempt from registration on the basis of the safeguards already provided for in section 2C(3) (inserted by the 2003 Act)?
i.) What factors should be taken into account for the purposes of updating existing registration fees?
Costs should not be a barrier to registration.
Submitted March 2004
If you require anything further, please contact any member of the IIA Legal Working Group:
Don McAleese, Chairman, Matheson Ormsby Prentice, email@example.com
Pat Ryan, Kilroys, firstname.lastname@example.org
Rob Corbet, Arthur Cox, Rob.Corbet@arthurcox.com
Paul Lambert, Merrion Legal, email@example.com